Versions Compared

Old Version 1

changes.mady.by.user Robert Andelin

Saved on

compared with

New Version Current

changes.mady.by.user Robert Andelin

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Published by Scroll Versions from space DTPDEVEL and version 2025.1

The Parasoft CERT for Java Compliance extension is a set of assets for your DTP infrastructure that enable you to demonstrate compliance with CERT Oracle Coding Standard for Java guidelines. The extension is shipped as part of the Security Compliance PackContact your Parasoft representative to download and license the Security Compliance Pack.

In this section:

Table of Contents
maxLevel2

...

  1. Choose Extension Designer from the DTP settings (gear icon) menu.
  2. Click the Services tab and expand the DTP Workflows services category. You can deploy assets under any service category you wish, but we recommend using the DTP Workflows category to match how Parasoft categorizes the assets. You can also click Add Category to create your own service category (see Working with Services for additional information).
    Image Modified 
  3. You can deploy the artifact to an existing service or add a new service. The number of artifacts deployed to a service affects the overall performance. See Extension Designer Best Practices for additional information. Choose an existing service and continue to step 5 or click Add Service
  4. Specify a name for the service and click Confirm.
  5. The tabbed interface helps you keep artifacts organized within the service. Organizing your artifacts across one or more tabs does not affect the performance of the system. Click on a tab (or click the + icon to add a new tab) and choose Import the vertical ellipses menu.
  6. Choose Local > Flows > Workflows > Security > CERT Compliance and click Import.
  7. Click anywhere in the open area to drop the artifact into the service. 
  8. Click Deploy and return to your DTP dashboard.
  9. Refresh your browser.

...

  1. Click Add Dashboard in the DTP toolbar and specify a name when prompted. 
  2. (Optional) You can configure the default view for the dashboard by specifying the following information:
    1. Choose the filter associated with your project in the filter drop-down menu. A filter represents a set of run configurations that enabled custom views of the data stored in DTP. See DTP Concepts for additional information.
    2. Specify a range of time from the Period menu. 
    3. Specify a range of builds from the Baseline Build and Target Build menus. 
    Image Modified
  3. Enable Create dashboard from a template and choose the SEI CERT Oracle Coding Standard for Java Compliance template from the associated menu.
  4. Click Create to finish adding the dashboard.

...

Anchor
Manually Adding the CERT for Java Widgets
Manually Adding the CERT for Java Widgets
Manually Adding the CERT for Java Widgets

You can manually add the After deploying the artifact, you can add CERT for Java widgets to an existing a dashboard. See See Adding Widgets for general instructions on how to add widgets to a dashboard. After deploying the artifact, widgets will appear in the SEI CERT category.  Image Removedmore information about this process. CERT for Java widgets can be found in the SEI CERTcategory.

The following configurations are available:

...

Anchor
CERT for Java Compliance Widgets
CERT for Java Compliance Widgets
CERT for Java Compliance Widgets Widgets

The following widgets are shipped with the CERT for Java Compliance DTP Workflow to help you achieve CERT for Java Compliance goals.

...

This widget provides an overview of the project's CERT compliance status.

By default, the widget shows Rules and Recommendations, as well as all priority levels. You can add multiple instances of the widget and configure different combinations to create robust views of the compliance status. Click on the widget to open the CERT for Java Compliance Report.

CERT Levels - Target

This widget shows the highest concentration of static analysis violations per CERT category. It provides an overview of the compliance status, as well as applicable deviations, in the tooltip. Click on the widget to open the CERT for Java Compliance Report.

Image Removed

CERT Compliance - Status

The widget can show the following states:

  • Compliant: No violations are reported, and no suppressions have been applied. 
  • Not Compliant: Violations have been reported that represent a significant risk. 
  • Missing rule(s) in analysis: Parasoft code analysis rules documented in the profile were not included in the specified build. Make sure all rules are enabled in the Parasoft tool and re-run the analysis.
  • Compliant with Deviations: The violations reported are acceptable and have been suppressed. See Deviation Report for additional information about deviations/suppressions.
  • Compliant with Violations: The violations reported do not represent a significant risk.

By default, the widget shows Rules and Recommendations, as well as all priority levelsThe widget shows the overall compliance status, as well as the compliance status for each CERT level. You can add multiple instances of the widget configured to use a different profile, for example, a profile with disabled guidelines, to view your current and configure different combinations to create robust views of the compliance status. Click on the widget to open the the CERT for Java Compliance Report.

Image Removed

The code can be compliant with deviations and violations that have been deemed acceptable. See Deviation Report for additional information about deviations.

The status will be set to Not Compliant if Parasoft code analysis rules documented in your profile were not included in the specified build or if unacceptable violations have been reported. Make sure all rules are enabled in Jtest and re-run analysis.

