.NET Core agent release notes

Release date: June 28, 2022

Language versions currently supported: .NET Core: 3.1, .NET 5.0, 6.0

Important

Microsoft support for .NET 5.0 ended on May 10th, 2022. Contrast support for .NET 5.0 will EOS in December 2022. Upgrade your application to a newer, supported version of .NET.

Bug fixes:

  • Agent could cause an application error when capturing the application's response when the HTTP context was null at the end of the request. This has been fixed. (DOTNET-4219)

  • Resolved a performance regression only present in version 2.1.15.

Release date: June 21, 2022

Language versions currently supported: .NET Core: 3.1, .NET 5.0, 6.0

Important

Microsoft support for .NET 5.0 ended on May 10th, 2022. Contrast support for .NET 5.0 will EOS in December 2022. Upgrade your application to a newer, supported version of .NET.

New and improved:

  • Improved Assess response capture, especially with regards to reducing the agent's impact to response streaming.

  • Improved detection of when the agent is running in an Azure Functions environment.

Release date: June 13, 2022

Language versions currently supported: .NET Core: 3.1, .NET 5.0, 6.0

Important

Microsoft support for .NET 5.0 ended on May 10th, 2022. Contrast support for .NET 5.0 will EOS in December 2022. Upgrade your application to a newer, supported version of .NET.

Bug fixes:

  • The agent did not send assess.tags with the "preflight" vulnerability check (but did send this information with the vulnerability report.) The agent now sends the expected information with both messages. (DOTNET-4157)

  • Assess analysis did not include ASPNET Core MVC model-bound path parameters. The agent will now correctly find vulnerabilities originating from a model-bound path parameter. (DOTNET-4163)

Release date: May 26, 2022

Language versions currently supported: .NET Core: 3.1, .NET 5.0, 6.0

Important

Microsoft support for .NET 5.0 ended on May 10th, 2022. Contrast support for .NET 5.0 will EOS in December 2022. Upgrade your application to a newer, supported version of .NET.

New and improved:

  • Added Assess sanitizers for mganss' HtmlSanitizer APIs. (DOTNET-4033)

  • Reduced the amount of memory used by the runtime for all libraries not instrumented by the agent. This has resulted in 5-10% reduction in process memory.

Release date: May 17, 2022

Language versions currently supported: .NET Core: 3.1, .NET 5.0, 6.0

Important

Microsoft support for .NET 5.0 ended on May 10th, 2022. Contrast support for .NET 5.0 will EOS in December 2022. Upgrade your application to a newer, supported version of .NET.

New and improved:

  • Improved Assess taint tracking for validation methods.

  • Assess will no longer propagate on HttpRequest.PathBase .(DOTNET-4117)

Release date: May 10, 2022

Language versions currently supported: .NET Core: 3.1, .NET 5.0, 6.0

New and improved:

  • Improved accuracy of Assess URL character tracking to exclude the port number. (DOTNET-4093)

  • Assess will no longer report path traversal on Linux systems when ASP.NET Core reads time zone info from the file system. (DOTNET-4062)

Release date: April 27, 2022

Language versions currently supported: .NET Core: 3.1, .NET 5.0, 6.0

New and improved:

  • Minor performance improvements to the cost of calling into Contrast sensors from instrumented code.

  • Added diagnostics check-access option to test that a Windows user has access to agent profiler and sensor components.

  • Improved cookie value parsing logic to avoid reporting that an invalid cookie is missing HttpOnly or secure flags.

Release date: April 14, 2022

Language versions currently supported: .NET Core: 3.1, .NET 5.0, 6.0

Bug fixes:

  • Protect untrusted deserialization did not respect URL exclusions. (DOTNET-4019)

  • Agent failed to detect web service flow map components when an application used .NET Core's dependency injection (i.e., services.AddHttpClient).(DOTNET-4023)

Release date: March 24, 2022

Language versions currently supported: .NET Core: 3.1, .NET 5.0, 6.0

New and improved:

  • Agent will now report web service components which can be viewed on the application's flow map diagram. (This item mistakenly appeared in release notes for 2.1.6)

  • Expanded APIs used to detect unvalidated redirect vulnerabilities under Assess.

  • Diagnostics validate-yaml will now validate application.metadata and application.session_metadata values follow expected format.

