.NET Core agent release notes

Release date: April 13, 2021

Language versions currently supported: .NET Core: 2.1, 3.0, 3.1, 5.0

New and improved:

  • Agent initialization will now log the final resolved value for assess.enable and protect.enable.

  • Improved route discovery for controller actions using convention or pattern-based routing.

Bug fixes:

  • .NET Core agent hangs on async tasks. (SUP-2667)

Release date: March 25, 2021

Language versions currently supported: .NET Core: 2.1, 3.0, 3.1, 5.0

New and improved:

  • Improved accuracy for async APIs under Assess.

  • Accurate reporting of the verb and URL parameters for unexercised routes when using the NetCore framework.

Release date: March 10, 2021

Language versions currently supported: .NET Core: 2.1, 3.0, 3.1, 5.0

New and improved:

  • Added support for server.path configuration.

  • The agent will now report the host of Web Service components.

Release date: March 2, 2021

Language versions currently supported: .NET Core: 2.1, 3.0, 3.1, 5.0

New and improved:

  • Improved agent performance by alleviating common agent hot spots.

  • Improved Assess data propagation on asynchronous methods.

  • Improved Assess detection of unsafe cryptographic algorithms.

Bug fixes:

  • Agent does not properly handle valid tls_versions configuration: tls|tls11|tls12 (DOTNET-2551)

  • The agent's profiler component chooses not to instrument a process when .NET Framework runtime was loaded first but the environment variable indicated .NET Core. (SUP-2225)

Release date: February 10, 2021

Language versions currently supported: .NET Core: 2.1, 3.0, 3.1, 5.0

New and improved:

  • Improved application archiving capabilities. Once an application is archived in the Contrast web interface, the .NET Core agent will be disabled without needing an IIS restart.

Bug fixes:

  • Different signatures for the same dataflow reports duplicate routes. (SUP-2345)

Release date: February 2, 2021

Language versions currently supported: .NET Core: 2.1, 3.0, 3.1, 5.0

Important note:

  • All agent configuration settings referring to the terms blacklist and whitelist have been changed to denylist and allowlist, respectively. For example, agent.dotnet.app_pool_whitelist is now agent.dotnet.app_pool_allowlist. The agent will continue to respect the old configuration names until August 2nd, 2022.

New and improved:

  • Protect will now mask sensitive data in the attack vector if enabled in the Contrast web interface.

  • Refined crypto-bad-mac rule to ignore .NET Core library code.

  • Added support for additional .NET Core deployment types (self-contained and framework dependant executables).

Bug fixes:

  • Protect path traveral in monitoring mode will now report a path-traversal probe when an attack goes through a "path resolution API" such as Path.GetFullPath. (SUP-2190)

Release date: January 13, 2021

Language versions currently supported: .NET Core: 2.1, 3.0, 3.1, 5.0

New and improved:

  • Self-contained .NET Core deployments are now supported.

Release date: January 11, 2021

Language versions currently supported: .NET Core: 2.1, 3.0, 3.1, 5.0

New and improved:

  • Added checkpoints to ensure semantic SQL rules are not reported by the agent when the rule is disabled in the Contrast web interface.

  • Added support for framework dependent executables.

  • Removed agent.dotnet.enable_runtimeid_callbackhandler configuration.

Bug fixes:

  • Session based auto-verification policies didn’t change the vulnerability status. (SUP-2365)

Release date: December 8, 2020

Language versions currently supported: .NET Core: 2.1, 3.0, 3.1, 5.0

New and improved:

  • The profiler will now log to syslog in the event of a major error or exception.

Release date: December 1, 2020

Language versions currently supported: .NET Core: 2.1, 3.0, 3.1, 5.0

Bug fixes:

  • .NET Core agent has a problem on startup when an application specified a custom NLog configuration file. (SUP-2220)

Release date: November 19, 2020

Language versions currently supported: .NET Core: 2.1, 3.0, 3.1, 5.0

New and improved:

  • The agent now supports .NET Core 5.

Release date: November 16, 2020

Language versions currently supported: .NET Core: 2.1, 3.0, 3.1

New and improved:

  • The agent now reports names of classes used as part of enhanced library usage.

Bug fixes:

  • The agent was reporting misleading route observation predictions upon route discovery. (DOTNET-2213)

  • The agent fails to start when Contrast provided a syslog configuration with messages at INFO level. (DOTNET-2310)

  • The agent caused an error during agent initialization if the console was disabled. (DOTNET-2283)

Release date: October 29, 2020

Language versions currently supported: .NET Core: 2.1, 3.0, 3.1

Important notes:

New and improved:

  • With this release, the CLR Instrumentation Engine (CIE) is fully supported. Custom CIE environment variables are no longer required and can be removed. (You may have to reinstall the site extension.)

  • Officially deprecated and removed CONTRAST__AGENT__DOTNET__CONTAINER. The configuration flag has no effect. All environments that required it, no longer require the flag to function.

  • Reduced the size of the Azure App Services Site Extension by removing diagnostics from the download. Diagnostics is still available for other deployment types.

  • Minor performance improvements under Protect's XSS.

Bug fixes:

  • When agent sensors failed to initialize under Windows, they would crash the IIS process with an "IOException: The handle is invalid." exception. (DOTNET-2253)

Release date: October 20, 2020

Language versions currently supported: .NET Core: 2.1, 3.0, 3.1

Important notes:

  • We will no longer support .NET Core 2.2 beginning with this version. This is keeping up with Microsoft’s support policy, and their announcement to end support for .NET Core 2.2 by Dec 23, 2019. If you are using .NET Core 2.2, please make sure to use the .NET Core agent version 1.5.20 or lower until you can upgrade your application’s .NET Core runtime.

