Release Notes - 1.4
1.4.16-funcrel
Fixes/Bugs
| Customer Ticket Id | Customer Details |
|---|---|
| Fixes token replacement in route which led to missing link from Dotnet Get Resource Service to DotNet Get Operation | |
| Fixes an error in token replacement in route which led to missing DotNet Controller Action object | |
| 52493 | Improves accuracy of rule: 1043030 - Ensure the X-Frame-Options header is setup (ASP.NET) |
| 52591 | Improves accuracy of rule: 1043086 - Avoid using Html.Raw() or HtmlHelper.Raw() |
| 51711 | Fixes token replacement in route definition which led to missing links call from Dotnet Get Resource Service to DotNet Get Operation. |
1.4.15-funcrel
Resolved Issues
| Customer Ticket Id | Details |
|---|---|
| 49923 | Fixes an issue causing false negative violations on code within BlockStatements for the rule 1043086 "Avoid using Html.Raw() or HtmlHelper.Raw()". |
| 47897 | Fixes an issue causing a false positive violations for boolean values in settings for the rule 1043018 "Avoid storing passwords in the config files". |
Other Updates
| Details |
|---|
| Fixes a traceback error seen in the analysis log: "TypeError: argument of type 'NoneType' is not iterable". |
Rules
| Rule Id | New Rule | Details |
|---|---|---|
| 1043086 | FALSE | Fixes an issue causing false negative violations on code within BlockStatements for the rule 1043086 "Avoid using Html.Raw() or HtmlHelper.Raw()". |
| 1043018 | FALSE | Fixes an issue causing a false positive violations for boolean values in settings for the rule 1043018 "Avoid storing passwords in the config files". |
1.4.14-funcrel
Resolved Issues
| Customer Ticket Id | Details |
|---|---|
| 45983 | Fixes an issue causing broken links from Angular "Get HTTP Service" objects to "DotNet Controller Action" objects. |
Other Updates
| Details |
|---|
| Fixes an error: "UnboundLocalError: local variable 'fd' referenced before assignment". The situations causing this error have been fixed: Contextual keyword used as identifier for member is now supported and close file properly file when exception is raised is now handled. |
1.4.13-funcrel
Resolved Issues
| Customer Ticket Id | Details |
|---|---|
| 43765 | Fixes an issue causing a mismatch of the violation count value displayed in the "Risk Investigation" view and the "Application Investigation" view in the CAST Engineering Dashboard. |
| 44196 | Fixes an issue causing missing links for REST API calls. |
Other Updates
| Details |
|---|
| Fixes an issue causing the incorrect creation of "CAST_DotNet_PostOperation" objects for Get, Delete and Put operations. |
| Fixes an issue causing the following warning entry in the analysis log "Extension dotnetweb has encountered an issue "AttributeError: 'NoneType' object has no attribute 'file'"". |
New Support
| Summary | Details |
|---|---|
| Support of OData | Support of OData server side for ASP.NET and ASP.NETCore. |
1.4.12-funcrel
Resolved Issues
| Customer Ticket Id | Details |
|---|---|
| 43516 | Fixes an issue where missing "Dotnet Controller Action" objects were evident after upgrade from extension 1.4.9 to 1.4.11 and a re-analysis with the same source code. |
| 43392 | Fixes an issue where missing "Dotnet Put Operation" objects were evident. |
| 43553 | Fixes an issue where missing links were evident between "DotNet Get Resource Service" and "DotnetController Action" objects. |
Other Updates
| Details |
|---|
| Fixes an issue where a "Controller class" in a file scope namespace is not found, causing a missing "DotNet Controller Action" object. |
1.4.11-funcrel
Other Updates
| Details |
|---|
| Fixes an issue wherein the controllers with partial class were not analyzed correctly. |
Rules
| Rule Id | New Rule | Details |
|---|---|---|
| 1043086 | TRUE | Avoid using Html.Raw() or HtmlHelper.Raw() |
1.4.10-funcrel
Resolved Issues
| Customer Ticket Id | Details |
|---|---|
| 39887 | Fixed the missing .NET Web operations when ApiController/Route is used. |
Rules
| Rule Id | New Rule | Details |
|---|---|---|
| 1043010 | FALSE | Fixed the false negative in rule (1043010): "Avoid creating cookie without setting httpOnly option (C#)" when HttpOnly property is not set. |
| 1043022 | FALSE | Fixed the false negative in rule (1043022): "Avoid using unsecured cookie (C#)" when Secure property is not set. |
| 1043012 | FALSE | Fixed the wrong bookmark in rule (1043012): "Avoid creating cookie without setting httpOnly option in Config file (ASP.NET)" when there are 2 tags system.web with the second without httpCookies tag inside. |
1.4.9-funcrel
Resolved Issues
| Customer Ticket Id | Details |
|---|---|
| 39887 | Fixes an issue where links were missing from Angular/Typescript to .NET backend. |
Rules
| Rule Id | New Rule | Details |
|---|---|---|
| 1043024 | FALSE | Fixes a missing violation for the rule: "Always enable RequireSSL attribute for cookies in Config file (ASP.NET)". Fixes an issue where, Forms-authentication cookie required an SSL. |
1.4.8-funcrel
Other Updates
| Details |
|---|
| Technical update to extend the XML config parser so that it can be re-used by quality rules. |
