In this section:

Why Use CVE Match?

Given a large (or even small) number of violations for the same rule with the same severity, how can developers know which violations to prioritize first? Which violations to pay more or deeper attention to? How can developers not inadvertently miss a critical security issue while going through a set of violations?  

DTP can recommend a CVE match associated with a violation to assist developers when facing the above questions.

What is CVE Match?

CVE match is a measure (between 0% and 100%) that quantifies the similarity between the source code of the method containing the violation and source code with known security vulnerabilities. The higher the probability, the higher the likelihood that the method containing the violation contains a security vulnerability.

CVE match can be calculated only for violations that are found within a method (or function body). It is not available if the violation is found outside of a method.

To calculate CVE match, a model was trained on code samples containing CVEs. For the java model, over 400 CVEs are covered representing 88 different CWEs including, but not limited to, the 18 most common CWEs:

CWE-20CWE-22CWE-74CWE-79CWE-89CWE-94
CWE-190

CWE-200

CWE-287CWE-352

CWE-400

CWE-444
CWE-502CWE-611CWE-770CWE-862CWE-863CWE-918

The diagram below illustrates how DTP, the CVE Match model, and OpenAI embeddings API work together.

Attribution

The model was trained using data sourced from the National Vulnerability Database provided by the National Institute of Standards and Technology, along with source code samples extracted from public repositories on GitHub.

This product uses data from the NVD API but is not endorsed or certified by the NVD.

Supported Tools

CVE match can be calculated for static analysis violations from Jtest only. C/C++test and dotTEST are currently not supported.

Prerequisites

OpenAI Settings

OpenAI settings must be configured in order to calculate CVE match for violations. See Using DTP with OpenAI for more information.

Source Code View Configuration

DTP must be configured to display source code in the Violations Explorer. See Source Code View Configuration Overview for more information.

Jtest

In order to calculate CVE match for Jtest violations, one of the following conditions must be met:

  1. Jtest is configured to send advanced metadata to DTP for machine learning. This setting is disabled by default, but it can be enabled under the Advanced Settings on the Static Analysis Settings tab in your Jtest test configurations. See the Jtest documentation at https://docs.parasoft.com/ for more information.
  2. Metrics analysis is run in addition to static analysis and both reports are sent to DTP. During the metrics analysis, one of the following metrics must be enabled:
    • METRIC.CLLOCRIM

    • METRIC.NOBLIM

    • METRIC.NOCLIM

    • METRIC.NOLLOCIM

    • METRIC.NOMCIM
    • METRIC.NOPAR
    • METRIC.NOPLIM

    • METRIC.NORET

    • METRIC.NOSLIM

Operating System Requirements

Older Linux operating systems (CentOS 7.x and older) might be missing some libraries that are needed by the CVE Match model. In these situations, when you try to calculate the CVE Match you might see an error message, "The CVE Match model is not loaded. See logs for more information." Check the logs for more information about the missing library. Note: the error is created when the first missing library is encountered. If multiple libraries are missing, you might get this error multiple times.

Microsoft Visual C++ Redistributable package (2019 or higher) is required by the CVE Match model on Windows. Unless you have disabled Windows updates, this package should already be installed on your system.

Calculating CVE Match

To calculate the CVE match for a violation, select it in the Violations Explorer and click Get Recommendations on the Prioritizations tab.

If the prerequisite conditions have been met, the CVE match will be added to the Recommendations section. If one or more prerequisite conditions have not been met, there will be an info icon to the left of the Recommendations label that you can hover over for details.

Note: CVE match does not use the OpenAI LLM APIs. CVE Match uses OpenAI integration solely for the purpose of the method source code embedding. The cost of calls to the embeddings API are much lower than calls to the LLM APIs. DTP only allows calculating CVE match for one violation at a time.  


  • No labels