In this section:
Why use CVE Match?
Given a large (or even small) number of violations for the same rule with the same severity, how can developers know which violations to prioritize first? Which violations to pay more or deeper attention to? How can developers not inadvertently miss a critical security issue while going through a set of violations?
DTP can recommend a CVE match associated with a violation to assist developers when facing the above questions.
What is CVE Match?
CVE match is a measure (between 0% and 100%) that quantifies the similarity between the source code of the method containing the violation and source code with known security vulnerabilities. The higher the probability, the higher the likelihood that the method containing the violation contains a security vulnerability.
CVE match can be calculated only for violations that are found within a method (or function body). It is not available if the violation is found outside of a method.
To calculate CVE match, a model was trained on code samples containing CVEs. For the java model, over 400 CVEs are covered representing 88 different CWEs including, but not limited to, the 18 most common CWEs:
CWE-20 | CWE-22 | CWE-74 | CWE-79 | CWE-89 | CWE-94 |
CWE-190 | CWE-200 | CWE-287 | CWE-352 | CWE-400 | CWE-444 |
CWE-502 | CWE-611 | CWE-770 | CWE-862 | CWE-863 | CWE-918 |
The diagram below illustrates how DTP, the CVE Match model, and OpenAI API work together.
Supported Tools
CVE match can be calculated for static analysis violations from Jtest only. C/C++test and dotTEST are currently not supported.
Prerequisites
OpenAI Settings
OpenAI settings must be configured in order to calculate CVE match for violations. See Using DTP with OpenAI for more information.
Source Code View Configuration
DTP must be configured to display source code in the Violations Explorer. See Source Code View Configuration Overview for more information.
Jtest
In order to calculate CVE match for Jtest violations, one of the following conditions must be met:
- Jtest is configured to send advanced metadata to DTP for machine learning. This setting is disabled by default, but it can be enabled under the Advanced Settings on the Static Analysis Settings tab in your Jtest test configurations. See the Jtest documentation at https://docs.parasoft.com/ for more information.
- Metrics analysis is run in addition to static analysis and both reports are sent to DTP. During the metrics analysis, one of the following metrics must be enabled:
METRIC.CLLOCRIM
METRIC.NOBLIM
METRIC.NOCLIM
METRIC.NOLLOCIM
- METRIC.NOMCIM
- METRIC.NOPAR
METRIC.NOPLIM
METRIC.NORET
METRIC.NOSLIM
Operating System Requirements
Older Linux operating systems (CentOS 7.x and older) might be missing some libraries that are needed by the CVE Match model. In these situations, when you try to calculate the CVE Match you might see an error message, "The CVE Match model is not loaded. See logs for more information." Check the logs for more information about the missing library. Note: the error is created when the first missing library is encountered. If multiple libraries are missing, you might get this error multiple times.
Microsoft Visual C++ Redistributable package (2019 or higher) is required by the CVE Match model on Windows. Unless you have disabled Windows updates, this package should already be installed on your system.
Calculating CVE Match
To calculate the CVE match for a violation, select it in the Violations Explorer and click Get Recommendations on the Prioritizations tab.
If the prerequisite conditions have been met, the CVE match will be added to the Recommendations section. If one or more prerequisite conditions have not been met, there will be an info icon to the left of the Recommendations label that you can hover over for details.
Note: The OpenAI embeddings API is called when calculating the CVE match for a violation. Since each API call incurs a cost, DTP 2024.1 only allows calculating CVE match for one violation at a time.