.NET Core agent release notes

Release date: September 17, 2020

Language versions currently supported: .NET Core: 2.1, 2.2, 3.0, 3.1

New and improved:

  • Azure Service Fabric is supported as a deployment type for the .NET Core agent.

Bug fixes:

  • The agent does not respect the api.certificate.ignore_cert_errors configuration property.

Release date: September 3, 2020

Language versions currently supported: .NET Core: 2.1, 2.2, 3.0, 3.1

New and improved:

  • Telemetry is now enabled in the .NET Core agent in order to gather valuable data about the agent’s functionality. All of the data is anonymous; no personal information is collected.

Language versions currently supported: .NET Core: 2.1, 2.2, 3.0, 3.1

Bug fixes:

  • Agent fails to start up properly when the application is archived. (SUP-1849)

Language versions currently supported: .NET Core: 2.1, 2.2, 3.0, 3.1

Bug fixes:

  • Type scanning may throw an exception. (SUP-1671)

Language versions currently supported: .NET Core: 2.1, 2.2, 3.0, 3.1

New and improved:

  • Improved logging around Virtual Patch usage.

Bug fixes:

  • Virtual patches for QueryString parameters do not work if the values contain structured data. (SUP-1763)

Language versions currently supported: .NET Core: 2.1, 2.2, 3.0, 3.1

New and improved:

  • Improved logging around non-graceful shutdowns.

Language versions currently supported: .NET Core: 2.1, 2.2, 3.0, 3.1

Agent versions released during the past month: 1.5.10, 1.5.11, 1.5.12

New and improved:

  • Added connect to contrast-dotnet-diagnostics to test the agent’s ability to connect to Contrast.

  • Added config-keys to contrast-dotnet-diagnostics to display configuration options supported by the agent.

  • Added cert-info to contrast-dotnet-diagnostics to display information about the certificate provided by the value of the api.url configuration setting.

  • Improved the performance of Protect SQL-Injection detection.

  • Improved the performance of Protect against XML-based inputs.

  • Added validate-yaml to contrast-dotnet-diagnostics to verify the agent’s contrast-security.yaml configuration file.

Language versions currently supported: .NET Core: 2.1, 2.2, 3.0, 3.1

Agent versions released during the past month: 1.5.5, 1.5.7, 1.5.8, 1.5.9

New and improved:

  • Improved the Assess analysis used to identify SSRF vulnerabilities to reduce the number of false positives reported by the agent.

  • Improved the Protect analysis used to analyze user inputs for potential SQL injection attacks to improve accuracy and performance.

  • The agent will now clean up old logs.

  • Removed the dependency on Microsoft.Extensions.Caching.Memory.

  • Improved performance of Protect XSS.

  • Improved performance of Protect SQL-Injection.

Bug fixes:

  • When the agent would report vulnerabilities for four response-based Assess rules related to CSP and HSTS, the report would be rejected by Contrast due to missing information. The agent now sends all expected information for these rules.

  • When an instrumented application defined a type using a large number of nested generic types, the agent could cause a StackOverflow error. This has now been fixed.

  • When a user disabled multiple Protect rules through the ‘contrast.protect.disabled_rules’ setting in the YAML file, the agent would not respect this setting. The agent will now respect this configuration setting.

  • When a user would disable logging, the agent’s profiler component would still log high level information during initialization. The profiler will no longer create a log when logging is disabled.

Language versions currently supported: .NET Core: 2.1, 2.2, 3.0, 3.1

Agent versions released during the past month: 1.5.3

New and improved:

  • Improved detection of dangerous path use in Protect; specifically, when interacting with the file system (path-traversal-semantic-dangerous-paths rule) and in arguments to OS commands (cmd-injection-semantic-dangerous-paths rule).

  • The agent will no longer attempt to load under .NET Core versions earlier than 2.1, as these versions are not supported.

Bug fixes:

  • When an application sent a request to the same URL as the current request, the agent would report an SSRF vulnerability. This is fixed now.

  • When the agent would report an xcontenttype-header-missing vulnerability, Contrast would reject the vulnerability report due to missing information. The agent now sends all expected information for this vulnerability.

  • When an instrumented application closed the response stream, the agent could cause an application error. This is fixed now.

  • When an instrumented application seeked within a response stream, the agent could cause an application error. This is fixed now.

Language versions currently supported: .NET Core: 2.1, 2.2, 3.0, 3.1

Agent versions released during the past month: 1.4.0, 1.5.0

New and improved:

  • Added support for Linux Azure App Service.

  • Added support for Alpine.

  • Improved handling of scenarios where the agent would write repeated errors to log files, creating larger than necessary log files.

  • The agent will now log unknown configuration keys at startup. This should help with troubleshooting configuration issues (for example, invalid YAML).

Bug fixes:

  • When applications redirected to a URL that had been validated using Url.IsLocalUrl, the agent would still report an unvalidated redirect vulnerability. The agent will now respect the Url.IsLocalUrl validator.

  • A race condition around requests for configuration values that did not have default values could lead to an unhandled error in the agent. The race condition has been fixed, default configuration values have been provided for all configuration options, and missing default configuration values are now properly handled.
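
The Url.IsLocalUrl fix above concerns the following ASP.NET Core pattern. This is an added example, not code from the agent or from Contrast; the controller, action and parameter names are hypothetical. It shows the unvalidated redirect next to the validated form.

```csharp
using Microsoft.AspNetCore.Mvc;

// Hypothetical controller, constructed for illustration only.
public class AccountController : Controller
{
    // Before: the redirect target is taken directly from the request,
    // so the application will send the browser to any URL the caller
    // supplies. This is the unvalidated redirect pattern.
    [HttpGet]
    public IActionResult LoginUnvalidated(string returnUrl)
    {
        return Redirect(returnUrl);
    }

    // After: the target is checked with Url.IsLocalUrl before use.
    // IsLocalUrl returns true only for application-local paths such as
    // "/orders/42" or "~/orders/42"; it returns false for absolute URLs,
    // for protocol-relative values ("//host") and for "/\host".
    [HttpGet]
    public IActionResult LoginValidated(string returnUrl)
    {
        if (!string.IsNullOrEmpty(returnUrl) && Url.IsLocalUrl(returnUrl))
        {
            return Redirect(returnUrl);
        }

        // Anything that is not local falls back to a fixed in-app page.
        return RedirectToAction("Index", "Home");
    }
}
```

The validation has to sit on the same code path as the redirect, guarding the value that is actually passed to Redirect; checking one variable and redirecting with another leaves the redirect unvalidated.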