Parasoft dotTEST extension for Visual Studio Code
The dotTEST extension for Visual Studio Code provides integration with the static analysis capabilities of Parasoft dotTEST. It allows you to analyze your code and review the results directly in Visual Studio Code.
The extension requires Parasoft dotTEST to be installed and licensed.
Features
- Find bugs in your code to comply with coding best practices and security standards, such as CWE Top 25, OWASP Top 10, PCI DSS, and more.
- Run static code analysis on your workspace, a project or solution, or a single source file.
- Review analysis results in the Problems view and the code editor.
- Suppress unwanted findings.
- Load analysis results directly from external report files, such as CI execution reports.
Requirements
Before you test your code with the dotTEST extension, you need to download, install, and license Parasoft dotTEST. For download and licensing information, or to get a free trial of Parasoft dotTEST, please contact us at info@parasoft.com or via our website.
The dotTEST extension requires source code to be compiled before running static analysis.
Getting Started
- Ensure that Parasoft dotTEST is installed and licensed.
See Installing and licensing dotTEST.
- Open a folder in Visual Studio Code.
To become familiar with the capabilities of the extension, you can use the BankExample folder shipped with Parasoft dotTEST. The folder is available in the location you selected when deploying dotTEST examples; see Deploying Examples.
- Open the Command Palette and choose dotTEST: Quick Start or click dotTEST on the status bar at the bottom.
The Quick Start menu offers easy access to the basic configuration options.
- Choose Select dotTEST installation... and select the location where Parasoft dotTEST is installed.
- Choose Select test configuration... and select a test configuration you want to use.
A test configuration is a set of static analysis rules designed to cover a security standard or best coding practices.
By default, the 'Recommended Rules' built-in test configuration is configured. See Built-in test Configurations for information about available test configurations.
- Choose Analyze project... to run static analysis on the project you opened.
- Review the results in the Problems view and the code editor.
You can open the rule documentation to learn more about the problem. See Viewing rule documentation.
Working with the dotTEST Extension
Building Solutions and Projects
Before you run static analysis with the dotTEST extension, the source code you want to analyze must be compiled into binaries. By default, the dotTEST extension assumes that your solution or project is built with the solution or project configuration set to Debug and the target platform set to Any CPU. If your source code was built with these options set to values other than the defaults, you need to manually specify the configuration and the target platform of your solution or project:
- Open Extension settings.
- Modify the command line pattern for running dotTEST by adding the following options:
-solutionConfig [solution configuration] or -projectConfig [project configuration]
-targetPlatform [target platform for your solution or project]
Running Static Analysis
Analyzing a project
To analyze all source files in a project, choose dotTEST: Analyze project from the Command Palette.
Analyzing selected files
To analyze selected files, right-click the file(s) you want to analyze in the Explorer view and choose dotTEST: Analyze Selected File(s) from the menu.
Analyzing the active file
To analyze the file you are working on in the editor, click the dotTEST: Analyze Active File icon in the upper right corner of Visual Studio Code or right-click anywhere in the code and choose dotTEST: Analyze Active File from the menu.
To cancel the analysis before it completes, choose dotTEST: Cancel Running Analysis from the Command Palette or click Running dotTEST... in the status bar at the bottom and confirm when prompted.
By default, the open editors are automatically saved before analysis. To disable automatic file saving, go to Extensions > dotTEST > Extension Settings > Save Before Run.
Suppressing Violations
You can suppress a violation to prevent it from being reported in subsequent analysis runs.
- Right-click a violation in the Problems view.
- Enter the reason for suppression when prompted.
- Choose where you want to store the suppression. The following options are available:
  - Use suppression file: The suppression will be added to a parasoft.suppress file in the same directory where the source file is located.
  - Use in-code suppressions: The suppression will be added as a comment in the source file.
Alternatively, you can hover over a violation in the code editor to open the Quick Fix... menu and choose Suppress violation for [rule_ID] from the menu.
You can configure the dotTEST extension to always store suppressions either in code or in suppression files, without prompting you to choose. Go to Extensions > dotTEST > Extension Settings > Suppression Type to configure your preference.
