Name of Your Organization:
School of Software, Tsinghua University
Web Site:
www.thss.tsinghua.edu.cn
Compatible Capability:
Tsmart Static Analyzer
Capability home page:
http://info.tsmart.tech
General Capability Questions
Product Accessibility <CR_2.4>
Provide a short description of how and where
your capability is made available to your customers and the public (required):
Users can purchase a formal license of Tsmart or request an evaluation copy of Tsmart by mailing to tsmart.project@gmail.com. More information can be found at http://info.tsmart.tech.
Mapping Questions
Map Currency Indication <CR_6.1>
Describe how and where your capability indicates the most recent CWE content used to create or update its mappings (required):
Tsmart's user manual contains detailed CWE mapping information including the CWE version in use, the relationship between internal defect names and their associated CWE identifiers along with links to the official CWE description page. For more information, please visit http://info.tsmart.tech/userManual/man_en.html#the-capability-of-tsmart.
Map Currency Update Approach <CR_6.2>
Indicate how often you plan on updating the mappings to reflect the current CWE content and describe your approach to keeping reasonably current with the CWE content when mapping them to your repository (recommended):
Updates to Tsmart's CWE capability mapping in both tool and documentation occur with every product release. A major release of Tsmart is scheduled in December every year.
MAP CURRENCY UPDATE TIME <CR_6.3>
Describe how and where you explain to your customers the timeframe they should expect an update of your capability’s mappings to reflect newly available CWE content (required):
Tsmart's CWE capability mapping is updated in terms of tool and documentation once per year following the major releases.
Documentation Questions
CWE AND COMPATIBILITY DOCUMENTATION <CR_5.1>
Provide a copy, or directions to its location, of where your documentation describes CWE and CWE compatibility for your customers (required):
In Section "Introduction", Subsection "Terms" (http://info.tsmart.tech/userManual/man_en.html#terms) describes the concept of CWE (Figure 1), while the subsection "CWE Compatibility" describes the concept of CWE compatibility and how Tsmart fulfills the requirements of CWE compatibility (Figure 2).
Figure 1 The definition of CWE.
Figure 2 The description of CWE compatibility.
DOCUMENTATION OF FINDING ELEMENTS USING CWE IDENTIFIERS <CR_5.2>
Provide a copy, or directions to its location, of where your documentation describes the specific details of how your customers can use CWE identifiers to find the individual security elements within your capability’s repository (required):
In Section "Usage", Subsection "Review of Analysis Results" (http://info.tsmart.tech/userManual/man_en.html#review-of-analysis-results) describes how to filter defects using CWE identifiers (Figure 3).
Figure 3 The description on how users filter defects using CWE identifiers.
DOCUMENTATION OF FINDING CWE IDENTIFIERS USING ELEMENTS
<CR_5.3>
Provide a copy, or directions to its location, of where your documentation describes the process a user would follow to find the CWE identifiers associated with individual security elements within your capability’s repository (required):
In Section "Usage", Subsection "Review of Analysis Results" (http://info.tsmart.tech/userManual/man_en.html#review-of-analysis-results) describes how each defect entry is associated with CWE identifiers. (Figure 4). Furthermore, each defect entry is associated with an internal defect name and the mapping from defect names to CWE identifiers is given in Subsection "The Capability of Tsmart" in Section "Introduction" (Figure 5).
Figure 4 The description on how each defect is associated with CWE identifiers.
Figure 5 The table that maps internal defect names to CWE identifiers.
Type-Specific Capability Questions
Tool Questions
FINDING TASKS USING CWE IDENTIFIERS <CR_A.2.1>
Give detailed examples and explanations of how a user can locate tasks in the tool by looking for their associated CWE identifier (required):
Tsmart allows users to specify CWE identifiers or defect names such that Tsmart checks the input source code against the specified defects. More specifically, the following command performs checks on the source code against CWE 190 and CWE 369.
> java -jar TsmartAnalyze.jar -manual [SRC_PATH] -cwe=190,369
The following command performs checks on the source code based on the given configuration /path/to/config.properties
> java -jar TsmartAnalyze.jar -manual [SRC_PATH] -config=/path/to/config.properties
where the employed configuration contains the following line, which specifies INTEGER_OVERFLOW and DIV_ZERO as target defect types.
checker.weaknessForCheck = INTEGER_OVERFLOW, DIV_ZERO
According to the CWE mapping information given in Tsmart document, INTEGER_OVERFLOW and DIV_ZERO correspond to CWE 190 and CWE 369, respectively.
