.NET Framework agent release notes

Release date: September 17, 2020

Language versions currently supported: .NET Framework: 4.7.1, 4.7.2, 4.8

New and improved:

  • Made the .NET Framework Contrast tray window resizable.

  • Improved ASMX route detection and handling of sources from deserialization.

Release date: September 3, 2020

Language versions currently supported: .NET Framework: 4.7.1, 4.7.2, 4.8

Telemetry is now enabled in the .NET Core agent in order to gather valuable data about the agent’s functionality. The data is all anonymous, no personal information is collected. New and improved:

  • Telemetry is now enabled in the .NET Framework agent in order to gather valuable data about the agent’s functionality. The data is all anonymous, no personal information is collected.

  • Azure Service Fabric is supported as a deployment type for the .NET Framework agent.

  • Cleaned up text in the Contrast tray.

Bug fixes:

  • .NET service restart causes IIS workers to fail to start. (SUP-1818)

  • There is a null reference in FileAnalysisEngine.FindVulnerabilities parameter.

Language versions currently supported: .NET Framework: 4.7.1, 4.7.2, 4.8

Bug fixes:

  • Tray crashes on startup. (SUP-1891)

  • Agent fails to startup properly when application is archived. (SUP-1849)

Language versions currently supported: .NET Framework: 4.7.1, 4.7.2, 4.8

Bug fixes:

  • Virtual patches for QueryString parameters do not work if the values contain structured data. (SUP-1763)

Language versions currently supported: .NET Framework: 4.7.1, 4.7.2, 4.8

Language versions currently supported: .NET Framework: 4.7.1, 4.7.2, 4.8

Agent versions released during the past month: 20.6.6, 20.7.2, 20.7.3, 20.7.4

New and improved:

  • Added connect to contrast-dotnet-diagnostics to test the agent’s ability to connect to Contrast.

  • Added config-keys to contrast-dotnet-diagnostics to display configuration options supported by the agent.

  • Added cert-info to contrast-dotnet-diagnostics to display information about the certificate provided by the value of the api.url configuration setting.

  • Improved the performance of Protect SQL-Injection detection.

  • Improved the performance of Protect against XML-based inputs.

  • Added validate-yaml to contrast-dotnet-diagnostics to verify the agent’s contrast-security.yaml configuration file.

Important notes:

  • The agent’s file analysis rules now execute within the context of the agent’s sensors component. These rules will now execute in Azure App Service and Docker deployments. Previously these rules only executed in the agent’s background Windows service component.

Bug fixes:

  • When a third-party profiler would be chained with Contrast, that profiler could instrument some internal Contrast methods which lead to some instability. This issue has been fixed now.

  • The agent could fail to properly observe some Web API 2 routes. This issue has been fixed now.

  • When an OWIN-based application was deployed to Azure App Service, the agent would cause an application error. This issue has been fixed.

  • When the agent’s background Windows service was shutting down it could sometimes harmlessly crash. This issue has been fixed.

Language versions currently supported: .NET Framework: 4.7.1, 4.7.2, 4.8

Agent versions released during the past month: 20.6.1, 20.6.3, 20.6.4

New and improved:

  • Improved the Assess analysis used to identify SSRF vulnerabilities to reduce the number of false positives reported by the agent.

  • Improved the Protect analysis used to analyze user inputs for potential SQL injection attacks to improve accuracy and performance.

  • Added support for OWIN based-hosting and self-hosted Web API applications outside of IIS.

  • The agent will now clean up old logs in Azure App Service and Docker-based deployments.

  • Improved logging and reliability around the agent’s auto-upgrade process.

  • Improved performance of Protect XSS.

  • Added support for route-based coverage of WCF services using Unity interception.

Bug fixes:

  • When the agent would report vulnerabilities for four response-based Assess rules related to CSP and HSTS, the report would be rejected by Contrast due to missing information. The agent now sends all expected information for these rules.

  • When an instrumented application defined a type using a large number of nested generic types, the agent could cause a StackOverflow error. This has now been fixed.

  • When a user would disable multiple Protect rules through the ‘protect.disabled_rules’ setting in the yaml file, the agent would not respect this setting. The agent will now respect this configuration setting.

  • When the agent’s service would restart IIS with Contrast sensors on an overloaded server, the service could start receiving messages from those sensors before it was ready to handle them which lead to the sensors failing to initialize. This issue has been fixed now.

  • When a user would set up profiler chaining with AppDynamics in an Azure App Service environment, the AppDynamics profiler would fail to load. This has now been fixed.

Language versions currently supported: .NET Framework: 4.7.1, 4.7.2, 4.8

Agent versions released during the past month: 20.5.1

New and improved:

  • Improved detection of dangerous path use in Protect; specifically, when interacting with the file system (path-traversal-semantic-dangerous-paths rule) and in arguments to OS commands (cmd-injection-semantic-dangerous-paths rule).

Important notes:

  • Beginning with this release, the minimum supported operating system is Windows Server 2012 and the minimum .NET Framework version is .NET 4.7.1.

  • The legacy .NET Framework agent maintains support for Windows Server 2008 and older .NET Framework versions. The legacy agent has all of the current features of the .NET Framework agent and receives critical bug fixes but otherwise will not be further developed.

Bug fixes:

  • When an application sent a request to the same URL as the current request, the agent would report an SSRF vulnerability. This is fixed now.

  • When the agent would report an xcontenttype-header-missing vulnerability, it was rejected due to missing information. The agent now sends all expected information for this vulnerability.

Language versions currently supported: .NET Framework: 3.5, 4.0, 4.5, 4.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2, 4.8

Agent versions released during the past month: 20.4.1, 20.4.2, 20.4.3

New and improved:

  • Improved handling of scenarios where the agent would write repeated errors to log files, creating larger than necessary log files.

  • The agent will now log unknown configuration keys at startup. This should help with troubleshooting configuration issues (for example, invalid yaml).

Important notes:

  • The agent’s auto-update feature will no longer update the agent when running on Windows Server 2008 or servers with .NET Framework 4.7.0 or older. This change is in preparation for the upcoming fork of the Contrast .NET Framework agent. See below for more details.

  • The next release of the .NET Framework agent will raise the minimum supported operating system to Windows Server 2012 and raise the minimum .NET Framework version to .NET 4.7.1. Support for Windows Server 2008 and older versions of the .NET Framework will be maintained via a fully featured legacy .NET Framework agent. This legacy agent will have all of the current features of the .NET Framework agent and will receive critical bug fixes but otherwise will not be the focus for future .NET development.

Bug fixes:

  • When an application hosted on IIS was (mis)configured without a virtual path, the agent’s background Windows service would crash. The agent’s background Windows service now properly handles this configuration.

  • A race condition around requests for configuration values that did not have default values could lead to a crash of the agent’s background Windows service. The race condition has been fixed, default configuration values have been provided for all configuration options, and missing default configuration values are now properly handled.