CWE

Common Weakness Enumeration

A Community-Developed List of Software & Hardware Weakness Types


Name of Your Organization:

Parasoft

Website:

www.parasoft.com

Compatible Capability:

Parasoft C/C++test

Capability home page:

https://www.parasoft.com/products/ctest/

General Capability Questions

Product Accessibility

Provide a short description of how and where your capability is made available to your customers and the public (required):

Parasoft C/C++test is available for licensed customers to download from the Parasoft customer portal at https://parasoft.force.com/customerportal. It can also be found at https://www.parasoft.com/products/ctest/

Mapping Questions

Map Currency Indication

Describe how your capability indicates the most recent CWE content used to create or update its mappings (required):

Parasoft publishes CWE maps on the CWE page of its website at https://www.parasoft.com/compliance/cwe-compliance/. Links to individual products and versions are near the bottom of the page under "Parasoft Support for CWE". Each map carries a currency date stating when the map was made with the latest information.


The map date and the CWE version used for the mapping are shown at the bottom of each CWE map PDF file:


Map Currency Update Approach

Indicate how often you plan on updating the mappings to reflect the current CWE content and describe your approach to keeping reasonably current with the CWE content when mapping them to your repository (recommended):

Updates to the Parasoft CWE capability mappings are part of each product release. At that time, any changes to CWE and any new CWE entries are reviewed. We also evaluate any new or changed Parasoft rules against the existing mappings, so that individual CWE IDs align better with Parasoft rules.

MAP CURRENCY UPDATE TIME

Describe how and where you explain to your customers the timeframe they should expect an update of your capability's mappings to reflect newly available CWE content (required):

Parasoft updates the CWE maps with regular product releases, typically 3-4 times per year.

Documentation Questions

CWE AND COMPATIBILITY DOCUMENTATION

Provide a copy, or directions to its location, of where your documentation describes CWE and CWE compatibility for your customers (required):

Information about using CWE and Parasoft tools together can be found in several places. The best starting point is a brief overview of best practices and of how the system is set up and works; it can be found in the knowledge base in our customer portal at https://parasoft.force.com/customerportal/CommunitiesMainPage (registration required), under the title "Working with CWE security rules".


This knowledge base article explains how to configure Parasoft tools to use the CWE rules, how to use the CWE-centric dashboards and reports, and where to get more information.

The static analysis engines for each language (C/C++, .NET, Java) have a user's guide. In the section "Built-in Test Configurations" you can find the available pre-configured rule sets.


There is a ready-to-use configuration for the CWE Top 25, and you can also add or remove rules to create your own configuration, including writing your own custom rules graphically with Parasoft RuleWizard. Each supported language has many rules beyond the CWE Top 25.

All of these docs can be found in the installation directory after installing one of the static analysis products, as well as in the Parasoft customer portal (https://parasoft.force.com/customerportal) under "Documentation & Release Notes".


In addition, the installation directory contains a file documenting all of the hundreds of individual rules in the Parasoft tools. The same information can be found in the help system of the tool itself. Each rule's documentation has a section, under the heading "Security Relevance", that explains the security issue the rule addresses, and at the bottom any references to standards associated with the rule. Searching for "CWE" will find all rules that have a CWE reference.


Parasoft has a "Security Compliance Pack" that puts our reporting tool (DTP) into a CWE-centric configuration. This is described in the knowledge base article above, with links to current versions. The documentation is titled "Security Compliance Pack for DTP" and is available through our customer portal at https://parasoft.force.com/customerportal


This configuration uses a special map behind the scenes (see CR_B.3.3) to convert standard Parasoft rule IDs to CWE IDs. This lets you see everything as if it were natively reported as CWE IDs. No lookups are needed to find the issues related to a CWE ID, or to find which CWE ID a particular violation corresponds to, as this is inherent in the reporting.


In the above screen capture you can see, at the top, the list of CWE violations listed by CWE ID. You can drill into that chart and get the full list of violations for a particular ID. Another useful CWE feature is the charts and lists based on CWE technical impact, as seen in the top right table, which gives the number of rules and violations by severity for each impact. On the bottom right, you see a tree map representing violations by type of technical impact. This lets you concentrate on the problems most important to you.

