Release Notes - 1.5

1.5.5-funcrel

Resolved Issues

Customer Ticket Id | Details
--- | ---
47415 | Fixes a .NET analysis error/crash during the "checking dependencies" phase by limiting the recursion when fetching package dependencies.
46907 | Fixes "Unresolved" warnings in the .NET analysis log when the use of "global" in "obj" is not part of the source code delivery.
47384 | Fixes incorrect (false, non-dynamic) links from VB.NET methods to tables created by the analyzer's inference engine: all links found from the dataflow entry point with the inference engine are now handled as "dynamic".
47133 | Fixes a false violation of rule 3612: "Avoid missing release of SQL connection after an effective lifetime (C#, VB.NET)".
46698 | Fixes a false violation of rule 3612: "Avoid missing release of SQL connection after an effective lifetime (C#, VB.NET)".

Other Updates

Details
Provides an update to improve CASTIL generation for loops.
Creates static calls to the virtual methods invoked by syntactic sugar: MoveNext, Dispose and Current.Get in foreach statements; Dispose in using statements and using declarations.
Provides a fix for CASTIL generation of a for loop without a condition but with an initializer and/or increment block.
Provides a fix for CASTIL generation of a foreach loop containing instructions that generate inner blocks, such as try/catch.
Support added for "SyntaxKind.DiscardDesignation".
Improves support for versioning of nupkg dependencies: version intervals and missing versions in nuspec files.

1.5.4-funcrel

Resolved Issues

Customer Ticket Id | Details
--- | ---
45446 | Fixes an issue wherein wrong links were created to methods inheriting from the same interface but not referenced in the code.
45254 | Fixes a false positive of the rule "Avoid missing release of SQL connection after an effective lifetime (C#, VB.NET)".
46337 | Fixes false links to Table objects from ".NET AppSetting found in configuration file".
46051 | Fixes many "DOTNET.0150:No definition found for the name" warnings that should not be displayed.

Callee Type | Caller Type | Details
--- | --- | ---
Table | AppSetting | The link is now ignorable or dynamic.

Other Updates

Details
Fixes wrong devirtualization links between two unrelated projects.
Adds missing bookmarks for access exec links created for foreach statements.
Improves CASTIL generation for the foreach statement when iterating over an array instead of a classic List/collection.
Improves creation of global using files.
Fixes an issue wherein the analysis crashed while loading metamodel files from an extension.
Changes the behaviour to decrease the number of default devirtualization links created when devirtualization fails.

1.5.3-funcrel

Resolved Issues

Customer Ticket Id | Details
--- | ---
44244 | Fixes missing links between .NET methods due to warnings generated by the Roslyn compiler used in the analyzer.
44932 | Fixes an issue seen after upgrading CAST Imaging Console from 2.10.1 to 2.10.3: the Analysis Report was erroneously displaying analyzed files as unanalyzed.
44521 | Fixes and removes the cause of the warning displayed in the analysis log "Issue encountered while processing visitor:LinqToSQLVisitor: System.IndexOutOfRangeException: Index was outside the bounds of the array", which impacted analysis results.
44546 | Fixes an issue causing the .NET Analyzer to incorrectly handle "ImplicitUsings" in csproj files.

Other Updates

Details
Fixes duplicate-type errors in assemblies with the same name that persisted despite the removal of similar assemblies.

1.5.2-funcrel

Resolved Issues

Customer Ticket Id | Details
--- | ---
43329 | Fixes an issue wherein the warning "DOTNET.0142:No ressource found for nuget package Microsoft.NET.Sdk.Functions version 4.1.3" was displayed in the log even though the DLL existed in the relevant folder.

Other Updates

Details
Fixes an issue wherein CASTIL was creating a static link. After the fix, the property physicalLink.inferenceEngineRequests is set only on deduced links (the double link is removed).
Fixes a false positive for rule 1027088: "Avoid non-public custom exception types".
Fixes an issue wherein a PathTooLongException on one dependency prevented the other dependencies from being retrieved.
Fixes an issue wherein the main C# method was an entry point when it was called (a C# method should NOT be an entry point in that case).

Rules

Rule Id | New Rule | Details
--- | --- | ---
1027088 | FALSE | Fixes a false positive on sealed classes for the rule "Avoid non-public custom exception types".

