Microsoft Code Analysis Tool CAT.NET 2.0 Beta Available for Download

2010/2/5 11:13:47    Editor: 软媒 - 笨笨

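Win7之家 (www.win7china.com): Microsoft Code Analysis Tool CAT.NET 2.0 Beta Available for Download

A milestone build of Microsoft's source-code security scanning tool for managed code has been released and is now available for download from Microsoft's official website.

Programmers can "click here" to join the beta program and download the Microsoft Code Analysis Tool (CAT.NET 2.0 for short).

The final version of CAT.NET 2.0 will be released shortly after Visual Studio 2010 RTM; the current build is mainly intended for collecting bug reports and suggestions. Judging from the announcement, this release contains quite a few improvements, and readers can look through the change history. For lack of time, 软媒 has not translated all of it, since what developer cannot read English? Those who cannot may skip it; anyone who actually needs the tool has to be able to read it to count as a competent programmer, since programming is, after all, an English-speaking world.

软媒 provides the original English text below: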

Microsoft Code Analysis Tool for Net v2.0 Goes Beta

A testing development milestone for the next iteration of Microsoft’s managed code security source code scanning tool is currently available for download. Developers can now access the Beta build of the second version of Microsoft Code Analysis Tool for Net and test drive the release before it is generally available in just a few months. Testers can grab the latest build of CAT.NET v2.0 by joining the Beta program for the project on Microsoft Connect, revealed Syed Aslam Basha, Microsoft Information Security Tools (IST) Test Lead. However, developers looking to get a feeling of what CAT.NET v2.0 brings to the table will need to hurry, as the Beta program will last only a single month.

“The final released version is scheduled to release shortly after Visual Studio 2010 RTM. The goal of this beta program is to garner feedback from the user community,” Basha said, indicating that feedback should be sent to ist-cat at microsoft.com.

CAT.NET v2.0 brings to the table a consistent volume of code changes which have impacted user experience and core analysis. Basha provided a list of the changes which has been included at the bottom of this article. According to Microsoft, CAT.NET v2.0 now features UX integration with both Visual Studio 2010 and FxCop command prompt. At the same time, the tool will make available to developers 46 new configuration and 9 data flow rules. Devs will be able to leverage various aspects of CAT.NET v2.0’s evolution such as tainted data flow analysis and a configuration analysis engine.

Here are the changes highlighted by Basha:

“User Experience:

- Integration with Visual Studio 2010 code analysis infrastructure as FxCop rules.
- Easy analysis using FxCop command line or UI interface or VSTS Team Build.
- Currently beta includes FxCop UI and Command prompt.

Core Analysis:

- A total of 55 rules have been added: 9 data flow rules and 46 configuration rules are included in this version.
- Updated tainted data flow analysis engine to track both tainted operands and source symbols.
- Reduced false positives and false negatives.
  - Accomplished by detecting sanitizers, constant variables and instructions that affect the data flow.
- New Data flow rule to detect XML Injection attacks
- Updated configuration rules engine detecting clear text connection strings and credentials.
- Rules to detect insecure defaults.
  - Example: minRequiredPasswordLength attribute of membership providers add element.
- Configuration rules updated to detect @page directive configuration overrides.”
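
As an added illustration of two of the configuration checks listed above (clear-text credentials in connection strings, and the minRequiredPasswordLength attribute on a membership provider's add element), the following Python example audits a constructed web.config. It is not CAT.NET code or its rule logic; the function name, the sample file and the 8-character threshold are assumptions made for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample web.config (not from the article or from CAT.NET).
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <add name="AppDb" connectionString="Server=db01;Database=app;User Id=app;Password=EXAMPLE-ONLY" />
    <add name="ReportDb" connectionString="Server=db01;Database=rpt;Integrated Security=SSPI" />
  </connectionStrings>
  <system.web>
    <membership>
      <providers>
        <add name="WeakProvider" type="System.Web.Security.SqlMembershipProvider"
             minRequiredPasswordLength="4" />
        <add name="DefaultedProvider" type="System.Web.Security.SqlMembershipProvider" />
      </providers>
    </membership>
  </system.web>
</configuration>"""

MIN_PASSWORD_LENGTH = 8  # assumed policy threshold, not a CAT.NET value
CREDENTIAL_KEY = re.compile(r"(?:^|;)\s*(?:password|pwd)\s*=\s*[^;]+", re.IGNORECASE)


def audit_web_config(xml_text, min_length=MIN_PASSWORD_LENGTH):
    """Return a list of (rule, element name, detail) findings."""
    root = ET.fromstring(xml_text)
    findings = []
    # Rule 1: credentials embedded in clear text in a connection string.
    for add in root.findall("./connectionStrings/add"):
        if CREDENTIAL_KEY.search(add.get("connectionString", "")):
            findings.append(("cleartext-credential", add.get("name"),
                             "password stored in connectionString"))
    # Rule 2: membership provider password length missing or too short.
    for add in root.findall("./system.web/membership/providers/add"):
        raw = add.get("minRequiredPasswordLength")
        if raw is None:
            findings.append(("insecure-default", add.get("name"),
                             "minRequiredPasswordLength not set; provider default applies"))
        elif not raw.isdigit() or int(raw) < min_length:
            findings.append(("weak-password-length", add.get("name"),
                             f"minRequiredPasswordLength={raw} < {min_length}"))
    return findings


if __name__ == "__main__":
    for rule, name, detail in audit_web_config(SAMPLE_WEB_CONFIG):
        print(f"{rule:22} {name:18} {detail}")
```

The connection string that uses Integrated Security is not reported, since it carries no password in the file.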