Let's see what happens :)
It's nice to meet you, and I hope that you find interesting what we've doing with Cat.NET.
Basically we extracted the files that come from the Cat.NET v1.1 MSI installer and:
- Used reflection to access the Cat.NET engine directly and fire scans using pre-loaded assemblies
- Found a way to run Cat.NET outside VisualStudio (as a stand-alone application)
- Created a Cat.NET based VisualStudio Extension for the TeamMentor product I'm developing for SI, which hooks into the VisualStudio compilation process, fires a scan on build and shows the Cat.NET results in the Error List view (hyperlinked to the TeamMentor Guidance)
- Found a way to use Cat.Net with Roslyn, and packaged the whole thing (Gui, referenced dlls and required Cat.NET files) into 1 (one) executable file that is all the user needs to run Cat.NET in their box (this about the power of distributing custom scanners this way)
- btw, you can download this executable from TM - RealTime Security Scan v1.4.exe
- The video at Real-time Vulnerability Creation Feedback inside VisualStudio (with Greens and Reds)
- The "Custom Cat.NET GUI executable": TM - RealTime Security Scan v1.4.exe
- The "Cat.NET + TeamMentor" Extension at VisualStudio Gallery: TeamMentor VisualStudio with CatNet
But if you are curious and have a couple minutes to spare, I've written a number of blog posts that show these ideas/PoCs in action and my thinking so far (sorted by chronological order so you can see the evolution):
- Video: Injecting TeamMentor into Cat.Net running inside VisualStudio
- Video: Real time Vulnerability Scanning using Cat.Net and Roslyn (SAST)
- Using Roslyn to Load and (quickly) Compile C# Solution files (outside VisualStudio)
- Using/Consuming Cat.Net's engine inside the O2 Platform (and outside VisualStudio)
- New Reddit Community for Cat.Net
- Running Cat.NET SAST Scanner outside VisualStudio
- Real-Time C# Solution Compilation and Security Scanning (using Roslyn and Cat.NET)
- Real-time Vulnerability Creation Feedback inside VisualStudio (with Greens and Reds)
- CatNet in VisualStudio with TeamMentor - Final Beta version
- What am I doing with Cat.NET?
- What are the challenges with SAST that don't need a better engine
I know this is a long list of links, but hopefully they show the effort so far, and the fact that Cat.NET is good enough for the problems we are currently solving. For example:
- finding the best way to show TeamMentor guidance for findings,
- improving Scanning Rules,
- adding support for Frameworks like ASP.NET MVC,
- etc... (see my post on the SAST challenges).
Yes, I'm aware of the limitations of the current engine, but ironically me and the others CCed on this list have been able to get better results from it than from other commercial vendors (after tweaking the rules and scanning workflow).
The reality is that although it would be great if you (and other at MSFT) joined the efforts in making Cat.NET even better, that is not necessary. We already have access to Cat.NET source code (via the 'Save source code' capabilities of tools like Reflector or ILSPY) so we can do it ourselves :)
FYI, I have asked (without much success) the SDL team on this MSDN forum question to allow the release/modification of Cat.NET code and its use on azure-like service.
So, what do you think of all of this?
I have lots of ideas for Cat.NET and would love to work with you in making them a reality.
Are you interested?