Professional Documents
Culture Documents
Enterprise PTTEP
Prepared By Chattrabhorn M
PTTEP Confidential
Jan 23, 2024 4:02 PM Portions copyright © 2024 Synopsys, Inc. Document ID f1edc789-46b4-4b6e-acaa-9c6e763ada3b
Coverity Security Report ® 2
Executive Summary
This report details the application security assessment activities that were carried out, providing a summary of findings, compliance against
published policy requirements, and remediation actions required. Also provided is a detailed breakdown and cross reference between technical
findings and Coverity analysis results.
The intended audience for this report is an application security assurance team and their clients or end users. To review detailed code-level
findings, it is recommended that developers click this link to the Coverity Connect platform (https://pds-covcont-p01.pttdigital.com/
reports#p13247) in order to see source code annotated with remediation recommendations.
Overall Status No
Issues By Severity
A total of 101 security issues were found. Each issue was given a
severity based on the severity mapping. The chart below shows the
number of occurrences of each of the six severity values.
Category Count
Issues Marked "False Positive" or "Intentional" 0
Non-Security Issues 3
Issues Scored as "Informational" 0
PTTEP Confidential
Jan 23, 2024 4:02 PM Portions copyright © 2024 Synopsys, Inc. Document ID f1edc789-46b4-4b6e-acaa-9c6e763ada3b
Coverity Security Report ® 3
Action Items
The code base was evaluated based on the policy in force. The policy has the following elements:
• The Security Score must meet or exceed the target set by the Assurance Level. See the Security Details section for more information.
• There must be no OWASP Top 10 issues among those found in the project. See the OWASP Top 10 section for details.
• There must be no CWE/SANS Top 25 issues among those found in the project. See the CWE/SANS Top 25 section for details.
• All snapshots must have been analyzed within 30 days. See the Analysis Details section for more information.
Coverity recommends the following actions in order to resolve critical outstanding issues, achieve compliance with policy, and improve the
overall security of the software.
The current results are sufficiently recent (less than 30 days old).
Security Details
The severity mapping shows how technical impacts (possible security flaws) are paired with severities. This severity mapping table also shows
the number of issues for each technical impact.
Severity Mapping Name: Carrier grade
Severity Mapping Description: Very stringent
PTTEP Confidential
Jan 23, 2024 4:02 PM Portions copyright © 2024 Synopsys, Inc. Document ID f1edc789-46b4-4b6e-acaa-9c6e763ada3b
Coverity Security Report ® 4
Analysis Details
A Coverity project is a collection of one or more streams containing separately-analyzed snapshots. The latest snapshot in each stream is
used when reporting results for a project. This section gives details about the streams and the analysis performed for each snapshot.
Stream Name Snapshot ID Analysis Date Analysis Version Target
pttep-bankguarantee_web-bgs- 39791 2567-1-23 3:46:21 หลังเที่ยง 2022.12.0
dev
Each entry in the OWASP Top 10 refers to a set of CWE entries. Those entries may be individual weaknesses or families of weaknesses. See
the next section for further discussion.
The table below shows the number of issues found in each category of the OWASP Top 10 for 2017.
PTTEP Confidential
Jan 23, 2024 4:02 PM Portions copyright © 2024 Synopsys, Inc. Document ID f1edc789-46b4-4b6e-acaa-9c6e763ada3b
Coverity Security Report ® 5
Each category in the Top 25 List mentions one primary CWE identifier (CWE ID). Such a CWE ID can refer to an individual weakness or to a
family of related weaknesses, since a given CWE ID may have children CWE IDs, which in turn may have children CWE IDs of their own. A
Coverity issue corresponds to the most relevant CWE ID. A CWE/SANS Top 25 Category will consist of all of the Coverity issues that
correspond to either the mentioned CWE ID or to one of its associated descendants.
The table below lists all the entries of the Top 25 and shows how many Coverity issues in the current project were found to be members of the
Top 25.