New and improved:

  • The .NET Core agent now supports logging to stdout for managed code.

Bug fixes:

  • Found memory leak in correlation tasks. (SUP-2065)

Release date: October 8, 2020

Language versions currently supported: .NET Core: 2.1, 2.2, 3.0, 3.1

Bug fixes:

  • Agent causes 500 if the app changes the maximum request body size. (SUP-2032, workaround available)

Release date: September 30, 2020

Language versions currently supported: .NET Core: 2.1, 2.2, 3.0, 3.1

New and improved:

  • Telemetry now reports application framework and profiler chaining configurations.

Release date: September 17, 2020

Language versions currently supported: .NET Core: 2.1, 2.2, 3.0, 3.1

New and improved:

  • Azure Service Fabric is supported as a deployment type for the .NET Core agent.

Bug fixes:

  • The agent does not respect the  api.certificate.ignore_cert_errors configuration property.

Release date: September 3, 2020

Language versions currently supported: .NET Core: 2.1, 2.2, 3.0, 3.1

New and improved:

  • Telemetry is now enabled in the .NET Core agent in order to gather valuable data about the agent’s functionality. The data is all anonymous, no personal information is collected.

Language versions currently supported: .NET Core: 2.1, 2.2, 3.0, 3.1

Bug fixes:

  • Agent fails to startup properly when application is archived. (SUP-1849)

Language versions currently supported: .NET Core: 2.1, 2.2, 3.0, 3.1

Bug fixes:

  • Type scanning may throw an exception. (SUP-1671)

Language versions currently supported: .NET Core: 2.1, 2.2, 3.0, 3.1

New and improved:

  • Improved logging around Virtual Patch usage.

Bug fixes:

  • Virtual patches for QueryString parameters do not work if the values contain structured data. (SUP-1763)

Language versions currently supported: .NET Core: 2.1, 2.2, 3.0, 3.1

New and improved:

  • Improved logging around non-graceful shutdowns.

Language versions currently supported: .NET Core: 2.1, 2.2, 3.0, 3.1

Agent versions released during the past month: 1.5.10, 1.5.11, 1.5.12

New and improved:

  • Added connect to contrast-dotnet-diagnostics to test the agent’s ability to connect to Contrast.

  • Added config-keys to contrast-dotnet-diagnostics to display configuration options supported by the agent.

  • Added cert-info to contrast-dotnet-diagnostics to display information about the certificate provided by the value of the api.url configuration setting.

  • Improved the performance of Protect SQL-Injection detection.

  • Improved the performance of Protect against XML-based inputs.

  • Added validate-yaml to contrast-dotnet-diagnostics to verify the agent’s contrast-security.yaml configuration file.

Language versions currently supported: .NET Core: 2.1, 2.2, 3.0, 3.1

Agent versions released during the past month: 1.5.5, 1.5.7, 1.5.8, 1.5.9

New and improved:

  • Improved the Assess analysis used to identify SSRF vulnerabilities to reduce the number of false positives reported by the agent.

  • Improved the Protect analysis used to analyze user inputs for potential SQL injection attacks to improve accuracy and performance.

  • The agent will now clean up old logs.

  • Removed the dependency on Microsoft.Extensions.Caching.Memory.

  • Improved performance of Protect XSS.

  • Improved performance of Protect SQL-Injection.

Bug fixes:

  • When the agent would report vulnerabilities for four response-based Assess rules related to CSP and HSTS, the report would be rejected by Contrast due to missing information. The agent now sends all expected information for these rules.

  • When an instrumented application defined a type using a large number of nested generic types, the agent could cause a StackOverflow error. This has now been fixed.

  • When a user would disable multiple Protect rules through the ‘contrast.protect.disabled_rules’ setting in the yaml file, the agent would not respect this setting. The agent will now respect this configuration setting.

  • When a user would disable logging, the agent’s profiler component would still log high level information during initialization. The profiler will no longer create a log when logging is disabled.

Language versions currently supported: .NET Core: 2.1, 2.2, 3.0, 3.1

Agent versions released during the past month: 1.5.3

New and improved:

  • Improved detection of dangerous path use in Protect; specifically, when interacting with the file system (path-traversal-semantic-dangerous-paths rule) and in arguments to OS commands (cmd-injection-semantic-dangerous-paths rule).

  • The agent will no longer attempt to load under .NET Core versions less than 2.1 as these versions are not supported.

Bug fixes:

  • When an application sent a request to the same URL as the current request, the agent would report an SSRF vulnerability. This is fixed now.

  • When the agent would report an xcontenttype-header-missing vulnerability, Contrast would reject the vulnerability report due to missing information. The agent now sends all expected information for this vulnerability.

  • When an instrumented application closed the response stream, the agent could cause an application error. This is fixed now.

  • When an instrumented application seeked within a response stream, the agent could cause an application error. This is fixed now.

Language versions currently supported: .NET Core: 2.1, 2.2, 3.0, 3.1

Agent versions released during the past month: 1.4.0, 1.5.0

New and improved:

  • Added support for Linux Azure App Service.

  • Added support for Alpine.

  • Improved handling of scenarios where the agent would write repeated errors to log files, creating larger than necessary log files.

  • The agent will now log unknown configuration keys at startup. This should help with troubleshooting configuration issues (for example invalid yaml).

Bug fixes:

  • When applications redirected to a URL that had been validated using Url.IsLocalUrl, the agent would still report an unvalidated redirect vulnerability. The agent will now respect the Url.IsLocalUrl validator.

  • A race condition around requests for configuration values that did not have default values could lead to an unhandled error in the agent. The race condition has been fixed, default configuration values have been provided for all configuration options, and missing default configuration values are now properly handled.