The Parasoft CWE Compliance artifact is a set of assets for your DTP infrastructure that enables you to track and visualize programming errors associated with CWE (Common Weakness Enumeration) guidelines. The artifact is shipped as part of the Security Compliance Pack for DTP 5.4.1. Contact your Parasoft representative for download and licensing information.
The CWE Compliance artifact supports the following specific CWE implementations:
Click on the following links to learn more about CWE guidelines:
One of the following Parasoft code analysis tools, with the appropriate Security Compliance license, is required:
The following artifacts are included in the package and added to your DTP environment when you install the Security Compliance Pack.
This is the core asset that extends DTP's data processing capabilities and produces CWE widgets and reports. DTP Workflows must be deployed using Extension Designer before they can be used (see Deploying the CWE Assets).
Dashboard templates include preconfigured widgets to help you quickly view specific information about your projects. Review the Dashboards section if you are unfamiliar with dashboards in DTP. The following template files are included in the CWE Compliance artifact:
See Adding the CWE Dashboards for details.
Profiles provide a range of functions in a DTP infrastructure, such as providing inputs for custom calculations executed by an extension and providing data for compliance reports. Profiles take their structure from models, which define fields, headers, or other components used in the profile. See Working with Model Profiles for information about understanding profiles in DTP Enterprise Pack. The following profile files are included with the CWE artifact.
Individual code analysis rules belong to a category, such as Security, Exceptions, etc. The CWE Compliance artifact includes files that map code analysis rules to CWE-specific categories, i.e., weakness type or impact. You can configure widgets to report violations according to the categories defined in the following files to view them according to their CWE category:
See Custom Compliance Categories for additional information about rule categories in DTP.
This DTP Workflow performs additional calculations that provide metrics data for the CWE Security Impact KPI. The KPI Workflow is optional and is a general-purpose DTP Workflow rather than part of the CWE Compliance artifact; the CWE artifact ships the profiles it uses. To use this workflow, deploy it to your DTP environment and manually add instances of the standard Metrics - Summary widget to your dashboard to view the data. See Calculating Security Impact for details.
The CWE Compliance assets are installed when you install the Security Compliance Pack (see Installation). After installing the artifact, you must deploy the assets to your DTP environment.
You can now add CWE widgets, use CWE compliance categories, and view CWE reports.
The CWE Compliance dashboard templates will be available after installing the Security Compliance Pack. If you do not see the dashboard templates, restart DTP (see Stopping DTP Services and Starting DTP Services).
Repeat the process for any additional CWE dashboards you want to add to your DTP view.
If you have already executed your code analysis tool using the correlated CWE test configuration, widgets will render data as soon as the dashboard is added. You can immediately begin using these widgets and working with the data to help you track your compliance goals.
The dashboard templates for .NET projects have the same widgets but are configured to show data related to either a CWE SANS Top 25 2011 - .NET compliance category or a CWE 3.1 - .NET compliance category. See Compliance Categories for a list of the available compliance categories. The following widgets are included:
This widget shows the general compliance status of the project.
The widget can show one of several states:
Click on the widget to open the CWE Compliance Report.
This widget shows how much of the project is in compliance with the CWE guidelines.
Click on the widget to open the CWE Compliance Report.
This widget shows the number of rules passed, violations, and deviations (suppressed code analysis violations). The green segment in the pie chart represents passing rules, while the red segment represents rules that have been violated.
You can perform the following actions:
The dashboard includes several instances of the standard DTP Categories - Top 5 Table widget configured to show violations according to CWE guidelines.
Each instance of the widget is driven by the compliance category configuration (see Compliance Categories).
Click on a category link in the Name column to open the Violations by Rule report. Click on the more... link (if more than five categories contain violations) to view the Violations by Compliance Category report.
The dashboard includes an instance of the standard DTP Rules in Compliance - Summary widget configured for CWE. This widget shows what percentage of the rules are in compliance, number of rules in compliance, rules enabled, and number of violations. Click on the widget to view the Violations by Compliance Category report.
The dashboard includes an instance of the standard DTP Compliance By Category widget configured for CWE. This widget provides an overview of the compliance status for each category in the compliance configuration.
Click on the widget to open the Violations by Rule report.
This widget shows how static analysis violations are concentrated according to their technical impact.
Mouse over a leaf in the widget to view details. Click on a leaf to open the Violations Explorer filtered by the compliance category.
The CWE Top 25 - Java dashboard template includes standard DTP widgets preconfigured to show data according to a Java-oriented compliance category. See Compliance Categories for a list of the available compliance categories. The following widgets are included:
The dashboard includes an instance of the standard DTP Rules in Compliance - Summary widget configured for CWE. This widget shows what percentage of the rules are in compliance, number of rules in compliance, rules enabled, and number of violations.
Click on the widget to view the Violations by Compliance Category report.
The dashboard includes an instance of the standard DTP Compliance by Category/Severity widget configured to show data according to the CWE SANS Top 25 2011 - Java compliance category. This widget lists the weakness categories, number of rules used to detect each weakness, number of passing rules for each weakness, and the breakdown of the security level(s) associated with the rules. Click on a weakness link in the Name column to open the Violations by Rule report.
The dashboard includes an instance of the standard DTP Compliance by Category/Severity widget configured to show data according to the CWE SANS Top 25 2011 - Technical Impact - Java compliance category. This widget lists the technical impact categories, number of rules used to detect each impact category, number of passing rules for each category, and the breakdown of the security level(s) associated with the rules. Click on a technical impact category link in the Name column to open the Violations by Rule report.
The dashboard includes an instance of the standard DTP Categories - Top 5 Table widget configured to show data according to the CWE SANS Top 25 2011 - Java compliance category. This widget lists the five weaknesses with the highest number of violations. Click the more... link to open the Violations by Compliance Category report. Click on a weakness link in the Name column to open the Violations by Rule report.
The dashboard includes an instance of the standard DTP Rules - Top 5 Table widget configured to show data according to the CWE SANS Top 25 2011 - Java compliance category. This widget lists the five code analysis rules with the highest number of violations. Click the more... link to open the Violations by Compliance Category report. Click on a rule link in the Name column to open the Violations Explorer.
The dashboard includes an instance of the standard DTP Violations - Summary Trend widget configured to show data according to the CWE SANS Top 25 2011 - Java compliance category. This widget shows the total number of failed or suppressed violations, the trend over a specified period, and the change from the first to the last build in that period. Click on the widget to open the Violations Explorer.
The dashboard includes an instance of the standard DTP Severities - Pie widget configured to show data according to the CWE SANS Top 25 2011 - Java compliance category. This widget shows a pie chart of the violations in the project. Each segment represents a severity level. The legend includes the number of violations and the change from the baseline build to the target build. Click on the widget to open the Violations Explorer.
The dashboard includes an instance of the standard DTP Authors - Top 5 Bar widget configured to show data according to the CWE SANS Top 25 2011 - Java compliance category. This widget shows the five code authors with the highest number of violations. Click on the more... link to open the Authors Report. Click on a bar to view the author's violations in the Violations Explorer.
You can manually add the CWE widgets to an existing dashboard. See Adding Widgets for general instructions on how to add widgets to a dashboard. After deploying the artifact, widgets will appear in the CWE category.
Setting | Description
---|---
Title | You can rename the widget in the Title field. This setting is available for all widgets.
Filter | Choose a specific filter or Dashboard Settings from the drop-down menu. See Creating and Managing Filters for additional information. This setting is available for all widgets.
Target Build | Choose a specific build from the drop-down menu. The build selected for the entire dashboard is selected by default. See Using Build Administration for additional information about builds. This setting is available for all widgets.
Compliance | Choose a compliance category group to view the data. See Compliance Categories for a list of the CWE-related compliance category groups. This setting is not available for custom CWE widgets.
Compliance Profile | Profiles are assets shipped with an extension that enable DTP to perform additional calculations. See Models and Profiles for a list of the profiles shipped with the CWE Compliance artifact.
The CWE Compliance artifact includes profiles that you can use to calculate the security impact of detected weaknesses. Additional steps are required to leverage this functionality. See Calculating Security Impact for details.
The Key Performance Indicator (KPI) DTP Workflow defines a KPI associated with static analysis rules so you can measure and quantify results. The build must contain both static analysis and metrics analysis data for the KPI extension to perform the calculation, so run your code analysis tool with the Metrics test configuration as well as the CWE 3.1 test configuration under the same build ID. The metrics data must also include the Logical Lines of Code metric (metricId METRIC.NOLLOCIF). Refer to the tool documentation for details about setting the build ID and executing the Metrics test configuration.
This artifact needs to be deployed manually before you can use it.
The widget will appear on your dashboard.
Clicking on the widget opens the Single Metric Overview Report.
You can execute the request in a browser, using a cURL command, or add it to a script. The following table describes the request parameters (buildId is optional; the others are required):
Parameter | Description
---|---
filterId | The filter ID for the project that the calculations will be performed on. You can quickly get the filter ID from the URL of your dashboard. You can also get the filter ID from the Filters settings in DTP administration (see Creating and Managing Filters).
profile | The name of the profile that contains the rules and weights for the calculation. Specify one of the CWE Security Impact profiles (CWE Security Impact - .NET or CWE Security Impact - Java; see Profiles). You can get the profile names from the Model Profile tab in Extension Designer.
buildId | The build on which the calculation will be performed. To use the latest unlocked build that has violations data and metrics calculated, specify latestBuild as the value. If no buildId is provided, the parameter defaults to latestBuild.
Example request:
http://framemaker.parasoft.com:8314/api/v1/services/5c0f0cae5d018e0630ae2789/slices/9acaecb1.7eb78?filterId=9&buildId=docs-dotTEST&profile=CWE%20Security%20Impact%20-%20.NET
Example response:
{ "success": { "title": "KPI", "message": "Calculation has started for filter 'CWE dotTEST' using profile 'CWE Security Impact - .NET'. Check debug output for any errors during calculation." } }
Every rule can have a different weighting, and not every rule has to be in the profile, which enables you to run different KPIs for different purposes and different profiles for different subsets of rules. See Profiles for additional information.
Depending on the volume of data being analyzed, KPI calculation may require multiple runs to acquire the core data and may take significant time. Trigger the KPI calculation as part of your build process or manually using a trigger node in the KPI slice. Note that the response only confirms that the calculation has started; errors during the run are reported in the debug output, not in the response.
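The following Python script is an added example, not Parasoft code and not taken from this page. It builds the request described above (percent-encoding the profile name exactly as the page's example URL does) and classifies the reply so the trigger can run as a build step that fails when DTP rejects the request. The base URL, service ID and slice ID are placeholders copied from the page's example; in your environment they come from the KPI slice's endpoint URL in Extension Designer. The page shows only the success reply, so the assumed failure shape {"error": {"message": ...}} and the absence of any authentication header are assumptions, not documented behavior.

```python
"""Trigger the DTP KPI (CWE Security Impact) calculation from a build script.

Added example; not Parasoft code. Assumptions not taken from the page:
- SERVICE_ID / SLICE_ID are the values in the page's example URL; yours
  come from the KPI slice's endpoint URL in Extension Designer.
- A rejected request is assumed to reply {"error": {"message": ...}}; the
  page shows only the {"success": {...}} form.
- No authentication is added; add whatever your DTP instance requires.
"""
import json
import sys
import urllib.parse
import urllib.request

# Placeholders copied from the page's example request.
BASE_URL = "http://framemaker.parasoft.com:8314"
SERVICE_ID = "5c0f0cae5d018e0630ae2789"
SLICE_ID = "9acaecb1.7eb78"


def build_kpi_url(base_url, service_id, slice_id, filter_id, profile,
                  build_id="latestBuild"):
    """Return the GET URL that starts the KPI calculation.

    The profile name contains spaces, so it is percent-encoded with %20
    (not '+'), which is what the page's example URL shows. buildId defaults
    to latestBuild, matching the slice's own default.
    """
    params = {"filterId": str(filter_id), "buildId": build_id, "profile": profile}
    query = urllib.parse.urlencode(params, quote_via=urllib.parse.quote)
    return f"{base_url.rstrip('/')}/api/v1/services/{service_id}/slices/{slice_id}?{query}"


def interpret_response(body):
    """Classify the slice's JSON reply as (started, message).

    'started' only means DTP accepted the request: the calculation runs
    asynchronously and reports problems to the debug output, so a build
    step must not treat this reply as completion of the KPI value.
    """
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return False, f"non-JSON reply: {body[:120]!r}"
    if "success" in data:
        return True, data["success"].get("message", "")
    if "error" in data:  # assumed failure shape, see module docstring
        err = data["error"]
        if isinstance(err, dict):
            return False, err.get("message", json.dumps(err))
        return False, str(err)
    return False, f"unexpected reply: {body[:120]!r}"


def trigger_kpi(url, timeout=30):
    """GET the URL and return interpret_response() of the body."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return interpret_response(resp.read().decode("utf-8"))


# Constructed sample, copied from the page's example reply, for offline use.
SAMPLE_SUCCESS = json.dumps({"success": {"title": "KPI", "message":
    "Calculation has started for filter 'CWE dotTEST' using profile "
    "'CWE Security Impact - .NET'. Check debug output for any errors during calculation."}})


def main(argv):
    """Usage: kpi_trigger.py <filterId> <profile> [buildId]"""
    if len(argv) < 3:
        print(main.__doc__, file=sys.stderr)
        return 2
    build_id = argv[3] if len(argv) > 3 else "latestBuild"
    url = build_kpi_url(BASE_URL, SERVICE_ID, SLICE_ID, argv[1], argv[2], build_id)
    started, message = trigger_kpi(url)
    print(message)
    return 0 if started else 1  # a non-zero exit fails the build step


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it after the Metrics and CWE 3.1 test configurations have reported under the same build ID, e.g. `python kpi_trigger.py 9 "CWE Security Impact - .NET" docs-dotTEST`. The page's example uses plain http; if your DTP server is reached over a network you do not control, fronting it with TLS is a sensible precaution (an assumption about your deployment, not something the page prescribes).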
The following CWE widgets shipped with the CWE Compliance artifact link to the CWE Compliance Report:
You can use the report to demonstrate compliance with CWE.
You can perform the following actions:
The Weakness Detection Plan shows how Parasoft code analysis rules map to weaknesses. This report is populated with data from the selected compliance profile (see Models and Profiles).
The Deviation Report shows information about which violations have been suppressed in the project. By default, the report shows all guidelines, but you can enable the Only Deviations option to filter out guidelines that have no suppressions associated with them. See Suppressing Violations for information about suppressions in DTP. Refer to the documentation for your analysis tool to learn about in-code suppressions.
The Build Audit Report is native functionality in DTP. It shows an overview of code analysis violations, as well as test results and coverage information, associated with the build. This report also allows you to download an archive of the data, which is an artifact you can use to demonstrate compliance with CWE during a regulatory audit.
In order to download an archive, the build has to be locked. See Build Audit Report for additional details.
The Security Compliance Pack for DTP 5.4.1 includes a set of profiles that perform custom calculations for the CWE 3.1 and CWE SANS Top 25 2011 standards and a set of profiles associated with calculating the CWE Security Impact KPI metrics for Java and .NET code.
The default profiles show the correlation between CWE guidelines and Parasoft code analysis rules and are suitable for most normal use cases.
We strongly advise you to avoid changing the default CWE profiles because doing so will affect any reports you may need to generate for auditing purposes.
If necessary, you can make a copy of the default profile and adjust the correlation between Parasoft code analysis rules and CWE guidelines to achieve your software quality and compliance goals.
The KPI artifact shipped with the Security Compliance Pack includes the CWE Security Impact - .NET and CWE Security Impact - Java profiles. The profiles assign weights to the rules in order to calculate a KPI value for the build.
The default profile is suitable for most normal usage, but you can adjust the weights for each metrics rule if necessary.