This set of charts and dashboards comes with two default configurations that are customizable and editable by the end user as described in the docs. The two current templates offered are one for "CWE Top 25" and one for "CWE List". The List version includes all of the Parasoft rules that are currently mapped to CWE IDs and is larger than the Top 25 set. This is the list of rules that you would find in the CWE maps on our website at https://www.parasoft.com/compliance/cwe-compliance/

DOCUMENTATION OF FINDING ELEMENTS USING CWE IDENTIFIERS

Provide a copy, or directions to its location, of where your documentation describes the specific details of how your customers can use CWE identifiers to find the individual security elements within your capability's repository (required):

Using the Parasoft Security Compliance Pack with the CWE configuration, all violations are reported using CWE identifiers; no map or search is required. See CR_5.1

DOCUMENTATION OF FINDING CWE IDENTIFIERS USING ELEMENTS

Provide a copy, or directions to its location, of where your documentation describes the process a user would follow to find the CWE identifiers that are associated with individual security elements within your capability's repository (required):

Using the Parasoft Security Compliance Pack with the CWE configuration, all violations are reported using CWE identifiers; no map or search is required. See CR_5.1

DOCUMENTATION INDEXING OF CWE-RELATED MATERIAL

If your documentation includes an index, provide a copy of the items and resources that are listed under "CWE" in your index. Alternatively, provide directions to where these "CWE" items are posted on your website (recommended):

The list of CWE items we cover is part of the maps on our website at https://www.parasoft.com/compliance/cwe-compliance/. Links to individual products and versions are near the bottom of the page under "Parasoft Support for CWE".


The screen capture above is an example item from a CWE map. (See CR_6.1)

Type-Specific Capability Questions

Tool Questions

FINDING TASKS USING CWE IDENTIFIERS

Give detailed examples and explanations of how a user can locate tasks in the tool by looking for their associated CWE identifier (required):

Using the Parasoft Security Compliance Pack with the CWE configuration, all tasks are reported using CWE identifiers; no map or search is required. See CR_5.1

FINDING CWE IDENTIFIERS USING ELEMENTS IN REPORTS

Give detailed examples and explanations of how, for reports that identify individual security elements, the tool allows the user to determine the associated CWE identifier for the individual security elements in the report (required):

Using the Parasoft Security Compliance Pack with the CWE dashboards, these items are listed directly by CWE ID. See CR_5.1

GETTING CLAIMED CWE IDENTIFIER COVERAGE

Give detailed examples and explanations of how a user can obtain a list of all of the CWE identifiers that the owner claims the tool effectively locates in software (required):

Using the Parasoft Security Compliance Pack with the CWE dashboards, these items are listed directly by CWE ID. See CR_5.1

GETTING A LIST OF CWE IDENTIFIERS ASSOCIATED WITH TASKS

Give detailed examples and explanations of how a user can obtain a listing of all of the CWE identifiers that are associated with the tool's tasks (recommended):

Using the Parasoft Security Compliance Pack with the CWE dashboards, these items are listed directly by CWE ID. See CR_A.2.1

SELECTING TASKS WITH A LIST OF CWE IDENTIFIERS

Describe the steps and format that a user would use to select a set of tasks by providing a file with a list of CWE identifiers (recommended):

Using the Parasoft Security Compliance Pack with the CWE dashboards, these items are listed directly by CWE ID. See CR_A.2.1

SELECTING TASKS USING INDIVIDUAL CWE IDENTIFIERS

Describe the steps that a user would follow to browse, select, and deselect a set of tasks for the tool by using individual CWE identifiers (recommended):

Using the Parasoft Security Compliance Pack with the CWE dashboards, these items are listed directly by CWE ID. See CR_A.2.1

Media Questions

ELECTRONIC DOCUMENT FORMAT INFO

Provide details about the different electronic document formats that you provide and describe how they can be searched for specific CWE-related text (required):

Parasoft rule documentation is provided in PDF with the tool installation, as well as in an online version on our customer portal at https://parasoft.force.com/customerportal. In addition, the complete list of CWE rules we support is available as a built-in configuration, alongside the Top 25 configuration. These configurations are text-editable properties files. The CWE maps on our website at https://parasoft.force.com/customerportal are available in PDF format.

