...
Compliance Packs include test configurations tailored for particular compliance domains to help you enforce industry-specific compliance standards and practices. See Compliance Packs Rule Mapping for information how the standards are mapped to C/C++test's rules.
Info | ||||
---|---|---|---|---|
| ||||
Some test configurations in this category have a corresponding "Compliance" extension on DTP, which allows you to view your security compliance status, generate compliance reports, and monitor the progress towards your security compliance goals. These test configurations require dedicated license features to be activated. Contact Parasoft Support for more details on Compliance Packs licensing. See the "Extensions for DTP" section in the DTP documentation for the list of available extensions, requirements, and usage. |
...
Test Configuration | Description |
---|---|
AUTOSAR C++14 Coding Guidelines | Checks rules that enforce the AUTOSAR C++ Coding Guidelines (Adaptive Platform, version 17-10). This test configuration is part of Parasoft Compliance Pack solution that allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP. It requires dedicated license features to be activated. Contact your Parasoft representative for details. |
High Integrity C++ | Checks rules that enforce the High Integrity C++ Coding Standard. |
HIS Source Code Metrics | Checks metrics required by the Herstellerinitiative Software (HIS) group. |
MISRA C 1998 | Checks rules that enforce the MISRA C coding standards. |
MISRA C 2004 | Checks rules that enforce the MISRA C 2004 coding standards. |
MISRA C++ 2008 | Checks rules that enforce the MISRA C++ 2008 coding standards. |
MISRA C 2012 | Checks rules that enforce the MISRA C 2012 coding standards. This test configuration is part of Parasoft Compliance Pack solution that allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP. It requires dedicated license features to be activated. Contact your Parasoft representative for details. |
ISO26262 ASIL A Unit TestingISO26262 ASIL A Unit Testing | Executes unit tests with appropriate configuration of coverage metrics and reporting settings for ISO26262 ASIL A |
ISO26262 ASIL B and C Unit Testing | Executes unit tests with appropriate configuration of coverage metrics and reporting settings for ISO26262 ASIL B and C |
ISO26262 ASIL D Unit Testing | Executes unit tests with appropriate configuration of coverage metrics and reporting settings for ISO26262 ASIL D |
...
Test Configuration | Description | ||
---|---|---|---|
CWE-SANS Top 25 Most Dangerous Programming Errors | Checks for the 2011 CWE/SANS Top 25 Most Dangerous Software Errors— a list of the most widespread and critical errors that can lead to serious vulnerabilities in software. They are often easy to find, and easy to exploit. They are dangerous because they will frequently allow attackers to completely take over the software, steal data, or prevent the software from working at all. (http://cwe.mitre.org/top25/index.html) For more details, see 2011 CWE/SANS Top 25 Most Dangerous Software Errors Mapping. | ||
OWASP Top 10 2017 | Includes rules that find issues identified in OWASP’s Top 10 standard. | ||
Payment Card Industry Data Security Standard | Checks rules for the security issues referenced in section 6 of the Payment Card Industry Data Security Standard (PCI DSS) (https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml) Issues detected include input validation (to prevent cross-site scripting, injection flaws, malicious file execution, etc.) and validation of proper error handling. | ||
Security Rules | Checks rules designed to prevent or identify security vulnerabilities. | ||
SEI CERT C Coding Guidelines | Checks rules and recommendations for the SEI CERT C Coding Standard. This standard provides guidelines for secure coding. The goal is to facilitate the development of safe, reliable, and secure systems by, for example, eliminating undefined behaviors that can lead to undefined program behaviors and exploitable vulnerabilities. | ||
SEI CERT C Rules | Checks rules for the SEI CERT C Coding Standard. This standard provides guidelines for secure coding. The goal is to facilitate the development of safe, reliable, and secure systems by, for example, eliminating undefined behaviors that can lead to undefined program behaviors and exploitable vulnerabilities. This test configuration is part of Parasoft Compliance Pack solution that allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP. It requires dedicated license features to be activated. Contact your Parasoft representative for details. | ||
SEI CERT C++ Rules | SEI CERT C++ Rules | Checks rules for the SEI CERT C++ Coding Standard. This standard provides guidelines for secure coding. The goal is to facilitate the development of safe, reliable, and secure systems by, for example, eliminating undefined behaviors that can lead to undefined program behaviors and exploitable vulnerabilities. This test configuration is part of Parasoft Compliance Pack solution that allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP. It requires dedicated license features to be activated. Contact your Parasoft representative for details. | |
UL 2900 | Includes rules that find | UL 2900 | Includes rules that find issues identified in the UL-2900 standard. |
...
This section includes rule mapping for the OWASP and CWE standardsstandars. The mapping information for other standards is available in the PDF rule mapping files shipped with Compliance Packs.
...
2011 CWE/SANS Top 25 Most Dangerous Software Errors Mapping
Anchor | ||||
---|---|---|---|---|
|
CWE ID | CWE Name | Parasoft ID | Parasoft Name |
---|---|---|---|
CWE-89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | BD-SECURITY-TDSQL | Protect against SQL injection |
CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | BD-SECURITY-TDCMD |
Protect against command injection | |||
CWE-120 | Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') | BD-PB-OVERFFM | Avoid buffer overflow due to defining incorrect format limits |
BD-PB-OVERFNZT | Avoid overflow due to reading a not zero terminated string | ||
BD-PB-OVERFWR | Avoid overflow when writing to a buffer | ||
BD-SECURITY-OVERFWR | Avoid buffer write overflow from tainted data | ||
CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | BD-SECURITY-TDFNAMES | Protect against file name injection |
CWE-676 | Use of Potentially Dangerous Function | PB-37 | The unbounded functions of library shall not be used |
SECURITY-11 |
Avoid using unsecured shell functions that may be affected by shell metacharacters | |||
SECURITY-12 | Avoid using unsafe string functions which may cause buffer overflows | ||
SECURITY-13 | Avoid using unsafe string functions that do not check bounds | ||
SECURITY-14 | Do not use scanf and fscanf functions without specifying variable size in format string | ||
SECURITY-16 | Never use gets() | ||
SECURITY-22 | Do not use mbstowcs() function | ||
SECURITY-30 | Avoid using 'getpw' function in program code | ||
SECURITY-31 | Do not use 'cuserid' function | ||
CWE-327 | Use of a Broken or Risky Cryptographic Algorithm | SECURITY-02 | Avoid functions which use random numbers from standard C library |
SECURITY-28 |
Standard random number generators should not be used to generate randomness for security reasons | |||
SECURITY-37 | Do not use weak encryption functions | ||
CWE-131 | Incorrect Calculation of Buffer Size | BD-PB-ARRAY | Avoid accessing arrays out of bounds |
BD-PB-OVERFRD | Avoid overflow when reading from a buffer | ||
BD-SECURITY-ARRAY |
Avoid tainted data in array indexes | |||
MRM-45 | Do not use sizeof operator on pointer type to specify the size of the memory to be allocated via 'malloc', 'calloc' or 'realloc' function | ||
CWE-134 | Uncontrolled Format String | SECURITY-05 | Avoid using functions printf/wprintf with only one variable parameter |
SECURITY-08 | Avoid using functions fprintf/fwprintf with only two parameters, when second parameter is a variable | ||
CWE-190 | Integer Overflow or Wraparound | BD-SECURITY-INTOVERF | Protect against integer overflow/underflow from tainted data |
MISRA-051 | Evaluation of constant unsigned integer expressions should not lead to wrap-around |