Comment: Published by Scroll Versions from space DTPDEVEL and version 2020.2

...

The CWE Compliance artifact supports the following specific CWE implementations:

  • 2020 CWE Top 25 Most Dangerous Software Errors
  • CWE List Version 4.2 (Jtest and dotTEST only)
  • CWE Top 25 + On the Cusp

...

You can configure your tool to run either the test configurations it ships with or the test configurations installed with the Security Compliance Pack. Refer to your tool's documentation for details. The following test configurations are included in the compliance pack.

Configurations for C/C++test:

  • CWE Top 25 2019 [Parasoft 2020.2].properties
  • CWE Top 25 2020 + On the Cusp 2019 [Parasoft 2020.2].properties

Configurations for dotTEST:

  • CWE 4.2 [Parasoft 2020.2].properties
  • CWE Top 25 2020 [Parasoft 2020.2].properties
  • CWE Top 25 2020 + On the Cusp 2020 [Parasoft 2020.2].properties

Configurations for Jtest:

  • CWE 4.2 [Parasoft 2020.2].properties
  • CWE Top 25 2020 [Parasoft 2020.2].properties
  • CWE Top 25 2020 + On the Cusp 2020 [Parasoft 2020.2].properties

The Security Compliance Pack ships with the following additional configuration for CWE and OWASP compliance.

  • UL 2900 [Parasoft 2020.2].properties (Jtest and dotTEST only)

Also see the OWASP Compliance documentation.

Dashboard Templates

Dashboard templates include preconfigured widgets to help you quickly view specific information about your projects. Refer to the Dashboards section to learn more about dashboards in DTP. See Adding the CWE Dashboards for details about viewing the widgets that appear in the dashboard templates. The following template files are included in the CWE Compliance artifact.

Dashboards for C and C++ code:

  • CWE Top 25 2019 - C/C++ (CWE-Top-25-Cpp.json)
  • CWE Top 25 2019 + On the Cusp - C/C++ (CWE-Top-25-and-On-the-Cusp-Cpp.json)

Dashboards for .NET code:

  • CWE 4.2 - .NET (CWE-4_2-dotNET.json)
  • CWE Top 25 2020 - .NET (CWE-Top-25-dotNET.json)
  • CWE Top 25 2020 + On the Cusp - .NET (CWE-Top-25-and-On-the-Cusp-dotNET.json)

Dashboards for Java code:

  • CWE 4.2 - Java (CWE-4_2-Java.json)
  • CWE Top 25 2020 - Java (CWE-Top-25-Java.json)
  • CWE Top 25 2020 + On the Cusp - Java (CWE-Top-25-and-On-the-Cusp-Java.json)

The Security Compliance Pack ships with the following additional dashboard templates that include a combination of widgets configured to show CWE and OWASP compliance.

...

Profiles provide a range of functions in a DTP infrastructure, such as providing inputs for custom calculations executed by an extension and providing data for compliance reports. Profiles take their structure from models, which define fields, headers, or other components used in the profile. See Working with Model Profiles for information about understanding profiles in DTP Enterprise Pack. The following profile files are included with the CWE artifact.

Models:

  • CWE Compliance model (cwe-compliance.json)
  • KPI model (KPI.json)

Profiles for C and C++ code:

  • CWE Security Impact - C++ (cwe-security-impact-cpp.json)
  • CWE Top 25 - C++ (cwe-top25-2019-cpp.json)
  • CWE Top 25+Cusp - C++ (cwe-top25-2019-on-the-cusp-cpp.json)

Profiles for .NET code:

  • CWE 4.2 - .NET profile (cwe-4_2-dotnet.json)
  • CWE Security Impact - .NET profile (cwe-security-impact-dotnet.json)
  • CWE Top 25 - .NET profile (cwe-top25-2020-dotnet.json)
  • CWE Top 25+Cusp - .NET (cwe-top25-2020-on-the-cusp-dotnet)

Profiles for Java code:

  • CWE 4.2 - Java profile (cwe-4_2-java.json)
  • CWE Security Impact - Java profile (cwe-security-impact-java.json)
  • CWE Top 25 - Java profile (cwe-top25-2020-java.json)
  • CWE Top 25+Cusp - Java (cwe-top25-2020-on-the-cusp-java)

Compliance Categories

Individual code analysis rules belong to a category, such as Security, Exceptions, etc. The CWE Compliance artifact includes files that map code analysis rules to CWE-specific categories, i.e., weakness type or impact. You can configure widgets to report violations according to the categories defined in the following files to view them according to their CWE category.

Categories for C and C++ code:

  • CWE Top 25 - C++ (CWE-Top-25-2019-Cpp.xml)
  • CWE Top 25 - Software Development - C++ (CWE-Top-25-2019-Software-Development-Cpp.xml)
  • CWE Top 25 - Technical Impact - C++ (CWE-Top-25-Impact-Cpp.xml)
  • CWE Top 25+Cusp - C++ (CWE-Top-25-and-Cusp-Cpp.xml)
  • CWE Top 25+Cusp - Software Development - C++ (CWE-Top-25-and-Cusp-Software-Development-Cpp.xml)
  • CWE Top 25+Cusp - Technical Impact - C++ (CWE-Top-25-and-Cusp-Impact-Cpp.xml)

Categories for .NET code:

  • CWE 4.2 - .NET (CWE-4_2-dotNET.xml)
  • CWE 4.2 - Software Development - .NET (CWE-4_2-Software-Development-dotNET.xml)
  • CWE 4.2 - Technical Impact - .NET (CWE-Impact-dotNET.xml)
  • CWE Top 25 - .NET (CWE-Top-25-2020-dotNET.xml)
  • CWE Top 25 - Software Development - .NET (CWE-Top-25-2020-Software-Development-dotNET.xml)
  • CWE Top 25 - Technical Impact - .NET (CWE-Top-25-Impact-dotNET.xml)
  • CWE Top 25+Cusp - .NET (CWE-Top-25-and-Cusp-dotNET.xml)
  • CWE Top 25+Cusp - Software Development - .NET (CWE-Top-25-and-Cusp-Software-Development-dotNET.xml)
  • CWE Top 25+Cusp - Technical Impact - .NET (CWE-Top-25-and-Cusp-Impact-dotNET.xml)

Categories for Java code:

  • CWE 4.2 - Java (CWE-4_2-Java.xml)
  • CWE 4.2 - Software Development - Java (CWE-4_2-Software-Development-Java.xml)
  • CWE 4.2 - Technical Impact - Java (CWE-Impact-Java.xml)
  • CWE Top 25 - Software Development - Java (CWE-Top-25-2020-Software-Development-Java.xml)
  • CWE Top 25 - Technical Impact - Java (CWE-Top-25-Impact-Java.xml)
  • CWE Top 25+Cusp - Java (CWE-Top-25-and-Cusp-Java.xml)
  • CWE Top 25+Cusp - Software Development - Java (CWE-Top-25-and-Cusp-Software-Development-Java.xml)
  • CWE Top 25+Cusp - Technical Impact - Java (CWE-Top-25-and-Cusp-Impact-Java.xml)

See Custom Compliance Categories for additional information about rule categories in DTP.

...