Comment: Published by Scroll Versions from space DTPDEVEL and version 2024.1

...

  • cert-compliance.json: This model file describes how the CERT C and CERT C++ profiles render the data. 
  • cert-c.json: This is the default profile that renders data according to the cert-compliance.json model. This profile should be enabled to generate compliance audit reports.
  • cert-c-likelihood.json: This profile provides metric information for key performance indicator (KPI) calculations. It renders data according to the KPI.json model.
  • cert-c-remediation-cost.json: This profile provides metric information for KPI calculations. It renders data according to the KPI.json model.

See Working with Model Profiles for information about understanding profiles in DTP Enterprise Pack.

KPI.json

This profile extends the Key Performance Indicator artifact so that metrics widgets can show metrics information related to CERT C guidelines. The profile renders the data calculated by the cert-c-likelihood.json and cert-c-remediation-cost.json profiles.

Image Removed

Info: Key Performance Indicator Extension is Required

In order to leverage the metrics calculations enabled by the KPI assets, install and deploy the Key Performance Indicator artifact. This artifact ships with the Security Compliance Pack, but you can contact your Parasoft representative to download a standalone instance of the artifact.

Cross-reference PDF

For your convenience, a PDF that shows the association between Parasoft rules and CERT guidelines is located in the <PACK>/rules/cpptest directory.  

package.json

This file describes the contents of the extension.

Info: Rule Map and Test Configuration

Parasoft static and flow analysis rules normally report violations according to a category (for example, Possible Bug, Interoperability, etc.) and severity (1-5). In order to view code analysis violations as CERT C guideline violations, DTP requires a rule map file that realigns Parasoft rules to report violations according to CERT C guidelines. In addition, the code analysis tool (C/C++test) needs a test configuration file that ensures that only the rules related to the remapped CERT C rules are executed. These files are shipped with C/C++test.

Deploying the CERT Compliance Assets

The CERT C Compliance artifacts are installed as part of the Security Compliance Pack (see Installation for instructions). After installing the artifact, you must deploy the assets to your DTP environment. 

Info: CERT C, CERT C++, and CERT for Java

If you are already using the CERT C++ Compliance or CERT for Java Compliance artifact, you do not need to perform this step. All of these artifacts use the same DTP Workflow.

  1. Choose Extension Designer from the DTP settings (gear icon) menu.
  2. Click the Services tab and expand the DTP Workflows services category. You can deploy assets under any service category you wish, but we recommend using the DTP Workflows category to match how Parasoft categorizes the assets. You can also click Add Category to create your own service category (see Working with Services for additional information).
  3. You can deploy the artifact to an existing service or add a new service. The number of artifacts deployed to a service affects the overall performance. See Extension Designer Best Practices for additional information. Choose an existing service and continue to step 5 or click Add Service.
  4. Specify a name for the service and click Confirm.
  5. The tabbed interface helps you keep artifacts organized within the service. Organizing your artifacts across one or more tabs does not affect the performance of the system. Click on a tab (or click the + icon to add a new tab) and choose Import from the ellipses menu.
  6. Choose Local > Flows > Workflows > Security > CERT Compliance and click Import.
  7. Click anywhere in the open area to drop the artifact into the service. 
  8. Click Deploy and return to your DTP dashboard.
  9. Refresh your browser.

You can now add the CERT C Compliance dashboard and widgets. 

Adding the CERT C Compliance Dashboard

The CERT C dashboard template will be available after installing the Security Compliance Pack. If you do not see the dashboard template, restart DTP (see Stopping DTP Services and Starting DTP Applications).

  1. Click Add Dashboard in the DTP toolbar and specify a name when prompted. 
  2. (Optional) You can configure the default view for the dashboard by specifying the following information:
    1. Choose the filter associated with your project in the filter drop-down menu. A filter represents a set of run configurations that enable custom views of the data stored in DTP. See DTP Concepts for additional information.
    2. Specify a range of time from the Period menu. 
    3. Specify a range of builds from the Baseline Build and Target Build menus.  
    Image Removed
  3. Enable Create dashboard from a template and choose the SEI CERT C Compliance dashboard from the associated menu.
  4. Click Create to finish adding the dashboard.

If you have already executed C/C++test on your project using the SEI CERT C test configuration, most widgets will render data as soon as the dashboard is added. You can immediately begin working with the data to help you track your compliance goals (see Viewing CERT C Compliance Widgets). Additional steps, however, are necessary to use the Remediation Cost and Likelihood Score widgets, which rely on calculations executed by the KPI extension. See Enabling the CERT KPI Widgets for instructions.

Manually Adding the CERT C Widgets

You can manually add the CERT C widgets to an existing dashboard. See Adding Widgets for general instructions on how to add widgets to a dashboard. After deploying the artifact, widgets will appear in the SEI CERT category.

Image Removed


The following configurations are available:

Title: You can rename the widget in the Title field. This setting is available for all widgets.

Filter: Choose a specific filter or Dashboard Settings from the menu. See Configuring Filters for additional information. This setting is available for all widgets.

Target Build: Choose a specific build from the menu. The build selected for the entire dashboard is selected by default. See Using Build Administration for additional information about understanding builds. This setting is available for all widgets.

Type: This setting specifies which type of guideline you want to view in the widget. Choose either Rule, Recommendation, or All from the menu. See Background for additional information about guideline types. This setting is available for the following widgets:

  • CERT Compliance - Guidelines by Status
  • CERT Levels - Target
  • CERT Violations by Category - TreeMap

Level: This setting specifies which priority level you want to view in the widget. Choose either L1, L2, or L3 from the menu. See Background for additional information about guideline priorities. This setting is available for the following widgets:

  • CERT Compliance - Guidelines by Status
  • CERT Compliance - Percentage
  • CERT Violations by Category - TreeMap

Compliance Profile: Specify the compliance profile you want to use to view the data. In most cases, this should be the default profile shipped with the extension (see About the CERT Compliance Profile). This setting is available for all widgets.

Viewing CERT C Compliance Widgets

The following widgets are shipped with the CERT C Compliance DTP Workflow to help you achieve CERT C compliance goals.

CERT Compliance - Status

This widget provides an overview of the project's CERT compliance status.  

Image Added

By default, the widget shows Rules and Recommendations, as well as all priority levels. You can add multiple instances of the widget and configure different combinations to create robust views of the compliance status. Click on the widget to open the CERT C Compliance Report.

CERT Levels - Target

This widget provides an overview of the compliance status for each priority level in a tooltip for the target build. The tooltip also includes applicable deviations. Click on the widget to open the CERT C Compliance Report.

Image Added

CERT Compliance - Status by Level

The widget shows the overall compliance status, as well as the compliance status for each CERT C level. You can add multiple instances of the widget configured to use a different profile, for example, a profile with disabled guidelines, to view your current compliance status. Click on the widget to open the CERT C Compliance Report.

Image Added

The code can be compliant with deviations and violations that have been deemed acceptable. See Deviation Report for additional information about deviations.

Image Added Image Added

The status will be set to Not Compliant if Parasoft code analysis rules documented in your profile were not included in the specified build or if unacceptable violations have been reported. Make sure all rules are enabled in C/C++test and re-run analysis.

CERT Compliance - Percentage Widget

This widget shows the completeness of CERT compliance as a percentage. Completeness is based on the number of guidelines being enforced in the profile. Click on the widget to open the CERT C Compliance Report.

Image Added

CERT Compliance - Guidelines by Status

This widget shows the compliance status for a specific Rule or Recommendation per priority level. You can add multiple instances of the widget configured to different type/priority level combinations to help you understand your compliance status from different perspectives.

Image Added

The pie chart can represent up to four different guideline statuses for the selected category:

Green: Guidelines your code is in compliance with for the selected type and level.

Yellow: Guidelines that your code is deviating from but are still considered compliant. A deviation is when the guideline is not being followed according to the Parasoft static analysis rule but is considered acceptable because it does not affect the safety of the software. Deviations represent Parasoft static analysis rules that have been suppressed.

Orange: Guidelines that your code is considered compliant with, even though the static analysis rules that enforce them contain violations. Only Recommendations can have this status.

Red: Guidelines that your code is not compliant with.

You can perform the following actions:

  • Mouse over a pie slice to view details.
  • Click on a section to open the CERT C Compliance Report filtered by the type, priority, and compliance status.
  • Click on the number of violations counter to open the CERT C Compliance Report filtered by the type, priority, and compliance status.
  • Click on the number of deviations counter to open the Deviation Report filtered by the type and priority.

CERT Violations by Category - TreeMap Widget

This widget provides a representation of the highest concentration of static analysis violations per type and priority level. Tiles are color-coded according to the priority level:

  • Red tiles represent L1 violations.
  • Yellow tiles represent L2 violations. 
  • Green tiles represent L3 violations.

The Parasoft rule(s) enforcing compliance with the guidelines are also presented. Tiles are proportional to the number of static analysis violations reported for each rule. 

Image Added  

The widget uses the hierarchy established in the model profile to correlate Parasoft rules with CERT rules, recommendations, and priorities. You can mouse over a tile in the widget to view the number of violations associated with each rule/guideline/category.

Click on a rule to see the violation in the Violations Explorer.

CERT Compliance by Priority

This widget is an implementation of the standard Compliance By Category widget shipped with DTP. It shows the number and percentage of rules in compliance grouped by rule categories.

Image Added

Click on an entry in the table to open the Violations by Compliance Category report.

Top 5 CERT Categories

This widget is an implementation of the standard Categories - Top 5 Table Compliance widget shipped with DTP. It shows the five CERT guideline categories with the most violations.

Image Added

Click on a link in the Name column or the more... link to open the Violations by Compliance Category report.

Top 5 CERT Guidelines 

This widget is an implementation of the standard Categories - Top 5 Table widget shipped with DTP. It shows the five CERT guidelines with the most violations.

Image Added

Click on a link in the Name column or the more... link to open the Violations by Compliance Category report.

CERT Analysis Compliance

This widget is an implementation of the standard Rules in Compliance - Summary widget shipped with DTP. This widget shows the following information:

  • How many static analysis rules for the selected compliance standard were enabled during code analysis.
  • How many violations were reported.
  • The overall percentage of rules that did not report violations.
  • The change in number of violations from the baseline build to the target build as a percentage (if applicable).

Image Added

Click on the widget to open the Violations by Compliance Category report.

Viewing CERT C Compliance Reports

The CERT Compliance Report provides an overview of your CERT compliance status and serves as the primary document for demonstrating compliance.

Image Added

You can perform the following actions:

  • Use the menus to sort by the following criteria:
    • Guideline type: Rule, Recommendation, or All 
    • Priority level: L1, L2, L3, or All
    • Compliance status: All, No Rules Enabled, Compliant, Compliant With Deviations, Compliant With Violations, Not Compliant, Missing Rule(s) in Analysis
  • Click on a guideline link in the Guideline column to open the Conformance Enforcement Plan. The link goes directly to the specific guideline so that you can review the Parasoft code analysis rule or rules enforcing the guideline. 
  • Click a link in the # of Violations column to view the violations in the Violations Explorer.
  • Click a link in the # of Deviations column to view the suppressed violations in the Violations Explorer.
  • Open one of the CERT Compliance sub-reports.
  • Click Download PDF to download a printer-friendly PDF version of the report data. If you added a custom graphic to DTP as described in Adding a Custom Graphic to the Navigation Bar, the PDF will also be branded with the graphic. 

The CERT Compliance Report contains four supporting reports:


Conformance Testing Plan

The Conformance Testing Plan cross-references CERT guidelines with Parasoft static analysis rules using the data specified in the compliance profile. You can change the severity, likelihood, remediation cost, and other values to meet your project goals by configuring the profile.

Image Added

Deviation Report 

Your code can contain violations and still be CERT-compliant as long as the deviations from the standard are documented and the safety of the software is unaffected. Deviations are code analysis rules that have been suppressed either directly in the code or in the DTP Violations Explorer. See the C/C++test documentation for details on suppressing violations in the code. See Suppressing Violations in the Violations Explorer documentation for information about suppressing violations in DTP.

Click the Deviation Report link in the CERT Compliance Report to open the Deviation Report. 

Image Added

The Deviation Report shows all guideline IDs and headers, but guidelines whose violations have been suppressed will show additional information. You can perform the following actions:

  1. Filter the report by type (Rule, Recommendation, All).
  2. Filter the report by level (L1, L2, L3).
  3. Enable Only Deviations to only show deviations.
  4. Enable Hide Modification History to exclude the modification history for deviations.

Build Audit Report

The Build Audit Report is native functionality in DTP. It shows an overview of code analysis violations, as well as test results and coverage information, associated with the build. This report also allows you to download an archive of the data, which is an artifact you can use to demonstrate compliance with CERT during a regulatory audit.

Image Added

In order to download an archive, the build has to be locked. See Build Audit Report for additional details about this report.  

Profiles

The Security Compliance Pack includes a profile associated with the core CERT C workflow.

About the CERT Compliance Profile

The CERT C Compliance DTP Workflow ships with a default profile that includes information necessary for generating CERT compliance reports. The default profile shows the correlation between CERT guidelines and Parasoft code analysis rules and is suitable for most normal use cases.

Warning: Do not modify the CERT profile

We strongly advise against altering the default CERT C profile because doing so will affect any reports you may need to generate for auditing purposes.

 Image Added

If necessary, you can make a copy of the default profile and adjust the correlation between Parasoft code analysis rules and CERT C guidelines to achieve your software quality and compliance goals:

  1. Open Extension Designer and click the Model Profile tab.
  2. Expand the CERT Compliance model and choose the SEI CERT C 2018 profile. 

...

The Remediation Cost and Likelihood Score widgets are instances of the native Metrics - Summary DTP widget configured to present CERT-specific metrics data. When invoked, the KPI extension performs custom calculations according to the SEI CERT C Remediation Cost and SEI CERT C Likelihood KPI profiles and reports the processed data in the widgets. 

The build must have static analysis and metrics analysis data for the KPI extension to perform the calculation. Be sure that C/C++test has been executed with the Metrics and SEI CERT C Guidelines test configurations under the same build ID. The metrics analysis must also include data for the Logical Lines of Code metric (metricId METRIC.NOLLOCIF). The guidelines test configuration will run analysis that provides violations for both rules and recommendations. You can also run the SEI CERT C Rules test configuration if you do not need to gather data for recommendations. Refer to the C/C++test documentation for details about setting the build ID and executing the Metrics test configuration.

  1. Choose Extension Designer from the DTP settings (gear icon) menu and click the Services tab. 
  2. Choose a service category and a service for the extension. We recommend deploying the KPI extension to the DTP Workflows category.
  3. Open the vertical ellipses menu and choose Import > Local > Flows > Workflows > Security > Key Performance Indicator.
  4. Click anywhere in the space to drop the flow into the service tab and click Deploy.
  5. Click on the compliance category (DTP Workflows) and expand your service to expose the available endpoints.
    Image Removed
  6. Expand the Key Performance Indicator section and copy the endpoint. 
    Image Removed
  7. Send a REST request to the endpoint along with the required parameters. For example, you can open the URL in a browser, send it with a cURL command, or call it from a script. The following table describes the required parameters:

...

The filter ID for the project that the calculations will be performed on. You can quickly get the filter ID from the URL of your dashboard.

Image Removed 

You can also get the filter ID from the Filters settings in DTP administration (see Configuring Filters).

...

The build for which the calculations will be performed. If no build ID is provided, this parameter defaults to the latest build.

You can get the build ID from the dashboard URL. The build ID is also shown in several widgets that appear in the CERT C Dashboard template, for example:
Image Removed 

Example API Call URL:

http://framemaker:8314/categories/5ae39f928550880f5026fc80?filterId=3&profile=SEI%20CERT%20C%20Likelihood

Example of Successful Response:

{
  "success": {
    "title": "KPI",
    "message": "Calculation has started for filter 'docs' using profile 'SEI CERT C Likelihood'. Check debug output for any errors during calculation."
  }
}

Metrics-related calculations are long-running processes and may take several minutes to execute depending on how much data you have to process. After the calculation completes, add the widgets to your dashboard to view the data. The KPI extension only needs to be deployed once, but you must invoke the API separately for each profile, such as SEI CERT C Likelihood and SEI CERT C Remediation Cost.
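The request sequence described above, as an added Python example that is not part of the Parasoft documentation or of the KPI extension itself: it builds the request URL from the filterId and profile parameters shown in the example call, sends one request per profile (the extension must be invoked separately for each), and checks the JSON acknowledgement. The host framemaker:8314 and the category id are copied from the example URL above and stand in for your own endpoint; the shape of a non-success response is an assumption, and the build parameter is left out so that DTP falls back to its documented default, the latest build. The fake server at the bottom is constructed so the flow can be exercised offline.

```python
"""Trigger the DTP Key Performance Indicator (KPI) calculation for each
CERT C profile and parse the JSON acknowledgement.

Example code added to this page; not Parasoft's own code. Endpoint and the
filterId/profile query parameters come from the documented example call;
the failure-response shape (no "success" key) is an assumption.
"""
import json
import urllib.parse
import urllib.request

# Each KPI profile needs its own request.
KPI_PROFILES = ("SEI CERT C Likelihood", "SEI CERT C Remediation Cost")

# Endpoint as copied from the Extension Designer service page. Host and
# category id are placeholders taken from the documented example URL.
KPI_ENDPOINT = "http://framemaker:8314/categories/5ae39f928550880f5026fc80"


def build_kpi_url(endpoint, filter_id, profile):
    """Return the request URL for one profile.

    The build parameter is deliberately omitted so DTP calculates against
    the latest build (documented default). Spaces are encoded as %20, as in
    the documented example, rather than as '+'.
    """
    query = urllib.parse.urlencode(
        {"filterId": str(filter_id), "profile": profile},
        quote_via=urllib.parse.quote,
    )
    return f"{endpoint}?{query}"


def parse_kpi_response(body):
    """Return (started, message) from the JSON acknowledgement.

    Documented success shape: {"success": {"title": ..., "message": ...}}.
    Anything else is reported as 'not started' (assumption: errors arrive
    without a "success" key).
    """
    try:
        data = json.loads(body)
    except ValueError:
        return False, f"non-JSON response: {body[:80]!r}"
    success = data.get("success") if isinstance(data, dict) else None
    if isinstance(success, dict) and "message" in success:
        return True, success["message"]
    return False, f"unexpected response: {data!r}"


def trigger_kpi(filter_id, endpoint=KPI_ENDPOINT, profiles=KPI_PROFILES,
                opener=urllib.request.urlopen):
    """Send one request per profile; return {profile: (started, message)}.

    `opener` is injectable so the flow can be exercised without a DTP server.
    """
    results = {}
    for profile in profiles:
        url = build_kpi_url(endpoint, filter_id, profile)
        with opener(url, timeout=30) as resp:
            body = resp.read().decode("utf-8")
        results[profile] = parse_kpi_response(body)
    return results


# --- offline demonstration against a constructed fake server ---------------
class _FakeResponse:
    """Minimal stand-in for the object urlopen() returns."""
    def __init__(self, body):
        self._body = body
    def read(self):
        return self._body
    def __enter__(self):
        return self
    def __exit__(self, *exc):
        return False


def _fake_opener(url, timeout=None):
    """Constructed responses: the documented acknowledgement for a known
    profile, and an assumed error shape for an unknown one."""
    params = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    profile = params.get("profile", [""])[0]
    if profile in KPI_PROFILES:
        message = (f"Calculation has started for filter 'docs' using profile "
                   f"'{profile}'. Check debug output for any errors during calculation.")
        body = json.dumps({"success": {"title": "KPI", "message": message}})
    else:
        body = json.dumps({"error": {"title": "KPI", "message": "unknown profile"}})
    return _FakeResponse(body.encode("utf-8"))


def demo():
    """Run both documented profiles plus a bogus one against the fake server."""
    return trigger_kpi(3, profiles=KPI_PROFILES + ("Bogus Profile",),
                       opener=_fake_opener)


if __name__ == "__main__":
    for profile, (started, message) in demo().items():
        print(f"{'started' if started else 'FAILED '}  {profile}: {message}")
```

Against a real DTP instance, call trigger_kpi(filter_id) with the filter ID read from your dashboard URL and KPI_ENDPOINT replaced by the endpoint copied in step 6; the acknowledgement only confirms that the calculation has started, so the widgets still need the several minutes mentioned above before they show data.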

Image Removed

For additional views of the metrics, you can manually add instances of the native Metrics - Summary DTP widget to your dashboard and configure them to use the SEI CERT C Likelihood and SEI CERT C Remediation Cost metrics, as well as set the aggregation value.

Image Removed

You can click on a widget to open the Single Metric Overview Report.

...

The following widgets are shipped with the CERT C Compliance DTP Workflow to help you achieve CERT C compliance goals.

CERT Compliance - Status

This widget provides an overview of the project's CERT compliance status.  

Image Removed

By default, the widget shows Rules and Recommendations, as well as all priority levels. You can add multiple instances of the widget and configure different combinations to create robust views of the compliance status. Click on the widget to open the CERT C Compliance Report

CERT Levels - Target

This widget provides an overview of the compliance status for each priority level in a tooltip for the target build. The tooltip also includes applicable deviations. Click on the widget to open the CERT C Compliance Report

Image Removed

CERT Compliance - Status by Level

The widget shows the overall compliance status, as well as the compliance status for each CERT C level. You can add multiple instances of the widget configured to use a different profile, for example, a profile with disabled guidelines, to view your current compliance status. Click on the widget to open the CERT C Compliance Report

Image Removed

The code can be compliant with deviations and violations that have been deemed acceptable. See Deviation Report for additional information about deviations.

Image Removed Image Removed

The status will be set to Not Compliant if Parasoft code analysis rules documented in your profile were not included in the specified build or if unacceptable violations have been reported. Make sure all rules are enabled in C/C++test and re-run analysis.

CERT Compliance - Percentage Widget

This widget shows the completeness of CERT compliance as a percentage. Completeness is based on the number of guidelines being enforced in the profileClick on the widget to open the CERT C Compliance Report.

Image Removed

CERT Compliance - Guidelines by Status

This widget shows the compliance status for a specific Rule or Recommendation per priority level. You can add multiple instances of the widget configured to different type/priority level combinations to help you understand your compliance status from different perspectives.

Image Removed

The pie chart can represent up to four different guideline statuses for the selected category:

Scroll Table Layout
widths30%,70%

...

Guidelines that your code is deviating from but are still considered compliant.

A deviation is when the guideline is not being followed according to the Parasoft static analysis rule but is considered acceptable because it does not affect the safety of the software. Deviations represent Parasoft static analysis rules that have been suppressed.

...

Guidelines that your code is considered compliant with, even though the static analysis rules that enforce them contain violations. Only Recommendations can have this status.

...

You can perform the following actions:

  • Mouse over a pie slice to view details.
  • Click on a section to open the CERT C Compliance Report filtered by the type, priority, and compliance status.
  • Click on the number of violations counter to open the CERT C Compliance Report filtered by the type, priority, and compliance status.
  • Click on the number of deviations counter to open the Deviation Report filtered by the type and priority.

CERT Violations by Category - TreeMap Widget

This widget provides a representation of the highest concentration of static analysis violations per type and priority level. Tiles are color-coded according to the priority level:

  • Red tiles represent L1 violations.
  • Yellow tiles represent L2 violations. 
  • Green tiles represent L3 violations.

The Parasoft rule(s) enforcing compliance with the guidelines are also presented. Tiles are proportional to the number of static analysis violations reported for each rule. 

Image Removed  

The widget uses the hierarchy established in the model profile to correlate Parasoft rules with CERT rules, recommendations, and priorities. You can mouse over a tile in the widget to view the number of violations associated with each rule/guideline/category.

Click on a rule to see the violation in the Violations Explorer.

CERT Compliance by Priority

This widget is an implementation of the standard Compliance By Category widget shipped with DTP. It shows the number and percentage of rules in compliance grouped by rule categories.

Image Removed

 Click on an entry in the table to open the Violations by Compliance Category report. 

Top 5 CERT Categories

This widget is an implementation of the standard Categories - Top 5 Table Compliance widget shipped with DTP. It shows the five CERT guideline categories with the most violations.

Image Removed

Click on a link in the Name column or the more... link to open the Violations by Compliance Category report.

Top 5 CERT Guidelines 

This widget is an implementation of the standard Categories - Top 5 Table widget shipped with DTP. It shows the five CERT guidelines with the most violations.

Image Removed

Click on a link in the Name column or the more... link to open the Violations by Compliance Category report.

CERT Analysis Compliance

This widget is an implementation of the standard Rules in Compliance - Summary widget shipped withe DTP. This widget shows the following information:

  • How many static analysis rules for the selected compliance standard were enabled during code analysis.
  • How many violations were reported.
  • The overall percentage of rules that did not report violations.
  • The change in number of violations from the baseline build to the target build as a percentage (if applicable).


Click on the widget to open the Violations by Compliance Category report.

...

The CERT Compliance Report provides an overview of your CERT compliance status and serves as the primary document for demonstrating compliance.


You can perform the following actions:

  • Use the menus to filter the report by the following criteria:
    • Guideline type: Rule, Recommendation, or All
    • Priority level: L1, L2, L3, or All
    • Compliance status: All, No Rules Enabled, Compliant, Compliant With Deviations, Compliant With Violations, Not Compliant, Missing Rule(s) in Analysis
  • Click on a guideline link in the Guideline column to open the Conformance Testing Plan. The link goes directly to the specific guideline so that you can review the Parasoft code analysis rule or rules enforcing the guideline.
  • Click a link in the # of Violations column to view the violations in the Violations Explorer.
  • Click a link in the # of Deviations column to view the suppressed violations in the Violations Explorer.
  • Open one of the CERT Compliance sub-reports.
  • Click Download PDF to download a printer-friendly PDF version of the report data. If you added a custom graphic to DTP as described in Adding a Custom Graphic to the Navigation Bar, the PDF will also be branded with the graphic. 

The CERT Compliance Report contains the following supporting reports:


Conformance Testing Plan

The Conformance Testing Plan cross-references CERT guidelines with Parasoft static analysis rules using the data specified in the compliance profile. You can change the severity, likelihood, remediation cost, and other values to meet your project goals by configuring the profile.


Deviation Report 

Your code can contain violations and still be CERT-compliant as long as each deviation from the standard is documented and the safety of the software is unaffected. Deviations are violations of code analysis rules that have been suppressed, either directly in the code or in the DTP Violations Explorer; the suppression should carry a justification, because that justification is what the Deviation Report presents to an auditor. See the C/C++test documentation for details on suppressing violations in the code. See Suppressing Violations in the Violations Explorer documentation for information about suppressing violations in DTP.
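The C function below is an added illustration of an in-code deviation; it is not code from the Parasoft documentation or from the Security Compliance Pack. It uses the C/C++test single-line suppression comment (`// parasoft-suppress <rule-id> "<reason>"`) to record why a specific violation is acceptable. The rule ID CERT_C-MSC30-a is an assumption standing in for the Parasoft rule mapped to CERT MSC30-C (do not use rand() where unpredictability matters); take the real ID for your guideline from the Conformance Testing Plan. The function itself is constructed for the example.

```c
/* Added example: a documented deviation in C/C++test suppression form.
 * Assumptions (not from the page): "CERT_C-MSC30-a" is a placeholder for
 * the Parasoft rule mapped to CERT MSC30-C; the backoff function is
 * constructed for illustration. */
#include <stdlib.h>

#define BACKOFF_BASE_MS   100u
#define BACKOFF_MAX_SHIFT 6u
#define BACKOFF_JITTER_MS 50u

/* Retry delay for the given attempt: exponential base plus jitter.
 * The jitter only spreads retries out in time; nothing relies on it
 * being unpredictable, so a CSPRNG is not required here. That reasoning
 * is exactly what the suppression comment must record: the violation
 * then appears in the Deviation Report with its justification instead
 * of counting against compliance. */
unsigned backoff_ms(unsigned attempt)
{
    unsigned shift = attempt > BACKOFF_MAX_SHIFT ? BACKOFF_MAX_SHIFT : attempt;
    unsigned base = BACKOFF_BASE_MS << shift;
    unsigned jitter = (unsigned)rand() % BACKOFF_JITTER_MS; // parasoft-suppress CERT_C-MSC30-a "retry jitter is not security sensitive; unpredictability is not required"
    return base + jitter;
}
```

The same suppression form must not be used to silence a genuine finding: a session token, nonce or key derived from rand() is not a deviation, it is a defect, and the fix is to use the platform CSPRNG. A reviewer reading the Deviation Report should be able to tell the two cases apart from the justification string alone, so write the reason as the safety argument, not as "false positive".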

Click the Deviation Report link in the CERT Compliance Report to open the Deviation Report.


The Deviation Report lists all guideline IDs and headers; guidelines with suppressed violations show additional information about each deviation. You can perform the following actions:

  1. Filter the report by type (Rule, Recommendation, All).
  2. Filter the report by level (L1, L2, L3).
  3. Enable Only Deviations to only show deviations.
  4. Enable Hide Modification History to exclude the modification history for deviations.

Build Audit Report

The Build Audit Report is native functionality in DTP. It shows an overview of code analysis violations, as well as test results and coverage information, associated with the build. This report also allows you to download an archive of the data, which is an artifact you can use to demonstrate compliance with CERT during a regulatory audit.


In order to download an archive, the build has to be locked. See Build Audit Report for additional details about this report.

Profiles

The Security Compliance Pack includes a profile associated with the core CERT C workflow and a set of profiles associated with calculating the SEI CERT C Remediation Cost and SEI CERT C Likelihood KPI metrics. See Working with Model Profiles for additional information about profiles.

...

The CERT C Compliance DTP Workflow ships with a default profile that includes information necessary for generating CERT compliance reports. The default profile shows the correlation between CERT guidelines and Parasoft code analysis rules and is suitable for most normal use cases.

Warning
titleDo not modify the CERT profile

We strongly advise against altering the default CERT C profile because doing so will affect any reports you may need to generate for auditing purposes.


If necessary, you can make a copy of the default profile and adjust the correlation between Parasoft code analysis rules and CERT C guidelines to achieve your software quality and compliance goals:

  1. Open Extension Designer and click the Model Profile tab.
  2. Expand the CERT Compliance model and choose the SEI CERT C 2018 profile.
  3. Click Export Profile to download a copy.
  4. Click Add Profile and enter a name.
  5. Click Confirm to create an empty profile.
  6. Rename the copy of the default profile you exported and click Import Profile.
  7. Browse for the copy and confirm to upload.
  8. Click Edit and make your adjustments. 
  9. Click Save.

CERT C KPI Profiles

The KPI artifact shipped with the Security Compliance Pack includes the SEI CERT C Likelihood and SEI CERT C Remediation Cost profiles. The profiles assign weights to the metrics analysis rules in order to calculate a KPI value for the build.


The default profiles are suitable for most normal usage, but you can adjust the weights for each metrics rule if necessary:

  1. Open Extension Designer and click the Model Profile tab.
  2. Expand the KPI model and choose either the SEI CERT C Likelihood or the SEI CERT C Remediation Cost profile.
  3. Click Export Profile to download a copy.
  4. Click Add Profile and enter a name.
  5. Click Confirm to create an empty profile.
  6. Rename the copy of the default profile you exported and click Import Profile.
  7. Browse for the copy and confirm to upload.
  8. Click Edit and make your adjustments.
  9. Click Save.