Visual Studio Toolbox
18 New Tools and Extensions for Visual Studio
- By Terrence Dorsey
It's been too long since I've done a general-purpose round-up of new Visual Studio extensions -- almost eight months since Rounding Up the Newest Extensions for Visual Studio 2017. As always happens when I dive back into the extensions pool, there's an amazing variety of new, incredibly useful tools for your favorite development environment. In this round up I've found tools that will help you with security code analysis and mitigation, handy code generators and comment utilities, console app templates and libraries, and help for keeping command-line arguments under control.
Note that the vast majority of these tools and extensions are created by your fellow developers and shared for free. If you like the tools, please let them know and give a rating and recommendation in Visual Studio Marketplace.
Application security is incredibly important. You have to assume that someone is trying to hack your app, your customer's data, or both. So security focused code analysis ought to be part of your game plan.
Security Code Scan, by Jaroslav Lobačevski and Philippe Arteau, is a static security code analysis tool for your .NET Framework projects. It scans for SQL injection problems, Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), XML eXternal Entity Injection (XXE), taint analysis to track user input data and more. You can configure Security Code Scan to analyze your project in the background or at build time, and you can install it as a Visual Studio Extension or as a NuGet package.
The Security IntelliSense extension, by the AzSDK team, provides inline security suggestions and fixes for Azure-related C# source code and XML config files, along with suggestions and fixes for related web projects and authentication/cryptography. Security IntelliSense, currently in preview, can be used on its own, but is meant to be integrated as part of the Secure DevOps Kit for Azure, an end-to-end solution for secure DevOps continuous integration workflows.
Secure DevOps Kit (AzSK) CICD Extensions for Azure is another part of the Secure DevOps Kit for Azure toolchain, providing continuous integration/continuous deployment (CICD) task automation within Visual Studio. Currently two tasks are included: The ARM Template Checker ensures secure configuration for pipeline-based deployments that create ARM resources, and the Security Verification Tests provide automated security regression tests for cloud resources inside the CICD pipeline.
The AttackFlow extension for Visual Studio 2015 and 2017 provides integrated security static code analysis for your code as you work. Part of the larger AttackFlow Software Security Enterprise offering, AttackFlow gives you both vulnerability reporting and in-place mitigation suggestions. AttackFlow currently supports Java and C# code and frameworks including ASP.NET MVC, WebForms, Spring, JavaServer Pages (JSP) and servlets and Android. Support for Swift, PHP and C/C++ is under development. AttackFlow also integrates with Git and Team Foundation Server for secure analysis of team-based projects.
Fortify Security Assistant for Visual Studio, from MicroFocus, is another security static code analysis extension for Visual Studio 2017. The assistant displays security scan results in the default Error List window and can detect issues in C#, Razor, WebForms and configuration files. The download is a demo, but all features are unlocked for licensed Fortify Static Code Analyzer users. The full analyzer product adds support for additional languages including Java, C/C++, Swift and PHP, along with larger, frequently updated rulesets and integration with build tools, code repositories, bug tracking, ticketing systems for better development collaboration and a secure DevOps workflow. Content Fortify sales for licensing details.
The SAST extension takes advantage of Veracode's cloud-based rule engines to give you faster and more extensive scans with a larger, constantly updated ruleset, in-line remediation advice and eLearning tools, 1:1 consultations with Veracode's AppSec consultants and more. SAST covers more than 20 languages and 75 frameworks and provides APIs for integrations with over 20 popular IDEs, bug/issue tracker, build and deployment systems including TFS and Team Services, JIRA, Jenkins, Maven, Ant, Splunk and more. A free 30-day trial is available for Greenlight. Contact Veracode directly for a demo and licensing quote.
Contrast for Visual Studio, by Contrast Security, is another SaaS-based security static analysis tool, providing a Visual Studio extension that works directly with Contrast's cloud-hosted Contrast Assess Interactive Application Security Testing services to check your code in the development environment and provide instant feedback to help you fix vulnerabilities and defend your app against attacks. Contact Contrast for a demo and license terms.
Generating Code and Comments
After secure-by-default code, probably the next most useful thing is written-for-you code. So here are a few handy code generators and formatters.
Mapping Generator, by Cezary Piątek, is a simple extension for creating code signatures mapped from existing objects in your project. Unlike other tools that use Roslyn-based runtime mappings, Mapping Generator lets you generate a static map in your code that you can then review and edit. It's a nice, simple approach to the problem. For more details about the thinking behind this extension, see Piątek's Generate mapping code with Roslyn code fix provider blog post.
Scaleton, by Tobias Kiertscher, is a code generator for C# domain model classes that supports plain, immutable, or change tracking class definitions. There's a somewhat simplified list of supported interfaces, method overrides and model attributes, but it's definitely a good start.
Eldin Zenderink's CPPComment Generator is a quick and powerful XML Doc comment generator for your C++ projects. CPPComment Generator provides documentation comments like Microsoft XML Docs with the automation provided by the CPPTripleSlash extension, but extends the doc comments to include Class Names, whether the function is a constructor, parameters and their types, and the class's return type and whether the return type is a pointer. All you do is type "///" and let the extension do its work.
For your C# projects, Carl Reinke's Format Doc Comments does exactly what the name implies: it applies formatting and line wrapping to XML doc comments in the current code file. You can format only selected comments or all doc comments in the file. To customize some of the formatting options, take a look at Paul Harrington's Editor Guidelines extension.
EmptyLine Extention is kind of an anti-code generator. Instead of adding code, it removes empty lines in your code files. Any group of more than one empty line will be consolidated to a single empty line. You can rid the entire file of empty lines or only remove them from a selection. There's even an option to have Visual Studio auto-reformat the code.
Consoles and Command Lines
Andrew Whitechapel's new Console App Project Templates are a great starting point for any Windows Platform (UWP) console application that will run in a DOS or PowerShell console window. The templates support the traditional C++/CX and C++/WinRT project types, and now also include support for C#-based console applications added to Windows earlier this year. For details on building console applications see the documentation article Create a Universal Windows Platform console app.
For any application that takes command line arguments, Smart Commandline Arguments, by Markus Bulli, is an incredibly useful extension that adds a separate Commandline Arguments window to Visual Studio where you can view, edit, add, or delete command line arguments for the current project. The extension stores your command line arguments inside a JSON file alongside the existing project file. The extension works in Visual Studio 2015 and 2017 and supports command line arguments in C# .NET Framework and .NET Core projects, Visual Basic, F#, C/C++, Node.js and Python code files.
Max Zimmerman's CommandAndConquer library and CommandAndConquer.CLI.Template take a holistic to creating console applications, making them simpler in the process. CommandAndConquer uses the concepts of controllers and commands to build the classes and methods that make your application operate. Parameters, command line arguments, configuration, documentation and even error handling are addressed by the CommandAndConquer library. Pretty neat stuff and I'll definitely be diving further into the capabilities of this system.
Finally, if your target console is a Linux or Mac OS terminal or Windows Subsystem for Linux, you might appreciate BashSyntax, by Anthony Berkow. It's a simple text classifier that provides basic syntax highlighting for Bash scripts in Visual Studio. It associates Bash scripts with both the .sh file name extension and, if there's no extension (which is common for bash scripts), it looks for #!/bin/bash on the first line of the file. Highlighting is available for builtins, commands, keywords, numbers, operators, strings and comments.