...
- 2023 CWE Top 25 Most Dangerous Software Errors (Jtest, dotTEST, and C/C++test)
- CWE List Version 4.14 (Jtest and dotTEST only)
- CWE Top 25 + On the Cusp
...
- Install the Security Compliance Pack into DTP Extension Designer.
- Deploy the CWE Compliance artifact using Extension Designer. This action also deploys CWE Compliance assets to your DTP environment.
- Connect your code analysis tool to your project in DTP. Configure the settings that enable DTP to correlate analysis results, such as the build ID and source control settings. See the documentation for your analysis tool for details.
- Analyze the project with your code analysis tool using one of the CWE test configurations.
- (Optional) Run the KPI workflow as part of your automated build process to generate metrics data associated with CWE compliance.
- Use the DTP dashboard template, widgets, and reports to monitor compliance with security standards.
...
Configurations for C/C++test:
...
- CWE Top 25 + On the Cusp 2023
- CWE Top 25 2023
Configurations for dotTEST:
- CWE Top 25 + On the Cusp 2023
- CWE Top 25 2023
- CWE 4.14
Configuration for Jtest:
- CWE Top 25 + On the Cusp 2023
- CWE Top 25 2023
- CWE 4.14
The Security Compliance pack ships with the following additional configuration for CWE and OWASP compliance.
...
Dashboards for C and C++ code:
- CWE Top 25 2023 - C/C++
- CWE Top 25 2023 + On the Cusp - C/C++
Dashboards for .NET code:
- CWE 4.14 - .NET
- CWE Top 25 2023 - .NET
- CWE Top 25 2023 + On the Cusp - .NET
Dashboards for Java code:
- CWE 4.14 - Java
- CWE Top 25 2023 - Java
- CWE Top 25 2023 + On the Cusp - Java
The Security Compliance pack ships with the following UL 2900 dashboard templates that include a combination of widgets configured to show CWE Top 25 + On the Cusp and OWASP Top 10 2021 compliance. Note that both CWE and OWASP 2021 compliance artifacts must be deployed.
...
Profiles provide a range of functions in a DTP infrastructure, such as providing inputs for custom calculations executed by an extension and providing data for compliance reports. Profiles take their structure from models, which define the fields, headers, or other components used in the profile. See Working with Model Profiles for information about profiles in DTP Enterprise Pack. The following model and profile files are included with the CWE artifact.
Models:
- CWE Compliance model (cwe-compliance.json)
- KPI model (KPI.json)
Profiles for C and C++ code:
...
Profiles for .NET code:
- CWE 4.14 - .NET profile
- CWE Security Impact - .NET profile
- CWE Top 25 - .NET profile
- CWE Top 25 + Cusp - .NET profile
Profiles for Java code:
- CWE 4.14 - Java profile
- CWE Security Impact - Java profile
- CWE Top 25 - Java profile
- CWE Top 25 + Cusp - Java profile
...
Individual code analysis rules belong to a category, such as Security or Exceptions. The CWE Compliance artifact includes files that map code analysis rules to CWE-specific categories, that is, weakness type or technical impact. You can configure widgets to report violations according to the categories defined in the following files so that violations are grouped by their CWE category.
...
Categories for .NET code:
- CWE 4.14 - .NET
- CWE 4.14 - Software Development - .NET
- CWE 4.14 - Technical Impact - .NET
- CWE Top 25 - .NET
- CWE Top 25 - Software Development - .NET
- CWE Top 25 - Technical Impact - .NET
- CWE Top 25 + Cusp - .NET
- CWE Top 25 + Cusp - Technical Impact - .NET
- CWE Top 25 + Cusp - Software Development - .NET
Categories for Java code:
- CWE 4.14 - Java
- CWE 4.14 - Software Development - Java
- CWE 4.14 - Technical Impact - Java
- CWE Top 25 - Java
- CWE Top 25 - Software Development - Java
- CWE Top 25 - Technical Impact - Java
- CWE Top 25 + Cusp - Java
- CWE Top 25 + Cusp - Technical Impact - Java
- CWE Top 25 + Cusp - Software Development - Java
See Custom Compliance Categories for additional information about rule categories in DTP.
Key Performance Indicator.json
This DTP Workflow performs additional calculations to provide metrics data specific to CWE. The KPI Workflow is optional and is not specific to the CWE Compliance artifact. To use this workflow, deploy it to your DTP environment and manually add instances of the standard Metrics - Summary widget to your dashboard to view the data. See Calculating Security Impact for details.
Cross-reference PDFs
For your convenience, PDFs that show the association between Parasoft rules and CWE guidelines are located in the following directories:
<PACK>/rules/jtest
<PACK>/rules/dottest
<PACK>/rules/cpptest
Deploying the CWE Assets
...
- Choose Extension Designer from the DTP settings (gear icon) menu.
- Click the Services tab and expand the DTP Workflows services category. You can deploy assets under any service category you wish, but we recommend using the DTP Workflows category to match how Parasoft categorizes the assets. You can also click Add Category to create your own service category (see Working with Services for additional information).
- You can deploy the artifact to an existing service or add a new service. The number of artifacts deployed to a service affects the overall performance. See Extension Designer Best Practices for additional information. Choose an existing service and continue to step 5 or click Add Service.
- Specify a name for the service and click Confirm.
- The tabbed interface helps you keep artifacts organized within the service. Organizing your artifacts across one or more tabs does not affect the performance of the system. Click on a tab (or click the + button to add a new tab) and choose Import from the vertical ellipses menu.
- Choose Local > Flows > Workflows > Security > CWE Compliance and click Import.
- Click anywhere in the open area to drop the artifact into the service.
- Click Deploy and return to your DTP dashboard.
- Refresh your browser.
...
- Click Add Dashboard in the DTP toolbar and specify a name when prompted.
- (Optional) You can configure the default view for the dashboard by specifying the following information:
- Choose the filter associated with your project from the Filter drop-down menu. A filter represents a set of run configurations that enable custom views of the data stored in DTP. See Configuring Filters for additional information.
- Specify a range of time from the Period drop-down menu.
- Specify a range of builds from the Baseline Build and Target Build drop-down menus.
- Enable the Create dashboard from a template option and choose one of the CWE templates from the associated menu.
- Click Create to finish adding the dashboard.
...
- Mouse over a segment of the pie chart to view details.
- Click on the passing segment of the pie chart to open the CWE Compliance Report filtered by passing guidelines.
- Click on the violations segment of the pie chart to open the CWE Compliance Report filtered by violations.
- Click on the Violations value to open an unfiltered instance of the CWE Compliance Report.
- Click on the Deviations value to open the Deviation Report.
Violations by Category
...
Setting | Description
---|---
Title | You can rename the widget in the Title field.
Filter | Choose a specific filter or Dashboard Settings from the drop-down menu. See Configuring Filters for additional information. The filter should contain data that matches the type of compliance profile you choose (Java, .NET, C++). For example, if the filter contains code analysis data on a .NET project, then you should choose one of the .NET compliance profiles.
Target Build | Choose a specific build from the drop-down menu. The build selected for the entire dashboard is selected by default. See Using Build Administration for additional information about builds. This setting is available for all widgets.
Compliance Profile | Choose a compliance profile from the drop-down menu to display the code analysis data against one of the supported CWE-specific sets of guidelines. You can choose any of the CWE compliance profiles listed in Models and Profiles. The type of compliance profile (Java, .NET, C++) should match the data in the selected filter. For example, choose one of the .NET compliance profiles if the filter contains code analysis data on a .NET project.
Security Impact
The CWE Compliance artifact includes profiles that you can use to calculate the security impact of detected weaknesses. Additional steps are required to use this functionality. See Calculating Security Impact for details.
Calculating Security Impact
The Key Performance Indicator (KPI) DTP Workflow defines a KPI associated with static analysis rules so you can measure and quantify results. The build must have both static analysis and metrics analysis data for the KPI extension to perform the calculation: the code analysis tool must already have been run with the Metrics test configuration and with a CWE test configuration under the same build ID. The metrics analysis must also include data for the Logical Lines of Code metric (metric ID METRIC.NOLLOCIF). Refer to the tool documentation for details about setting the build ID and executing the Metrics test configuration.
This artifact needs to be deployed manually before you can use it.
- Open Extension Designer and click on the Services tab.
- Choose a service under a service category for running the KPI artifact. We recommend using a service in the DTP Workflows category to match how Parasoft categorizes the assets. You can deploy the artifact to an existing service or add a new service. The number of artifacts deployed to a service affects the overall performance.
- The tabbed interface helps you keep artifacts organized within the service. Organizing your artifacts across one or more tabs does not affect the performance of the system. Click on a tab (or click the + button to add a new tab) and click the vertical ellipses menu.
- Choose Import > Library > Workflows > Security > Key Performance Indicator and click anywhere in the open area to drop the artifact into the service.
- Click Deploy and click on the service category where the KPI artifact is deployed.
- Expand the Key Performance Indicator section and copy the endpoint. Extension Designer presents two paths for the endpoint. The API Endpoint Path includes all API directories and can be used for exercising the endpoint in most cases. The Direct Endpoint Path is the direct path to the endpoint on the server and can be used if the API endpoint path is blocked or inaccessible, such as in some third-party integrations that require authentication.
- Send a REST request to the endpoint along with the required parameters. See Execution Details.
- Open your DTP dashboard and click Add Widget.
- Choose the Metrics > Metrics - Summary widget in the overlay.
- Choose CWE Security Impact/Logical Lines in Files from the Metric drop-down menu.
- Specify the metric aggregation you would like to display from the Aggregation drop-down menu and click Create.
The widget will appear on your dashboard.
Clicking on the widget opens the Single Metric Overview Report.
Execution Details
You can execute the request in a browser, using a cURL command, or add it to a script. The request takes the following required parameters:
...
filterId: The filter ID for the project that the calculations will be performed on. You can quickly get the filter ID from the URL of your dashboard. You can also get the filter ID from the Filters settings in DTP administration (see Configuring Filters).
...
- CWE Security Impact - .NET
- CWE Security Impact - Java
- CWE Security Impact - C++
You can get the profile names from the Model Profile tab in Extension Designer.
...
For example, the following request starts the calculation for filter ID 9 using the .NET security impact profile (note that the profile name is URL-encoded in the query string):

```
http://framemaker.parasoft.com:8314/api/v1/services/5c0f0cae5d018e0630ae2789/slices/9acaecb1.7eb78?filterId=9&profile=CWE%20Security%20Impact%20-%20.NET
```

The endpoint responds with a JSON message confirming that the calculation has started:

```json
{
  "success": {
    "title": "KPI",
    "message": "Calculation has started for filter 'CWE dotTEST' using profile 'CWE Security Impact - .NET'. Check debug output for any errors during calculation."
  }
}
```
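The following shell script is an added example, not part of the Security Compliance Pack or its documentation, of how the request above can be issued from a build step. It assumes the endpoint copied from Extension Designer is supplied in a DTP_KPI_ENDPOINT environment variable, that the filter ID and profile name are passed as arguments, and that any credentials DTP needs are read from a netrc file named by DTP_NETRC rather than placed on the command line; the sample responses embedded in it are constructed for the example. It percent-encodes the profile name itself, which matters for the C++ profile: a literal + in a query string is decoded as a space, so "CWE Security Impact - C++" must be sent as CWE%20Security%20Impact%20-%20C%2B%2B or the profile will not be found.

```shell
#!/bin/sh
# Added example: trigger the CWE KPI calculation from a build step.
# Not part of the Security Compliance Pack; the endpoint variable, netrc
# handling and the sample responses below are assumptions for this example.
set -eu

# Percent-encode everything except RFC 3986 unreserved characters.
# Needed because the "+" in "C++" would otherwise be decoded as a space.
urlencode() {
  printf '%s' "$1" | LC_ALL=C awk '
    BEGIN { for (i = 1; i < 256; i++) ord[sprintf("%c", i)] = i }
    {
      out = ""
      for (i = 1; i <= length($0); i++) {
        c = substr($0, i, 1)
        if (c ~ /[A-Za-z0-9._~-]/) out = out c
        else out = out sprintf("%%%02X", ord[c])
      }
      printf "%s", out
    }'
}

# Build the request URL: <endpoint>?filterId=<id>&profile=<encoded name>.
# A non-numeric filter ID is rejected before anything is sent.
kpi_url() {
  endpoint=$1; filter_id=$2; profile=$3
  case "$filter_id" in
    ''|*[!0-9]*) echo "kpi_url: filter ID must be numeric: '$filter_id'" >&2; return 1 ;;
  esac
  printf '%s?filterId=%s&profile=%s' "$endpoint" "$filter_id" "$(urlencode "$profile")"
}

# Constructed sample responses. SAMPLE_OK has the shape the endpoint returns
# when the calculation starts; SAMPLE_ERR is an assumed failure shape.
SAMPLE_OK="{\"success\":{\"title\":\"KPI\",\"message\":\"Calculation has started for filter 'CWE dotTEST' using profile 'CWE Security Impact - .NET'. Check debug output for any errors during calculation.\"}}"
SAMPLE_ERR="{\"error\":{\"title\":\"KPI\",\"message\":\"Profile not found\"}}"

# Return 0 only if the JSON body reports that the calculation started.
# The endpoint answers as soon as the job is queued, so an HTTP 200 alone
# does not mean the KPI has been computed; the body has to be checked.
kpi_started() {
  printf '%s' "$1" | grep -q '"success"' &&
    printf '%s' "$1" | grep -q 'Calculation has started'
}

# Send the request. Credentials, if DTP requires them, come from a netrc
# file (assumed path in $DTP_NETRC) so they never appear in the process list.
trigger_kpi() {
  url=$(kpi_url "$1" "$2" "$3") || return 1
  if [ -n "${DTP_NETRC:-}" ]; then
    resp=$(curl -sS --netrc-file "$DTP_NETRC" "$url")
  else
    resp=$(curl -sS "$url")
  fi
  if kpi_started "$resp"; then
    echo "KPI calculation started: $resp"
  else
    echo "KPI trigger failed: $resp" >&2
    return 1
  fi
}

# Usage from a build step:
#   DTP_KPI_ENDPOINT=<endpoint copied from Extension Designer> ./kpi.sh 9 'CWE Security Impact - C++'
if [ -n "${DTP_KPI_ENDPOINT:-}" ]; then
  trigger_kpi "$DTP_KPI_ENDPOINT" "${1:-}" "${2:-CWE Security Impact - .NET}"
fi
```

The script fails the build step (non-zero exit) when the endpoint does not acknowledge the request, which is the behaviour you want when the KPI run is a required part of the pipeline rather than a fire-and-forget call.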
The default profile settings are based on the CWE standard, but you can add or remove rules, and change their default weights, in the profile. Creating custom profiles enables you to run different KPIs for different purposes and different profiles for different subsets of rules. Preserve the default profiles and upload custom profiles to Extension Designer as necessary if you want to calculate custom KPIs. See Profiles for additional information.
Info: Depending on the volume of data being analyzed, the KPI calculation may require multiple runs to acquire the core data and may take significant time. Trigger the KPI calculation as part of your build process, or manually by using a trigger node in the KPI slice.
CWE Compliance Report
The CWE Compliance Report enables you to demonstrate compliance and monitor progress toward your compliance policy. The following CWE widgets link to the CWE Compliance Report:
The report includes data for the build ID and filter configured in the widget you clicked to access the report. The compliance status of the project is also determined by the compliance profile configuration specified in the widget you clicked to access the report (see CWE Widget Configuration Settings).
You can perform the following actions:
- Click on one of the following links to open a sub-report:
- Choose a state from the Compliance drop-down menu to filter weaknesses by their current state.
- Click on a column header to sort the report.
- Click on a link in the Weakness column to go directly to the weakness in the Weakness Detection Plan report.
- Click on a value in the # of Violations column to view the violations in the Violations Explorer.
- Click on a value in the # of Deviations columns to view the suppressed violations in the Violations Explorer.
- Click Download PDF to export a printer-friendly PDF version of the report data. If you added a custom graphic to DTP as described in Adding a Custom Graphic to the Navigation Bar, the PDF will also be branded with the graphic.
Weakness Detection Plan
The Weakness Detection Plan shows how Parasoft code analysis rules map to weaknesses. This report is populated with data from the selected compliance profile (see Models and Profiles).
Deviation Report
The Deviation Report shows information about which violations have been suppressed in the project. See Suppressing Violations for information about suppressions in DTP. Refer to the documentation for your analysis tool to learn about in-code suppressions.
By default, the report shows all guidelines, but you can enable the Only Deviations option to filter out guidelines that have no suppressions associated with them. You can also enable the Hide Modification History option to exclude the modification history for deviations.
Build Audit Report
The Build Audit Report is native functionality in DTP. It shows an overview of code analysis violations, as well as test results and coverage information, associated with the build. This report also allows you to download an archive of the data, which is an artifact you can use to demonstrate compliance with CWE during a regulatory audit.
In order to download an archive, the build has to be locked. See Build Audit Report for additional details.
Profiles
Profiles provide additional inputs that enable custom calculations. The Security Compliance Pack includes a set of profiles that enable the data to be viewed in the context of CWE standards. See Models and Profiles for a list of the profiles used for CWE compliance. You can create custom profiles if you want to customize how DTP reports CWE data.
CWE Compliance Profiles
The default profiles show the correlation between CWE guidelines and Parasoft code analysis rules and are suitable for most normal use cases.
Warning: We strongly advise you to avoid changing the default CWE profiles because doing so will affect any reports you may need to generate for auditing purposes.
If necessary, you can make a copy of the default profile and adjust the correlation between Parasoft code analysis rules and CWE guidelines to achieve your software quality and compliance goals.
- Open Extension Designer and click the Model Profile tab.
- Expand the CWE Compliance model and choose one of the profiles.
- Click Export Profile to download a copy.
- Click Add Profile and enter a name.
- Click Confirm to create an empty profile.
- Rename the copy of the default profile you exported and click Import Profile.
- Browse for the copy and confirm to upload.
- Click Edit and make your adjustments.
- Click Save.
CWE KPI Profiles
The KPI artifact shipped with the Security Compliance Pack includes the following profiles:
- CWE Security Impact - .NET
- CWE Security Impact - C++
- CWE Security Impact - Java
The profiles assign weights to the metrics analysis rules in order to calculate a KPI value for the build.
The default profile is suitable for most normal usage, but you can adjust the weights for each metrics rule if necessary.
- Open Extension Designer and click the Model Profile tab.
- Expand the KPI model and choose one of the profiles.
- Click Export Profile to download a copy.
- Click Add Profile and enter a name.
- Click Confirm to create an empty profile.
- Rename the copy of the default profile you exported and click Import Profile.
- Browse for the copy and confirm to upload.
- Click Edit and make your adjustments.
- Click Save.