PTTEP Confidential
Jan 23, 2024 4:02 PM Portions copyright © 2024 Synopsys, Inc. Document ID f1edc789-46b4-4b6e-acaa-9c6e763ada3b
Coverity Security Report ® 6
Summary: The software uses external input to construct a pathname that is intended to identify a file or directory that is located
underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can
cause the pathname to resolve to a location that is outside of the restricted directory.
Details: Many file operations are intended to take place within a restricted directory. By using special elements such as ".." and "/"
separators, attackers can escape outside of the restricted location to access files or directories that are elsewhere on the system. One
of the most common special elements is the "../" sequence, which in most modern operating systems is interpreted as the parent
directory of the current location. This is referred to as relative path traversal. Path traversal also covers the use of absolute pathnames
such as "/usr/local/bin", which may also be useful in accessing unexpected files. This is referred to as absolute path traversal.more
details.
Remediation: Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a whitelist of acceptable
inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into
something that does.
Issue ID (CID) and Issue Source File and Line Number Component
Type
161525 /cms_2015/filemanagement/browse.aspx.cs:158 Other
Filesystem path, filename, or URI
manipulation
258710 /cms_class_library/AppCode/HRWSapi.cs:187 Other
Filesystem path, filename, or URI
manipulation
258715 /cms_class_library/AppCode/HRWSapi.cs:321 Other
Filesystem path, filename, or URI
manipulation
258752 /cms_class_library/AppCode/HRWSapi.cs:78 Other
Filesystem path, filename, or URI
manipulation
258759 /cms_class_library/AppCode/HRWSapi.cs:138 Other
Filesystem path, filename, or URI
manipulation
258764 /cms_class_library/AppCode/HRWSapi.cs:277 Other
Filesystem path, filename, or URI
manipulation
258797 /cms_2015/Startup.cs:97 Other
Filesystem path, filename, or URI
manipulation
258838 /cms_class_library/AppCode/HRWSapi.cs:232 Other
Filesystem path, filename, or URI
manipulation
265553 /cms_2015/payment/confirm.aspx.cs:359 Other
Filesystem path, filename, or URI
manipulation
273525 /cms_class_library/AppCode/HRWSapi.cs:122 Other
Filesystem path, filename, or URI
manipulation
PTTEP Confidential
Jan 23, 2024 4:02 PM Portions copyright © 2024 Synopsys, Inc. Document ID f1edc789-46b4-4b6e-acaa-9c6e763ada3b
Coverity Security Report ® 7
Summary: The software uses external input to construct a pathname that is intended to identify a file or directory that is located
underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can
cause the pathname to resolve to a location that is outside of the restricted directory.
Details: Many file operations are intended to take place within a restricted directory. By using special elements such as ".." and "/"
separators, attackers can escape outside of the restricted location to access files or directories that are elsewhere on the system. One
of the most common special elements is the "../" sequence, which in most modern operating systems is interpreted as the parent
directory of the current location. This is referred to as relative path traversal. Path traversal also covers the use of absolute pathnames
such as "/usr/local/bin", which may also be useful in accessing unexpected files. This is referred to as absolute path traversal.more
details.
Remediation: Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a whitelist of acceptable
inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into
something that does.
Issue ID (CID) and Issue Source File and Line Number Component
Type
273526 /cms_class_library/AppCode/HRWSapi.cs:71 Other
Filesystem path, filename, or URI
manipulation
273527 /cms_class_library/AppCode/HRWSapi.cs:270 Other
Filesystem path, filename, or URI
manipulation
273528 /cms_class_library/AppCode/HRWSapi.cs:225 Other
Filesystem path, filename, or URI
manipulation
273529 /cms_class_library/AppCode/HRWSapi.cs:171 Other
Filesystem path, filename, or URI
manipulation
273530 /cms_class_library/AppCode/HRWSapi.cs:314 Other
Filesystem path, filename, or URI
manipulation
273531 /cms_class_library/AppCode/HRWSapi.cs:48 Other
Filesystem path, filename, or URI
manipulation
273532 /cms_class_library/AppCode/HRWSapi.cs:31 Other
Filesystem path, filename, or URI
manipulation
PTTEP Confidential
Jan 23, 2024 4:02 PM Portions copyright © 2024 Synopsys, Inc. Document ID f1edc789-46b4-4b6e-acaa-9c6e763ada3b
Coverity Security Report ® 8
Summary: A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL,
typically causing a crash or exit.
