Using results of a Polyspace® analysis, you can check your code for the following security standards:
CWE™: See also CWE Coding Standard and Polyspace Results.
CERT C: See also CERT C Coding Standard and Polyspace Results.
CERT C++: See also CERT C++ Coding Standard and Polyspace Results.
ISO/IEC TS 17961: See also ISO/IEC TS 17961 Coding Standard and Polyspace Results.
To adhere to a security standard, follow this workflow.
Check your code for the subset of defects and coding rules that correspond to the standard.
CWE: Use the CWE subset for the Find defects (-checkers) option.
CERT C: Use both the option to check defects and the option to check coding rules.
If you run a Code Prover analysis, the run-time errors are mapped to the CERT C standard. All Code Prover run-time checkers are enabled by default.
CERT C++: Use both the option to check defects and the option to check coding rules.
If you run a Code Prover analysis, the run-time errors are mapped to the CERT C++ standard. All Code Prover run-time checkers are enabled by default.
ISO/IEC TS 17961: Use both the option to check defects and the option to check coding rules.
Can I look for more defects than the subset that corresponds to the standard?
all for the options to find defects and coding rules. The analysis looks for all results that it can find, including results mapped to the standard.
You can later filter out results that do not map to a security standard.
Can I look for specific IDs instead of all supported IDs from a standard?
custom for the options to find defects and coding rules. Select defects and coding rules corresponding to specific IDs only.
Save your configuration as a template so that you can reuse it later.
For information on:
After analysis, see results that correspond to the security standard.
To see the IDs from a security standard, on the Results List pane, check the CWE ID, CERT ID, CERT C++ ID, or ISO-17961 ID column. If you do not see the column, right-click any column header and enable the column.
If I did not choose a security standard before analysis, can I focus on the subset after analysis?
Narrow your review scope only to results that correspond to a security standard. Instead of All results in Results List, select CERT C++ checks, or
If both a defect and a coding rule correspond to the same security standard ID, will the analysis show both results?
The defect and coding rule violation both appear in your results list.
If you fix the issue, both results disappear in the next run. If you justify the issue, add your comments for one result and use auto-completion for the other.
Fix or justify each result. To keep track of your progress, assign the status To fix or Justified. For results that you justified, enter comments with your rationale.
Can I focus on a single ID after analysis? For instance, can I review all violations of a specific CWE ID together?
You can filter all results that correspond to a specific ID and review them together.
For instance, on the CWE ID column, click the (filter) icon. From the drop-down list, select Custom. Use the
Can I review only specific IDs?
If you ran analysis for all IDs from a standard but want to focus on specific IDs only:
Address each desired ID individually: Use the custom filter to filter each ID that you want to focus on. Review the results for that ID. In other words, fix or justify the results. Assign the status To fix or Justified. For results that you justified, enter comments with your rationale.
Filter out addressed IDs: Filter out To fix or
Assign common status to remaining IDs: Assign a common status and comment to the remaining defects. To batch-edit these results, Shift-select them and add the status
If you want to create a new status for these IDs, select Tools > Preferences and use the Review Statuses tab.
In this way, you can make sure that a generated report shows your rationale for IDs that you did not fix.
If you rerun analysis, the results show only the results that you did not fix, along with your rationale for not fixing. Generate a report that shows how you addressed violations of the standard.
To create a report tailored for a security standard, use one of the following templates during report generation:
ISO/IEC TS 17961:
For more information, see Generate Reports.
How is a security standard report template different from other templates?
In the chapter on defects or coding rules, a separate column shows the security standard ID for each result.
If I did not choose a security standard before analysis, can I focus on that subset in the report?
If you ran analysis for all defects and coding rules, after analysis, narrow your review scope. Instead of All results in Results List, select CERT checks or checks. Then, generate a filtered report.
For information on filtered reports, see Generate Reports.
How do I ensure from the report that the analysis looked for violations of all supported security standard IDs?
The report appendix shows your options used. To make sure that Bug Finder looked for all supported IDs, check the appendix.
See if the security standard subset or the all subset was used for the following options: