Identify Applications Impacted by CWE 3.2

Results and Reports

When Veracode implements support for version 3.2 of the MITRE CWE list in June 2019, additional findings will cause policies to fail for any policy configured to meet the OWASP 2017 or CERT security standards. Using Veracode Analytics, you can identify in advance which applications contain findings that will fail policy once Veracode supports CWE 3.2.

About this task

To identify which applications in your application security program currently pass policy but will fail policy when Veracode implements support for CWE 3.2:

Procedure

  1. Navigate to Analytics > View By Findings.
  2. From the Findings pane, click Filter on the Current Policy dimension.
  3. In the Applications Current Policy field, select the name of a policy configured to meet the OWASP 2017 or CERT security standard.
    Note: PCI 3.2.1 contains the OWASP 2017, CERT, and SANS security standards.
  4. From the Findings pane, click Filter on the Policy or Sandbox Scan dimension.
  5. In the Findings Policy or Sandbox Scan field, select Policy to limit the results to findings from policy scans.
  6. From the Findings pane, click Filter on the Policy Rule Passed (Yes / No) dimension.
  7. In the Findings Policy Rule Passed (Yes / No) field, select Yes to limit the results to findings that currently do not cause your application to fail policy.
  8. From the Findings pane, click Filter on the ID dimension.
  9. In the CWE ID field, enter the CWE IDs that will be added to the standards included in your policy.
    • OWASP 2017: 117
    • CERT: 117, 121, 122, 123, 125, 191, 194, 195, 227, 253, 327, 331, 338, 456, 481, 664, 666, 672, 680, 685, 758, 762, 771, 772, 773, 775, 786, 789, 843, 908, 910
      Note: You can copy and paste this list directly into the CWE ID field.
  10. From the Findings pane, select the Application Name dimension and the Total Number of Findings - Application measure to include them as fields in your visualization.
    Note: Do not click the Filter or Pivot button for these fields. Just click on the name of the field.
  11. From the Findings pane, click Pivot on the Finding Status dimension to indicate in your visualization whether the findings are open or closed in the latest scan of your applications.
  12. Click Run.
    The results provide the total number of findings that will affect your policy compliance for each application with the update to CWE 3.2, which occurs with the June 2019 release of the Veracode Platform. At that time, you will need to remediate or mitigate the open findings to pass your policy.
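The same filter-and-pivot logic, as an added example that is not Veracode's code, run offline over findings records instead of in the Analytics UI. It assumes a findings export whose fields correspond to the dimensions used above (application name, current policy, scan type, policy rule passed, CWE ID, finding status); the records below are constructed sample data.

```python
# Added example (not Veracode's code): reproduce the Analytics filter/pivot
# offline. Field names are assumptions about an export's columns, and the
# SAMPLE_FINDINGS records are constructed, not real scan results.
from collections import defaultdict

# CWE IDs that CWE 3.2 adds to each standard, as listed in step 9 above.
NEW_CWE_IDS = {
    "OWASP 2017": {117},
    "CERT": {117, 121, 122, 123, 125, 191, 194, 195, 227, 253, 327, 331, 338,
             456, 481, 664, 666, 672, 680, 685, 758, 762, 771, 772, 773, 775,
             786, 789, 843, 908, 910},
}

def affected_findings_by_app(findings, policy_name, standards):
    """Return {app: {"Open": n, "Closed": n}} for findings that pass policy
    today but match a CWE the named standards will add under CWE 3.2.
    Pass both standards for a PCI 3.2.1 policy, which contains OWASP 2017 and CERT."""
    new_ids = set().union(*(NEW_CWE_IDS[s] for s in standards))
    pivot = defaultdict(lambda: {"Open": 0, "Closed": 0})
    for f in findings:
        if f["current_policy"] != policy_name:      # step 3: chosen policy
            continue
        if f["scan_type"] != "Policy":              # step 5: policy scans only
            continue
        if f["policy_rule_passed"] != "Yes":        # step 7: not failing today
            continue
        if f["cwe_id"] not in new_ids:              # step 9: newly covered CWEs
            continue
        pivot[f["app"]][f["status"]] += 1           # step 11: pivot on status
    return dict(pivot)

# Constructed sample export. Comments note why a record is excluded.
SAMPLE_FINDINGS = [
    {"app": "payments-api", "current_policy": "OWASP 2017 Policy", "scan_type": "Policy", "policy_rule_passed": "Yes", "cwe_id": 117, "status": "Open"},
    {"app": "payments-api", "current_policy": "OWASP 2017 Policy", "scan_type": "Policy", "policy_rule_passed": "Yes", "cwe_id": 117, "status": "Closed"},
    {"app": "payments-api", "current_policy": "OWASP 2017 Policy", "scan_type": "Sandbox", "policy_rule_passed": "Yes", "cwe_id": 117, "status": "Open"},   # sandbox scan
    {"app": "payments-api", "current_policy": "OWASP 2017 Policy", "scan_type": "Policy", "policy_rule_passed": "No", "cwe_id": 79, "status": "Open"},      # already fails
    {"app": "legacy-c-daemon", "current_policy": "CERT Policy", "scan_type": "Policy", "policy_rule_passed": "Yes", "cwe_id": 121, "status": "Open"},
    {"app": "legacy-c-daemon", "current_policy": "CERT Policy", "scan_type": "Policy", "policy_rule_passed": "Yes", "cwe_id": 680, "status": "Open"},
    {"app": "legacy-c-daemon", "current_policy": "CERT Policy", "scan_type": "Policy", "policy_rule_passed": "Yes", "cwe_id": 89, "status": "Open"},        # not newly added
]

if __name__ == "__main__":
    for policy, stds in (("OWASP 2017 Policy", ["OWASP 2017"]), ("CERT Policy", ["CERT"])):
        print(policy, affected_findings_by_app(SAMPLE_FINDINGS, policy, stds))
```

Applications listed in the output with a non-zero Open count are the ones that will need remediation or mitigation once CWE 3.2 support arrives.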