Supported Technologies

Platform Support

.NET Core for Windows

The Contrast .NET Core agent supports analysis of web applications built on the following technologies when executing within a Windows environment. Refer to the following table for supported versions.

| Technology | Supported versions |
| --- | --- |
| .NET Core Runtime | 2.1.X, 2.2.X |
| .NET Core Target | 2.1 (netcoreapp2.1), 2.2 (netcoreapp2.2) |
| Server container | Kestrel, IISHttpServer |
| Hosting container | Self-hosted, IIS, IIS Express |
| Operating system | Windows 7, 8/8.1, 10; Windows Server 2008 R2, 2012, 2012 R2, 2016, 2019 |
| Processor architecture | The agent can be used on both 32-bit and 64-bit systems. On 64-bit systems, you can use the agent to analyze both 32-bit and 64-bit web applications. |
| Web application frameworks | ASP.NET Core (2.1.X, 2.2.X) |

When running on Windows, the .NET Core agent does not support the following technologies at this time:

• Http.sys (formerly called WebListener)
• Self-contained deployments
• Framework-dependent executables
• .NET Core or ASP.NET Core versions 3.0 or above
• .NET Core or ASP.NET Core version 2.0 or below
• ASP.NET Core applications running under the .NET Framework
• Windows on ARM

.NET Core for Linux

The .NET Core agent does not support the Linux platform at this time.

Unsupported Scenarios

The .NET Core agent does not support the following scenarios:

• Running with an ASP.NET Core application that's a higher version than the runtime (e.g., an application with the .NET Core 2.1 runtime that references ASP.NET Core 2.2)
• Running with a .NET Core application for which the referenced ASP.NET Core version and the target runtime selected at compile time don't match

Supported Rules

The following Assess and Protect rules are or will be supported by the .NET Core agent, as noted. Security rules that are currently supported by the .NET Framework, but are either not supported by the .NET Core agent or not applicable to it, are also noted.

Assess Rules

Assess rules supported in .NET Core:

• autocomplete-missing
• cache-controls-missing
• clickjacking-control-missing
• cmd-injection
• crypto-bad-mac
• crypto-bad-ciphers
• crypto-weak-randomness
• csp-header-missing
• csp-header-insecure
• hsts-header-missing
• httponly
• insecure-auth-protocol
• ldap-injection
• reflected-xss
• path-traversal
• parameter-pollution
• secure-flag-missing
• sql-injection
• unvalidated-redirect
• xcontenttype-header-missing
• xpath-injection
• xxe
• xxssprotection-header-disabled

Assess rules that may be supported in the future:

• authorization-missing-deny
• authorization-rules-misordered
• cache-control-disabled
• compilation-debug
• cookies-flag-missing
• custom-errors-off
• header-injection
• header-checking-disabled
• http-only-disabled
• log-injection
• ldap-injection
• max-request-length
• plaintext-conn-strings
• request-validation-disabled
• role-manager-protection
• role-manager-ssl
• session-regenerate
• session-rewriting
• session-timeout
• stored-xss
• trace-enabled
• trust-boundary-violation
• unvalidated-forward
• version-header-enabled
• weak-membership-config

Assess rules that aren't applicable to .NET Core and won't be supported:

• event-validation-disabled
• forms-auth-protection
• forms-auth-redirect
• forms-auth-ssl
• request-validation-control-disabled
• trace-enabled-aspx
• viewstate-encryption-disabled
• viewstate-mac-disabled
• wcf-detect-replays
• wcf-exception-details
• wcf-metadata-enabled

Protect Rules

Protect rules supported in .NET Core:

• cmd-injection
• reflected-xss
• path-traversal
• sql-injection
• xxe

Protect rules that will be supported in the future:

• method-tampering
• untrusted-deserialization