CWE

Common Weakness Enumeration

A community-developed list of SW & HW weaknesses that can become vulnerabilities


Name of Your Organization:

Parasoft

Web Site:

www.parasoft.com

Compatible Capability:

Parasoft dotTEST

Capability home page:

https://www.parasoft.com/products/dottest/

General Capability Questions

Product Accessibility <CR_2.4>

Provide a short description of how and where your capability is made available to your customers and the public (required):

Parasoft dotTEST is available for licensed customers to download from the Parasoft customer portal at https://parasoft.force.com/customerportal. Additional information can be found at https://www.parasoft.com/products/dottest/.

Mapping Questions

Map Currency Indication <CR_6.1>

Describe how and where your capability indicates the most recent CWE content used to create or update its mappings (required):

Parasoft publishes CWE maps on the CWE page of its website at https://www.parasoft.com/compliance/cwe-compliance/. Links to individual products and versions are near the bottom of the page under "PARASOFT SUPPORT FOR CWE". Each map has a currency date of when the map was made with the latest information.

The date of the mapping and version of CWE it’s mapped to appear at the bottom of each CWE map pdf file:

Map Currency Update Approach <CR_6.2>

Indicate how often you plan on updating the mappings to reflect the current CWE content and describe your approach to keeping reasonably current with the CWE content when mapping them to your repository (recommended):

Updates to Parasoft CWE capability mappings are part of every product release. At that time, any changes to CWE are reviewed, as well as any new CWE rules. We also evaluate any new or changed Parasoft rules from the existing mappings to better align individual CWE IDs with Parasoft rules.

MAP CURRENCY UPDATE TIME <CR_6.3>

Describe how and where you explain to your customers the timeframe they should expect an update of your capability’s mappings to reflect newly available CWE content (required):

Parasoft updates CWE maps with its regular product releases which are typically 3-4 times per year.

Documentation Questions

CWE AND COMPATIBILITY DOCUMENTATION <CR_5.1>

Provide a copy, or directions to its location, of where your documentation describes CWE and CWE compatibility for your customers (required):

Information about using CWE and Parasoft tools together can be found in several places. The best starting point is a brief overview of best practices and of how the system is set up and works, which can be found in the knowledgebase in our customer portal at https://parasoft.force.com/customerportal/CommunitiesMainPage (registration required) under the title "Working with CWE security rules".

This knowledgebase article explains how to configure the Parasoft tools to use CWE rules and use the CWE-centric dashboards and reports, as well as where to get further information.

The static analysis engines for each language (C/C++, .NET, Java) have a user’s guide. In the section "Built-in Test Configurations" you can find available preconfigured sets of rules.

There is a configuration ready to use for the CWE Top 25 and you can also add or subtract rules to make your own configuration, including writing your own custom rules graphically with Parasoft RuleWizard. There are many rules in each supported language that go beyond just the CWE Top 25.

All of these docs can be found in the installation directory after installing one of the static analysis products, as well as in the Parasoft customer portal (https://parasoft.force.com/customerportal) under "Documentation & Release Notes".

Also, in the installation directory, there is a file documenting all of the hundreds of individual rules Parasoft implements. The same information can be found in the help system of the tools themselves. The documentation for each rule has a section that explains security issues with the rule under the header "Security Relevance", and at the bottom any references to standards associated with the rule. Searching for CWE will find all rules that have a CWE reference.

Parasoft has a "security compliance pack" that puts our reporting tool (DTP) into a CWE-centric configuration. This is described in the above knowledgebase article with links to current versions. The documentation is described in "Security Compliance Pack for DTP" which is available via our customer portal at https://parasoft.force.com/customerportal.

This configuration uses special maps behind the scenes (see CR_B.3.3) to convert standard Parasoft rule IDs to CWE IDs. This then allows you to see everything as if it were natively reported as CWE IDs. No lookups are needed to find issues related to a CWE ID, or which CWE ID a particular violation is, as it's inherent in the reporting.

In the above screen capture you can see at the top the list of CWE violations listed by CWE ID. You can drill into that chart and get the full list of violations of a particular ID. Another interesting CWE feature is charts and lists based on the CWE technical impact, as seen at the top right in the table with the number of rules and violations by severity for each impact. On the bottom right, you see a tree map representing violations with each type of technical impact. This lets you concentrate on the problems most important to you.

