Versions Compared

Old Version 1

changes.mady.by.user Robert Andelin

Saved on

compared with

New Version 2

changes.mady.by.user Robert Andelin

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Published by Scroll Versions from space DTPDEVEL and version 2024.1

...

In terms of risk analysis, CERT uses three metrics to help quantify weaknesses:

  • the The severity of the consequences associated with a failure to comply with the rule.
  • the The likelihood that a coding flaw introduced by ignoring the rule will result in an exploitable vulnerability.
  • the The remediation cost associated with complying with the rule.

The metrics are used to prioritize violations into three levels: L1 (highest priority), L2, and L3. The CERT for Java Compliance extension configures your DTP implementation to show static analysis violations according to their CERT for Java priority, guideline, type, and guideline category.

...

  1. Install the Security Compliance Pack into DTP Extension Designer.
  2. Deploy the CERT for Java Compliance artifact into your DTP environment. This also deploys CERT for Java Compliance extension assets.
  3. Analyze code with Jtest using the CERT for Java test configuration and report violations to DTP. You can configure Jtest to use the local test configuration or the test configuration shipped with the Security Compliance Pack. The test configuration and rulemap.xml file configures analysis rules to report violations according to CERT for Java guidelines.
  4. Add the CERT for Java Compliance dashboard and widgets to your DTP interface. The dashboard widgets and shows the reported violations within the context of CERT for Java guidelines.
  5. Interact with the widgets and reports to identify code that needs to be fixed, as well as print out the reports for auditing purposes.
Note
titleAchieving 100% Compliance

CERT for Java is currently a work in progress , and includes guidelines that are incomplete and/or subject to change. As a result, DTP will report 100% compliance against only those guidelines that are mapped to a Parasoft static analysis rule.

...

Info
titleRule Map and Test Configuration

Parasoft static and flow analysis rules normally report violations according to a category (e.g.for example, Possible Bug, Interoperability, etc.and so on) and severity (i.e., 1-5). In order to view code analysis violations as CERT for Java guideline violations, DTP requires a rule map file that realigns Parasoft rules to report violations according to CERT for Java guidelines. In addition, the code analysis tool (Jtest) needs a test configuration file that ensures that only the rules related to the remapped CERT for Java rules are executed. These files are shipped with Jtest.

...

Profiles provide a range of functions in a DTP infrastructure, such as providing inputs for custom calculations executed by an extension and providing data for compliance reports. Profiles take their structure from models, which define fields, headers, or other components used in the profile. See Working with Model Profiles for information about understanding profiles in DTP Enterprise Pack. The following profiles are included with the CERT for Java artifact.

  • cert-compliance.json: This model file describes how the CERT for Java profiles render the data.
  • cert-java.json: This is the default profile that renders data according to the CERT Compliance cert-compliance.json model. This profile should be enabled to generate compliance audit reports.
  • cert-java-likelihood.json: This profile provides metric information for key performance indicator (KPI) calculations. It renders data according to the KPI.json model.
  • cert-java-remediation-cost.json: This profile provides metric information for KPI calculations. It renders data according to the KPI.json model.

...

This profile extends the Key Performance Indicator artifact so that metrics widgets can show metrics information related to CERT for Java guidelines. The profile renders the data calculated by the cert-java-likelihood.json and cert-java-remediation-cost.json profiles.

Info
titleKey Performance Indicator Extension is Required

In order to leverage the metrics calculations enabled by the KPI assets, install and deploy the Key Performance Indicator artifact.

...

For your convenience, a PDF that shows the association between Parasoft rules and CERT guidelines is located in the <PACK>/rules/jtest directory.  

package.json

This file describes the contents of the extension.

...

  1. Choose Extension Designer from the DTP settings (gear icon) menu.
  2. Click the Services tab and expand the DTP Workflows services category. You can deploy assets under any service category you wish, but we recommend using the DTP Workflows category to match how Parasoft categorizes the assets. You can also click Add Category to create your own service category (see Working with Services for additional information).
     