There are two different GUIs that users can use. The preferred method is to use the DTP server via a web browser with the "Security Compliance Pack" and the CWE dashboards and reports (see CR_5.1). In that case everything is already reported using CWE IDs. The tool also has plugins for various code editors such as Eclipse, IntelliJ, and Visual Studio. From those tools, you can output reports in a variety of formats such as PDF, HTML, XML, etc. If you choose this method you will need to translate the Parasoft IDs to CWE IDs using the CWE maps referenced above.


ELECTRONIC DOCUMENT LISTING OF CWE IDENTIFIERS

If one of the capability's standard electronic documents only lists security elements by their short names or titles, provide example documents that show how the associated CWE identifiers are listed for each individual security element (required):

All tool output uses IDs, never just short names or titles.

ELECTRONIC DOCUMENT ELEMENT TO CWE IDENTIFIER

Provide example documents that demonstrate the mapping from the capability's individual elements to the respective CWE identifier(s) (recommended):

The Security Compliance Pack in our marketplace (see the documentation in our customer portal at https://parasoft.force.com/customerportal) contains 4 XML files with the mappings.


The XML files are in the compliance pack itself, and the documentation shows what each is for, as seen below. Check the latest docs for the latest updates.


Graphical User Interface (GUI) Questions

FINDING ELEMENTS USING CWE IDENTIFIERS THROUGH THE GUI

Give detailed examples and explanations of how the GUI provides a "find" or "search" function for the user to identify your capability's elements by looking for their associated CWE identifier (required):

Using the Parasoft Security Compliance Pack with the CWE dashboards, these items are listed directly by CWE ID. (See CR_A.2.1)

GUI ELEMENT TO CWE IDENTIFIER MAPPING

Briefly describe how the associated CWE identifiers are listed for individual security elements, or discuss how the user can use the mapping between CWE identifiers and the capability's elements, and also describe the format of the mapping (required):

Using the Parasoft Security Compliance Pack with the CWE dashboards, these items are listed directly by CWE ID. (See CR_A.2.1)

GUI EXPORT ELECTRONIC DOCUMENT FORMAT INFO

Provide details about the different electronic document formats that you provide (recommended):

There are two different GUIs that users can use. The preferred method is to use the DTP server via a web browser with the "Security Compliance Pack" and the CWE dashboards and reports (see CR_5.1). In that case everything is already reported using CWE IDs. The tool also has plugins for various code editors such as Eclipse, IntelliJ, and Visual Studio. From those tools, you can output reports in a variety of formats such as PDF, HTML, XML, etc. If you choose this method you will need to translate the Parasoft IDs to CWE IDs using the CWE maps referenced above.


Questions for Signature

COMPATIBILITY STATEMENT

Have an authorized individual sign and date the following Compatibility Statement (required):

"As an authorized representative of my organization I agree that we will abide by all of the mandatory CWE Compatibility Requirements as well as all of the additional mandatory CWE Compatibility Requirements that are appropriate for our specific type of capability."

Name: Arthur Hicken

Title: Evangelist

STATEMENT OF ACCURACY

Have an authorized individual sign and date the following Statement of Accuracy (recommended):

"As an authorized representative of my organization I agree that we will abide by all of the mandatory CWE Compatibility Requirements as well as all of the additional mandatory CWE Compatibility Requirements that are appropriate for our specific type of capability."

Name: Arthur Hicken

Title: Evangelist

STATEMENT ON FALSE-POSITIVES AND FALSE-NEGATIVES

FOR TOOLS AND SERVICES ONLY — Have an authorized individual sign and date the following statement about your tool's efficiency in identifying security elements (required):

"As an authorized representative of my organization I agree that we will abide by all of the mandatory CWE Compatibility Requirements as well as all of the additional mandatory CWE Compatibility Requirements that are appropriate for our specific type of capability."

Name: Arthur Hicken

Title: Evangelist

Page Last Updated: June 12, 2018