Furthermore, the bug visualizer of Tsmart supports filtering defects by CWE identifiers or defect names in the search box, as Figure 6 shows.
Figure 6 Filtering defects by CWE identifier (top) or defect name (bottom).
FINDING CWE IDENTIFIERS USING ELEMENTS IN REPORTS <CR_A.2.2>
Give detailed examples and explanations of how, for reports that identify individual security elements, the tool allows the user to determine the associated CWE identifier for the individual security elements in the report (required):
An individual defect is associated with CWE identifiers. Once a CWE identifier is clicked, the description of certain CWE identifier along with a link to CWE reference is presented in the CWE detail panel under the "Bug List" panel, as Figure 7 shows.
Figure 7 Details of the associated CWE identifier for an individual defect.
GETTING A LIST OF CLAIMED CWE IDENTIFIER COVERAGE <CR_A.2.3>
Give detailed examples and explanations of how a user can obtain a listing of all of the CWE identifiers that the owner claims the tool is effective at locating in software (required):
Users can obtain a list of CWE identifiers supported by Tsmart in Subsection "The Capability of Tsmart" in Tsmart documentation (http://info.tsmart.tech/userManual/man_en.html#the-capability-of-tsmart).
USING CCR TO PROVIDE CLAIMED CWE IDENTIFIER COVERAGE <CR_A.2.4>
Give a detailed explanation of how a user can find the Coverage Claim Representation (CCR) XML document with all of the CWE Identifiers that the owner claims the tool is effective at locating in software (recommended):
Currently Tsmart does not provide the CCR XML document.
GETTING A LIST OF CWE IDENTIFIERS ASSOCIATED WITH TASKS <CR_A.2.6>
Give detailed examples and explanations of how a user can obtain a listing of all of the CWE identifiers that are associated with the tool’s tasks (recommended):
The "Bug List" panel in the bug visualizer web page has a "CWE" column that lists associated CWE identifier(s) for each defect, as Figure 8 shows.
Figure 8 The CWE column that displays CWE identifiers for a list of defects.
SELECTING TASKS WITH A LIST OF CWE IDENTIFIERS <CR_A.2.7>
Describe the steps and format that a user would use to select a set of tasks by providing a file with a list of CWE identifiers (recommended):
Please refer to the answer to <CR_A.2.1>.
SELECTING TASKS USING INDIVIDUAL CWE IDENTIFIERS <CR_A.2.8>
Describe the steps that a user would follow to browse, select, and deselect a set of tasks for the tool by using individual CWE identifiers (recommended):
Please refer to the answer to <CR_A.2.1>.
NON-SUPPORT NOTIFICATION FOR A REQUESTED CWE IDENTIFIER <CR_A.2.9>
Provide a description of how the tool notifies the user that a task associated with a selected CWE Identifier cannot be performed (recommended):
If users specify an unsupported CWE identifier, Tsmart terminates instantly and prints an error message indicating that the given CWE identifier is currently unsupported. An example error message is as follows.
Unsupported CWE Number: 5
Please refer to the user manual for supported CWEs: http://info.tsmart.tech/userManual/man.html
where 5 is the specified CWE identifier in current analysis task.
Media Questions
ELECTRONIC DOCUMENT FORMAT INFO <B.3.1>
Provide details about the different electronic document formats that you provide and describe how they can be searched for specific CWE-related text (required):
The primary documentation is under HTML format. Users can access user manual in web browser and search for specific CWE-related texts via built-in search functionality which can be invoked by "Ctrl + F" typically. For example, one can search for "CWE compatibility" to obtain information on CWE compatibility of Tsmart, as Figure 9 shows.
Figure 9 Searching for "CWE compatibility" in HTML documentation.
