
Professional Edition

The following instructions will get your development teams up and running with the Puma Scan Professional Edition. In less than 15 minutes, Puma's static analysis rules can be running as code is written within your organization.

Release Notes

0.7.2

Version 0.7.2 is a minor release with the following changes:

0.7.1.1

Version 0.7.1 is a minor release with the following changes:

0.7.1.0

Version 0.7 is a minor release with the following improvements:

0.7

Version 0.7 is a minor release with the following improvements:

0.6

Version 0.6 is a minor release to fix the following items:

0.5.2.2

Version 0.5.2 is a patch release to fix the following items:

Known issue(s)

0.5.2

Version 0.5.2 is a patch release to fix the following items:

Known issue(s)

0.5.1

Version 0.5.1 is a patch release to fix the following items:

0.5

Version 0.5 is the first official professional beta release and includes the following advanced features:

See the Rules Documentation for details on the current rule support.

Prerequisites

Visual Studio


# Chocolatey PowerShell command to install Visual Studio Community edition
choco install visualstudio2017community

Roslyn code analyzer extensions are supported by Visual Studio 2015 and higher. Either install Visual Studio Community or a licensed version from your MSDN Subscription account.

Alternatively, PCs configured with Chocolatey can install the Visual Studio Community package.

End User Installation Steps

1) Install Visual Studio Extension

The Puma Scan Professional Visual Studio Extension installs the security rules in a single instance of Visual Studio on a user's local workstation. A single-user license may be installed on up to three (3) workstations owned by an individual.

To install the Visual Studio extension, open the Tools menu and select the Extensions and Updates… menu item. In the Online > Visual Studio Marketplace, search for “Puma Scan Professional” and download the extension.

Or, directly download the VSIX file from the Visual Studio Marketplace.

2) Download Your License File

Figure 1: Puma Scan’s license management screen.

Sign in to the Puma Scan portal and download your license file. See Figure 1 for details.

3) Install License File

The Settings.json file identifies the directory that contains the license file.

{
  "GeneralSettings": {
    "LicenseFileDirectory": "C:\\Users\\Bobby\\Licenses"
  }
}

Copy the downloaded Puma license file to the scanner’s default working directory:

%appdata%\Microsoft\VisualStudio\Puma.Security.Rules

Once the scanner has run, the Puma.Security.Rules directory will contain a Settings.json file. You can configure the scanner to look in a different location for the license file by changing the GeneralSettings:LicenseFileDirectory property. NOTE: Each backslash in the directory path must be escaped (e.g., \\ instead of \), because the path is a JSON string.

See the Configuration Documentation for the full documentation.
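The following PowerShell script is an added example, not part of the Puma Scan documentation. It copies the downloaded license file into a custom directory, points GeneralSettings:LicenseFileDirectory in Settings.json at that directory, and reads the file back to confirm the path round-trips. Serializing the path with ConvertTo-Json produces the escaped backslashes the scanner expects, so nothing has to be doubled by hand. The download location ($LicensePath) and the custom directory ($LicenseDir) are assumptions; the scanner's default working directory is the one named above.

```powershell
# Added example: install the Puma license file and update Settings.json.
# $LicensePath and $LicenseDir are assumed values; adjust them for your environment.
param(
    [string]$LicensePath = "$HOME\Downloads\puma.license",   # assumed download location
    [string]$LicenseDir  = 'C:\Puma\Licenses'                # assumed custom license directory
)

# Default working directory of the scanner (from the installation steps)
$pumaDir      = Join-Path $env:APPDATA 'Microsoft\VisualStudio\Puma.Security.Rules'
$settingsPath = Join-Path $pumaDir 'Settings.json'

# Make sure both directories exist before copying anything into them
New-Item -ItemType Directory -Force -Path $pumaDir, $LicenseDir | Out-Null

# Copy the downloaded license into the custom directory
Copy-Item -Path $LicensePath -Destination $LicenseDir -Force

# Settings.json only exists after the scanner has run once; start from an empty object otherwise
if (Test-Path $settingsPath) {
    $settings = Get-Content -Raw -Path $settingsPath | ConvertFrom-Json
} else {
    $settings = [pscustomobject]@{}
}
if (-not $settings.GeneralSettings) {
    $settings | Add-Member -NotePropertyName GeneralSettings -NotePropertyValue ([pscustomobject]@{})
}

# Assign the path as a plain string; ConvertTo-Json emits it as "C:\\Puma\\Licenses",
# i.e. with every backslash escaped, which is the form the scanner requires.
$settings.GeneralSettings | Add-Member -NotePropertyName LicenseFileDirectory -NotePropertyValue $LicenseDir -Force
$settings | ConvertTo-Json -Depth 5 | Set-Content -Path $settingsPath -Encoding UTF8

# Verify: the stored value must deserialize back to the intended directory and contain a file
$check = (Get-Content -Raw -Path $settingsPath | ConvertFrom-Json).GeneralSettings.LicenseFileDirectory
if ($check -ne $LicenseDir) { throw "Settings.json does not point at $LicenseDir (got '$check')" }
if (-not (Get-ChildItem -Path $check -File)) { throw "No license file found in $check" }
Write-Host "License installed in $check; Settings.json updated at $settingsPath"
```

If you prefer the default location, run the script with $LicenseDir set to the Puma.Security.Rules directory; the verification step still confirms that the scanner will find a file where Settings.json says to look.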

4) Enable Full Solution Analysis

Figure 2: Enabling full solution analysis

Starting with Visual Studio 2015 Update 3, live code analysis in the IDE is disabled by default to improve performance. For the rules to execute against your code, do the following:

See Figure 2 for details.

5) Optional: Enable Additional File Analysis

The following XML snippet shows an example project file’s main “PropertyGroup” with the required “AdditionalFileItemNames” element adding all content files for analysis.

<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="12.0" DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Import Project="$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props" Condition="Exists('$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props')" />
  <PropertyGroup>
    <Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
    <Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>
    <ProductVersion></ProductVersion>
    <SchemaVersion>2.0</SchemaVersion>
    <ProjectGuid>{C4DAED55-B428-4A9E-9664-2FCB2EB39D4E}</ProjectGuid>
    <ProjectTypeGuids>{349c5851-65df-11da-9384-00065b846f21};{fae04ec0-301f-11d3-bf4b-00c04f79efbc}</ProjectTypeGuids>
    <OutputType>Library</OutputType>
    <AppDesignerFolder>Properties</AppDesignerFolder>
    <RootNamespace>MyAwesomeProject</RootNamespace>
    <AssemblyName>MyAwesomeProject</AssemblyName>
    <TargetFrameworkVersion>v4.5</TargetFrameworkVersion>
    <MvcBuildViews>false</MvcBuildViews>
    <UseIISExpress>true</UseIISExpress>
    <IISExpressSSLPort>44300</IISExpressSSLPort>
    <IISExpressAnonymousAuthentication />
    <IISExpressWindowsAuthentication />
    <IISExpressUseClassicPipelineMode />
    <!-- ADD THE FOLLOWING ADDITIONAL FILE NAMES ELEMENT -->
    <AdditionalFileItemNames>$(AdditionalFileItemNames);Content</AdditionalFileItemNames>
    <TargetFrameworkProfile />
  </PropertyGroup>

To enable Puma’s non-code file analyzers (e.g. configuration and view markup files), you must manually edit each project file (.csproj and .vbproj) and add a new “AdditionalFileItemNames” element to the project’s main “PropertyGroup”. See the associated code examples for details.

After enabling the non-code file analyzers, you will notice there are still some limitations for analysis in non-code files:

More details on this limitation, and the related ticket to treat non-code files as first-class citizens, can be found here: https://github.com/dotnet/roslyn/issues/11097
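Editing every .csproj and .vbproj by hand is error-prone on a large solution, so the following PowerShell script is offered as an added example (not part of the Puma Scan documentation or project). It walks a solution root, and for each legacy-format project file (the ToolsVersion/xmlns="http://schemas.microsoft.com/developer/msbuild/2003" format shown above) adds the AdditionalFileItemNames element to the first unconditional PropertyGroup, appending Content if the element already exists. The solution root path is an assumption; the script skips projects that already include Content, so it is safe to rerun.

```powershell
# Added example: enable additional (non-code) file analysis in every legacy-format
# project file under a solution. $SolutionRoot is an assumed path.
param([string]$SolutionRoot = 'C:\src\MyAwesomeProject')

# Namespace used by the non-SDK project format shown in the documentation snippet
$ns = 'http://schemas.microsoft.com/developer/msbuild/2003'

Get-ChildItem -Path $SolutionRoot -Recurse -Include *.csproj, *.vbproj | ForEach-Object {
    $path = $_.FullName
    [xml]$proj = Get-Content -Raw -Path $path

    # XPath queries need the MSBuild namespace registered under a prefix
    $nsm = New-Object System.Xml.XmlNamespaceManager($proj.NameTable)
    $nsm.AddNamespace('msb', $ns)

    # Skip projects that already pass Content items to the analyzers
    $existing = $proj.SelectSingleNode('//msb:PropertyGroup/msb:AdditionalFileItemNames', $nsm)
    if ($existing -and $existing.InnerText -match '(^|;)Content(;|$)') {
        Write-Host "Already enabled: $path"
        return   # inside ForEach-Object, return moves on to the next file
    }

    # The project's "main" PropertyGroup is the first one without a Condition attribute;
    # the Debug/Release groups that follow it are conditional.
    $group = $proj.SelectSingleNode('//msb:PropertyGroup[not(@Condition)]', $nsm)
    if (-not $group) {
        Write-Warning "No unconditional PropertyGroup in $path (SDK-style project?); skipping"
        return
    }

    if ($existing) {
        # Element exists but does not list Content yet: append it
        $existing.InnerText = $existing.InnerText + ';Content'
    } else {
        # Create the element in the MSBuild namespace so it is not written with an empty xmlns
        $el = $proj.CreateElement('AdditionalFileItemNames', $ns)
        $el.InnerText = '$(AdditionalFileItemNames);Content'
        $group.AppendChild($el) | Out-Null
    }

    $proj.Save($path)
    Write-Host "Enabled additional file analysis: $path"
}
```

Run it from a clean working tree and review the resulting diff before committing; the only change in each file should be the single AdditionalFileItemNames line. SDK-style projects without the 2003 namespace are reported and left untouched.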

6) Optional: Puma Prey Test Scan

Clone the puma-prey repository to test the Puma Scan rules.

git clone https://github.com/pumasecurity/puma-prey.git

Figure 3: Example Puma Scan warnings will display in the Error List window

To verify that your installation is successful, feel free to scan our Puma Prey vulnerable application. This source code contains a number of vulnerabilities that will cause Puma Scan analysis results to appear in the Error List window.
