CWE

Common Weakness Enumeration

A Community-Developed List of Software & Hardware Weakness Types


Your Organization Name:

Veracode, Inc.

Web Site:

http://veracode.com

Compatible Capability:

Veracode Static Analysis

Capability home page:

https://analysiscenter.veracode.com/

General Capability Questions

Product Accessibility

Provide a short description of how and where your capability is made available to your customers and the public (required)

Veracode provides automated static and dynamic application security testing software and remediation services, delivered via a cloud-based platform.

Mapping Questions

Map Currency Indication

Describe how and where your capability indicates the most recent CWE content used to create or update its mappings (required)

As part of our 2012 release, published on February 29, 2012, the following text will be added to the Help Center on the Veracode platform under the heading "Veracode and CWE":

Veracode always uses the latest version of CWE and updates to new versions within 90 days of their release.

Map Currency Update Approach

Indicate how often you plan on updating the mappings to reflect the current CWE content and describe your approach to keeping reasonably current with the CWE content when mapping them to your repository (recommended)

All Veracode findings are mapped to CWE categories. We revisit our mappings with every new CWE release, with any changes incorporated into the subsequent Veracode platform release.

Map Currency Update Time

Describe how and where you explain to your customers the timeframe they should expect an update of your capability's mappings to reflect newly available CWE content (required)

As part of our 2012 release, published on February 29, 2012, the following text will be added to the Help Center on the Veracode platform under the heading "Veracode and CWE":

Veracode always uses the latest version of CWE and updates to new versions within 90 days of their release.

Documentation Questions

CWE and Compatibility Documentation

Provide a copy, or directions to its location, of where your documentation describes CWE and CWE compatibility for your customers (required)

Every Veracode report includes, in its "Scoring Methodology" section, a description of how CWE factors into the application's score:

The Veracode scoring system, Security Quality Score, is built on the foundation of two industry standards, the Common Weakness Enumeration (CWE) and Common Vulnerability Scoring System (CVSS). CWE provides the dictionary of security flaws and CVSS provides the foundation for computing severity, based on the potential Confidentiality, Integrity and Availability impact of a flaw if exploited.

There is also a section describing how every flaw is classified using CWE.

The Common Weakness Enumeration (CWE) is an industry-standard classification of the types of software weaknesses or flaws that can lead to security problems. CWE is widely used to provide a standard taxonomy of software errors. Every flaw in a Veracode report is classified according to a standard CWE identifier.

More guidance and background on CWE is available at http://cwe.mitre.org/data/index.html

Finally, in the Veracode platform, each flaw links directly to the CWE website so that users can obtain more detailed information about the CWE category itself. See Question 8 for more details.

Documentation of Finding Elements Using CWE Identifiers

Provide a copy, or directions to its location, of where your documentation describes how your customers can use CWE identifiers to find the specific details of individual security elements in your capability's repository (required):

Use one or more criteria

In some cases, you may want to view a particular subset of an application's flaws:

  • Flaws in a specific module or source file, or at a specific line number
  • Flaws in a specific category (e.g., cross-site scripting) or CWE
  • Flaws that are very likely to be exploited
  • Very severe flaws
  • New flaws
  • Flaws involving a particular function
  • Flaws with pending, approved, or rejected mitigations
  • Flaws with a particular effort to fix
  • Any combination of the above

You can search for any of these criteria using the Search field at the top of the list of flaws. To search for a particular item:

  1. Choose the column you want to search on from the Search drop-down list.
  2. Enter your search criteria in the text box, or select the appropriate criterion from the drop-down list.
  3. Type Enter or click the Go button. The list of flaws is filtered by the search criterion entered, and the search criterion entered is shown above the Flaw Viewer toolbar.

You can see how many flaws the search returned by looking at the flaw count to the left of the list of filter criteria.

Search by multiple criteria

If you wish to use multiple search criteria (e.g., finding all cross-site scripting flaws in a given module), search by the first criterion, then enter the second criterion. Both search criteria will be displayed above the Search field in the list of search criteria.

If you add more than three search criteria, you can click the More link to view the full list of search criteria.

