With the new build of CAT.NET available on connect.microsoft.com you must have noticed that the new version includes only a command line tool. We we will be releasing the Visual Studio rules as part of Beta1 release. So lets look at how we can use the command line version to analyze binaries and configuration files for insecure configuration.
After the installation click on Windows Start Menu and go to All Programs –> Microsoft Information Security –> Code Analysis for .NET (CAT.NET) v2.0 and select CAT.NET v2.0 Command Prompt. This will launch a command window and display all the command line options as shown below.
If you notice /file and /configdir are both required switches which are path to binary file and path to directory with .config files respectively. Optionally /report and /reportxsloutput are paths to report.xml and report.htm files which are outputs from cat.net analysis. Here is a sample command that runs the analysis on the sample application that is part of Anti-XSS distribution that identifies Cross Site Scripting vulnerabilities and some insecure configuration in web.config.
CATNetCmd.exe /file:"c:\AntiXss\Sample Application\bin\SampleApp.dll" /configdir:"C:\AntiXss\Sample Application" /report:"C:\AntiXss\SampleAppReport.xml" /reportxsloutput:"C:\AntiXss\Sample AppReport.htm"
In essence you should be using /file, /configdir, report and /reportxsloutput for your analysis. There are total 40 rules loaded by the engine which includes 33 config rules and 7 data flow rules. Generated report includes targets, time taken for analysis, summary of violations and violations details. Here is the report generated by the above sample command.
Configuration issues provide line numbers and violation xml in the report. Similarly data flow analysis rules provide the entry point and additional data to identify where the error is occurring. These will be dramatically improved in Beta1 to provide more detailed information on where violation has occurred and specific data flow paths in case of data flow rules. Keep checking our blog site for more information on CAT.NET tool.