Name of Your Organization:
Hangzhou Huawei Cloud Computing Technologies Co., Ltd
Web Site:
https://support.huaweicloud.com/codecheck/index.html
Compatible Capability:
CodeCheck
Capability home page:
https://support.huaweicloud.com/codecheck/index.html
General Capability Questions
Product Accessibility <CR_2.4>
Provide a short description of how and where
your capability is made available to your customers and the public (required):
The product introduction for "CodeCheck" is on the web page: https://support.huaweicloud.com/productdesc-codecheck/devcloud_pdtd_30001.html
"CodeCheck" provides a static code analysis service that helps developers find potential security vulnerabilities in source code. You can register a developer account on the website: https://devcloud.cn-north-4.huaweicloud.com/codechecknew.
During the CWE evaluation process, you can follow the steps below to verify the service provided by "CodeCheck". We have already created a testing account for evaluation purposes.
Follow this process to access the service:
1. Go to the website: https://devcloud.cn-north-4.huaweicloud.com/codechecknew. You will see the sign-in page shown below. You can choose the display language at the top right of the page.
2. Choose the login method that matches your account type.
3. After login, the page appears as shown below.
On this page, you can complete the normal workflow for static code analysis:
- "Rule Set": we provide several default rule sets for C, C++, Java and JavaScript. Each rule set includes the default rules for common checks. You can modify a rule set to select or deselect its rules. A rule set is associated with a scan task when you create the task.
- "Rule": you can view the detailed information for each rule.
- "Task": create a scan task or view task results. You create a scan task for the chosen source code and select the rule set to scan with. After the scan, you get the scan result for that project.
Basic introduction:
Click "RuleSet" to see the rule set information. There are currently several default rule sets for C/C++/Java/JavaScript.
Click a rule set name to see the list of rules in that rule set, as shown on the page below.
On this page, you can search by CWE ID or export the rules as an Excel list, as shown below; the export contains the rule details and the related CWE ID.
Click "Rule" to see the detailed rule information. All rules are listed here. The page is split into three areas:
✓ Left area: search and filter conditions. You can search for rules by name, CWE ID (drop-down box), severity and tag.
✓ Middle area: the list of rules matching the filter condition. Click a rule to show its details in the right area of the page.
✓ Right area: rule detail display. It shows the rule description, a bad case, a good case and the related CWE ID, which links to the corresponding page on the CWE website.
Click "Issues" to see the detailed scan result.
After you click "Issues" on the task result page, the scan result is shown as below. On this page you can filter the results by CWE ID, or click the "Help" link on an issue's tag to open the rule detail, where you can find the CWE ID related to the rule.
Mapping Questions
Map Currency Indication <CR_6.1>
Describe how and where your capability indicates the most recent CWE content used to create or update its mappings (required):
On CodeCheck's rule detail page, each rule's related CWE ID is shown as a link into the current CWE version for more detail.
The CWE ID link displayed in the system points to: https://cwe.mitre.org/data/definitions/[CWE ID].html
Our rules are currently mapped against CWE 4.7. CWE 4.8 was released in June 2022, and we are checking the differences between the two versions.
Map Currency Update Approach <CR_6.2>
Indicate how often you plan on updating the mappings to reflect the current CWE content and describe your approach to keeping reasonably current with the CWE content when mapping them to your repository (recommended):
We started mapping our rules to CWE with CWE 4.4, and we follow each new CWE version, focusing in particular on newly created CWE IDs, deprecated CWE IDs, and updated CWE content, descriptions and relationships. We check this information at: https://cwe.mitre.org/data/reports/diff_reports/latest.html. Based on it, we decide whether a rule's related CWE needs to change. If so, the change is included in the next release of CodeCheck.
When we design a new rule, we follow the guidance at: https://cwe.mitre.org/documents/cwe_usage/guidance.html. We search the CWE website (https://cwe.mitre.org/find/index.html) for keywords describing the rule's purpose to find candidate CWEs, then use the CWE description and the related CVEs to decide which CWE matches our rule.
MAP CURRENCY UPDATE TIME <CR_6.3>
Describe how and where you explain to your customers the timeframe they should expect an update of your capability’s mappings to reflect newly available CWE content (required):
On the CodeCheck overview page: https://support.huaweicloud.com/productdesc-codecheck/devcloud_pdtd_30001.html, we state that our rules comply with CWE, as shown below.
Documentation Questions
CWE AND COMPATIBILITY DOCUMENTATION <CR_5.1>
Provide a copy, or directions to its location, of where your documentation describes CWE and CWE compatibility for your customers (required):
- On the CodeCheck overview page: https://support.huaweicloud.com/productdesc-codecheck/devcloud_pdtd_30001.html, we state that our rules comply with CWE, as shown below.
- On the CodeCheck rule set page, you can export the rule details as an Excel file. The file gives the CWE ID related to each rule, as shown below.
- On the CodeCheck scan result page, you can export the defect list as an Excel file. The file gives the CWE ID related to each defect's rule, as shown below.
DOCUMENTATION OF FINDING ELEMENTS USING CWE IDENTIFIERS <CR_5.2>
Provide a copy, or directions to its location, of where your documentation describes the specific details of how your customers can use CWE identifiers to find the individual security elements within your capability’s repository (required):
- On the CodeCheck rule set page, you can export the rule details as an Excel file. The file gives the CWE ID related to each rule, as shown below.
- On the CodeCheck rule search page, you can search rules by CWE ID.
- On the CodeCheck rule detail page, you can find the CWE ID related to the rule and follow its link to the details of that CWE.
- On the CodeCheck scan result page, you can search scan results by CWE ID.
- On the scan result page, you can export the scan result as an Excel file, which gives the CWE related to each defect.
DOCUMENTATION OF FINDING CWE IDENTIFIERS USING ELEMENTS <CR_5.3>
Provide a copy, or directions to its location, of where your documentation describes the process a user would follow to find the CWE identifiers associated with individual security elements within your capability’s repository (required):
- On the CodeCheck rule detail page, you can find the rule description together with a good case and a bad case. We use this information to identify the related CWE ID.
DOCUMENTATION INDEXING OF CWE-RELATED MATERIAL <CR_5.4>
If your documentation includes an index, provide a copy of the items and resources that you have listed under "CWE" in your index. Alternately, provide directions to where these "CWE" items are posted on your web site (recommended):
1. On the CodeCheck rule set page: https://devcloud.cn-north-4.huaweicloud.com/codechecknew/project/38718abbed98444293ed5bf8c8eec95b/codecheck/ruleset, you can export the rule details as an Excel file.
Rule set for the C language, export: https://devcloud.cn-north-4.huaweicloud.com/codechecknew/project/38718abbed98444293ed5bf8c8eec95b/codecheck/ruleset/33fc48f31a964b0680268dba7f846086/config
You can export each rule set as an Excel file. In the file you can find the CWE ID related to each rule.
2. In the scan result, you can find defects by CWE ID. The scan result search page is: https://devcloud.cn-north-4.huaweicloud.com/codechecknew/project/38718abbed98444293ed5bf8c8eec95b/codecheck/task/5cbb45e7ccf742d7bc4f9f1af4bc9054/defects
3. You can export the scan result to an Excel file, which gives the CWE ID related to each defect.
Type-Specific Capability Questions
Tool Questions
FINDING TASKS USING CWE IDENTIFIERS <CR_A.2.1>
Give detailed examples and explanations of how a user can locate tasks in the tool by looking for their associated CWE identifier (required):
- Go to the Rule page: https://devcloud.cn-north-4.huaweicloud.com/codechecknew/project/38718abbed98444293ed5bf8c8eec95b/codecheck/rules
- Change the search condition to "CWE ID".
- Enter the required CWE ID and press the search button. You get the list of related rules; click a rule name to see the detailed information about the rule. The CWE ID related to the rule is shown at the end of the details.
- To learn more about the CWE ID, click the CWE ID link; the CWE web page opens as shown below.
FINDING CWE IDENTIFIERS USING ELEMENTS IN REPORTS <CR_A.2.2>
Give detailed examples and explanations of how, for reports that identify individual security elements, the tool allows the user to determine the associated CWE identifier for the individual security elements in the report (required):
- After the scan task finishes, the number of defects found in the task is displayed. In this example there are 19 issues, as shown below. Click the defect number for details.
- On the scan result page, you can view the defects by related CWE ID, as shown below; the number of defects under each CWE ID is displayed.
- Choose the individual CWE ID you want to check. After you click the CWE ID, the related defects are shown on the right of the page. In this example we chose CWE ID 22, and there are currently 3 defects under CWE-22.
- For more information about a defect, click the help button in the defect title. This shows the rule description, good case, bad case and the related CWE ID at the end of the help text. Click the CWE ID link to jump to the page for that CWE ID on the CWE website.
GETTING A LIST OF CLAIMED CWE IDENTIFIER COVERAGE <CR_A.2.3>
Give detailed examples and explanations of how a user can obtain a listing of all of the CWE identifiers that the owner claims the tool is effective at locating in software (required):
- Go to the Rule set page: https://devcloud.cn-north-4.huaweicloud.com/codechecknew/project/38718abbed98444293ed5bf8c8eec95b/codecheck/ruleset
- Choose the rule set for the language; the list of rules in that rule set is shown. You can search the rule set for the CWE ID you want to check.
- You can export the rule list as an Excel file. In the file you can check the CWE coverage of this rule set, as shown below.
GETTING A LIST OF CWE IDENTIFIERS ASSOCIATED WITH TASKS <CR_A.2.6>
Give detailed examples and explanations of how a user can obtain a listing of all of the CWE identifiers that are associated with the tool's tasks (recommended):
- When users create a task, they must select a rule set to associate with the task. For the CWEs related to a rule set, see the answer to question 12.
- After the scan finishes, you get the list of defects grouped by related CWE. You can also export the scan result as an Excel file to check the defects and their related CWEs. For more information, see the answer to question 11.
SELECTING TASKS WITH A LIST OF CWE IDENTIFIERS <CR_A.2.7>
Describe the steps and format that a user would use to select a set of tasks by providing a file with a list of CWE identifiers (recommended):
See the answer to question 11 for how to export a rule set as an Excel file. In the file you can find the CWE ID related to each rule.
SELECTING TASKS USING INDIVIDUAL CWE IDENTIFIERS <CR_A.2.8>
Describe the steps that a user would follow to browse, select, and deselect a set of tasks for the tool by using individual CWE identifiers (recommended):
See the answer to question 10 for how to select individual CWE IDs when configuring a rule set.
NON-SUPPORT NOTIFICATION FOR A REQUESTED CWE IDENTIFIER <CR_A.2.9>
Provide a description of how the tool notifies the user that a task associated with a selected CWE identifier cannot be performed (recommended):
On the rule selection page: https://devcloud.cn-north-4.huaweicloud.com/codechecknew/project/38718abbed98444293ed5bf8c8eec95b/codecheck/rules
Choose "CWE ID" as the search item, enter the CWE ID to search for, and press the search button. If the searched CWE ID is not supported, the search result tells you that no related result was found, as shown in the screenshot below.
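The three operations above (listing the claimed CWE coverage of a rule set under <CR_A.2.3>, selecting rules from a file of CWE IDs under <CR_A.2.7>, and reporting CWE IDs with no supporting rule under <CR_A.2.9>) can also be done offline against an exported rule list. The script below is an added example and is not CodeCheck code; it assumes the exported rule list has been saved as CSV with the columns "Rule Name", "Language" and "CWE ID" (CodeCheck exports Excel, and the real column names are not given on this page), and the rule rows and wanted list it contains are constructed sample data.

```python
"""Check an exported CodeCheck rule list against a wanted list of CWE IDs.

Added example, not CodeCheck's own code or export format. It assumes the
exported rule list has been saved as CSV with the columns 'Rule Name',
'Language', 'CWE ID' (assumed names; the real export is an Excel file).
The rule rows and the wanted list below are constructed sample data.
"""
import csv
import io
import re

# Link form used by the rule detail page, per the CR_6.1 answer.
CWE_LINK = "https://cwe.mitre.org/data/definitions/{}.html"

# Constructed sample export; these are not real CodeCheck rules.
SAMPLE_EXPORT = """Rule Name,Language,CWE ID
path-traversal-check,Java,CWE-22
sql-concat-query,Java,CWE-89
hardcoded-password,Java,CWE-798
unchecked-return-value,C,CWE-252
strcpy-without-bounds,C,CWE-120;CWE-787
no-cwe-style-rule,Java,
"""

# Constructed wanted list, one CWE per line, in the mixed spellings a user might type.
WANTED_LIST = """CWE-22
89
cwe-79
CWE-787
"""

_CWE_RE = re.compile(r"^(?:cwe-)?(\d+)$", re.IGNORECASE)


def normalize_cwe(token):
    """Return the numeric ID for 'CWE-22', 'cwe-22' or '22'; None if unparsable."""
    m = _CWE_RE.match(token.strip())
    return int(m.group(1)) if m else None


def load_rule_map(csv_text):
    """Map CWE ID -> set of rule names. A rule may list several CWEs separated by ';'."""
    coverage = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        for tok in row["CWE ID"].split(";"):
            cwe = normalize_cwe(tok)
            if cwe is None:
                continue  # rule without a CWE mapping, e.g. a style rule
            coverage.setdefault(cwe, set()).add(row["Rule Name"])
    return coverage


def load_wanted(text):
    """Parse the user's CWE list file into a set of numeric IDs, ignoring junk lines."""
    ids = set()
    for line in text.splitlines():
        cwe = normalize_cwe(line)
        if cwe is not None:
            ids.add(cwe)
    return ids


def select_rules(coverage, wanted):
    """Split wanted CWEs into covered (with rule names) and unsupported; return the rules to enable."""
    covered = {c: sorted(coverage[c]) for c in wanted if c in coverage}
    unsupported = sorted(c for c in wanted if c not in coverage)
    rules = sorted({r for names in covered.values() for r in names})
    return covered, unsupported, rules


def report(covered, unsupported):
    """One line per wanted CWE, with the rule names that cover it or a non-support notice."""
    lines = []
    for cwe in sorted(covered):
        lines.append(f"CWE-{cwe}: {', '.join(covered[cwe])}  ({CWE_LINK.format(cwe)})")
    for cwe in unsupported:
        lines.append(f"CWE-{cwe}: no rule in this rule set  ({CWE_LINK.format(cwe)})")
    return "\n".join(lines)


if __name__ == "__main__":
    cov = load_rule_map(SAMPLE_EXPORT)
    covered, unsupported, rules = select_rules(cov, load_wanted(WANTED_LIST))
    print(report(covered, unsupported))
    print("rules to enable:", rules)
```

The "rules to enable" list is what you would then select in the rule set configuration page; the unsupported entries are the CWE IDs for which the rule search would return no related result.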
Service Questions
SERVICE COVERAGE DETERMINATION USING CWE IDENTIFIERS <CR_A.3.1>
Give detailed examples and explanations of the different ways that a user can use CWE identifiers to find out which security elements are tested or detected by the service (i.e. by asking, by providing a list, by examining a coverage map, or by some other mechanism) (required):
Users can check rule sets or rules by searching for the related CWE ID, or export a rule set to an Excel file to check the CWE IDs related to all of its rules. For details, see the answer to question 10.
FINDING CWE IDENTIFIERS IN SERVICE REPORTS USING ELEMENTS <CR_A.3.2>
Give detailed examples and explanations of how, for reports that identify individual security elements, the user can determine the associated CWE identifiers for the individual security elements in the report (required):
Users can search the scan result page by related CWE ID, or export the scan result to an Excel file to check the CWE IDs related to all defects. For details, see the answer to question 11.
GETTING A LIST OF CLAIMED CWE IDENTIFIER COVERAGE <CR_A.3.3>
Give detailed examples and explanations of how a user can obtain a listing of all of the CWE identifiers that the owner claims the service is effective at locating in software (required):
Users can check rule sets or rules by searching for the related CWE ID, or export a rule set to an Excel file to check the CWE IDs related to all of its rules. For details, see the answer to question 10.
Graphical User Interface (GUI) Questions
FINDING ELEMENTS USING CWE IDENTIFIERS THROUGH THE GUI <CR_B.4.1>
Give detailed examples and explanations of how the GUI provides a "find" or "search" function for the user to identify your capability’s elements by looking for their associated CWE identifier(s) (required):
Users can check rule sets or rules by searching for the related CWE ID, or export a rule set to an Excel file to check the CWE IDs related to all of its rules. For details, see the answer to question 10.
GUI ELEMENT TO CWE IDENTIFIER MAPPING <CR_B.4.2>
Briefly describe how the associated CWE identifiers are listed for the individual security elements or discuss how the user can use the mapping between CWE identifiers and the capability’s elements, also describe the format of the mapping (required):
Users can search by rule name or CWE ID on the rule set or rule page to get the rule's detailed information. Users can also follow the link on the rule's related CWE ID to learn more about that CWE.
Questions for Signature
STATEMENT OF COMPATIBILITY <CR_2.11>
Have an authorized individual sign and date the following Compatibility Statement (required):
"As an authorized representative of my organization I agree that we will abide by all of the mandatory CWE Compatibility Requirements as well as all of the additional mandatory CWE Compatibility Requirements that are appropriate for our specific type of capability."
Name: Miao He
Title: Software service domain director
STATEMENT OF ACCURACY <CR_3.4>
Have an authorized individual sign and date the following accuracy Statement (recommended):
"As an authorized representative of my organization and to the best of my knowledge, there are no errors in the mapping between our capability's Repository and the CWE identifiers our capability reports, and those CWE identifiers are as specific as possible within the available CWE repository."
Name: Miao He
Title: Software service domain director
STATEMENT ON FALSE-POSITIVES AND FALSE-NEGATIVES <CR_B.2.10> and/or <CR_B.3.7>
FOR TOOLS AND SERVICES ONLY — Have an authorized individual sign and date the following statement about your tool's efficiency in identification of security elements (required):
"As an authorized representative of my organization and to the best of my knowledge, normally when our capability reports a specific security element, it is generally correct and normally when an event occurs that is related to a specific security element our capability generally reports it."
Name: Miao He
Title: Software service domain director