CERT Compliance - Percentage Widget

CERT Levels - Target

This widget shows the highest concentration of static analysis violations per CERT category. It provides an overview of the compliance status, as well as applicable deviations, in the tooltip. Click on the widget to open the CERT for Java Compliance Report.

Image Added

CERT Compliance - Status by Level

The widget shows the overall compliance status, as well as the compliance status for each CERT level. You can add multiple instances of the widget configured to use a different profile, for example, a profile with disabled guidelines, to view your current compliance statusThis widget shows the completeness of CERT compliance as a percentage. Completeness is based on the number of guidelines being enforced in the profile. The CERT for Java dashboard includes three instances of this widget, one for each level. Click on the widget to open the CERT for Java Compliance Report.

Image Removed

CERT Compliance - Guidelines by Status

This widget shows the compliance status for a specific Rule or Recommendation per priority level.

Image Removed

You can add multiple instances of the widget configured to different type/priority level combinations to help you understand your compliance status from different perspectives. The pie chart can represent up to four different guideline statuses for the selected category:

Scroll Table Layout
widths30%,70%

...

Guidelines that your code is deviating from but are still considered compliant.

A deviation is when the guideline is not being followed according to the Parasoft static analysis rule, but is considered acceptable because it does not affect the safety of the software. Deviations represent Parasoft static analysis rules that have been suppressed.

...

Guidelines that your code is considered compliant with, even though the static analysis rules that enforce them contain violations. Only Recommendations can have this status.

...

Image Added

The code can be compliant with deviations and violations that have been deemed acceptable. See Deviation Report for additional information about deviations.

The status will be set to Not Compliant if Parasoft code analysis rules documented in your profile were not included in the specified build or if unacceptable violations have been reported. Make sure all rules are enabled in Jtest and re-run analysis.

CERT Compliance - Percentage Widget

This widget shows the completeness of CERT compliance as a percentage. Completeness is based on the number of guidelines being enforced in the profile. The CERT for Java dashboard includes three instances of this widget, one for each level. Click on the widget to open the CERT for Java Compliance Report.

Image Added

CERT Compliance - Guidelines by Status

This widget shows the compliance status for a specific Rule or Recommendation per priority level.

Image Added

You can add multiple instances of the widget configured to different type/priority level combinations to help you understand your compliance status from different perspectives. The pie chart can represent up to four different guideline statuses for the selected category:

Scroll Table Layout
widths30%,70%

GreenGuidelines your code is in compliance with for the selected type and level.
Yellow

Guidelines that your code is deviating from but are still considered compliant.

A deviation is when the guideline is not being followed according to the Parasoft static analysis rule, but is considered acceptable because it does not affect the safety of the software. Deviations represent Parasoft static analysis rules that have been suppressed.

Orange

Guidelines that your code is considered compliant with, even though the static analysis rules that enforce them contain violations. Only Recommendations can have this status.

RedGuidelines that your code is not compliant with.

You can perform the following actions:

  • Mouse over a pie slice to view details.
  • Click on a section to open the CERT for Java Compliance Report filtered by the type, priority, and compliance status.
  • Click on the number of violations counter to open the CERT for Java Compliance Report filtered by the type, priority, and compliance status.
  • Click on the number of deviations counter to open the Deviation Report filtered by the type and priority.

CERT Violations by Category - TreeMap Widget

This widget provides a representation of the highest concentration of static analysis violations per type and priority level. Tiles are color-coded according the priority level:

  • Red tiles represent L1 violations.
  • Yellow tiles represent L2 violations.
  • Green tiles represent L3 violations.

The Parasoft rule(s) enforcing violations are also presented. Tiles are proportional to the number of static analysis violations reported for each rule. 

 Image Added

The widget uses the hierarchy established in the model profile to correlate Parasoft rules with CERT rules, recommendations, and priorities. You can mouse over a tile in the widget to view the number of violations associated with each rule/guideline/category.

Click on a rule to see the violation in the Violations Explorer.

CERT Compliance by Priority

This widget is an implementation of the standard Compliance By Category widget shipped with DTP. It shows the number and percentage of rules in compliance grouped by rule categories.

Image Added

Click on an entry in the table to open the 

You can perform the following actions:

  • Mouse over a pie slice to view details.
  • Click on a section to open the CERT for Java Compliance Report filtered by the type, priority, and compliance status.
  • Click on the number of violations counter to open the CERT for Java Compliance Report filtered by the type, priority, and compliance status.
  • Click on the number of deviations counter to open the Deviation Report filtered by the type and priority.

CERT Violations by Category - TreeMap Widget

This widget provides a representation of the highest concentration of static analysis violations per type and priority level. Tiles are color-coded according the priority level:

  • Red tiles represent L1 violations.
  • Yellow tiles represent L2 violations.
  • Green tiles represent L3 violations.