Details: NULL pointer dereference issues can occur through a number of flaws, including race conditions, and simple programming
omissions.more details.
Remediation: If all pointers that could have been modified are sanity-checked previous to use, nearly all NULL pointer dereferences
can be prevented.
Issue ID (CID) and Issue Source File and Line Number Component
Type
161377 /cms_2015/App_Code/NumberToWords.cs:194 Other
Dereference null return value
205437 /cms_2015/account/permission_popup.aspx.cs:234 Other
Dereference after null check
258740 /cms_2015/App_Code/Mas_Employee.cs:421 Other
Dereference after null check
258852 /cms_2015/App_Code/Mas_Employee.cs:421 Other
Explicit null dereferenced
260013 /cms_2015/bgs/form.aspx.cs:2529 Other
Dereference after null check
265552 /cms_2015/payment/confirm.aspx.cs:395 Other
Dereference before null check
265897 /cms_2015/auto_batch/run_job.aspx.cs:166 Other
Dereference after null check
272890 /cms_2015/bank/reportbgs.aspx.cs:233 Other
Dereference after null check
274317 /cms_class_library/AppCode/HRWSapi.cs:319 Other
Dereference null return value
274412 /cms_2015/bank/reportRemark_popup.aspx.cs:197 Other
Dereference after null check
274464 /cms_2015/bank/reportbgs_popup.aspx.cs:215 Other
Dereference after null check
274590 /cms_2015/App_Code/Mas_Employee.cs:525 Other
Dereference after null check
274591 /cms_2015/App_Code/Mas_Employee.cs:525 Other
Explicit null dereferenced
275916 /cms_2015/auto_batch/run_job.aspx.cs:204 Other
Dereference before null check
PTTEP Confidential
Jan 23, 2024 4:02 PM Portions copyright © 2024 Synopsys, Inc. Document ID f1edc789-46b4-4b6e-acaa-9c6e763ada3b
Coverity Security Report ® 9
Summary: The software uses a cross-domain policy file that includes domains that should not be trusted.
Details: A cross-domain policy file ("crossdomain.xml" in Flash and "clientaccesspolicy.xml" in Silverlight) defines a whitelist of domains
from which a server is allowed to make cross-domain requests. When making a cross-domain request, the Flash or Silverlight client will
first look for the policy file on the target server. If it is found, and the domain hosting the application is explicitly allowed to make
requests, the request is made.more details.
Remediation: Avoid using wildcards in the cross-domain policy file. Any domain matching the wildcard expression will be implicitly
trusted, and can perform two-way interaction with the target server.
Issue ID (CID) and Issue Source File and Line Number Component
Type
54323 /cms_2015/bin/cms_2015.dll.config:59 Other
CORS requests allowed from all
origins
Summary: The software does not perform or incorrectly performs an authorization check when an actor attempts to access a resource
or perform an action.
Details: Assuming a user with a given identity, authorization is the process of determining whether that user can access a given
resource, based on the user's privileges and any permissions or other access-control specifications that apply to the resource.more
details.
Remediation: Divide the software into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully
mapping roles with data and functionality. Use role-based access control (RBAC) to enforce the roles at the appropriate boundaries.
