|
| 1 | +--- |
| 2 | +title: Microsoft Security Code Analysis releases |
| 3 | +description: This article describes upcoming releases for the Microsoft Security Code Analysis extension |
| 4 | +author: sukhans |
| 5 | +manager: sukhans |
| 6 | +ms.author: terrylan |
| 7 | +ms.date: 04/14/2020 |
| 8 | +ms.topic: article |
| 9 | +ms.service: security |
| 10 | +services: azure |
| 11 | + |
| 12 | +ms.assetid: 521180dc-2cc9-43f1-ae87-2701de7ca6b8 |
| 13 | +ms.devlang: na |
| 14 | +ms.tgt_pltfrm: na |
| 15 | +ms.workload: na |
| 16 | +--- |
| 17 | + |
| 18 | +# Microsoft Security Code Analysis releases and roadmap |
| 19 | + |
| 20 | +Microsoft Security Code Analysis team in partnership with Developer Support is proud to announce recent and upcoming enhancements to our MSCA extension. Please see Roadmap below. |
| 21 | + |
| 22 | + |
| 23 | + |
| 24 | +## Credential Scanner v2.0: Released on April 1, 2020 |
| 25 | + |
| 26 | +### Innovations & Improvements |
| 27 | + |
| 28 | +- **Core Engine** |
| 29 | + |
| 30 | + - Average performance upgrade of 25% with near linear run times |
| 31 | + - Context/evidence based searching and ranking for increased accuracy |
| 32 | + - Improvements to general password detections and matching logic for obvious placeholders (for example, fakePassword) |
| 33 | + |
| 34 | +- **Coverage** - Support for 25+ secret types including the following top requested: |
| 35 | + |
| 36 | + - Fabric account certificate Passphrase |
| 37 | + - Client Secret/API Key |
| 38 | + - HTTP authorization header |
| 39 | + - Amazon S3 Client Secret Access Key |
| 40 | + - Azure Active Directory Client Access Token |
| 41 | + - Azure Function Master/API Key |
| 42 | + - Power BI Access Key |
| 43 | + - Azure Resource Manager template password pattern |
| 44 | + |
| 45 | +- **Outputs** |
| 46 | + |
| 47 | + - Support for SARIF 2.1 and CSV file output file formats |
| 48 | + |
| 49 | +## BinSkim v1.6.0: To be released on April 2020 |
| 50 | + |
| 51 | +### Improvements |
| 52 | + |
| 53 | +- FEATURE: Update to final SARIF v2 (version 2.1.16). This enables results caching when passing --hashes on the command-line, a significant performance improvement when recursively analyzing directories with multiple copies of scan targets. |
| 54 | +- BUG FIX: Fix typo in BA2021.DoNotMarkWritableSectionsAsExecutable output. |
| 55 | +- PERFORMANCE: Eliminate PDB loading for all non-mixed-mode for managed assemblies, including IL Library (ahead of time compiled) binaries. |
| 56 | +- FALSE NEGATIVE FIX: Verify that a PDB placed alongside a binary actually matches the binary under analysis |
| 57 | +- FEATURE: Provide --local-symbol-directories argument to specify additional (local, non-symbol-server) PDB look-up locations |
| 58 | +- FALSE POSITIVE FIX: Skip PDB-driven analysis for the generated .NET core native bootstrap exe (which is not user-controllable code). |
| 59 | + |
| 60 | +## What's next in FY20? |
| 61 | + |
| 62 | +- Java Security Analysis tool |
| 63 | +- Python Security Analysis tool |
| 64 | +- ES Lint to replace TS Lint for TypeScript and JavaScript |
| 65 | + |
| 66 | +## Next steps |
| 67 | + |
| 68 | +For instructions on how to onboard and install Microsoft Security Code Analysis, refer to our [Onboarding and installation guide](security-code-analysis-onboard.md). |
| 69 | + |
| 70 | +If you have more questions about the extension and the tools offered, check out our [FAQ page](security-code-analysis-faq.md). |
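Review bot: The intro on line 20 tells readers to "see Roadmap below", but no heading in this file is called Roadmap; the forward-looking section is "What's next in FY20?" on line 60, so either rename that heading or point at it by name. On the same line, "MSCA" is used without being defined, and the sentence should open with "The Microsoft Security Code Analysis team". The BinSkim heading on line 49 reads "To be released on April 2020" while the front matter carries ms.date 04/14/2020; use "in April 2020" and plan an update once it ships, since the description on line 3 also says "upcoming releases" although Credential Scanner v2.0 is already listed as released. The command-line options on lines 53 and 57 (--hashes, --local-symbol-directories) should be wrapped in backticks so that Markdown renderers do not turn the double hyphen into a dash and break copy-paste. Line 47 says "SARIF 2.1" and line 53 says "final SARIF v2 (version 2.1.16)"; state what 2.1.16 refers to so the two lines do not read as inconsistent. Smaller wording fixes: "CSV file output file formats" on line 47 repeats "file", "for all non-mixed-mode for managed assemblies" on line 55 repeats "for", line 56 lacks the closing period the neighbouring bullets have, and "ES Lint"/"TS Lint" on line 64 are normally written ESLint and TSLint. Also confirm that author and manager are both meant to be sukhans while ms.author is terrylan.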