CWE Mappings

The first step in any kind of software assurance project is getting all the tools to talk the same language. If one tool uses one name for a defect and another tool uses a different name, how can you be sure it's the same problem? And how can you achieve any kind of automation and correlation between tools? The way to do that is to map each tool's native identifier to a CWE.


The first tool I am looking into is cppcheck. You can use the fake-make package to "build" the package. This step simply collects the defines, files, and include directories used during a build, without compiling anything. The steps are something like this:

  • rpmbuild -ba package.spec
  • make clean
  • make-app
  • run_cppcheck
  • sed -f cppcheck.sed cppcheck.log

To get to the point of doing automatic CWE mappings, I had to go through all the cppcheck source code and look for all the identifiers. These were then checked against the CWE tables. This is the raw text of that mapping. To make a sed file that is easily applied, we need cppcheck to format its output a certain way. Cppcheck allows you to specify the format of its output. If you use something like --template "{file}:{line}, {id}, {message}", then we have a regular, ordered output that is easy to process. This is a sed file that you can use to convert the native identifier to a CWE. Just follow the recipe above.
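As an added illustration of the last step of the recipe (not the author's sed file, whose full mapping table is not reproduced here), the script below rewrites the id field of cppcheck output produced with the template above into a CWE id, and then lists any ids that still have no mapping. The log lines and the three-entry mapping are constructed for this example.

```shell
# Constructed cppcheck output in the "{file}:{line}, {id}, {message}" template
# (sample data, not a real scan result).
SAMPLE_LOG='src/parse.c:42, nullPointer, Possible null pointer dereference: p
src/buf.c:17, arrayIndexOutOfBounds, Array buf[8] accessed at index 8, which is out of bounds.
src/alloc.c:90, memleak, Memory leak: tmp
src/misc.c:5, unusedVariable, Unused variable: i'

# Sed rules that replace the native cppcheck id (second field) with a CWE id.
# Anchoring on the first two fields keeps commas inside the message harmless.
# This is a small constructed subset of a mapping table, not a complete one.
CWE_SED='s/^\([^,]*\), nullPointer, /\1, CWE-476, /
s/^\([^,]*\), arrayIndexOutOfBounds, /\1, CWE-788, /
s/^\([^,]*\), memleak, /\1, CWE-401, /'

# Apply the mapping to the log; lines with an unmapped id pass through unchanged.
map_to_cwe() {
    printf '%s\n' "$SAMPLE_LOG" | sed -e "$CWE_SED"
}

# Report native ids that survived the mapping, so the table can be extended
# rather than silently dropping findings from correlation.
unmapped_ids() {
    map_to_cwe | grep -v ', CWE-' | cut -d, -f2 | sed 's/^ *//' | sort -u
}
```

In a real run, replace SAMPLE_LOG with the cppcheck.log produced by run_cppcheck and put the sed rules in cppcheck.sed.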