[New for Release 220.127.116.11]
The CAT.NET activity can be used to run the CATNetCmd.exe tool to check for security issues in an assembly. For more details on this tool see the
MSDN Security Tools blog. In this example we aim to show the basic steps that are required to get the activity integrated into a build.
Before you can make use of any of the
TFS 2010 community build activities you have to make sure they are available for the build system and on your development PC. Instructions for this process can be found in the
ALM Rangers build guide or in the
StyleCop page of this wiki. This page assumes the CatNetScan activity is available in the developers build process workflow toolbox.
The 2.0 CTP of Cat.NET can be downloaded from Microsoft Connect
One of these versions needs to be installed on the build agent PC, it should not matter which.
Add the activity to the workflow
The CatNetScan activity should added to the workflow. As the tool works with compiled assemblies it is probably best to place it just after the build workflows Compile and Tests block.
Setting the Properties
The following properties need to be set (as a minimum)
|(Required) – this is a comma separated list of assemblies to test. Wild cards can be used. A good starting option is to use
|(Required) – this is the XML file to dump the analysis results in. This is set as required as it is used by the activity to set return values and build messages based on the analysis results. A good default is
BuildDetail.DropLocation + "\MicrosoftCodeAnalysisReport.xml" as this places the report file in the build drop location
|The activity will try to look for the command line exe in it’s default location. If this fails a hard coded path can be entered in this property e.g.
"C:\Program Files (x86)\Microsoft\CAT.NET\CATNetCmd.exe"
The other properties of the activity match the command line arguments of the Cat.NET tools. For more details run CatNETCMD.EXE /?
Running the Build
When the build is run, and if a CAT.NET violation is found, such as a SQL Injection or XSS issue, then the build will fail and the number of issues will be listed in the build report summary. The details of the issues will be found in the XML report file
in the drops location (if using the setting above)
The activity also returns an out bool parameter AnalysisFailed to indicated if any issues were found, which can be used in the build workflow.