The 0.8 through 0.9 series transformed Puma Scan from a Visual Studio-only beta into a multi-platform scanning solution with .NET Core support, an Azure DevOps extension, advanced taint analysis, and CWE-mapped reporting.
Version 0.8.0 (September 2018)
Major update upgrading to .NET Compiler API v2.9 with official .NET Core support.
- Official .NET Core code analysis support
- First release dropping Visual Studio 2015 support (requires VS 15.8+)
- New PumaScan menu in Visual Studio for Report and About features
- Server Edition now supports .NET Standard and .NET Core project files
- New tainted sources for Microsoft.AspNetCore.Mvc and Microsoft.AspNetCore.Http libraries
- New cleanse methods for System.Text.Encodings.Web and Microsoft.AspNetCore.Mvc
- Fixed data flow engine bug with foreach loop context
Version 0.8.1 (October 2018)
- Data flow analysis performance improvements
- Streamlined HTTPS calls to the licensing server
- Server Edition: ChangeDefaultPlatform.ps1 script for syncing solution and project platforms
Version 0.9.0.1 (December 2018)
Introduced the Azure DevOps extension and application-specific configuration.
- Azure DevOps marketplace extension launched
- New .pumafile for application-specific scanner configuration per repository
- False positive suppression via .pumafile Exceptions block
- Artifacts relocated to %appdata%\PumaSecurity\PumaScan directory
- Server Edition now supports scanning individual .csproj files
Version 0.9.1.0 (January 2019)
Version 0.9.2.0 (April 2019)
Major data flow / taint analysis engine improvements.
Versions 0.9.2.1 - 0.9.2.3 (May 2019)
- New rule: SEC0120 - Missing Authorize Attribute
- Enhanced report output with passing rules, scanner config, disabled rules, and false positives
- Fixed async/await data flow handling
- Fixed race condition when reading .pumafile settings
- Fixed Authorize analyzer performance issue
- Server Edition: command line switch for overriding license file directory
Version 0.9.4 (October 2019)
- Server and Azure DevOps editions upgraded to support Build Tools for Visual Studio 2019
- .NET Framework v4.7.2 now required
Version 0.9.5 (November 2019)
Version 0.9.6 (January 2020)
Version 0.9.7 (March 2020)
CWE mapping and enhanced reporting.
- All rules mapped to Common Weakness Enumeration (CWE) IDs
- JSON report schema upgraded from v1.0 to v1.1 with CWE, remediation, code examples, and references
- HTML reports include CWE Summary page
- New CSV export format
- Breaking change: JSON v1.0 schema parsers need updating for v1.1
Version 0.9.8 (April - May 2020)
- Rebuilt analyzer assemblies to target NETStandard 2.0
- SEC0107 - SQL Injection: ADO.NET data flow enhancement
- Server Edition: new –system-identification switch for offline license activation
- Azure DevOps: Unlimited scanning in a single organization
- SEC0019 and SEC0120: fixed false positives from inherited controller attributes
Version 0.9.9 (May 2020)
- New Dataflow Analysis Engine v2.0 available (opt-in)
- Visual Studio menu item for pausing and resuming analyzers
- Fixed report generation exception for warnings with missing source project
