The Engineering Challenge: "What" vs "How"
Static Application Security Testing (SAST) tools like SonarQube speak the language of CWE (Common Weakness Enumeration). This is a dictionary of "what" is wrong (e.g., "Improper Neutralization of Input").
Risk Management speaks the language of TLCTC. This is a taxonomy of "how" and "where" a system is compromised (e.g., "Exploiting Server").
To bridge this gap, we cannot simply map 1-to-1. We need Context-Aware Mapping. A buffer overflow (CWE-120) is not just a bug; it is a potential #2 Exploiting Server event if found in an API, or a #3 Exploiting Client event if found in a browser component.
The TLCTC Enumeration System (TLCTC-XX.YY)
Before writing code, we must establish our data standard. The TLCTC framework uses a structured enumeration system designed for machine readability:
- TLCTC- prefix ensures proper attribution.
- XX represents the primary cluster number (01-10).
- .YY suffix allows for future granular sub-categorization (.00 designates the high-level cluster).
TLCTC-02.00 // Exploiting Server (General)
TLCTC-08.00 // Physical Attack (General)
TLCTC-08.01 // Physical Attack (Direct Access Sub-type)Mapping Logic: The Rules Engine
The core of our integration is a mapping engine. It doesn't just look up IDs; it evaluates context.
%%{init: {
'theme': 'base',
'flowchart': { 'useMaxWidth': false, 'htmlLabels': true, 'curve': 'basis', 'nodeSpacing': 50, 'rankSpacing': 80 },
'themeVariables': { 'fontSize': '12px', 'fontFamily': 'Inter, sans-serif'}
}}%%
flowchart TD
CWE[Input: CWE ID] --> Type{Is Context Dependent?}
Type -->|No| Direct[Map to Static Category]
Type -->|Yes| Analyze[Analyze File Path/Component]
Analyze -->|Client/UI/Browser| C3[Tag: TLCTC-03.00]
Analyze -->|Server/API/Backend| C2[Tag: TLCTC-02.00]
Direct -->|Auth/Creds| C4[Tag: TLCTC-04.00]
Direct -->|Logic/Design| C1[Tag: TLCTC-01.00]
Direct -->|Resource Mgmt| C6[Tag: TLCTC-06.00]
style C3 fill:#fee2e2,stroke:#ef4444,stroke-width:2px,color:#000
style C2 fill:#fee2e2,stroke:#ef4444,stroke-width:2px,color:#000
style C4 fill:#fef3c7,stroke:#f59e0b,stroke-width:2px,color:#000
style C1 fill:#fef3c7,stroke:#f59e0b,stroke-width:2px,color:#000
style C6 fill:#fef3c7,stroke:#f59e0b,stroke-width:2px,color:#000
style CWE fill:#f3f4f6,stroke:#9ca3af,stroke-width:3px,color:#000
style Type fill:#fff,stroke:#333,stroke-width:2px,color:#000
Implementation: The SonarQube Plugin
Below is a reference implementation for a custom SonarQube `PostProjectAnalysisTask`. This Java class intercepts the analysis results and applies our mapping logic.
package org.sonarqube.plugins.tlctc;
import org.sonar.api.ce.posttask.PostProjectAnalysisTask;
import java.util.HashMap;
import java.util.Map;
public class TLCTCIntegrationPlugin implements PostProjectAnalysisTask {
private static final Map CWE_TO_TLCTC_MAP = initializeMapping();
private static Map initializeMapping() {
Map mapping = new HashMap<>();
// TLCTC-02.00 Exploiting Server (Default for Injection)
TlctcCategory serverExploit = new TlctcCategory("TLCTC-02.00", "Exploiting Server", false);
// TLCTC-03.00 Exploiting Client (XSS)
TlctcCategory clientExploit = new TlctcCategory("TLCTC-03.00", "Exploiting Client", false);
// 1. Direct Mappings
mapping.put("CWE-89", serverExploit); // SQL Injection
mapping.put("CWE-79", clientExploit); // XSS
mapping.put("CWE-798", new TlctcCategory("TLCTC-04.00", "Identity Theft", false));
// 2. Context Dependent Mappings (Memory Errors)
TlctcCategory contextDep = new TlctcCategory("TLCTC-02.00", "Exploiting Server", true);
mapping.put("CWE-119", contextDep); // Buffer Overflow
mapping.put("CWE-787", contextDep); // Out-of-bounds Write
return mapping;
}
// ... logic to iterate issues and apply DetermineContext() ...
} Handling Context Dependency
The most critical part of the code is handling the "Context Dependent" flag.
- Default Mapping: We default memory errors to `TLCTC-02.00` (Server), assuming that backend stability is the primary concern for SAST.
- Context Override: We inspect the file path. If it contains `/frontend/`, `/ui/`, or references client-side frameworks (e.g., React, compiled WASM), we switch the tag to `TLCTC-03.00`.
Mapping Reference Table
For teams who cannot build a custom plugin, you can start by updating your internal wikis or spreadsheets with this reference mapping.
| CWE Category | Sample CWEs | TLCTC Mapping | Rationale |
|---|---|---|---|
| Access Control | CWE-285, CWE-639 | TLCTC-01.00 | Abuse of Functions: Logic flaws, not code bugs. |
| Injection | CWE-89, CWE-77 | TLCTC-02.00 | Exploiting Server: Flaw in server-side implementation. |
| Client-Side | CWE-79, CWE-601 | TLCTC-03.00 | Exploiting Client: Flaw executes in user's agent. |
| Auth/Secrets | CWE-798, CWE-287 | TLCTC-04.00 | Identity Theft: Compromises the "Who", not the "How". |
Conclusion
Integrating the TLCTC framework with SonarQube bridges the gap between technical findings and strategic risk management. By automating this mapping, you move from "fixing bugs" to "blocking threat clusters."
This concludes our three-part series. We have gone from defining the roles of Programmer vs. Coder, to seeing the strategy in action, to writing the code that automates it. The next step is yours: download the plugin, update your dashboards, and start speaking the language of risk.
References
- Kreinz, B. TLCTC White Paper V1.9.1, Page 66, "Multi-Layer Notation Convention".
- Kreinz, B. TLCTC White Paper V1.9.1, Page 30, "Clarifications: Scope of Server vs Client Software".
- CWE List Version 4.16, MITRE Corporation.