.NET Core agent release notes

.NET Core 2.1.0 adds support for applications targeting .NET 6.

Improved Assess data flow analysis through APIs using Span, Memory, ValueTask, ValueStringBuilder, and StringSegment types.

Agent now recognizes specific DateOnly and TimeOnly APIs as validators for Assess.

Added route coverage support for .NET 6's minimal API structure.

Dependencies of the agent diagnostics tool (contrast-dotnet-diagnostics.exe) could be removed during the upgrade process and not installed, causing the diagnostics tool to immediately crash when run. This has been resolved. Note that this issue only affected users using the .NET Core for IIS Installer.

Reduced agent performance impact to request latency of ASPNET Core applications.

Improved Assess data flow tracking through System.Text.Json.JsonDocument APIs.

Implemented Assess event limits to improve performance.

The .NET Core agent now supports Assess Stored XSS and Trust Boundary Violation rules.

Minor performance improvements.

Improved security of the agent upgrade service.

NullReferenceException when agent attempted to determine the version of .NET Core from an unusual command line. (DOTNET-3454)

Assess SQL Injection false positive when numeric values were safely used by Entity Framework Core internally. (DOTNET-3435)

Improved Assess data flow coverage through String.Format and JsonEncodedText.Encode.

Added Assess and Protect handling for when System.Text.Json serialization is set as the formatter/model-binder for ASP.NET Core.

Further reduced the amount of memory used by the agent's profiler component.

Reduced agent's overhead on each request.

The installed .NET Core for IIS agent now includes an auto-upgrade service that, if enabled in the service's configuration, will automatically upgrade the agent to the latest version on NuGet.

Improved Assess coverage APIs involving Span<T>, Range, and Index parameters.

The agent will no longer report weak hash algorithm used by the Azure Storage client SDK.

The agent would fail to discover routes declared using ASPNET Core MVC 3+ endpoint-style routing. (DOTNET-3265)

Further reduced memory usage of the agent's profiler component.

Improved Assess coverage of Memory<T> and MemoryExtension APIs.

Added official support for RHEL 7 and 8.

The agent could fail to report discovered routes to Contrast. (DOTNET-3234)

Reduced the amount of memory used by the agent's profiler component.

Improved Assess coverage of Memory<T> and Span<T> APIs.

Agent did not respect URL-based exclusions for Assess response-based rules. (DOTNET-3161)

Protect will no longer report semantic SQL findings on queries constructed safely using EF Core 2.1/3.1/5.0.

Profiler will now log all profiler settings, not just settings from the YAML file.

Profiler will no longer instrument diagnostics/powershell/powershell core.

Improved Assess coverage of APIs that return task.

Protect will no longer report semantic SQL chaining on queries constructed safely using LINQ 2 SQL.

Protect will no longer report use of dangerous functions on queries constructed safely using Entity Framework.

Agent's interaction with ASPNET Core's DI container could cause applications built on top of a Boilerplate template to not start up. (DOTNET-3038)

Assess will no longer report untrusted deserialization against JsonNET JsonSerializerProxy. (DOTNET-3031)

Assess false positive when using JsonSerializerProxy with Json.NET deserialization. (DOTNET-3031)

Agent did not send sessionId when reporting routes. (DOTNET-3021)

Improved performance of calling into Contrast code from instrumented methods.

Improved agent startup performance.

Will now discover and observe health check routes.

Will now observe endpoint routing routes (discovery was implemented in a previous version).

Agent will now discover endpoint routing routes.

Improved memory usage of logging communication with Contrast.

Agent will now discover and observe routes used by routing middleware handlers.

Reduced memory used by agent to capture stack traces.

Improve performance of capturing repeated stack traces under Protect.

Improved Assess coverage of ref struct objects when using the Common Instrumentation Engine (CIE).

Improved Assess sql-injection coverage of EF Core APIs.

Expanded coverage of Protect cmd-injection rule.

Will now discover health check routes.

Diagnostics now offers create-script to create deployment "scripts" for the local machine. Currently supports PowerShell, bash, launch settings, and web.config.

