CWE

Common Weakness Enumeration

Name of Your Organization:

Shenzhen Secidea Network Security Technology Co., Ltd

Web Site:

https://www.secidea.com

Compatible Capability:

Secidea SCAP2000

Capability home page:

https://www.secidea.com/product/product/scap.html

General Capability Questions

Product Accessibility <CR_2.4>

Provide a short description of how and where your capability is made available to your customers and the public (required):

  1. Open the webpage for our Scap2000 product https://www.secidea.com/product/product/scap.html as shown in Figure 1.

    Figure 1 Scap2000 product page

  2. Click "Apply for Trial" as shown in Figure 2.

    Figure 2 Apply for Trial

  3. Enter the application information and submit, as shown in Figure 3.

    Figure 3 Application Detail

  4. After the application is approved, we will send the tool’s login address, username and password to the email provided during application.

  5. The user can log in with the provided username and password and start using our product as shown in Figure 4.

    Figure 4 Page After Login

  6. The user can click "New Project" to create a new project, which is then tested by our backend SAST tool. This is shown in Figure 5.

    Figure 5 Create New Product

  7. Once the tool finishes testing, click the project name to view the test results. The results page also shows CWE information together with detailed defect information. This is shown in Figure 6.

    Figure 6 Test Result

Mapping Questions

Map Currency Indication <CR_6.1>

Describe how and where your capability indicates the most recent CWE content used to create or update its mappings (required):

We indicate the most recent CWE content used to create or update our tool’s CWE mappings in our tool’s CWE-related documents. Those documents can be downloaded from our website. After login, users can download the CWE documents via the following steps:

  1. Click the "Help" button as shown in Figure 7.

    Figure 7 Help Button

  2. Download the CWE related documents, as shown in Figure 8.

    Figure 8 Help Page with CWE Documents

Map Currency Update Approach <CR_6.2>

Indicate how often you plan on updating the mappings to reflect the current CWE content and describe your approach to keeping reasonably current with the CWE content when mapping them to your repository (recommended):

Whenever we add or modify the defects that our tool detects, we review the CWE information associated with the defect to make sure that it reflects the latest CWE content. We also review our CWE mappings each time we release a new version.

MAP CURRENCY UPDATE TIME <CR_6.3>

Describe how and where you explain to your customers the timeframe they should expect an update of your capability’s mappings to reflect newly available CWE content (required):

Our product is updated twice a year. Our customers get updated mapping relations in each release.

Documentation Questions

CWE AND COMPATIBILITY DOCUMENTATION <CR_5.1>

Provide a copy, or directions to its location, of where your documentation describes CWE and CWE compatibility for your customers (required):

We provide two documents regarding CWE for our customers:

  1. "CWE_Documentation.pdf", which explains the basics of CWE (quoting content from the CWE website) and how our tool uses CWE identifiers.

  2. "CWE_mapping_relations.pdf", which is a detailed list of the defects that our tool can detect and their corresponding CWE identifiers.

Our tool's CWE documentation is available on our website after login. The steps to download it are:

  1. Click the "Help" button as shown in Figure 7.

  2. Download the CWE related documents, as shown in Figure 8.

DOCUMENTATION OF FINDING ELEMENTS USING CWE IDENTIFIERS <CR_5.2>

Provide a copy, or directions to its location, of where your documentation describes the specific details of how your customers can use CWE identifiers to find the individual security elements within your capability’s repository (required):

This is provided in our "CWE Documentation" section 3 "Search via CWE Identifiers".

DOCUMENTATION OF FINDING CWE IDENTIFIERS USING ELEMENTS <CR_5.3>

Provide a copy, or directions to its location, of where your documentation describes the process a user would follow to find the CWE identifiers associated with individual security elements within your capability’s repository (required):

This is provided in our "CWE Documentation" section 4 "View CWE Identifiers of Vulnerabilities".

DOCUMENTATION INDEXING OF CWE-RELATED MATERIAL <CR_5.4>

If your documentation includes an index, provide a copy of the items and resources that you have listed under "CWE" in your index. Alternately, provide directions to where these "CWE" items are posted on your web site (recommended):

The documents we provide are specifically related to CWE. Those documents are provided on our website. Details of how to find those documents on our website are given in the answer to <CR_5.1>.

Type-Specific Capability Questions

Tool Questions

FINDING TASKS USING CWE IDENTIFIERS <CR_A.2.1>

Give detailed examples and explanations of how a user can locate tasks in the tool by looking for their associated CWE identifier (required):

A user can locate tasks in the tool by their associated CWE identifiers by following the steps below:

  1. Click "New Project" on the project list page to create a new project; the tool then automatically analyzes the security defects in the code. On the create-project page, enter the project name and import the project source code, as shown in Figure 9.

    Figure 9 Create New Test Project

  2. Click OK to set the detection rules and compiler, as shown in Figure 10. Click the "question mark" button next to the rule set to set the defect rules. The corresponding CWE number is shown after each defect, as shown in Figure 11.

    Figure 10 Detection Result

  3. After the detection, the problem list area of the detection results can be grouped and displayed by CWE type, as shown in Figure 12.

