Using GNAT Pro Assurance 22, customers can request a detailed list of known problems, each keyed to The MITRE Corporation’s Common Vulnerability Enumeration (CVE) database. Vulnerability reports are provided in machine-readable CVE JSON format as well as human-readable PDF reports. In addition, AdaCore now produces Software Bills of Materials (SBOM) supplied in the industry-standard Software Package Data Exchange (SPDX) format, allowing automated incorporation into customers’ vulnerability management and reporting systems.
GNAT Pro Assurance is the top-tier edition of AdaCore’s GNAT Pro product line and offers a complete Ada solution: a comprehensive suite of development and verification tools, a configurable run-time library, and several specialised small-footprint runtimes. It is geared toward developers of safety- and/or security-critical applications that require long-term maintenance, including but not limited to projects that need to meet domain-specific software assurance standards.
For safety certification, such standards include DO-178C (airborne software), EN 50128 (rail), ECSS-E-ST-40C and ECSS-Q-ST-80C (space), and ISO 26262 (automotive and industrial systems). On the security side, relevant standards include DO-326A / ED-202A and DO-356A / ED-203A (airworthiness).
For each of these safety or security standards, certification and/or qualification material for specific run-time libraries and/or tools are available to GNAT Pro Assurance customers through an optional certification support service.
Unique to GNAT Pro Assurance, the sustained branch service allows a customer to choose a specific version of the technology and receive workarounds or product updates for that version as needed to deal with critical issues. This offers guaranteed product stability, with controlled evolution to correct problems that do not have realistic workarounds.
“The challenge with software security is that vulnerabilities can and will be discovered after a system has been deployed, and systems are typically multi-layered with interdependent components from different vendors,” explained Alexander Senier, Lead of Cybersecurity at AdaCore. “A vulnerability that one vendor fixes might require an expensive correction in another component; if that vendor fails to make that correction, then the entire system may be insecure. With GNAT Pro Assurance, our customers don't get into such a situation. We provide sustained branches, we perform automatic analyses of known vulnerabilities on those branches and make them available to customers, we analyse whether security issues found in current GNAT Pro versions are present in sustained branches and port security fixes to those older versions if necessary. This enables customers to have their systems deployed securely throughout the project’s lifetime.”