See Suppressing the Reporting of Findings to find out more about suppressing static analysis violations reported by dotTEST.
Explaining Violations Using AI
You can use the Parasoft AI assistant to explain static analysis violations and receive suggestions for fixing them. The assistant is integrated with GitHub Copilot Chat.
Requirements:
To use this feature, ensure that you have the following installed:
- Complete Parasoft dotTEST Installation, including HTML rules documentation and a valid license for LLM Integration. For more information, refer to Installing and Licensing dotTEST.
- GitHub Copilot Chat Extension for Visual Studio Code (github.copilot-chat)
- Microsoft C# Extension for Visual Studio Code (ms-dotnettools.csharp)
- Visual Studio Code version 1.92.0 or later
How to Use:
Option 1: From the Problems View
- Right-click on a violation in the Problems view.
- Select Explain violation of [rule_ID].
The explanation will be displayed in the Chat View.
Option 2: From the Code Editor
- Hover over the code that contains the violation to bring up the Quick Fix... menu.
- Select Explain violation of [rule_ID] from the list of available options.
The explanation will be displayed in the Chat View.
Option 3: Using the Chat View
You can also invoke the explain command directly from the Chat View. Use the following pattern:
@dottest /explain rule_ID file.ext:startLine:startColumn
AI Guidance Disclaimer
This extension includes features that allow you to interact with an AI model using GitHub Copilot Chat to assist in code development. While the AI aims to provide helpful and accurate suggestions, AI-generated answers can sometimes be incorrect or incomplete. Always verify the AI-generated code, recommendations, or explanations before applying them to your project to ensure they meet your requirements and standards.
Additionally, be aware that your organization may control or limit certain features of GitHub Copilot Chat. Depending on your organization's policies, responses from the AI may be filtered or restricted based on content or compliance requirements. Ensure you are familiar with your organization's policies on AI usage and data handling.
Mapping Violation Severity
By default, all dotTEST violations are presented in the Problems View as Warnings. You can map dotTEST severity levels (1-5) to Visual Studio Code severity levels (Error/Warning/Information/Hint). Go to Extensions > dotTEST > Extension Settings > Severity Mapping to configure your mapping. Be sure to restart Visual Studio Code to apply the changes.
Removing Violations from the Problems View
Viewing Rule Documentation
You can find out more about a reported problem in the documentation for the static analysis rule that was violated. Select a violation in the Problems view or the code editor and choose Show documentation for [rule_ID] from the Quick Fix menu.
Importing Results from a Local File or URL
You can import analysis results to Visual Studio Code from external XML report files or ZIP archives generated by dotTEST during analysis (report.xml, coverage.xml, artifacts.zip). This may be particularly useful for importing dotTEST static analysis or coverage results generated by CI pipelines.
You can choose the following options from the Command Palette to import results:
- Choose dotTEST: Import Results From... > File and navigate to a local file.
- Choose dotTEST: Import Results From... > URL and enter the URL of a file. You can provide an HTTP or HTTPS URL that does not require authentication.
The imported findings are added to the current list of problems in the Problems view.
The imported coverage results are added to the documents.
Choose dotTEST: Show Coverage... to change the coverage type or None to remove coverage markers.
Importing Results from DTP
If your organization uses Parasoft DTP in the development testing workflow, you can import analysis results to Visual Studio Code directly from DTP.
First import:
- Choose dotTEST: Import Results from... > DTP from the Command Palette.
- Enter the full address of your DTP. Examples: dtp.acme.com, dtp.acme.com:8443, https://dtp.acme.com:443/deployment/root.
- Enter your DTP user name.
- Enter your password. The password is not stored on disk and needs to be re-entered after restarting Visual Studio Code.
- Select a filter. Filters are identifiers used in DTP for organizing data; see the DTP User Guide for details.
The import will begin immediately.
Subsequent imports:
- Choose dotTEST: Import Results from... > DTP from the Command Palette.
- Choose one of the following options:
  - Import results using previous settings immediately starts the import using the data you configured for the previous import.
  - Update settings... allows you to update the data for import (DTP host name, user name, password, filter).
If you want to delete the previously entered credentials, choose dotTest: Clear Saved Credentials... > DTP.
