Common Weakness Enumeration

CWE Glossary Definition

Name of Your Organization:

Julia S.R.L.

Web Site:

www.juliasoft.com

Compatible Capability:

Julia

Capability home page:

https://portal.juliasoft.com

Product Accessibility <CR_2.4>

Provide a short description of how and where your capability is made available to your customers and the public (required):

Julia can be accessed starting from https://portal.juliasoft.com

The user needs to subscribe and then he/she can analyze 10KLOCs of Java software for free. The quick start describes the major steps in order to install the Eclipse plugin, set it up, and run the analysis.

Map Currency Indication <CR_6.1>

Describe how and where your capability indicates the most recent CWE content used to create or update its mappings (required):

This information can be found in our CWE compatibility coverage claim available at http://www.juliasoft.com/Apps/WebObjects/Julia.woa/wa/viewSection?id=535&lang=eng

The exact CWE version supported by Julia is reported after the title

Map Currency Update Approach <CR_6.2>

Indicate how often you plan on updating the mappings to reflect the current CWE content and describe your approach to keeping reasonably current with the CWE content when mapping them to your repository (recommended):

Once per year.

CWE AND COMPATIBILITY DOCUMENTATION <CR_5.1>

Provide a copy, or directions to its location, of where your documentation describes CWE and CWE compatibility for your customers (required):

The description of each warning (available at http://www.juliasoft.com/eng/solutions/warnings) and checker (http://www.juliasoft.com/eng/solutions/checkers) lists the CWE identifiers covered by each warning or checker.

DOCUMENTATION OF FINDING ELEMENTS USING CWE IDENTIFIERS <CR_5.2>

Provide a copy, or directions to its location, of where your documentation describes the specific details of how your customers can use CWE identifiers to find the individual security elements within your capability’s repository (required):

https://static.juliasoft.com/docs/latest/pdf/EclipsePluginUserGuide.pdf

DOCUMENTATION OF FINDING CWE IDENTIFIERS USING ELEMENTS <CR_5.3>

Provide a copy, or directions to its location, of where your documentation describes the process a user would follow to find the CWE identifiers associated with individual security elements within your capability’s repository (required):

https://static.juliasoft.com/docs/latest/pdf/EclipsePluginUserGuide.pdf

DOCUMENTATION INDEXING OF CWE-RELATED MATERIAL <CR_5.4>

If your documentation includes an index, provide a copy of the items and resources that you have listed under "CWE" in your index. Alternately, provide directions to where these "CWE" items are posted on your web site (recommended):

http://ww.juliasoft.com/cweclaim

Type-Specific Capability Questions

FINDING TASKS USING CWE IDENTIFIERS <CR_A.2.1>

Give detailed examples and explanations of how a user can locate tasks in the tool by looking for their associated CWE identifier (required):

The user can group the warnings by CWE id in the Julia Eclipse plugin. First of all, one should click the group button of the Julia view:

Then a configuration panel will appear:

By selecting only "CWE id" the view will show the warnings grouped by id, obtaining the view above.

Another way to access and search warnings by CWE id is through the pdf report. The pdf report of the analysis can be accessed through the Julia Eclipse plugin by clicking "Save generated files" and selecting the analysis-report file.

Inside the report, each warning is annotated with the CWE id:

FINDING CWE IDENTIFIERS USING ELEMENTS IN REPORTS <CR_A.2.2>

Give detailed examples and explanations of how, for reports that identify individual security elements, the tool allows the user to determine the associated CWE identifier for the individual security elements in the report (required):

As seen above, the CWE id of each warning is reported between squared brackets in the pdf report, or in the specific tree node in the Julia Analyses view.

GETTING A LIST OF CLAIMED CWE IDENTIFIER COVERAGE <CR_A.2.3>

Give detailed examples and explanations of how a user can obtain a listing of all of the CWE identifiers that the owner claims the tool is effective at locating in software (required):

The CWE coverage claim is published at http://www.juliasoft.com/cweclaim

GETTING A LIST OF CWE IDENTIFIERS ASSOCIATED WITH TASKS <CR_A.2.6>

Give detailed examples and explanations of how a user can obtain a listing of all of the CWE identifiers that are associated with the tool’s tasks (recommended):

Each checker is annotated with the CWE identifiers it covers. This information can be obtained starting from http://www.juliasoft.com/eng/solutions/checkers and selecting a specific checker.

SELECTING TASKS USING INDIVIDUAL CWE IDENTIFIERS <CR_A.2.8>

Describe the steps that a user would follow to browse, select, and deselect a set of tasks for the tool by using individual CWE identifiers (recommended):

See answer to CR_A.2.1 above

NON-SUPPORT NOTIFICATION FOR A REQUESTED CWE IDENTIFIER <CR_A.2.9>

Provide a description of how the tool notifies the user that a task associated with a selected CWE Identifier cannot be performed (recommended):

The Analyses view in the Eclipse plugin shows only the identifiers that appear in at least one warning.