This set of charts and dashboards comes with two default configurations that are customizable and editable by the end user as described in the docs. The two current templates offered are one for "CWE Top 25" and one for "CWE List". The List version includes all of the Parasoft rules that are currently mapped to CWE IDs and is larger than the Top 25 set. This is the list of rules that you would find in the CWE maps on our website at https://www.parasoft.com/compliance/cwe-compliance/.

DOCUMENTATION OF FINDING ELEMENTS USING CWE IDENTIFIERS <CR_5.2>

Provide a copy, or directions to its location, of where your documentation describes the specific details of how your customers can use CWE identifiers to find the individual security elements within your capability’s repository (required):

Using the Parasoft Security Compliance Pack with CWE configuration, all violations are reported using CWE identifiers; no map or search is required. See CR_5.1.

DOCUMENTATION OF FINDING CWE IDENTIFIERS USING ELEMENTS <CR_5.3>

Provide a copy, or directions to its location, of where your documentation describes the process a user would follow to find the CWE identifiers associated with individual security elements within your capability’s repository (required):

Using the Parasoft Security Compliance Pack with CWE configuration, all violations are reported using CWE identifiers; no map or search is required. See CR_5.1.

DOCUMENTATION INDEXING OF CWE-RELATED MATERIAL <CR_5.4>

If your documentation includes an index, provide a copy of the items and resources that you have listed under "CWE" in your index. Alternately, provide directions to where these "CWE" items are posted on your web site (recommended):

The list of CWE items we cover is part of our map on our website at https://www.parasoft.com/compliance/cwe-compliance/. Links to individual products and versions are near the bottom of the page under "PARASOFT SUPPORT FOR CWE".

The screen capture above is an example item from the CWE map. (See CR_6.1)

Type-Specific Capability Questions

Tool Questions

FINDING TASKS USING CWE IDENTIFIERS <CR_A.2.1>

Give detailed examples and explanations of how a user can locate tasks in the tool by looking for their associated CWE identifier (required):

Using the Parasoft Security Compliance Pack with CWE configuration, all tasks are reported using CWE identifiers; no map or search is required. See CR_5.1.

FINDING CWE IDENTIFIERS USING ELEMENTS IN REPORTS <CR_A.2.2>

Give detailed examples and explanations of how, for reports that identify individual security elements, the tool allows the user to determine the associated CWE identifier for the individual security elements in the report (required):

Using Parasoft Security Compliance pack and CWE Dashboards, the items are all listed directly using CWE IDs. See CR_5.1

GETTING A LIST OF CLAIMED CWE IDENTIFIER COVERAGE <CR_A.2.3>

Give detailed examples and explanations of how a user can obtain a listing of all of the CWE identifiers that the owner claims the tool is effective at locating in software (required):

Using Parasoft Security Compliance pack and CWE Dashboards, the items are all listed directly using CWE IDs. See CR_5.1

GETTING A LIST OF CWE IDENTIFIERS ASSOCIATED WITH TASKS <CR_A.2.6>

Give detailed examples and explanations of how a user can obtain a listing of all of the CWE identifiers that are associated with the tool’s tasks (recommended):

Using Parasoft Security Compliance pack and CWE Dashboards, the items are all listed directly using CWE IDs. See CR_A.2.1

SELECTING TASKS WITH A LIST OF CWE IDENTIFIERS <CR_A.2.7>

Describe the steps and format that a user would use to select a set of tasks by providing a file with a list of CWE identifiers (recommended):

Using Parasoft Security Compliance pack and CWE Dashboards, the items are all listed directly using CWE IDs. See CR_A.2.1

SELECTING TASKS USING INDIVIDUAL CWE IDENTIFIERS <CR_A.2.8>

Describe the steps that a user would follow to browse, select, and deselect a set of tasks for the tool by using individual CWE identifiers (recommended):

Using Parasoft Security Compliance pack and CWE Dashboards, the items are all listed directly using CWE IDs. See CR_A.2.1

Media Questions

ELECTRONIC DOCUMENT FORMAT INFO <B.3.1>

Provide details about the different electronic document formats that you provide and describe how they can be searched for specific CWE-related text (required):

Parasoft Rules docs are provided in PDF with the tool installation, and online versions on our customer portal at https://parasoft.force.com/customerportal. Also, the full list of CWE rules we support is available as a built-in configuration, as well as a Top 25 configuration. These configurations are text-editable properties files. The CWE maps on our web site at https://parasoft.force.com/customerportal are available in PDF format.

