Comment: Published by Scroll Versions from space DTPDEVEL and version 2024.1

...


Why use ... CVE Match?

Given a large (or even small) number of violations for the same rule with the same severity, how can developers know which violations to prioritize first, and which ones deserve closer attention? How can they avoid inadvertently missing a critical security issue while working through a set of violations?

DTP can recommend a vulnerability probability CVE match associated with a violation to help developers answer these questions.

What is ... CVE Match?

Vulnerability probability CVE match is a measure (between 0% and 100%) that quantifies the similarity between the source code of the method containing the violation and source code with known security vulnerabilities. The higher the probability, the higher the likelihood that the method containing the violation contains a security vulnerability.

Vulnerability probability CVE match can be calculated only for violations that are found within a method (or function body). It is not available if the violation is found outside of a method.

To calculate vulnerability probability CVE match, a model was trained on code samples containing CVEs. For the Java model, over 400 CVEs are covered, representing 88 different CWEs including, but not limited to, the 18 most common CWEs:

...

The diagram below illustrates how DTP, the Vulnerability Probability CVE Match model, and OpenAI API work together.
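The following is an added illustration of the idea described above, not Parasoft's model or DTP code: a violation's enclosing method is embedded, the embedding is compared against embeddings of known-vulnerable samples, and the best similarity is reported as a 0-100% score that can be used to order violations. The page does not disclose the model's internals, so nearest-neighbour cosine similarity is an assumption, the vectors are constructed stand-ins for OpenAI embeddings, and the CVE ids are placeholders.

```python
import math
from typing import Optional, Sequence

# Constructed 4-dimensional stand-ins for real embeddings (OpenAI embeddings
# have hundreds of dimensions); ids are placeholders, not real CVE numbers.
CVE_SAMPLE_EMBEDDINGS = {
    "CVE-PLACEHOLDER-SQLI": [0.9, 0.1, 0.0, 0.2],
    "CVE-PLACEHOLDER-PATH": [0.1, 0.8, 0.3, 0.0],
    "CVE-PLACEHOLDER-DESER": [0.0, 0.2, 0.9, 0.1],
}

def cosine_similarity(a: Sequence[float], b: Sequence[float]) -> float:
    """Cosine of the angle between two embedding vectors, in [-1, 1]."""
    dot = sum(x * y for x, y in zip(a, b))
    norm_a = math.sqrt(sum(x * x for x in a))
    norm_b = math.sqrt(sum(y * y for y in b))
    if norm_a == 0.0 or norm_b == 0.0:
        return 0.0
    return dot / (norm_a * norm_b)

def cve_match(method_embedding: Optional[Sequence[float]],
              corpus: dict) -> Optional[tuple]:
    """Return (closest known-vulnerable sample, probability 0-100) for the
    embedding of the method containing a violation, or None when the
    violation lies outside any method (there is no method body to embed)."""
    if method_embedding is None:
        return None
    best_id, best_sim = None, -1.0
    for cve_id, vec in corpus.items():
        sim = cosine_similarity(method_embedding, vec)
        if sim > best_sim:
            best_id, best_sim = cve_id, sim
    # Negative similarity means "nothing alike"; clamp, then scale to percent.
    return best_id, round(max(0.0, best_sim) * 100.0, 1)

def prioritize(violations: dict, corpus: dict) -> list:
    """Order violations so those whose method most resembles known-vulnerable
    code come first; violations outside a method (no match possible) go last.
    Each entry is (violation id, probability or -1.0, matched sample or None)."""
    scored = []
    for vid, emb in violations.items():
        m = cve_match(emb, corpus)
        scored.append((vid, m[1] if m else -1.0, m[0] if m else None))
    scored.sort(key=lambda t: t[1], reverse=True)
    return scored
```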

Supported Tools

Vulnerability Probability CVE match can be calculated for static analysis violations from Jtest only. C/C++test and dotTEST are currently not supported.

Prerequisites

OpenAI Settings

OpenAI settings must be configured in order to calculate Vulnerability Probability CVE match for violations. See Using DTP with OpenAI for more information.

Source Code View Configuration

DTP must be configured to display source code in the Violations Explorer. See Source Code View Configuration Overview for more information.

Jtest

In order to calculate Vulnerability Probability CVE match for Jtest violations, one of the following conditions must be met:

  1. Jtest is configured to send advanced metadata to DTP for machine learning. This setting is disabled by default, but it can be enabled under the Advanced Settings on the Static Analysis Settings tab in your Jtest test configurations. See the Jtest documentation at https://docs.parasoft.com/ for more information.
  2. Metrics analysis is run in addition to static analysis and both reports are sent to DTP. During the metrics analysis, one of the following metrics must be enabled:
    • METRIC.CLLOCRIM
    • METRIC.NOBLIM
    • METRIC.NOCLIM
    • METRIC.NOLLOCIM
    • METRIC.NOMCIM
    • METRIC.NOPAR
    • METRIC.NOPLIM
    • METRIC.NORET
    • METRIC.NOSLIM

Operating System Requirements

Older Linux operating systems (CentOS 7.x and older) might be missing some libraries that are needed by the vulnerability probability CVE Match model. In these situations, when you try to calculate the vulnerability probability CVE Match you might see the error message "The Vulnerability Probability CVE Match model is not loaded. See logs for more information." Check the logs for details about the missing library. Note: the error is raised when the first missing library is encountered, so if multiple libraries are missing you might see this error multiple times, once per library.

Microsoft Visual C++ Redistributable package (2019 or higher) is required by the Vulnerability Probability CVE Match model on Windows. Unless you have disabled Windows updates, this package should already be installed on your system.

Calculating ... CVE Match

To calculate the vulnerability probability CVE match for a violation, select it in the Violations Explorer and click Get Recommendations on the Prioritizations tab.

If the prerequisite conditions have been met, the vulnerability probability CVE match will be added to the Recommendations section. If one or more prerequisite conditions have not been met, there will be an info icon to the left of the Recommendations label that you can hover over for details.

Note: The OpenAI embeddings API is called when calculating the vulnerability probability CVE match for a violation. Since each API call incurs a cost, DTP 2024.1 only allows calculating vulnerability probability CVE match for one violation at a time.

...