  • Added new deep-connect diagnostics command to help troubleshoot agent communication with Contrast.

Bug fixes:

  • Semantic Path Traversal attacks would be detected and blocked by the agent but failed to report to Contrast. (DOTNET-3978)

Release date: March 16, 2022

Language versions currently supported: .NET Core: 3.1, .NET 5.0, 6.0

New and improved:

  • Diagnostics cert-info command's validation of certificates now more closely matches the agent's HttpClient's certificate validation.

Bug fixes:

  • The Azure App Service Site Extension's XDT in version 2.1.6 included a bad transform that caused the App Service instance to crash. This has been fixed. (DOTNET-3983)

Release date: March 14, 2022

Language versions currently supported: .NET Core: 3.1, .NET 5.0, 6.0

New and improved:

  • Improved reporting of library class names to exclude compiler-generated types.

  • Added Protect support for GraphQL inputs.

  • Agent will now report web service components which can be viewed on the application's flow map diagram.

  • Diagnostics config-keys will now provide descriptions for special Contrast environment variables that can be used to configure specific agent behavior (e.g., CONTRAST_CONFIG_PATH to set the path of the agent's configuration file.)

Bug fixes:

  • Agent instrumentation of Utf8JsonReader lead to an application crash under 32-bit processes.

  • In some rare cases, the Azure App Service Site Extension could fail to cleanly upgrade because the agent's profiler component was locked. Agent components within the site extension are now housed in a version-specific directory. Note that users that have manually specified the path to agent components will need to update these paths. This should not be common as the Site Extension automatically sets the environment variables with the correct paths necessary to load the agent.

Release date: February 28, 2022

Language versions currently supported: .NET Core: 3.1, .NET 5.0, 6.0

New and improved:

  • Improved performance of Assess analysis, especially with regards to methods with internal implementations that make heavy use of Span APIs.

  • Assess potential sanitizers and validators will now be automatically reported to Contrast by default.

  • .NET Core for IIS agent now enables profiler chaining by default.

Release date: February 10, 2022

Language versions currently supported: .NET Core: 3.1, .NET 5.0, 6.0

New and improved:

  • Assess now supports GraphQL sources and route coverage for graphql-dotnet library versions 4.0.1+.

  • Improved performance by reducing cost of jumping from instrumented code to Contrast sensors.

Release date: January 24, 2022

Language versions currently supported: .NET Core: 3.1, .NET 5.0, 6.0

New and improved:

  • Improved performance of Assess analysis of System.Text.Json API calls.

Bug fixes:

  • The agent's sensors component did not respect a custom data directory set during install. (DOTNET-3739)

  • Diagnostics' system-info command failed to gather information about IIS application pools and applications. (DOTNET-3670)

Release date: January 11, 2022

Language versions currently supported: .NET Core: 3.1, .NET 5.0, 6.0

New and improved:

  • Improved performance of Assess and Protect analysis by reducing the cost of calling into Contrast code from instrumented code.

  • Improved performance of Assess analysis of application code with data flow within LINQ where clauses.

Bug fixes:

  • Fixed an issue where agent logs indicated an error due to a missing default configuration value. (DOTNET-3633)

  • Fixed an issue where the agent's Upgrade Service component could crash when instrumented by the Contrast .NET Core agent earlier than 2.1.0. Note that this would only occur if a user set global environment variables to add the Contrast .NET Core agent's profiler. (DOTNET-3689)

  • Routes included the application's virtual path when deployed to IIS.  (DOTNET-3632)

Release date: December 14, 2021

Language versions currently supported: .NET Core: 3.1, .NET 5.0, 6.0

New and improved:

  • Now supports profiler chaining with AppDynamics.

  • Now supports Assess log-injection.

Bug fixes:

  • When an instrumented application used a static DI container with cookie options then the agent would cause the application to fail to start. (DOTNET-3630)

Important note:

Starting with version 2.0.0, the Contrast .NET Core agent no longer supports .NET Core 2.1 and .NET Core 3.0. The agent continues to support .NET Core 3.1, 5.0, and 6.0. This follows Microsoft's EOL for .NET Core 2.1 on August 22, 2021 and .NET Core 3.0 on March 3, 2020.

Release date: November 9, 2021

Language versions currently supported: .NET Core: 3.1, .NET 5.0, 6.0

New and improved:

  • .NET Core 2.1.0 adds support for applications targeting .NET 6.

