The CWE Compliance artifact supports the following CWE standards:
- 2019 CWE/SANS Top 25 Most Dangerous Software Errors
- CWE List Version 4.0 (Jtest and dotTEST only)
- CWE Top 25 + On the Cusp
The following Parasoft code analysis tools are supported, provided they have the appropriate Security Compliance licenses:
- Jtest 2020.1 or later
- dotTEST 2020.1 or later
- C/C++test 2020.1 or later
- Install the Security Compliance Pack into DTP Extension Designer.
- Deploy the CWE Compliance artifact using Extension Designer. This action also deploys the CWE Compliance assets to your DTP environment.
- Connect your code analysis tool to your project in DTP. Configure the settings that enable DTP to correlate analysis results (build ID, source control settings, etc.). See the documentation for your analysis tool for details.
- Analyze the project with your code analysis tool using one of the CWE test configurations.
- (Optional) Run the KPI workflow as part of your automated build process to generate metrics data associated with CWE compliance.
- Use the DTP dashboard template, widgets, and reports to monitor compliance with security standards.
The following template files are included in the CWE Compliance artifact:
- CWE 4.0 - .NET (CWE-4_0-dotNET.json)
- CWE 4.0 - Java (CWE-4_0-Java.json)
- CWE Top 25 2019 - .NET (CWE-Top-25-dotNET.json)
- CWE Top 25 2019 - Java (CWE-Top-25-Java.json)
- CWE Top 25 2019 - C/C++ (CWE-Top-25-Cpp.json)
- CWE Top 25 2019 + On the Cusp - .NET (CWE-Top-25-and-On-the-Cusp-dotNET.json)
- CWE Top 25 2019 + On the Cusp - Java (CWE-Top-25-and-On-the-Cusp-Java.json)
- CWE Top 25 2019 + On the Cusp - C/C++ (CWE-Top-25-and-On-the-Cusp-Cpp.json)
The Security Compliance pack ships with the following additional dashboard templates, which include a combination of widgets configured to show CWE and OWASP compliance.
The following profile files are included with the CWE artifact:
- CWE 4.0 - .NET profile (cwe-4_0-dotnet.json)
- CWE 4.0 - Java profile (cwe-4_0-java.json)
- CWE Security Impact - .NET profile (cwe-security-impact-dotnet.json)
- CWE Security Impact - Java profile (cwe-security-impact-java.json)
- CWE Security Impact - C++ profile (cwe-security-impact-cpp.json)
- CWE Top 25 - .NET profile (cwe-top25-2019-dotnet.json)
- CWE Top 25 - Java profile (cwe-top25-2019-java.json)
- CWE Top 25 - C++ profile (cwe-top25-2019-cpp.json)
- CWE Top 25+Cusp - .NET profile (cwe-top25-2019-on-the-cusp-dotnet.json)
- CWE Top 25+Cusp - Java profile (cwe-top25-2019-on-the-cusp-java.json)
- CWE Top 25+Cusp - C++ profile (cwe-top25-2019-on-the-cusp-cpp.json)
- CWE Compliance model (cwe-compliance.json)
- KPI model (KPI.json)
Each code analysis rule belongs to a category, such as Security or Exceptions. The CWE Compliance artifact includes files that map code analysis rules to CWE-specific categories (weakness type or technical impact). You can configure widgets to report violations according to the categories defined in the following files, so that violations are grouped by their CWE category:
- CWE 4.0 - Development Concepts - .NET (CWE-4_0-Development-Concepts-dotNET.xml)
- CWE 4.0 - Development Concepts - Java (CWE-4_0-Development-Concepts-Java.xml)
- CWE 3.4 - Development Concepts - Java Top 25 - Technical Impact - C++ (CWE-4_0Top-Development25-ConceptsImpact-JavaCpp.xml)
- CWE 4.0 - Software Development - .NET (CWE-4_0-Software-Development-dotNET.xml)
- CWE 4.0 - Software Development - Java (CWE-4_0-Software-Development-Java.xml)
- CWE 3.4 - Java Top 25 - Technical Impact - Java (CWE-Top-25-Impact-Java.xml)
- CWE 4.0 - Software Development - .NET (CWE-4_0-JavaSoftware-Development-dotNET.xml)
- CWE 34.4 0 - Technical Impact - .NET (CWE-Top-25-Impact-dotNET.xml)