Use wildcards

Filter types that take a string input (e.g., source file name, category, etc.) can use a wildcard. Entering a search string containing an asterisk (*) will look for items that contain one or more characters in place of that asterisk.

For example, searching for the category *debug* returns flaws in the "Leftover Debug Code" category.

Use negative criteria

You can specify a filter using a negative criterion (i.e., is not equal to). Negative criteria can be used to exclude a set of flaws from display, such as hiding all informational flaws (Severity=0).

To use a negative criterion:

  1. Choose the column by which you want to search from the Search drop-down list.
  2. Click the = button next to the list. This toggles the button to the Not equals (!=) state.
  3. Enter your search criteria in the text box, or select the appropriate criterion from the drop-down list.
  4. Type Enter or click the Go button. The list of flaws is filtered by the search criterion entered, and the search criterion entered is shown above the Flaw Viewer toolbar.

Documentation of Finding CWE Identifiers Using Elements

Provide a copy, or directions to its location, of where your documentation describes the process a user would follow to find the CWE identifiers associated with individual security elements in your capability's repository (required)

View static results for an application

To access static results, go to the flaw viewer by clicking the Review link from the Applications list, then click the Triage Flaws link in the left navigation menu for the application. Then click on the Static Results link at the top of the page if it is not already selected.

The grid at the bottom of the page is sortable and can be used to select specific flaws. The grid shows the flaw ID, severity, exploitability, parameter, CWE, location, status, and mitigation status. Clicking a specific finding causes the flaw viewer to prompt you to load a local copy of the source code into the source code viewer at the top of the page.

View dynamic results for an application

To access dynamic results, go to the flaw viewer by clicking the View link from the Applications list, then click the Triage Flaws link in the left navigation menu for the application. Then click on the Dynamic Results link at the top of the page if it is not already selected.

As with static scan results, the grid at the bottom of the page is sortable and can be used to select specific flaws. The grid shows the flaw ID, severity, parameter, CWE, URL, status, and mitigation status. Clicking a specific finding displays additional details in the upper half of the page.

Documentation Indexing of CWE-Related Material

If your documentation includes an index, provide a copy of the items and resources that you have listed under "CWE" in your index. Alternately, provide directions to where these "CWE" items are posted on your web site (recommended)

Our documentation does not currently include a master index.

Type-Specific Capability Questions

Tool Questions

Finding Tasks Using CWE Identifiers

Give detailed examples and explanations of how a user can locate tasks in the tool by looking for their associated CWE identifiers (required)

Veracode's CWE coverage map is available on our public-facing corporate website at http://www.veracode.com/directory/CWE-SANS-TOP-25.html. This information is also available to customers via the Help Center on the Veracode platform.

Finding CWE Identifiers Using Elements in Reports

Give detailed examples and explanations of how, for reports that identify individual security elements, the tool allows the user to determine the associated CWE identifiers of the individual security elements in the report (required)

For details on how to find CWE identifiers using the Triage Flaws interface of the Veracode platform, see Question 8. This is a developer-centric interface for drilling into the details of individual flaws.

In the HTML and PDF reports, the Findings and Recommendations are grouped first by severity (Very High to Very Low) and then by CWE identifier within each severity level. For each CWE identifier, the report contains a table of all flaw occurrences with that CWE identifier. A brief description for the CWE category is provided, along with a hyperlink to that category’s page on cwe.mitre.org.

Getting Claimed CWE Identifier Coverage

Give detailed examples and explanations of how a user can obtain a listing of all of the CWE identifiers that the owner claims the tool is effective at locating in software (required)

Veracode's CWE coverage map is available on our public-facing corporate website at http://www.veracode.com/directory/CWE-SANS-TOP-25.html. This information is also available to customers via the Help Center on the Veracode platform.

We claim that the service is effective at locating all CWE categories listed. Veracode scans undergo rigorous testing to minimize False Positives and False Negatives before introducing them into production.

This list reflects the CWEs that Veracode tests for using automated static and dynamic scanning. The Veracode platform may report flaws in other CWEs if the results of a manual penetration test are included alongside the scan results. Where a flaw may be mapped to several CWEs, Veracode generally reports the most general CWE that describes that particular case (e.g., CWE 80 is preferred for cross-site scripting over its child CWEs). This list is updated frequently.

