Introduction

The Parasoft CWE Compliance artifact is a set of assets for your DTP infrastructure that enable you to track and visualize programming errors associated with CWE (Common Weakness Enumeration) guidelines. The artifact is shipped as part of the Security Compliance Pack. Contact your Parasoft representative for download and licensing information.

Supported Guidelines

The CWE Compliance artifact supports the following specific CWE implementations:

  • 2023 CWE Top 25 Most Dangerous Software Errors
  • CWE List Version 4.15 (Jtest and dotTEST only)
  • CWE Top 25 + On the Cusp

Click on the following links to learn more about the supported CWE guidelines: 

Prerequisites

The following Parasoft code analysis tools with appropriate Security Compliance licenses are supported:

  • Jtest
  • dotTEST
  • C/C++test

Process Overview

  1. Install the Security Compliance Pack into DTP Extension Designer.
  2. Deploy the CWE Compliance artifact using Extension Designer. This action also deploys CWE Compliance assets to your DTP environment.
  3. Connect your code analysis tool to your project in DTP. Configure the settings that enable DTP to correlate analysis results, such as build ID, source control settings, and so on. See the documentation for your analysis tool for details. 
  4. Analyze the project with your code analysis tool using one of the CWE test configurations.
  5. Use the DTP dashboard template, widgets, and reports to monitor compliance with security standards.

Achieving 100% Compliance

There are many CWE guidelines that are not enforced by Parasoft static analysis. As a result, DTP will report 100% compliance against only those guidelines that are mapped to a Parasoft static analysis rule.

CWE Compliance Assets

The following artifacts are included in the package and added to your DTP environment when you install the Security Compliance Pack.

CWE Compliance.json

This is the core asset that extends DTP's data processing capabilities and produces CWE widgets and reports. DTP Workflows must be deployed using Extension Designer before they can be used (see Deploying the CWE Assets).

Test Configurations

You can configure your tool to run either the test configurations it ships with or the test configurations installed with the Security Compliance Pack. Refer to your tool's documentation for details. The following test configurations are included in the compliance pack.

Configurations for C/C++test:

  • CWE Top 25 + On the Cusp 2023
  • CWE Top 25 2023

Configurations for dotTEST:

  • CWE Top 25 + On the Cusp 2023
  • CWE Top 25 2023
  • CWE 4.15

Configuration for Jtest:

  • CWE Top 25 + On the Cusp 2023
  • CWE Top 25 2023
  • CWE 4.15

The Security Compliance pack ships with the following additional configuration for CWE and OWASP compliance. 

  • UL 2900 (combines OWASP Top 10-2021 and CWE Top 25 + On the Cusp)

Also see the OWASP Compliance documentation.

Dashboard Templates

Dashboard templates include preconfigured widgets to help you quickly view specific information about your projects. Refer to the Dashboards section to learn more about dashboards in DTP. See Adding the CWE Dashboards for details about viewing the widgets that appear in the dashboard templates. The following template files are included in the CWE Compliance artifact.

Dashboards for C and C++ code:

  • CWE Top 25 2023 - C/C++ 
  • CWE Top 25 2023 + On the Cusp - C/C++

Dashboards for .NET code:

  • CWE 4.15 - .NET 
  • CWE Top 25 2023 - .NET 
  • CWE Top 25 2023 + On the Cusp - .NET 

Dashboards for Java code:

  • CWE 4.15 - Java 
  • CWE Top 25 2023 - Java
  • CWE Top 25 2023 + On the Cusp - Java 

The Security Compliance pack ships with the following UL 2900 dashboard templates that include a combination of widgets configured to show CWE Top 25 + On the Cusp and OWASP Top 10 2021 compliance. Note that both the CWE and OWASP 2021 compliance artifacts must be deployed.

  • UL 2900 - Java 
  • UL 2900 - .NET

Also see the OWASP Compliance documentation.

Models and Profiles

Profiles provide a range of functions in a DTP infrastructure, such as providing inputs for custom calculations executed by an extension and providing data for compliance reports. Profiles take their structure from models, which define fields, headers, or other components used in the profile. See Working with Model Profiles for information about understanding profiles in DTP Enterprise Pack. The following profile files are included with the CWE artifact.

Models:

  • CWE Compliance model (cwe-compliance.json)

Profiles for C and C++ code:

  • CWE Security Impact - C++
  • CWE Top 25 - C++
  • CWE Top 25 + Cusp - C++

Profiles for .NET code:

  • CWE 4.15 - .NET profile
  • CWE Security Impact - .NET profile
  • CWE Top 25 - .NET profile
  • CWE Top 25 + Cusp - .NET

Profiles for Java code:

  • CWE 4.15 - Java profile
  • CWE Security Impact - Java profile 
  • CWE Top 25 - Java profile 
  • CWE Top 25 + Cusp - Java

Compliance Categories

Individual code analysis rules belong to a category, such as Security, Exceptions, and so on. The CWE Compliance artifact includes files that map code analysis rules to CWE-specific categories, that is, weakness type or impact. You can configure widgets to report violations according to the categories defined in the following files to view them according to their CWE category.

Categories for C and C++ code:

  • CWE Top 25 - C++ 
  • CWE Top 25 + Cusp - Software Development - C++ 
  • CWE Top 25 + Cusp - C++ 
  • CWE Top 25 + Cusp - Technical Impact - C++
  • CWE Top 25 - Software Development - C++
  • CWE Top 25 - Technical Impact - C++ 

Categories for .NET code:

  • CWE 4.15 - .NET
  • CWE 4.15 - Software Development - .NET
  • CWE 4.15 - Technical Impact - .NET
  • CWE Top 25 - .NET 
  • CWE Top 25 - Software Development - .NET 
  • CWE Top 25 - Technical Impact - .NET
  • CWE Top 25 + Cusp - .NET
  • CWE Top 25 + Cusp - Technical Impact - .NET 
  • CWE Top 25 + Cusp - Software Development - .NET

Categories for Java code:

  • CWE 4.15 - Java
  • CWE 4.15 - Software Development - Java
  • CWE 4.15 - Technical Impact - Java 
  • CWE Top 25 - Java 
  • CWE Top 25 - Software Development - Java 
  • CWE Top 25 - Technical Impact - Java
  • CWE Top 25 + Cusp - Java 
  • CWE Top 25 + Cusp - Technical Impact - Java 
  • CWE Top 25 + Cusp - Software Development - Java 

See Custom Compliance Categories for additional information about rule categories in DTP.

Cross-reference PDFs

For your convenience, PDFs that show the association between Parasoft rules and CWE guidelines are located in the following directories:

  • <PACK>/rules/jtest
  • <PACK>/rules/dottest
  • <PACK>/rules/cpptest  

Deploying the CWE Assets 

The CWE Compliance assets are installed when you install the Security Compliance Pack (see Installation). After installing the artifact, you must deploy the assets to your DTP environment.  

  1. Choose Extension Designer from the DTP settings (gear icon) menu.
  2. Click the Services tab and expand the DTP Workflows services category. You can deploy assets under any service category you wish, but we recommend using the DTP Workflows category to match how Parasoft categorizes the assets. You can also click Add Category to create your own service category (see Working with Services for additional information).
  3. You can deploy the artifact to an existing service or add a new service. The number of artifacts deployed to a service affects the overall performance. See Extension Designer Best Practices for additional information. Choose an existing service and continue to step 5 or click Add Service.
  4. Specify a name for the service and click Confirm.
  5. The tabbed interface helps you keep artifacts organized within the service. Organizing your artifacts across one or more tabs does not affect the performance of the system. Click on a tab (or click the + icon to add a new tab) and choose Import from the vertical ellipses menu.
  6. Choose Local > Flows > Workflows > Security > CWE Compliance and click Import.
  7. Click anywhere in the open area to drop the artifact into the service. 
  8. Click Deploy and return to your DTP dashboard.
  9. Refresh your browser.

You can now add CWE widgets, use CWE compliance categories, and view CWE reports.

Adding the CWE Dashboards

The CWE Compliance dashboard templates will be available after installing the Security Compliance Pack. If you do not see the dashboard templates, restart DTP (see Stopping DTP Services and Starting DTP Applications).

  1. Click Add Dashboard in the DTP toolbar and specify a name when prompted.
  2. (Optional) You can configure the default view for the dashboard by specifying the following information:
    • Choose the filter associated with your project from the Filter drop-down menu. A filter represents a set of run configurations that enables custom views of the data stored in DTP. See Configuring Filters for additional information.
    • Specify a range of time from the Period menu. 
    • Specify a range of builds from the Baseline Build and Target Build menus.
  3. Enable Create dashboard from a template and choose one of the CWE templates from the associated menu.
  4. Click Create to finish adding the dashboard.

Repeat the process for any additional CWE dashboards you want to add to your DTP view.

If you have already executed your code analysis tool using the correlated CWE test configuration, widgets will render data as soon as the dashboard is added. You can immediately begin using these widgets and working with the data to help you track your compliance goals. 

CWE Dashboards

See Dashboard Templates for a list of the dashboard templates shipped with the compliance artifact. The following widgets are included on one or more of the dashboards shipped with the Security Compliance pack:

CWE Compliance - Status

This widget shows the general compliance status of the project. It includes the build ID and the compliance category configuration used to display the results. 

The widget can show the following states:

  • Compliant - Code meets all required guidelines.
  • Compliant with Deviations - Code meets all guidelines, but deviations have been applied. Deviations are violations that you have determined to be acceptable (see Deviation Report for additional information about deviations).
  • Not Compliant - Code does not meet all required guidelines.
  • Missing rule(s) in analysis - Parasoft code analysis rules documented in your profile were not included in the specified build. 

Click on the widget to open the CWE Compliance Report.

CWE Compliance - Percentage

This widget shows how much of the project is in compliance with the CWE guidelines. 

Click on the widget to open the CWE Compliance Report.

CWE Compliance - Weakness by Status

This widget shows the number of rules passed, violations, and deviations (suppressed code analysis violations). The green segment in the pie chart represents passing rules, while the red segment represents rules that have been violated. The widget also includes the build ID and the compliance category configuration used to display the results.

You can perform the following actions:

  • Mouse over a segment of the pie chart to view details.
  • Click the passing segment of the pie chart to open the CWE Compliance Report filtered by passing guidelines.
  • Click the violations segment of the pie chart to open the CWE Compliance Report filtered by violations.
  • Click the Violations value to open an unfiltered instance of the CWE Compliance Report.
  • Click the Deviations value to open the Deviation Report.

Violations by Category

The dashboard includes several instances of the standard DTP Categories - Top 5 Table widget configured to show violations according to CWE guidelines. 

Each instance of the widget is driven by the compliance category configuration (see Compliance Categories).

Click on a category link in the Name column to open the Violations by Rule report. Click on the more... link (if more than five categories contain violations) to view the Violations by Compliance Category report.

Rules in Compliance

The dashboard includes an instance of the standard DTP Rules in Compliance - Summary widget configured for CWE. This widget shows what percentage of the rules are in compliance, number of rules in compliance, rules enabled, and number of violations. Click on the widget to view the Violations by Compliance Category report.
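As an added illustration (not Parasoft's code, and not the format of the profile JSON), the following Python models how the four Status widget states above and the Rules in Compliance counts follow from a profile's rule mapping and a build's results. The profile, rule names, sample builds and the precedence of the states are constructed assumptions.

```python
"""Model of the state logic behind the CWE Compliance - Status widget and the
counts behind Rules in Compliance - Summary.  Added example, not DTP's code."""
from dataclasses import dataclass

# Constructed profile: CWE guideline -> Parasoft rule IDs (placeholder names).
PROFILE = {
    "CWE-79": ["SEC.XSS-1", "SEC.XSS-2"],
    "CWE-89": ["SEC.SQLI-1"],
    "CWE-787": ["SEC.OOB-1"],
}

@dataclass
class Violation:
    rule: str
    suppressed: bool = False  # a suppressed violation is a "deviation"

@dataclass
class BuildResult:
    rules_run: set          # rules enabled in the test configuration
    violations: list        # Violation objects reported for the build

def profile_rules(profile):
    """All rules the profile maps to a CWE guideline (only these count)."""
    return {r for rules in profile.values() for r in rules}

def compliance_status(profile, build):
    """One of the four states the Status widget can show.  Assumed precedence:
    missing rules first, then open violations, then deviations."""
    required = profile_rules(profile)
    if required - build.rules_run:
        return "Missing rule(s) in analysis"
    relevant = [v for v in build.violations if v.rule in required]
    if any(not v.suppressed for v in relevant):
        return "Not Compliant"
    if relevant:  # every relevant violation is suppressed
        return "Compliant with Deviations"
    return "Compliant"

def rules_summary(profile, build):
    """Rules enabled, rules in compliance, open violations, and percentage."""
    enabled = profile_rules(profile) & build.rules_run
    open_viols = [v for v in build.violations if v.rule in enabled and not v.suppressed]
    passing = enabled - {v.rule for v in open_viols}
    pct = round(100.0 * len(passing) / len(enabled), 1) if enabled else 0.0
    return {"enabled": len(enabled), "in_compliance": len(passing),
            "violations": len(open_viols), "percent": pct}

# Constructed build results: one open violation, one only deviations, one
# build that did not run every profile rule.
ALL_RULES = profile_rules(PROFILE)
BUILD_OPEN = BuildResult(ALL_RULES, [Violation("SEC.XSS-1"), Violation("SEC.SQLI-1", True)])
BUILD_DEVIATED = BuildResult(ALL_RULES, [Violation("SEC.XSS-1", True)])
BUILD_PARTIAL = BuildResult(ALL_RULES - {"SEC.OOB-1"}, [])
```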

Compliance by Category

The dashboard includes an instance of the standard DTP Compliance By Category widget configured for CWE. This widget provides an overview of the compliance status for each category in the compliance configuration. 

Click on the widget to open the Violations by Rule report.

CWE Weakness by Technical Impact - TreeMap

This widget shows how static analysis violations are concentrated according to their technical impact. 

Mouse over a leaf in the widget to view details. Click on a leaf to open the Violations Explorer filtered by the compliance category.

Manually Adding the CWE Widgets

You can manually add the CWE widgets to an existing dashboard. See Adding Widgets for general instructions on how to add widgets to a dashboard. After deploying the artifact, widgets will appear in the CWE category.  

CWE Widget Configuration Settings

Title

You can rename the widget in the Title field.

Filter

Choose a specific filter or Dashboard Settings from the menu. See Configuring Filters for additional information.

The filter should contain data that matches the type of compliance profile you choose (Java, .NET, C++). For example, if the filter contains code analysis data on a .NET project, then you should choose one of the .NET compliance profiles.

Target Build

Choose a specific build from the menu. The build selected for the entire dashboard is selected by default. See Using Build Administration for additional information about understanding builds. This setting is available for all widgets.

Compliance Profile

Choose a compliance profile from the menu to display the code analysis data against one of the supported CWE-specific sets of guidelines. You can choose one of the following profiles:

  • CWE 4.15 - .NET
  • CWE 4.15 - Java
  • CWE Top 25 - .NET
  • CWE Top 25 - Java
  • CWE Top 25 - C++
  • CWE Top 25 + Cusp - .NET
  • CWE Top 25 + Cusp - Java
  • CWE Top 25 + Cusp - C++

The type of compliance profile (Java, .NET, C++) should match the data in the selected filter. For example, choose one of the .NET compliance profiles if the filter contains code analysis data on a .NET project.

CWE Compliance Report

The CWE Compliance Report enables you to demonstrate compliance and monitor progress toward your compliance policy. The following CWE widgets link to the CWE Compliance Report: 

The report includes data for the build ID and filter configured in the widget you clicked to access the report. The compliance status of the project is also determined by the compliance profile configuration specified in the widget you clicked to access the report (see CWE Widget Configuration Settings).

You can perform the following actions:

  • Click on one of the following links to open a sub-report:
  • Choose a state from the Compliance drop-down menu to filter weaknesses by their current state.
  • Click on a column header to sort the report.
  • Click a link in the Weakness column to go directly to the weakness in the Weakness Detection Plan report.
  • Click a value in the # of Violations column to view the violations in the Violations Explorer.
  • Click a value in the # of Deviations column to view the suppressed violations in the Violations Explorer.
  • Click Download PDF to export a printer-friendly PDF version of the report data. If you added a custom graphic to DTP as described in Adding a Custom Graphic to the Navigation Bar, the PDF will also be branded with the graphic. 

Weakness Detection Plan

The Weakness Detection Plan shows how Parasoft code analysis rules map to weaknesses. This report is populated with data from the selected compliance profile (see Models and Profiles). 

Deviation Report

The Deviation Report shows information about which violations have been suppressed in the project. See Suppressing Violations for information about suppressions in DTP. Refer to the documentation for your analysis tool to learn about in-code suppressions.

By default, the report shows all guidelines, but you can enable Only Deviations to filter out guidelines that have no suppressions associated with them. You can also enable Hide Modification History to exclude the modification history for deviations. 

Build Audit Report

The Build Audit Report is native functionality in DTP. It shows an overview of code analysis violations, as well as test results and coverage information, associated with the build. This report also allows you to download an archive of the data, which is an artifact you can use to demonstrate compliance with CWE during a regulatory audit.

In order to download an archive, the build has to be locked. See Build Audit Report for additional details.

Profiles

Profiles provide additional inputs that enable custom calculations. The Security Compliance Pack includes a set of profiles that enable the data to be viewed in the context of CWE standards. See Models and Profiles for a list of the profiles used for CWE compliance. You can create custom profiles if you want to customize how DTP reports CWE data.

CWE Compliance Profiles

The default profiles show the correlation between CWE guidelines and Parasoft code analysis rules and are suitable for most normal use cases.

Do not modify the CWE profiles

We strongly advise you to avoid changing the default CWE profiles because doing so will affect any reports you may need to generate for auditing purposes.

If necessary, you can make a copy of the default profile and adjust the correlation between Parasoft code analysis rules and CWE guidelines to achieve your software quality and compliance goals:

  1. Open Extension Designer and click the Model Profile tab.
  2. Expand the CWE Compliance model and choose one of the profiles. 
  3. Click Export Profile to download a copy. 
  4. Click Add Profile and enter a name.
  5. Click Confirm to create an empty profile. 
  6. Rename the copy of the default profile you exported and click Import Profile.
  7. Browse for the copy and confirm to upload.
  8. Click Edit and make your adjustments. 
  9. Click Save.