Issue ID (CID) and Issue Source File and Line Number Component
Type
14216 /cms_2015/account/personal_setting.aspx.cs:361 Other
Missing authorization check
258712 /cms_2015/masterPage/Site.Master.cs:69 Other
Missing authorization check
258719 /cms_2015/App_Code/Mas_Employee.cs:715 Other
Missing authorization check
258721 /cms_2015/bgs/form.aspx.cs:2209 Other
Missing authorization check
258805 /cms_2015/home/login.aspx.cs:395 Other
Missing authorization check
258811 /cms_2015/brs/form.aspx.cs:2077 Other
Missing authorization check
258816 /cms_2015/account/permission_popup.aspx.cs:351 Other
Missing authorization check
263381 /cms_2015/bgs/form.aspx.cs:2230 Other
Missing authorization check
272264 /cms_2015/bank/fxSetup_import_popup.aspx.cs:177 Other
Missing authorization check
PTTEP Confidential
Jan 23, 2024 4:02 PM Portions copyright © 2024 Synopsys, Inc. Document ID f1edc789-46b4-4b6e-acaa-9c6e763ada3b
Coverity Security Report ® 10
Summary: The software does not perform or incorrectly performs an authorization check when an actor attempts to access a resource
or perform an action.
Details: Assuming a user with a given identity, authorization is the process of determining whether that user can access a given
resource, based on the user's privileges and any permissions or other access-control specifications that apply to the resource.more
details.
Remediation: Divide the software into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully
mapping roles with data and functionality. Use role-based access control (RBAC) to enforce the roles at the appropriate boundaries.
Issue ID (CID) and Issue Source File and Line Number Component
Type
274309 /cms_2015/account/masEmployee.aspx.cs:94 Other
Missing authorization check
274310 /cms_2015/master/audit_Log.aspx.cs:88 Other
Missing authorization check
274311 /cms_2015/master/mas_Email.aspx.cs:89 Other
Missing authorization check
274312 /cms_2015/payment/form.aspx.cs:89 Other
Missing authorization check
274313 /cms_2015/master/Reassign.aspx.cs:89 Other
Missing authorization check
274315 /cms_2015/master/template_email_list.aspx.cs:88 Other
Missing authorization check
274318 /cms_2015/master/mas_Log.aspx.cs:88 Other
Missing authorization check
274319 /cms_2015/import/field_list.aspx.cs:88 Other
Missing authorization check
274320 /cms_2015/payment/paymentList.aspx.cs:98 Other
Missing authorization check
274321 /cms_2015/payment/popup_select_project.aspx.cs:65 Other
Missing authorization check
274322 /cms_2015/master/mas_Config.aspx.cs:92 Other
Missing authorization check
274323 /cms_2015/bank/facility.aspx.cs:88 Other
Missing authorization check
274324 /cms_2015/bank/fxSetup.aspx.cs:88 Other
Missing authorization check
274325 /cms_2015/master/mas_PaymentTeam.aspx.cs:80 Other
Missing authorization check
274327 /cms_2015/master/mas_All.aspx.cs:93 Other
Missing authorization check
274328 /cms_2015/payment/popup_select_bg.aspx.cs:65 Other
Missing authorization check
274329 /cms_2015/Summary/BG.aspx.cs:122 Other
Missing authorization check
274331 /cms_2015/Summary/BR.aspx.cs:106 Other
Missing authorization check
274332 /cms_2015/master/mas_Menu.aspx.cs:88 Other
Missing authorization check
PTTEP Confidential
Jan 23, 2024 4:02 PM Portions copyright © 2024 Synopsys, Inc. Document ID f1edc789-46b4-4b6e-acaa-9c6e763ada3b
Coverity Security Report ® 11
Summary: The software does not perform or incorrectly performs an authorization check when an actor attempts to access a resource
or perform an action.
Details: Assuming a user with a given identity, authorization is the process of determining whether that user can access a given
resource, based on the user's privileges and any permissions or other access-control specifications that apply to the resource.more
details.
Remediation: Divide the software into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully
mapping roles with data and functionality. Use role-based access control (RBAC) to enforce the roles at the appropriate boundaries.
Issue ID (CID) and Issue Source File and Line Number Component
Type
274333 /cms_2015/account/permission.aspx.cs:88 Other
Missing authorization check
274413 /cms_2015/bank/reportRemark_popup.aspx.cs:192 Other
Missing authorization check
274461 /cms_2015/bank/reportbgs_popup.aspx.cs:210 Other
Missing authorization check
274479 /cms_2015/Summary/replacement_popup.aspx.cs:161 Other
Missing authorization check
Summary: A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect.