FINDING TASKS USING CWE IDENTIFIERS <CR_A.3.1>

Give detailed examples and explanations of how a user can locate tasks in the tool by looking for their associated CWE identifier (required):

The user selects from the Eclipse plugin a set of checkers. The online documentation (http://www.juliasoft.com/eng/solutions/checkers) reports the CWE identifiers covered by each checker. In this way, the user can find out which security elements are covered by his specific analysis.

FINDING CWE IDENTIFIERS USING ELEMENTS IN REPORTS <CR_A.3.2>

Give detailed examples and explanations of how, for reports that identify individual security elements, the tool allows the user to determine the associated CWE identifier for the individual security elements in the report (required):

See answer to CR_A.2.1 above

GETTING A LIST OF CLAIMED CWE IDENTIFIER COVERAGE <CR_A.3.3>

Give detailed examples and explanations of how a user can obtain a listing of all of the CWE identifiers that the owner claims the tool is effective at locating in software (required):

The CWE Compatibility Claim available at http://www.juliasoft.com/cweclaim contains this information.

FINDING ONLINE CAPABILITY TASKS USING CWE IDENTIFIERS <CR_A.4.1>

Give detailed examples and explanations of how a "find" or "search" function is available to the user to locate tasks in the online capability by looking for their associated CWE identifier or through an online mapping that links each element of the capability with its associated CWE identifier(s) (required):

See answer to CR_A.2.1 above

FINDING CWE IDENTIFIERS USING ONLINE CAPABILITY ELEMENTS <CR_A.4.2>

Give detailed examples and explanations of how, for reports that identify individual security elements, the online capability allows the user to determine the associated CWE Identifiers for the individual security elements in the report (required):

See answer to CR_A.2.1 above

GETTING A LIST OF CLAIMED CWE IDENTIFIER COVERAGE <CR_A.4.3>

Give detailed examples and explanations of how a user can obtain a listing of all of the CWE Identifiers that the owner claims the online capability’s repository covers (required):

This list is published online at http://www.juliasoft.com/cweclaim

ELECTRONIC DOCUMENT FORMAT INFO <B.3.1>

Provide details about the different electronic document formats that you provide and describe how they can be searched for specific CWE-related text (required):

The CWE identifier of each warning produced by Julia is reported inside the pdf analysis report, the Julia Analyses view of the Eclipse plugin, and inside the xml of the analysis results that can be downloaded through the Eclipse plugin.

ELECTRONIC DOCUMENT ELEMENT TO CWE IDENTIFIER <CR_B.3.3>

Provide example documents that demonstrate the mapping from the capability’s individual elements to the respective CWE identifier(s) (recommended):

See answer to CR_A.2.1 above, http://www.juliasoft.com/eng/solutions/checkers, and http://www.juliasoft.com/eng/solutions/warnings

FINDING ELEMENTS USING CWE IDENTIFIERS THROUGH THE GUI <CR_B.4.1>

Give detailed examples and explanations of how the GUI provides a "find" or "search" function for the user to identify your capability’s elements by looking for their associated CWE identifier(s) (required):

See answer to CR_A.2.1 above

GUI ELEMENT TO CWE IDENTIFIER MAPPING <CR_B.4.2>

Briefly describe how the associated CWE identifiers are listed for the individual security elements or discuss how the user can use the mapping between CWE identifiers and the capability’s elements, also describe the format of the mapping (required):

The Eclipse plugin allows the user to group the elements by CWE identifiers as described in CR_A.2.1 above.

GUI EXPORT ELECTRONIC DOCUMENT FORMAT INFO <CR_B.4.3>

Provide details about the different electronic document formats that you provide for exporting or accessing CWE-related data and describe how they can be searched for specific CWE-related text (recommended):

In addition to the Eclipse plugin GUI, the user can access CWE-related data through the pdf report, and the xml file containing the analysis results.

STATEMENT OF COMPATIBILITY <CR_2.11>

Have an authorized individual sign and date the following Compatibility Statement (required):

"As an authorized representative of my organization I agree that we will abide by all of the mandatory CWE Compatibility Requirements as well as all of the additional mandatory CWE Compatibility Requirements that are appropriate for our specific type of capability."

Name: Gianni Zucchini

Title: CEO

STATEMENT OF ACCURACY <CR_3.4>

Have an authorized individual sign and date the following accuracy Statement (recommended):

"As an authorized representative of my organization I agree that we will abide by all of the mandatory CWE Compatibility Requirements as well as all of the additional mandatory CWE Compatibility Requirements that are appropriate for our specific type of capability."

Name: Gianni Zucchini

Title: CEO

STATEMENT ON FALSE-POSITIVES AND FALSE-NEGATIVES <CR_B.2.10> and/or <CR_B.3.7>

FOR TOOLS AND SERVICES ONLY — Have an authorized individual sign and date the following statement about your tools efficiency in identification of security elements (required):

"As an authorized representative of my organization I agree that we will abide by all of the mandatory CWE Compatibility Requirements as well as all of the additional mandatory CWE Compatibility Requirements that are appropriate for our specific type of capability."

Name: Gianni Zucchini

Title: CEO