The insides of CATScan

How does CATScan work?

In three steps,
  1. Each build calls CAT.NET tool as an MsBuild task.
  2. CAT.NET scans all the binaries built by Team Build to produce a security code review report in xml and html format.
  3. Custom console application uses WSS List web service to upload the security code review scan report file(s) to the Team portal belonging to the Team Project.

What modifications are required on Team Build?

Visual Studio Team Build targets file Microsoft.TeamFoundation.Build.targets is called whenever a build is executed in Team Build.
  • This file is injected with the CAT.NET task information for calling like this
_<!-- Cat.Net declarations--->
<UsingTask TaskName="CatNetScan" AssemblyFile="$(ProgramFiles)\Microsoft\Cat.Net\TeamBuildCATNET.dll"/>_
* *EnableSecurityAnalysis* flag is used to check if CAT.NET scanning is turned *on*. This variable can be set from each TFSBuild.proj file and modifying this targets file is not essential.
_<!--Security Code analysis check-->
<EnableSecurityAnalysis>true</EnableSecurityAnalysis>_
* I then override the AfterDropBuild target with the conditional check for EnableSecurityAnalysis flag to call the CAT.NET task
<!-- Override the target *AfterDropBuild* to execute custom tasks after copying files to the drop location -->
_<Target
Name="AfterDropBuild"
Condition=" '$(EnableSecurityAnalysis)'=='true' "
>
<MakeDir
Directories="$(DropLocation)\$(BuildNumber)\Reports" />
<BuildStep
TeamFoundationServerUrl="$(TeamFoundationServerUrl)"
BuildUri="$(BuildUri)"
Message="Creating Reports folder"
Status="Succeeded" />
<ItemGroup>
<CatNetScanFiles Include="$(DropLocation)\$(BuildNumber)\**\*.dll;$(DropLocation)\$(BuildNumber)\**\*.exe" />
</ItemGroup>
<PropertyGroup>
<CatNetPath>$(ProgramFiles)\Microsoft\Cat.net</CatNetPath>
<CatNetConfig>$(ProgramFiles)\Microsoft\Cat.net\Config</CatNetConfig>
<CatNetRules>$(ProgramFiles)\Microsoft\Cat.net\Rules</CatNetRules>
<CatNetReports>$(DropLocation)\$(BuildNumber)\Reports</CatNetReports>
</PropertyGroup>
<BuildStep
TeamFoundationServerUrl="$(TeamFoundationServerUrl)"
BuildUri="$(BuildUri)"
Message="Calling Cat.Net"
Status="InProgress">
<Output TaskParameter="Id" PropertyName="StepId"/>
</BuildStep>
<CatNetScan
CatNetPath="$(CatNetPath)"
ConfigPath="$(CatNetConfig)"
ReportHtmlFile="$(CatNetReports)\$(BuildNumber)CatNetReport.html"
ReportXmlFile="$(CatNetReports)\$(BuildNumber)CatNetReport.xml"
RulePath="$(CatNetRules)"
ScannedFiles="@(CatNetScanFiles)"
/>
<BuildStep
TeamFoundationServerUrl="$(TeamFoundationServerUrl)"
BuildUri="$(BuildUri)"
Message="Cat.Net scan"
Id="$(StepId)"
Status="Succeeded" />
<OnError ExecuteTargets="MarkBuildStepFailed"/>
</Target>
<Target Name="MarkBuildStepFailed" >
<BuildStep
TeamFoundationServerUrl="$(TeamFoundationServerUrl)"
BuildUri="$(BuildUri)"
Id="$(StepId)"
Message="Cat.Net scan failed"
Status="Failed" />
</Target>_
There is not much up there although you may see a large number of statements. To break it up:
  • I use built in task MakeDir to create a Reports folder in the drop share to copy all the CATScan report files. This is not essential but just neater so the reports are available on the drop share as well as WSS. There is some logic here which I will explain later.
  • Next I collect all the binaries i.e. exe and dlls from the drop location folder in an itemgroup CatNetScanFiles,
  • Setup CAT.NET configuration paramters using PropertyGroup and
  • Call CatNetScan task with the relevant config parameters.
  • I also use a series of BuildStep tasks for tracking the status of each task so there is a visible indication of each task executing in the build summary screen in VSTFS client.

What does the WSSLists console application look like?
Finally, I call a custom console application WSSLists.exe which is nothing but a simple wrapper to call the TFS WSS lists.asmx http://www.microsoft.com/downloads/details.aspx?FamilyId=0178e2ef-9da8-445e-9348-c93f24cc9f9d&displaylang=en
  • MSDN Webcast: Software Security with Static Code Analysis Using CAT.NET (Level 200) http://blogs.msdn.com/cisg/archive/2009/02/16/msdn-webcast-software-security-with-static-code-analysis-using-cat-net-level-200.aspx
  • AntiXSS Library V3.0 - this is the proposed solution for most of the problems reported by CAT.NET http://www.codeplex.com/AntiXSS/

    Use the above script to get your Team Build to scan all your code and report your findings. Let me know if you encounter any issues. The full source code with complete working sample will be uploaded shortly.




  • Last edited Apr 13, 2010 at 6:13 AM by yogz, version 2

    Comments

    No comments yet.