Name of Your Organization:
Software Security
Web Site:
https://www.softsafe-tech.com
Compatible Capability:
SoftSec SCA
Capability home page:
https://www.softsafe-tech.com/product/SCA
General Capability Questions
Product Accessibility <CR_2.4>
Provide a short description of how and where your capability is made available to your customers and the public (required):
Open the official product page https://www.softsafe-tech.com/product/sca (Figure 1).
Click the "apply for use" button, circled in red in Figure 2.
Enter the application information and click the submit button to submit the application (Figure 3).
After receiving the application, we send the login address, user name, password and user manual to the email address you provided.
The user can log in to the SCA system with the login information received (Figure 4).
Click "new project" to create a new project (Figure 5).
Click "new version" to create a new version (Figure 6).
After the scan is completed, click the project name to enter the test result query page (Figure 7).
Click the number hyperlink in the "component name" column to view the vulnerabilities detected in that component. The "Vulnerability Type" column of the component vulnerability list shows how each vulnerability corresponds to CWE. If the vulnerability can be matched exactly to a CWE entry, its CWE ID is displayed in the list (Figure 8. Component vulnerability list).
Click the CWE ID hyperlink to view the vulnerability details (Figure 9. Vulnerability list for a component).
Clicking the CWE ID hyperlink in Figure 9 takes the user to the page on the CWE official website that describes that weakness (Figure 10. CWE official website weakness description page).
Mapping Questions
Map Currency Indication <CR_6.1>
Describe how and where your capability indicates the most recent CWE content used to create or update its mappings (required):
Users can view the CWE version in use from the product homepage by clicking the help button in the upper right corner, as shown in Figures 11 and 12.
Figure 11.
Figure 12.
Map Currency Update Approach <CR_6.2>
Indicate how often you plan on updating the mappings to reflect the current CWE content and describe your approach to keeping reasonably current with the CWE content when mapping them to your repository (recommended):
We download the latest CWE mapping data for components every day and update our local database with it. We release our product 4 times a year, and each release updates the CWE content shipped with the product.
MAP CURRENCY UPDATE TIME <CR_6.3>
Describe how and where you explain to your customers the timeframe they should expect an update of your capability’s mappings to reflect newly available CWE content (required):
We release our product 4 times every year. Users receive the updated mapping relations in each release.
Documentation Questions
CWE AND COMPATIBILITY DOCUMENTATION <CR_5.1>
Provide a copy, or directions to its location, of where your documentation describes CWE and CWE compatibility for your customers (required):
Our CWE documentation describes CWE and CWE compatibility in its opening sections, part (I) and part (II), by quoting the descriptions of CWE and CWE compatibility from the CWE official website. Users can reach it from the product homepage: click the help button in the upper right corner to view the CWE mapping relations file, as shown in Figures 11 and 12.
DOCUMENTATION OF FINDING ELEMENTS USING CWE IDENTIFIERS <CR_5.2>
Provide a copy, or directions to its location, of where your documentation describes the specific details of how your customers can use CWE identifiers to find the individual security elements within your capability’s repository (required):
The user can search for a CWE identifier with the "vulnerability library" function on the home page to locate the corresponding vulnerability and its description, as shown in the figure below.
Figure 13.
DOCUMENTATION OF FINDING CWE IDENTIFIERS USING ELEMENTS <CR_5.3>
Provide a copy, or directions to its location, of where your documentation describes the process a user would follow to find the CWE identifiers associated with individual security elements within your capability’s repository (required):
Click the number hyperlink in the "component name" column to view the vulnerabilities detected in that component. The "Vulnerability Type" column of the component vulnerability list shows how each vulnerability corresponds to CWE. If the vulnerability can be matched exactly to a CWE entry, its CWE ID is displayed in the list (Figure 14. Component vulnerability list).
Click the CWE ID hyperlink to view the vulnerability details (Figure 15. Vulnerability list for a component).
Clicking the CWE ID hyperlink in Figure 15 takes the user to the page on the CWE official website that describes that weakness (Figure 16. CWE official website weakness description page).
DOCUMENTATION INDEXING OF CWE-RELATED MATERIAL <CR_5.4>
If your documentation includes an index, provide a copy of the items and resources that you have listed under "CWE" in your index. Alternately, provide directions to where these "CWE" items are posted on your web site (recommended):
Refer to <CR_2.4>; users can download the CWE Compatibility Manual from there.
Type-Specific Capability Questions
Tool Questions
FINDING TASKS USING CWE IDENTIFIERS <CR_A.2.1>
Give detailed examples and explanations of how a user can locate tasks in the tool by looking for their associated CWE identifier (required):
The user can log in to the SCA system with the login information received (Figure 17).
Users can click "create a project" on the Project List page to have the application automatically analyze the known vulnerabilities in the project (Figure 18. Creating a project; Figure 19. Creating a version).
After the scan is completed, the total number of project vulnerabilities is visible in the "All Vulnerabilities" column of the project list (Figure 20. Project test results).
Click the project name to enter the version list, which displays the vulnerability distribution of the version (Figure 21. All components used in the project and their number of vulnerabilities).
Click the number hyperlink in the "component name" column to view the vulnerabilities detected in that component. The "Vulnerability Type" column of the component vulnerability list shows how each vulnerability corresponds to CWE. If the vulnerability can be matched exactly to a CWE entry, its CWE ID is displayed in the list (Figure 22. Component vulnerability list).
Click the CWE ID hyperlink to view the vulnerability details (Figure 23. Vulnerability list for a component).
FINDING CWE IDENTIFIERS USING ELEMENTS IN REPORTS <CR_A.2.2>
Give detailed examples and explanations of how, for reports that identify individual security elements, the tool allows the user to determine the associated CWE identifier for the individual security elements in the report (required):
After the scan, the user can search for a CWE identifier with the "vulnerability list" function on the home page to locate the corresponding vulnerability and its description (Figure 24. CWE search in the context of defect results).
GETTING A LIST OF CLAIMED CWE IDENTIFIER COVERAGE <CR_A.2.3>
Give detailed examples and explanations of how a user can obtain a listing of all of the CWE identifiers that the owner claims the tool is effective at locating in software (required):
Users can view CWE through the product homepage, and click the help button in the upper right corner to view CWE mapping relations file, as shown in Figure 11 and figure 12.
USING CCR TO PROVIDE CLAIMED CWE IDENTIFIER COVERAGE <CR_A.2.4>
Give a detailed explanation of how a user can find the Coverage Claim Representation (CCR) XML document with all of the CWE identifiers that the owner claims the tool is effective at locating in software (recommended):
Currently we do not provide CCR XML documentation.
GETTING A LIST OF CWE IDENTIFIERS ASSOCIATED WITH TASKS <CR_A.2.6>
Give detailed examples and explanations of how a user can obtain a listing of all of the CWE identifiers that are associated with the tool's tasks (recommended):
On the test result page, the "CWE ID" column lists the CWE identifier mapped to each open source component vulnerability. The mapping between each CVE ID and its CWE ID is also displayed on the detail page of each known open source component vulnerability (Figure 25. Component vulnerability list).
Click the CWE ID hyperlink to view the vulnerability details (Figure 26. Vulnerability list for a component).
SELECTING TASKS WITH A LIST OF CWE IDENTIFIERS <CR_A.2.7>
Describe the steps and format that a user would use to select a set of tasks by providing a file with a list of CWE identifiers (recommended):
Please refer to <CR_A.2.1>.
SELECTING TASKS USING INDIVIDUAL CWE IDENTIFIERS <CR_A.2.8>
Describe the steps that a user would follow to browse, select, and deselect a set of tasks for the tool by using individual CWE identifiers (recommended):
Please refer to <CR_A.2.1>.
NON-SUPPORT NOTIFICATION FOR A REQUESTED CWE IDENTIFIER <CR_A.2.9>
Provide a description of how the tool notifies the user that a task associated with a selected CWE identifier cannot be performed (recommended):
When a search for a CWE ID returns no results, the tool notifies the user that no task is associated with the selected CWE identifier (Figure 27).
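The behaviour described for <CR_A.2.6> (a CWE ID column derived from the CVE-to-CWE mapping of each component vulnerability, with a link to the CWE site) and for <CR_A.2.9> (a "no result" notification for an unmatched CWE ID) can be illustrated with a small index-and-search routine. The code below is an added example written for this page; it is not SoftSec SCA code and does not reflect the product's internal data model. The record shape, the component names and the CVE identifiers are constructed placeholders (the CVE IDs are not real CVEs). It also handles a caveat the product text only implies with "exactly match": feeds such as NVD carry placeholder values like NVD-CWE-noinfo that are not CWE entries, so those vulnerabilities must be reported as unmapped rather than shown with a bogus CWE ID.

```python
import re
from collections import defaultdict

# Accepts "CWE-79", "cwe-079" or bare "79"; rejects placeholders like "NVD-CWE-noinfo".
CWE_ID_RE = re.compile(r"^(?:CWE-)?(\d+)$", re.IGNORECASE)


def normalize_cwe(raw):
    """Return the canonical 'CWE-<n>' form, or None if the value is not a CWE entry."""
    m = CWE_ID_RE.match(raw.strip())
    if not m:
        return None
    return f"CWE-{int(m.group(1))}"


# Constructed sample records (hypothetical components; CVE IDs are placeholders, not real CVEs).
COMPONENT_VULNS = [
    {"component": "example-lib:1.2.3", "cve": "CVE-0000-0001", "cwes": ["CWE-79"]},
    {"component": "example-lib:1.2.3", "cve": "CVE-0000-0002", "cwes": ["NVD-CWE-noinfo"]},
    {"component": "other-lib:4.5.6", "cve": "CVE-0000-0003", "cwes": ["cwe-089", "CWE-20"]},
]


def build_index(records):
    """Index (component, cve) pairs by canonical CWE ID; collect vulns with no exact CWE match."""
    by_cwe = defaultdict(set)
    unmapped = []
    for r in records:
        ids = {normalize_cwe(c) for c in r["cwes"]}
        ids.discard(None)
        if not ids:
            unmapped.append((r["component"], r["cve"]))
        for cid in ids:
            by_cwe[cid].add((r["component"], r["cve"]))
    return by_cwe, unmapped


def search_by_cwe(index, query):
    """Return matching (component, cve) pairs, [] if none, or None if the query is not a CWE ID."""
    cid = normalize_cwe(query)
    if cid is None:
        return None
    return sorted(index.get(cid, set()))


def claimed_coverage(index):
    """All CWE IDs the index can currently report, in numeric order."""
    return sorted(index, key=lambda c: int(c.split("-")[1]))


def cwe_url(cid):
    """Link to the CWE official website entry for a canonical CWE ID."""
    return f"https://cwe.mitre.org/data/definitions/{int(cid.split('-')[1])}.html"


if __name__ == "__main__":
    index, unmapped = build_index(COMPONENT_VULNS)
    for q in ("79", "CWE-120", "NVD-CWE-noinfo"):
        hits = search_by_cwe(index, q)
        if hits is None:
            print(f"{q}: not a CWE identifier")
        elif not hits:
            print(f"{q}: no task associated with this CWE identifier")
        else:
            print(f"{q}: {hits} -> {cwe_url(normalize_cwe(q))}")
    print("unmapped:", unmapped)
    print("coverage:", claimed_coverage(index))
```

The three-way result of `search_by_cwe` (matches, empty list, or `None` for a malformed ID) is what lets a UI distinguish "nothing found" from "not a CWE identifier" when showing the notification described above.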
Service Questions
SERVICE COVERAGE DETERMINATION USING CWE IDENTIFIERS <CR_A.3.1>
Give detailed examples and explanations of the different ways that a user can use CWE identifiers to find out which security elements are tested or detected by the service (i.e. by asking, by providing a list, by examining a coverage map, or by some other mechanism) (required):
Check the CWE vulnerabilities of a detected component (Figure 28. CWE search within a component).
View CWE vulnerabilities through the vulnerability list of the asset library in use (Figure 29).
Search CWE vulnerabilities through the vulnerability library (Figure 30).
FINDING CWE IDENTIFIERS IN SERVICE REPORTS USING ELEMENTS <CR_A.3.2>
Give detailed examples and explanations of how, for reports that identify individual security elements, the user can determine the associated CWE identifiers for the individual security elements in the report (required):
Click the CWE ID hyperlink next to a security element in the report; the page jumps to the page on the CWE official website that describes that weakness (Figures 31 and 32).
GETTING A LIST OF CLAIMED CWE IDENTIFIER COVERAGE <CR_A.3.3>
Give detailed examples and explanations of how a user can obtain a listing of all of the CWE identifiers that the owner claims the service is effective at locating in software (required):
The user can search for a CWE identifier with the "vulnerability library" function on the home page to locate the corresponding vulnerability and its description (Figure 33).
Online Capability Questions
FINDING ONLINE CAPABILITY TASKS USING CWE IDENTIFIERS <CR_A.4.1>
Give detailed examples and explanations of how a "find" or "search" function is available to the user to locate tasks in the online capability by looking for their associated CWE identifier or through an online mapping that links each element of the capability with its associated CWE identifier(s) (required):
Please refer to <CR_A.2.2>.
ONLINE CAPABILITY INTERFACE TEMPLATE USAGE <CR_A.4.1.1>
Provide a detailed description of how someone can use your "URL template" to interface to your capability's search function (recommended):
https://sca-uat.softsafe-tech.com/entry/login?redirect=%2Fsca
FINDING CWE IDENTIFIERS USING ONLINE CAPABILITY ELEMENTS <CR_A.4.2>
Give detailed examples and explanations of how, for reports that identify individual security elements, the online capability allows the user to determine the associated CWE identifiers for the individual security elements in the report (required):
Please refer to <CR_A.3.2>.
GETTING A LIST OF CLAIMED CWE IDENTIFIER COVERAGE <CR_A.4.3>
Give detailed examples and explanations of how a user can obtain a listing of all of the CWE identifiers that the owner claims the online capability’s repository covers (required):
Please refer to <CR_A.2.1>.
ONLINE CAPABILITY ELEMENT TO CWE IDENTIFIER MAPPING <CR_A.4.5>
If details for individual security elements are not provided, give examples and explanations of how a user can obtain a mapping that links each element with its associated CWE identifier(s), otherwise enter N/A (required):
We provide detailed information about each CWE weakness. Users can also follow the CWE link: clicking the link shown in Figure 34 takes the user to the page on the CWE official website that describes that weakness (Figure 35).
Media Questions
ELECTRONIC DOCUMENT FORMAT INFO <B.3.1>
Provide details about the different electronic document formats that you provide and describe how they can be searched for specific CWE-related text (required):
We provide reports in several formats: Word, Excel, PDF and SPDX v2.2. For example, users can search for CWE-related text in the PDF report by pressing Ctrl+F and typing the search term (Figure 36).
A sample electronic report is shown in Figure 37.
ELECTRONIC DOCUMENT LISTING OF CWE IDENTIFIERS <CR_B.3.2>
If one of the capability’s standard electronic documents only lists security elements by their short names or titles provide example documents that demonstrate how the associated CWE identifiers are listed for each individual security element (required):
We list the mapping relationship as a table, and the document format is PDF. Users can find the relevant CWE ID by searching for the component serial number or a component keyword.
Graphical User Interface (GUI) Questions
FINDING ELEMENTS USING CWE IDENTIFIERS THROUGH THE GUI <CR_B.4.1>
Give detailed examples and explanations of how the GUI provides a "find" or "search" function for the user to identify your capability’s elements by looking for their associated CWE identifier(s) (required):
Please refer to <CR_A.2.1>.
GUI ELEMENT TO CWE IDENTIFIER MAPPING <CR_B.4.2>
Briefly describe how the associated CWE identifiers are listed for the individual security elements or discuss how the user can use the mapping between CWE identifiers and the capability’s elements, also describe the format of the mapping (required):
Please refer to <CR_A.2.1>.
Questions for Signature
STATEMENT OF COMPATIBILITY <CR_2.11>
Have an authorized individual sign and date the following Compatibility Statement (required):
"As an authorized representative of my organization I agree that we will abide by all of the mandatory CWE Compatibility Requirements as well as all of the additional mandatory CWE Compatibility Requirements that are appropriate for our specific type of capability."
Name: Dan Lin
Title: Product Manager
STATEMENT OF ACCURACY <CR_3.4>
Have an authorized individual sign and date the following accuracy Statement (recommended):
"As an authorized representative of my organization and to the best of my knowledge, there are no errors in the mapping between our capability's Repository and the CWE identifiers our capability reports, and those CWE identifiers are as specific as possible within the available CWE repository."
Name: Dan Lin
Title: Product Manager
STATEMENT ON FALSE-POSITIVES AND FALSE-NEGATIVES <CR_B.2.10> and/or <CR_B.3.7>
FOR TOOLS AND SERVICES ONLY — Have an authorized individual sign and date the following statement about your tool's efficiency in identification of security elements (required):
"As an authorized representative of my organization and to the best of my knowledge, normally when our capability reports a specific security element, it is generally correct and normally when an event occurs that is related to a specific security element our capability generally reports it."
Name: Dan Lin
Title: Product Manager