ELECTRONIC DOCUMENT LISTING OF CWE IDENTIFIERS <CR_B.3.2>
If one of the capability’s standard electronic documents only lists security elements by their short names or titles provide example documents that demonstrate how the associated CWE identifiers are listed for each individual security element
(required):
In the defect reports, each defect entry has a "CWE" field that lists the associated CWE identifiers of certain defect. Each defect is also associated with a defect name in its "Weakness" field, and the given defect name can be mapped to its associated CWE identifiers according to CWE mapping relations in Tsmart documentation (http://info.tsmart.tech/userManual/man_en.html#the-capability-of-tsmart).
ELECTRONIC DOCUMENT ELEMENT TO CWE IDENTIFIER <CR_B.3.3>
Provide example documents that demonstrate the mapping from the capability’s individual elements to the respective CWE identifier(s)
(recommended):
CWE mapping relations is available in Subsection "The Capability of Tsmart" in Tsmart documentation (http://info.tsmart.tech/userManual/man_en.html#the-capability-of-tsmart).
Graphical User Interface (GUI) Questions
FINDING ELEMENTS USING CWE IDENTIFIERS THROUGH THE GUI <CR_B.4.1>
Give detailed examples and explanations of how the GUI provides a "find" or "search" function for the user to identify your capability’s elements by looking for their associated CWE identifier(s) (required):
The bug visualizer of Tsmart supports filtering defects by CWE identifiers or defect names in the search box, as Figure 6 shows.
GUI ELEMENT TO CWE IDENTIFIER MAPPING <CR_B.4.2>
Briefly describe how the associated CWE identifiers are listed for the individual security elements or discuss how the user can use the mapping between CWE identifiers and the capability’s elements, also describe the format of the mapping (required):
The "Bug List" panel in the bug visualizer web page has a "CWE" column that lists associated CWE identifier(s) for each defect, as Figure 8 shows.
Also, once a CWE identifier associated with an individual defect is clicked, the description of certain CWE identifier along with a link to CWE reference is presented in the CWE detail panel under the "Bug List" panel, as Figure 7 shows.
GUI EXPORT ELECTRONIC DOCUMENT FORMAT INFO <CR_B.4.3>
Provide details about the different electronic document formats that you provide for exporting or accessing CWE-related data and describe how they can be searched for specific CWE-related text (recommended):
The static analysis entry of Tsmart, namely TsmartAnalyze, outputs analysis results as an XML file under the specified output path. The resultant XML file is further processed by the bug visualizer module of Tsmart to present analysis results in a friendlier manner. Still, it is feasible to open the resultant XML file in a web browser of a text editor. An example XML file is shown in Figure 10. The resultant XML file stores defect entries along with detailed information such as defect types, defect names, locations and execution traces that lead to certain defects. A <result> element stores information on an individual defect where the weakness attribute stores the defect name. A <cweIds> element inside a <result> element record CWE numbers associated with a defect. Specific CWE-related text can be searched by built-in search functionality of the underlying web browser or text editor.
Figure 10 An example of partial resultant XML file.
Questions for Signature
STATEMENT OF COMPATIBILITY <CR_2.11>
Have an authorized individual sign and date the following Compatibility Statement (required):
"As an authorized representative of my organization I agree that we will abide by all of the mandatory CWE Compatibility Requirements as well as all of the additional mandatory CWE Compatibility Requirements that are appropriate for our specific type of capability."
Name: Min Zhou
Title: Project Director
STATEMENT OF ACCURACY <CR_3.4>
Have an authorized individual sign and date the following accuracy Statement (recommended):
"As an authorized representative of my organization I agree that we will abide by all of the mandatory CWE Compatibility Requirements as well as all of the additional mandatory CWE Compatibility Requirements that are appropriate for our specific type of capability."
Name: Min Zhou
Title: Project Director
STATEMENT ON FALSE-POSITIVES AND FALSE-NEGATIVES <CR_B.2.10> and/or <CR_B.3.7>
FOR TOOLS AND SERVICES ONLY — Have an authorized individual sign and date the following statement about your tools efficiency in identification of security elements (required):
"As an authorized representative of my organization I agree that we will abide by all of the mandatory CWE Compatibility Requirements as well as all of the additional mandatory CWE Compatibility Requirements that are appropriate for our specific type of capability."
Name: Min Zhou
Title: Project Director
More information is available — Please edit the custom filter or select a different filter.
|