  • Improved Assess data flow analysis through APIs using SpanMemoryValueTaskValueStringBuilder, and StringSegment types.

  • Agent now recognizes specific DateOnly and TimeOnly APIs as validators for Assess.

  • Added route coverage support for .NET 6's minimal API structure.

Important note:

Starting with version 2.0.0, the Contrast .NET Core agent no longer supports .NET Core 2.1 and .NET Core 3.0. The agent continues to support .NET Core 3.1 and 5.0. This follows Microsoft's EOL for .NET Core 2.1 on August 22, 2021 and .NET Core 3.0 on March 3, 2020.

Archive

Release date: November 2, 2021

Language versions currently supported: .NET Core: 3.0, 3.1, 5.0

New and improved:

  • Dependencies of the agent diagnostics tool (contrast-dotnet-diagnostics.exe) could be removed during the upgrade process and not installed, causing the diagnostics tool to immediately crash when run. This has been resolved. Note that this issue only affected users using the .NET Core for IIS Installer.

  • Reduced agent performance impact to request latency of ASPNET Core applications.

Important note:

Starting with version 2.0.0, the Contrast .NET Core agent no longer supports .NET Core 2.1 and .NET Core 3.0. The agent continues to support .NET Core 3.1 and 5.0. This follows Microsoft's EOL for .NET Core 2.1 on August 22, 2021 and .NET Core 3.0 on March 3, 2020.

Release date: October 21, 2021

Language versions currently supported: .NET Core: 3.0, 3.1, 5.0

New and improved:

  • Improved Assess data flow tracking through System.Text.Json.JsonDocument APIs.

  • Implemented Assess event limits to improve performance.

Important note:

Starting with version 2.0.0, the Contrast .NET Core agent no longer supports .NET Core 2.1 and .NET Core 3.0. The agent continues to support .NET Core 3.1 and 5.0. This follows Microsoft's EOL for .NET Core 2.1 on August 22, 2021 and .NET Core 3.0 on March 3, 2020.

Release date: October 6, 2021

Language versions currently supported: .NET Core: 3.0, 3.1, 5.0

Note

Starting with version 2.0.0, the Contrast .NET Core agent no longer supports .NET Core 2.1 and .NET Core 3.0. The agent continues to support .NET Core 3.1 and 5.0. This follows Microsoft's EOL for .NET Core 2.1 on August 22, 2021 and .NET Core 3.0 on March 3, 2020.

New and improved:

  • The .NET Core agent now supports Assess Stored XSS and Trust Boundary Violation rules.

  • Minor performance improvements.

  • Improved security of the agent upgrade service.

Bug fixes:

  • NullReferenceException when agent attempted to determine the version of .NET Core from an unusual command line. (DOTNET-3454)

  • Assess SQL Injection false positive when numeric values were safely used by Entity Framework Core internally. (DOTNET-3435)

Release date: September 22, 2021

Language versions currently supported: .NET Core: 3.0, 3.1, 5.0

Note

Starting with version 2.0.0, the Contrast .NET Core agent no longer supports .NET Core 2.1 and .NET Core 3.0. The agent continues to support .NET Core 3.1 and 5.0. This follows Microsoft's EOL for .NET Core 2.1 on August 22, 2021 and .NET Core 3.0 on March 3, 2020.

New and improved:

  • Improved Assess data flow coverage through String.Format and JsonEncodedText.Encode.

  • Added Assess and Protect handling for when System.Text.Json serialization is set as the formatter/model-binder for ASP.NET Core.

Release date: September 1, 2021

Language versions currently supported: .NET Core: 3.0, 3.1, 5.0

Note

Starting with version 2.0.0, the Contrast .NET Core agent no longer supports .NET Core 2.1 and .NET Core 3.0. The agent continues to support .NET Core 3.1 and 5.0. This follows Microsoft's EOL for .NET Core 2.1 on August 22, 2021 and .NET Core 3.0 on March 3, 2020.

New and improved:

  • Further reduced the amount of memory used by the agent's profiler component.

  • Reduced agent's overhead on each request.

