• sln were not analyzed by standalone tool fix by @matteo-tosi in #262
• added --sdk-path parameter

Full Changelog

• Fixed #258 "Standalone scanner throws exception: 'ProjectName' is already part of the workspace"

Full Changelog

• Fixed #257 "Exception on solution that contains a Solution Items section"

• Support running dotnet tool against a single project
• Better filtering by projects in the dotnet tool
• #246 Package security-scan is not compatible with netcoreapp3.1

• #248 Be able to exit with non-zero error code when warnings are found

• Blue-yellow edition in support of Ukraine.

• Fixed #239 "Adding custom sanitizers to a config file in stand-alone runner".

• Added support for .NET 6.0 and VS2022

• New parameter --ignore-msbuild-errors for standalone runner to ignore errors from incompatible projects.
• Bug fixes and improvements.

• Standalone runner improved. My favorite way to run SCS!
• Bug fixes and improvements.
• A script was made by Sebastien gioria for importing the analysis results into DefectDojo.

• New inter-procedural taint analysis engine.
• New sinks and sources.
• Bug fixes.
• Standalone tool.

• Removed EntityFramework "Interpolated" sinks that caused false positives.
• Added configuration entry for Web Config analyzer to allow filtering file names.

Bugfix release.

• Fix MissingMethodException "Method not found: 'YamlDotNet.Serialization.IDeserializer YamlDotNet.Serialization.DeserializerBuilder.Build()'" if incompatible version of YamlDotNet is loaded by the process.

• Better taint analysis in implicit string conversions case.
• Out of range exception fix.
• New SQL injection and Path Traversal sinks.

Thanks @watfordgnf and @indy-singh for the contributions!

• XSS analyzer was rewritten. Additional sanitizers were added.
• Added ReportAnalysisCompletion option to output a message that the analysis did run.
• Bugfixes and improvements.

• Better C# 7 handling
• CSRF analyzer configuration made more flexible.
  Configuration file schema version has changed to 2.0, so if you had custom config settings, you’ll need to adjust to the schema and bump your file name from config-2.0.yml to config-2.1.yml or change from Version: 2.0 to Version: 2.1 if it was added to a project.
• Bug fixes.

Thanks @kevin-montrose for the contributions!

Bugfix release.

• Fixes using SCS as nuget. #117
• One click code fixes were removed until a separate assembly is created. #71

The release adds support for VS2019 and bug fixes. Also:

• Adds multiple XSS sinks for WebForms (thanks Andrei!)
• Changes in SCS configuration file doesn't require to restart Visual Studio anymore.
• Warnings are suppressed for generated code.
• Adds .NET Core cookie analyzer.

This is a major release that introduces configurable taint sources, sanitizers and validators. Configuration file schema version has changed to 2.0, so if you had custom config settings, you'll need to adjust to the schema and bump your file name from config-1.0.yml to config-2.0.yml or change from Version: 1.0 to Version: 2.0 if it was added to a project.
With the introduction of taint sources and taint entry points warning are shown only for the tainted data. Unknowns are reported only in the Audit Mode.
Multiple improvements and fixes were done to Taint, Anti-CSRF token, XSS, SQL injection, Path traversal, XPath injection, Certificate validation analyzers.
New LDAP injection detection was added.
An issue was fixed that could surface as Session Terminated unexpectedly. Disabling 'Security Code Scan' might help prevent....

I would like to thank all contributors to this and previous releases. Also to everyone who has reported issues or feature requests.

Important: This release targets full .NET framework and may not run on Unix machines. Although as tested it runs fine in microsoft/dotnet 2.1 docker container on Linux, still for Unix based Continuous Integration builds it is better to use SecurityCodeScan.VS2017 NuGet package, that targets netstandard.

Added external configuration files: per user account and per project. It allows you to customize settings from built-in configuration or add your specific Sinks and Behaviors.

⚠️Note: Configuration schema has changed in version 3.0.0 please refer to the documentation above for examples.

Audit Mode setting (Off by default) was introduced for those interested in warnings with more false positives.

Couple of issues related to VB.NET fixed:

• VB.NET projects were not analyzed when using the analyzer from NuGet.
• 'Could not load file or assembly 'Microsoft.CodeAnalysis.VisualBasic, Version=1.0.0.0...' when building C# .NET Core projects from command line with dotnet.exe

Insecure deserialization analyzers for multiple libraries and formatters:

• Json.NET
• BinaryFormatter
• FastJSON
• JavaScriptSerializer
• DataContractJsonSerializer
• NetDataContractSerializer
• XmlSerializer
• and many more...

Added warning for the usage of AllowHtml attribute.
Different input validation analyzer and CSRF analyzer improvements.

Exceptions analyzing VB.NET projects fixed.

XXE analysis expanded. More patterns to detect Open Redirect and Path Traversal. Weak hash analyzer fixes. Added request validation aspx analyzer. False positives reduced in hardcoded password manager.

Web.config analysis:

• The feature was broken. See how to enable.
• Added detection of request validation mode.
• Diagnostic messages improved.

Taint improvements:

• Area expanded.
• Taint diagnostic messages include which passed parameter is untrusted.

Various improvements were made to taint analysis. The analysis was extended from local variables into member variables. False positive fixes in:

• XSS analyzer.
• Weak hash analyzer. Added more patterns.
• Path traversal. Also added more patterns.

New features:

• Open redirect detection.