[New for Release 220.127.116.11]
The CAT.NET activity can be used to run the CATNetCmd.exe tool to check for security issues in an assembly. For more details on this tool see the MSDN Security Tools blog. In this example we aim to show the basic steps that are required to get the activity integrated into a build.
Before you can make use of any of the TFS 2010 community build activities you have to make sure they are available for the build system and on your development PC. Instructions for this process can be found in the ALM Rangers build guide or in the StyleCop page of this wiki. This page assumes the CatNetScan activity is available in the developer's build process workflow toolbox.
The 2.0 CTP of Cat.NET can be downloaded from Microsoft Connect.
One of these versions needs to be installed on the build agent PC; it should not matter which.
Add the activity to the workflow
The CatNetScan activity should be added to the workflow. As the tool works with compiled assemblies it is probably best to place it just after the build workflow's Compile and Tests block.
Setting the Properties
The following properties need to be set (as a minimum):
(Required) – this is a comma-separated list of assemblies to test. Wildcards can be used. A good starting option is to use
(Required) – this is the XML file to write the analysis results to. This is set as required because the activity uses it to set return values and build messages based on the analysis results. A good default is
BuildDetail.DropLocation + "\Cat.NETReport.xml" as this places the report file in the build drop location.
(If left out you get no HTML report) – this is the nicely formatted analysis results. By default the report.xslt in the Cat.NET program folder will be used for the transform. A good default is
BuildDetail.DropLocation + "\Cat.NETReport.htm" as this places the report file in the build drop location.
The activity will try to look for the command line exe in its default location. If this fails a hard-coded path can be entered in this property, e.g.
Note: You can rename CATNETCMDx64.exe to remove the x64 so it can be found by default, thus removing the need to set this argument.
The other properties of the activity match the command line arguments of the Cat.NET tool. For more details run CatNETCMD.EXE /?
Running the Build
When the build is run, and if a CAT.NET violation is found, such as a SQL injection or XSS issue, the build will fail and the number of issues will be listed in the build report summary. The details of the issues will be found in the XML and HTML report files in the drop location (if using the settings above).
The activity also returns an out bool parameter AnalysisFailed to indicate whether any issues were found, which can be used in the build workflow.