This simplifies phishing attacks.
Details: An http parameter may contain a URL value and could cause the web application to redirect the request to the specified URL.
By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials.
Because the server name in the modified link is identical to the original site, phishing attempts have a more trustworthy appearance.
more details.
Remediation: Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a whitelist of acceptable
inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into
something that does.
Issue ID (CID) and Issue Source File and Line Number Component
Type
161438 /cms_2015/home/login.aspx.cs:303 Other
Open redirect
258744 /cms_2015/home/login.aspx.cs:444 Other
Open redirect
PTTEP Confidential
Jan 23, 2024 4:02 PM Portions copyright © 2024 Synopsys, Inc. Document ID f1edc789-46b4-4b6e-acaa-9c6e763ada3b
Coverity Security Report ® 12
Severity: High
Technical Impact: Bypass protection mechanism
CWE 89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
This is categorized under the 6 in the CWE/SANS Top 25.
Summary: The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but
it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a
downstream component.
Details: Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those
inputs to be interpreted as SQL instead of ordinary user data. This can be used to alter query logic to bypass security checks, or to
insert additional statements that modify the back-end database, possibly including execution of system commands.more details.
Remediation: Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this
weakness easier to avoid.
Issue ID (CID) and Issue Source File and Line Number Component
Type
46535 /cms_2015/App_Code/Mas_Employee.cs:1092 Other
Non-constant SQL
161285 /cms_2015/popup/employee_lookup.aspx.cs:307 Other
SQL injection
258836 /cms_class_library/clsDB.cs:691 Other
Non-constant SQL
265021 /cms_class_library/clsDB.cs:508 Other
Non-constant SQL
265022 /cms_class_library/clsDB.cs:464 Other
Non-constant SQL
273588 /cms_2015/master/Reassign.aspx.cs:270 Other
SQL injection
274314 /cms_2015/filemanagement/ucFile.ascx.cs:457 Other
Non-constant SQL
274462 /cms_2015/bank/reportbgs_popup.aspx.cs:147 Other
SQL injection
274463 /cms_2015/bank/reportRemark_popup.aspx.cs:149 Other
SQL injection
275777 /cms_2015/brs/popup_select_employee.aspx.cs:283 Other
SQL injection
275915 /cms_class_library/clsDB.cs:552 Other
Non-constant SQL
275983 /cms_class_library/clsDB.cs:727 Other
Non-constant SQL
PTTEP Confidential
Jan 23, 2024 4:02 PM Portions copyright © 2024 Synopsys, Inc. Document ID f1edc789-46b4-4b6e-acaa-9c6e763ada3b
Coverity Security Report ® 13
Summary: The software contains dead code, which can never be executed.
Details: Dead code is source code that can never be executed in a running program. The surrounding code makes it impossible for a
section of code to ever be executed.more details.
Issue ID (CID) and Issue Source File and Line Number Component
Type
265896 /cms_2015/auto_batch/run_job.aspx.cs:93 Other
Logically dead code
273682 /cms_2015/account/personal_setting.aspx.cs:371 Other
Logically dead code
274006 /cms_2015/calendar/ucCalendar.ascx.cs:96 Other
Logically dead code
274589 /cms_2015/App_Code/Mas_Employee.cs:838 Other
Logically dead code
Severity: Medium
Technical Impact: Denial of service, Resource consumption
CWE 404: Improper Resource Shutdown or Release
Summary: The program does not release or incorrectly releases a resource before it is made available for re-use.
Details: When a resource is created or allocated, the developer is responsible for properly releasing the resource as well as accounting
for all potential paths of expiration or invalidation, such as a set period of time or revocation.more details.
Remediation: Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to
avoid.