Release date: August 16, 2021

Language versions currently supported: .NET Core: 2.1, 3.0, 3.1, 5.0

Note

An upcoming version (2.0) of the .NET Core agent will drop support for .NET Core 2.1 and 3.0. This follows Microsoft's support policy with .NET Core 2.1 support ending on August 22nd. (.NET Core 3.0 EOL was March 3, 2020)

New and improved:

  • The installed .NET Core for IIS agent now includes an auto-upgrade service that, if enabled in the service's configuration, will automatically upgrade the agent to the latest version on NuGet.

  • Improved Assess coverage APIs involving Span<T>Range, and Index parameters.

  • The agent will no longer report weak hash algorithm used by the Azure Storage client SDK.

Bug fixes:

  • The agent would fail to discover routes declared using ASPNET Core MVC 3+ endpoint-style routing. (DOTNET-3265)

Release date: July 22, 2021

Language versions currently supported: .NET Core: 2.1, 3.0, 3.1, 5.0

Note

An upcoming version (2.0) of the .NET Core agent will drop support for .NET Core 2.1 and 3.0. This follows Microsoft's support policy with .NET Core 2.1 support ending on August 22nd. (.NET Core 3.0 EOL was March 3, 2020)

New and improved:

  • Further reduced memory usage of the agent's profiler component.

  • Improved Assess coverage of Memory<T> and MemoryExtension APIs.

  • Added official support for RHEL 7 and 8.

Bug fixes:

  • The agent could fail to report discovered routes to Contrast. (DOTNET-3234)

Release date: July 12, 2021

Language versions currently supported: .NET Core: 2.1, 3.0, 3.1, 5.0

New and improved:

  • Reduced the amount of memory used by the agent's profiler component.

  • Improved Assess coverage of Memory<T> and Span<T> APIs.

Bug fixes:

  • Agent did not respect URL-based exclusions for Assess response-based rules. (DOTNET-3161)

Release date: June 30, 2021

Language versions currently supported: .NET Core: 2.1, 3.0, 3.1, 5.0

New and improved:

  • Protect will no longer report semantic SQL findings on queries constructed safely using EF Core 2.1/3.1/5.0.

  • Profiler will now log all profiler settings, not just settings from the YAML file.

  • Profiler will no longer instrument diagnostics/powershell/powershell core.

  • Improved Assess coverage of APIs that return task.

Release date: June 21, 2021

Language versions currently supported: .NET Core: 2.1, 3.0, 3.1, 5.0

New and improved:

  • Protect will no longer report semantic SQL chaining on queries constructed safely using LINQ 2 SQL.

  • Protect will no longer report use of dangerous functions on queries constructed safely using Entity Framework.

Bug fixes:

  • Agent's interaction with ASPNET Core's DI container could cause applications built on top of a Boilerplate template to not start up. (DOTNET-3038)

  • Assess will no longer report untrusted deserialization against JsonNET JsonSerializerProxy. (DOTNET-3031)

Release date: June 14, 2021

Language versions currently supported: .NET Core: 2.1, 3.0, 3.1, 5.0

Bug fixes:

  • Assess false positive when using JsonSerializerProxy with Json.NET deserialization. (DOTNET-3031)

Release date: June 10, 2021

Language versions currently supported: .NET Core: 2.1, 3.0, 3.1, 5.0

Bug fixes:

  • Agent did not send sessionId when reporting routes. (DOTNET-3021)

Release date: June 2, 2021

Language versions currently supported: .NET Core: 2.1, 3.0, 3.1, 5.0

New and improved:

  • Improved performance of calling into Contrast code from instrumented methods.

  • Improved agent startup performance.

  • Will now discover and observe health check routes.

  • Will now observe endpoint routing routes (discovery was implemented in a previous version).

Release date: May 25, 2021

Language versions currently supported: .NET Core: 2.1, 3.0, 3.1, 5.0

New and improved:

  • Agent will now discover endpoint routing routes.

Release date: May 20, 2021

Language versions currently supported: .NET Core: 2.1, 3.0, 3.1, 5.0

New and improved:

  • Improved memory usage of logging communication with Contrast.

  • Agent will now discover and observe routes used by routing middleware handlers.

Release date: May 12, 2021

Language versions currently supported: .NET Core: 2.1, 3.0, 3.1, 5.0

New and improved:

  • Reduced memory used by agent to capture stack traces.

  • Improve performance of capturing repeated stack traces under Protect.

