Release Notes - 1.4
1.4.19
- Fixes a false violation of the rule 3612: “Avoid missing release of SQL connection after an effective lifetime (C#, VB.NET)”. 📝 45254
- Fixes and removes false links to table objects from “.NET AppSetting found in configuration file”. 📝 46337
- Fixes a false violation of the rule 3612: “Avoid missing release of SQL connection after an effective lifetime (C#, VB.NET)”. 📝 47133
- Fixes incorrect/false (non-dynamic) links from VB.NET methods to tables created by the analyzer inference engine: all links found from the dataflow entry point with the inference engine are now handled as “dynamic”. 📝 47384
1.4.18
- Fixes an issue that was causing a mismatch in the Engineering Dashboard between the total violation count in the main tile and the CSV export report. 📝 43359
1.4.17
- Corrected the violation count displayed in the Engineering Dashboard for the rule (1027024): “Avoid comparing passwords against hard-coded strings”. 📝 41637
- Corrected the wrong generic type for a nested class or enum of a generic class in extraction files.
- Corrected the metamodel property of quality rules to correct the violation count displayed in the Dashboard.
- Fixed false positives for the rule: “Avoid String concatenation in loops (.NET)” when the concatenation was done inside the initialization during variable declaration. 💎 7198
1.4.16
- Fixes a false violation of rule 3612: “Avoid missing release of SQL connection after an effective lifetime (C#, VB.NET)” when the using declaration syntax is used. 📝 41935
- .NET has a new option to disable linking .NET Client code to SQL Database Tables. Not activated by default.
1.4.15
- The analysis behaviour has been updated to ensure that the symbol comparison process is completed with the current project’s .NET version.
- Avoids an argument exception caused by a duplicate key entry in a dictionary in the AvoidRaisingExceptionsInUnexpectedLocation diagnostic.
1.4.14
- Fixes an issue causing an analysis to fail with the error “DOTNET.0007:Unknown language Unknown. Couldn’t load project.” 📝 40482
- The analyzer has been updated to prevent the analysis of unused source files (e.g. with the Content or None tag) such as .cs, .vb, etc. in SDK style projects.
- The analyzer has been updated to ensure that generated objects (such as classes) are saved with the properties “external” and “generated” (previously these objects were only saved with the property “external”).
- Fixes a false positive in rule 1027042 “Avoid having unmatched contracts for exported interfaces” that is triggered when a class does not implement the interface directly but inherits a class that implements it.
- Fixes an issue where tags disabling implicit file inclusion in SDK style project files were ignored during an analysis, causing unwanted files to be analyzed.
- Fixes an issue where the analyzer was analyzing the same file multiple times (because multiple project files specified the compilation of the same file).
- Fixes an issue causing the analyzer to create the wrong type of link (accessReadLink) when the assignment of an object is done by a deconstruct operation. The analyzer now creates an accessWriteLink link instead.
- Fixes a false negative in rule 1027100 “Avoid dangerous File Upload” that is triggered when “HttpPostedFile.SaveAs” is used.
- “Avoid having unmatched contracts for exported interfaces”: removed a false positive that is triggered when a class does not implement the interface directly but inherits a class that implements it. 💎 1027042
- “Avoid dangerous File Upload”: fixes a false negative that is triggered when “HttpPostedFile.SaveAs” is used. 💎 1027100
1.4.13
- Fixes an issue causing an analysis crash with the error “Unknown exception System.InvalidOperationException: The project already contains the specified reference.” 📝 39034
- Fixes an issue causing an analysis crash with the error “Unknown exception System.InvalidOperationException: The project already contains the specified reference.” 📝 38601
- Fixes an issue causing an analysis crash with the error: “Unknown exception System.IO.DirectoryNotFoundException: Could not find a part of the path.” 📝 38362
- Fixes a false violation of the rule 8108 - “Avoid missing release of stream connection after an effective lifetime”. 📝 39086
- Fixes an issue where the analysis completed but took a very long time to run. 📝 37489
- Fixes several incorrect terms in warning messages found in the .NET analysis log file. 📝 38509
- Fixes an issue where the warning “DOTNET.0012:Could not load assembly” was encountered many times in one analysis. This warning is no longer triggered for DLLs that are not .NET assemblies; where a package build directory contains more than one DLL, all of the DLLs are added. 📝 38529
- Changes the behaviour to stop an exception being raised when analyzing code with local functions: the analyzer now carefully ignores local function calls in order to avoid exceptions (and so continues the analysis of the current file).
- Fixes an exception raised by the Security Analyzer during log forging analysis due to optional arguments encountered in the code.
- Fixes an issue where the log contained many instances of the entry “An exception occurred while generating code for….” when tuple expressions were being analyzed.
- Fixes a false violation of the rule 8108 - “Avoid missing release of stream connection after an effective lifetime”. 💎 8108
1.4.12
- No changes or updates have been made in this release. This is simply a move to LTS (Long Term Support).
1.4.11-funcrel
- Improved support for databases: Oracle, DB2, MySQL, Microsoft.Data.SqlClient.
- Fixes a false violation for “Avoid storing passwords in Comments”. 💎 1027046
- Introduces support for C# 9: record, init-only accessor, top-level statement, target-typed new, covariant return type, …
- Support of C# 9
1.4.10-funcrel
The release 1.4.10-funcrel replaces 1.4.9-funcrel, which was withdrawn due to an error where snapshots failed after an upgrade to 1.4.9-funcrel. 1.4.10-funcrel contains the same fixes and updates as 1.4.9-funcrel, in addition to a fix for the error introduced in 1.4.9-funcrel.
- Fixes an issue where snapshots fail after an upgrade to 1.4.9-funcrel with the error “Error while executing Procedure: ERROR: function mal_as_allocation_eu_main_local.dss_diag_scope_generic_num(integer, integer, integer, integer) does not exist.” 📝 37290
- Fixes an issue where .NET analysis failed with error: The process `“D:\CAST\Extensions\com.castsoftware.dotnet.1.4.7-funcrel\DotNetCmd.exe” “R:\Storage\XX\DotNetCmd.xml”’ exited with code -1073740940. 📝 36406
- Fixes an issue where .NET analysis is missing links to the System namespace that should be resolved from the .NET framework. 📝 36719
- Fixes an issue related to all ASMX transactions. A link was missing from “ASMX Source File” to its “C# source file”, while the ASMX object is defined in the TCC configuration as an entry point; therefore all ASMX transactions were empty. The link was missing for all ASMX objects that are entry points for transactions. 📝 26750
- Fixes an issue related to missing assemblies despite correct project hintpaths. The features using the hintpath of scproj files were found missing. After the fix, there is no warning for DOTNET.0142 and DOTNET.0150.
- Fixes an issue related to a third-party package: updates Microsoft.WindowsDesktop.App.Ref to version 6.0.6.
- Fixes an issue related to .NET analysis concurrency. When two applications were launched in parallel with the same Zip file for the source code, the first analysis ended successfully and the second one failed with an error.
- NEW Avoid dangerous File Upload. 💎 1027100
- Support Dapper/Oracle/NpgSQL framework for .Net with blackboxing.
- Support Dapper/Oracle/NpgSQL framework for .Net
1.4.9-funcrel
This release has been withdrawn due to an error where snapshots failed after an upgrade to 1.4.9-funcrel. 1.4.10-funcrel contains the same fixes and updates as 1.4.9-funcrel, in addition to a fix for the error introduced in 1.4.9-funcrel.
1.4.8-funcrel
- Fixed false positive violations for the rule (7266): “Call ‘base.Dispose()’ or ‘MyBase.Finalize()’ in the “finally” block of ‘Dispose(bool)’ methods”. 📝 34766
- Fixed false positive violations caused by event handler C# methods for the rule (1027098): “Avoid unused private types or members”. 📝 35114
- Fixed incorrect links in the “Reference” section for the rule (1043010) “Avoid creating cookie without setting httpOnly option (C#)”. 📝 31317
- Fixed false positive violations for the rule (1027048): “Avoid returning null from non-async Task/Task <T>method”. 📝 34864
- Fixed false positive violations for the rule (1027048): “Avoid returning null from non-async Task/Task <T>method”. 📝 35078
- Fixed false positive violations for the rule (1027074): “Avoid hard-coded URIs (.NET)”. 📝 34960
- Fixed false positives for rule (8402): “All types of a serializable class must be serializable” in C#. 📝 34773
- Added a new tool “WSDLGenerator”: externalizes generated files based on a WSDL file in a separate tool.
- Fixed a bad type link between .NET and SQL synonym.
- Fixed an unexpected exception that occurred during the step: Dataflow symbol registration.
- Default links in the ‘analysis schema’ decreased by 1730 when comparing analyses run between 8.3.42 and 8.3.43.
- Added a new tool XSDGenerator: externalizes generated files based on an XSD file in a separate tool.
- Correction of the error “System.IO.DirectoryNotFoundException” while moving the CommandData.json file with a folder path containing a space character.
- Fixed false positive violations for the rule: “Avoid hard-coded URIs (.NET)”. 💎 1027074
- Fixed missing violations for the rule: “Avoid instantiations inside loops”. 💎 7212
- Fixed false positive violations for the rule: “Call ‘base.Dispose()’ or ‘MyBase.Finalize()’ in the “finally” block of ‘Dispose(bool)’ methods”. 💎 7266
- Fixed false positive violations caused by event handler C# methods for the rule: “Avoid unused private types or members”. 💎 1027098
- Fixed false positive violations for the rule: “Avoid returning null from non-async Task/Task <T>method”. 💎 1027048
- Fixed false positives for rule: “All types of a serializable class must be serializable” in C#. 💎 8402
- Support for ASP.NET Core 5 and 6; libraries are imported as third parties.
- Support ASP.NET Core 5 and 6
1.4.7-funcrel
- Moving CommandData.json files raised an exception when running the analysis a second time.
1.4.6-funcrel
Please do not use this version.
- An unexpected exception occurred while loading project xxxxx: Sequence contains more than one matching element. 📝 34467
- An unexpected exception occurred while loading project xxxxx: Sequence contains more than one matching element. 📝 34572
- Rule name: “Avoid using console logging” should be renamed according to technology as: “Avoid using console logging (.NET)”. 📝 33966
- CASTIL generation - Review CastIL generation for fields: non-static fields with initializers are now correctly instantiated and have a bookmark; static fields are now initialized in the static constructor.
- Generated .json files were analyzed by the HTML5 extension, but they should not be analyzed by the extension; this led to invalid result variation.
- PathTooLongException was not caught and raised a DOTNET.0156 warning.
- The rule (8108) “Avoid missing release of stream connection after an effective lifetime” has been modified to reduce false positive violations by excluding streams in constructor arguments of classes inheriting from IDisposable.
- The rule “Avoid missing release of stream connection after an effective lifetime” has been modified to reduce false positive violations by excluding streams in constructor arguments of classes inheriting from IDisposable. 💎 8108
- Rule name: “Avoid using console logging” is renamed according to technology as: “Avoid using console logging (.NET)”. 💎 1020060
- The .NET Analyzer now supports .NET Core 5 and 6. Syntax support is limited to C# 8.0.
- Support of .NET Core 5 and 6
1.4.5-funcrel
- .NET warning: DOTNET.0156: An unexpected exception occurred while loading project (.NET 5). 📝 31602
- False violation for rule (rule id: 8110): Use dedicated stored procedures when multiple data accesses are needed. 📝 31022
- Message “Required framework version is 4.8 but version 4.7.2 will be used instead” still displayed when version 4.8 is installed. 📝 33194
- Bad inherited link between a class and an instantiated one: a bad relyon link has been replaced by an inheritance link.
- Removed false violation for the rule: Avoid not using dedicated stored procedures when processing multiple data accesses. 💎 8110
1.4.4-funcrel
- Transactions are deleted due to a missing dll file reference: compilation conflicts between extractions and references. 📝 29725
- Missing reference to DataRow even though the dll is present, causing GUID changes between versions. 📝 33077
- DOTNET.0142: No resource found for package XLabs.IoC version 2.0.5782. Package reference ignored in project: support of Portable Class Library (PCL) for nuget package. 📝 33272
- DOTNET.0142: No resource found for package XLabs.IoC version 2.0.5782. Package reference ignored in project: support of Portable Class Library (PCL) for nuget package. 📝 33379
- False violation for QR “Avoid non-public custom exception types” for partial classes. 📝 33476
- Missing reference to DataRow even though the dll is present, causing GUID changes between versions. 📝 33518
- False positive on rule: “Avoid missing release of stream connection after an effective lifetime” with some methods of classes File and Stream.
- Got rid of useless flagged warning logs.
1.4.3-funcrel
- False violation for rule “Always use System.Uri instead of string to build URLs”: authorize secure method System.Net.WebRequest::Create(System.String). 📝 32682
- False positive for the rule: “Avoid storing passwords in Comments”. 📝 32708
- Unknown exception System.AggregateException in method AvoidRaisingExceptionsInUnexpectedLocation.Init. 📝 32823
- False violation for the rule: “Avoid hard-coded network resource names (.NET, VB)”: restrict ipv4 to 4 numbers pattern. 📝 32852
- False violation for the rule: “Avoid comparing passwords against hard-coded strings”. 📝 32978
- Update the analyzer to provide a list of the .NET frameworks managed by default in a .json file.
- False violation for rule “Always use System.Uri instead of string to build URLs”: authorize secure method System.Net.WebRequest::Create(System.String). 💎 1027054
- False positive for the rule: “Avoid storing passwords in Comments”. 💎 1027046
- False violation for the rule: “Avoid hard-coded network resource names (.NET, VB)”: restrict ipv4 to 4 numbers pattern. 💎 1027032
- False violation for the rule: “Avoid comparing passwords against hard-coded strings”. 💎 1027024
1.4.2-funcrel
- False positives in rule “Avoid hardcoded URIs”.
- Unknown exception System.ArgumentException raised in rule “Avoid unused private types or members”.
- General Protection Fault crash on code “QUAL_SACS”.
- Correction for initialization of plugins inside component.
1.4.1-funcrel
- Drop in FP due to changes in the .NET TCCSetup file. 📝 30747
- Mismatch in violation count for the rule (7198): “Avoid String concatenation in loops (.NET)”. 📝 30762
- False negative for the rule: “Avoid storing Non-Serializable Object as HttpSessionState attributes”. The rule does not consider Property objects. 📝 30482
- False negative for the rule: “Avoid storing Non-Serializable Object as HttpSessionState attributes”. The rule does not consider Property objects. 📝 31611
- Analysis too long for file initializing an extremely big dictionary.
- 8108: False positive for method System.IO.File::Exists.
- TFP decreased by 4858.0 when migrating 8.3.37 -> 8.3.38 (upgraded dotnet extension).
- Generalized the string evaluation.
1.4.0-funcrel
- .NET Analysis crash: com.castsoftware.dotnet.1.3.1-funcrel\DotNetCmd.exe exited with code -1073741571. 📝 28876
- Exception occurred while loading a project: “System.ArgumentException: Version string portion was too short or too long”.
1.4.0-beta1
- TCC config delivered by the .NET extension is referring to package=“Dotnet_Extension” instead of package=“Base_DotNet”.
- False violation for “Always Revert After Impersonation” on stored instances of classes implementing IDisposable. 💎 1027008
- False positive for “Avoid blocking async methods” in “main” method and missing violation on property “Task <TResult>.Result”. 💎 1027058
- NEW “Avoid raising exceptions in unexpected location”: a method that is not expected to throw exceptions throws an exception. Currently limited to C#. 💎 1027096
- NEW “Avoid unused private types or members”: private or internal types or private members that are never executed or referenced are dead code. Currently limited to C#. 💎 1027098
1.4.0-alpha5
- Modified transactions due to links alternating to objects with the same fullname in different folders. 📝 28888
- False violation (rule id: 1027012): Avoid storing Non-Serializable Object as HttpSessionState attributes. 📝 28054
- The rule (rule id: 8156): “Persistent classes should implement GetHashCode() and Equals()” should not apply to Entity Framework. 📝 29262
- “System.Threading.Task” should be an exception to the QR (rule id: 8086) “Avoid types that own disposable fields and are not disposable”.
- Fixed System.NullReferenceException raised in RawProjectBuilder.setProjectOutputKind.
1.4.0-alpha4
- NEW New rule: Avoid throwing ArgumentException from yielding method. 💎 1027050
- Bookmark only the attribute declaration. 💎 1027042
- A variable declared and initialized against a LINQ query, when compared to ‘null’, is always false. 💎 1027070
- When the comparison is done using the “==” operator, as in “1 == aThrow.Children.Count()”, a violation should not be set. 💎 1027020
- Declaring a C# class without any access modifier (“public” or others) should raise a violation. 💎 1027088
1.4.0-alpha3
- False positive in the rule: “Close the outermost stream ASAP (Avoid missing release of stream connection after an effective lifetime)”. 📝 27762
- Wrong violations for the rule: “Avoid missing release of stream connection after an effective lifetime” in .NET. 📝 24427
- False violation for the rule: “Avoid missing release of stream connection after an effective lifetime”. 📝 26766
- The metric rule: “Avoid missing release of stream connection after an effective lifetime” produces false positives. 📝 28276
- ASPX transactions deleted. 📝 26749
- Objects not being part of a module caused transactions to be “Deleted”. 📝 27617
- False positives on QR “Avoid missing release of stream connection after an effective lifetime” when the “using declaration” syntax is used.
- Corrected bookmark for rule “Avoid missing release of stream connection after an effective lifetime”.
- False positives on QR “Avoid missing release of stream connection after an effective lifetime” when the “using” syntax is used.
- Improvement of the rule “Avoid weak encryption providing insufficient key size (.NET)”.
- Improvement of the rule “Avoid returning null from ToString()” for non-override methods.
- Increased the patterns supported for rule “Avoid hardcoded URIs (.NET)”.
- Increased the scope of the rule “Avoid using Obsolete attributes without message”.
- Improved support of the nuget extractor.
- Improved performance when computing Metrics and CRC.
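The entries for 1.4.16 (rule 3612, SQL connections) and 1.4.0-alpha3 (rule 8108, streams) both concern the C# 8 “using declaration” syntax. The following added example is not CAST’s code; it shows the two equivalent disposal forms the analyzer must treat alike, the wrapped-stream case the 1.4.6 entry mentions, and a genuine leak of the kind these rules exist to catch. The connection string and query are placeholders.

```csharp
using System;
using System.IO;
using Microsoft.Data.SqlClient; // System.Data.SqlClient behaves the same here

static class DisposalPatterns
{
    // Placeholder; real values would come from configuration, never from source.
    const string ConnStr = "Server=PLACEHOLDER;Database=PLACEHOLDER;Integrated Security=true";

    // Classic using statement: Dispose() runs when the braces close, even on exception.
    static int CountWithUsingStatement()
    {
        using (var conn = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand("SELECT COUNT(*) FROM dbo.Users", conn))
        {
            conn.Open();
            return (int)cmd.ExecuteScalar();
        }
    }

    // C# 8 using declaration: same lifetime (disposed at the end of the enclosing scope),
    // no braces. This is the form rules 3612 / 8108 flagged falsely before the fixes above.
    static int CountWithUsingDeclaration()
    {
        using var conn = new SqlConnection(ConnStr);
        using var cmd = new SqlCommand("SELECT COUNT(*) FROM dbo.Users", conn);
        conn.Open();
        return (int)cmd.ExecuteScalar();
    }

    // Stream variant for rule 8108. The FileStream is passed to the constructor of an
    // IDisposable (StreamReader) that owns and closes it; the 1.4.6 change excludes this.
    static string ReadFirstLine(string path)
    {
        using var reader = new StreamReader(new FileStream(path, FileMode.Open, FileAccess.Read));
        return reader.ReadLine() ?? string.Empty;
    }

    // Genuine finding: the open connection escapes the method. If any caller forgets to
    // dispose it, or Open() throws, the pooled connection is held until the finalizer runs.
    static SqlConnection OpenAndReturn()
    {
        var conn = new SqlConnection(ConnStr);
        conn.Open();
        return conn;
    }
}
```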
1.4.0-alpha2
- DOTNET.0156: An unexpected exception occurred while loading project xxxx. Project excluded from analysis. 📝 27654
- DOTNET warning: DOTNET.0142: No resource found for package and DOTNET.0150: No definition found for the name. 📝 26398
- DOTNET analysis stuck at End Compute Metrics for symbols. 📝 27291
- DOTNET analysis stuck at End Compute Metrics for symbols. 📝 26465
- DOTNET warning: DOTNET.0142: No resource found for package and DOTNET.0150: No definition found for the name. 📝 27061
1.4.0-alpha1
A significant number of new rules have been added in this release of the extension, which will have a significant impact on any existing analysis results generated with a previous release of the extension. When re-analyzing existing and unchanged source code with this new extension, you should therefore expect grade and violation changes. When using AIP Console, if you do not want this extension to be used, you should ensure that you implement an extension strategy to prevent the automatic download and installation of the extension. If you are onboarding a new application, CAST actively encourages you to use this new release to take advantage of the improvements that have been implemented.
- Diags may put violations on fields while fields are not part of the rule’s scope.
- Unknown exception System.InvalidOperationException in PathUtils.FindCommonPath method.
- NEW Avoid using Thread API to manage activities of threads 💎 1027014
- NEW Avoid throwing exceptions in destructors 💎 1027016
- NEW Avoid throwing exceptions in finally block 💎 1027018
- NEW Avoid using Obsolete attributes without message 💎 1027030
- NEW Avoid using Count or LongCount where Any can be used 💎 1027020
- NEW Avoid using “new Guid()” 💎 1027022
- NEW Avoid comparing passwords against hard-coded strings 💎 1027024
- NEW Avoid hardcoded network resource names (.NET, VB) 💎 1027032
- NEW Never catch NullReferenceException 💎 1027034
- NEW Avoid if … else if constructs not terminated with an else clause (.NET, VB) 💎 1027038
- NEW Avoid rethrow exception explicitly 💎 1027036
- NEW Avoid having unmatched contracts for exported interfaces 💎 1027042
- NEW Avoid using multiple OrderBy calls 💎 1027040
- NEW Avoid storing passwords in Comments 💎 1027046
- NEW Avoid using SafeHandle.DangerousGetHandle 💎 1027044
- NEW Avoid returning null from non-async Task/Task <T>method 💎 1027048
- NEW Avoid having the same implementation in a conditional structure 💎 1027086
- NEW Always use System.Uri instead of string to build URLs 💎 1027054
- NEW Avoid blocking async methods 💎 1027058
- NEW Avoid if statements and blocks that are always TRUE or FALSE 💎 1027070
- NEW Avoid allowing File IO unrestricted access 💎 1027076
- NEW Always mark Windows Forms starting point as STAThread 💎 1027078
- NEW Avoid calling CoSetProxyBlanket and CoInitializeSecurity 💎 1027084
- NEW Avoid using console logging 💎 1027082
- NEW Always use ConfigureAwait(false) in library code awaited tasks 💎 1027080
- NEW Avoid hardcoded URIs 💎 1027074
- NEW Avoid returning null from ToString() 💎 1027068
- NEW Avoid throwing exception from property getters 💎 1027066
- NEW Always override ‘Equals’ and Comparison operators with IComparable implementation 💎 1027064