Introduction

CWE (Common Weakness Enumeration) aims to provide a common base for identifying types of software weakness (vulnerability). International in scope and free for public use, CWE™ provides a unified, measurable set of software weaknesses that enables more effective discussion, description, selection, and use of software security tools and services that can find these weaknesses in source code. CWE gives a hierarchically structured list of weakness types to help identify software vulnerabilities, which come in a wide variety, such as SQL injection, cross-site scripting and buffer overflow.

CWE for Software Resilience Analysis

...

Security Reviewer provides a consistent number of CWE 4.0 4 rules designed for detecting vulnerabilities inside source code. Each rule defines up to 12 variants and up to 50 APIs to which it is applied, and has its own CWE Identifier and Description, with the related MITRE web site link, on which you can run a search:

...

You can export the rules list in Excel CSV format with CWE details:

...

CWE Ruleset

You can execute the Static Analysis with CWE and CWE SANS Top 25 ruleset:

...


CWE Results

After Static Analysis completion, even if you chose a different ruleset, each detected vulnerability always has its own CWE ID with the related web link:

...

In the Static Analysis Reports, each rule's violation shows the related clickable CWE™ ID:

...

CWE Capabilities

Requirement: CWE Searchability
Capability: Security, Dead code, Best practices Rules, Analysis Results and Reports
Fulfillment Method: By using the search function in Security Reviewer, the vulnerability countermeasure information database, users can conduct a search using CWE identifiers as the keyword.

Requirement: CWE Output
Capability: Analysis Results
Fulfillment Method: CWE identifiers are displayed in the “Results” section within each vulnerability countermeasure information page.
Capability: Reports
Fulfillment Method: The CWE identifier is displayed in the “Violations” section of the detailed information window of each vulnerability countermeasure information.

Requirement: CWE Documentation
Capability: Security Reviewer Knowledge Center, User Guide
Fulfillment Method: This document will become the documentation necessary to describe and demonstrate CWE, CWE association and the methods used to satisfy the compatibility requirements.

Requirement: Mapping Accuracy
Capability: Security, Dead code, Best practices Rules, Analysis Results and Reports
Fulfillment Method: Security Reviewer supports many of the CWE 2.9, 3.1, 3.2 and 34.4 IDs related to Static Analysis.

Supported CWE per Programming Language (Tiobe Index Top 10)

...

(*6) WASC: The Web Application Security Consortium is a non-profit made up of an international group of experts, industry practitioners, and organizational representatives who produce open-source and widely agreed-upon best-practice security standards for the World Wide Web.

http://www.webappsec.org/

(*7) TIOBE: The TIOBE Programming Community index is an indicator of the popularity of programming languages. The index is updated once a month. The ratings are based on the number of skilled engineers worldwide, courses and third-party vendors.

https://www.tiobe.com/tiobe-index/


COPYRIGHT (C) 2014-2021 SECURITY REVIEWER SRL. ALL RIGHTS RESERVED.