All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
Pipeline only changes
Pipeline only changes
Pipeline only changes
Pipeline only changes
Pipeline only changes
Fix the suppress command so it no longer perturbs line breaks, in particular when a file contains findings that are not selected for suppression. #631
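The edge case behind that fix, shown as an added example rather than DevSkim's own implementation: a suppression pass that appends a marker comment only to the selected finding lines while emitting every other line byte-for-byte unchanged, so a file with mixed CRLF/LF endings (or no trailing newline) is not silently rewritten. It assumes the DevSkim inline marker convention "DevSkim: ignore <id>[,<id>...] [until YYYY-MM-DD]"; the rule ids, the sample file and the expiry semantics of "until" are placeholders and assumptions, not taken from the project.

```python
import re
from datetime import date

# Constructed sample file: line 2 ends with CRLF, the others with LF, and the
# last line has no trailing newline at all. Findings use 1-based line numbers
# and placeholder rule ids.
SAMPLE = (
    "import hashlib\n"
    "h = hashlib.md5(data)\r\n"
    "password = 'hunter2'\n"
    "h2 = hashlib.sha1(data)"
)
FINDINGS = {2: ["DS000001"], 3: ["DS000002"], 4: ["DS000001"]}

COMMENT_PREFIX = {"python": "#", "csharp": "//"}


def add_suppressions(text, findings, selected, language="python", until_iso=None):
    """Append a suppression comment to each selected finding line.

    Every line keeps its own terminator (CRLF, LF, or none), and lines that are
    not selected are emitted unchanged, so a partial suppression run does not
    rewrite line endings elsewhere in the file.
    """
    prefix = COMMENT_PREFIX[language]
    out = []
    # keepends=True keeps each line's terminator attached to that line
    for line_no, raw in enumerate(text.splitlines(keepends=True), start=1):
        if line_no not in selected or line_no not in findings:
            out.append(raw)
            continue
        body = raw.rstrip("\r\n")
        ending = raw[len(body):]  # "" when the last line has no newline
        marker = f" {prefix} DevSkim: ignore {','.join(findings[line_no])}"
        if until_iso:
            marker += f" until {until_iso}"
        out.append(body + marker + ending)
    return "".join(out)


# Assumed marker grammar: "DevSkim: ignore <id>[,<id>...] [until YYYY-MM-DD]"
SUPPRESS_RE = re.compile(
    r"DevSkim:\s*ignore\s+(?P<ids>[A-Za-z0-9_,]+)"
    r"(?:\s+until\s+(?P<until>\d{4}-\d{2}-\d{2}))?"
)


def is_suppressed(line, rule_id, today_iso):
    """True if the line carries a marker for rule_id that is still in force on today_iso.

    The 'until' date is treated as an expiry date: the suppression applies
    strictly before that date (assumption; check the DevSkim docs for the exact rule).
    """
    m = SUPPRESS_RE.search(line)
    if not m or rule_id not in m.group("ids").split(","):
        return False
    if m.group("until") is None:
        return True
    return date.fromisoformat(today_iso) < date.fromisoformat(m.group("until"))


if __name__ == "__main__":
    print(repr(add_suppressions(SAMPLE, FINDINGS, {2, 4})))
```

Running the block with only lines 2 and 4 selected leaves the CRLF on line 2, the LF on line 3 and the missing newline on line 4 exactly as they were; a naive `"\n".join(text.split("\n"))` round-trip would normalise all of them.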
Extend the false positive fix for the issue reported in #548 to SDK-style MSBuild projects.
Fixes extraneous printing of git errors when git ignore checking is enabled during analysis.
Pipeline maintenance.
Expanded rule guidance content that still contained "TO DO" placeholders.
Added guidance for several rules such as weak hash algorithm, disabling certificate validation, and TLS client configuration.
Fix substitution pattern in PHP Request rule.
Pipeline only changes
Pipeline only changes
Fix the default values of the OutputFileFormat and OutputTextFormat fields not being set correctly when using the options-json argument to the analyze command.
Improvement to pipeline to allow rerunning failed deploy jobs.
Populate additional fields for GitHub Code scanning
Populate Confidence values for rules
Update Dependencies
Prioritize confidence value from Pattern level in Issue records but fall back to rule level if not specified.
Additional pipeline fixes
Fix GitHub binary release process
Update Application Inspector dependency
Remove the trailing period after the general guidance URI in output so the URI stays clickable when a terminal automatically converts it to a link.
Update dependencies
Move GitHub Release task to last task in publish pipeline.
Update dependencies.
Build using .NET 8
Update dependencies. Resolves an issue with some xpath queries via AppInspector Rules engine microsoft/ApplicationInspector#567
Update OmniSharp language server and App Inspector dependencies.
Update deployment pipeline version
Update dependencies - incorporate a fix for an issue with JSONPath selection used for matching boolean values. microsoft/ApplicationInspector#561
Fix a JSON formatting error in the android debuggable rule
Delete advisory parser script. #586
Update action versions for github workflows.
Removes the workaround for the sarif schema URI returning 404.
Updates dependencies to latest.
Fix ordering of proposed fixes in UX. #582
Fix concurrent access issue with cache storage for fixes. Fix #480
Fix language filtering on random number generator rules. Fix #468
Improve HTTP URL detection rule to exclude more schema definitions.
Fixes an issue with loading settings in the Visual Studio extension.
Fix false positives reported in #344, #548 and #549.
Fixes an issue handling IEnumerable arguments specified with the options-json argument to Analyze.
Updates RuleEngine dependency to fix an issue with matching strings that contain // in languages that use // for inline comments.
Update VS Code Extension Dependencies
Updated Guidance for DS126858
- Update SemVer dependency in VS Code Extension.
- Removed sub scan workspace command in VS Code extension.
- Fixed an issue in the VS Code Extension that would try to run the language server with dotnet on the system path instead of the version fetched by the .NET Install Tool extension.
- Adds new rules and improves precision of some existing rules.
- Fixes issue where the CLI global tool package was attempting to run with a mismatched runtime.
- Republish of 1.0.5 due to a release pipeline error
- Add CHANGELOG.md
- Support ignore-case (i) and multi-line (m) modifiers on the Pattern property of Fixes.
- Fixes output sarif returning not applicable fixes
- Fixes output sarif for runs with rules with empty string for Recommendation and Description
- Fix output sarif for runs with rules with null string for Recommendation and Description
This version is a major refactor of DevSkim.
- Added fix and suppress commands that take the sarif output of analyze together with the scanned source code and apply the reported fixes/suppressions
Usage:
devskim analyze -I path/to/source -O myresults.sarif
devskim fix -I path/to/source -O myresults.sarif --dry-run --all
devskim suppress -I path/to/source -O myresults.sarif --dry-run --all
- Support jsonpath/xpath and ymlpath based rules
- New --options-json argument to analyze to specify DevSkim configuration via a JSON file, including the ability to ignore rules only for specific languages.
- IDE extensions are now based on a unified C# Language Server, which should give better performance and reliability and supports new options such as user-provided Rules/Languages.
- DevSkim Rule format is now an extension of Application Inspector rule format
- Input/output files are now named parameters (-I/--source-code and -O/--output-file), not positional parameters
Old: devskim analyze path/to/src path/to/output.sarif -f sarif
New: devskim analyze -I path/to/src -O path/to/out.sarif
- Sarif is now the default output format for the CLI
- DevSkim targets .NET 6.0 and .NET 7.0
- Rule self tests are now included directly in rule specification (must-match and must-not-match fields) and are checked by the Verify command.
- Visual Studio Extension now targets VS 2022 instead of VS 2019.
- VS Code Extension now requires VSC Engine 1.63 or later
- Json is no longer supported as an output format argument to CLI
- Pack, test and catalogue commands removed from CLI
- Rule improvements and DevSkim engine performance and reliability improvements.
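The rule self-tests mentioned above (must-match and must-not-match samples checked by the Verify command), as an added example of the idea rather than DevSkim's own engine or rule format: each rule carries positive and negative samples, the verifier compiles the rule's regex patterns with their i/m modifiers, skips languages outside applies_to, and reports every sample that behaves unexpectedly. The rule shape, field names, ids and samples below are constructed assumptions loosely modelled on DevSkim's JSON rules; the second rule is deliberately over-broad so its must-not-match sample exposes the problem.

```python
import re

# Constructed rules in a shape loosely modelled on DevSkim's JSON rule format
# (assumption: field names id, applies_to, patterns, must-match, must-not-match;
# the ids and samples are placeholders, not real DevSkim rules).
RULES = [
    {
        "id": "DS000001",
        "name": "Weak hash algorithm (MD5)",
        "applies_to": ["python", "csharp"],
        "patterns": [{"pattern": r"\bmd5\b", "type": "regex", "modifiers": ["i"]}],
        "must-match": ["h = hashlib.md5(data)", "using (var h = MD5.Create())"],
        "must-not-match": ["h = hashlib.sha256(data)", "tool = '/usr/bin/md5sum'"],
    },
    {
        # Deliberately over-broad pattern: the must-not-match sample exposes it.
        "id": "DS000002",
        "name": "Insecure random (self-test intentionally failing)",
        "applies_to": ["python"],
        "patterns": [{"pattern": r"random", "type": "regex", "modifiers": []}],
        "must-match": ["token = random.random()"],
        "must-not-match": ["token = secrets.token_hex(16)", "import random_forest"],
    },
]


def compile_patterns(rule):
    """Compile each regex pattern, honouring the i (ignore-case) and m (multi-line) modifiers."""
    compiled = []
    for p in rule["patterns"]:
        flags = 0
        if "i" in p.get("modifiers", []):
            flags |= re.IGNORECASE
        if "m" in p.get("modifiers", []):
            flags |= re.MULTILINE
        compiled.append(re.compile(p["pattern"], flags))
    return compiled


def rule_matches(rule, text, language):
    """A rule only fires for languages listed in applies_to; otherwise it is skipped."""
    if language not in rule["applies_to"]:
        return False
    return any(rx.search(text) for rx in compile_patterns(rule))


def verify_rule(rule):
    """Run the rule's embedded self-tests; returns a list of failure messages."""
    failures = []
    # Samples are assumed to be written in the rule's first applies_to language.
    language = rule["applies_to"][0]
    for sample in rule.get("must-match", []):
        if not rule_matches(rule, sample, language):
            failures.append(f"{rule['id']}: must-match sample did not match: {sample!r}")
    for sample in rule.get("must-not-match", []):
        if rule_matches(rule, sample, language):
            failures.append(f"{rule['id']}: must-not-match sample matched: {sample!r}")
    return failures


def verify_all(rules):
    """Map rule id -> failures; an empty list means the rule's self-tests pass."""
    return {rule["id"]: verify_rule(rule) for rule in rules}


if __name__ == "__main__":
    for rule_id, failures in verify_all(RULES).items():
        print(rule_id, "OK" if not failures else "\n  ".join([""] + failures))
```

Keeping the samples next to the patterns is what makes this useful: a later "tightening" of a regex that breaks a must-match sample, or a broadening that trips a must-not-match sample, fails the verification step instead of reaching users as missed findings or false positives.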