CWE

Common Weakness Enumeration

A community-developed list of SW & HW weaknesses that can become vulnerabilities


Name of Your Organization:

ValiantSec Technology Co.,Ltd

Web Site:

http://valiantsec.cn/

Compatible Capability:

CodeSense

Capability home page:

http://valiantsec.cn/product/?id=77

General Capability Questions

Product Accessibility <CR_2.4>

Provide a short description of how and where your capability is made available to your customers and the public (required):

1. Open the official CodeSense website at http://www.ubisectech.com/product/?id=77 and first click the red "试用产品 (trial)" button in the top right corner, as shown in Figure 1.

Figure-1 CodeSense's Homepage

2. Enter the application information and click the "提交 (submit)" button to submit the application, as shown in Figure 2.

Figure-2 Submit application information

3. After receiving the application, we will send the system login address, user name and user password.

4. The user can log in to the CodeSense system with the login information received, as shown in Figure 3: enter the credentials, then click the "登录 (log in)" button.

Figure-3 Login

5. Once logged in, the user can start using our product, as shown in Figure 4.

Figure-4 CodeSense’s dashboard

6. Click the "新建项目 (new project)" module to create a new project, as shown in Figure 4. The user can then upload his files.

Figure-5 start up Test Project

7. After the test is completed, the user can click the "CWE" button to view the test results, as shown in Figure 6.

Figure-6 project Test Result

8. In the CWE view, the user can see the CWE information in the defect information area, as shown in Figure 7.

Figure-7 project Test Result Query Interface

Mapping Questions

Map Currency Indication <CR_6.1>

Describe how and where your capability indicates the most recent CWE content used to create or update its mappings (required):

Mappings 1: After logging in to the system, the user can select the "检测模版 (template)" module in the "漏洞分析 (analyze)" menu. At the top of the list, the user can view the official CWE PDF document and the link to the official CWE website. The user can also view templates named like "**-CWE"; after expanding a template, the detailed CWE rules (which have been localized) are shown, as shown in Figure 8.

Figure-8 CWE mapping

Mappings 2: After logging in to the system, the user can select the "漏洞特征 (feature)" module in the "漏洞分析 (analyze)" menu. At the top of the list, the user can view the official CWE PDF document and the link to the official CWE website. The user can also view templates named like "cwe-name-cn"; after expanding a template, the detailed CWE rules (which have been localized) are shown, as shown in Figure 9.

Figure-9 CWE mapping

Map Currency Update Approach <CR_6.2>

Indicate how often you plan on updating the mappings to reflect the current CWE content and describe your approach to keeping reasonably current with the CWE content when mapping them to your repository (recommended):

We release our product once a quarter. In each release we update the vulnerability database and the CWE identification information mapped to each vulnerability, and we will try our best to include the most recent CWE content in each release.

MAP CURRENCY UPDATE TIME <CR_6.3>

Describe how and where you explain to your customers the timeframe they should expect an update of your capability’s mappings to reflect newly available CWE content (required):

Our product is updated once a quarter, and our customers receive updated mapping relations in each release. We use CWE version 3.3, whose release date is June 20, 2019. Some CWE rules have been described in Chinese; the latest update date is March 21, 2022.

Documentation Questions

CWE AND COMPATIBILITY DOCUMENTATION <CR_5.1>

Provide a copy, or directions to its location, of where your documentation describes CWE and CWE compatibility for your customers (required):

Mappings 1: After logging in to the system, the user can select the "检测模版 (template)" module in the "漏洞分析 (analyze)" menu. At the top of the list, the user can view the official CWE document and the link to the official CWE website. The user can also view templates named like "**-CWE"; after expanding a template, the detailed CWE rules (which have been localized) are shown, as shown in Figure 8.

Mappings 2: After logging in to the system, the user can select the "漏洞特征 (feature)" module in the "漏洞分析 (analyze)" menu. At the top of the list, the user can view the official CWE document and the link to the official CWE website. The user can also view templates named like "cwe-name-cn"; after expanding a template, the detailed CWE rules (which have been localized) are shown, as shown in Figure 9.

DOCUMENTATION OF FINDING ELEMENTS USING CWE IDENTIFIERS <CR_5.2>

Provide a copy, or directions to its location, of where your documentation describes the specific details of how your customers can use CWE identifiers to find the individual security elements within your capability’s repository (required):

At the top of the "检测模版 (template)" module, the user can search by CWE ID; after searching, the rules for the corresponding CWE ID are displayed in the template list, as shown in Figure 10. Similar searches are available in the "漏洞特征 (feature)" and "任务结果 (results)" modules.