    Figure 11 View Results by CWE Identifiers

FINDING CWE IDENTIFIERS USING ELEMENTS IN REPORTS <CR_A.2.2>

Give detailed examples and explanations of how, for reports that identify individual security elements, the tool allows the user to determine the associated CWE identifier for the individual security elements in the report (required):

For a software project, our tool produces a list of potential vulnerabilities in the software. In the result page, the user can click on each reported vulnerability to open its detailed vulnerability page. In the detailed vulnerability page, we provide the CWE identifier as shown in Figure 12.

Figure 12 Vulnerability Detail Page

The user can also click on the CWE identifier on the vulnerability page, which links to the CWE website, where more details on that CWE identifier are available. This is shown in Figure 13.

Figure 13 Link to CWE website

GETTING A LIST OF CLAIMED CWE IDENTIFIER COVERAGE <CR_A.2.3>

Give detailed examples and explanations of how a user can obtain a listing of all of the CWE identifiers that the owner claims the tool is effective at locating in software (required):

The list of CWE identifiers that our tool is effective at locating is provided in our tool’s CWE documents (CWE_mapping_relations.pdf). The documents can be downloaded from the "Help" page as shown in Figure 8.

GETTING A LIST OF CWE IDENTIFIERS ASSOCIATED WITH TASKS <CR_A.2.6>

Give detailed examples and explanations of how a user can obtain a listing of all of the CWE identifiers that are associated with the tool’s tasks (recommended):

Please see the answer to Question 11 <CR_A.2.2>.

SELECTING TASKS USING INDIVIDUAL CWE IDENTIFIERS <CR_A.2.8>

Describe the steps that a user would follow to browse, select, and deselect a set of tasks for the tool by using individual CWE identifiers (recommended):

Please see the answer to Question 10 <CR_A.2.1>.

NON-SUPPORT NOTIFICATION FOR A REQUESTED CWE IDENTIFIER <CR_A.2.9>

Provide a description of how the tool notifies the user that a task associated with a selected CWE Identifier cannot be performed (recommended):

If a user searches for a specific CWE ID in the results of a task and it is not found, this indicates that the task associated with the searched CWE identifier cannot be performed.

Media Questions

ELECTRONIC DOCUMENT FORMAT INFO <B.3.1>

Provide details about the different electronic document formats that you provide and describe how they can be searched for specific CWE-related text (required):

We provide our electronic documents in PDF format. Users can search for any specific CWE-related text in a PDF reader (e.g., Adobe Acrobat Reader).

ELECTRONIC DOCUMENT LISTING OF CWE IDENTIFIERS <CR_B.3.2>

If one of the capability’s standard electronic documents only lists security elements by their short names or titles provide example documents that demonstrate how the associated CWE identifiers are listed for each individual security element (required):

Our electronic documents list CWE identifiers in a table so that users can easily search for a specific CWE identifier.

ELECTRONIC DOCUMENT ELEMENT TO CWE IDENTIFIER MAPPING <CR_B.3.3>

Provide example documents that demonstrate the mapping from the capability's individual elements to the respective CWE identifier(s) (recommended):

Please see Figure 12 and Figure 14. In Figure 12, we show that a CWE identifier is given for each discovered vulnerability. In Figure 14, we show all vulnerability results grouped by CWE identifiers.

Graphical User Interface (GUI) Questions

FINDING ELEMENTS USING CWE IDENTIFIERS THROUGH THE GUI <CR_B.4.1>

Give detailed examples and explanations of how the GUI provides a "find" or "search" function for the user to identify your capability’s elements by looking for their associated CWE identifier(s) (required):

The results of our tool can be grouped by CWE ID. Users can then search for a specific CWE ID in the result page and get the related elements as shown in Figure

Figure 14 Search by CWE ID

GUI ELEMENT TO CWE IDENTIFIER MAPPING <CR_B.4.2>

Briefly describe how the associated CWE identifiers are listed for the individual security elements or discuss how the user can use the mapping between CWE identifiers and the capability’s elements, also describe the format of the mapping (required):

As shown in Figure 12, in the detailed vulnerability page, our tool displays the associated CWE identifiers for that vulnerability.

Questions for Signature

STATEMENT OF COMPATIBILITY <CR_2.11>

Have an authorized individual sign and date the following Compatibility Statement (required):

"As an authorized representative of my organization I agree that we will abide by all of the mandatory CWE Compatibility Requirements as well as all of the additional mandatory CWE Compatibility Requirements that are appropriate for our specific type of capability."

Name: Dawei QI

Title: Chief Technology Officer

STATEMENT OF ACCURACY <CR_3.4>

Have an authorized individual sign and date the following accuracy Statement (recommended):

"As an authorized representative of my organization and to the best of my knowledge, there are no errors in the mapping between our capability's Repository and the CWE identifiers our capability reports, and those CWE identifiers are as specific as possible within the available CWE repository."

Name: Dawei QI

Title: Chief Technology Officer

STATEMENT ON FALSE-POSITIVES AND FALSE-NEGATIVES <CR_B.2.10> and/or <CR_B.3.7>

FOR TOOLS AND SERVICES ONLY — Have an authorized individual sign and date the following statement about your tool’s efficiency in identification of security elements (required):

"As an authorized representative of my organization and to the best of my knowledge, normally when our capability reports a specific security element, it is generally correct and normally when an event occurs that is related to a specific security element our capability generally reports it."

Name: Dawei QI

Title: Chief Technology Officer

Page Last Updated: March 01, 2022