Release Notes - 1.4
1.4.13-funcrel
Resolved Issues
| Customer Ticket Id | Details |
|---|---|
| 44196 | Fixes an issue causing missing links for REST API calls. |
| 43765 | Fixes an issue causing a mismatch of the violation count value displayed in the “Risk Investigation” view and the “Application Investigation” view in the CAST Engineering Dashboard. |
Other Updates
| Details |
|---|
| Fixes an issue causing the following warning entry in the analysis log “Extension dotnetweb has encountered an issue “AttributeError: ‘NoneType’ object has no attribute ‘file’””. |
| Fixes an issue causing the incorrect creation of “CAST_DotNet_PostOperation” objects for Get, Delete and Put operations. |
New Support
| Summary | Details |
|---|---|
| Support of OData | Support of OData server side for ASP.NET and ASP.NETCore. |
1.4.12-funcrel
Resolved Issues
| Customer Ticket Id | Details |
|---|---|
| 43553 | Fixes an issue where missing links were evident between “DotNet Get Resource Service” and “DotnetController Action” objects. |
| 43392 | Fixes an issue where missing “Dotnet Put Operation” objects were evident. |
| 43516 | Fixes an issue where missing “Dotnet Controller Action” objects were evident after upgrade from extension 1.4.9 to 1.4.11 and a re-analysis with the same source code. |
Other Updates
| Details |
|---|
| Fixes an issue where a “Controller class” in a file scope namespace is not found, causing a missing “DotNet Controller Action” object. |
1.4.11-funcrel
Other Updates
| Details |
|---|
| Fixes an issue wherein the controllers with partial class were not analyzed correctly. |
Rules
| Rule Id | New Rule | Details |
|---|---|---|
| 1043086 | TRUE | Avoid using Html.Raw() or HtmlHelper.Raw() |
1.4.10-funcrel
Resolved Issues
| Customer Ticket Id | Details |
|---|---|
| 39887 | Fixed the missing .NET Web operations when ApiController/Route is used. |
Rules
| Rule Id | New Rule | Details |
|---|---|---|
| 1043012 | FALSE | Fixed the wrong bookmark in rule (1043012): “Avoid creating cookie without setting httpOnly option in Config file (ASP.NET)” when there are 2 tags system.web with the second without httpCookies tag inside. |
| 1043022 | FALSE | Fixed the false negative in rule (1043022): “Avoid using unsecured cookie (C#)” when Secure property is not set. |
| 1043010 | FALSE | Fixed the false negative in rule (1043010): “Avoid creating cookie without setting httpOnly option (C#)” when HttpOnly property is not set. |
1.4.9-funcrel
Resolved Issues
| Customer Ticket Id | Details |
|---|---|
| 39887 | Fixes an issue where links were missing from Angular/Typescript to .NET backend. |
Rules
| Rule Id | New Rule | Details |
|---|---|---|
| 1043024 | FALSE | Fixes a missing violation for the rule: “Always enable RequireSSL attribute for cookies in Config file (ASP.NET)”. Fixes an issue where, Forms-authentication cookie required an SSL. |
1.4.8-funcrel
Other Updates
| Details |
|---|
| Technical update to extend the XML config parser so that it can be re-used by quality rules. |
1.4.7-funcrel
Rules
| Rule Id | New Rule | Details |
|---|---|---|
| 1101038 | FALSE | Fixed a false violation for the rule 1101038: “Avoid OR conditions testing equality on the same identifier in SQL WHERE clauses”. |
1.4.6-funcrel
Rules
| Rule Id | New Rule | Details |
|---|---|---|
| 1043018 | FALSE | The rule: “Avoid storing passwords in the config files” was not taking into account the file appsettings.json (which is a .NET related file). Now this file (any file called appsettings.<x>.json) is taken into account. This changes the rule calculation and potentially additional violations may be found. |
1.4.5-funcrel
Resolved Issues
| Customer Ticket Id | Details |
|---|---|
| 37235 | Fixed wrong detail check for the rule (1043082): “Avoid client provided dictionaries to have high request sizes”. |
1.4.4-funcrel
Resolved Issues
| Customer Ticket Id | Details |
|---|---|
| 34602 | Net analysis warning: “Extension com.castsoftware.dotnetweb has encountered an issue” |
