The Parasoft CERT C Compliance extension is a set of assets for your DTP infrastructure that enable you to demonstrate compliance with CERT C Coding Standard guidelines. The extension is shipped as part of the Security Compliance Pack for DTP 5.4.0. Contact your Parasoft representative to download and license the Security Compliance Pack.
In this section:
The CERT C Coding Standard was developed by the CERT Coordination Center to improve the safety, reliability, and security of software systems. CERT coding standards consist of "rules" and "recommendations" and are organized into a set of categories. Rules provide code requirements for adhering to the standard, whereas recommendations are intended to provide guidance that improves the safety, reliability, and security of software systems.
Rules and recommendations are collectively referred to as "guidelines." Guidelines in the CERT C Secure Coding Standard are cross-referenced with Common Weakness Enumeration (CWE) entries.
In terms of risk analysis, CERT uses three metrics to help quantify the effects of failing to comply with a guideline:
The metrics are used to prioritize violations into three levels: L1 (highest priority), L2, and L3. The CERT C Compliance extension configures your DTP implementation to show static analysis violations according to their CERT C priority, guideline, type, and guideline category.
See https://wiki.sei.cmu.edu/confluence/display/c/Introduction to learn more about about the standard.
C/C++test 10.4.0 or later (desktop or plug-in edition) with the Flow Analysis license feature enabled. See Security Compliance Pack for DTP 5.4.0 for additional information.
The Parasoft CERT C Compliance extension helps you create the documentation required for demonstrating compliance with CERT C. The following artifacts are included in the package.
Parasoft static and flow analysis rules normally report violations according to a category (e.g., Possible Bug, Interoperability, etc.) and severity (i.e., 1-5). In order to view code analysis violations as CERT C guideline violations, DTP requires a rule map file that realigns Parasoft rules to report violations according to CERT C guidelines. In addition, the code analysis tool (C/C++test) needs a test configuration file that ensures that only the rules related to the remapped CERT C rules are executed. These files are shipped with C/C++test and must also be installed to DTP (see Configuring DTP for CERT C Compliance Reporting). |
The following configuration files shipped with the extension provide CERT C-oriented compliance categories in DTP interfaces:
This file adds the CERT C compliance dashboard template to DTP. See カスタム ダッシュボード テンプレート for additional information about understanding dashboard templates.
This is the DTP Workflow you must install and deploy in Extension Designer. It extends DTP’s data processing functionality to produce CERT-specific dashboard widgets and reports. It helps you track compliance status and document guideline enforcement, deviations, and rule re-categorization.
You can apply profiles to DTP Enterprise Pack extensions that perform custom calculations and drive reporting mechanisms in DTP.
See モデル プロファイルの使用 for information about understanding profiles in DTP Enterprise Pack.
This profile extends the Key Performance Indicator artifact so that metrics widgets can show metrics information related to CERT C guidelines. The profile renders the data calculated by the CERT C Likelihood.json and CERT Remediation Cost.json profiles.
In order to leverage the metrics calculations enabled by the KPI assets, install and deploy the Key Performance Indicator artifact. This artifact ships with the Security Compliance Pack, but is also available separately from the Parasoft Marketplace. |
This file describes the contents of the extension.
The CERT C Compliance DTP Workflow ships with a default profile that includes information necessary for generating CERT compliance reports. The default profile shows the correlation between CERT guidelines and Parasoft code analysis rules.
We strongly advise you to avoid changing the default CERT C 2018 profile because doing so will affect any reports you may need to generate for auditing purposes. |
See モデル プロファイルの使用 for additional information about profiles.