Figure-10 searching by CWE ID

DOCUMENTATION OF FINDING CWE IDENTIFIERS USING ELEMENTS <CR_5.3>

Provide a copy, or directions to its location, of where your documentation describes the process a user would follow to find the CWE identifiers associated with individual security elements within your capability’s repository (required):

At the top of the "检测模版 (template)" module, the user can search by CWE keywords; after searching, the rules for the corresponding CWE IDs are displayed in the template list, as shown in Figure 11. Similar searches are available in the "漏洞特征 (feature)" and "任务结果 (results)" modules.

Figure-10 searching by CWE keywords

DOCUMENTATION INDEXING OF CWE-RELATED MATERIAL <CR_5.4>

If your documentation includes an index, provide a copy of the items and resources that you have listed under "CWE" in your index. Alternately, provide directions to where these "CWE" items are posted on your web site (recommended):

CWE 1: After logging in to the system, the user can select the "检测模版 (template)" module in the "漏洞分析 (analyze)" menu. At the top of the list, the user can view templates named like "**-CWE", which serve as the CWE index, as shown in Figure 8.

CWE 2: After logging in to the system, the user can select the "漏洞特征 (feature)" module in the "漏洞分析 (analyze)" menu. At the top of the list, the user can view templates named like "cwe-name-cn", which serve as the CWE index, as shown in Figure 9.

Type-Specific Capability Questions

Tool Questions

FINDING TASKS USING CWE IDENTIFIERS <CR_A.2.1>

Give detailed examples and explanations of how a user can locate tasks in the tool by looking for their associated CWE identifier (required):

After logging in to the system, the user can select "新建项目 (new project)" and upload the code, then select the testing template "ValiantSec-**-CWE" or "ValiantSec-Vuln-**". After the analysis completes, the user clicks "成功 (success)" and can then view the result, as shown in Figure 11.

Figure-11 CWE result

FINDING CWE IDENTIFIERS USING ELEMENTS IN REPORTS <CR_A.2.2>

Give detailed examples and explanations of how, for reports that identify individual security elements, the tool allows the user to determine the associated CWE identifier for the individual security elements in the report (required):

On the inspection result page, you can search by CWE ID and by CWE elements. After the search, the defect list displays all related types of problems found in this analysis. The problems are displayed as "type + file + line number". Clicking on a single problem displays its location, the "data flow" of the problem, a detailed description of the problem, and revisions that can be made for false positives, as shown in Figure 12.

Figure-12 CWE result

GETTING A LIST OF CLAIMED CWE IDENTIFIER COVERAGE <CR_A.2.3>

Give detailed examples and explanations of how a user can obtain a listing of all of the CWE identifiers that the owner claims the tool is effective at locating in software (required):

After logging in to the system, users can view the list of CWEs supported by CodeSense (categorized by development language) on the "检测模板 (template)" and "漏洞特征 (feature)" pages under the "漏洞分析 (analysis)" menu, as shown in Figure 13.

Figure-13 list of CWE result

USING CCR TO PROVIDE CLAIMED CWE IDENTIFIER COVERAGE <CR_A.2.4>

Give a detailed explanation of how a user can find the Coverage Claim Representation (CCR) XML document with all of the CWE identifiers that the owner claims the tool is effective at locating in software (recommended):

On the "任务列表 (Task List)" page of the "漏洞分析 (Analysis)" menu, select a "successful" task and click "导出报告 (Export Report)"; the report type can currently be Word, CSV, PDF or XML. Switch to the "分析报告 (Analysis Report)" page, select the report just generated, click download and open the document locally; the CWE-related content can be seen in the XML, as shown in Figure 14.

Figure-14 export report

GETTING A LIST OF CWE IDENTIFIERS ASSOCIATED WITH TASKS <CR_A.2.6>

Give detailed examples and explanations of how a user can obtain a listing of all of the CWE identifiers that are associated with the tool's tasks (recommended):

Log in to the system, select "新建项目 (New Project)", upload the source code, select the detection template "ValiantSec-**-CWE" or "ValiantSec-Vuln-**", and click Save. Switch to "漏洞分析 (Analysis)" > "任务列表 (Task List)", wait for the detection task to complete, and click "成功 (Success)" to enter the detection result page. Switch the display mode to "CWE" to get the CWE coverage list for this task, as shown in Figure 15.

Figure-14 list of task

SELECTING TASKS WITH A LIST OF CWE IDENTIFIERS <CR_A.2.7>

Describe the steps and format that a user would use to select a set of tasks by providing a file with a list of CWE identifiers (recommended):

Log in to the system. In "检测模板 (templates)" under "漏洞分析 (Analysis)", create a new template named "selectCWE", select one or several CWEs from the preset templates, drag and drop them into the new template, click "完成 (Finish)", and activate the template. Then, when creating a new project, select the newly created template "selectCWE"; in the generated task results, only the defects covered by the selected CWEs will be displayed, as shown in Figure 15.

