CERT secure coding L1 level rules for Java, C, C++

java
security
cpp
c
cert

(Vinod Anandan) #1

Hi

CERT secure coding guidelines prioritize rules based on Severity, Likelihood and Remediation Cost.

L1 rules are the ones with high severity, likely to occur, and inexpensive to repair.

For more details: https://wiki.sei.cmu.edu/confluence/display/perl/Risk+Assessment

CERT also provides priority information for Java, C and C++ rules:

https://wiki.sei.cmu.edu/confluence/display/java/Rule+or+Rec.+EE.+Risk+Assessments

https://wiki.sei.cmu.edu/confluence/display/c/GG.+Risk+Assessments

https://wiki.sei.cmu.edu/confluence/display/cplusplus/EE.+Risk+Assessments

SonarQube already has some coverage; if SonarQube could provide complete L1 rule coverage and mapping data for Java and C/C++, it would be really great.

Thank you,

Vinod
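The post above describes L1 only as the "high severity, likely, inexpensive to repair" case. As an added illustration (not code from the thread, from SonarSource or from CERT), the following reproduces the CERT risk-assessment rubric from the linked wiki pages in full: each of the three factors scores 1-3, priority is their product, and the level is L1 for 12-27, L2 for 6-9 and L3 for 1-4, so several combinations besides the one named in the post land in L1. It then applies the scoring to a constructed list of rules and reports the L1 ones that a hypothetical scanner does not yet cover, which is the kind of gap list the thread is asking for. The rule IDs (`EX00-J` and so on), the scores given to them and the `COVERED` set are all constructed placeholders, not real CERT assessments or real SonarQube coverage data.

```python
"""Added example: score rules with the CERT risk-assessment rubric and
list the L1 rules a scanner does not yet implement. Sample data is constructed."""

import csv
from io import StringIO

# Scale values as defined on the CERT "Risk Assessment" wiki pages.
SEVERITY = {"low": 1, "medium": 2, "high": 3}
LIKELIHOOD = {"unlikely": 1, "probable": 2, "likely": 3}
# Remediation cost is scored inversely: a cheap fix raises the priority.
REMEDIATION_COST = {"high": 1, "medium": 2, "low": 3}


def priority(severity: str, likelihood: str, remediation_cost: str) -> int:
    """Priority is the product of the three scores (1..27)."""
    return (SEVERITY[severity.lower()]
            * LIKELIHOOD[likelihood.lower()]
            * REMEDIATION_COST[remediation_cost.lower()])


def level(prio: int) -> str:
    """Map a priority to its CERT level: L1 = 12-27, L2 = 6-9, L3 = 1-4."""
    if prio >= 12:
        return "L1"
    if prio >= 6:
        return "L2"
    return "L3"


def parse_assessments(text: str) -> list:
    """Parse CSV rows 'rule,severity,likelihood,remediation_cost' into scored records."""
    rows = []
    for rec in csv.DictReader(StringIO(text)):
        prio = priority(rec["severity"], rec["likelihood"], rec["remediation_cost"])
        rows.append({"rule": rec["rule"].strip(), "priority": prio, "level": level(prio)})
    return rows


def l1_gaps(assessments: list, covered: set) -> list:
    """L1 rules with no implementation yet, highest priority first."""
    missing = [a for a in assessments
               if a["level"] == "L1" and a["rule"] not in covered]
    return [a["rule"] for a in sorted(missing, key=lambda a: (-a["priority"], a["rule"]))]


# Constructed sample data: placeholder rule IDs and made-up scores.
SAMPLE_ASSESSMENTS = """rule,severity,likelihood,remediation_cost
EX00-J,High,Likely,Low
EX01-J,High,Likely,Medium
EX02-J,Medium,Probable,Low
EX03-J,Low,Unlikely,High
EX04-J,High,Probable,Low
"""

# Constructed: rules the hypothetical scanner already checks.
COVERED = {"EX00-J", "EX04-J"}

if __name__ == "__main__":
    scored = parse_assessments(SAMPLE_ASSESSMENTS)
    for a in scored:
        print(f"{a['rule']}: priority {a['priority']:2d} -> {a['level']}")
    print("Uncovered L1 rules:", l1_gaps(scored, COVERED))
```

Feeding the script a CSV exported from the CERT risk-assessment tables and a set of rule IDs a tool already maps would give the gap list directly; the sort puts priority 27 rules before 18 and 12 so the most valuable missing checks come first.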


(Alexandre Gigleux) #3

Hello Vinod,

Thanks for reaching out and putting this “Level” topic on the table. I was looking at it without taking the time to understand it. Now it’s clear and I have a way to prioritize which part of CERT we should cover first.

I like your idea and I believe we could imagine ways to make this “Level” information more visible in SonarQube.
Before thinking about that, we need to do a gap analysis between CERT and SonarJava and determine which Level 1 rules are missing.

I take the action to study that.

Thanks
Alex


(Frédéric Depale) #4

Hi,

I am interested in the checking of the CERT C and C++ rules.

Have you got more details about:

  • the list of rules already implemented?

  • the CERT level already implemented?

  • your roadmap for the development of CERT C/C++ rules?

Thanks a lot,

Frédéric Depale