CWE

Common Weakness Enumeration

A Community-Developed List of Software Weakness Types

CWE/SANS Top 25 Most Dangerous Software Errors
Home > Compatibility > CWE-Compatible Products and Services  
ID

Name of Your Organization:

GrammaTech, Inc.

Web Site:

www.grammatech.com

Compatible Capability:

CodeSonar

Capability home page:

http://www.grammatech.com/products/codesonar

General Capability Questions

Product Accessibility <CR_2.4>

Provide a short description of how and where your capability is made available to your customers and the public (required):

CodeSonar is sold under contract. On purchase, customers are provided with installation materials appropriate to their platform or platforms.

Once installed, CodeSonar analyzes software and issues a warning for each vulnerability detected. The warnings and other analysis artifacts are stored on a central hub, and are browsed through a web-based interface using an ordinary web browser.

Each warning includes the relevant CWE-ID(s), if any; every CWE-ID presented in the product's web GUI is linked to the official CWE site. Users can search and sort sets of warnings by CWE. Mechanisms are provided so that customers implementing custom checks can specify the CWE-IDs they deem to be associated with those checks, if they wish to do so.

Mapping Questions

Map Currency Indication <CR_6.1>

Describe how and where your capability indicates the most recent CWE content used to create or update its mappings (required):

The section in the manual that introduces the Common Weakness Enumeration states the version of CWE that the software’s set of mappings is based on (see Figure 1).

Figure 1. CodeSonar manual screenshot showing CWE version notification.

Figure 1 . CodeSonar manual screenshot showing CWE version notification.

Map Currency Update Approach <CR_6.2>

Indicate how often you plan on updating the mappings to reflect the current CWE content and describe your approach to keeping reasonably current with the CWE content when mapping them to your repository (recommended):

Every time we write a new check, we create a CWE mapping for it. Prior to any public release of the product, we review all mappings. We monitor changes to the CWE and review the mapping every time a relevant change is made.

Documentation Questions

CWE AND COMPATIBILITY DOCUMENTATION <CR_5.1>

Provide a copy, or directions to its location, of where your documentation describes CWE and CWE compatibility for your customers (required):

CWE and CWE compatibility are described in a manual section titled “CWE: The Common Weakness Enumeration”. This is accessible through the manual table of contents as shown in Figure 2. Users can also readily locate the section using the manual’s search capability (see Figure 3) or index (see Figure 4).

A full copy of the manual section is provided in the Appendix, see <CR_5.4> for details.

Figure 2. CodeSonar Manual: CWE sections listed in the table of contents.
Figure 2 . CodeSonar Manual: CWE sections listed in the table of contents.

Figure 3. CodeSonar Manual: top search results for "CWE".
Figure 3 . CodeSonar Manual: top search results for "CWE".

Figure 4. CodeSonar Manual: index entries for
Figure 4 . CodeSonar Manual: index entries for "CWE".

DOCUMENTATION OF FINDING ELEMENTS USING CWE IDENTIFIERS <CR_5.2>

Provide a copy, or directions to its location, of where your documentation describes the specific details of how your customers can use CWE identifiers to find the individual security elements within your capability's repository (required):

The manual section titled “CWE: The Common Weakness Enumeration” (see <CR_5.1>) has a subsection “CodeSonar: Searching by CWE-ID”, which explains how to search for warnings containing one or more specific CWE-IDs. This subsection is shown in Figure 5. A copy of the full section is provided in the Appendix, see <CR_5.4> for details.

Figure 5 . CodeSonar Manual: Searching by CWE-ID.
Figure 5 . CodeSonar Manual: Searching by CWE-ID.

DOCUMENTATION OF FINDING CWE IDENTIFIERS USING ELEMENTS <CR_5.3>

Provide a copy, or directions to its location, of where your documentation describes the process a user would follow to find the CWE identifiers associated with individual security elements within your capability's repository (required):

The manual section titled “CWE: The Common Weakness Enumeration” (see <CR_5.1>) has a subsection “CodeSonar: Locating CWE-IDs for a Warning”, which explains how to view the CWE ID or IDs associated with a warning or set of warnings. This subsection is shown in Figure 6. A copy of the full section is provided in the Appendix, see <CR_5.4> for details.

