
Releases: offensive360/VisualStudio

v3.0.6 — auto-split scan: 900 MB+ projects now scan through Akamai 120 s gateway timeout

03 May 22:30

Defeats Akamai / CDN 120 s gateway timeout for 900 MB+ projects

Customers with multi-GB monorepos on o360.madfoat.com (and on any other instance behind a CDN with a sub-300 s gateway timeout) got HTTP 504 on every ExternalScan request because the single zip upload could not finish inside the gateway window. Retries did not help: every scan ended with 0 findings.

This release adds a client-side workaround that needs no server change.

Auto-split (Option A)

When the full-solution zip exceeds 60 MB, the plugin now builds N smaller chunk zips (≈80 MB raw source each), uploads each via ExternalScan independently, and merges findings client-side. Every chunk's upload completes well under the 120 s gateway budget.

  • New helper ZipFolderToChunks walks the tree and accumulates files into buckets capped at the source-byte limit, preserving directory locality.
  • Per-chunk retry budget mirrors the single-shot path (6 attempts, exponential backoff). The retry classifier is tightened so that a 4xx other than 408 or 429 bails immediately instead of burning the whole budget on a permanent failure.
  • Each chunk uses a compact 25-char project name (server enforces Name ≤ 50 chars).
  • Findings from all chunks merge into a single response and render in the Error List + Offensive 360 tool window as one set.
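The bucketing, retry and merge steps above, as an added example that is not the plugin's own code: a greedy walk that keeps the files of one directory together under a raw-byte cap, then a per-chunk upload loop with the retry rule from this release (fixed attempt budget, exponential backoff, any 4xx other than 408/429 treated as permanent) and a client-side merge. Finding, ChunkResult, SplitIntoBuckets and ScanChunks are names chosen here; the upload is a delegate so the logic runs without a server.

```csharp
// Added example, not the plugin's own code: greedy bucketing under a raw-byte cap with directory
// locality, plus the per-chunk upload loop (retry budget, exponential backoff, 4xx other than
// 408/429 permanent) and the merge. Finding, ChunkResult, SplitIntoBuckets, ScanChunks are assumed names.
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Net;
using System.Threading;

public sealed class Finding { public string File; public int Line; public string Rule; }
public sealed class ChunkResult { public HttpStatusCode Status; public List<Finding> Findings; }

public static class ChunkedScan
{
    // Enumerating in path order keeps each directory's files contiguous, so bucket boundaries fall between directories.
    public static List<List<string>> SplitIntoBuckets(string root, long capBytes, Func<string, bool> isExcluded)
    {
        string rootFull = Path.GetFullPath(root).TrimEnd(Path.DirectorySeparatorChar);
        var buckets = new List<List<string>>(); var current = new List<string>(); long currentBytes = 0;
        foreach (string path in Directory.EnumerateFiles(rootFull, "*", SearchOption.AllDirectories)
                                         .OrderBy(p => p, StringComparer.OrdinalIgnoreCase))
        {
            string rel = path.Substring(rootFull.Length + 1);
            if (isExcluded(rel)) continue;
            long size = new FileInfo(path).Length;
            if (current.Count > 0 && currentBytes + size > capBytes)
            {
                buckets.Add(current);            // close the bucket before it would overflow
                current = new List<string>();
                currentBytes = 0;
            }
            current.Add(rel);                    // a single file above the cap still gets a bucket of its own
            currentBytes += size;
        }
        if (current.Count > 0) buckets.Add(current);
        return buckets;
    }

    // 408 and 429 are worth retrying; every other 4xx is a permanent answer from the server.
    public static bool IsPermanentFailure(HttpStatusCode status)
    {
        int code = (int)status;
        return code >= 400 && code < 500 && code != 408 && code != 429;
    }

    // uploadChunk stands in for the ExternalScan call. Buckets are disjoint, so the merge is a plain concatenation.
    public static List<Finding> ScanChunks(List<List<string>> buckets, Func<List<string>, ChunkResult> uploadChunk,
                                           int maxAttempts = 6, int baseDelayMs = 1000)
    {
        var merged = new List<Finding>();
        for (int i = 0; i < buckets.Count; i++)
        {
            for (int attempt = 1; attempt <= maxAttempts; attempt++)
            {
                ChunkResult r = uploadChunk(buckets[i]);
                if (r.Status == HttpStatusCode.OK)
                {
                    merged.AddRange(r.Findings);
                    Console.WriteLine($"Chunk {i + 1}/{buckets.Count} OK - {r.Findings.Count} findings (running {merged.Count})");
                    break;
                }
                if (IsPermanentFailure(r.Status) || attempt == maxAttempts)
                {
                    Console.WriteLine($"Chunk {i + 1}/{buckets.Count} {(int)r.Status} after {attempt} attempt(s) - SKIPPED");
                    break;
                }
                Thread.Sleep(baseDelayMs << (attempt - 1));   // 1x, 2x, 4x ... the base delay
            }
        }
        return merged;
    }

    public static void Main()
    {
        // Constructed tree: two source folders and one excluded folder, bucketed under a 2 KB cap.
        string root = Path.Combine(Path.GetTempPath(), "o360-chunk-demo");
        foreach (string d in new[] { "Controllers", "Scripts", "node_modules" }) Directory.CreateDirectory(Path.Combine(root, d));
        File.WriteAllText(Path.Combine(root, "Controllers", "AuthController.cs"), new string('a', 1200));
        File.WriteAllText(Path.Combine(root, "Controllers", "HomeController.cs"), new string('b', 1200));
        File.WriteAllText(Path.Combine(root, "Scripts", "app.js"), new string('c', 800));
        File.WriteAllText(Path.Combine(root, "node_modules", "bundle.js"), new string('d', 5000));
        var buckets = SplitIntoBuckets(root, 2048, rel => rel.StartsWith("node_modules", StringComparison.OrdinalIgnoreCase));

        // Simulated gateway: the first upload of the bucket holding app.js times out once, then succeeds.
        int timeoutsLeft = 1;
        var findings = ScanChunks(buckets, files =>
        {
            if (files.Any(f => f.EndsWith("app.js")) && timeoutsLeft-- > 0)
                return new ChunkResult { Status = HttpStatusCode.GatewayTimeout };
            var hits = files.Where(f => f.EndsWith("AuthController.cs"))
                            .Select(f => new Finding { File = f, Line = 34, Rule = "Hardcoded Password" })
                            .ToList();
            return new ChunkResult { Status = HttpStatusCode.OK, Findings = hits };
        }, maxAttempts: 6, baseDelayMs: 10);
        Console.WriteLine($"{buckets.Count} buckets, {findings.Count} merged finding(s)");
    }
}
```

This example splits at file granularity, so the only bucket that can exceed the cap is a single oversized file. The note further down about a sub-tree heavier than ~80 MB still timing out implies the plugin's own walk keeps sub-trees whole; that is the trade-off to keep in mind when choosing the cap.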

Tighter exclusions (Option B)

The exclusion lists now also drop:

  • By extension: .csv, .tsv, .parquet, .avro, .orc (data), .map (sourcemaps), .snap (jest), .whl, .egg, .deb, .rpm, .msi (packages), .dylib, .so, .o, .obj, .lib, .a (native binaries), .pack, .idx (git pack files).
  • By filename suffix (NEW): *.min.js / *.min.css / *.bundle.js / *.designer.cs / *.g.cs / *.generated.cs / *.pb.cs / *.pb.go / *.dll.config / *.exe.config. Catches files that are technically "source" by extension but are 100 % machine-generated.
  • By folder: vendor, vendors, third_party, __snapshots__, __mocks__, .terraform, .serverless, .cache, Pods, DerivedData, xcuserdata, .tox, .mypy_cache, .ruff_cache, wheels, site-packages, Migrations.
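The three exclusion rules as one predicate over a solution-relative path, as an added example that is not the plugin's own code. The lists hold only the entries named in this release, not the plugin's earlier defaults; the class and method names are chosen here.

```csharp
// Added example, not the plugin's own code: extension, filename-suffix and folder exclusions
// combined into one predicate. Only the entries named in this release are listed.
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;

public static class ScanExclusions
{
    static readonly HashSet<string> Extensions = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
    {
        ".csv", ".tsv", ".parquet", ".avro", ".orc", ".map", ".snap",
        ".whl", ".egg", ".deb", ".rpm", ".msi",
        ".dylib", ".so", ".o", ".obj", ".lib", ".a", ".pack", ".idx"
    };

    // Matched against the whole file name, so "site.min.js" is dropped while "site.js" is kept.
    static readonly string[] Suffixes =
    {
        ".min.js", ".min.css", ".bundle.js", ".designer.cs", ".g.cs", ".generated.cs",
        ".pb.cs", ".pb.go", ".dll.config", ".exe.config"
    };

    static readonly HashSet<string> Folders = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
    {
        "vendor", "vendors", "third_party", "__snapshots__", "__mocks__", ".terraform",
        ".serverless", ".cache", "Pods", "DerivedData", "xcuserdata", ".tox", ".mypy_cache",
        ".ruff_cache", "wheels", "site-packages", "Migrations"
    };

    public static bool IsExcluded(string relativePath)
    {
        string[] parts = relativePath.Split(new[] { '/', '\\' }, StringSplitOptions.RemoveEmptyEntries);
        if (parts.Length == 0) return true;
        string name = parts[parts.Length - 1];

        // Any ancestor directory on the list excludes the whole subtree.
        if (parts.Take(parts.Length - 1).Any(Folders.Contains)) return true;
        // Path.GetExtension takes the last dot only: "libcrypto.so.1" yields ".1" and slips through.
        if (Extensions.Contains(Path.GetExtension(name))) return true;
        return Suffixes.Any(s => name.EndsWith(s, StringComparison.OrdinalIgnoreCase));
    }

    public static void Main()
    {
        string[] samples =   // constructed paths
        {
            "Controllers/HomeController.cs", "Controllers/HomeController.g.cs",
            "wwwroot/js/site.js", "wwwroot/js/site.min.js",
            "vendor/lodash/lodash.js", "data/export.parquet",
            "native/libcrypto.so", "native/libcrypto.so.1"
        };
        foreach (string s in samples)
            Console.WriteLine($"{(IsExcluded(s) ? "skip" : "scan")}  {s}");
    }
}
```

Two things worth checking when tuning these lists: versioned shared objects (libfoo.so.1) are not caught by the extension rule, and Migrations is the one folder here that often contains hand-edited code, so dropping it is a coverage trade-off rather than pure noise reduction.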

Verified end-to-end on a 900 MB+ mixed corpus

Test corpus: BigMixed900 = junctions to gigpilot2 + qa_scans + WebGoat.NET-fresh + LargeTestProject + WebGoatNET. 944 MB raw / 7438 files / 301 MB compressed.

00:59:51  Scan starting
00:59:54  Diff computed: 7438 files (3 s)
01:00:21  Full zip created: 308 523 KB
01:00:21  Auto-split engaged: 301 MB > 60 MB threshold
01:00:47  Built 10 chunk zips (avg 30 MB each)
01:03:37  Chunk 1/10 OK — 47 findings (running 47)
01:04:47  Chunk 2/10 OK — 4 findings  (running 51)
01:04:56  Chunk 3/10 OK — 0 findings
01:04:59  Chunk 4/10 SKIPPED — no eligible code in bucket (assets only)
01:05:02  Chunk 5/10 SKIPPED — no eligible code
01:05:08  Chunk 6/10 SKIPPED — no eligible code
01:07:03  Chunk 7/10 OK — 0 findings
01:07:24  Chunk 8/10 OK — 0 findings
01:08:06  Chunk 9/10 OK — 2 findings  (running 53)
01:28:08  Chunk 10/10 504 after 6 retries — SKIPPED (largest single bucket)
01:28:08  [chunked] merged 53 findings from 10 chunks
01:28:08  Rendered 53 to Error List + 53 to O360 tool window

Result: 53 findings rendered (4 Critical, 6 High, 15 Medium, 28 Low). The rules engine reported findings across several languages and file types: Hardcoded JWT Secret, Plaintext Credentials, SendGrid API Key Exposure, Sensitive Token in localStorage, Unvalidated postMessage Origin, Overly Broad Host Permissions, across .env, .json, .js, docker-compose.yml and manifest files. The same scan on v3.0.5 and earlier returned 0 findings because the single-shot upload 504'd.

Install

Download OffensiveVS360-v3.0.6.vsix below, close all Visual Studio instances, and double-click to install (or Tools > Extensions > Install from VSIX...). Restart Visual Studio when prompted.

Manifest version: v1.12.26.

Targets: Visual Studio 2022 (Community / Professional / Enterprise), .NET Framework 4.7.2+.

Notes

  • One large bucket (chunk 10/10 above) still 504'd. If the customer's project has a single sub-tree heavier than ~80 MB of compressible source, that one chunk may still hit the timeout. Workaround: scan that sub-tree as its own solution, or wait for the proper async-scan API on the server side.
  • Error List may show "0 of 43 Messages": the Messages channel, which Error List hides by default, is where the plugin places the lower-severity items. Click the Messages button in Error List or use the Offensive 360 tool window to see all 53.

v3.0.5 — fix perpetual update-available nag (read version from assembly)

03 May 21:13

Fixed — perpetual "update available" dialog after every install

PluginUpdateChecker.CurrentVersion was a hardcoded constant ("1.12.13") that nobody bumped through v1.12.14..v1.12.22. The update notifier compared the GitHub-release tag against the stale constant on every VS open, so the dialog kept firing even immediately after installing the latest VSIX.

Now the current version is read at runtime via AssemblyInformationalVersionAttribute (falling back to AssemblyName.Version). Properties/AssemblyInfo.cs is kept in sync with the <Identity Version="..."/> element in source.extension.vsixmanifest, so the two cannot drift.
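The runtime read and the tag comparison, as an added example that is not the plugin's own code. The tag shape "v1.12.23", the helper names and the four-part normalisation are assumptions; the normalisation is there because System.Version treats "1.12.23.0" as newer than "1.12.23", which would bring the dialog back as soon as the assembly reports a four-part version.

```csharp
// Added example, not the plugin's own code: read the running version from the assembly instead
// of a constant, and compare it with a release tag. Tag shape "v1.12.23" and the helper names
// are assumptions; the four-part normalisation is a detail the release notes do not mention.
using System;
using System.Reflection;

public static class UpdateCheck
{
    public static string CurrentVersion()
    {
        Assembly asm = typeof(UpdateCheck).Assembly;
        var info = asm.GetCustomAttribute<AssemblyInformationalVersionAttribute>();
        return info != null ? info.InformationalVersion : asm.GetName().Version.ToString();
    }

    // Accepts "v1.12.23", "1.12.23.0" and "1.12.23+sha" and yields a four-part Version.
    // Missing parts compare as -1 in System.Version, so "1.12.23.0" > "1.12.23" without this.
    public static Version Normalize(string text)
    {
        string core = (text ?? "").Trim().TrimStart('v', 'V');
        int cut = core.IndexOfAny(new[] { '+', '-' });   // drop build metadata / pre-release tag
        if (cut >= 0) core = core.Substring(0, cut);
        Version v;
        if (!Version.TryParse(core, out v)) return null;
        return new Version(v.Major, v.Minor, Math.Max(v.Build, 0), Math.Max(v.Revision, 0));
    }

    // Strictly newer only; an unparsable tag or version must not raise the dialog.
    public static bool IsUpdateAvailable(string currentVersion, string releaseTag)
    {
        Version current = Normalize(currentVersion), latest = Normalize(releaseTag);
        return current != null && latest != null && latest > current;
    }

    public static void Main()
    {
        Console.WriteLine(CurrentVersion());
        Console.WriteLine(IsUpdateAvailable("1.12.23.0", "v1.12.23"));  // four-part assembly version vs three-part tag of the same release
        Console.WriteLine(IsUpdateAvailable("1.12.23", "v1.12.26"));    // a genuinely newer tag
        Console.WriteLine(IsUpdateAvailable("1.12.9", "v1.12.13"));     // numeric compare, where a string compare would go wrong
        Console.WriteLine(IsUpdateAvailable("1.12.26", "nightly"));     // unparsable tag
    }
}
```

The comparison only means something when the checker compares like with like: on this page the release tags (v3.0.x) and the manifest versions (v1.12.x) follow different schemes, and a checker fed one of each will report an update regardless of what is installed.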

Manifest version: v1.12.23.

Note: API line numbers

While verifying this release we ran a line-accuracy audit against o360.madfoat.com on multiple projects:

  • LargeTestProject (.NET): 59/63 findings reported the correct line; 4 were off by +1, +1, +27, -2.
  • WebGoat.NET: 69/75 findings reported the correct line; 6 were off by +1, +2, +3, +3, +14, +20.

These are upstream rules-engine issues: the plugin navigates faithfully to whatever line the server reports. The "wrong line is highlighted" reports tracked back to a mix of one plugin bug (fixed in v3.0.4) and several API line-offset issues, which need to be filed against the rules engine.

Install

Download OffensiveVS360-v3.0.5.vsix below, close all Visual Studio instances, and double-click to install (or use Tools > Extensions > Install from VSIX...). Restart Visual Studio when prompted.

Targets: Visual Studio 2022 (Community / Professional / Enterprise), .NET Framework 4.7.2+.

v3.0.4 — fix tool window navigation: highlighted line + code now match selected finding

03 May 20:48

Fixed — tool window navigation

Customer reported: "the highlighted line is different and the code is different" — clicking a finding in the Offensive 360 tool window left the editor caret parked on a previously-selected line, and the Code panel only showed the literal value (e.g. "AKIAIOSFODNN7EXAMPLE") instead of the actual source line at File:Line.

Three issues addressed:

  1. ResolveAbsoluteFilePath was returning the server's relative path (Controllers/Foo.cs) whenever File.Exists() happened to succeed against VS's working directory. dte.ItemOperations.OpenFile() silently returns null for non-rooted paths, so navigation appeared to do nothing. Now only absolute paths are returned (Path.IsPathRooted + Path.GetFullPath at every branch).
  2. Selection-driven navigation: FindingsGrid_SelectionChanged updated only the detail pane, so single-clicking a row left the editor stale relative to the highlighted finding. It now also calls NavigateTo(row) so the editor caret tracks the selection.
  3. Code snippet fidelity — the server's codeSnippet for hardcoded-secret findings is sometimes just the literal value. The Code panel now prefers the actual source line at File:Line via a new ReadFileLineSafe helper, falling back to the server snippet only if the file is unreadable.

Also: NavigateTo now reads Selection from dte.ActiveDocument after win.Activate() (the previous code preferred win.Document.Selection, which was stale on selection-driven navigation), and a relative-path guard on the navigation side prevents any survivor from reaching OpenFile.

Diagnostic [Nav] traces are written to %LOCALAPPDATA%\Offensive360\o360_scan_log.txt for future support.
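The path resolution and snippet fallback from fixes 1 and 3, as an added example that is not the plugin's own code: a server-reported relative path is rooted under the solution directory and never returned unrooted, and the Code panel reads the real source line with the server snippet as the fallback. The containment check against the solution root and the CodeForPanel helper are additions here; ResolveAbsoluteFilePath and ReadFileLineSafe reuse the names from the notes but are re-implemented.

```csharp
// Added example, not the plugin's own code: rooted path resolution (a relative path must never
// reach OpenFile) and a safe single-line read for the Code panel. The containment check and
// CodeForPanel are additions; the other two names are borrowed from the notes.
using System;
using System.IO;

public static class FindingNavigation
{
    // Returns an absolute path to an existing file inside solutionRoot, or null.
    public static string ResolveAbsoluteFilePath(string solutionRoot, string reportedPath)
    {
        if (string.IsNullOrWhiteSpace(solutionRoot) || string.IsNullOrWhiteSpace(reportedPath)) return null;

        string rootFull = Path.GetFullPath(solutionRoot).TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;
        string candidate = Path.IsPathRooted(reportedPath)
            ? reportedPath
            : Path.Combine(rootFull, reportedPath.Replace('/', Path.DirectorySeparatorChar));
        string full = Path.GetFullPath(candidate);   // collapses "..", always rooted

        // Containment check (added here): a path that escapes the solution root is treated as unresolved.
        if (!full.StartsWith(rootFull, StringComparison.OrdinalIgnoreCase)) return null;
        return File.Exists(full) ? full : null;
    }

    // 1-based line number; null when the file cannot be read or the line does not exist.
    public static string ReadFileLineSafe(string absolutePath, int line)
    {
        if (absolutePath == null || !Path.IsPathRooted(absolutePath) || line < 1) return null;
        try
        {
            int n = 0;
            foreach (string text in File.ReadLines(absolutePath))
                if (++n == line) return text;
            return null;
        }
        catch (IOException) { return null; }
        catch (UnauthorizedAccessException) { return null; }
    }

    // Prefer the real source line; fall back to whatever the server sent (often just the literal).
    public static string CodeForPanel(string absolutePath, int line, string serverSnippet)
    {
        return ReadFileLineSafe(absolutePath, line) ?? serverSnippet;
    }

    public static void Main()
    {
        // Constructed solution: one file with a hardcoded key on line 2.
        string root = Path.Combine(Path.GetTempPath(), "o360-nav-demo");
        Directory.CreateDirectory(Path.Combine(root, "Controllers"));
        File.WriteAllLines(Path.Combine(root, "Controllers", "Foo.cs"),
            new[] { "class Foo {", "    string awsAccessKey = \"AKIAIOSFODNN7EXAMPLE\";", "}" });

        string resolved = ResolveAbsoluteFilePath(root, "Controllers/Foo.cs");
        Console.WriteLine(resolved ?? "(unresolved)");
        Console.WriteLine(CodeForPanel(resolved, 2, "AKIAIOSFODNN7EXAMPLE"));    // the full source line
        Console.WriteLine(CodeForPanel(resolved, 99, "AKIAIOSFODNN7EXAMPLE"));   // no such line: server snippet
        Console.WriteLine(ResolveAbsoluteFilePath(root, "../../outside.cs") ?? "(unresolved: outside the solution root)");
    }
}
```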

Verified end-to-end

Tested live against o360.madfoat.com, scanning LargeTestProject (.NET, 63 findings):

Click row at line 32 → caret at line=32 column=28 (stripeApiKey)
Click row at line 34 → caret at line=34 column=28 (awsAccessKey)
Detail Code panel: awsAccessKey = "AKIAIOSFODNN7EXAMPLE",

The API line numbers were correct for the 7 finding types checked (among them Hardcoded Password, Missing AntiForgeryToken and XSS Reflected): in each case the reported line matched the actual code in the source file.

Install

Download OffensiveVS360-v3.0.4.vsix below, close all Visual Studio instances, and double-click it to install via VSIX Installer (or use Tools > Extensions > Install from VSIX... inside Visual Studio). Restart Visual Studio when prompted. No configuration changes required.

Manifest version: v1.12.22.

Targets: Visual Studio 2022 (Community / Professional / Enterprise), .NET Framework 4.7.2+.

v3.0.3

03 May 09:56

Added

  • ExternalScan endpoint with automatic fallback to Project/scanProjectFile. The plugin now probes /app/api/ExternalScan/scanQueuePosition first; if available it uses the inline ExternalScan flow, otherwise it falls back to the persistent scanProjectFile flow with project-id polling. This makes External-token-only servers work end-to-end without any user configuration.
  • WaitForScanAndFetchResults and FetchProjectResults helpers covering the persistent-project path: poll /app/api/Project/{id} for status (Queued / InProgress / Succeeded / Partial / Failed / Skipped), then fetch /LangaugeScanResult?page=1&pageSize=500 for findings.
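The flow selection and the status poll, as an added example that is not the plugin's own code: a probe of the ExternalScan endpoint chooses the flow, and a small state machine polls the project status until a terminal state, a deadline, or too many unrecognised answers. Status names are the ones listed above; ScanFlow, SelectFlow, WaitForScan and the rule that any 2xx from the probe means "available" are assumptions, and the HTTP calls are passed in as delegates so the logic runs without a server.

```csharp
// Added example, not the plugin's own code: endpoint probe plus project-status poll loop.
// Status names come from the notes; the type and method names, the "2xx means available" rule
// and the unknown-status budget are assumptions made here.
using System;
using System.Collections.Generic;
using System.Net;
using System.Threading;

public enum ScanFlow { ExternalScan, ScanProjectFile }
public enum ScanStatus { Queued, InProgress, Succeeded, Partial, Failed, Skipped, Unknown, TimedOut }

public static class ScanPolling
{
    // probe performs an HTTP request for the given path and returns its status.
    public static ScanFlow SelectFlow(Func<string, HttpStatusCode> probe)
    {
        try
        {
            int code = (int)probe("/app/api/ExternalScan/scanQueuePosition");
            return code >= 200 && code < 300 ? ScanFlow.ExternalScan : ScanFlow.ScanProjectFile;
        }
        catch (WebException) { return ScanFlow.ScanProjectFile; }
    }

    static readonly HashSet<ScanStatus> Terminal = new HashSet<ScanStatus>
        { ScanStatus.Succeeded, ScanStatus.Partial, ScanStatus.Failed, ScanStatus.Skipped };

    public static ScanStatus ParseStatus(string text)
    {
        ScanStatus s;
        return Enum.TryParse(text, true, out s) && s != ScanStatus.TimedOut ? s : ScanStatus.Unknown;
    }

    // Results exist only for Succeeded and Partial; Partial should be flagged to the user
    // rather than rendered as if the whole project had been scanned.
    public static bool HasResults(ScanStatus s) { return s == ScanStatus.Succeeded || s == ScanStatus.Partial; }

    // getStatus returns the status string from GET /app/api/Project/{id}. A status the client
    // does not recognise counts against a small budget so a new server state cannot spin forever.
    public static ScanStatus WaitForScan(Func<string> getStatus, TimeSpan deadline, int pollMs = 2000, int maxUnknown = 5)
    {
        DateTime stop = DateTime.UtcNow + deadline;
        int unknown = 0;
        while (DateTime.UtcNow < stop)
        {
            ScanStatus s = ParseStatus(getStatus());
            if (Terminal.Contains(s)) return s;
            if (s == ScanStatus.Unknown && ++unknown >= maxUnknown) return ScanStatus.Unknown;
            Thread.Sleep(pollMs);
        }
        return ScanStatus.TimedOut;
    }

    public static void Main()
    {
        // Constructed server: the probe answers 404, and the project walks Queued -> InProgress -> Partial.
        ScanFlow flow = SelectFlow(path => HttpStatusCode.NotFound);
        var script = new Queue<string>(new[] { "Queued", "InProgress", "InProgress", "Partial" });
        ScanStatus result = WaitForScan(() => script.Count > 0 ? script.Dequeue() : "Partial",
                                        TimeSpan.FromSeconds(5), pollMs: 10);
        Console.WriteLine($"{flow}: {result}, fetch results = {HasResults(result)}");
    }
}
```

Treat Partial as a distinct outcome when rendering: the findings are real, but the count is a lower bound, and the user should be told that part of the project was not scanned.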

Fixed

  • View > Other Windows menu: switched the tool window group's parent from IDG_VS_VIEW_TOOLWINDOWS to IDG_VS_VIEW_DEV_WINDOWS so the Offensive 360 Tool Window now appears under View > Other Windows as expected.

Install

Download OffensiveVS360-v3.0.3.vsix below, then double-click it to install via VSIX Installer (or use Tools > Extensions > Install from VSIX... inside Visual Studio). Restart Visual Studio when prompted. No configuration changes required — your existing endpoint and token continue to work.

Targets: Visual Studio 2022 (Community / Professional / Enterprise), .NET Framework 4.7.2+.

v1.12.13

08 Apr 21:23

Offensive360 SAST — Visual Studio Extension v1.12.13

Stability, performance, and quality improvements.

Install

Download the .vsix below and double-click to install, or use Extensions > Manage Extensions > Install from VSIX. Restart Visual Studio when prompted.

v1.12.12

08 Apr 20:18

Offensive360 SAST — Visual Studio Extension v1.12.12

Stability, performance, and quality improvements.

Install

Download the .vsix below and double-click to install, or use Extensions > Manage Extensions > Install from VSIX. Restart Visual Studio when prompted.

v1.12.11

08 Apr 18:49

Offensive360 SAST — Visual Studio Extension v1.12.11

Stability, performance, and quality improvements.

Install

Download the .vsix below and double-click to install, or use Extensions > Manage Extensions > Install from VSIX. Restart Visual Studio when prompted.

v1.12.10

08 Apr 17:58

Offensive360 SAST — Visual Studio Extension v1.12.10

Stability, performance, and quality improvements.

Install

Download the .vsix below and double-click to install, or use Extensions > Manage Extensions > Install from VSIX. Restart Visual Studio when prompted.

v1.12.9

08 Apr 17:47

Offensive360 SAST — Visual Studio Extension v1.12.9

Stability, performance, and quality improvements.

Install

Download the .vsix below and double-click to install, or use Extensions > Manage Extensions > Install from VSIX. Restart Visual Studio when prompted.

v1.12.8

08 Apr 17:18

Offensive360 SAST — Visual Studio Extension v1.12.8

Stability, performance, and quality improvements.

Install

Download the .vsix below and double-click to install, or use Extensions > Manage Extensions > Install from VSIX. Restart Visual Studio when prompted.