Release Notes - 1.4
1.4.14-funcrel
Resolved Issues
Customer Ticket Id | Details |
---|---|
45983 | Fixes an issue causing broken links from Angular "Get HTTP Service" objects to "DotNet Controller Action" objects. |
Other Updates
Details |
---|
Fixes an error: "UnboundLocalError: local variable 'fd' referenced before assignment". The situations causing this error have been fixed: a contextual keyword used as an identifier for a member is now supported, and the file is now closed properly when an exception is raised. |
1.4.13-funcrel
Resolved Issues
Customer Ticket Id | Details |
---|---|
44196 | Fixes an issue causing missing links for REST API calls. |
43765 | Fixes an issue causing a mismatch of the violation count value displayed in the "Risk Investigation" view and the "Application Investigation" view in the CAST Engineering Dashboard. |
Other Updates
Details |
---|
Fixes an issue causing the following warning entry in the analysis log "Extension dotnetweb has encountered an issue "AttributeError: 'NoneType' object has no attribute 'file'"". |
Fixes an issue causing the incorrect creation of "CAST_DotNet_PostOperation" objects for Get, Delete and Put operations. |
New Support
Summary | Details |
---|---|
Support of OData | Support of OData server side for ASP.NET and ASP.NET Core. |
1.4.12-funcrel
Resolved Issues
Customer Ticket Id | Details |
---|---|
43553 | Fixes an issue where missing links were evident between "DotNet Get Resource Service" and "DotnetController Action" objects. |
43392 | Fixes an issue where missing "Dotnet Put Operation" objects were evident. |
43516 | Fixes an issue where missing "Dotnet Controller Action" objects were evident after upgrade from extension 1.4.9 to 1.4.11 and a re-analysis with the same source code. |
Other Updates
Details |
---|
Fixes an issue where a "Controller class" in a file scope namespace is not found, causing a missing "DotNet Controller Action" object. |
1.4.11-funcrel
Other Updates
Details |
---|
Fixes an issue where controllers declared as partial classes were not analyzed correctly. |
Rules
Rule Id | New Rule | Details |
---|---|---|
1043086 | TRUE | Avoid using Html.Raw() or HtmlHelper.Raw() |
1.4.10-funcrel
Resolved Issues
Customer Ticket Id | Details |
---|---|
39887 | Fixed the missing .NET Web operations when ApiController/Route is used. |
Rules
Rule Id | New Rule | Details |
---|---|---|
1043012 | FALSE | Fixed the wrong bookmark in rule (1043012): "Avoid creating cookie without setting httpOnly option in Config file (ASP.NET)" when there are two system.web tags and the second has no httpCookies tag inside. |
1043022 | FALSE | Fixed the false negative in rule (1043022): "Avoid using unsecured cookie (C#)" when Secure property is not set. |
1043010 | FALSE | Fixed the false negative in rule (1043010): "Avoid creating cookie without setting httpOnly option (C#)" when HttpOnly property is not set. |
1.4.9-funcrel
Resolved Issues
Customer Ticket Id | Details |
---|---|
39887 | Fixes an issue where links were missing from Angular/Typescript to .NET backend. |
Rules
Rule Id | New Rule | Details |
---|---|---|
1043024 | FALSE | Fixes a missing violation for the rule: "Always enable RequireSSL attribute for cookies in Config file (ASP.NET)". Fixes an issue where the Forms-authentication cookie required SSL. |
1.4.8-funcrel
Other Updates
Details |
---|
Technical update to extend the XML config parser so that it can be re-used by quality rules. |
1.4.7-funcrel
Rules
Rule Id | New Rule | Details |
---|---|---|
1101038 | FALSE | Fixed a false violation for the rule 1101038: "Avoid OR conditions testing equality on the same identifier in SQL WHERE clauses". |
1.4.6-funcrel
Rules
Rule Id | New Rule | Details |
---|---|---|
1043018 | FALSE | The rule "Avoid storing passwords in the config files" was not taking into account the file appsettings.json (which is a .NET related file). Now this file (any file called appsettings.<x>.json) is taken into account. This changes the rule calculation, and additional violations may be found. |
1.4.5-funcrel
Resolved Issues
Customer Ticket Id | Details |
---|---|
37235 | Fixed wrong detail check for the rule (1043082): “Avoid client provided dictionaries to have high request sizes”. |