Diagnostics check-process will now inspect logs in the logs directory specified by environment variable (if set).

Agent will now report agent errors to telemetry.

Agent could fail to identify Assess sources when inspecting a model bound object that mixed JObject type within a POCO type. (DOTNET-2534)

Library reporting could fail on obfuscated assemblies. (DOTNET-2846)

Improved logging when both CLR and CoreCLR are in the same process.

Improved instrumentation performance under CLR Instrumentation Engine (CIE).

Improved logging for unsupported .NET Core runtime versions.

Added verb + url reporting for .NET Core Razor Pages discovered routes.

Fixed an error in parsing certain SQL queries in Protect semantic SQL rules. (DOTNET-646)

Fixed a memory leak. (DOTNET-2771)

Agent initialization will now log the final resolved value for assess.enable and protect.enable.

Improved route discovery for controller actions using convention or pattern-based routing.

.NET Core agent hangs on async tasks. (SUP-2667)

Improved accuracy for async APIs under Assess.

Accurate reporting of the verb and URL parameters for unexercised routes when using the NetCore framework.

Added support for server.path configuration.

The agent will now report the host of Web Service components.

Improved agent performance by alleviating common agent hot spots.

Improved Assess data propagation on asynchronous methods.

Improved Assess detection of unsafe cryptographic algorithms.

Agent does not properly handle valid tls_versions configuration: tls|tls11|tls12 (DOTNET-2551)

The agent's profiler component chooses not to instrument a process when .NET Framework runtime was loaded first but the environment variable indicated .NET Core. (SUP-2225)

Improved application archiving capabilities. Once an application is archived in the Contrast web interface, the .NET Core agent will be disabled without needing an IIS restart.

Different signatures for the same dataflow reports duplicate routes. (SUP-2345)

All agent configuration settings referring to the terms blacklist and whitelist have been changed to denylist and allowlist, respectively. For example, agent.dotnet.app_pool_whitelist is now agent.dotnet.app_pool_allowlist. The agent will continue to respect the old configuration names until August 2nd, 2022.

Protect will now mask sensitive data in the attack vector if enabled in the Contrast web interface.

Refined crypto-bad-mac rule to ignore .NET Core library code.

Added support for additional .NET Core deployment types (self-contained and framework dependant executables).

Protect path traveral in monitoring mode will now report a path-traversal probe when an attack goes through a "path resolution API" such as Path.GetFullPath. (SUP-2190)

Self-contained .NET Core deployments are now supported.

Added checkpoints to ensure semantic SQL rules are not reported by the agent when the rule is disabled in the Contrast web interface.

Added support for framework dependent executables.

Removed agent.dotnet.enable_runtimeid_callbackhandler configuration.

Session based auto-verification policies didn’t change the vulnerability status. (SUP-2365)

The profiler will now log to syslog in the event of a major error or exception.

.NET Core agent has a problem on startup when an application specified a custom NLog configuration file. (SUP-2220)

The agent now supports .NET Core 5.

The agent now reports names of classes used as part of enhanced library usage.

The agent was reporting misleading route observation predictions upon route discovery. (DOTNET-2213)

The agent fails to start when Contrast provided a syslog configuration with messages at INFO level. (DOTNET-2310)

The agent caused an error during agent initialization if the console was disabled. (DOTNET-2283)

With this release, the CLR Instrumentation Engine (CIE) is fully supported. Custom CIE environment variables are no longer required and can be removed. (You may have to reinstall the site extension.)

Officially deprecated and removed CONTRAST__AGENT__DOTNET__CONTAINER. The configuration flag has no effect. All environments that required it, no longer require the flag to function.

Reduced the size of the Azure App Service Site Extension by removing diagnostics from the download. Diagnostics is still available for other deployment types.

Minor performance improvements under Protect's XSS.