1.5.1-funcrel

Note

This extension has been withdrawn and is no longer available. All updates and fixes are provided in 1.5.2-funcrel.

1.5.0-funcrel

New Support

Summary | Details
--- | ---
Support .NET Core 7 / ASP.NET Core 7 | Support for the .NET Core 7 and ASP.NET Core 7 frameworks.
Support C# 11 | Support for version 11 of the C# language.

1.5.0-beta4

Resolved Issues

Customer Ticket Id | Details
--- | ---
41935 | Fixes a false violation of rule 3612: "Avoid missing release of SQL connection after an effective lifetime (C#, VB.NET)" when the using declaration syntax is used.
42558 | Fixes an issue wherein .cs files included in SDK projects were considered 'dead code' because the new syntaxes for declaring SDK-style projects were not supported. All syntaxes are now supported.
41637 | Fixes an issue where an incorrect violation count was displayed in the Engineering Dashboard for the rule "Avoid comparing passwords against hard-coded strings".

Other Updates

Details
.NET is provided with a new option to disable linking .NET client code to SQL database tables. This option is disabled by default.
Corrects the wrong generic type for a nested class or enum of a generic class in extraction files.
Corrects the metamodel property of quality rules so that the violation count displayed in the Dashboard is correct.

Rules

Rule Id | New Rule | Details
--- | --- | ---
7198 | FALSE | Fixes a false positive for rule 7198: "Avoid String concatenation in loops (.NET)" when the concatenation was done inside the initialization during variable declaration.

New Support

Summary | Details
--- | ---
Support for .NET 5+ OS-specific TFMs | Support added for .NET 5+ OS-specific TFMs. The syntax is "framework TFM" + "-" + "OS-specific".

1.5.0-beta3

Resolved Issues

Customer Ticket Id | Details
--- | ---
41374 | Fixes a false violation of rule 7862: "Avoid catching an exception of type Exception, RuntimeException, or Throwable".
41802 | Fixes an issue causing the analysis to fail with the error "System.ArgumentException: An item with the same key has already been added".

Callee Type | Caller Type | Details
--- | --- | ---
Type (class) | C# Method | When no variable is declared in a catch, the catchLink now has the actual exception class used as callee (previously Exception).
Type (class) | C# Method | When there is a filter with an IsExpression, the callee of the catchLink is the exception(s) present in the filter.

Other Updates

Details
A new option has been added to select and automatically remove similar input assemblies. It is disabled by default.
The analysis behaviour has been updated to add a Finalise() method in all visitors and call it before saving violations: this method can be called in rules defined in User Community extensions to filter violations at the end of the project analysis.
Fixes an issue causing the analysis to stop with the error "Unknown exception System.NullReferenceException: Object reference not set to an instance of an object".
Fixes an issue causing the DotNetCmd.exe utility to exit with the error code -1073740940.
Fixes two issues related to catchLinks: 1) when no variable was declared in a catch, the .NET Analyzer created a catchLink with "Exception" as callee rather than the actual "Exception class" used; 2) when there was a filter with an "IsExpression", the callee of the catchLink was not the exception(s) present in the filter.
The analysis behaviour has been updated to ensure that the symbols comparison process is completed with the current project's .NET version.
The analysis behaviour has been updated to avoid an argument exception caused by a duplicate key entry in the dictionary used by the diagnostic AvoidRaisingExceptionsInUnexpectedLocation.

Rules

Rule Id | New Rule | Details
--- | --- | ---
1027102 | TRUE | Avoid using Regex constructor or static method without timeout

Performance Improvements

Summary
Improves the performance of the 'Dead source detector'.

1.5.0-beta2

Resolved Issues

Customer Ticket Id | Details
--- | ---
40482 | Fixes an issue causing an analysis to fail with the error "DOTNET.0007:Unknown language Unknown. Couldn't load project."
37973 | Fixes an issue where the analyzer excluded duplicate projects based on assembly name, causing .CS files to be ignored (lack of support for SDK-style project files).
40912 | Fixes an issue where .csproj and .vbproj files encoded in UTF-16 caused all .cs and .vb files to be ignored during the analysis. The fix ensures that project files are always streamed in UTF-8 so they can be loaded safely.