  3. You can deploy the artifact to an existing service or add a new service. The number of artifacts deployed to a service affects the overall performance. See Extension Designer Best Practices for additional information. Choose an existing service and continue to step 5 or click Add Service
  4. Specify a name for the service and click Confirm.
  5. The tabbed interface helps you keep artifacts organized within the service. Organizing your artifacts across one or more tabs does not affect the performance of the system. Click on a tab (or click the + button icon to add a new tab) and choose Import the vertical ellipses menu.
  6. Choose Local> Flows> Workflows> Security> Local > Flows > Workflows > Security > CERT Compliance and click Import.
  7. Click anywhere in the open area to drop the artifact into the service. 
  8. Click Deploy and return to your DTP dashboard.
  9. Refresh your browser.

...

  1. Click Add Dashboard in the DTP toolbar and specify a name when prompted. 
  2. (Optional) You can configure the default view for the dashboard by specifying the following information:
    1. Choose the filter associated with your project in the filter drop-down menu. A filter represents a set of run configurations that enabled custom views of the data stored in DTP. See DTP Concepts for additional information.
    2. Specify a range of time from the Period drop-down menu. 
    3. Specify a range of builds from the Baseline Build and Target Build drop-down menus. 
  3. Enable the Create dashboard from a template option and choose the SEI CERT Oracle Coding Standard for Java Compliance template from the associated menu.
  4. Click Create to finish adding the dashboard.

...

TitleYou can rename the widget in the Title field. This setting is available for all widgets.
FilterChoose a specific filter or Dashboard Settings from the drop-down menu. See Configuring Filters for additional information. This setting is available for all widgets.
Target BuildChoose a specific build from the drop-down menu. The build selected for the entire dashboard is selected by default. See See Using Build Administration for additional information about understanding builds. This setting is available for all widgets. 
Type

This rule specifies which type of guideline you want to view in the widget. Choose either Rule, Recommendation, or All from the drop-down menu. See Background for additional information about guideline types. This setting is available for the following widgets:

  • CERT Compliance - Guidelines by Status
  • CERT Levels - Target
  • CERT Violations by Category - TreeMap
Level

This rule specifies which priority level you want to view in the widget. Choose either L1, L2, or L3 from the drop-down menu. See Background for additional information about guideline priorities. This setting is available for the following widgets:

  • CERT Compliance - Guideline by Status
  • CERT Compliance - Percentage
  • CERT Violations by Category - TreeMap
Compliance ProfileSpecify the compliance profile you want to use to view the data. In most cases, this should be the default profile shipped with the extension (see CERT for Java Compliance Profile). This setting is available for all widgets.

...

  1. Choose Extension Designer from the DTP settings (gear icon) menu and click the Services tab. 
  2. Choose a service category and a service for the extension. We recommend deploying the KPI extension to the DTP Workflows category.
  3. Open the vertical ellipses menu and choose Import> Import > Local > Workflows > Workflows> Security> Security > Key Performance Indicator.
  4. Click anywhere in the space to drop the flow into the service tab and click Deploy.
  5. Click on the compliance category (i.e., DTP Workflows) and expand your service to expose the available endpoints.  
  6. Expand the Key Performance Indicator section and copy the endpoint. 
  7. Send a REST request to the endpoint along with the required parameters. You can execute the request in a browser, using a cURL command, or add it to a script. The following table describes the required parameters:

...

filterId

The filter ID for the project that the calculations will be performed on. You can quickly get the filter ID from URL of your dashboard.
 

You can also get the filter ID from the the Filters settings in DTP administration (see Configuring Filters).

profileProfile name with the rules and weights to use for the calculations.
buildIdThe build id for which the calculations will be performed on. If no build ID is provided, this parameter defaults to the latest build.

...

Metrics-related calculations are long-running processes and may take several minutes to execute depending on how much data you have to process. After the calculation completes, refresh the widgets (if already on your dashboard) to view the data. The KPI extension only needs to be deployed once, but you must invoke the API separately for each profile, i.e., such as SEI CERT Oracle Coding Standard for Java Likelihood and SEI CERT Oracle Coding Standard for Java Remediation Cost.

For additional views of the metrics, you can manually add instances of the native Metrics - Summary DTP DTP widget to your dashboard and configure them to use the SEI CERT Oracle Coding Standard for Java Likelihood and SEI CERT Oracle Coding Standard for Java Remediation Cost metrics, as well as set the aggregation value:.