| 33785 | False positive for the rule (rule id: 1043074): Avoid creating unsecured HTTPS GET metadata endpoint in configuration. |
| 34185 | Violation for rule (rule id: 1043066): “Always use HTTPS Redirection Middleware and HSTS Middleware in your ASP.NET Core application” even though the remediation applied. |
Other Updates
| Details |
|---|
| Performance issue in procedure SET_DotNETWeb_Controller. |
Rules
| Rule Id | New Rule | Details |
|---|---|---|
| 1043074 | FALSE | Avoid creating unsecured HTTPS GET metadata endpoint in configuration. |
| 1043066 | FALSE | Always use HTTPS Redirection Middleware and HSTS Middleware in your ASP.NET Core application. |
New Support
| Summary | Details |
|---|---|
| Add support of VB files for controllers | Add support of VB files for controllers. |
1.4.3-funcrel
Rules
| Rule Id | New Rule | Details |
|---|---|---|
| 1043012 | FALSE | Avoid to trigger a violation on a config file when the good config is done in csharp code |
| 1043024 | FALSE | Avoid to trigger a violation on a config file when the good config is done in csharp code |
1.4.2-funcrel
Resolved Issues
| Customer Ticket Id | Details |
|---|---|
| 32582 | “DOTNET Get Operation” objects are not created and the links to them are missing. |
| 33017 | False positive violation of the rule 1043018 - Avoid storing passwords in the config files. |
Rules
| Rule Id | New Rule | Details |
|---|---|---|
| 1043018 | FALSE | “Avoid storing passwords in the config files” - false positive violation caused by the code “ |
1.4.1-funcrel
Resolved Issues
| Customer Ticket Id | Details |
|---|---|
| 30752 | All DotNet Operation objects are missing in comparison to snapshot n-1. |
| 31469 | Broken link since there are missing CAST_DotNet_Controller_Action objects from ActionResult. |
| 31004 | Missing ASP.NET post/get operations from ASP.NET MVC support. |
Other Updates
| Details |
|---|
| Extension [com.castsoftware.dotnetweb] Tracebacks reports in analyses’s logs. |
1.4.0-funcrel
Resolved Issues
| Customer Ticket Id | Details |
|---|---|
| 29266 | Missing link between razor service and .NET operation |
| 29268 | Missing Web API call links between JavaScript and .NET |
Other Updates
| Details |
|---|
| Two .NET Post and Get operations are created for one single operation |
| Clean the url routing between client and server |
1.4.0-beta1
Rules
| Rule Id | New Rule | Details |
|---|---|---|
| 1043082 | TRUE | Avoid client provided dictionaries to have high request sizes |
| 1043084 | TRUE | Avoid XML schemas with unbounded occurrences |
| 1043018 | FALSE | Avoid storing passwords in the config files : search for passwords in appSettings tag added |
1.4.0-alpha2
Other Updates
| Details |
|---|
| Incorrect URL in case of [controler] - this change may impact your existing analysis results (call graph resolution has been increased and object properties have changed). |
Rules
| Rule Id | New Rule | Details |
|---|---|---|
| 1043076 | TRUE | Avoid disabling custom errors mode to prevent exposure of exceptions and error data |
| 1043078 | TRUE | Avoid debug binaries that include detailed debug information |
| 1043080 | TRUE | Avoid disabling OR not defining encryption behavior for encryption when connecting with Database |
| 1043018 | FALSE | Avoid storing passwords in the config files (a missing violation was fixed - this could impact your analysis results) |
1.4.0-alpha1
Rules
| Rule Id | New Rule | Details |
|---|---|---|
| 1043066 | TRUE | Always use HTTPS Redirection Middleware and HSTS Middleware in your ASP.NET Core application |
| 1043068 | TRUE | Avoid using RequireHttpsAttribute on Web APIs that receive sensitive information |
| 1043070 | TRUE | Avoid disabling the XSRF/CSRF Protection (ASP.NET Core MVC) |
| 1043072 | TRUE | Avoid creating unsecured HTTPS GET metadata endpoint in code |
| 1043074 | TRUE | Avoid creating unsecured HTTPS GET metadata endpoint in configuration |