There are two different GUIs that users can use. The preferred method is to use the DTP server via a web browser with the "Security Compliance Pack" and the CWE dashboards and reports (see CR_5.1). In that case everything is already reported using CWE IDs. The tool also has plugins to various code editors like Eclipse, IntelliJ, and Visual Studio. From those tools, you can output reports in a variety of formats such as pdf, html, xml, etc. If you choose this method you’ll need to translate the Parasoft IDs to CWE IDs using the CWE maps referenced above.

ELECTRONIC DOCUMENT LISTING OF CWE IDENTIFIERS <CR_B.3.2>

If one of the capability’s standard electronic documents only lists security elements by their short names or titles, provide example documents that demonstrate how the associated CWE identifiers are listed for each individual security element (required):

All tool output uses IDs, never just short names or titles.

ELECTRONIC DOCUMENT ELEMENT TO CWE IDENTIFIER <CR_B.3.3>

Provide example documents that demonstrate the mapping from the capability’s individual elements to the respective CWE identifier(s) (recommended):

The security compliance pack in our marketplace (see documentation in our customer portal https://parasoft.force.com/customerportal) contains 4 xml files with mappings.

The xml files are in the compliance pack itself, and the documentation shows what each is for as seen below. Check the latest docs for the latest updates.

Graphical User Interface (GUI) Questions

FINDING ELEMENTS USING CWE IDENTIFIERS THROUGH THE GUI <CR_B.4.1>

Give detailed examples and explanations of how the GUI provides a "find" or "search" function for the user to identify your capability’s elements by looking for their associated CWE identifier(s) (required):

Using Parasoft Security Compliance pack and CWE Dashboards, the items are all listed directly using CWE IDs. (See CR_A.2.1)

GUI ELEMENT TO CWE IDENTIFIER MAPPING <CR_B.4.2>

Briefly describe how the associated CWE identifiers are listed for the individual security elements or discuss how the user can use the mapping between CWE identifiers and the capability’s elements, also describe the format of the mapping (required):

Using Parasoft Security Compliance pack and CWE Dashboards, the items are all listed directly using CWE IDs. (See CR_A.2.1)

GUI EXPORT ELECTRONIC DOCUMENT FORMAT INFO <CR_B.4.3>

Provide details about the different electronic document formats that you provide for exporting or accessing CWE-related data and describe how they can be searched for specific CWE-related text (recommended):

There are two different GUIs that users can use. The preferred method is to use the DTP server via a web browser with the "Security Compliance Pack" and the CWE dashboards and reports (see CR_5.1). In that case everything is already reported using CWE IDs. The tool also has plugins to various code editors like Eclipse, IntelliJ, and Visual Studio. From those tools, you can output reports in a variety of formats such as pdf, html, xml, etc. If you choose this method you’ll need to translate the Parasoft IDs to CWE IDs using the CWE maps referenced above.

Questions for Signature

STATEMENT OF COMPATIBILITY <CR_2.11>

Have an authorized individual sign and date the following Compatibility Statement (required):

"As an authorized representative of my organization I agree that we will abide by all of the mandatory CWE Compatibility Requirements as well as all of the additional mandatory CWE Compatibility Requirements that are appropriate for our specific type of capability."

Name: Arthur Hicken

Title: Evangelist

STATEMENT OF ACCURACY <CR_3.4>

Have an authorized individual sign and date the following accuracy Statement (recommended):

"As an authorized representative of my organization I agree that we will abide by all of the mandatory CWE Compatibility Requirements as well as all of the additional mandatory CWE Compatibility Requirements that are appropriate for our specific type of capability."

Name: Arthur Hicken

Title: Evangelist

STATEMENT ON FALSE-POSITIVES AND FALSE-NEGATIVES <CR_B.2.10> and/or <CR_B.3.7>

FOR TOOLS AND SERVICES ONLY — Have an authorized individual sign and date the following statement about your tool's efficiency in identification of security elements (required):

"As an authorized representative of my organization I agree that we will abide by all of the mandatory CWE Compatibility Requirements as well as all of the additional mandatory CWE Compatibility Requirements that are appropriate for our specific type of capability."

Name: Arthur Hicken

Title: Evangelist

Page Last Updated: June 12, 2018