You can click on a widget to open the Single Metric Overview Report.

...

The widget shows the overall compliance status, as well as the compliance status for each CERT level. You can add multiple instances of the widget configured to use a different profile, e.g.for example, a profile with disabled guidelines, to view your current compliance status. Click on the widget to open the CERT for Java Compliance Report.

...

This widget provides a representation of the highest concentration of static analysis violations per type and priority level. Tiles are color-coded according the priority level:

  • red Red tiles represent L1 violations.
  • yellow Yellow tiles represent L2 violations violations.
  • green Green tiles represent L3 violations.

The Parasoft rule(s) enforcing violations are also presented. Tiles are proportional to the number of static analysis violations reported for each rule. 

...

The widget uses the hierarchy established in the model profile to to correlate Parasoft rules with CERT rules, recommendations, and priorities. You can mouse over a tile in the widget to view the number of violations associated with each rule-guidline-/guideline/category.

Click on a rule to see the violation in the Violations Explorer.

...

This widget is an implementation of the standard Categories - Top 5 Table widget shipped with DTP. It shows the five CERT guideline categories with the most violations.

Click on a link in the Name column or the more... link to open the Violations by Compliance Category report.

...

This widget is an implementation of the standard Categories - Top 5 Table widget shipped with DTP. It shows the five CERT guidelines with the most violations.

Click on a link in the Name column or the more... link to open the Violations by Compliance Category report.

...

This widget is an implementation of the standard Rules in Compliance - Summary widget shipped withe DTP. This widgets shows the following information:

  • how How many static analysis rules for the selected compliance standard were enabled during code analysis.
  • how How many violations were reported.
  • the The overall percentage of rules that did not report violations.
  • the The change in number of violations from the baseline build to the target build as a percentage (if applicable).

Click on the widget to open the Violations by Compliance Category report.

...

You can perform the following actions:

  • Use the drop-down menus to sort by the following criteria:
    • Guideline type: Rule, Recommendation, or All 
    • Priority level: L1, L2, L3, or All
    • Compliance status: All, No Rules Enabled, Compliant, Compliant With Deviations, Compliant With Violations, Not Compliant, Missing Rule(s) in Analysis
  • Click on a link in the # of Violations to view the violations in the the Violations Explorer.
  • Click on a link in the # of Deviations to view the suppressed violations in the the Violations Explorer.
  • Open one of the CERT Compliance sub-reports.
  • Click Download PDF to download a printer-friendly PDF version of the report data. If you added a custom graphic to DTP as described in Adding a Custom Graphic to the Navigation Bar, the PDF will also be branded with the graphic. 

...

Table of Content Zone
maxLevel2
minLevel2
locationtop

Conformance Testing Plan

The Conformance Testing Plan cross-references CERT guidelines with Parasoft static analysis rules using the data specified in the compliance profile. You can change the severity, likelihood, remediation cost, and other values to meet your project goals by configuring the profile. Click on a guideline to view the CERT documentation on the CERT website.

Deviation Report 

Your code can contain violations and still be CERT-compliant as long as the deviations from the standard are documented and that the safety of the software is unaffected. Deviations are code analysis rules that have been suppressed either directly in the code or in the DTP Violations Explorer. See the Jtest documentation for details on suppressing violations in the code. See Suppressing Violations in the Violations Explorer documentation for information about suppressing violations in DTP.

Click on the Deviation Report link in the CERT Compliance Report to open the Deviation Report.  

The Deviations Report shows all guideline IDs and headers, but guidelines that have been suppressed will show additional information. You can perform the following actions:

  1. Filter the report by type (Rule, Recommendation, All).
  2. Filter the report by level (L1, L2, L3).
  3. Enable the Only Deviations option to only show deviations.
  4. Enable the Hide Modification History option to exclude the modification history for deviations   .   

Build Audit Report

The Build Audit Report is native functionality in DTP. It shows an overview of code analysis violations, as well as test results and coverage information, associated with the build. This report also allows you to download an archive of the data, which is an artifact you can use to demonstrate compliance with CERT during a regulatory audit.

In order to download an archive, the build has to be locked. See Build Audit Report for additional details about this report.  

...