Release Notes - 1.5
1.5.5-funcrel
Resolved Issues

| Customer Ticket Id | Details |
| --- | --- |
| 47415 | Fixes a .NET analysis error/crash during the "checking dependencies" phase by limiting the recursive call when fetching package dependencies. |
| 46907 | Fixes "Unresolved" warnings in .NET analysis log when use of "global" in "obj" is not part of the source code delivery. |
| 47384 | Fixes incorrect/false (non-dynamic) links from VB.NET methods to tables created by the analyzer inference engine: all links found from the dataflow entry point with the inference engine are now handled as "dynamic". |
| 47133 | Fixes a false violation of the rule 3612: "Avoid missing release of SQL connection after an effective lifetime (C#, VB.NET)". |
| 46698 | Fixes a false violation of the rule 3612: "Avoid missing release of SQL connection after an effective lifetime (C#, VB.NET)". |

Other Updates

| Details |
| --- |
| Provides an update to improve CASTIL generation for loops. |
| Provides an update to create static calls to virtual methods called by syntactic sugar: MoveNext, Dispose and Current.Get in foreach statement; Dispose method in using statement and using declaration. |
| Provides a fix for CASTIL generation of a for loop without condition but with initializer and/or increment block. |
| Provides a fix for CASTIL generation of a foreach loop containing instructions generating inner blocks like try/catch. |
| Support added for "SyntaxKind.DiscardDesignation". |
| Improves support of versioning for nupkg dependencies: interval of version and no version in nuspec files. |

1.5.4-funcrel
Resolved Issues

| Customer Ticket Id | Details |
| --- | --- |
| 45446 | Fixes an issue wherein wrong links were created to methods inheriting from the same interface but not referenced in code. |
| 45254 | Fixes the false positive: "Avoid missing release of SQL connection after an effective lifetime (C#, VB.NET)". |
| 46337 | Fixes the false links to Table from ".NET AppSetting found in configuration file". |
| 46051 | Fixes many "DOTNET.0150:No definition found for the name" warnings that should not be displayed. |

Link Improvements

| Callee Type | Caller Type | Details |
| --- | --- | --- |
| Table | AppSetting | Link is now ignorable or dynamic |

Other Updates

| Details |
| --- |
| Fixes the wrong devirtualization links between two unrelated projects. |
| Added missing bookmarks for access exec links created for foreach statement. |
| Improved the CASTIL generation for the foreach statement in case of an array instead of a classic List/collection. |
| Improved creation of global using files. |
| Fixes an issue wherein the analysis crashed while loading metamodel files from extension. |
| Changes the behaviour to decrease the number of default devirtualization links when devirtualization fails. |

1.5.3-funcrel
Resolved Issues

| Customer Ticket Id | Details |
| --- | --- |
| 44244 | Fixes missing links between .NET methods due to warnings generated by the Roslyn compiler used in the analyzer. |
| 44932 | Fixes an issue seen after upgrading CAST Imaging Console from 2.10.1 to 2.10.3: the Analysis Report was erroneously displaying analyzed files as unanalyzed. |
| 44521 | Fixes and removes the cause of the warning displayed in the analysis log "Issue encountered while processing visitor:LinqToSQLVisitor: System.IndexOutOfRangeException: Index was outside the bounds of the array" impacting analysis results. |
| 44546 | Fixes an issue causing the .NET Analyzer to incorrectly handle "ImplicitUsings" in csproj files. |

Other Updates

| Details |
| --- |
| Fixes duplicate types errors in assemblies that have the same name despite the removal of similar assemblies. |

1.5.2-funcrel
Resolved Issues

| Customer Ticket Id | Details |
| --- | --- |
| 43329 | Fixes an issue wherein the warning "DOTNET.0142:No ressource found for nuget package Microsoft.NET.Sdk.Functions version 4.1.3" was displayed in the log when the dll existed in the relevant folder. |

Other Updates

| Details |
| --- |
| Fixes an issue wherein CASTIL was creating a static link. After the fix, the property physicalLink.inferenceEngineRequests is put only on deduced links (the double link is removed). |
| Fixes a false positive for the rule (1027088): "Avoid non-public custom exception types". |
| Fixes an issue wherein a PathTooLongException on one dependency prevented the other dependencies from being retrieved. |
| Fixes an issue wherein the main C# method was an entry point when it was called (C# method should NOT be an entry point). |

Rules

| Rule Id | New Rule | Details |
| --- | --- | --- |
| 1027088 | FALSE | Fixes false positive on sealed class for the rule "Avoid non-public custom exception types". |