Add the CERT Compliance widgets to your dashboard (see ウィジェットの追加). The widgets will appear in the Compliance category in the Add Widget overlay:
You can configure the following settings for CERT C widgets (some settings are only available for certain widgets):
| Title | You can rename the widget in the Title field. This setting is available for all widgets. |
|---|---|
| Filter | Choose a specific filter or Dashboard Settings from the drop-down menu. See フィルターの作成と管理 for additional information. This setting is available for all widgets. |
| Target Build | Choose a specific build from the drop-down menu. The build selected for the entire dashboard is selected by default. See ビルド管理の使用 for additional information about understanding builds. This setting is available for all widgets. |
| Type | This rule specifies which type of guideline you want to view in the widget. Choose either Rule, Recommendation, or All from the drop-down menu. See Background for additional information about guideline types. This setting is available for the following widgets:
|
| Level | This rule specifies which priority level you want to view in the widget. Choose either L1, L2, or L3 from the drop-down menu. See Background for additional information about guideline priorities. This setting is available for the following widgets:
|
| Compliance Profile | Specify the compliance profile you want to use to view the data. In most cases, this should be the default profile shipped with the extension (see About the CERT Compliance Profile). This setting is available for all widgets. |
The following widgets are shipped with the CERT C Compliance DTP Workflow to help you achieve CERT C compliance goals.
This widget provides an overview of the compliance status for each priority level in a tooltip for the target build. The tooltip also includes applicable deviations. Click on the widget to open the CERT C Compliance Report.
This widget shows you the general state of compliance. You can add multiple instances of the widget configured to use a different profile, e.g., a profile with disabled guidelines, to view your current compliance status. Click on the widget to open the CERT C Compliance Report.
The widget shows the overall compliance status, as well as the compliance status for each CERT C level.
The code can be compliant with deviations and violations that have been deemed acceptable. See Deviations Report for additional information about deviations.
The status will be set to Not Compliant if Parasoft code analysis rules documented in your profile were not included in the specified build or if unacceptable violations have been reported. Make sure all rules are enabled in C/C++test and re-run analysis.
This widget shows the completeness of CERT compliance as a percentage. Completeness is based on the number of guidelines being enforced in the profile. Click on the widget to open the CERT C Compliance Report.
This widget shows the compliance status for a specific Rule or Recommendation per priority level.
You can add multiple instances of the widget configured to different type/priority level combinations to help you understand your compliance status from different perspectives.
The pie chart can represent up to four different guideline statuses for the selected category:
| Green | Guidelines your code is in compliance with for the selected type and level. |
| Yellow | Guidelines that your code is deviating from but are still considered compliant. A deviation is when the guideline is not being followed according to the Parasoft static analysis rule, but is considered acceptable because it does not affect the safety of the software. Deviations represent Parasoft static analysis rules that have been suppressed. |
| Orange | Guidelines that your code is considered compliant with, even though the static analysis rules that enforce them contain violations. Only Recommendations can have this status. |
| Red | Guidelines that your code is not compliant with. |
You can perform the following actions:
This widget provides a representation of the highest concentration of static analysis violations per type and priority level. Tiles are color-coded according the priority level:
The Parasoft rule(s) enforcing violations are also presented. Tiles are proportional to the number of static analysis violations reported for each rule.
The widget uses the hierarchy established in the model profile to correlate Parasoft rules with CERT rules, recommendations, and priorities. You can mouse over a tile in the widget to view the number of violations associated with each rule-guidline-category.
Click on a rule to see the violation in the 違反エクスプローラー.
The CERT Compliance Report provides an overview of your CERT compliance status and serves as the primary document for demonstrating compliance.
You can perform the following actions:
The CERT Compliance Report contains four supporting reports:
Conformance Testing PlanThe Conformance Testing Plan cross-references CERT guidelines with Parasoft static analysis rules using the data specified in the compliance profile. You can change the severity, likelihood, remediation cost, and other values to meet your project goals by configuring the profile.
Deviation ReportYour code can contain violations and still be CERT-compliant as long as the deviations from the standard are documented and that the safety of the software is unaffected. Deviations are code analysis rules that have been suppressed either directly in the code or in the DTP Violations Explorer. See the C/C++test documentation for details on suppressing violations in the code. See Suppressing Violations in the Violations Explorer documentation for information about suppressing violations in DTP. Click on the Deviations Report link in the CERT Compliance Report to open the Deviation Report. You can filter the report by guideline type and level. You can also filter out violations that have not been suppressed by enabling the Only Deviations option.
Build Audit ReportThe ビルド監査レポート is native functionality in DTP. It shows an overview of code analysis violations, as well as test results and coverage information, associated with the build. This report also allows you to download an archive of the data, which is an artifact you can use to demonstrate compliance with CERT during a regulatory audit.
In order to download an archive, the build has to be locked. See ビルド監査レポート for additional details about this report. |