  • Improved Assess coverage of ref struct objects when using the Common Instrumentation Engine (CIE).

  • Improved Assess sql-injection coverage of EF Core APIs.

Release date: May 5, 2021

Language versions currently supported: .NET Core: 2.1, 3.0, 3.1, 5.0

New and improved:

  • Expanded coverage of Protect cmd-injection rule.

  • Will now discover health check routes.

  • Diagnostics now offers create-script to create deployment "scripts" for the local machine. Currently supports PowerShell, bash, launch settings, and web.config.

  • Diagnostics check-process will now inspect logs in the logs directory specified by environment variable (if set).

  • Agent will now report agent errors to telemetry.

Bug fixes:

  • Agent could fail to identify Assess sources when inspecting a model bound object that mixed JObject type within a POCO type. (DOTNET-2534)

  • Library reporting could fail on obfuscated assemblies. (DOTNET-2846)

Release date: April 19, 2021

Language versions currently supported: .NET Core: 2.1, 3.0, 3.1, 5.0

New and improved:

  • Improved logging when both CLR and CoreCLR are in the same process.

  • Improved instrumentation performance under CLR Instrumentation Engine (CIE).

  • Improved logging for unsupported .NET Core runtime versions.

  • Added verb + url reporting for .NET Core Razor Pages discovered routes.

Bug fixes:

  • Fixed an error in parsing certain SQL queries in Protect semantic SQL rules. (DOTNET-646)

  • Fixed a memory leak. (DOTNET-2771)

Release date: April 13, 2021

Language versions currently supported: .NET Core: 2.1, 3.0, 3.1, 5.0

New and improved:

  • Agent initialization will now log the final resolved value for assess.enable and protect.enable.

  • Improved route discovery for controller actions using convention or pattern-based routing.

Bug fixes:

  • .NET Core agent hangs on async tasks. (SUP-2667)

Release date: March 25, 2021

Language versions currently supported: .NET Core: 2.1, 3.0, 3.1, 5.0

New and improved:

  • Improved accuracy for async APIs under Assess.

  • Accurate reporting of the verb and URL parameters for unexercised routes when using the NetCore framework.

Release date: March 10, 2021

Language versions currently supported: .NET Core: 2.1, 3.0, 3.1, 5.0

New and improved:

  • Added support for server.path configuration.

  • The agent will now report the host of Web Service components.

Release date: March 2, 2021

Language versions currently supported: .NET Core: 2.1, 3.0, 3.1, 5.0

New and improved:

  • Improved agent performance by alleviating common agent hot spots.

  • Improved Assess data propagation on asynchronous methods.

  • Improved Assess detection of unsafe cryptographic algorithms.

Bug fixes:

  • Agent does not properly handle valid tls_versions configuration: tls|tls11|tls12 (DOTNET-2551)

  • The agent's profiler component chooses not to instrument a process when .NET Framework runtime was loaded first but the environment variable indicated .NET Core. (SUP-2225)

Release date: February 10, 2021

Language versions currently supported: .NET Core: 2.1, 3.0, 3.1, 5.0

New and improved:

  • Improved application archiving capabilities. Once an application is archived in the Contrast web interface, the .NET Core agent will be disabled without needing an IIS restart.

Bug fixes:

  • Different signatures for the same dataflow reports duplicate routes. (SUP-2345)

Release date: February 2, 2021

Language versions currently supported: .NET Core: 2.1, 3.0, 3.1, 5.0

Important note:

  • All agent configuration settings referring to the terms blacklist and whitelist have been changed to denylist and allowlist, respectively. For example, agent.dotnet.app_pool_whitelist is now agent.dotnet.app_pool_allowlist. The agent will continue to respect the old configuration names until August 2nd, 2022.

New and improved:

  • Protect will now mask sensitive data in the attack vector if enabled in the Contrast web interface.

  • Refined crypto-bad-mac rule to ignore .NET Core library code.

  • Added support for additional .NET Core deployment types (self-contained and framework dependant executables).

Bug fixes:

  • Protect path traveral in monitoring mode will now report a path-traversal probe when an attack goes through a "path resolution API" such as Path.GetFullPath. (SUP-2190)

Release date: January 13, 2021

Language versions currently supported: .NET Core: 2.1, 3.0, 3.1, 5.0

New and improved:

  • Self-contained .NET Core deployments are now supported.

