What is CWE / CQE?

The CWE™ (Common Weakness Enumeration) is a list of common software security weaknesses. Maintained by The MITRE Corporation and based on contributions from the general software community, the CWE is an evolving resource that defines and categorizes software weaknesses through a common vocabulary. It provides a benchmark for assessing software tools that purport to identify software weaknesses, and establishes a baseline for weakness mitigation and prevention.  Although its focus is on security, the CWE also applies in other high-assurance contexts. A weakness could lead to a security vulnerability that is intentionally exploited by an adversary, a safety hazard that is triggered by external inputs, or, in general, an incorrect system behavior (i.e., an effect that violates the system's requirements).

The CWE list comprises more than 700 entries and can be viewed hierarchically from several perspectives. For example, the Development Concepts view shows weaknesses coming from a number of sources, including incomplete or incorrectly implemented security functionality, improper input validation, and programming errors.  The latter category is directly related to the programming language that is used, with weaknesses ranging from error-prone features to constructs with unspecified semantics. Several well-publicized software security incidents have stemmed from Buffer Overflow or other C weaknesses that would have been detected and prevented in Ada by a static analysis tool such as CodePeer.  

The size and scope of the CWE and the growing number of CWE-related tools have led MITRE to establish the CWE Compatibility and Effectiveness Program, a formal review and evaluation process that consolidates and organizes information about security products and services. CodePeer and SPARK Pro have been designated as CWE-Compatible in this program, based on their ability to detect several of the CWE’s Top 25 Most Dangerous Software Errors:

• CWE-120 (Classic Buffer Overflow)

• CWE-131 (Incorrect Calculation of Buffer Size)

• CWE-190 (Integer Overflow or Wraparound)

View the complete list of CWE weaknesses detected by CodePeer and SPARK Pro.

CodePeer and SPARK Pro

CWE-Compatible Tools

AdaCore's CodePeer and SPARK Pro deep static analysis tools have been designated as
CWE-Compatible by the MITRE Corporation's Common Weakness Enumeration (CWE) Compatibility and Effectiveness Program.  Both tools can detect a variety of code weaknesses, including several that are among the CWE’s Top 25 Most Dangerous Software Errors.

CodePeer works on full Ada, analyzing every line of code and considering every possible input and every path through the program. The tool can be applied early in the development life-cycle to identify problems when they are much less costly to repair, and can also be used retrospectively on existing code bases to detect latent vulnerabilities. CodePeer can be tuned for usage at various levels, based on whether the priority is on maximizing the number of potential errors that are reported or on minimizing the number of false alarms.

Learn more about CodePeer »

SPARK Pro uses advanced proof technology to verify properties of programs written in the SPARK formally analyzable subset of Ada. The tool can prove properties including validity of data/information flow, absence of run-time errors, system integrity constraints (such as safe state transitions), and, for the most critical software, functional correctness with respect to formally specified requirements. SPARK Pro is a sound static analysis tool -- it will detect all violations of a property that it is attempting to verify -- with a very low false alarm rate.

Learn more about SPARK Pro »