Issue ID (CID) and Issue Source File and Line Number Component
Type
161204 /cms_class_library/clsExecuteProcedure.cs:983 Other
Resource leak
161229 /cms_2015/auto_batch/run_job.aspx.cs:197 Other
Resource leak
161262 /cms_2015/master/mas_Email_popup.aspx.cs:197 Other
Resource leak
161286 /cms_2015/App_Code/Mas_Employee.cs:258 Other
Resource leak
161307 /cms_2015/Summary/confirm.aspx.cs:204 Other
Resource leak on an exceptional
path
161316 /cms_2015/auto_batch/NotificationEmailAuto.aspx.cs:58 Other
Resource leak
161361 /cms_2015/bgs/confirm.aspx.cs:299 Other
Resource leak
PTTEP Confidential
Jan 23, 2024 4:02 PM Portions copyright © 2024 Synopsys, Inc. Document ID f1edc789-46b4-4b6e-acaa-9c6e763ada3b
Coverity Security Report ® 14
Summary: The program does not release or incorrectly releases a resource before it is made available for re-use.
Details: When a resource is created or allocated, the developer is responsible for properly releasing the resource as well as accounting
for all potential paths of expiration or invalidation, such as a set period of time or revocation.more details.
Remediation: Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to
avoid.
Issue ID (CID) and Issue Source File and Line Number Component
Type
161408 /cms_2015/App_Code/Mas_Employee.cs:716 Other
Resource leak
163909 /cms_2015/App_Code/Mas_Employee.cs:878 Other
Resource leak
258717 /cms_class_library/AppCode/HRWSapi.cs:249 Other
Resource leak
258732 /cms_class_library/AppCode/HRWSapi.cs:284 Other
Resource leak
258746 /cms_class_library/AppCode/HRWSapi.cs:85 Other
Resource leak
258787 /cms_class_library/AppCode/HRWSapi.cs:328 Other
Resource leak
258796 /cms_2015/payment/confirm.aspx.cs:331 Other
Resource leak
258808 /cms_2015/Startup.cs:106 Other
Resource leak
258825 /cms_class_library/AppCode/HRWSapi.cs:155 Other
Resource leak
258846 /cms_class_library/AppCode/HRWSapi.cs:194 Other
Resource leak
273524 /cms_class_library/AppCode/HRWSapi.cs:54 Other
Resource leak
Summary: The accidental exposure of sensitive information through sent data refers to the transmission of data which are either
sensitive in and of itself or useful in the further exploitation of the system through standard data channels.
Remediation: Specify which data in the software should be regarded as sensitive. Consider which types of users should have access
to which types of data.
Issue ID (CID) and Issue Source File and Line Number Component
Type
13968 /cms_2015/Global.asax.cs:17 Other
ASP.NET MVC version header
included
PTTEP Confidential
Jan 23, 2024 4:02 PM Portions copyright © 2024 Synopsys, Inc. Document ID f1edc789-46b4-4b6e-acaa-9c6e763ada3b
Coverity Security Report ® 15
Methodology
Introduction
This report is a distillation of the output of the Coverity Code Advisor used on a particular code source base. Coverity Code Advisor is a static
analysis tool that is capable of finding quality defects, security vulnerabilities, and test violations through the process of scanning the output of a
specially-compiled code base. The information in this report is specific to security vulnerabilities detected by Coverity Code Advisor and their
categorization in the OWASP and CWE/SANS ranking systems.
About CWE
CWE (Common Weakness Enumeration) is a software community project that is responsible for creating a catalog of software weaknesses and
vulnerabilities and is sponsored by the office of Cybersecurity and Communications at the U.S. Department of Homeland Security. The
Common Weakness Scoring System (CWSS) provides a method by which to identify and compare weaknesses.