Release date: January 11, 2021

Language versions currently supported: .NET Core: 2.1, 3.0, 3.1, 5.0

New and improved:

  • Added checkpoints to ensure semantic SQL rules are not reported by the agent when the rule is disabled in the Contrast web interface.

  • Added support for framework dependent executables.

  • Removed agent.dotnet.enable_runtimeid_callbackhandler configuration.

Bug fixes:

  • Session based auto-verification policies didn’t change the vulnerability status. (SUP-2365)

Release date: December 8, 2020

Language versions currently supported: .NET Core: 2.1, 3.0, 3.1, 5.0

New and improved:

  • The profiler will now log to syslog in the event of a major error or exception.

Release date: December 1, 2020

Language versions currently supported: .NET Core: 2.1, 3.0, 3.1, 5.0

Bug fixes:

  • .NET Core agent has a problem on startup when an application specified a custom NLog configuration file. (SUP-2220)

Release date: November 19, 2020

Language versions currently supported: .NET Core: 2.1, 3.0, 3.1, 5.0

New and improved:

  • The agent now supports .NET Core 5.

Release date: November 16, 2020

Language versions currently supported: .NET Core: 2.1, 3.0, 3.1

New and improved:

  • The agent now reports names of classes used as part of enhanced library usage.

Bug fixes:

  • The agent was reporting misleading route observation predictions upon route discovery. (DOTNET-2213)

  • The agent fails to start when Contrast provided a syslog configuration with messages at INFO level. (DOTNET-2310)

  • The agent caused an error during agent initialization if the console was disabled. (DOTNET-2283)

Release date: October 29, 2020

Language versions currently supported: .NET Core: 2.1, 3.0, 3.1

Important notes:

New and improved:

  • With this release, the CLR Instrumentation Engine (CIE) is fully supported. Custom CIE environment variables are no longer required and can be removed. (You may have to reinstall the site extension.)

  • Officially deprecated and removed CONTRAST__AGENT__DOTNET__CONTAINER. The configuration flag has no effect. All environments that required it, no longer require the flag to function.

  • Reduced the size of the Azure App Service Site Extension by removing diagnostics from the download. Diagnostics is still available for other deployment types.

  • Minor performance improvements under Protect's XSS.

Bug fixes:

  • When agent sensors failed to initialize under Windows, they would crash the IIS process with an "IOException: The handle is invalid." exception. (DOTNET-2253)

Release date: October 20, 2020

Language versions currently supported: .NET Core: 2.1, 3.0, 3.1

Important notes:

  • We will no longer support .NET Core 2.2 beginning with this version. This is keeping up with Microsoft’s support policy, and their announcement to end support for .NET Core 2.2 by Dec 23, 2019. If you are using .NET Core 2.2, please make sure to use the .NET Core agent version 1.5.20 or lower until you can upgrade your application’s .NET Core runtime.

New and improved:

  • The .NET Core agent now supports logging to stdout for managed code.

Bug fixes:

  • Found memory leak in correlation tasks. (SUP-2065)

Release date: October 8, 2020

Language versions currently supported: .NET Core: 2.1, 2.2, 3.0, 3.1

Bug fixes:

  • Agent causes 500 if the app changes the maximum request body size. (SUP-2032, workaround available)

Release date: September 30, 2020

Language versions currently supported: .NET Core: 2.1, 2.2, 3.0, 3.1

New and improved:

  • Telemetry now reports application framework and profiler chaining configurations.

Release date: September 17, 2020

Language versions currently supported: .NET Core: 2.1, 2.2, 3.0, 3.1

New and improved:

  • Azure Service Fabric is supported as a deployment type for the .NET Core agent.

Bug fixes:

  • The agent does not respect the  api.certificate.ignore_cert_errors configuration property.

Release date: September 3, 2020

Language versions currently supported: .NET Core: 2.1, 2.2, 3.0, 3.1

New and improved:

  • Telemetry is now enabled in the .NET Core agent in order to gather valuable data about the agent’s functionality. The data is all anonymous, no personal information is collected.