Getting a List of CWE Identifiers Associated with Tasks

Give a detailed explanation of how a user can obtain a Coverage Claim Representation (CCR) XML document listing all of the CWE identifiers that the owner claims the service is effective at locating in software (recommended)

Veracode does not currently provide a CCR document.

Getting a List of CWE Identifiers Associated with Tasks

Give detailed examples and explanations of how a user can obtain a list of all of the CWE identifiers associated with the tool's tasks (recommended)

The Veracode service does not provide direct access to any other products.

Media Questions

Electronic Document Format Info

Provide details about the different electronic document formats that you provide and describe how they can be searched for specific CWE-related text (required)

Reports are available in HTML, PDF, and XML formats. Available reports include the Summary Report, Detailed Report, and PCI Report, all of which contain CWE mappings for every flaw. Flaw data, including CWE mappings, can also be retrieved via the Veracode Results API. All programs commonly used to view these data formats have built-in search functionality.

Electronic Document Listing of CWE Identifiers

If one of the capability's standard electronic documents only lists security elements by their short names or titles, provide example documents that demonstrate how the associated CWE identifiers are listed for each individual security element (required)

CWE identifiers are always displayed prominently whenever short names are used.

Electronic Document Element to CWE Identifier

Provide example documents that demonstrate the mapping from the capability's individual elements to the respective CWE identifiers (recommended)

A sample Veracode PDF report can be found on our public-facing corporate website at http://www.veracode.com/solutions/get-a-report.html

Graphical User Interface (GUI) Questions

Finding Elements Using CWE Identifiers Through the GUI

Give detailed examples and explanations of how the GUI provides a "find" or "search" function for the user to identify your capability's elements by looking for their associated CWE identifier(s) (required)

In the Veracode platform, the list of flaws can be sorted and filtered by CWE category. Veracode Analytics allows users to query their application inventory to understand the prevalence of specific CWE categories. For more details on finding individual security elements using CWE identifiers, see Question 7.

GUI Element to CWE Identifier Mapping

Briefly describe how the associated CWE identifiers are listed for individual security elements, or discuss how a user can use the mapping between CWE identifiers and the capability's elements; also describe the format of the mapping (required)

Every flaw is associated with a CWE category in the GUI. Hyperlinks to the CWE category on mitre.org are provided alongside the flaw description. Refer to Question 8 for more details on how to find CWE identifiers using the Triage Flaws interface of the Veracode platform.

GUI Export Electronic Document Format Info

Provide details about the different electronic document formats that you provide for exporting or accessing CWE-related data and describe how they can be searched for specific CWE-related text (recommended)

Reports are available in HTML, PDF, and XML formats. Available reports include the Summary Report, Detailed Report, and PCI Report, all of which contain CWE mappings for every flaw. Flaw data, including CWE mappings, can also be retrieved via the Veracode Results API.

Questions for Signature

Statement of Compatibility

Have an authorized individual sign and date the following Compatibility Statement (required)

See answer to above.

"As an authorized representative of my organization I agree that we will abide by all of the mandatory CWE Compatibility Requirements as well as all of the additional mandatory CWE Compatibility Requirements that are appropriate for our specific type of capability."

Name: Chris Eng

Title: Vice President of Research

Accuracy

Have an authorized individual sign and date the following Accuracy Statement (recommended)

"As an authorized representative of my organization I agree that we will abide by all of the mandatory CWE Compatibility Requirements as well as all of the additional mandatory CWE Compatibility Requirements that are appropriate for our specific type of capability."

Name: Chris Eng

Title: Vice President of Research

Statement on False-Positives and False-Negatives and/or

FOR TOOLS AND SERVICES ONLY - Have an authorized individual sign and date the following statement about your tool's efficiency in identification of security elements (required)

"As an authorized representative of my organization I agree that we will abide by all of the mandatory CWE Compatibility Requirements as well as all of the additional mandatory CWE Compatibility Requirements that are appropriate for our specific type of capability."

Name: Chris Eng

Title: Vice President of Research
