Microsoft code analysis tool CAT.NET 2.0 beta available for download

2010/2/5 11:13:47    Editor: 軟媒 - 笨笨

Win7之家 (afsion.com.cn): Microsoft code analysis tool CAT.NET 2.0 beta available for download

A milestone build of Microsoft's source code security scanning tool for managed code has been released and is now available for download from Microsoft's official website.

Developers can "click here" to join the beta program and download the Microsoft Code Analysis Tool (CAT.NET 2.0 for short).

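The final version of CAT.NET 2.0 will be released shortly after Visual Studio 2010 RTM; the current build is mainly intended for collecting problem reports and suggestions. Judging from the announcement, there are quite a few improvements this time, and you can read through the change history. For lack of time, 軟媒 has not translated it in full, because how could anyone doing development be unable to read English? If you cannot read it, move along; anyone who can make use of this has to be able to read it to count as a qualified programmer, since programming is, after all, an English-speaking world.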

軟媒 provides the original English text below:

Microsoft Code Analysis Tool for Net v2.0 Goes Beta

A testing development milestone for the next iteration of Microsoft’s managed code security source code scanning tool is currently available for download. Developers can now access the Beta build of the second version of Microsoft Code Analysis Tool for Net and test drive the release before it is generally available in just a few months. Testers can grab the latest build of CAT.NET v2.0 by joining the Beta program for the project on Microsoft Connect, revealed Syed Aslam Basha, Microsoft Information Security Tools (IST) Test Lead. However, developers looking to get a feeling of what CAT.NET v2.0 brings to the table will need to hurry, as the Beta program will last only a single month.

“The final released version is scheduled to release shortly after Visual Studio 2010 RTM. The goal of this beta program is to garner feedback from the user community,” Basha said, indicating that feedback should be sent to ist-cat at microsoft.com.

CAT.NET v2.0 brings to the table a consistent volume of code changes which have impacted user experience and core analysis. Basha provided a list of the changes which has been included at the bottom of this article. According to Microsoft, CAT.NET v2.0 now features UX integration with both Visual Studio 2010 and FxCop command prompt. At the same time, the tool will make available to developers 46 new configuration and 9 data flow rules. Devs will be able to leverage various aspects of CAT.NET v2.0’s evolution such as tainted data flow analysis and a configuration analysis engine.

Here are the changes highlighted by Basha:

“User Experience:

- Integration with Visual Studio 2010 code analysis infrastructure as FxCop rules.
- Easy analysis using FxCop command line or UI interface or VSTS Team Build.
- Currently beta includes FxCop UI and Command prompt.

Core Analysis:

- Total of 55 rules have been added. 9 data flow rules and 46 configuration rules are included in this version.
- Updated tainted data flow analysis engine to track both tainted operands and source symbols.
- Reduced false positives and false negatives.
  - Accomplished by detecting sanitizers, constant variables and instructions that affect the data flow.
- New Data flow rule to detect XML Injection attacks
- Updated configuration rules engine detecting clear text connection strings and credentials.
- Rules to detect insecure defaults.
  - Example: minRequiredPasswordLength attribute of membership providers add element.
- Configuration rules updated to detect @page directive configuration overrides.”
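
To make two of the configuration checks named in the list concrete, here is an added illustration (not CAT.NET's rule code and not part of the article) that flags a clear-text password in a connection string and a short minRequiredPasswordLength on a membership provider's add element. The sample web.config, the function names and the threshold of 8 are assumptions made for this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample web.config (not from the article or from CAT.NET).
SAMPLE_WEB_CONFIG = """<configuration>
  <connectionStrings>
    <add name="Orders" connectionString="Server=db1;Database=orders;User ID=app;Password=ExamplePw1" />
    <add name="Reports" connectionString="Server=db1;Database=reports;Integrated Security=SSPI" />
  </connectionStrings>
  <system.web>
    <membership>
      <providers>
        <add name="SqlProvider" type="System.Web.Security.SqlMembershipProvider"
             minRequiredPasswordLength="4" />
      </providers>
    </membership>
  </system.web>
</configuration>"""

MIN_PASSWORD_LENGTH = 8  # assumed policy threshold, not a value taken from CAT.NET
CREDENTIAL_KEY = re.compile(r"^(password|pwd)$", re.IGNORECASE)


def has_cleartext_password(connection_string):
    """True if a key=value pair in the connection string carries a non-empty password."""
    for pair in connection_string.split(";"):
        key, sep, value = pair.partition("=")
        if sep and CREDENTIAL_KEY.match(key.strip()) and value.strip():
            return True
    return False


def scan_config(xml_text):
    """Return (rule, element name, detail) tuples for the two checks."""
    root = ET.fromstring(xml_text)
    findings = []
    for add in root.findall("connectionStrings/add"):
        if has_cleartext_password(add.get("connectionString", "")):
            findings.append(("cleartext-credential", add.get("name"), "password in connectionString"))
    for add in root.findall("system.web/membership/providers/add"):
        raw = add.get("minRequiredPasswordLength")
        # An absent attribute falls back to the provider default, which is not judged here.
        if raw is not None and raw.isdigit() and int(raw) < MIN_PASSWORD_LENGTH:
            findings.append(("weak-password-length", add.get("name"), f"minRequiredPasswordLength={raw}"))
    return findings
```

The connection string that uses Integrated Security is not reported, because it carries no password key.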