I have run cppcheck and collected a log of around 1000 detected errors and notes. I would really like to make sure I fix all the errors that have an equivalent CWE that is considered to have a severity with a CVSS base grade of 7 and above. Is it easy to map the errors to CWEs and then to CVSS-based grades?
I mean the CVSS base grade, as these severities should really be contextualized with environment and dynamic info.
If you look at the XML output, each error has a CWE. I don't know in detail how CVSS is mapped, but I assume the analysis would be impossible for cppcheck.
We use the severities "error" and "warning" for code that might cause undefined behavior. We use "style" when the problem is not related to undefined behavior. But well "style" can often point out critical bugs also. For Cppcheck it is very difficult to determine if a "style" violation is a critical bug or not.
@danielmarjamaki - Thanks for the info Daniel, appreciate the response. Maybe there is a tool more suited for this, like Coverity. We are using cppcheck already so I was hoping I could leverage that. Do you know of any tools that show CVSS grade severities with the CWE?
To me it seems impossible for a tool to estimate how critical a bug is. We can sometimes indirectly detect highly critical weaknesses like:
There are many "style" diagnostics that could detect such weaknesses. For instance they might warn that something is weird about conditions.
A weird condition could probably have both the lowest CVSS and the highest depending on where it is and what variables are used in the condition.
To estimate the security impact, I really believe that requires human knowledge.
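As an added illustration of the two points made in this thread (the XML output carries a `cwe` attribute per error, and "style" findings may still hide critical bugs that need a human look), here is a small triage script written for this page. It is not part of cppcheck and the cppcheck developers did not write it. It parses the `--xml --xml-version=2` layout, buckets findings by severity and CWE, and flags "style" findings that carry a CWE for manual review. The `PRIORITY_CWES` set is an assumed, team-maintained example list, not a CVSS mapping: cppcheck emits no CVSS score, and this script derives none. The XML sample is constructed for the example.

```python
"""Triage helper for cppcheck XML (version 2) output.

Hypothetical example, not part of cppcheck. cppcheck reports a CWE id per
finding but no CVSS score; the priority list below is assumed human input.
"""
import sys
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the layout of `cppcheck --xml --xml-version=2`.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<results version="2">
  <cppcheck version="2.9"/>
  <errors>
    <error id="nullPointer" severity="error" msg="Null pointer dereference: p" verbose="Null pointer dereference: p" cwe="476">
      <location file="src/a.c" line="12" column="5"/>
    </error>
    <error id="arrayIndexOutOfBounds" severity="error" msg="Array 'buf[8]' accessed at index 8, which is out of bounds." verbose="Array 'buf[8]' accessed at index 8, which is out of bounds." cwe="788">
      <location file="src/b.c" line="40" column="9"/>
    </error>
    <error id="uninitvar" severity="error" msg="Uninitialized variable: n" verbose="Uninitialized variable: n" cwe="457">
      <location file="src/b.c" line="21" column="3"/>
    </error>
    <error id="knownConditionTrueFalse" severity="style" msg="Condition 'len&lt;0' is always false" verbose="Condition 'len&lt;0' is always false" cwe="570">
      <location file="src/c.c" line="7" column="8"/>
    </error>
    <error id="unusedVariable" severity="style" msg="Unused variable: tmp" verbose="Unused variable: tmp" cwe="563">
      <location file="src/c.c" line="3" column="9"/>
    </error>
    <error id="missingInclude" severity="information" msg="Include file: &quot;foo.h&quot; not found." verbose="Include file: &quot;foo.h&quot; not found.">
      <location file="src/c.c" line="1" column="0"/>
    </error>
  </errors>
</results>
"""

# Assumed, team-maintained list of CWE ids to fix first. This stands in for
# the human judgement the thread calls for; it is NOT derived from CVSS.
PRIORITY_CWES = {119, 120, 170, 401, 415, 416, 457, 476, 562, 664, 682, 786, 787, 788}


def parse_findings(xml_text):
    """Return one dict per <error>, with cwe as int or None when absent."""
    root = ET.fromstring(xml_text)
    findings = []
    for err in root.iter("error"):
        loc = err.find("location")  # first location; some errors have none
        cwe = err.get("cwe")
        findings.append({
            "id": err.get("id"),
            "severity": err.get("severity"),
            "cwe": int(cwe) if cwe else None,
            "msg": err.get("msg", ""),
            "file": loc.get("file") if loc is not None else None,
            "line": int(loc.get("line")) if loc is not None else None,
        })
    return findings


def triage(findings, priority_cwes=PRIORITY_CWES):
    """Bucket findings by cppcheck severity and by the assumed priority list."""
    return {
        # "error"/"warning" is what cppcheck uses for possible undefined behaviour
        "undefined_behaviour": [f for f in findings if f["severity"] in ("error", "warning")],
        "priority": [f for f in findings if f["cwe"] in priority_cwes],
        "no_cwe": [f for f in findings if f["cwe"] is None],
        "by_cwe": Counter(f["cwe"] for f in findings if f["cwe"] is not None),
    }


def style_needing_review(findings):
    """'style' findings that still carry a CWE: cppcheck cannot rate these, a human must."""
    return [f for f in findings if f["severity"] == "style" and f["cwe"] is not None]


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_XML
    found = parse_findings(text)
    result = triage(found)
    print(f"{len(found)} findings, {len(result['undefined_behaviour'])} error/warning, "
          f"{len(result['priority'])} on the priority CWE list, {len(result['no_cwe'])} without CWE")
    for cwe, n in sorted(result["by_cwe"].items()):
        print(f"  CWE-{cwe}: {n}")
    for f in style_needing_review(found):
        print(f"  review: {f['file']}:{f['line']} {f['id']} (CWE-{f['cwe']}) {f['msg']}")
```

Run it as `python triage.py cppcheck-output.xml` (assumed file name) after `cppcheck --xml --xml-version=2 . 2> cppcheck-output.xml`; cppcheck writes the XML to stderr. The script deliberately does not produce a CVSS number: the CWE tells you the weakness class, and whether a given instance is a 9.8 or a 2.0 depends on where the code sits and what reaches it, which is exactly the context a static analyser does not have.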