
Professional Edition 0.9.6 (January 2020)

Professional Edition 0.9.6 Release Notes

Puma Scan’s 0.9.6 release is an update for the Puma Scan End User, Server, and Azure DevOps Editions.

System Requirements

  • End User Edition requires Visual Studio v15.9 or higher.

  • Server Edition requires a Windows Server with the following:

    • .NET Framework v4.7.2

    • The Build Tools for Visual Studio 2017 and 2019 are both supported. Ensure you have at least one of the following installed:

      • Build Tools 2017 version 15.8 or higher

      • Build Tools 2019 version 16.4 or higher

  • Azure DevOps Edition requires a hosted Azure Build Pipeline using the vs2017-win2016 or windows-2019 build agent.

Framework Enhancements

  • New Rule: SEC0038 - Directory Listing Enabled detects web applications with directory browsing enabled.

  • Rule Enhancement: SEC0107 - SQL Injection: ADO.NET now supports configurable custom sinks in the scan configuration. For example, the following configuration raises an issue when the IBM.Data.DB2.DB2Command object creation expression (i.e. constructor) is invoked with tainted data in the first argument:

      "CustomSinks": [
        {
          "RuleIds": [ "SEC0107" ],
          "Flag": "Database",
          "Syntax": "ObjectCreationExpressionSyntax",
          "Namespace": "IBM.Data.DB2",
          "Type": "DB2Command",
          "Arguments": [
              0
          ]
        }
      ]

  • Rule Enhancement: SEC0104 - Unencoded WebForms Property now supports configurable custom sinks in the scan configuration. For example, the following configuration raises an issue when the Telerik.Web.UI.RadLabel.Text property is set with tainted data:

      "CustomSinks": [
        {
          "RuleIds": [ "SEC0104" ],
          "Flag": "Database",
          "Syntax": "MemberAccessExpressionSyntax",
          "Namespace": "Telerik.Web.UI",
          "Type": "RadLabel",
          "Property": "Text",
          "Method": "set"
        }
      ]

  • Rule Enhancement: SEC0131 - Hard-Coded Secret now also finds hard-coded secrets passed in object creation expressions (constructor arguments) and in assignment expressions.
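The following C# is an added example, not code from these release notes or from Puma Scan, showing the two tainted flows that the SEC0107 and SEC0104 custom sinks above describe, each beside a hardened form. It assumes a WebForms code-behind that references IBM.Data.DB2 and Telerik.Web.UI; the page class, the lblGreeting control, the GetConnection helper, the "Db2" connection string name, the CUSTOMERS table, and the use of @-prefixed named parameters with the DB2 provider are all assumptions made for the illustration.

```csharp
// Added example (not Puma Scan's code). Hypothetical WebForms code-behind
// showing the flows the custom sinks are configured to catch and their fixes.
using System;
using System.Configuration;
using System.Web;
using System.Web.UI;
using IBM.Data.DB2;
using Telerik.Web.UI;

public partial class CustomerPage : Page
{
    // Normally declared by the designer file for
    // <telerik:RadLabel ID="lblGreeting" runat="server" /> (assumed control).
    protected RadLabel lblGreeting;

    // Assumed helper; the connection string name "Db2" is hypothetical.
    private static DB2Connection GetConnection() =>
        new DB2Connection(ConfigurationManager.ConnectionStrings["Db2"].ConnectionString);

    // Vulnerable: the query string value is concatenated into argument 0 of
    // the DB2Command constructor (ObjectCreationExpressionSyntax), which the
    // SEC0107 custom sink flags. The database result is then written to
    // RadLabel.Text without encoding, the flow the SEC0104 custom sink flags.
    protected void LoadCustomer_Vulnerable()
    {
        string id = Request.QueryString["id"];                 // attacker-controlled
        using (var conn = GetConnection())
        using (var cmd = new DB2Command(
            "SELECT NAME FROM CUSTOMERS WHERE ID = " + id, conn))  // SQL injection
        {
            conn.Open();
            object name = cmd.ExecuteScalar();
            lblGreeting.Text = "Hello, " + name;               // unencoded output
        }
    }

    // Hardened: the command text is a constant, the untrusted value travels as
    // a typed parameter, and the database value is HTML-encoded before it
    // reaches the control.
    protected void LoadCustomer_Fixed()
    {
        if (!int.TryParse(Request.QueryString["id"], out int id))
        {
            lblGreeting.Text = "Invalid customer id.";
            return;
        }

        using (var conn = GetConnection())
        using (var cmd = new DB2Command(
            "SELECT NAME FROM CUSTOMERS WHERE ID = @id", conn))   // constant text
        {
            cmd.Parameters.Add(new DB2Parameter("@id", id));      // bound value
            conn.Open();
            string name = Convert.ToString(cmd.ExecuteScalar());
            lblGreeting.Text = "Hello, " + HttpUtility.HtmlEncode(name);
        }
    }
}
```

The first method contains exactly the two expressions the configurations target: a `new DB2Command(...)` whose first argument is built from request data, and a `set` on `RadLabel.Text` fed from the query result. In the hardened method the constructor still receives a string, but it is a literal with a parameter marker, so no tainted data reaches argument 0, and the encoded value written to `Text` is no longer a raw database-sourced string.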

End User Edition

  • Bug fix: Corrected an issue causing intermittent exceptions when generating vulnerability reports.

Server Edition

This is a breaking update for the Server Edition if you are targeting the Build Tools for Visual Studio 2019. Upgrading to Server Edition v0.9.6 requires that you run at least version 16.4 of the 2019 Build Tools.

  • Bug fix: Upgraded the MSBuild v16 library from 16.0 to 16.4 to correct a GetPathsOfAllDirectoriesAbove exception being thrown on the latest version of the Build Tools for Visual Studio 2019 (16.4+).

Azure DevOps Edition

  • Bug fix: Corrected a file path parsing error causing reports to show incorrect file paths.

  • Bug fix: Upgraded the MSBuild v16 library from 16.0 to 16.4 to correct a GetPathsOfAllDirectoriesAbove exception being thrown on the latest version of the windows-2019 build agent.