What is CAT.NET and why should I use it?

This article explains how to integrate CAT.NET.

CAT.NET is a binary code analysis tool that helps identify common variants of certain prevailing vulnerabilities that can give rise to common attack vectors such as Cross-Site Scripting (XSS), SQL Injection, and XPath Injection.

CAT.NET can be integrated as a 3rd-party analyzer in SPCAF.

Even though Microsoft discontinued the development of CAT.NET in 2009, it is still a valid and helpful tool for analyzing SharePoint projects. Unfortunately, the performance of CAT.NET analysis is very poor, so we recommend running it in, for example, a team build, where the delay has minimal impact on the developer's productivity.

The 2.0 CTP of CAT.NET can be downloaded from Microsoft Connect:

Troubleshooting issues with CAT.NET with SPCAF

There can be several reasons why CAT.NET may not be recognized by SPCAF. Below are the main causes, each with a brief explanation and what is required to remedy the problem:

  • Features for SPCAF may not have been installed.
    • During the installation of SPCAF, it is possible to disable the installation of the CAT.NET integration. Check whether "SPCAF.integration.CATNET.dll" exists in the SPCAF installation directory.
  • Features are installed but disabled in a ruleset.
    • SPCAF can run with rulesets and it is possible that features are disabled in these rulesets. Make sure that the feature is enabled in the ruleset you are using.
  • CAT.NET.exe cannot be found.
    • SPCAF looks for CAT.NET.exe in the default installation directory. If CAT.NET was installed in an alternative location, you will need to use the settings editor to set the full path to the .exe.
