Real time Vulnerability Scanning using Cat.Net and Roslyn (outside VisualStudio)

All replies

  •  Hi Dinis - Thanks for sharing. That’s a great implementation of CAT.NET to scan in an on-demand way during software development.
    Friday, June 22, 2012 7:20 PM
  • Thx :)

    Have you seen the latest posts? I bet you are going to like those even more: This is how we have to show security vulnerabilities to developers (in real time as they are created) and Real-time Vulnerability Creation Feedback inside VisualStudio (with Greens and Reds)

    There is a great thread about it at Reddit

    Now, since I do have you guys' attention (SDL Team), I have two requests for you regarding Cat.NET:

    1) Allow me to publish a decompiled version of Cat.NET v1 (created using ILSPY) on GitHub (so that we can improve it).

    2) Allow the use of a modified Cat.NET version (with more features and rules) inside an Azure 'Security Code Scanning' Service

    Saturday, June 23, 2012 9:42 PM
  • Hi Dinis,

    We appreciate the work you are accomplishing with Microsoft’s tools such as CAT.NET. Current licensing prevents the publishing of a decompiled version of Cat.NET v1. Our current movement around the creative commons license has principally been in support of documentation releases only. It’s recognized that CAT.NET has had no significant updates recently. We are not prepared at this time to announce anything new in this space.

    Please remember that Cat.NET users must continue to comply with the current software license.

    Thank you.

    Tuesday, July 17, 2012 8:27 PM
  • Yes, but you guys have completely dropped Cat.NET and since we can now easily get its source code (via Reflector or ILSPY) you should be encouraging this, right?

    For example, there are a number of dependencies on VisualStudio and EnvDTE which could be easily removed with code changes (Note that I was able to run Cat.NET outside VisualStudio, but that was done using reflection which is not the best way to do it)

    Question: who can make this decision there at Microsoft? (I have asked a number of people I know at Microsoft and nobody seems to know who owns Cat.NET these days)

    I talked to Scott Gu when he was in London and he was open to the idea, so is he the guy to talk to?

    Friday, July 20, 2012 5:56 AM
  • If you want to see what Cat.NET looks like outside VisualStudio you can download the PoC from here: Tool - Cat.Net outside VisualStudio v1.3.exe (that is a standalone exe with everything needed, including Cat.NET exes)

    Here is a blog post that shows this tool in action (and the issue I had with EnvDTE: )

    Friday, July 20, 2012 6:14 AM