Comment: Published by Scroll Versions from space DTPDEVEL and version 5.4.3

...

  • 2011 CWE/SANS Top 25 Most Dangerous Software Errors
  • CWE List Version 3.
  • CWE Top 25 + On the Cusp

Click on the following links to learn more about the supported CWE guidelines: 

...

You can configure your tool to run either the test configurations it ships with or the test configurations installed with the Security Compliance Pack. Refer to your tool's documentation for details. The following test configurations are included in the compliance pack:

  • CWE 3.2 4 [Parasoft 10.4.3].properties
  • CWE SANS Top 25 2011 2019 [Parasoft 10.4.3].properties
  • CWE SANS Top 25 2011 2019 + On the Cusp [Parasoft 10.4.3].properties
  • PCI DSS 3.2.properties [Parasoft 10.4.3].properties 
  • UL 2900 [Parasoft 10.4.3].properties

...

The following template files are included in the CWE Compliance artifact:

  • CWE Top 25 2011 2019 - Java (CWE-Top-25-Java.json)
  • CWE Top 25 2011 2019 - .NET (CWE-Top-25-dotNET.json)
  • CWE Top 25 2011 2019 + On the Cusp - .NET (CWE-Top-25-and-On-the-Cusp-dotNET.json)
  • CWE Top 25 2011 2019 + On the Cusp - Java (CWE-Top-25-and-On-the-Cusp-Java.json)
  • CWE 3.3 4 - Java (CWE-3_24-Java.json)
  • CWE 3.3 4 - .NET (CWE-3_24-dotNET.json)

The Security Compliance Pack ships with the following additional dashboard templates, each of which includes a combination of widgets configured to show CWE and OWASP compliance.

...

The following profile files are included with the CWE artifact.

  • CWE 3.3 4 - .NET profile (cwe-3_34-dotnet.json)
  • CWE 3.3 4 - Java profile (cwe-3_24-java.json)
  • CWE Security Impact - .NET profile (cwe-security-impact-dotnet.json)
  • CWE Security Impact - Java profile (cwe-security-impact-java.json)
  • CWE Top 25 - .NET profile (cwe-top25-20112019-dotnet.json)
  • CWE Top 25 - Java profile (cwe-top25-20112019-java.json)
  • CWE Top 25+Cusp - .NET (cwe-top25-20112019-on-the-cusp-dotnet)
  • CWE Top 25+Cusp - Java (cwe-top25-20112019-on-the-cusp-java)
  • CWE Compliance model (cwe-compliance.json)
  • KPI model (KPI.json)

...

Individual code analysis rules belong to a category, such as Security, Exceptions, etc. The CWE Compliance artifact includes files that map code analysis rules to CWE-specific categories, i.e., weakness type or technical impact. You can configure widgets to report violations according to the categories defined in the following files so that violations are shown by their CWE category:

  • CWE 3.3 4 - Development Concepts - .NET (CWE-3_34-Development-Concepts-dotNET.xml)
  • CWE 3.3 4 - Development Concepts - Java (CWE-3_34-Development-Concepts-Java.xml)
  • CWE 3.3 4 - .NET (CWE-3_34-dotNET.xml)
  • CWE 3.3 4 - Java (CWE-3_34-Java.xml)
  • CWE 3.3 4 - Technical Impact - .NET (CWE-Impact-dotNET.xml)
  • CWE 3.3 4 - Technical Impact - Java (CWE-Impact-Java.xml)
  • CWE Top 25 - Development Concepts - .NET (CWE-Top-25-20112019-Development-Concepts-dotNET.xml)
  • CWE Top 25 - Development Concepts - Java (CWE-Top-25-20112019-Development-Concepts-Java.xml)
  • CWE Top 25 - .NET (CWE-Top-25-20112019-dotNET.xml)
  • CWE Top 25 - Java (CWE-Top-25-20112019-Java.xml)
  • CWE Top 25+Cusp - Development Concepts - .NET (CWE-Top-25-and-Cusp-Development-Concepts-dotNET.xml)
  • CWE Top 25+Cusp - Development Concepts - Java (CWE-Top-25-and-Cusp-Development-Concepts-Java.xml)
  • CWE Top 25+Cusp - .NET (CWE-Top-25-and-Cusp-dotNET.xml)
  • CWE Top 25+Cusp - Java (CWE-Top-25-and-Cusp-Java.xml)
  • CWE Top 25+Cusp - Technical Impact - .NET (CWE-Top-25-and-Cusp-Impact-dotNET.xml)
  • CWE Top 25+Cusp - Technical Impact - Java (CWE-Top-25-and-Cusp-Impact-Java.xml)
  • CWE Top 25 - Technical Impact - .NET (CWE-Top-25-Impact-dotNET.xml)
  • CWE Top 25 - Technical Impact - Java (CWE-Top-25-Impact-Java.xml)

...

  1. Click Add Dashboard in the DTP toolbar and specify a name when prompted.
  2. (Optional) You can configure the default view for the dashboard by specifying the following information:
    • Choose the filter associated with your project from the Filter drop-down menu. A filter represents a set of run configurations that enable custom views of the data stored in DTP. See Creating and Managing Filters for additional information.
    • Specify a range of time from the Period drop-down menu. 
    • Specify a range of builds from the Baseline Build and Target Build drop-down menus.
  3. Enable the Create dashboard from a template option and choose one of the CWE templates.
  4. Click Create to finish adding the dashboard.

...

This widget shows the general compliance status of the project. It includes the build ID and the compliance category configuration used to display the results.


The widget can show the following states:

...

Title

You can rename the widget in the Title field.

Filter

Choose a specific filter or Dashboard Settings from the drop-down menu. See Creating and Managing Filters for additional information.

The filter should contain data that matches the type of compliance profile you choose (Java or .NET). For example, if the filter contains code analysis data for a .NET project, choose one of the .NET compliance profiles.

Target Build

Choose a specific build from the drop-down menu. The build selected for the entire dashboard is selected by default. See Using Build Administration for additional information about builds. This setting is available for all widgets.

Compliance Profile


Choose a compliance profile from the drop-down menu to display the code analysis data against one of the supported CWE-specific sets of guidelines. You can choose one of the following profiles:

  • CWE 3.3 4 - .NET
  • CWE 3.3 4 - Java
  • CWE Top 25 - .NET
  • CWE Top 25 - Java
  • CWE Top 25+Cusp - .NET
  • CWE Top 25+Cusp - Java

The type of compliance profile (Java or .NET) should match the data in the selected filter. For example, choose one of the .NET compliance profiles if the filter contains code analysis data for a .NET project.

...

The Key Performance Indicator (KPI) DTP Workflow defines a KPI associated with static analysis rules so you can measure and quantify results. The build must have both static analysis and metrics analysis data for the KPI extension to perform the calculation. The code analysis tool should already have been executed with the Metrics and CWE 3.3 4 test configurations under the same build ID. The metrics analysis must also include data for the Logical Lines of Code metric (metricId METRIC.NOLLOCIF). Refer to the tool documentation for details about setting the build ID and executing the Metrics test configuration.

...