Name of Your Organization:
Capability home page:
General Capability Questions
Product Accessibility <CR_2.4>
Provide a short description of how and where
your capability is made available to your customers and the public (required):
SourceCheck supports the display of the current CWE Identifiers in the tool side, meanwhile, it also supports to upgrade the related data off-line.
Map Currency Indication <CR_6.1>
Describe how and where your capability indicates the most recent CWE content used to create or update its mappings (required):
The CWE standards used and cited are given in the SourceCheck user manual. There is a chapter in the user manual about CWE, which describes the relevant CWE information and declares the specific CWE version.
Map Currency Update Approach <CR_6.2>
Indicate how often you plan on updating the mappings to reflect the current CWE content and describe your approach to keeping reasonably current with the CWE content when mapping them to your repository (recommended):
Specifically, the data can be updated off-line with relevant frequency. Under standard circumstances, the relevant vulnerability database will be updated once a month, and the mapping relationship between vulnerabilities and CWE will be updated at the same time, and if a high risk is found, the vulnerability database should be updated in time within 8 hours, and other relevant mapping contents will be updated at the same time.
CWE AND COMPATIBILITY DOCUMENTATION <CR_5.1>
Provide a copy, or directions to its location, of where your documentation describes CWE and CWE compatibility for your customers (required):
This description can be found in Chapter 16 (Appendix Chapter_CWE information) of the SourceCheck Operations Manual. See the screenshot for details.
DOCUMENTATION OF FINDING ELEMENTS USING CWE IDENTIFIERS <CR_5.2>
Provide a copy, or directions to its location, of where your documentation describes the specific details of how your customers can use CWE identifiers to find the individual security elements within your capability’s repository (required):
After the analysis is over, the user searches for the corresponding CWE number, displays the vulnerability information mapped to the CWE number, clicks on the vulnerability details, and enters the vulnerability details page to view the vulnerability details. Please check the screenshot.
DOCUMENTATION OF FINDING CWE IDENTIFIERS USING ELEMENTS
Provide a copy, or directions to its location, of where your documentation describes the process a user would follow to find the CWE identifiers associated with individual security elements within your capability’s repository (required):
The user operation manual provides a list of each test performed by the tool and the related CWE logo (or other coding rules), as shown in the figure:
DOCUMENTATION INDEXING OF CWE-RELATED MATERIAL
If your documentation includes an index, provide a copy of the items and resources that you have listed under "CWE" in your index. Alternately, provide directions to where these "CWE" items are posted on your web site (recommended):
The supported CWE tags can be displayed in the full-text search library. Corresponding to (in the header CWE number) view the list of supported CWE identifiers.
Type-Specific Capability Questions
FINDING TASKS USING CWE IDENTIFIERS <CR_A.2.1>
Give detailed examples and explanations of how a user can locate tasks in the tool by looking for their associated CWE identifier (required):
During the process of detection and review, click on the specific component content under the “SourceCheck Application Details” to see the CWE Identifiers corresponding to the relevant vulnerability, as shown in the figure.
FINDING CWE IDENTIFIERS USING ELEMENTS IN REPORTS <CR_A.2.2>
Give detailed examples and explanations of how, for reports that identify individual security elements, the tool allows the user to determine the associated CWE identifier for the individual security elements in the report (required):
By clicking on the specific CVE list in the tool, you can clearly see the relevant CWE Identifiers, while entering the detailed information page, you can also see the content of CWE, as shown in the figure.
GETTING A LIST OF CLAIMED CWE IDENTIFIER COVERAGE <CR_A.2.3>
Give detailed examples and explanations of how a user can obtain a listing of all of the CWE identifiers that the owner claims the tool is effective at locating in software (required):
A list of relevant disclosed vulnerability types can be seen in the current SourceCheck asset list, however, the inclusion of CWE is mainly based on disclosed component vulnerabilities, as shown in the figure.
GETTING A LIST OF CWE IDENTIFIERS ASSOCIATED WITH TASKS <CR_A.2.6>
Give detailed examples and explanations of how a user can obtain a listing of all of the CWE identifiers that are associated with the tool's tasks (recommended):
During the process of SourceCheck application package detection and review, the component vulnerability details obtained in the platform interface correspond exactly to the CWE identifiers, as shown in the figure:
ELECTRONIC DOCUMENT FORMAT INFO <B.3.1>
Provide details about the different electronic document formats that you provide and describe how they can be searched for specific CWE-related text (required):
SourceCheck users can get the list of relevant CWE information and instructions through the B/S platform and the manual, however, the CWE information is not all included and open at this stage, if you need to get relevant CWE information, we can provide a checklist.
ELECTRONIC DOCUMENT LISTING OF CWE IDENTIFIERS <CR_B.3.2>
If one of the capability’s standard electronic documents only lists security elements by their short names or titles provide example documents that demonstrate how the associated CWE identifiers are listed for each individual security element (required):
Graphical User Interface (GUI) Questions
FINDING ELEMENTS USING CWE IDENTIFIERS THROUGH THE GUI <CR_B.4.1>
Give detailed examples and explanations of how the GUI provides a "find" or "search" function for the user to identify your capability’s elements by looking for their associated CWE identifier(s) (required):
SourceCheck users can search and locate relevant information by viewing vulnerability and weakness types through the knowledge base provided by the platform. As shown in the figure.
GUI ELEMENT TO CWE IDENTIFIER MAPPING <CR_B.4.2>
Briefly describe how the associated CWE identifiers are listed for the individual security elements or discuss how the user can use the mapping between CWE identifiers and the capability’s elements, also describe the format of the mapping (required):
SourceCheck's CWE identifiers, which are mainly through the inclusion of vulnerability process to obtain the CWE type, and establish a mapping relationship between CWE and CVE in the relational database so that users can view the CWE identifiers in the client-side.
Questions for Signature
STATEMENT OF COMPATIBILITY <CR_2.11>
Have an authorized individual sign and date the following Compatibility Statement (required):
"As an authorized representative of my organization I agree that we will abide by all of the mandatory CWE Compatibility Requirements as well as all of the additional mandatory CWE Compatibility Requirements that are appropriate for our specific type of capability."
Name: Jie Yin
Title: Product Manager
STATEMENT OF ACCURACY <CR_3.4>
Have an authorized individual sign and date the following accuracy Statement (recommended):
"As an authorized representative of my organization and to the best of my knowledge, there are no errors in the mapping between our capability's Repository and the CWE identifiers our capability reports, and those CWE identifiers are as specific as possible within the available CWE repository."
Name: Jie Yin
Title: Product Manager
STATEMENT ON FALSE-POSITIVES AND FALSE-NEGATIVES <CR_B.2.10> and/or <CR_B.3.7>
FOR TOOLS AND SERVICES ONLY — Have an authorized individual sign and date the following statement about your tools efficiency in identification of security elements (required):
"As an authorized representative of my organization and to the best of my knowledge, normally when our capability reports a specific security element, it is generally correct and normally when an event occurs that is related to a specific security element our capability generally reports it."
Name: Jie Yin
Title: Product Manager