Comment: Published by Scroll Versions from space CPPTDESKDEV and version 10.4.2

...

Compliance Packs include test configurations tailored for particular compliance domains to help you enforce industry-specific compliance standards and practices. See Compliance Packs Rule Mapping for information on how the standards are mapped to C/C++test's rules.

Info: Displaying compliance results on DTP

Some test configurations in this category have a corresponding "Compliance" extension on DTP, which allows you to view your security compliance status, generate compliance reports, and monitor the progress towards your security compliance goals. These test configurations require dedicated license features to be activated. Contact Parasoft Support for more details on Compliance Packs licensing.

See the "Extensions for DTP" section in the DTP documentation for the list of available extensions, requirements, and usage.

Aerospace Pack

| Test Configuration | Description |
| --- | --- |
| Joint Strike Fighter | Checks rules that enforce the Joint Strike Fighter (JSF) program coding standards. |
| DO178C Software Level A Unit Testing | Executes unit tests with appropriate configuration of coverage metrics and reporting settings for DO178C Software Level A |
| DO178C Software Level B Unit Testing | Executes unit tests with appropriate configuration of coverage metrics and reporting settings for DO178C Software Level B |
| DO178C Software Level C and D Unit Testing | Executes unit tests with appropriate configuration of coverage metrics and reporting settings for DO178C Software Level C and D |

...

| Test Configuration | Description |
| --- | --- |
| AUTOSAR C++14 Coding Guidelines | Checks rules that enforce the AUTOSAR C++ Coding Guidelines (Adaptive Platform, version 17-10). Note: This test configuration is part of Parasoft Compliance Pack solution that allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP. It requires dedicated license features to be activated. Contact your Parasoft representative for details. |
| High Integrity C++ | Checks rules that enforce the High Integrity C++ Coding Standard. |
| HIS Source Code Metrics | Checks metrics required by the Herstellerinitiative Software (HIS) group. |
| MISRA C 1998 | Checks rules that enforce the MISRA C coding standards. |
| MISRA C 2004 | Checks rules that enforce the MISRA C 2004 coding standards. |
| MISRA C++ 2008 | Checks rules that enforce the MISRA C++ 2008 coding standards. |
| MISRA C 2012 | Checks rules that enforce the MISRA C 2012 coding standards. Note: This test configuration is part of Parasoft Compliance Pack solution that allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP. It requires dedicated license features to be activated. Contact your Parasoft representative for details. |
| ISO26262 ASIL A Unit Testing | Executes unit tests with appropriate configuration of coverage metrics and reporting settings for ISO26262 ASIL A |
| ISO26262 ASIL B and C Unit Testing | Executes unit tests with appropriate configuration of coverage metrics and reporting settings for ISO26262 ASIL B and C |
| ISO26262 ASIL D Unit Testing | Executes unit tests with appropriate configuration of coverage metrics and reporting settings for ISO26262 ASIL D |

...

| Test Configuration | Description |
| --- | --- |
| CWE-SANS Top 25 Most Dangerous Programming Errors | Checks for the 2011 CWE/SANS Top 25 Most Dangerous Software Errors, a list of the most widespread and critical errors that can lead to serious vulnerabilities in software. They are often easy to find, and easy to exploit. They are dangerous because they will frequently allow attackers to completely take over the software, steal data, or prevent the software from working at all. (http://cwe.mitre.org/top25/index.html) For more details, see 2011 CWE/SANS Top 25 Most Dangerous Software Errors Mapping. |
| OWASP Top 10 2017 | Includes rules that find issues identified in OWASP’s Top 10 standard. |
| Payment Card Industry Data Security Standard | Checks rules for the security issues referenced in section 6 of the Payment Card Industry Data Security Standard (PCI DSS) (https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml). Issues detected include input validation (to prevent cross-site scripting, injection flaws, malicious file execution, etc.) and validation of proper error handling. |
| Security Rules | Checks rules designed to prevent or identify security vulnerabilities. |
| SEI CERT C Coding Guidelines | Checks rules and recommendations for the SEI CERT C Coding Standard. This standard provides guidelines for secure coding. The goal is to facilitate the development of safe, reliable, and secure systems by, for example, eliminating undefined behaviors that can lead to undefined program behaviors and exploitable vulnerabilities. |
| SEI CERT C Rules | Checks rules for the SEI CERT C Coding Standard. This standard provides guidelines for secure coding. The goal is to facilitate the development of safe, reliable, and secure systems by, for example, eliminating undefined behaviors that can lead to undefined program behaviors and exploitable vulnerabilities. Note: This test configuration is part of Parasoft Compliance Pack solution that allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP. It requires dedicated license features to be activated. Contact your Parasoft representative for details. |
| SEI CERT C++ Rules | Checks rules for the SEI CERT C++ Coding Standard. This standard provides guidelines for secure coding. The goal is to facilitate the development of safe, reliable, and secure systems by, for example, eliminating undefined behaviors that can lead to undefined program behaviors and exploitable vulnerabilities. Note: This test configuration is part of Parasoft Compliance Pack solution that allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP. It requires dedicated license features to be activated. Contact your Parasoft representative for details. |
| UL 2900 | Includes rules that find issues identified in the UL-2900 standard. |