1.5.1-funcrel
Note
This extension has been withdrawn and is no longer available. All updates and fixes are provided in 1.5.2-funcrel.
1.5.0-funcrel
New Support

| Summary | Details |
| --- | --- |
| Support .NET Core 7 / ASP.NET Core 7 | Support for .NET Core 7 and ASP.NET Core 7 frameworks. |
| Support C# 11 | Support for version 11 of the C# language. |

1.5.0-beta4
Resolved Issues

| Customer Ticket Id | Details |
| --- | --- |
| 41935 | Fixes a false violation of rule 3612: "Avoid missing release of SQL connection after an effective lifetime (C#, VB.NET)" when using declaration syntax. |
| 42558 | Fixes an issue wherein the cs files included in SDK projects were considered as 'dead code' because new syntaxes to declare sdk-style were not supported. Now support is provided for all syntaxes. |
| 41637 | Fixes an issue where an incorrect violation count was displayed in Engineering Dashboard for the rule "Avoid comparing passwords against hard-coded strings". |

Other Updates

| Details |
| --- |
| .NET is provided with a new option to disable linking .NET Client code to SQL Database Tables. By default, this option is disabled. |
| Corrected the wrong generic type for nested class or enum of a generic class in extraction files. |
| Corrected the metamodel property of quality rules to correct violation count displayed in Dashboard. |

Rules

| Rule Id | New Rule | Details |
| --- | --- | --- |
| 7198 | FALSE | Fixed false positive for the rule (7198): "Avoid String concatenation in loops (.NET)" when the concatenation was done inside the initialization during variable declaration. |

New Support

| Summary | Details |
| --- | --- |
| Support for .NET 5+ OS-specific TFMs | Support added for .NET 5+ OS-specific TFMs. The syntax is "framework TFM" + "-" + "OS-specific". |

1.5.0-beta3
Resolved Issues

| Customer Ticket Id | Details |
| --- | --- |
| 41374 | Fixes a false violation of the rule 7862: "Avoid catching an exception of type Exception, RuntimeException, or Throwable". |
| 41802 | Fixes an issue causing the analysis to fail with the error "System.ArgumentException: An item with the same key has already been added". |

Link Improvements

| Callee Type | Caller Type | Details |
| --- | --- | --- |
| Type (class) | C# Method | When no variable is declared in a catch we now have a catchLink to the actual exception class used and Exception as callee. |
| Type (class) | C# Method | When there is a filter with an IsExpression, the callee of the catchLink is the exception(s) present in the filter. |

Other Updates

| Details |
| --- |
| A new option has been added to automatically select and remove similar input assemblies. Set to disabled by default. |
| The analysis behaviour has been updated to add a Finalise() method in all visitors and call them before saving violations: this method can be called in rules defined in User Community extensions to filter violations at the end of the project analysis. |
| Fixes an issue causing the analysis to stop with the error "Unknown exception System.NullReferenceException: Object reference not set to an instance of an object". |
| Fixes an issue causing the DotNetCmd.exe utility to exit with the error code -1073740940. |
| Fixes two issues related to catchLinks: 1) when no variable is declared in a catch, the .NET Analyzer had a catchLink to the "Exception" as a callee and not the actual "Exception class" used; 2) when there is a filter with an "IsExpression", the callee of the catchLink wasn't the exception(s) present in the filter. |
| The analysis behaviour has been updated to ensure that the symbols comparison process is completed with the current project's .NET version. |
| The analysis behaviour has been updated to avoid an argument exception caused by a duplicate key entry in the dictionary used by the diagnostic AvoidRaisingExceptionsInUnexpectedLocation. |

Rules

| Rule Id | New Rule | Details |
| --- | --- | --- |
| 1027102 | TRUE | Avoid using Regex constructor or static method without timeout |

| Summary |
| --- |
| Improve the performance of the 'Dead source detector' |

1.5.0-beta2
Resolved Issues

| Customer Ticket Id | Details |
| --- | --- |
| 40482 | Fixes an issue causing an analysis to fail with the error "DOTNET.0007:Unknown language Unknown. Couldn't load project." |
| 37973 | Fixes an issue where the analyzer will exclude duplicate projects based on assembly name causing .CS files to be ignored (lack of support of SDK-style project files). |
| 40912 | Fixes an issue where .csproj and .vbproj files were encoded in UTF-16 causing all .cs and .vb files to be ignored during the analysis. The fix ensures that project files are always streamed in UTF-8 to safely load them. |

