Security Impact Analysis using Parasoft and Lattix#

This page documents how to produce a security impact report from Parasoft data and then visualize it in Lattix.

At a high level, Parasoft finds and reports security vulnerabilities. But how important are the issues it reports? One way of answering this is to use Lattix to visualize the impact of these vulnerabilities and to perform an impact analysis covering the transitive closure of each vulnerability's impact.

Overview#

  1. Perform a Static Code Analysis using the Parasoft CLI, selecting security taxonomies.

  2. Run a custom script provided by Lattix.

  3. Use Lattix to visualize the impact of the security vulnerabilities reported by Parasoft.

  4. Perform an impact analysis covering the transitive closure of each vulnerability's impact.

Assumptions#

  1. Parasoft CLI is installed and available in your PATH.

  2. Lattix is installed and available in your PATH.

  3. You have a Lattix LDZ project file available.

  4. You have a license to use the Lattix Python API.

  5. The Beautiful Soup library is available in your Python installation.

Step 1: Parasoft Example CLI Call#

Before running this step, you should call your make command to produce a build specification file (e.g. compile_commands.json from a CMake invocation) suitable for consumption by Parasoft.

For more information on the steps to produce this, please consult the Official Parasoft Blog: Using Parasoft C/C++test With CMake for Static Analysis

Once you have a suitable input from your build to pass to Parasoft, the next step is to invoke the Parasoft Command Line interface with security checking (e.g. SEI CERT C++ Rules) enabled:

/opt/cpptest/cpptestcli -config "builtin://SEI CERT C++ Rules" -compiler gcc_11-64 -module . -input tools/linux_full_project/linux/compile_commands.json

Step 2: Running the Custom Script ParasoftReportToTagElement.py#

Running the script without arguments shows the help message, which is also accessible via the -h flag:

usage: ParasoftReportToTagElement.py [-h] [--pt_from PT_FROM] [--pt_to PT_TO] violation_report lattix_ldz

Here is an example invocation of this script.

For more details about the pathmap options --pt_from and --pt_to, please consult the VSCode Extension.

python3 /opt/lattix/custom_scripts/ParasoftReportToTagElement.py /home/me/report.xml /home/me/isoaglib/IsoAgLib.ldz --pt_from=/builds/lattix1 --pt_to=""
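As an added illustration (not the Lattix script itself; its Lattix Python API calls are not shown), the following snippet performs the two steps that the script's arguments imply: reading violations from a Parasoft-style XML report and applying the --pt_from/--pt_to path map so that file paths match the LDZ project. The report layout (StdViol records with locFile, locStartln, rule, sev and msg attributes) and the sample content are constructed assumptions, and the standard library's ElementTree is used instead of Beautiful Soup so the example runs without extra packages.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like Parasoft's <StdViol> records (the attribute
# names are an assumption about the report schema, not taken from a real report).
# File paths are the ones seen on the build host, i.e. they carry the --pt_from prefix.
SAMPLE_REPORT = """<ResultsSession>
  <CodingStandards>
    <StdViols>
      <StdViol rule="CERT_CPP-STR31-a" sev="1" locFile="/builds/lattix1/src/io/parser.cpp"
               locStartln="42" msg="Unsafe string copy"/>
      <StdViol rule="CERT_CPP-EXP34-a" sev="2" locFile="/builds/lattix1/src/net/session.cpp"
               locStartln="118" msg="Possible null dereference"/>
      <StdViol rule="CERT_CPP-STR31-a" sev="1" locFile="/builds/lattix1/src/io/parser.cpp"
               locStartln="77" msg="Unsafe string copy"/>
    </StdViols>
  </CodingStandards>
</ResultsSession>
"""

def map_path(path, pt_from, pt_to):
    """Apply the --pt_from/--pt_to path map: swap the build-host prefix for
    the prefix the LDZ project uses (an empty pt_to simply strips the prefix)."""
    if pt_from and path.startswith(pt_from):
        return pt_to + path[len(pt_from):]
    return path

def violations_by_file(xml_text, pt_from, pt_to):
    """Return {mapped_file: [(rule, line, severity, message), ...]}, the
    per-file list a tagging script would attach to the matching LDZ elements."""
    root = ET.fromstring(xml_text)
    result = {}
    for viol in root.iter("StdViol"):
        mapped = map_path(viol.get("locFile", ""), pt_from, pt_to)
        entry = (viol.get("rule"), int(viol.get("locStartln", "0")),
                 int(viol.get("sev", "0")), viol.get("msg", ""))
        result.setdefault(mapped, []).append(entry)
    return result

def worst_severity_by_file(violations):
    """Parasoft severities run from 1 (highest) to 5 (lowest); keep the most
    severe per file so a single headline severity can be tagged on the element."""
    return {f: min(sev for _, _, sev, _ in entries) for f, entries in violations.items()}

if __name__ == "__main__":
    # Same mapping as the documented invocation: --pt_from=/builds/lattix1 --pt_to=""
    viols = violations_by_file(SAMPLE_REPORT, "/builds/lattix1", "")
    for path, sev in sorted(worst_severity_by_file(viols).items()):
        print(f"{path}: {len(viols[path])} violation(s), worst severity {sev}")
```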

Step 3: Open LDZ File#

Open the LDZ file in Lattix Architect. The security vulnerabilities discovered by Parasoft should now be tagged automatically in Lattix Architect.

Step 4: Impact Analysis of a Security Vulnerability#

Run an impact analysis on a security vulnerability by going to the Impact Report menu in Lattix Architect. Select the security vulnerability you want to analyze the impact for, and run the report. The transitive closure of the impact of the security vulnerability will be shown in the impact report.

Support#

If you need any assistance running this script, please contact the Lattix technical support team at support@lattix.com.