...

This section includes rule mapping for the OWASP and CWE standards. The mapping information for other standards is available in the PDF rule mapping files shipped with Compliance Packs.

...

2011 CWE/SANS Top 25 Most Dangerous Software Errors Mapping

| CWE ID | CWE Name | Parasoft ID | Parasoft Name |
| --- | --- | --- | --- |
| CWE-89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | BD-SECURITY-TDSQL | Protect against SQL injection |
| CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | BD-SECURITY-TDCMD | Protect against command injection |
| CWE-120 | Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') | BD-PB-OVERFFM | Avoid buffer overflow due to defining incorrect format limits |
| | | BD-PB-OVERFNZT | Avoid overflow due to reading a not zero terminated string |
| | | BD-PB-OVERFWR | Avoid overflow when writing to a buffer |
| | | BD-SECURITY-OVERFWR | Avoid buffer write overflow from tainted data |
| CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | BD-SECURITY-TDFNAMES | Protect against file name injection |
| CWE-676 | Use of Potentially Dangerous Function | PB-37 | The unbounded functions of library shall not be used |
| | | SECURITY-11 | Avoid using unsecured shell functions that may be affected by shell metacharacters |
| | | SECURITY-12 | Avoid using unsafe string functions which may cause buffer overflows |
| | | SECURITY-13 | Avoid using unsafe string functions that do not check bounds |
| | | SECURITY-14 | Do not use scanf and fscanf functions without specifying variable size in format string |
| | | SECURITY-16 | Never use gets() |
| | | SECURITY-22 | Do not use mbstowcs() function |
| | | SECURITY-30 | Avoid using 'getpw' function in program code |
| | | SECURITY-31 | Do not use 'cuserid' function |
| CWE-327 | Use of a Broken or Risky Cryptographic Algorithm | SECURITY-02 | Avoid functions which use random numbers from standard C library |
| | | SECURITY-28 | Standard random number generators should not be used to generate randomness for security reasons |
| | | SECURITY-37 | Do not use weak encryption functions |
| CWE-131 | Incorrect Calculation of Buffer Size | BD-PB-ARRAY | Avoid accessing arrays out of bounds |
| | | BD-PB-OVERFRD | Avoid overflow when reading from a buffer |
| | | BD-SECURITY-ARRAY | Avoid tainted data in array indexes |
| | | MRM-45 | Do not use sizeof operator on pointer type to specify the size of the memory to be allocated via 'malloc', 'calloc' or 'realloc' function |
| CWE-134 | Uncontrolled Format String | SECURITY-05 | Avoid using functions printf/wprintf with only one variable parameter |
| | | SECURITY-08 | Avoid using functions fprintf/fwprintf with only two parameters, when second parameter is a variable |
| CWE-190 | Integer Overflow or Wraparound | BD-SECURITY-INTOVERF | Protect against integer overflow/underflow from tainted data |
| | | MISRA-051 | Evaluation of constant unsigned integer expressions should not lead to wrap-around |