How To: Use CAT.NET V2.0 CTP
Syed Aslam Basha here from the Information Security Tools team.
As the installer name suggests CATNETV20CMD, CAT.NET V2.0 CTP is command line version only. CAT.NET v2.0 CTP analyses assemblies for vulnerabilities and configuration files for misconfigurations. You can open the rules files present at C:\Program files\Microsoft Information Security tools\Microsoft Code Analysis for .NET(CAT.NET) v2.0\Rules\ConfigRules, to get an understanding of configuration rules. Example, configrule for trace, if trace is enabled it will be shown in report.
1: <?xml version="1.0" encoding="utf-8"?>
2: <ConfigurationRule xmlns:xsi="https://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="https://www.w3.org/2001/XMLSchema" typeName="Microsoft.InformationSecurity.CodeAnalysis.Engines.RulesModel.ConfigurationRule, Microsoft.InformationSecurity.CodeAnalysis.Engines.RulesModel, Version=1.0.0.0, Culture=neutral, PublicKeyToken=b9ded31be328441b" enabled="false" comparisionType="AttributeCheck" isAndConditions="false">
3: <Information cultureName="en-US">
4: <Category>Web Security</Category>
5: <Certainity>50</Certainity>
6: <Description>Trace is enabled which can lead to information disclosure</Description>
7: <Email>anilkr@microsoft.com</Email>
8: <Name>Trace enabled attribute is set to true</Name>
9: <Owner>Anil Revuru</Owner>
10: <Resolution>Set enabled attribute to false</Resolution>
11: <RuleId>WEBCONFSEC07</RuleId>
12: <SeverityLevel>High</SeverityLevel>
13: <Url></Url>
14: <Problem>Enabled attribute is set to true</Problem>
15: </Information>
16: <Conditions>
17: <Condition conditionId="42C400DF-5130-4FDB-9EE3-8C944D92BBC8" configurationPath="/configuration/system.web/trace" attributeName="enabled" attributeValue="true" comparisionOperator="Equals" />
18: </Conditions>
19: </ConfigurationRule>
20:
Steps to use CAT.NET v2.0:
Launch command prompt in administrator mode and go to C:\Program files\Microsoft Information Security tools\Microsoft Code Analysis for .NET(CAT.NET) v2.0.
Enter
CATNetCmd.exe /file:"D:\MyApplication\bin\Application.dll" /configdir:"D:\MyApplication" /report:"D:\MyApplication\ApplicationReport.xml" /reportxsloutput:"D:\MyApplicaiton\ApplicationReport.htm"
/file and /configdir switches are mandatory, file is the path to the assembly to analyze and configdir path to the web.config file to analyze. It analyzes all web.configuration files under the folder and reports the issues. Total 40 rules are loaded, 33 config rules and 7 data flow rules.
Following are the command-line options available
/file:<target>
Required. The path of an assembly file to analyze. Multiple file paths and wildcards are not supported. This is a required parameter./configdir:<target directory>
Required. The path to a directory which contains .NET configuration files for analysis./rules:<directory>
Optional. The path to a file or directory that contains analysis rule(s). The engine will use the default rules included with the product by default./report:<file>
Optional. The file to store the analysis report in. By default, the report will be saved in 'MicrosoftCodeAnalysisReport.xml' in the current working directory./reportxsl:<file>
Optional. The XSL file to use to transform the report. By default, the packaged XSL transform included in the product will be used./reportxsloutput:<file>
Optional. The output file to store the XSLT transform output in. By default, the HTML report will be saved in 'report.html' in the current working directory./verbose
Optional. Enables flag to display verbose message when displaying results.The CAT.NET report contains detailed information about dataflow and configuration analysis errors along with line numbers.
-Syed Aslam Basha ( syedab@microsoft.com )
Microsoft Information Security Tools (IST) Team
Test Lead