
Puma Scan Installation Instructions

End User Edition licenses can be installed on up to three (3) workstations owned by a single named user.

Server Edition licenses can be installed on one (1) build server and activated on up to three (3) build agents.

The Community Edition is free and open source to help organizations of all sizes scan their code for security vulnerabilities.

END USER EDITION

Installation Guide

The Puma Scan End User Edition allows individual users to scan their .NET C# code for vulnerabilities inside of Visual Studio. Puma Scan's security analyzers are installed through a Visual Studio Extension, which is activated by purchasing a license file from the Puma Scan Portal. End User license files can be activated on up to three (3) workstations owned by a single user.

Step 1

Purchase & Download Your License File

  • Create an account (if you do not have one) in the Puma Scan Portal
  • Sign In to the Puma Scan Portal
  • Press the Buy Now button to purchase a Puma Scan Pro: End User License
  • Browse to the My Profile screen
  • Press the Licenses tab to view and download your license file

Step 2

Install Visual Studio Extension

  • In Visual Studio, open the Tools menu and select the Extensions and Updates… menu item.
  • In the Online > Visual Studio Marketplace, search for “Puma Scan” and download the Puma Scan Professional extension.



Step 3

Install License File

  • Create a new directory at the following location:

      %appdata%\Microsoft\VisualStudio\Puma.Security.Rules
    

    If you have run Puma Scan before, this directory may already exist. You can skip to the next step if this is the case.

  • Copy the Puma Scan license file downloaded in Step 1 above to the new Puma.Security.Rules directory.

Step 4

Enable Full Solution Analysis

Starting with Visual Studio 2015 Update 3, live code analysis in the IDE is disabled by default to improve performance. For the rules to execute against your code, do the following (see image below for details):

  • Open the Tools > Options dialog box
  • Choose Text Editor > C# > Advanced
  • Check the “Enable full solution analysis” option

Step 5

Optional: Enable Additional File Analysis

To enable Puma’s non-code file analyzers (e.g. configuration and view markup files), you must manually edit each project file (.csproj and .vbproj) and add a new “AdditionalFileItemNames” element to the project’s main “PropertyGroup”.

The following XML snippet shows an example project file’s main “PropertyGroup” with the required “AdditionalFileItemNames” element adding all content files for analysis.

<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="12.0" DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
   <Import Project="$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props" Condition="Exists('$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props')" />
   <PropertyGroup>
      <Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
      <Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>
      <!-- ... existing properties ... -->
      <!-- ADD THE FOLLOWING NEW ELEMENT -->
      <AdditionalFileItemNames>$(AdditionalFileItemNames);Content</AdditionalFileItemNames>
   </PropertyGroup>
   <!-- ... remainder of the project file ... -->
</Project>

You must do this for every project (.csproj, .vbproj) file in a solution.

After enabling the non-code file analyzers, you will notice there are still some limitations for analysis in non-code files:

  • Error list navigation (e.g. double clicking on the warning) to a non-code file is not supported. For now, Puma inserts the file path and offending line of code in the diagnostic message displayed in the error list.

  • Non-code files do not have the same “spellcheck” support as code files. (e.g. no light bulbs, squiggles, or code fix suggestions)

  • Rule suppression for non-code warnings is not yet supported (coming in Q3 2018)

  • More details on this limitation and related ticket to treat non-code files as first class citizens can be found here: https://github.com/dotnet/roslyn/issues/11097

Step 6

Optional: Puma Prey Test Scan

To verify your installation is successful, feel free to scan our Puma Prey vulnerable application. This source code contains a number of vulnerabilities that will cause Puma Scan analysis results to appear in the Error List Window.

  • Clone the puma-prey repository to your local development machine, as shown in the following git clone command:

      git clone https://github.com/pumasecurity/puma-prey.git
    
  • In Visual Studio, open the PumaPrey.sln file.

  • Wait a few moments for Puma Scan to display vulnerabilities in the Error List window. See image for an example.

Step 7

Optional: Puma Scan Custom Configuration

After Puma Scan successfully runs for the first time, the Puma.Security.Rules directory will contain a Settings.json file. The Settings.json file contains all of the configuration options for controlling how Puma Scan runs. See the Configuration Guide for details on configuring Puma Scan.

You must restart Visual Studio after modifying the Settings.json file for configuration changes to take effect.

SERVER EDITION

Installation Guide

The Puma Scan Server Edition allows development teams to scan their .NET C# code for vulnerabilities in their build pipelines. Puma Scan's security analyzers are installed on the build server, which is activated by purchasing a server edition license file from the Puma Scan Portal. Server Edition license files can be activated on up to three (3) build agents. Additional build agents can be purchased in packages of three (3) to meet your needs.

Step 1

Purchase and Download Your License File

  • Create an account (if you do not have one) in the Puma Scan Portal
  • Sign In to the Puma Scan Portal
  • Press the Buy Now button to purchase a Puma Scan Pro: Server License
  • Browse to the My Profile screen
  • Press the Licenses tab to view and download your license file

Step 2

Download Installer Package

  • Sign In to the Puma Scan Portal
  • Browse to the My Profile screen
  • Press the Downloads tab to view and download the latest installer version

Step 3

Build Agent Prerequisites

The Puma Scan Server Edition currently only supports Windows build agents. The installer will automatically install the following packages during installation if they do not exist:

  • .NET Framework 4.7.1

The installer will prompt the user to manually install the following packages and the server edition will not run correctly until the packages exist:

  • Build Tools for Visual Studio 2017

    • To install the Build Tools, browse to the Downloads For Visual Studio screen.

    • In the All Downloads list, locate the Build Tools for Visual Studio 2017 item and press the download button.

    • Run the Build Tools installer, making sure to enable the Workloads: .NET Core Build Tools and Individual Components: NuGet Targets and Build Tasks options (see screenshots below)

      Enabling the Workloads: .NET Core Build Tools option



      Enabling the Individual Components: NuGet Targets and Build Tasks option

Step 4

Run Installer Package

  • Browse to the Downloads directory and run the PumaScanPro_ServerEdition_X.Y.Z.exe installation package.

Step 5

Complete The Installation Wizard

  • To install Puma Scan Professional, you are required to accept the End User License Agreement (EULA). You can view the full EULA here
  • The installer defaults to C:\Program Files (x86)\Puma Security\Puma Scan Pro for the installation directory. To avoid permissions problems and path errors when invoking the analyzers from the command line, we recommend installing the Puma Scan Server Edition into the tools directory used by your build agent. Avoid using whitespace in the directory name. For example, a recommended install path for TFS users would be C:\TfsBuildAgent\externals\puma-scan-pro\



  • During the installation wizard, you will need to select the directory containing the Puma Scan Pro Server license file downloaded in Step 1. The installer defaults to the current user’s Downloads folder. If you moved your license to a different location, you will need to choose the alternate location.
  • To start the installation, double click the PumaScanPro_ServerEdition_X.Y.Z.exe file
  • Complete the installation wizard and ensure no errors occur during the install

COMMUNITY EDITION

Installation Guide

The Puma Scan Community Edition is a free, open source security scanner for .NET C# code. We encourage you to start by exploring the GitHub Repository. Feel free to fork, customize, and contribute rules that you would like to share with the development community. Please report all issues using the GitHub project and our team will respond as time allows.

Step 1

Install Puma Scan Community Extension

  • In Visual Studio, open the Tools menu and select the Extensions and Updates… menu item.
  • In the Online > Visual Studio Marketplace, search for “Puma Scan” and download the free community extension.



Step 2

Enable Full Solution Analysis

Starting with Visual Studio 2015 Update 3, live code analysis in the IDE is disabled by default to improve performance. For the rules to execute against your code, do the following (see image below for details):

  • Open the Tools > Options dialog box
  • Choose Text Editor > C# > Advanced
  • Check the “Enable full solution analysis” option

Step 3

Optional: Enable Additional File Analysis

To enable Puma’s non-code file analyzers (e.g. configuration and view markup files), you must manually edit each project file (.csproj and .vbproj) and add a new “AdditionalFileItemNames” element to the project’s main “PropertyGroup”.

The following XML snippet shows an example project file’s main “PropertyGroup” with the required “AdditionalFileItemNames” element adding all content files for analysis.

<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="12.0" DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
   <Import Project="$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props" Condition="Exists('$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props')" />
   <PropertyGroup>
      <Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
      <Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>
      <!-- ... existing properties ... -->
      <!-- ADD THE FOLLOWING NEW ELEMENT -->
      <AdditionalFileItemNames>$(AdditionalFileItemNames);Content</AdditionalFileItemNames>
   </PropertyGroup>
   <!-- ... remainder of the project file ... -->
</Project>

You must do this for every project (.csproj, .vbproj) file in a solution.
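
Because a project that lacks this element is silently skipped by the non-code analyzers, the per-project edit in this step (and in Step 5 of the End User Edition guide) is worth checking across the whole solution. The following PowerShell is an added example, not part of Puma Scan: the SolutionDir and Fix parameters are names chosen here, and it assumes the project's main PropertyGroup is the first one without a Condition attribute.

```powershell
# Added example, not Puma Scan code. Reports (or, with -Fix, patches) project
# files that do not pass their Content items to the analyzers.
# Assumption: -SolutionDir and -Fix are parameter names chosen for this example.
param(
    [string]$SolutionDir = '.',
    [switch]$Fix
)

$elementName = 'AdditionalFileItemNames'
$value       = '$(AdditionalFileItemNames);Content'   # literal MSBuild text, not expanded
$groupXPath  = '/*[local-name()="Project"]/*[local-name()="PropertyGroup"][not(@Condition)]'
$missing     = @()

$projects = Get-ChildItem -Path $SolutionDir -Recurse -File -Include *.csproj, *.vbproj
foreach ($file in $projects) {
    $doc = New-Object System.Xml.XmlDocument
    $doc.PreserveWhitespace = $true        # leave the rest of the file untouched
    $doc.Load($file.FullName)

    # local-name() matches with or without the MSBuild 2003 namespace.
    $configured = $doc.SelectNodes("//*[local-name()='$elementName']") |
        Where-Object { ($_.InnerText -split ';').Trim() -contains 'Content' }
    if ($configured) { continue }

    $missing += $file.FullName
    if (-not $Fix) { continue }

    # Assumption: "main" PropertyGroup = first one under Project with no Condition.
    $group = $doc.SelectSingleNode($groupXPath)
    if ($null -eq $group) {
        Write-Warning "No unconditional PropertyGroup in $($file.FullName); edit it by hand."
        continue
    }

    $node = $doc.CreateElement($elementName, $doc.DocumentElement.NamespaceURI)
    $node.InnerText = $value
    [void]$group.AppendChild($node)
    $doc.Save($file.FullName)
    Write-Host "Patched $($file.FullName)"
}

if (-not $Fix -and $missing.Count -gt 0) {
    Write-Host "Projects without Content in ${elementName}:"
    $missing | ForEach-Object { Write-Host "  $_" }
    exit 1    # non-zero exit lets a build step fail on incomplete coverage
}
```

Run it without -Fix to get a report and a failing exit code; review the resulting diff in source control after running with -Fix.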

After enabling the non-code file analyzers, you will notice there are still some limitations for analysis in non-code files:

  • Error list navigation (e.g. double clicking on the warning) to a non-code file is not supported. For now, Puma inserts the file path and offending line of code in the diagnostic message displayed in the error list.

  • Non-code files do not have the same “spellcheck” support as code files. (e.g. no light bulbs, squiggles, or code fix suggestions)

  • Rule suppression is not yet supported

  • More details on this limitation and related ticket to treat non-code files as first class citizens can be found here: https://github.com/dotnet/roslyn/issues/11097

Step 4

Optional: Puma Prey Test Scan

To verify your installation is successful, feel free to scan our Puma Prey vulnerable application. This source code contains a number of vulnerabilities that will cause Puma Scan analysis results to appear in the Error List Window.

  • Clone the puma-prey repository to your local development machine, as shown in the following git clone command:

      git clone https://github.com/pumasecurity/puma-prey.git
    
  • In Visual Studio, open the PumaPrey.sln file.

  • Wait a few moments for Puma Scan to display vulnerabilities in the Error List window. See image for an example.


Contact Us

650 S Prairie View Dr.
Suite 125, #151
West Des Moines, IA 50266
Technical or Installation Questions
support [at] pumascan [dot] com
More information or to get a quote
sales [at] pumascan [dot] com