CWE

Common Weakness Enumeration

A Community-Developed List of Software & Hardware Weakness Types


Name of Your Organization:

AbsInt Angewandte Informatik GmbH

Web Site:

www.absint.com

Compatible Capability:

Astrée

Capability Home Page:

http://www.absint.com/astree

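General Capability Questions

Product Accessibility

Provide a short description of how and where your capability is made available to your customers and the public (required)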

Licensed customers of Astrée are provided download links to the latest versions of the software.

Mapping Questions

Map Currency Indication

Describe how your capability indicates the most recent CWE content used to create or update its mappings (required)

The version of CWE content used and referenced is given in the tool's user manual. The user manual contains a dedicated chapter on CWE describing which weaknesses are addressed by Astrée's rule checking. This chapter always states the referenced CWE version.

Map Currency Update Approach

Indicate how often you plan on updating the mappings to reflect the current CWE content and describe your approach to keeping reasonably current with the CWE content when mapping them to your repository (recommended)

There are two major releases per year, in April and October. The mappings are updated with each such major release.

MAP CURRENCY UPDATE TIME

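Describe when and where you explain to your customers when they should expect updates to your capability's mappings to reflect newly available CWE content (required)

There are usually two major releases per year, typically in April and October. The mappings are updated at least with each such major release.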

Documentation Questions

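CWE and Compatibility Documentation

Provide a copy, or directions to its location, of where your documentation describes CWE and CWE compatibility (required)

This description can be found in the user manual of Astrée, Chapter 7.18 Common Weakness Enumeration – CWE; see the screenshot. The user manual is available to licensed users and is accessible directly from the tool GUI.

[Image: CWE and Compatibility Documentation]

Documentation for Finding Elements Using CWE Identifiers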

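Provide a copy, or directions to its location, of where your documentation describes the specific details of how your customers can use CWE identifiers to find the individual security elements within your capability’s repository (required):

After an analysis run, the customer can go to the "Rule violations" tab and select (left-click) the CWE identifier of interest. The findings table will then show only the findings mapped to the selected CWE identifier. See the screenshot.

[Image: Documentation for Finding Elements Using CWE Identifiers]

Documentation for Finding CWE Identifiers Using Elements

Provide a copy, or directions to its location, of where your documentation describes the process a user would follow to find the CWE identifiers associated with individual security elements within your capability’s repository (required)

The user manual provides a list of every check the tool can perform together with the associated CWE identifiers (or other coding rules), as shown below:

[Image: Documentation for Finding CWE Identifiers Using Elements]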

Listed CWE identifiers link back to their description.

DOCUMENTATION INDEXING OF CWE-RELATED MATERIAL

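If your documentation includes an index, provide a copy of the items and resources that you have listed under "CWE" in your index. Alternatively, provide directions to where these "CWE" items are posted on your web site (recommended)

The index lists the supported CWE identifiers. This list corresponds to the list of supported CWE identifiers found at https://www.absint.com/rulechecker/compliance.htm (in the "CWE" tab).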

Type-Specific Capability Questions

Tool Questions

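Finding Tasks Using CWE Identifiers

Give detailed examples and explanations of how a user can locate tasks in the tool by looking for their associated CWE identifier (required)

From the results overview, the user can switch to the Rule violations tab simply by double-clicking a CWE identifier. The screenshot shows the results overview with the Rule violations tab.

[Image: Finding Tasks Using CWE Identifiers]

Finding CWE Identifiers Using Elements in Reports

Give detailed examples and explanations of how, for reports that identify individual security elements, the tool allows the user to determine the associated CWE identifier for the individual security elements in the report (required)

When examining reports in the Astrée GUI, each finding states the CWE identifiers associated with that finding type.

[Image: Finding CWE Identifiers Using Elements in Reports]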

In the offline HTML reports, each finding lists the CWE identifiers of violated CWEs.

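[Image: Finding CWE Identifiers Using Elements in Reports]

Getting a List of Claimed CWE Identifier Coverage

Give detailed examples and explanations of how a user can obtain a listing of all of the CWE identifiers that the owner claims the tool is effective at locating in software (required)

The CWE compliance matrix, accessible via Help -> CWE compliance matrix, lists for each CWE identifier the claimed match accuracy element as defined by the CWE CCR.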

USING CCR TO PROVIDE CLAIMED CWE IDENTIFIER COVERAGE

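Give detailed instructions on how a user can find the Coverage Claims Representation (CCR) XML document covering all CWE identifiers (recommended)

AbsInt does not currently provide the CCR XML file.

Getting a List of CWE Identifiers Associated with Tasks

Give detailed examples and explanations of how a user can obtain a listing of all of the CWE identifiers that are associated with the tool’s tasks (recommended)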

Astrée's GUI lists all CWE identifiers associated with a task, i.e., finding, directly with the finding in its Findings view:

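[Image: Getting a List of CWE Identifiers Associated with Tasks]

Selecting Tasks with a List of CWE Identifiers

Describe the steps and format that a user would use to select a set of tasks by providing a file with a list of CWE identifiers (recommended)

The user can import an XML file specifying the CWE identifiers of interest. The tool will then show only the findings related to those identifiers. The file format is as follows and is described in detail in the Astrée user manual: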

  <规则>  ...        

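Selecting Tasks Using Individual CWE Identifiers

Describe the steps a user would follow to browse, select, and deselect a set of tasks for the tool by using individual CWE identifiers (recommended)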

The user may provide a DAX file as described above with a single CWE identifier of interest. He may also set a filter for the Findings view of the Astrée GUI to show just the findings associated with the given identifier:

Non-Support Notification for a Requested CWE Identifier

Provide a description of how the tool notifies the user that a task associated with a selected CWE Identifier cannot be performed (recommended)

The analysis results always contain the analysis configuration including a list of all CWE identifiers for which findings are reported. Identifiers not listed are not checked.

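Media Questions

Electronic Document Format Information

Provide details about the different electronic document formats that you provide and describe how they can be searched for specific CWE-related text (required)

All documentation is provided in PDF format. Common PDF viewers provide full-text search.

Electronic Document Listing of CWE Identifiers

If one of the capability’s standard electronic documents only lists security elements by their short names or titles, provide example documents that demonstrate how the associated CWE identifiers are listed for each individual security element (required)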

All documents show (at least) identifier plus title.

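Electronic Document Element to CWE Identifier Mapping

Provide example documents that demonstrate the mapping from the capability's individual elements to the respective CWE identifiers (recommended)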

A mapping of checks performed by Astrée and associated CWE identifiers is given in the user manual. The format of the mapping is discussed in the answer to CR_A.3.1.

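Graphical User Interface (GUI) Questions

Finding Elements Using CWE Identifiers Through the GUI

Give detailed examples and explanations of how the GUI provides a "find" or "search" function for the user to identify your capability's elements by looking for their associated CWE identifiers (required)

See the answer to CR.A.2.1

GUI Element to CWE Identifier Mapping

Briefly describe how the associated CWE identifiers are listed for the individual security elements, or discuss how the user can use the mapping between CWE identifiers and the capability's elements; also describe the format of the mapping (required)

See the answer to CR.A.2.2

GUI Export Electronic Document Format Information

Provide details about the different electronic document formats that you provide for exporting or accessing CWE-related data and describe how they can be searched for specific CWE-related text (recommended)

The user can generate a rule-checking report containing all CWE-related violations as noted in CR.A.2.2. These reports can be generated as HTML, text, and/or CSV files. Each file format can be searched for specific CWE identifiers with standard viewers.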

Questions for Signature

STATEMENT OF COMPATIBILITY

Have an authorized individual sign and date the following Compatibility Statement (required)

"As an authorized representative of my organization I agree that we will abide by all of the mandatory CWE Compatibility Requirements as well as all of the additional mandatory CWE Compatibility Requirements that are appropriate for our specific type of capability."

Name: Christian Ferdinand

Title: Chief Executive Officer

Accuracy

Have an authorized individual sign and date the following accuracy statement (recommended)

"As an authorized representative of my organization I agree that we will abide by all of the mandatory CWE Compatibility Requirements as well as all of the additional mandatory CWE Compatibility Requirements that are appropriate for our specific type of capability."

Name: Christian Ferdinand

Title: Chief Executive Officer

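Statement on False-Positives and/or False-Negatives

For tools and services only: have an authorized individual sign and date the following statement about your tool's efficiency in identification of security elements (required)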

"As an authorized representative of my organization I agree that we will abide by all of the mandatory CWE Compatibility Requirements as well as all of the additional mandatory CWE Compatibility Requirements that are appropriate for our specific type of capability."

Name: Christian Ferdinand

Title: Chief Executive Officer

Page Last Updated: October 05, 2018