CWE is used by vulnerability-listing efforts such as CWE/SANS Top 25 and OWASP Top 10, among others, to create generalized lists of
ranked vulnerabilities. Some, but not all, of the issues reported by Coverity are mapped to CWE-listed vulnerabilities. The Common Weakness
Risk Assessment Framework (CWRAF) is a methodology for prioritizing software weaknesses in the context of the software’s use. A CWRAF
“severity mapping” prioritizes issues according to their CWE technical impact values. There are 8 technical impacts:
1. modify data,
2. read data,
3. create a denial-of-service that results in unreliable execution,
4. create a denial-of-service that results in resource consumption,
5. execute unauthorized code or commands,
6. gain privileges or assume identity,
7. bypass protection mechanism,
8. hide activities
CWRAF and CWSS allow users to rank classes of weaknesses independently of any particular software package, in order to prioritize them
relative to each other.
The part of the severity mapping that’s relevant for this work is the Technical Impact Scorecard. It maps a technical impact to a severity value
between Informational (the lowest) and Very High (the highest). This value is known variously as the technical impact’s “score” or its “severity”.
This document uses “severity”.
Scoring Methodology
An issue from Coverity's code analysis will contribute to the security score when it has a CWE ID where the CWE ID maps to at least one of the
eight technical impact values, at least one the mapped technical impact values has a severity level greater than Informational, and the issue
has not been marked as "False Positive" or "Intentional". A severity mapping determines the mapping of technical impact values to severity
levels and it is an issue's assigned severity level that is used for the security score calculation. For an issue where its CWE ID maps to more
than one of the eight technical impact values, a single technical impact value will be assigned to the issue, where the highest relevant severity
level will determine which technical impact value gets assigned, with ties for the highest severity level being broken arbitrarily.
The severity levels from the Security Details section are used to determine the security score, with the possible severity levels being Very High,
High, Medium, Low, and Very Low. The highest severity level that has at least one issue associated with it will greatly influence the security
score. Additional issues with the highest severity level will have a greater impact on reducing the security score than will additional issues with
a relatively lower severity level. As such, it's important to address issues with the highest severity level.
PTTEP Confidential
Jan 23, 2024 4:02 PM Portions copyright © 2024 Synopsys, Inc. Document ID f1edc789-46b4-4b6e-acaa-9c6e763ada3b
Coverity Security Report ® 16
While the full range of a possible security score is from 0 to 100, with 100 being the best value possible, only a project with a highest severity
level of Very Low that contains 6 or less Very Low severity level issues can receive a score of 100. A project would need to contain more than
30000 Very High severity level issues to receive a score lower than 30. Meanwhile, a project with a highest severity level of Very Low would
need to contain more than 30000 Very Low severity level issues to receive a score lower than 70.
To give some further context, consider the standard Target Assurance Levels plus their corresponding Target Security Score values of AL1
(90), AL2 (80), AL3 (70), and AL4 (60) relative to the highest severity level that has at least one issue associated with it.
• If Very High severity level issues exist, it will be nearly impossible to achieve AL3 (70), and it will be quite a challenge to achieve AL4 (60).
• If all of the Very High severity level issues have been addressed, but at least one High severity level issue exists, it will be nearly
impossible to achieve AL2 (80), and it will be a reasonable challenge to achieve AL3 (70), with AL4 (60) being within easier reach.
• If all of the Very High and High severity level issues have been addressed, but at least one Medium severity level issue exists, it will be
nearly impossible to achieve AL1 (90) and quite challenging to achieve AL2 (80), while AL3 (70) is more likely to be within reach, and AL4
(60) should be a relatively easy target to reach.
About Coverity
Coverity is a leading provider of quality and security testing solutions. The company, founded in the Computer Science Laboratory at Stanford
University, provides an array of tools that assist developers in addressing critical quality and security issues early in the development cycle,
thus saving development organizations from remediating issues late in the development cycle or after release when they are much more
costly. Many major software development organizations, including 8 of the top 10 global brands and 9 of the top 10 software companies,
deploy Coverity analysis tools. Coverity also maintains a free, cloud based analysis platform, called Scan, for the Open Source Community.
PTTEP Confidential
Jan 23, 2024 4:02 PM Portions copyright © 2024 Synopsys, Inc. Document ID f1edc789-46b4-4b6e-acaa-9c6e763ada3b