The imported results are added to the current list of problems in the Problems view.
Importing Results from GitHub, GitLab and Azure DevOps
You can import analysis/coverage results from GitHub, GitLab and Azure DevOps if the workflow for your GitHub project, or the pipeline for your GitLab or Azure DevOps project, is customized to run dotTEST.
To import results from GitHub:
- Choose dotTEST: Import Results from... > GitHub from the Command Palette.
- Sign in to your GitHub account when prompted by Visual Studio Code. The prompt will not appear if you've already signed in.
To import results from GitLab:
- Choose dotTEST: Import Results from... > GitLab from the Command Palette.
- Enter the host and token associated with your GitLab account. The prompt will not appear if you've already entered this information.
- If you want to delete the previously entered credentials, choose dotTest: Clear Saved Credentials... > GitLab.
To import results from Azure DevOps:
- Choose dotTEST: Import Results from... > Azure DevOps from the Command Palette.
- Install the Azure Account extension when prompted and sign in to your Azure DevOps account. The prompts will not appear if the extension is already installed and you're signed in.
The import will begin immediately if the artifact that contains the report.xml, coverage.xml or coverage.index file with analysis results is automatically detected. Otherwise, you will be asked to enter additional information to specify the report/coverage file from which you want to import results. Depending on your GitHub/GitLab/Azure DevOps account, you may need to specify the repository and branch where the results are stored, the workflow/pipeline that generates the artifact with results, the name of the artifact, and the report file.
Clearing saved credentials
To clear all previously saved credentials:
Choose dotTest: Clear Saved Credentials... > All from the Command Palette.
About Parasoft dotTEST
Parasoft dotTEST uses a comprehensive set of static analysis techniques, including pattern-based analysis, dataflow analysis, metrics, and more, to help you verify code quality and ensure compliance with security standards.
Installing and Licensing dotTEST
If you do not have Parasoft dotTEST installed, request a download link and a Parasoft license at our website. dotTEST is distributed as an installation package.
To install and license Parasoft dotTEST:
- Install Parasoft dotTEST to a desired location.
- If you install dotTEST with an installation executable, run parasoft_dottest_[version].exe and follow the installation wizard.
- If you install dotTEST from a ZIP distribution, extract the dotTEST installation package to the desired location; then install the .NET Framework and VC++ Redistributable Packages (x64 and x86) shipped in the [INSTALL_DIR]\bin\prerequisites directory.
- Open the dottestcli.properties configuration file in the installation directory.
- Configure the following settings to use a local license:
- dottest.license.use_network=false
- dottest.license.local.password=[the password you received from Parasoft]
For information about a network license and other details, see Setting the Parasoft License.
Customizing Parasoft dotTEST
You can customize Parasoft dotTEST by configuring the settings in the dottestcli.properties file shipped in the installation directory.
Alternatively, you can use the dottestcli.properties file in your working directory to configure project-specific dotTEST settings:
- Open the Command Palette and choose dotTEST: Quick Start or click dotTEST on the status bar at the bottom.
- Choose Add local configuration file. This will copy the dottestcli.properties file from the installation directory to the working directory of your solution or project (for projects without a solution file) and open the file in the Visual Studio Code editor.
- Modify project-specific configuration settings.
You can reopen the file by choosing Open local configuration file from the Quick Start menu.
See Parasoft dotTEST Configuration Settings for the list of available settings.
References
Data and Telemetry
Please help us improve Parasoft products by sending us usage data. The data will be used to improve the product’s user experience. You can change this setting at any time - this extension respects the telemetry.enableTelemetry and telemetry.telemetryLevel settings, which you can learn more about at https://code.visualstudio.com/docs/supporting/faq#_how-to-disable-telemetry-reporting.
Parasoft will not collect any personally identifiable information that could potentially identify a specific individual. See Parasoft Privacy Policy to learn more.
About
dotTEST for Visual Studio Code - Copyright (C) 2024 Parasoft Corporation
Version: 2024.2.0 (10.7.1), Build: 20241028B508, Commit: 4e58a4f5d6b1a3da92aacaa073640f04d30b070f, Branch: master