Figure 6 . CodeSonar Manual: Locating CWE-IDs  for a warning.
Figure 6 . CodeSonar Manual: Locating CWE-IDs for a warning.

DOCUMENTATION INDEXING OF CWE-RELATED MATERIAL <CR_5.4>

If your documentation includes an index, provide a copy of the items and resources that you have listed under "CWE" in your index. Alternately, provide directions to where these "CWE" items are posted on your web site (recommended):

The index listing for “CWE” is shown in Figure 4. Copies of the individual sections are provided in Appendix/ indexed_CWE_pages.pdf. These manual sections are confidential and are not for public distribution.

Type-Specific Capability Questions

Tool Questions

FINDING TASKS USING CWE IDENTIFIERS <CR_A.2.1>

Give detailed examples and explanations of how a user can locate tasks in the tool by looking for their associated CWE identifier (required):

The CodeSonar GUI provides a simple search tool in the header of every page, as shown in Figure 7. Users can specify searches based on CWE identifiers using this tool, or using an “Advanced Search” page. For example, suppose we want to search for warnings associated with CWE:416. Figure 8 shows a keyword-based search issued through the Simple Search Tool; Figure 9 shows the equivalent search issued through the Advanced Search page. The results are the same in both cases, and are shown in Figure 10.

Simple searches for CWE IDs can also be issued without the “categories” keyword (as shown in Figure 11), in which case they are treated as full text searches. These are simpler to specify, but may take longer than keyword-based searches, and include results where the ID string appeared in locations other than the “categories” field. For example, an unrelated warning may have been issued for a code excerpt that happens to include the string in a comment: this warning would be included in the search results along with any warnings that the CodeSonar analysis considered relevant to CWE:416.

Figure 7 . Every page of the CodeSonar GUI contains  the Simple Search Tool.
Figure 7 . Every page of the CodeSonar GUI contains the Simple Search Tool.

Figure 8 . Using the CodeSonar Simple Search Tool to  find all warnings associated with CWE:416.
Figure 8 . Using the CodeSonar Simple Search Tool to find all warnings associated with CWE:416.

Figure 9 . Using CodeSonar Advanced Search to find  all warnings associated with CWE:416.
Figure 9 . Using CodeSonar Advanced Search to find all warnings associated with CWE:416.

Figure 10 . Results of search for CWE:416 are the  same whether the search was executed using the Simple Search Tool (Figure 8) or Advanced  Search Page (Figure 9).
Figure 10 . Results of search for CWE:416 are the same whether the search was executed using the Simple Search Tool (Figure 8) or Advanced Search Page (Figure 9).

Figure 11 . Full-text search for string  "CWE:416". Will match all warnings associated with CWE:416, plus all  warnings that happen to contain that string in any field.
Figure 11 . Full-text search for string "CWE:416". Will match all warnings associated with CWE:416, plus all warnings that happen to contain that string in any field.

FINDING CWE IDENTIFIERS USING ELEMENTS IN REPORTS <CR_A.2.2>

Give detailed examples and explanations of how, for reports that identify individual security elements, the tool allows the user to determine the associated CWE identifier for the individual security elements in the report (required):

A CodeSonar Warning Report lists any CWE-IDs associated with the warning in a “Categories” section, as shown in Figure 12. The same information is also available in the tables of warnings presented on the Analysis page (Figure 13) and in Warning Search Results (Figure 14), through an available “Categories” column.

Figure 12. CodeSonar Warning Report, showing  location of associated CWE Identifiers.
Figure 12. CodeSonar Warning Report, showing location of associated CWE Identifiers.