- CWE 34.4 - Technical Impact - Java 0 - .NET (CWE-Impact4_0-JavadotNET.xml)
- CWE Top 25 - Development Concepts - .NET +Cusp - C++ (CWE-Top-25-2019and-DevelopmentCusp-Concepts-dotNETCpp.xml)
- CWE Top 25 - Development Concepts 4.0 - Technical Impact - Java (CWE-Top-25-2019-Development-Concepts-Impact-Java.xml)
- CWE Top 25+Cusp - Development Concepts Technical Impact - C++ (CWE-Top-25-2019and-DevelopmentCusp-ConceptsImpact-Cpp.xml)
- CWE Top 25 - Technical Impact - .NET (CWE-TopImpact-25-2019-dotNET.xml)
- CWE Top 25+Cusp - Technical Impact - Java (CWE-Top-25-and-2019Cusp-Impact-Java.xml)
- CWE Top 25 - C++ (CWE-Top-25-2019-Cpp.xml)
- CWE Top 25+Cusp - Development Concepts - .NET (CWE-Top-25-and-Cusp-Development-Concepts-dotNET.xml)
- CWE Top 25+Cusp - Development Concepts - Java (CWE-Top-25-and-Cusp-Development-Concepts-Java.xml)
- CWE Top 25+Cusp - Technical Impact - .NET (CWE-Top-25-and-Cusp-Impact-dotNET.xml)
- CWE Top 25 +Cusp - Development Concepts - C++ - Java (CWE-Top-25-and-Cusp-Development-Concepts-Cpp2019-Java.xml)
- CWE Top 25+Cusp - .NET Java (CWE-Top-25-and-Cusp-dotNETJava.xml)
- CWE Top 25+Cusp - Java - Software Development - C++ (CWE-Top-25-2019-andSoftware-CuspDevelopment-JavaCpp.xml)
- CWE Top 25 +Cusp - Software Development - C++ (CWE-Top-25-and-Cusp-Software-Development-Cpp.xml)
- CWE Top 25 +Cusp - Technical Impact - .NET Software Development - Java (CWE-Top-25-and2019-CuspSoftware-ImpactDevelopment-dotNETJava.xml)
- CWE Top 25+Cusp - Technical Impact Software Development - Java (CWE-Top-25-and-Cusp-Software-ImpactDevelopment-Java.xml)
- CWE Top 25 +Cusp - Technical Impact - C++ Software Development - .NET (CWE-Top-25-and2019-CuspSoftware-ImpactDevelopment-CppdotNET.xml)
- CWE Top 25+Cusp - Technical Impact Software Development - .NET (CWE-Top-25-Impact-and-Cusp-Software-Development-dotNET.xml)
- CWE Top 25 - Technical Impact - Java .NET (CWE-Top-25-Impact2019-JavadotNET.xml)
- CWE Top 25 - Technical Impact - C++ +Cusp - .NET (CWE-Top-25-and-ImpactCusp-CppdotNET.xml)
See Custom Compliance Categories for additional information about rule categories in DTP.
- Click Add Dashboard in the DTP toolbar and specify a name when prompted.
- (Optional) Configure the default view for the dashboard by specifying the following information:
  - Choose the filter associated with your project from the Filter drop-down menu. A filter represents a set of run configurations that enable custom views of the data stored in DTP. See Creating and Managing Filters for additional information.
  - Specify a range of time from the Period drop-down menu.
  - Specify a range of builds from the Baseline Build and Target Build drop-down menus.
- Enable the Create dashboard from a template option and choose one of the CWE templates.
- Click Create to finish adding the dashboard.
The dashboard includes several instances of the standard DTP Categories - Top 5 Table widget configured to show violations according to CWE guidelines.
Each instance of the widget is driven by the compliance category configuration (see Compliance Categories).
The widget will appear on your dashboard.
Clicking on the widget opens the Single Metric Overview Report.
The report includes data for the build ID and filter configured in the widget you clicked to open the report. The compliance status of the project is determined by the compliance profile specified in that same widget (see CWE Widget Configuration Settings).
You can perform the following actions:
The Weakness Detection Plan shows how Parasoft code analysis rules map to weaknesses. This report is populated with data from the selected compliance profile (see Models and Profiles).