1.4.4-funcrel
Resolved Issues
Customer Ticket Id | Details |
---|---|
34602 | Net analysis warning: "Extension com.castsoftware.dotnetweb has encountered an issue" |
33785 | False positive for the rule (rule id: 1043074): Avoid creating unsecured HTTPS GET metadata endpoint in configuration. |
34185 | Violation for rule (rule id: 1043066): "Always use HTTPS Redirection Middleware and HSTS Middleware in your ASP.NET Core application" even though the remediation was applied. |
Other Updates
Details |
---|
Performance issue in procedure SET_DotNETWeb_Controller. |
Rules
Rule Id | New Rule | Details |
---|---|---|
1043074 | FALSE | Avoid creating unsecured HTTPS GET metadata endpoint in configuration. |
1043066 | FALSE | Always use HTTPS Redirection Middleware and HSTS Middleware in your ASP.NET Core application. |
New Support
Summary | Details |
---|---|
Add support of VB files for controllers | Add support of VB files for controllers. |
1.4.3-funcrel
Rules
Rule Id | New Rule | Details |
---|---|---|
1043012 | FALSE | Avoid triggering a violation on a config file when the correct configuration is done in C# code. |
1043024 | FALSE | Avoid triggering a violation on a config file when the correct configuration is done in C# code. |
1.4.2-funcrel
Resolved Issues
Customer Ticket Id | Details |
---|---|
32582 | "DOTNET Get Operation" objects are not created and the links to them are missing. |
33017 | False positive violation of the rule 1043018 - Avoid storing passwords in the config files. <add key="PasswordLength" value="12" /> is wrongly flagged as a violation. |
Rules
Rule Id | New Rule | Details |
---|---|---|
1043018 | FALSE | "Avoid storing passwords in the config files" - false positive violation caused by the code "<add key="PasswordLength" value="12" />". |
1.4.1-funcrel
Resolved Issues
Customer Ticket Id | Details |
---|---|
30752 | All DotNet Operation objects are missing in comparison to snapshot n-1. |
31469 | Broken link since there are missing CAST_DotNet_Controller_Action objects from ActionResult. |
31004 | Missing ASP.NET post/get operations from ASP.NET MVC support. |
Other Updates
Details |
---|
Extension [com.castsoftware.dotnetweb]: traceback reports in analysis logs. |
1.4.0-funcrel
Resolved Issues
Customer Ticket Id | Details |
---|---|
29266 | Missing link between razor service and .NET operation |
29268 | Missing Web API call links between JavaScript and .NET |
Other Updates
Details |
---|
Two .NET Post and Get operations are created for one single operation |
Clean the url routing between client and server |
1.4.0-beta1
Rules
Rule Id | New Rule | Details |
---|---|---|
1043082 | TRUE | Avoid client provided dictionaries to have high request sizes |
1043084 | TRUE | Avoid XML schemas with unbounded occurrences |
1043018 | FALSE | Avoid storing passwords in the config files: search for passwords in the appSettings tag added |
1.4.0-alpha2
Other Updates
Details |
---|
Incorrect URL in case of [controller] - this change may impact your existing analysis results (call graph resolution has been increased and object properties have changed). |
Rules
Rule Id | New Rule | Details |
---|---|---|
1043076 | TRUE | Avoid disabling custom errors mode to prevent exposure of exceptions and error data |
1043078 | TRUE | Avoid debug binaries that include detailed debug information |
1043080 | TRUE | Avoid disabling OR not defining encryption behavior for encryption when connecting with Database |
1043018 | FALSE | Avoid storing passwords in the config files (a missing violation was fixed - this could impact your analysis results) |
1.4.0-alpha1
Rules
Rule Id | New Rule | Details |
---|---|---|
1043066 | TRUE | Always use HTTPS Redirection Middleware and HSTS Middleware in your ASP.NET Core application |
1043068 | TRUE | Avoid using RequireHttpsAttribute on Web APIs that receive sensitive information |
1043070 | TRUE | Avoid disabling the XSRF/CSRF Protection (ASP.NET Core MVC) |
1043072 | TRUE | Avoid creating unsecured HTTPS GET metadata endpoint in code |
1043074 | TRUE | Avoid creating unsecured HTTPS GET metadata endpoint in configuration |