1.4.7-funcrel
Rules
| Rule Id | New Rule | Details |
|---|---|---|
| 1101038 | FALSE | Fixed a false violation for the rule 1101038: "Avoid OR conditions testing equality on the same identifier in SQL WHERE clauses". |
1.4.6-funcrel
Rules
| Rule Id | New Rule | Details |
|---|---|---|
| 1043018 | FALSE | The rule: “Avoid storing passwords in the config files” was not taking into account the file appsettings.json (which is a .NET related file). Now this file (any file called appsettings.<x>.json) is taken into account. This changes the rule calculation and potentially additional violations may be found. |
1.4.5-funcrel
Resolved Issues
| Customer Ticket Id | Details |
|---|---|
| 37235 | Fixed wrong detail check for the rule (1043082): “Avoid client provided dictionaries to have high request sizes”. |
1.4.4-funcrel
Resolved Issues
| Customer Ticket Id | Details |
|---|---|
| 34185 | Violation for rule (rule id: 1043066): "Always use HTTPS Redirection Middleware and HSTS Middleware in your ASP.NET Core application" even though the remediation applied. |
| 33785 | False positive for the rule (rule id: 1043074): Avoid creating unsecured HTTPS GET metadata endpoint in configuration. |
| 34602 | Net analysis warning: "Extension com.castsoftware.dotnetweb has encountered an issue" |
Other Updates
| Details |
|---|
| Performance issue in procedure SET_DotNETWeb_Controller. |
Rules
| Rule Id | New Rule | Details |
|---|---|---|
| 1043066 | FALSE | Always use HTTPS Redirection Middleware and HSTS Middleware in your ASP.NET Core application. |
| 1043074 | FALSE | Avoid creating unsecured HTTPS GET metadata endpoint in configuration. |
New Support
| Summary | Details |
|---|---|
| Add support of VB files for controllers | Add support of VB files for controllers. |
1.4.3-funcrel
Rules
| Rule Id | New Rule | Details |
|---|---|---|
| 1043024 | FALSE | Avoid to trigger a violation on a config file when the good config is done in csharp code |
| 1043012 | FALSE | Avoid to trigger a violation on a config file when the good config is done in csharp code |
1.4.2-funcrel
Resolved Issues
| Customer Ticket Id | Details |
|---|---|
| 33017 | False positive violation of the rule 1043018 - Avoid storing passwords in the config files. <add key="PasswordLength" value="12" /> is wrongly flagged as a violation. |
| 32582 | "DOTNET Get Operation" objects are not created and the links to them are missing. |
Rules
| Rule Id | New Rule | Details |
|---|---|---|
| 1043018 | FALSE | "Avoid storing passwords in the config files" - false positive violation caused by the code "<add key="PasswordLength" value="12" />". |
1.4.1-funcrel
Resolved Issues
| Customer Ticket Id | Details |
|---|---|
| 31004 | Missing ASP.NET post/get operations from ASP.NET MVC support. |
| 31469 | Broken link since there are missing CAST_DotNet_Controller_Action objects from ActionResult. |
| 30752 | All DotNet Operation objects are missing in comparison to snapshot n-1. |
Other Updates
| Details |
|---|
| Extension [com.castsoftware.dotnetweb] Tracebacks reports in analyses's logs. |
1.4.0-funcrel
Resolved Issues
| Customer Ticket Id | Details |
|---|---|
| 29268 | Missing Web API call links between JavaScript and .NET |
| 29266 | Missing link between razor service and .NET operation |
Other Updates
| Details |
|---|
| Clean the url routing between client and server |
| Two .NET Post and Get operations are created for one single operation |
1.4.0-beta1
Rules
| Rule Id | New Rule | Details |
|---|---|---|
| 1043018 | FALSE | Avoid storing passwords in the config files : search for passwords in appSettings tag added |
| 1043084 | TRUE | Avoid XML schemas with unbounded occurrences |
| 1043082 | TRUE | Avoid client provided dictionaries to have high request sizes |
1.4.0-alpha2
Other Updates
| Details |
|---|
| Incorrect URL in case of [controler] - this change may impact your existing analysis results (call graph resolution has been increased and object properties have changed). |
Rules
| Rule Id | New Rule | Details |
|---|---|---|
| 1043018 | FALSE | Avoid storing passwords in the config files (a missing violation was fixed - this could impact your analysis results) |
| 1043080 | TRUE | Avoid disabling OR not defining encryption behavior for encryption when connecting with Database |
| 1043078 | TRUE | Avoid debug binaries that include detailed debug information |
| 1043076 | TRUE | Avoid disabling custom errors mode to prevent exposure of exceptions and error data |
1.4.0-alpha1
Rules
| Rule Id | New Rule | Details |
|---|---|---|
| 1043074 | TRUE | Avoid creating unsecured HTTPS GET metadata endpoint in configuration |
| 1043072 | TRUE | Avoid creating unsecured HTTPS GET metadata endpoint in code |
| 1043070 | TRUE | Avoid disabling the XSRF/CSRF Protection (ASP.NET Core MVC) |
| 1043068 | TRUE | Avoid using RequireHttpsAttribute on Web APIs that receive sensitive information |
| 1043066 | TRUE | Always use HTTPS Redirection Middleware and HSTS Middleware in your ASP.NET Core application |