Missing CWEs from security compliance pack

Cody978Cody978 Posts: 1

I'm trying to configure custom tests for C/C++ static analysis. I'm using Mitre CWE's library and some are in the CWE Top 25 + On the Cusp 2019. I do have the Security Compliance pack installed. However, some CWE which are listed on the Top 25 + On the Cusp 2019 are not shown in the rule tree in test configuration. For example, CWE-306 and CWE-862 are not listed in the built-in rule tree under the built-in Top 25+ test.

Parasoft -> Test Configuration -> Built-in -> Compliance Pack -> Security Pack -> CWE Top 25 + On the Cusp 2019.
Under static -> Rules Tree -> Common Weakness Enumeration. There should be 40 CWE listed (25 + 15), but there are only 27
Version: 9.7.15.20191108

Comments

  • mhernandezmhernandez Posts: 7 admin

    Hello,

    The reason why you see 27 rules and cannot find a rule mapping to CWE-306 and CWE-862 is that not all CWE’s are relevant in all contexts or languages, so there are some for which we have no checkers in some programming languages. If the rules do not apply to the C/C++ development, no rule is mapped.

    To learn more about how our C++test rules map to the CWE Top 25 + On the Cusp 2019, please find the rule mappings attached for C++test 10.4.3 and 2020.1

Sign In or Register to comment.