Common Weakness Enumeration

A Community-Developed List of Software & Hardware Weakness Types


Name of Your Organization:

Anhui USTC-Guochuang High Confidence Software Co., Ltd.

Web Site:

http://www.ustchcs.com

Compatible Capability:

USTCHC High Confidence Software Analysis Tool Suite

Capability home page:

http://www.ustchcs.com/solution.html

General Capability Questions

Product Accessibility

Provide a short description of how and where your capability is made available to your customers and the public(required):

USTCHC High Confidence Software Analysis Tool Suite

Mapping Questions

MAP CURRENCY INDICATION

Describe how and where your capability indicates the most recent CWE content used to create or update its mappings(required):

We regularly update the component library, which contains the latest CWE compliance content. Component library updates are provided in the form of upgrade packages, which the USTCHCS Analysis Tool obtains online or offline.

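MAP CURRENCY UPDATE APPROACH

Indicate how often you plan on updating the mappings to reflect new CWE content and describe your approach to keeping reasonably current with CWE content when mapping them to your repository(recommended):

We update the vulnerability database weekly and adopt the method of incremental updates; at the same time, we make a backup before updating to protect historical data.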

MAP CURRENCY UPDATE TIME

Describe how and where you explain to your customers the timeframe they should expect an update of your capability’s mappings to reflect newly available CWE content(required):

We release the product twice a year. Users can obtain the updated mapping relations in each release.

Documentation Questions

CWE AND COMPATIBILITY DOCUMENTATION

Provide a copy, or directions to its location, of where your documentation describes CWE and CWE compatibility for your customers(required):

Users can view CWE by clicking the “Help document” page, as shown in figure 1.

Figure 1

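DOCUMENTATION FOR FINDING ELEMENTS USING CWE IDENTIFIERS

Provide a copy, or directions to its location, of where your documentation describes the specific details of how your customers can use CWE identifiers to find the individual security elements within your capability’s repository(required):

When the detection is completed, we will list all the vulnerabilities and their corresponding CWE numbers. At the same time, we can highlight the location of these vulnerabilities in the code, as shown in figure 2.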

Figure 2

DOCUMENTATION OF FINDING CWE IDENTIFIERS USING ELEMENTS

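Provide a copy, or directions to its location, of where your documentation describes the process a user would follow to find the CWE identifiers associated with individual security elements within your capability’s repository(required):

When the detection is completed, we will automatically generate a related report. You can click the CWE number to jump to the CWE official website, as shown in figure 3.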

Figure 3

Figure 4

Type-Specific Capability Questions

Tool Questions

FINDING TASKS USING CWE IDENTIFIERS

Give detailed examples and explanations of how a user can locate tasks in the tool by looking for their associated CWE identifier(required):

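Please refer to <CR.5.2>.

FINDING CWE IDENTIFIERS USING ELEMENTS IN REPORTS

Give detailed examples and explanations of how, for reports that identify individual security elements, the tool allows the user to determine the associated CWE identifiers for the individual security elements in the report(required):

Please refer to <CR.5.3>.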

GETTING A LIST OF CLAIMED CWE IDENTIFIER COVERAGE

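Give detailed examples and explanations of how a user can obtain a listing of all of the CWE identifiers that the owner claims the tool is effective at locating in software(required):

Please refer to <CR.5.1>.

PROVIDING CLAIMED CWE IDENTIFIER COVERAGE USING CCR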

Give a detailed explanation of how a user can find the Coverage Claim Representation (CCR) XML document with all of the CWE identifiers that the owner claims the tool is effective at locating in software(recommended):

  1. Open the official website http://www.ustchcs.com/, as shown in figure 5, and click the "Trial" button on the page to open the product trial page.

    Figure 5

  2. Enter the application information, then click the "Submit" button to submit the application.

    Figure 6

  3. After receiving the application, we will contact you and send the installation package to your email.

GETTING A LIST OF CWE IDENTIFIERS ASSOCIATED WITH TASKS

Give detailed examples and explanations of how a user can obtain a listing of all of the CWE identifiers that are associated with the tool's tasks(recommended):

  1. The user imports the source code of the project to be tested into VSCODE, as shown in figure 7.

    Figure 7

  2. Create a new project and automatically analyze the security defects in the code, as shown in figure 8.

    Figure 8

  3. Click the “Project management” button to set the detection rules and compiler. Users can find and select the CWE rules they need, as shown in figure 9.

    Figure 9

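  4. When the detection is completed, we will list all the vulnerabilities and their corresponding CWE numbers. At the same time, we can highlight the location of these vulnerabilities in the code, as shown in figure 10.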

    Figure 10

Media Questions

ELECTRONIC DOCUMENT FORMAT INFO

Provide details about the different electronic document formats that you provide and describe how they can be searched for specific CWE-related text(required):

Our electronic document format is HTML or Excel. So users can easily search for specific CWE-related text by keyword searching. For example, we open the CWE Mapping Relations document, and search "CWE" by pressing "Ctrl + f", as shown in figure 11.

Figure 11

ELECTRONIC DOCUMENT LISTING OF CWE IDENTIFIERS

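If one of the capability’s standard electronic documents only lists security elements by their short names or titles, provide example documents that demonstrate how the associated CWE identifiers are listed for each individual security element(required):

We list the mapping relations in the form of a table, and the document format is Excel. Users can easily find the related CWE ID by searching for the component serial number or component keywords.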

Graphical User Interface (GUI) Questions

FINDING ELEMENTS USING CWE IDENTIFIERS THROUGH THE GUI

Give detailed examples and explanations of how the GUI provides a "find" or "search" function for the user to identify your capability’s elements by looking for their associated CWE identifier(s)(required):

Users can find the associated CWE identifiers by typing CWE-related text in the blue box.

Figure 12

GUI ELEMENT TO CWE IDENTIFIER MAPPING

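Briefly describe how the associated CWE identifiers are listed for the individual security elements or discuss how the user can use the mapping between CWE identifiers and the capability’s elements, also describe the format of the mapping(required):

Please refer to <CR.5.3>.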

Questions for Signature

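COMPATIBILITY

Have an authorized individual sign and date the following Compatibility Statement(required):

“As an authorized representative of my organization I agree that we will abide by all of the mandatory CWE Compatibility Requirements as well as all of the additional mandatory CWE Compatibility Requirements that are appropriate for our specific type of capability.”

Name: Ying Zhang

Title: Marketing Specialist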

STATEMENT OF ACCURACY

Have an authorized individual sign and date the following accuracy Statement(recommended):

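“As an authorized representative of my organization and to the best of my knowledge, there are no errors in the mapping between our capability’s repository and the CWE identifiers, and our capability’s reports and these CWE identifiers are as specific as possible within the available CWE repository.”

Name: Ying Zhang

Title: Marketing Specialist

STATEMENT ON FALSE-POSITIVES AND/OR FALSE-NEGATIVES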

FOR TOOLS AND SERVICES ONLY — Have an authorized individual sign and date the following statement about your tools efficiency in identification of security elements(required):

“As an authorized representative of my organization and to the best of my knowledge, normally when our capability reports a specific security element, it is generally correct and normally when an event occurs that is related to a specific security element our capability generally reports it.”

Name: Ying Zhang

Title: Marketing Specialist

Page Last Updated: October 20, 2022