Friday, 5 October 2012

Reaching out to Microsoft regarding CAT.NET

After an intro, where is the email I just sent to the Microsoft guy who owns Cat.NET

Let's see what happens :)

Hi ....

It's nice to meet you, and I hope that you find interesting what we've doing with Cat.NET.

Basically we extracted the files that come from the Cat.NET v1.1 MSI installer and:
  1. Used reflection to access the Cat.NET engine directly and fire scans using pre-loaded assemblies
  2. Found a way to run Cat.NET outside VisualStudio (as a stand-alone application)
  3. Created a Cat.NET based VisualStudio Extension for the TeamMentor product I'm developing for SI,  which hooks into the VisualStudio compilation process, fires a scan on build and shows the Cat.NET results in the Error List view (hyperlinked to the TeamMentor Guidance)
  4. Found a way to use Cat.Net with Roslyn, and packaged the whole thing (Gui, referenced dlls and  required Cat.NET files) into 1 (one) executable file that is all the user needs to run Cat.NET in their box (this about the power of distributing custom scanners this way)
Note: If you only have time to look at three things from this email, the best ones are:
But if you are curious and have a couple minutes to spare, I've written a number of blog posts that show these ideas/PoCs in action and my thinking so far (sorted by chronological order so you can see the evolution):
I know this is a long list of links, but hopefully they show the effort so far, and the fact that Cat.NET is good enough for the problems we are currently solving. For example:
  • finding the best way to show TeamMentor guidance for findings,
  • improving Scanning Rules,
  • adding support for Frameworks like ASP.NET MVC, 
  • etc... (see my post on the SAST challenges).

Yes, I'm aware of the limitations of the current engine, but ironically me and the others CCed on this list have been able to get better results from it than from other commercial vendors (after tweaking the rules and scanning workflow).

The reality is that although it would be great if you (and other at MSFT) joined the efforts in making Cat.NET even better, that is not necessary. We already have access to Cat.NET source code (via the 'Save source code' capabilities of tools like Reflector or ILSPY) so we can do it ourselves :)

FYI, I have asked (without much success) the SDL team on this MSDN forum question to allow the release/modification of Cat.NET code and its use on azure-like service.

So, what do you think of all of this?

I have lots of ideas for Cat.NET and would love to work with you in making them a reality.

Are you interested?