Figure-15 template of selectCWE

Media Questions

ELECTRONIC DOCUMENT FORMAT INFO <B.3.1>

Provide details about the different electronic document formats that you provide and describe how they can be searched for specific CWE-related text (required):

At the top of the "检测模版 (template)" module, the user can search by CWE keywords; after searching, the rules for the corresponding CWE IDs are displayed in the template list, as shown in Figure 11. Similar searches are available in the "漏洞特征 (feature)" and "任务结果 (results)" modules.

ELECTRONIC DOCUMENT LISTING OF CWE IDENTIFIERS <CR_B.3.2>

If one of the capability’s standard electronic documents only lists security elements by their short names or titles provide example documents that demonstrate how the associated CWE identifiers are listed for each individual security element (required):

After logging in to the system, users can view the list of CWEs supported by CodeSense (categorized by development language) on the "检测模板 (template)" and "漏洞特征 (feature)" pages under the "漏洞分析 (analysis)" menu, as shown in Figure 13.

ELECTRONIC DOCUMENT ELEMENT TO CWE IDENTIFIER MAPPING <CR_B.3.3>

Provide example documents that demonstrate the mapping from the capability's individual elements to the respective CWE identifier(s) (recommended):

Mappings 1: After logging in to the system, the user can select the "检测模版 (template)" module in the "漏洞分析 (analyze)" menu. At the top of the list, the user can view the official CWE document and the link to the official CWE website. The user can also view templates named like "**-CWE"; after expanding a template, the detailed CWE rules (which have been localized) are shown, as shown in Figure 8.

Mappings 2: After logging in to the system, the user can select the "漏洞特征 (feature)" module in the "漏洞分析 (analyze)" menu. At the top of the list, the user can view the official CWE document and the link to the official CWE website. The user can also view templates named like "cwe-name-cn"; after expanding a template, the detailed CWE rules (which have been localized) are shown, as shown in Figure 9.

Graphical User Interface (GUI) Questions

FINDING ELEMENTS USING CWE IDENTIFIERS THROUGH THE GUI <CR_B.4.1>

Give detailed examples and explanations of how the GUI provides a "find" or "search" function for the user to identify your capability’s elements by looking for their associated CWE identifier(s) (required):

At the top of the "检测模版 (template)" module, the user can search by CWE keywords; after searching, the rules for the corresponding CWE IDs are displayed in the template list, as shown in Figure 11. Similar searches are available in the "漏洞特征 (feature)" and "任务结果 (results)" modules.

GUI ELEMENT TO CWE IDENTIFIER MAPPING <CR_B.4.2>

Briefly describe how the associated CWE identifiers are listed for the individual security elements or discuss how the user can use the mapping between CWE identifiers and the capability’s elements, also describe the format of the mapping (required):

After logging in to the system, the user can select "新建项目 (new project)" and upload the code, then select the testing template "ValiantSec-**-CWE" or "ValiantSec-Vuln-**". After the analysis completes, the user clicks "成功 (success)" and can then view the result, as shown in Figure 11.

GUI EXPORT ELECTRONIC DOCUMENT FORMAT INFO <CR_B.4.3>

Provide details about the different electronic document formats that you provide for exporting or accessing CWE-related data and describe how they can be searched for specific CWE-related text (recommended):

On the "任务列表 (Task List)" page of the "漏洞分析 (Analysis)" menu, select a "successful" task and click "导出报告 (Export Report)"; the report type can currently be Word, CSV, PDF or XML. Switch to the "分析报告 (Analysis Report)" page, select the report just generated, click download and open the document locally; the CWE-related content can be seen in the XML, as shown in Figure 14.

Questions for Signature

STATEMENT OF COMPATIBILITY <CR_2.11>

Have an authorized individual sign and date the following Compatibility Statement (required):

"As an authorized representative of my organization I agree that we will abide by all of the mandatory CWE Compatibility Requirements as well as all of the additional mandatory CWE Compatibility Requirements that are appropriate for our specific type of capability."

Name: Zhi Ling Yang

Title: Product Manager

STATEMENT OF ACCURACY <CR_3.4>

Have an authorized individual sign and date the following accuracy Statement (recommended):

"As an authorized representative of my organization and to the best of my knowledge, there are no errors in the mapping between our capability's Repository and the CWE identifiers our capability reports, and those CWE identifiers are as specific as possible within the available CWE repository."

Name: Zhi Ling Yang

Title: Product Manager

STATEMENT ON FALSE-POSITIVES AND FALSE-NEGATIVES <CR_B.2.10> and/or <CR_B.3.7>

FOR TOOLS AND SERVICES ONLY — Have an authorized individual sign and date the following statement about your tool's efficiency in identification of security elements (required):

"As an authorized representative of my organization and to the best of my knowledge, normally when our capability reports a specific security element, it is generally correct and normally when an event occurs that is related to a specific security element our capability generally reports it."

Name: Zhi Ling Yang

Title: Product Manager

Page Last Updated: April 19, 2022