The Parasoft rule(s) enforcing violations are also presented. Tiles are proportional to the number of static analysis violations reported for each rule. 

 Image Removed

The widget uses the hierarchy established in the model profile to correlate Parasoft rules with CERT rules, recommendations, and priorities. You can mouse over a tile in the widget to view the number of violations associated with each rule/guideline/category.

Click on a rule to see the violation in the Violations Explorer.

CERT Compliance by Priority

This widget is an implementation of the standard Compliance By Category widget shipped with DTP. It shows the number and percentage of rules in compliance grouped by rule categories.

Image Removed

Click on an entry in the table to open the Violations by Compliance Category report.

Top 5 CERT Categories

This widget is an implementation of the standard Categories - Top 5 Table widget shipped with DTP. It shows the five CERT guideline categories with the most violations.

Image Removed

Click on a link in the Name column or the more... link to open the Violations by Compliance Category report.

Top 5 CERT

...

Categories

This widget is an implementation of the standard Categories - Top 5 Table widget widget shipped with DTP. It shows the shows the five CERT guidelines guideline categories with the most violations.

Image Added

Click on a link in the Name column or the more... link to open the Violations by Compliance Category report.

Top 5 CERT Guidelines

This widget is an implementation of the standard Categories - Table widget shipped with DTP. It shows the five CERT guidelines with the most violations.

Click on a link in the Name column or the more... link to open the Violations by Compliance Category report.

...

The CERT Compliance Report provides an overview of your CERT compliance status and serves as the primary document for demonstrating compliance.Image Removedand serves as the primary document for demonstrating compliance.

Image Added

The report can show the following states:

  • Compliant: No violations are reported, and no suppressions have been applied. 
  • Not Compliant: Violations have been reported that represent a significant risk. 
  • Missing rule(s) in analysis: Parasoft code analysis rules documented in the profile were not included in the specified build. Make sure all rules are enabled in the Parasoft tool and re-run the analysis.
  • Compliant with Deviations: The violations reported are acceptable and have been suppressed. See Deviation Report for additional information about deviations/suppressions.
  • Compliant with Violations: The violations reported do not represent a significant risk.
  • No Rules Enabled: There are no Parasoft code analysis rules mapped to the guideline.

You can perform the following actions:

  • Use the menus to sort by the following criteria:
    • Guideline type: Rule, Recommendation, or All 
    • Priority level: L1, L2, L3, or All
    • Compliance status: All, No Rules Enabled, Compliant, Compliant With with Deviations, Compliant With with Violations, Not Compliant, Missing Rule(s) in Analysis
  • Click a link in the # of Violations to view the violations in the Violations Explorer.
  • Click a link in the # of Deviations to view the suppressed violations in the Violations Explorer.
  • Open one of the CERT Compliance sub-reports.
  • Click Download PDF to download a printer-friendly PDF version of the report data. If you added a custom graphic to DTP as described in Adding a Custom Graphic to the Navigation Bar, the PDF will also be branded with the graphic. 

...

Table of Content Zone
maxLevel3
minLevel3
locationtop

Conformance Testing Plan

The Conformance Testing Plan cross-references CERT guidelines with Parasoft static analysis rules using the data specified in the compliance profile. You can change the severity, likelihood, remediation cost, and other values to meet your project goals by configuring the profile. Click on a guideline to view the CERT documentation on the CERT website.

Deviation Report 

Your code can contain violations and still be CERT-compliant as long as the deviations from the standard are documented and that the safety of the software is unaffected. Deviations are code analysis rules that have been suppressed either directly in the code or in the DTP Violations Explorer. See the Jtest documentation for details on suppressing violations in the code. See Suppressing Violations in the Violations Explorer documentation for information about suppressing violations in DTP.

Click the Deviation Report link in the CERT Compliance Report to open the Deviation Report.  Image Removed

The Deviations Deviation Report shows all guideline IDs and headers , but guidelines that have been suppressed will show additional informationwith deviations. You can perform the following actions:

  • Filter the report by type (Rule, Recommendation, All).
  • Filter the report by level (L1, L2, L3).
  • Enable Only Deviations to only show deviations.
    • Enable Hide Modification History to exclude the modification history for deviations.   
    • Click on the Violation ID to drill down into the Violations Explorer.

    Build Audit Report

    The Build Audit Report is native functionality in DTP. It shows an overview of code analysis violations, as well as test results and coverage information, associated with the build. This report also allows you to download an archive of the data, which is an artifact you can use to demonstrate compliance with CERT during a regulatory audit.

    Image Modified

    In order to download an archive, the build has to be locked. See Build Audit Report for additional details about this report.  

    ...