Comment: Published by Scroll Versions from space DTPDEVEL and version 2024.2

...


Background

The CERT Oracle Coding Standard for Java was developed by the CERT Coordination Center to improve the safety, reliability, and security of software systems. CERT coding standards consist of "rules" and "recommendations" and are organized into a set of categories. Rules provide code requirements for adhering to the standard, whereas recommendations are intended to provide guidance that improves the safety, reliability, and security of software systems.

...

See https://wiki.sei.cmu.edu/confluence/display/java/SEI+CERT+Oracle+Coding+Standard+for+Java to learn more about the standard.

Prerequisites

Jtest with the Flow Analysis license feature enabled. See Security Compliance Pack for additional information.

Process Overview

  1. Install the Security Compliance Pack into DTP Extension Designer.
  2. Deploy the CERT for Java Compliance artifact into your DTP environment. This also deploys the CERT for Java Compliance extension assets.
  3. Analyze code with Jtest using the CERT for Java test configuration and report violations to DTP. You can configure Jtest to use the local test configuration or the test configuration shipped with the Security Compliance Pack. The test configuration and the rulemap.xml file configure the analysis rules so that violations are reported according to CERT for Java guidelines.
  4. Add the CERT for Java Compliance dashboard and widgets to your DTP interface. The dashboard widgets show the reported violations within the context of CERT for Java guidelines.
  5. Interact with the widgets and reports to identify code that needs to be fixed, and print the reports for auditing purposes.
Note: Achieving 100% Compliance

CERT for Java is currently a work in progress and includes guidelines that are incomplete and/or subject to change. As a result, DTP will report 100% compliance against only those guidelines that are mapped to a Parasoft static analysis rule.

CERT for Java Compliance Extension Assets

The Parasoft CERT for Java Compliance extension helps you create the documentation required for demonstrating compliance with CERT for Java. The following artifacts are included in the package.

...

This file describes the contents of the extension.

Deploying the CERT for Java Compliance Assets

The CERT for Java Compliance files are installed as part of the Security Compliance Pack (see Installation for instructions). After installing the artifact, you must deploy the assets to your DTP environment. 

...

You can now add the CERT for Java Compliance dashboard and widgets. 

Adding the CERT for Java Compliance Dashboard

The CERT for Java dashboard template will be available after installing the Security Compliance Pack. If you do not see the dashboard template, restart DTP (see Stopping DTP Services and Starting DTP Applications).

...

If you have already executed Jtest on your project using the CERT for Java test configuration, most widgets will render data as soon as the dashboard is added. You can immediately begin using these widgets and working with the data to help you track your compliance goals (see CERT for Java Compliance Widgets).

Manually Adding the CERT for Java Widgets

You can manually add the CERT for Java widgets to an existing dashboard. See Adding Widgets for general instructions on how to add widgets to a dashboard. After deploying the artifact, widgets will appear in the SEI CERT category.  

...

Title: You can rename the widget in the Title field. This setting is available for all widgets.

Filter: Choose a specific filter or Dashboard Settings from the menu. See Configuring Filters for additional information. This setting is available for all widgets.

Target Build: Choose a specific build from the menu. The build selected for the entire dashboard is selected by default. See Using Build Administration for additional information about builds. This setting is available for all widgets.

Type: This setting specifies which type of guideline you want to view in the widget. Choose Rule, Recommendation, or All from the menu. See Background for additional information about guideline types. This setting is available for the following widgets:

  • CERT Compliance - Guidelines by Status
  • CERT Levels - Target
  • CERT Violations by Category - TreeMap

Level: This setting specifies which priority level you want to view in the widget. Choose L1, L2, or L3 from the menu. See Background for additional information about guideline priorities. This setting is available for the following widgets:

  • CERT Compliance - Guidelines by Status
  • CERT Compliance - Percentage
  • CERT Violations by Category - TreeMap

Compliance Profile: Specify the compliance profile you want to use to view the data. In most cases, this should be the default profile shipped with the extension (see CERT for Java Compliance Profile). This setting is available for all widgets.

CERT for Java Compliance Widgets

The following widgets are shipped with the CERT for Java Compliance DTP Workflow to help you achieve CERT for Java Compliance goals.

CERT Compliance - Status

This widget provides an overview of the project's CERT compliance status.

...

By default, the widget shows Rules and Recommendations, as well as all priority levels. You can add multiple instances of the widget and configure different combinations to create robust views of the compliance status. Click on the widget to open the CERT for Java Compliance Report.

CERT Levels - Target

This widget shows the highest concentration of static analysis violations per CERT category. It provides an overview of the compliance status, as well as applicable deviations, in the tooltip. Click on the widget to open the CERT for Java Compliance Report.

CERT Compliance - Status

The widget shows the overall compliance status, as well as the compliance status for each CERT level. You can add multiple instances of the widget configured to use a different profile, for example, a profile with disabled guidelines, to view your current compliance status. Click on the widget to open the CERT for Java Compliance Report.

...

The status will be set to Not Compliant if Parasoft code analysis rules documented in your profile were not included in the specified build or if unacceptable violations have been reported. Make sure all rules are enabled in Jtest and re-run analysis.

CERT Compliance - Percentage Widget

This widget shows the completeness of CERT compliance as a percentage. Completeness is based on the number of guidelines being enforced in the profile. The CERT for Java dashboard includes three instances of this widget, one for each level. Click on the widget to open the CERT for Java Compliance Report.

CERT Compliance - Guidelines by Status

This widget shows the compliance status for a specific Rule or Recommendation per priority level.

...

  • Mouse over a pie slice to view details.
  • Click on a section to open the CERT for Java Compliance Report filtered by the type, priority, and compliance status.
  • Click on the number of violations counter to open the CERT for Java Compliance Report filtered by the type, priority, and compliance status.
  • Click on the number of deviations counter to open the Deviation Report filtered by the type and priority.

CERT Violations by Category - TreeMap Widget

This widget provides a representation of the highest concentration of static analysis violations per type and priority level. Tiles are color-coded according to the priority level:

...

Click on a rule to see the violation in the Violations Explorer.

CERT Compliance by Priority

This widget is an implementation of the standard Compliance By Category widget shipped with DTP. It shows the number and percentage of rules in compliance grouped by rule categories.

...

Click on an entry in the table to open the Violations by Compliance Category report.

Top 5 CERT Categories

This widget is an implementation of the standard Categories - Top 5 Table widget shipped with DTP. It shows the five CERT guideline categories with the most violations.

...

Click on a link in the Name column or the more... link to open the Violations by Compliance Category report.

Top 5 CERT Guidelines

This widget is an implementation of the standard Categories - Top 5 Table widget shipped with DTP. It shows the five CERT guidelines with the most violations.

...

Click on a link in the Name column or the more... link to open the Violations by Compliance Category report.

CERT Analysis Compliance

This widget is an implementation of the standard Rules in Compliance - Summary widget shipped with DTP. This widget shows the following information:

...

Click on the widget to open the Violations by Compliance Category report.

CERT for Java Compliance Reports

The CERT Compliance Report provides an overview of your CERT compliance status and serves as the primary document for demonstrating compliance.

...

The CERT Compliance Report contains the following supporting reports:


Conformance Testing Plan

The Conformance Testing Plan cross-references CERT guidelines with Parasoft static analysis rules using the data specified in the compliance profile. You can change the severity, likelihood, remediation cost, and other values to meet your project goals by configuring the profile. Click on a guideline to view the CERT documentation on the CERT website.

Deviation Report 

Your code can contain violations and still be CERT-compliant as long as the deviations from the standard are documented and the safety of the software is unaffected. Deviations are code analysis rule violations that have been suppressed, either directly in the code or in the DTP Violations Explorer. See the Jtest documentation for details on suppressing violations in the code. See Suppressing Violations in the Violations Explorer documentation for information about suppressing violations in DTP.
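The following is an added example, not code from Parasoft or from the CERT standard itself, illustrating the rule/recommendation distinction described under Background and the in-source deviation described above. It uses the real CERT guideline OBJ05-J (do not return references to private mutable class members) in its non-compliant and compliant forms, then a case where the violation is kept on purpose and documented with a suppression comment. Assumptions: the class and method names are constructed for this example; the Parasoft rule ID is shown as the placeholder RULE.ID and must be replaced with the rule that rulemap.xml maps to this guideline; the `// parasoft-suppress` comment form and its placement on the violating line are taken from Jtest's source-level suppression syntax and should be checked against the Jtest documentation for your version.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

// Added example (not Parasoft/CERT code). Shows an OBJ05-J violation, its
// compliant form, and a documented in-source deviation that will surface in
// the DTP Deviation Report rather than counting as an open violation.
public final class DeviationExample {

    // Non-compliant (OBJ05-J): returns the private mutable list itself, so any
    // caller can clear or rewrite the audit trail behind the owner's back.
    static final class LeakyAccount {
        private final List<String> audit = new ArrayList<>();

        void record(String entry) {
            audit.add(entry);
        }

        List<String> getAudit() {
            return audit; // violation: reference to private mutable member escapes
        }
    }

    // Compliant: hand out a read-only view; the invariant stays with the owner.
    static final class SafeAccount {
        private final List<String> audit = new ArrayList<>();

        void record(String entry) {
            audit.add(entry);
        }

        List<String> getAudit() {
            return Collections.unmodifiableList(audit);
        }
    }

    // Documented deviation: the violation is intentional. The suppression comment
    // (RULE.ID is a placeholder for the mapped Parasoft rule) keeps the finding
    // out of the compliance count and records the justification an auditor reads.
    static final class ScratchBuffer {
        private final byte[] buf = new byte[4096];

        byte[] raw() {
            return buf; // parasoft-suppress RULE.ID "Hot-path buffer shared with the package-private codec by design; no caller retains the reference beyond one call"
        }
    }

    public static void main(String[] args) {
        LeakyAccount leaky = new LeakyAccount();
        leaky.record("login");
        leaky.getAudit().clear(); // caller silently destroys the audit trail
        System.out.println("leaky entries after external clear: " + leaky.getAudit().size());

        SafeAccount safe = new SafeAccount();
        safe.record("login");
        try {
            safe.getAudit().clear();
        } catch (UnsupportedOperationException e) {
            System.out.println("safe view rejected external clear");
        }
        System.out.println("safe entries after attempted clear: " + safe.getAudit().size());
    }
}
```

The justification string is the part that matters for the audit: the Deviation Report lists suppressed guidelines with this text, so write it as the reason the deviation does not affect safety, not as a restatement of what the code does.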

Click the Deviation Report link in the CERT Compliance Report to open the Deviation Report.  

The Deviation Report shows all guideline IDs and headers, but guidelines that have been suppressed will show additional information. You can perform the following actions:

  1. Filter the report by type (Rule, Recommendation, All).
  2. Filter the report by level (L1, L2, L3).
  3. Enable Only Deviations to only show deviations.
  4. Enable Hide Modification History to exclude the modification history for deviations.   

Build Audit Report

The Build Audit Report is native functionality in DTP. It shows an overview of code analysis violations, as well as test results and coverage information, associated with the build. This report also allows you to download an archive of the data, which is an artifact you can use to demonstrate compliance with CERT during a regulatory audit.

In order to download an archive, the build has to be locked. See Build Audit Report for additional details about this report.  

Profiles

The Security Compliance Pack includes a profile associated with the core CERT for Java workflow.

CERT for Java Compliance Profile

The CERT for Java Compliance DTP Workflow ships with a default profile that includes information necessary for generating CERT compliance reports. The default profile shows the correlation between CERT guidelines and Parasoft code analysis rules and is suitable for most normal use cases.

...