Figure 13. Warnings tab of Analysis page, showing  available Categories column with CWE-IDs.
Figure 13. Warnings tab of Analysis page, showing available Categories column with CWE-IDs.

Figure 14. Warning Search Results page, showing available Categories column with CWE-IDs.
Figure 14. Warning Search Results page, showing available Categories column with CWE-IDs.

GETTING A LIST OF CLAIMED CWE IDENTIFIER COVERAGE <CR_A.2.3>

Give detailed examples and explanations of how a user can obtain a listing of all of the CWE identifiers that the owner claims the tool is effective at locating in software (required):

A complete table of CWE Coverage information is available on the GrammaTech Codesonar web site:
http://www.grammatech.com/products/codesonar/CWE-Coverage-Statement.pdf.

GETTING A LIST OF CWE IDENTIFIERS ASSOCIATED WITH TASKS <CR_A.2.6>

Give detailed examples and explanations of how a user can obtain a listing of all of the CWE identifiers that are associated with the tool's tasks (recommended):

A complete table is provided in the CodeSonar manual, in a section titled “CWE-IDs for CodeSonar Mnemonics”. The section is readily available through the manual table of contents (Figure 2), search facility (Figure 3), and index (Figure 4), as well as through internal links in the manual. A full copy of the manual section is provided in the Appendix, see <CR_5.4> for details.

SELECTING TASKS WITH A LIST OF CWE IDENTIFIERS <CR_A.2.7>

Give detailed examples and explanations of how a user can obtain a listing of all of the CWE identifiers that are associated with the tool's tasks (recommended):

CodeSonar ships with some checks disabled. This is controlled by settings in a set of configuration files.  A user can specify a single rule in one of these configuration files to enable all checks associated with a specified CWE Identifier.

SELECTING TASKS USING INDIVIDUAL CWE IDENTIFIERS <CR_A.2.8>

Describe the steps that a user would follow to browse, select, and deselect a set of tasks for the tool by using individual CWE identifiers (recommended):

The functionality described in the response to <CR_A.2.7> above satisfies this requirement too: configuration rules can be used to disable checks by CWE-ID as well as to enable them.

Media Questions

ELECTRONIC DOCUMENT FORMAT INFO <B.3.1>

Provide details about the different electronic document formats that you provide and describe how they can be searched for specific CWE-related text (required):

CWE-related content can be located in the CodeSonar Manual through the table of contents (Figure 2), search facility (Figure 3), and index (Figure 4), as described previously. The manual also supports full-text search for individual CWE Identifiers. For example, Figure 15 shows the results of searching for “CWE:416”: the search returns the CWE mapping documentation pages described in <CR_5.2> and <CR_5.3>, along with the documentation page for the CodeSonar Use After Free warning class, which is associated with CWE:416.

Figure 15 . Result of searching for  "CWE:416" in the CodeSonar manual.
Figure 15 . Result of searching for "CWE:416" in the CodeSonar manual.

CWE-IDs are included in three page types within the CodeSonar GUI. In all cases they are included in a “Categories” field that is also used to store other categorization information (such as Power of Ten rule numbers, where applicable).

  • A Warning Report (Figure 12) contains full information about a single warning issued by the CodeSonar analysis, and always includes a Categories field. This page type is generated in HTML format by default, but can be retrieved as text or XML. For searching:
    • HTML: use web client “Find” feature.
    • text: use web client “Find” feature, or save the file and use any text search facility.
    • XML: use XML viewer “Find” feature, or parse for <category> elements (each of which describes one of the categories for a given warning). The <category> element includes a url attribute; for CWE-IDs, this points to the ID documentation on the CWE website.
  • The Warnings tab (Figure 13) of an Analysis page contains a table of the warnings issued by the analysis. This table does not include a Categories column by default, but the user can add one if they wish. This page type is generated in HTML format by default, but can be retrieved as CSV or XML.
    • HTML: use web client “Find” feature.
    • CSV: use CSV viewer “Find” feature, or examine the column labeled “categories”.
    • XML: use XML viewer “Find” feature, or parse for <categories> elements (each of which contains all categories for a given warning, as a single string).
  • Warning Search Results (Figure 14) are presented as a table of warnings. This table does not include a Categories column by default, but the user can add one if they wish.  This page type is generated in HTML format by default, but can be retrieved as CSV or XML.
    • HTML: use web client “Find” feature.
    • CSV: use CSV viewer “Find” feature, or examine the column labeled “categories”.
    • XML: use XML viewer “Find” feature, or parse for <categories> elements (each of which contains all categories for a given warning, as a single string).

