4.6.6. Common Weakness Enumeration (CWE) Compliance Checking Guide

4.6.6.1. Checking CWE Rules compliance with Axivion Suite

The Axivion Suite can be used to check compliance of your code with Common Weakness Enumeration (CWE) rules. These checks are implemented as stylechecks.

The following table shows the available checks. For those that require static semantic analysis, you additionally have to activate and configure the rule StaticSemanticAnalysis; without it, such checks have no data flow information to work on and report nothing.

Supported CWE rules (Common Weakness Enumeration)

Configuration

CWE checks implemented as stylechecks can be selected and configured like other stylechecks, see Stylechecks.

Many of the CWE checks have individual configuration options as shown in the GUI in order to fine-tune them to your needs.

Even though we ship a sensible default configuration, the CWE checks should be adapted to your project and to the threats that actually apply to it. Additionally, some rules need to be configured before they can report anything useful:

  • Rule CWE-89: Provide option is_relevant_usage so that the check recognizes the calls in which your project constructs SQL queries. By default, the relevant calls of the sqlite and MySQL C APIs are detected; queries built through any other API are only considered once you add those calls.

  • Rules CWE-335 and CWE-337: Provide either option routines_returning_predictable_values (the seed sources to be reported as predictable) or option whitelist (the seed sources that are acceptable in your project) to configure which random number seeds are allowed in your project.

  • Rule CWE-338: Provide option blacklist to report further weak random number generators beyond those the check knows by default.

  • Rule CWE-798: Set option suspect_detection_pattern to a regular expression matching the names of the objects in your project which might hold credentials. The pattern decides which string-initialized objects are inspected at all, so a pattern that is too narrow silently misses credentials and one that is too broad floods the report.
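To make concrete what the options above control, the following is an added, deliberately miniature re-creation of four of these checks in Python. It is not Axivion Suite code and does not use the suite's configuration format; the names SUSPECT_DETECTION_PATTERN, WEAK_RNG_BLACKLIST, PREDICTABLE_SEED_ROUTINES and SEED_WHITELIST are assumed stand-ins for the options named on the page, the C fragment it scans is constructed for this example, and read_seed_from_getrandom is a hypothetical project helper. It works on source text with regular expressions, which is precisely the limitation the real checks avoid by working on the semantic model of the program: a value that merely passes through a variable (the unknown_seed case below) cannot be judged by a text scan, and that is the class of question StaticSemanticAnalysis exists to answer.

```python
"""Miniature, text-based analogues of the CWE-798, CWE-338 and CWE-335/337 checks.

Added illustration only: not Axivion Suite code, not its configuration format.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    line: int
    source: str


# Assumed values standing in for the page's options (not real option syntax).
SUSPECT_DETECTION_PATTERN = re.compile(r"(?i)passw(?:or)?d|secret|api[_-]?key|token")
WEAK_RNG_BLACKLIST = frozenset({"rand", "rand_r", "random", "lrand48", "drand48"})
PREDICTABLE_SEED_ROUTINES = frozenset({"time", "clock", "getpid"})
SEED_WHITELIST = frozenset({"read_seed_from_getrandom"})  # hypothetical project helper

C_STRING = r'"(?:[^"\\]|\\.)*"'
# `[const] char [*]name[ [N] ] = "..."`: an object initialised from a string literal.
STRING_OBJECT_DECL = re.compile(
    r"\b(?:const\s+)?char\s*\*?\s*(\w+)\s*(?:\[[^\]]*\])?\s*=\s*" + C_STRING)
SIMPLE_CALL = re.compile(r"\b(\w+)\s*\(([^()]*)\)")   # calls without nested parentheses
SEED_CALL = re.compile(r"\bs(?:rand|random)\s*\((.*)\)")
IDENT = re.compile(r"\b[A-Za-z_]\w*\b")


def check_cwe798(src: str) -> list[Finding]:
    """Hard-coded credentials: a string-initialised object whose name matches the pattern."""
    out = []
    for no, line in enumerate(src.splitlines(), 1):
        for m in STRING_OBJECT_DECL.finditer(line):
            if SUSPECT_DETECTION_PATTERN.search(m.group(1)):
                out.append(Finding("CWE-798", no, line.strip()))
    return out


def check_cwe338(src: str) -> list[Finding]:
    """Weak PRNG: any call to a blacklisted generator."""
    out = []
    for no, line in enumerate(src.splitlines(), 1):
        for m in SIMPLE_CALL.finditer(line):
            if m.group(1) in WEAK_RNG_BLACKLIST:
                out.append(Finding("CWE-338", no, line.strip()))
    return out


def check_cwe337(src: str) -> list[Finding]:
    """Predictable seed: srand/srandom fed a numeric literal or a predictable routine.

    A whitelisted name anywhere in the argument suppresses the finding. An
    argument that is only a variable is not flagged: a text scan cannot tell
    where the value came from, which is exactly what semantic analysis adds."""
    out = []
    for no, line in enumerate(src.splitlines(), 1):
        m = SEED_CALL.search(line)
        if not m:
            continue
        arg = m.group(1)
        names = set(IDENT.findall(arg))
        if names & SEED_WHITELIST:
            continue
        if names & PREDICTABLE_SEED_ROUTINES or re.fullmatch(r"\s*\d+\s*", arg):
            out.append(Finding("CWE-337", no, line.strip()))
    return out


def run_all(src: str) -> list[Finding]:
    """All findings, ordered by line so the report reads like the source."""
    return sorted(check_cwe798(src) + check_cwe338(src) + check_cwe337(src),
                  key=lambda f: (f.line, f.rule))


# Constructed sample input: a C fragment written for this example.
SAMPLE_C = """\
#include <stdlib.h>
#include <time.h>
const char *db_password = "hunter2";
static char api_key[32] = "sk-test-0000";
static const char *greeting = "hello";
unsigned quick_seed(void) {
    srand(time(NULL));
    return (unsigned)rand();
}
unsigned fixed_seed(void) {
    srandom(12345);
    return (unsigned)random();
}
void good_seed(void) { srand(read_seed_from_getrandom()); }
void unknown_seed(unsigned s) { srand(s); }
"""

if __name__ == "__main__":
    for f in run_all(SAMPLE_C):
        print(f"{f.rule} line {f.line}: {f.source}")
```

Running it reports the two credential objects (lines 3 and 4, but not greeting on line 5), the two predictable seeds (time(NULL) on line 7 and the literal on line 11), and the two weak generators (lines 8 and 12); good_seed is silenced by the whitelist entry, and unknown_seed produces nothing because the scan has no idea what s holds. Tuning the suspect pattern or the blacklist changes the first and third groups directly, which is the effect the corresponding options have on the real checks.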

4.6.6.2. CWE Terms of Use

CWE™ is free to use by any organization or individual for any research, development, and/or commercial purposes, per these CWE Terms of Use. Accordingly, The MITRE Corporation hereby grants you a non-exclusive, royalty-free license to use CWE for research, development, and commercial purposes. Any copy you make for such purposes is authorized on the condition that you reproduce MITRE’s copyright designation and this license in any such copy. CWE is a trademark of The MITRE Corporation. Please contact cwe@mitre.org if you require further clarification on this issue.

DISCLAIMERS

By accessing information through this site you (as “the user”) hereby agrees the site and the information is provided on an “as is” basis only without warranty of any kind, express or implied, including but not limited to implied warranties of merchantability, availability, accuracy, noninfringement, or fitness for a particular purpose. Use of this site and the information is at the user’s own risk. The user shall comply with all applicable laws, rules, and regulations, and the data source’s restrictions, when using the site.

By contributing information to this site you (as “the contributor”) hereby represents and warrants the contributor has obtained all necessary permissions from copyright holders and other third parties to allow the contributor to contribute, and this site to host and display, the information and any such contribution, hosting, and displaying will not violate any law, rule, or regulation. Additionally, the contributor hereby grants all users of such information a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute such information and all derivative works.