When agent sensors failed to initialize under Windows, they would crash the IIS process with an "IOException: The handle is invalid." exception. (DOTNET-2253)

We will no longer support .NET Core 2.2 beginning with this version. This is keeping up with Microsoft’s support policy, and their announcement to end support for .NET Core 2.2 by Dec 23, 2019. If you are using .NET Core 2.2, please make sure to use the .NET Core agent version 1.5.20 or lower until you can upgrade your application’s .NET Core runtime.

The .NET Core agent now supports logging to stdout for managed code.

Found memory leak in correlation tasks. (SUP-2065)

Agent causes 500 if the app changes the maximum request body size. (SUP-2032, workaround available)

Telemetry now reports application framework and profiler chaining configurations.

Azure Service Fabric is supported as a deployment type for the .NET Core agent.

The agent does not respect the  api.certificate.ignore_cert_errors configuration property.

Telemetry is now enabled in the .NET Core agent in order to gather valuable data about the agent’s functionality. The data is all anonymous, no personal information is collected.

Agent fails to startup properly when application is archived. (SUP-1849)

Type scanning may throw an exception. (SUP-1671)

Improved logging around Virtual Patch usage.

Virtual patches for QueryString parameters do not work if the values contain structured data. (SUP-1763)

Improved logging around non-graceful shutdowns.

Added connect to contrast-dotnet-diagnostics to test the agent’s ability to connect to Contrast.

Added config-keys to contrast-dotnet-diagnostics to display configuration options supported by the agent.

Added cert-info to contrast-dotnet-diagnostics to display information about the certificate provided by the value of the api.url configuration setting.

Improved the performance of Protect SQL-Injection detection.

Improved the performance of Protect against XML-based inputs.

Added validate-yaml to contrast-dotnet-diagnostics to verify the agent’s contrast-security.yaml configuration file.

Improved the Assess analysis used to identify SSRF vulnerabilities to reduce the number of false positives reported by the agent.

Improved the Protect analysis used to analyze user inputs for potential SQL injection attacks to improve accuracy and performance.

The agent will now clean up old logs.

Removed the dependency on Microsoft.Extensions.Caching.Memory.

Improved performance of Protect XSS.

Improved performance of Protect SQL-Injection.

When the agent would report vulnerabilities for four response-based Assess rules related to CSP and HSTS, the report would be rejected by Contrast due to missing information. The agent now sends all expected information for these rules.

When an instrumented application defined a type using a large number of nested generic types, the agent could cause a StackOverflow error. This has now been fixed.

When a user would disable multiple Protect rules through the ‘contrast.protect.disabled_rules’ setting in the yaml file, the agent would not respect this setting. The agent will now respect this configuration setting.

When a user would disable logging, the agent’s profiler component would still log high level information during initialization. The profiler will no longer create a log when logging is disabled.

Improved detection of dangerous path use in Protect; specifically, when interacting with the file system (path-traversal-semantic-dangerous-paths rule) and in arguments to OS commands (cmd-injection-semantic-dangerous-paths rule).

The agent will no longer attempt to load under .NET Core versions less than 2.1 as these versions are not supported.

When an application sent a request to the same URL as the current request, the agent would report an SSRF vulnerability. This is fixed now.

When the agent would report an xcontenttype-header-missing vulnerability, Contrast would reject the vulnerability report due to missing information. The agent now sends all expected information for this vulnerability.

When an instrumented application closed the response stream, the agent could cause an application error. This is fixed now.

When an instrumented application seeked within a response stream, the agent could cause an application error. This is fixed now.

Added support for Linux Azure App Service.

Added support for Alpine.

Improved handling of scenarios where the agent would write repeated errors to log files, creating larger than necessary log files.

The agent will now log unknown configuration keys at startup. This should help with troubleshooting configuration issues (for example invalid yaml).

When applications redirected to a URL that had been validated using Url.IsLocalUrl, the agent would still report an unvalidated redirect vulnerability. The agent will now respect the Url.IsLocalUrl validator.

A race condition around requests for configuration values that did not have default values could lead to an unhandled error in the agent. The race condition has been fixed, default configuration values have been provided for all configuration options, and missing default configuration values are now properly handled.