Other Updates

Details
Unused source files (e.g. with the Content or None tag) such as .cs, .vb, etc. in SDK-style projects are now logged as unused and made available in CAST Console.
The analyzer has been updated to prevent the analysis of unused source files (e.g. with the Content or None tag) such as .cs, .vb, etc. in SDK-style projects.
The analyzer has been updated to detect and remove similar input assemblies that are not present in the csproj or vbproj file. Previously these files were analyzed, causing the error "The type 'xxx' exists in both 'xxx' and 'yyy'".
The analyzer has been updated to ensure that memory consumption is logged for each project during the analysis process.
The analyzer has been updated to ensure that generated objects (such as classes) are saved with the properties "external" and "generated" (previously these objects were only saved with the property "external").
Fixes a false positive in rule 1027042 "Avoid having unmatched contracts for exported interfaces" that was triggered when a class did not directly implement the interface but inherited from a class that implemented it.
Fixes an issue where tags disabling implicit file inclusion in SDK-style project files were ignored during an analysis, causing unwanted files to be analyzed.
Fixes an issue where the analyzer analyzed the same file multiple times (because multiple project files specified the compilation of the same file).
Fixes an issue causing the analyzer to create the wrong type of link (accessReadLink) when the assignment of an object is done by a deconstruct operation. The analyzer now creates an accessWriteLink instead.
Fixes a false negative in rule 1027100 "Avoid dangerous File Upload" that was triggered when "HttpPostedFile.SaveAs" is used.

Rules

Rule Id | New Rule | Details
--- | --- | ---
1027042 | FALSE | "Avoid having unmatched contracts for exported interfaces": removed a false positive that was triggered when a class did not directly implement the interface but inherited from a class that implemented it.
1027100 | FALSE | "Avoid dangerous File Upload": fixes a false negative that was triggered when "HttpPostedFile.SaveAs" is used.

New Support

Summary | Details
--- | ---
Support of C# 10 | The .NET Analyzer now supports the analysis of C# 10.

1.5.0-beta1

Resolved Issues

Customer Ticket Id | Details
--- | ---
39034 | Fixes an issue causing an analysis crash with the error "Unknown exception System.InvalidOperationException: The project already contains the specified reference."
38601 | Fixes an issue causing an analysis crash with the error "Unknown exception System.InvalidOperationException: The project already contains the specified reference."
38362 | Fixes an issue causing an analysis crash with the error "Unknown exception System.IO.DirectoryNotFoundException: Could not find a part of the path."
39086 | Fixes a false violation of rule 8108: "Avoid missing release of stream connection after an effective lifetime".
37489 | Fixes an issue where the analysis completed but took a very long time to run.
38509 | Fixes several incorrect terms in warning messages found in the .NET analysis log file.
38529 | Fixes an issue where the warning "DOTNET.0012:Could not load assembly" was encountered many times in one analysis. This warning is no longer triggered for DLLs that are not .NET assemblies, and when there is more than one DLL in a directory of a package build, all DLLs are added.

Other Updates

Details
Updates the dataflow behaviour for Client/Server link resolution: the flow no longer stops on an unknown external method and instead continues.
Stops the exception raised when analyzing code with local functions: the analyzer now carefully ignores local function calls in order to avoid exceptions (and so continues the analysis of the current file).
Fixes an exception raised by the Security Analyzer during log forging analysis due to optional arguments encountered in the code.
Fixes an issue where the log contained many instances of the entry "An exception occurred while generating code for…." when tuple expressions were being analyzed.
Provides automatic blackboxing for the ExternalLinksBuilder component in order to obtain accurate C/S links. In previous releases a custom blackbox was required. Note that with previous releases of the .NET Analyzer, accurate client/server links were only found when standard persistence frameworks (such as Oracle ODP, Npgsql, MySql.Data) were used. Starting from release 1.5.0, even when a custom (in-house) persistence framework is used, accurate client/server links are now found in many cases.

Rules

Rule Id | New Rule | Details
--- | --- | ---
8108 | FALSE | Fixes a false violation of rule 8108: "Avoid missing release of stream connection after an effective lifetime".

Transaction Improvements

Type | Framework
--- | ---
Client/server links | ADO.NET and custom wrappers of ADO.NET