CERT secure coding L1 level rules for Java, C, C++

Hi

CERT secure coding guidelines prioritize rules based on Severity, Likelihood and Remediation Cost

L1 rules are the ones with High severity, likely and inexpensive to repair.

For more details: https://wiki.sei.cmu.edu/confluence/display/perl/Risk+Assessment

CERT also provides priority information for Java, C, and C++ rules:

https://wiki.sei.cmu.edu/confluence/display/java/Rule+or+Rec.+EE.+Risk+Assessments

https://wiki.sei.cmu.edu/confluence/display/c/GG.+Risk+Assessments

https://wiki.sei.cmu.edu/confluence/display/cplusplus/EE.+Risk+Assessments

SonarQube already has some coverage; if SonarQube could provide complete L1 rule coverage and mapping data for Java, C, and C++, it would be really great.

Thank you,

Vinod
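The post above describes the CERT scheme in words; the following added example (not code from the thread, from SonarSource, or from CERT) shows it as a small gap-analysis script: each rule gets a 1..3 score for severity, likelihood and remediation cost, the priority is the product, and the product maps onto the three levels exactly as CERT's Risk Assessment page defines them (L1 = {12, 18, 27}, L2 = {6, 8, 9}, L3 = {1, 2, 3, 4}). The rule identifiers and their scores, and the "covered" set standing in for an analyzer's existing rules, are constructed sample data, not real CERT assessments or SonarQube mappings.

```python
"""Compute CERT rule levels from their risk-assessment scores and list the
Level 1 rules that a given ruleset does not yet cover.

Added example, not SonarSource's or CERT's code. Rule IDs and scores below
are constructed sample data."""
from dataclasses import dataclass
from typing import Iterable, List, Set

# CERT scores each factor 1..3. Remediation cost is scored inversely:
# a cheap fix scores 3, an expensive one scores 1.
SEVERITY = {"low": 1, "medium": 2, "high": 3}
LIKELIHOOD = {"unlikely": 1, "probable": 2, "likely": 3}
REMEDIATION_COST = {"high": 1, "medium": 2, "low": 3}

# Priority = severity * likelihood * remediation cost; the ten possible
# products map onto CERT's three levels.
LEVELS = {27: 1, 18: 1, 12: 1,
          9: 2, 8: 2, 6: 2,
          4: 3, 3: 3, 2: 3, 1: 3}


@dataclass(frozen=True)
class RuleAssessment:
    rule_id: str
    severity: str
    likelihood: str
    remediation_cost: str

    def priority(self) -> int:
        """CERT priority: product of the three 1..3 scores (1..27)."""
        return (SEVERITY[self.severity]
                * LIKELIHOOD[self.likelihood]
                * REMEDIATION_COST[self.remediation_cost])

    def level(self) -> int:
        """CERT level (1 = address first) derived from the priority."""
        return LEVELS[self.priority()]


def missing_rules(assessments: Iterable[RuleAssessment],
                  covered: Set[str], level: int = 1) -> List[str]:
    """IDs of rules at `level` that the analyzer does not cover, in input order.

    `covered` stands in for the set of CERT rules an analyzer already maps
    to its own rules; everything at the requested level outside it is a gap."""
    return [a.rule_id for a in assessments
            if a.level() == level and a.rule_id not in covered]


# Constructed sample assessments (hypothetical rule IDs, not real CERT rules).
SAMPLE_ASSESSMENTS = [
    RuleAssessment("SAMPLE-00-J", "high", "likely", "low"),        # 27 -> L1
    RuleAssessment("SAMPLE-01-J", "high", "probable", "medium"),   # 12 -> L1
    RuleAssessment("SAMPLE-02-J", "medium", "probable", "medium"), # 8  -> L2
    RuleAssessment("SAMPLE-03-J", "low", "unlikely", "high"),      # 1  -> L3
    RuleAssessment("SAMPLE-04-J", "high", "likely", "high"),       # 9  -> L2
]

# Constructed stand-in for the rules an analyzer already implements.
SAMPLE_COVERED = {"SAMPLE-00-J", "SAMPLE-02-J"}

if __name__ == "__main__":
    for a in SAMPLE_ASSESSMENTS:
        print(f"{a.rule_id}: priority {a.priority():2d} -> L{a.level()}")
    print("Missing L1 rules:", missing_rules(SAMPLE_ASSESSMENTS, SAMPLE_COVERED))
```

Running the script lists each sample rule's priority and level and then the uncovered Level 1 rules (here only `SAMPLE-01-J`). Note that the level follows from the product, not from any single factor: `SAMPLE-04-J` is high severity and likely, yet its expensive fix gives it priority 9 and places it in Level 2, which is why a gap analysis should start from the published scores rather than from severity alone.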

Hello Vinod,

Thanks for reaching out and putting this “Level” topic on the table. I was looking at it without taking the time to understand it. Now it’s clear and I have a way to prioritize which part of CERT we should cover first.

I like your idea and I believe we could imagine ways to make this “Level” information more visible in SonarQube.
Before thinking about that, we need to do a gap analysis between CERT and SonarJava and determine which Level 1 rules are missing.

I take the action to study that.

Thanks
Alex