(XML schemata may change in future, but are always shipped with the product for easy reference).

ELECTRONIC DOCUMENT LISTING OF CWE IDENTIFIERS <CR_B.3.2>

If one of the capability's standard electronic documents only lists security elements by their short names or titles provide example documents that demonstrate how the associated CWE identifiers are listed for each individual security element (required):

The documentation gives a full description of each warning class along with direct links to the CWE definitions of any associated CWE-IDs. See Figure 16 for an example.

Figure 16. Warning class documentation  includes a list of associated CWE-IDs, each linked to its definition on the CWE  website.

Figure 16. Warning class documentation includes a list of associated CWE-IDs, each linked to its definition on the CWE website.

ELECTRONIC DOCUMENT ELEMENT TO CWE IDENTIFIER <CR_B.3.3>

Provide example documents that demonstrate the mapping from the capability's individual elements to the respective CWE identifier(s) (recommended):

See answer to <CR_A.2.6>.

Graphical User Interface (GUI) Questions

FINDING ELEMENTS USING CWE IDENTIFIERS THROUGH THE GUI <CR_B.4.1>

Give detailed examples and explanations of how the GUI provides a "find" or "search" function for the user to identify your capability's elements by looking for their associated CWE identifier(s) (required):

See answer to <CR_A.2.1>.

GUI ELEMENT TO CWE IDENTIFIER MAPPING <CR_B.4.2>

Briefly describe how the associated CWE identifiers are listed for the individual security elements or discuss how the user can use the mapping between CWE identifiers and the capability's elements, also describe the format of the mapping (required):

See answer to <CR_A.2.2>.

GUI EXPORT ELECTRONIC DOCUMENT FORMAT INFO <CR_B.4.3>

Provide details about the different electronic document formats that you provide for exporting or accessing CWE-related data and describe how they can be searched for specific CWE-related text (recommended):

See answer to <CR_B.3.1>.

Questions for Signature

STATEMENT OF COMPATIBILITY <CR_2.11>

Have an authorized individual sign and date the following Compatibility Statement (required):

"As an authorized representative of my organization I agree that we will abide by all of the mandatory CWE Compatibility Requirements as well as all of the additional mandatory CWE Compatibility Requirements that are appropriate for our specific type of capability."

Name: Paul Anderson

Title: VP of Engineering

STATEMENT OF ACCURACY <CR_3.4>

Have an authorized individual sign and date the following accuracy Statement (recommended):

"As an authorized representative of my organization I agree that we will abide by all of the mandatory CWE Compatibility Requirements as well as all of the additional mandatory CWE Compatibility Requirements that are appropriate for our specific type of capability."

Name: Paul Anderson

Title: VP of Engineering

STATEMENT ON FALSE-POSITIVES AND FALSE-NEGATIVES <CR_B.2.10> and/or <CR_B.3.7>

FOR TOOLS AND SERVICES ONLY - Have an authorized individual sign and date the following statement about your tools efficiency in identification of security elements (required):

"As an authorized representative of my organization I agree that we will abide by all of the mandatory CWE Compatibility Requirements as well as all of the additional mandatory CWE Compatibility Requirements that are appropriate for our specific type of capability."

Name: Paul Anderson

Title: VP of Engineering


More information is available — Please select a different filter.
Page Last Updated: [an error occurred while processing this directive]