Other Updates

| Details |
| --- |
| Unused source files (e.g. with the Content or None tag) such as .cs, .vb, etc. in SDK style projects are now logged as unused and made available in CAST Console. |
| The analyzer has been updated to prevent the analysis of unused source files (e.g. with the Content or None tag) such as .cs, .vb, etc. in SDK style projects. |
| The analyzer has been updated to detect and remove similar input assemblies that are not present in the csproj or vbproj file. Previously these files were analyzed causing the error "The type 'xxx' exists in both 'xxx' and 'yyy'". |
| The analyzer has been updated to ensure that memory consumption is logged for each project during the analysis process. |
| The analyzer has been updated to ensure that generated objects (such as classes) are saved with the properties "external" and "generated" (previously these objects were only saved with the property "external"). |
| Fixes a false positive in rule 1027042 "Avoid having unmatched contracts for exported interfaces" that is triggered when a class does not implement directly the interface but inherits a class that implements it. |
| Fixes an issue where tags disabling implicit file inclusion in SDK style project files are ignored during an analysis causing unwanted files to be analyzed. |
| Fixes an issue where the analyzer was previously analyzing the same file multiple times (due to the existence of multiple project files specifying the compilation of the file multiple times). |
| Fixes an issue causing the analyzer to create the wrong type of link (accessReadLink) when the assignment of an object is done by a deconstruct operation. The analyzer now creates an accessWriteLink link instead. |
| Fixes a false negative in rule 1027100 "Avoid dangerous File Upload" that is triggered when "HttpPostedFile.SaveAs" is used. |

Rules

| Rule Id | New Rule | Details |
| --- | --- | --- |
| 1027042 | FALSE | "Avoid having unmatched contracts for exported interfaces": removed a false positive that was triggered when a class did not implement directly the interface but inherited a class that implemented it. |
| 1027100 | FALSE | "Avoid dangerous File Upload": fixes a false negative that is triggered when "HttpPostedFile.SaveAs" is used. |

New Support

| Summary | Details |
| --- | --- |
| Support of C# 10 | The .NET Analyzer now supports the analysis of C# 10. |

1.5.0-beta1
Resolved Issues

| Customer Ticket Id | Details |
| --- | --- |
| 39034 | Fixes an issue causing an analysis crash with the error "Unknown exception System.InvalidOperationException: The project already contains the specified reference." |
| 38601 | Fixes an issue causing an analysis crash with the error "Unknown exception System.InvalidOperationException: The project already contains the specified reference." |
| 38362 | Fixes an issue causing an analysis crash with the error: "Unknown exception System.IO.DirectoryNotFoundException: Could not find a part of the path." |
| 39086 | Fixes a false violation of the rule 8108 - "Avoid missing release of stream connection after an effective lifetime". |
| 37489 | Fixes an issue where the analysis completed but took a very long time to run. |
| 38509 | Fixes several incorrect terms in warning messages found in the .NET analysis log file. |
| 38529 | Fixes an issue where the warning "DOTNET.0012:Could not load assembly" was encountered many times in one analysis. This warning is now not triggered for DLLs that are not .NET assemblies, and where there is more than one DLL in a directory of a build of a package, all DLLs are added. |

Other Updates

| Details |
| --- |
| Update made to change the behaviour of dataflow for Client/Server link resolution: the flow now does not stop on unknown external method and instead continues the flow. |
| Changes made to stop the exception being raised when analyzing code with local functions: now the analyzer carefully ignores local function calls in order to avoid exceptions (and so, continue the analysis of the current file). |
| Fixes an exception raised by the Security Analyzer during log forging analysis due to optional arguments encountered in the code. |
| Fixes an issue where the log contained many instances of the entry "An exception occurred while generating code for…." when tuple expressions were being analyzed. |
| Provides automatic blackboxing for the ExternalLinksBuilder component in order to obtain accurate C/S links. In previous releases a custom blackbox was required. Note that with previous releases of the .NET Analyzer, accurate client/server links were only found when standard persistence frameworks (such as Oracle ODP, Npgsql, MySql.Data) were used. Starting from release 1.5.0, even when a custom (in-house) persistence framework is used, accurate client/server links are now found in many cases. |

Rules

| Rule Id | New Rule | Details |
| --- | --- | --- |
| 8108 | FALSE | Fixes a false violation of the rule 8108 - "Avoid missing release of stream connection after an effective lifetime". |

Transaction Improvements

| Type | Framework |
| --- | --- |
| Client/server links | ADO.NET and custom wrappers of ADO.NET |