Language versions currently supported: .NET Core: 2.1, 2.2, 3.0, 3.1

Bug fixes:

  • Agent fails to startup properly when application is archived. (SUP-1849)

Language versions currently supported: .NET Core: 2.1, 2.2, 3.0, 3.1

Bug fixes:

  • Type scanning may throw an exception. (SUP-1671)

Language versions currently supported: .NET Core: 2.1, 2.2, 3.0, 3.1

New and improved:

  • Improved logging around Virtual Patch usage.

Bug fixes:

  • Virtual patches for QueryString parameters do not work if the values contain structured data. (SUP-1763)

Language versions currently supported: .NET Core: 2.1, 2.2, 3.0, 3.1

New and improved:

  • Improved logging around non-graceful shutdowns.

Language versions currently supported: .NET Core: 2.1, 2.2, 3.0, 3.1

Agent versions released during the past month: 1.5.10, 1.5.11, 1.5.12

New and improved:

  • Added connect to contrast-dotnet-diagnostics to test the agent’s ability to connect to Contrast.

  • Added config-keys to contrast-dotnet-diagnostics to display configuration options supported by the agent.

  • Added cert-info to contrast-dotnet-diagnostics to display information about the certificate provided by the value of the api.url configuration setting.

  • Improved the performance of Protect SQL-Injection detection.

  • Improved the performance of Protect against XML-based inputs.

  • Added validate-yaml to contrast-dotnet-diagnostics to verify the agent’s contrast-security.yaml configuration file.

Language versions currently supported: .NET Core: 2.1, 2.2, 3.0, 3.1

Agent versions released during the past month: 1.5.5, 1.5.7, 1.5.8, 1.5.9

New and improved:

  • Improved the Assess analysis used to identify SSRF vulnerabilities to reduce the number of false positives reported by the agent.

  • Improved the Protect analysis used to analyze user inputs for potential SQL injection attacks to improve accuracy and performance.

  • The agent will now clean up old logs.

  • Removed the dependency on Microsoft.Extensions.Caching.Memory.

  • Improved performance of Protect XSS.

  • Improved performance of Protect SQL-Injection.

Bug fixes:

  • When the agent would report vulnerabilities for four response-based Assess rules related to CSP and HSTS, the report would be rejected by Contrast due to missing information. The agent now sends all expected information for these rules.

  • When an instrumented application defined a type using a large number of nested generic types, the agent could cause a StackOverflow error. This has now been fixed.

  • When a user would disable multiple Protect rules through the ‘contrast.protect.disabled_rules’ setting in the yaml file, the agent would not respect this setting. The agent will now respect this configuration setting.

  • When a user would disable logging, the agent’s profiler component would still log high level information during initialization. The profiler will no longer create a log when logging is disabled.

Language versions currently supported: .NET Core: 2.1, 2.2, 3.0, 3.1

Agent versions released during the past month: 1.5.3

New and improved:

  • Improved detection of dangerous path use in Protect; specifically, when interacting with the file system (path-traversal-semantic-dangerous-paths rule) and in arguments to OS commands (cmd-injection-semantic-dangerous-paths rule).

  • The agent will no longer attempt to load under .NET Core versions less than 2.1 as these versions are not supported.

Bug fixes:

  • When an application sent a request to the same URL as the current request, the agent would report an SSRF vulnerability. This is fixed now.

  • When the agent would report an xcontenttype-header-missing vulnerability, Contrast would reject the vulnerability report due to missing information. The agent now sends all expected information for this vulnerability.

  • When an instrumented application closed the response stream, the agent could cause an application error. This is fixed now.

  • When an instrumented application seeked within a response stream, the agent could cause an application error. This is fixed now.

Language versions currently supported: .NET Core: 2.1, 2.2, 3.0, 3.1

Agent versions released during the past month: 1.4.0, 1.5.0

New and improved:

  • Added support for Linux Azure App Service.

  • Added support for Alpine.

  • Improved handling of scenarios where the agent would write repeated errors to log files, creating larger than necessary log files.

  • The agent will now log unknown configuration keys at startup. This should help with troubleshooting configuration issues (for example invalid yaml).

Bug fixes:

  • When applications redirected to a URL that had been validated using Url.IsLocalUrl, the agent would still report an unvalidated redirect vulnerability. The agent will now respect the Url.IsLocalUrl validator.

  • A race condition around requests for configuration values that did not have default values could lead to an unhandled error in the agent. The race condition has been fixed, default configuration values have been provided for all configuration options, and missing default configuration values are now properly handled.