Comment: Published by Scroll Versions from space DTPDEVEL and version 2024.2

...


Why

...

Use CVE Match?

Given a large (or even small) number of violations for the same rule with the same severity, how can developers know which violations to prioritize first? Which violations deserve more or deeper attention? How can developers avoid inadvertently missing a critical security issue while working through a set of violations?

DTP can recommend a CVE match associated with a violation to assist developers when facing the above questions.

What is CVE Match?

CVE match is a measure (between 0% and 100%) that quantifies the similarity between the source code of the method containing the violation and source code with known security vulnerabilities. The higher the CVE match, the higher the likelihood that the method containing the violation contains a security vulnerability.

...

The diagram below illustrates how DTP, the CVE Match model, and OpenAI API work together.

Attribution

The model was trained using data sourced from the National Vulnerability Database provided by the National Institute of Standards and Technology, along with source code samples extracted from public repositories on GitHub.

This product uses data from the NVD API but is not endorsed or certified by the NVD.

Supported Tools

CVE match can be calculated for static analysis violations from Jtest only. C/C++test and dotTEST are currently not supported.

Prerequisites

OpenAI Settings

OpenAI settings must be configured in order to calculate CVE match for violations. See Using DTP with OpenAI for more information.

Source Code View Configuration

DTP must be configured to display source code in the Violations Explorer. See Source Code View Configuration Overview for more information.

Jtest

In order to calculate CVE match for Jtest violations, one of the following conditions must be met:

  1. Jtest is configured to send advanced metadata to DTP for machine learning. This setting is disabled by default, but it can be enabled under the Advanced Settings on the Static Analysis Settings tab in your Jtest test configurations. See the Jtest documentation at https://docs.parasoft.com/ for more information.
  2. Metrics analysis is run in addition to static analysis and both reports are sent to DTP. During the metrics analysis, one of the following metrics must be enabled:
    • METRIC.CLLOCRIM
    • METRIC.NOBLIM
    • METRIC.NOCLIM
    • METRIC.NOLLOCIM
    • METRIC.NOMCIM
    • METRIC.NOPAR
    • METRIC.NOPLIM
    • METRIC.NORET
    • METRIC.NOSLIM

Operating System Requirements

Older Linux operating systems (CentOS 7.x and older) might be missing some libraries that are needed by the CVE Match model. In these situations, when you try to calculate the CVE Match you might see the error message "The CVE Match model is not loaded. See logs for more information." Check the logs to identify the missing library. Note: the error is raised when the first missing library is encountered, so if multiple libraries are missing, you might see this error several times, once per missing library.

Microsoft Visual C++ Redistributable package (2019 or higher) is required by the CVE Match model on Windows. Unless you have disabled Windows updates, this package should already be installed on your system.

Calculating CVE Match

To calculate the CVE match for a violation, select it in the Violations Explorer and click Get Recommendations on the Prioritizations tab.

...