
Tec Certification Annex B

The Final AES Source Code Review Report documents the results of a source code review conducted by Pro V&V for the Automated Election System (AES) in preparation for the May 2025 National and Local Elections in the Philippines. The review aimed to ensure compliance with relevant standards and guidelines, including the EAC Voluntary Voting System Guidelines and Philippine Republic Act No. 9369. The report outlines the testing methods, findings, and compliance status of the AES software components, indicating areas for improvement and verification of security and functionality.

Uploaded by

Mark Jovin Rom

ANNEX "B"

Pro V&V

Final AES Source Code Review Report
Independent Testing Services by an Established
International Certification Entity for the 2025
National and Local Elections (SBAC Ref. No.
05-2024-ICE)

Approved by: 04/30/2025

Jack Cobb, Laboratory Director

Approved by: 04/30/2025

Wendy Owens, VSTL Program Director

Date: April 30, 2025

Disclaimer: This campaign will be tested by an EAC accredited VSTL to applicable standards of the VVSG. All testing and references
will be performed outside of the EAC Test and Certification Program

v. SCR-01-03-PHI-03-01.02
1.0 INTRODUCTION

The purpose of this Source Code Review Report is to document the results of the source code review Pro
V&V conducted as part of certification testing on an Automated Election System (AES) as an
international certification entity (ICE) for the Republic of the Philippines Commission on Elections
(COMELEC). The purpose of this test campaign is to verify that the hardware and software components for
use in the May 2025 National and Local Elections (2025 NLE) are operating properly, securely, and
accurately pursuant to Philippine Republic Act No. 9369 (RA9369), which amended RA 8436, the 2005
Election Assistance Commission (EAC) Voluntary Voting System Guidelines (VVSG) Version 1.0 (EAC
VVSG 1.0), and the Terms of Reference (TOR).

1.1 References

The documents listed below were utilized in the development of this report:

• Philippine Republic Act 9369 (RA9369)

• Terms of Reference (TOR) for the Procurement of Independent Testing Services by an
Established International Certification Entity for the Republic of the Philippines Commission on
Elections (COMELEC) (SBAC Ref No. 05-2024-ICE)

• Election Assistance Commission 2005 Voluntary Voting System Guidelines (VVSG) Version
1.0, Volume I, "Voting System Performance Guidelines", and Volume II, "National Certification
Testing Guidelines"

1.2 Scope of Testing

To meet the requirements of this test campaign, Pro V&V performed a source code review with respect to
the EAC VVSG 1.0, RA9369, which amended RA 8436, and the TOR, as applicable. All AES
sub-components will be evaluated to the requirements set forth by the EAC VVSG 1.0 as follows:

• EAC VVSG 1.0 Volume I, Section 5: Software Requirements

- Source Code Review, Compliance Build, Trusted Build, and Build Document Review

- Technical Documentation Package (TDP) Review

- Functional Configuration Audit (FCA)

1.3 TOR Requirements

For this project, the following specific TOR requirements related to the system software were identified:

(ANNEX TOR Section V Project Details, Section E Specific Testing and Compliance Validation Requirements,
Item 2) AES Source Code Review of all TechProv-developed AES software and all other related components,
including all other external or third-party software that are used with it:

Section | Requirements
2.1 The source code review shall cover source code detailed in Sections 2.1.1, 2.1.2, 2.1.3, and 2.1.4 and shall include verification as described in Section 2.1.5.
2.1.1 All AES software | The source review shall cover all TechProv-developed software (to include all scripts, applications, tools, APIs, as applicable) for COMELEC for use in the pre-election, voting and post-election stages of the 2025 NLE.
2.1.2 External software | The source review shall cover all other related components, including all other external or third-party software that are used with it.
2.1.3 COTS software | The source review shall cover all customer-off-the-shelf (COTS) external software used with the 2025 NLE AES, including, but not limited to, all operating systems, databases, network applications, and management and support utilities.
2.1.4 Miscellaneous AES components | The source review shall cover all miscellaneous AES components required in the TOR and customization requirements.
2.1.5 Verification and report of critical findings | The source code review shall contain a verification to confirm or rebut all reported critical and major findings from the LSCR, if any.
2.2 The source code review procedure shall include among others:
2.2.1 Functionality | Verification that the concerned operates only as designed and that it does not contain any hidden functionality, back doors, Trojan horse, and other similar vulnerabilities that can put the integrity of the system in question.
2.2.2 Additional code | Verification that the source code does not contain any conditional compilation flags, test flags, hardcoded passwords, or any such test coding.
2.2.3 Coding errors | Identification of coding errors that could potentially result to improper exception handling or mishandling of unexpected conditions.
2.2.4 Security analysis | Security analysis to identify errors, inconsistencies, vulnerabilities and security weakness in the code that could lead to security failures.
2.2.5 Gaps and vulnerabilities | Search for known gaps and software vulnerabilities related to user access control, data entry point, data flow analysis, data storage and retrieval, memory resources management and other critical components of the concerned system.
2.6 The source code review shall identify discrepancies or findings, including:
2.6.1 Discrepancies | Identification of discrepancies or findings that threaten the integrity of the election or could cause the results of testing to be not repeatable.
2.6.2 Discrepancies | Identification of discrepancies or findings that adversely affect the understandability, maintainability, or reliability of the AES in a significant manner, but does not threaten the integrity of the election.
2.7 The source code review shall identify and assess technical risks in relation to the source code.
2.7.1 Technical risks | Technical risk shall be reported to the TEC for coordination with Steercom for appropriate action and for possible input to the development, provisioning, and operationalization of a continuity plan and compensating controls.

1.4 Software Requirements Plan

The software requirements set forth in Section 5 of EAC VVSG 1.0 were tested utilizing a combination of
review and functional testing during the Source Code Review, TDP Review, and FCA. Pro V&V has
detailed the following plan, as taken from the Project Implementation Plan for this project, to conduct the
source code review:

To perform the source code review, Pro V&V developed a toolbox of multiple automated source code
analysis tools to include: static code analyzers, secure analyzers, and web application analyzers. Pro V&V
then ran the selected tool against the source code provided. Any issues found were researched and a
manual review was performed on any noted areas of interest. Pro V&V provided the LSCR team with the
initial reports to help accelerate the review performed by the LSCR team. Pro V&V reviewed all
proprietary utilities/tools/script/systems using the same methods to review the source code as the
proprietary application source code. An analysis was performed on COTS components to ensure they are
unmodified and are the documented versions for the system.

Pro V&V will use the Security Content Automation Protocol (SCAP) to enumerate software flaws and
configuration issues related to security for operating systems and other COTS application that are part of
the documented system deployment as part of the Security Testing. Pro V&V audited all COTS software
to ensure they have not been modified or show any signs of tampering. This audit included the name of
the manufacturer, name of the product, and the version of the product.

2.0 AES SOURCE CODE REVIEW

The results of all Source Code Reviews completed are summarized in the following subsections. Pro
V&V will provide a detailed analysis of all testing in the Final Certification Test Report.

2.1 General Information

All testing was conducted under the guidance of Pro V&V, Inc. by personnel verified by Pro V&V, Inc.
to be qualified to perform the testing. The reviews documented in this report were performed at the Pro
V&V, Inc. test facility located in Huntsville, AL.

Pro V&V utilized the following test support equipment during the source code review process:

Table 2.0 Test Support Equipment

AES Code Component | Support Equipment | Version Number | Description
EMS, ACM, CCS, Online Voting | SonarQube | 9.9.3 | Source code quality static analysis tool
EMS, ACM, CCS, Online Voting | Parasoft Jtest | 10.7.1 | Source code quality static analysis tool

2.2 Source Code Review

The Source Code Review is a formal review of a customer submitted source code to specific
requirements. The requirements may be published standards, customer supplied requirements, and/or third
party supplied requirements. This inspection may be performed manually or using an automated tool.

The Source Code Inspection is not a development activity. At no time during the Source Code Inspection
are the testers performing this review to write any source code, assist in code architecture design, or
suggest any code improvements.

Pro V&V performed a Source Code Review of the AES software comprised of the EMS, ACM and CCS,
and all other related components, including all other external or third-party software that are used with it,
during the test campaign. To initiate the review process, Miru submitted the source
code for inspection. Pro V&V then performed the following types of source code inspections:
Compliance, Functional, COTS, Security, and Build.

Pro V&V performed a Source Code Review of the Overseas Vote Counting System (OVCS) software and
all other related components, including all other external or third-party software that are used with it,
during the test campaign. To initiate the review process, Sequent submitted the source code
for inspection. Pro V&V then performed the following types of source code inspections: Compliance,
Functional, COTS, Security, and Build.

Note: Pro V&V performed the FTB on-site in Huntsville, Alabama USA, on January 20, 2025 (Manila
Time) using documentation provided by Miru.

Pro V&V used three methods to review the proprietary source for the EMS, CCS, ACM, and OVCS:

(1) Where possible, automated tools were used to create as many efficiencies as possible

(2) A comparative review was used to only look at the changes from the previous version that were
certified and the modified source code

(3) A full manual review line by line was used for all new code.

All three methods utilized the EAC VVSG 1.0 coding standards as well as COMELEC additional
requirements.

2.2.1 Election Management System (EMS)

Miru submitted the source code documented in Table 2.1 for review to the EAC 2005 VVSG. After the
final submission, Pro V&V generated SHA-256 hash values.

Table 2.1 EMS Software/Firmware

Component Name | Version | Unique Identifier (digital signature or SHA-256 hash value)
FTB 20250117 ems | 1.4.13 | c6722el 45ead26 l da2cal 4d82aae6 I de I 8a67 22 I7 d47 0cb85 I 9 ec608e29f70a5
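
Added example (not part of the Pro V&V report or its tooling): one way to re-check delivered archives against the component name, version and SHA-256 identifier that a table such as Table 2.1 records. It joins digests that a printed report wraps across lines and rejects any value that is not 64 hex characters; every component name, file name and file content below is constructed.

```python
import hashlib
import re
import tempfile
from pathlib import Path

HEX64 = re.compile(r"[0-9a-f]{64}")


def normalize_digest(text):
    """Join a digest that a report wrapped across lines or split with spaces.

    Returns the 64-character lowercase hex string, or None when the joined
    value is not valid hex of the right length. Damaged digits are never
    guessed at: a look-alike such as 'l' for '1' makes the entry unusable.
    """
    joined = "".join(text.split()).lower()
    return joined if HEX64.fullmatch(joined) else None


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large release archives are not read whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_manifest(rows, directory):
    """Check each (component, version, file name, digest text) row.

    Returns {"component version": status} where status is one of
    MATCH, MISMATCH, MISSING or MALFORMED_DIGEST.
    """
    results = {}
    for component, version, file_name, digest_text in rows:
        expected = normalize_digest(digest_text)
        # Use only the final path element so a manifest entry cannot point
        # outside the delivery directory.
        path = Path(directory) / Path(file_name).name
        if expected is None:
            status = "MALFORMED_DIGEST"
        elif not path.is_file():
            status = "MISSING"
        elif sha256_file(path) == expected:
            status = "MATCH"
        else:
            status = "MISMATCH"
        results[f"{component} {version}"] = status
    return results


def demo():
    """Run the check over constructed files and a constructed manifest."""
    with tempfile.TemporaryDirectory() as tmp:
        delivery = Path(tmp)
        original = b"constructed sample archive contents\n"
        good = hashlib.sha256(original).hexdigest()
        wrapped = good[:51] + "\n" + good[51:]  # digest split over two lines

        (delivery / "sample-app-1.0.0.zip").write_bytes(original)
        # Same manifest digest, but the file on disk differs (modified copy).
        (delivery / "sample-tool-2.0.0.zip").write_bytes(original + b"extra")

        rows = [
            ("sample-app", "1.0.0", "sample-app-1.0.0.zip", wrapped),
            ("sample-tool", "2.0.0", "sample-tool-2.0.0.zip", good),
            ("sample-util", "3.0.0", "sample-util-3.0.0.zip", good),
            # First digit replaced by the letter 'l', as a scan might do.
            ("sample-lib", "4.0.0", "sample-app-1.0.0.zip", "l" + good[1:]),
        ]
        return verify_manifest(rows, delivery)


if __name__ == "__main__":
    for entry, status in demo().items():
        print(f"{entry}: {status}")
```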

The Miru's EMS Application is developed using the Java/JavaScript coding language. An analysis was
performed on submitted source code for readability, maintainability, auditability, and security. The
source code review included compliance to the EAC 2005 VVSG, Version 1.0. It is noted that the Miru
EMS source code was not written to the EAC 2005 VVSG, Version 1.0 coding standard. The Pro V&V
test procedures used for this source code review were VSTL-TP-200 and VSTL-TP-210, which are
presented in Attachment A of this document.

The strategy for evaluating the submitted EMS application source code for compliance to the 2005 EAC
VVSG was to perform manual review for the header and file comments. After the review, the static
source code analysis tool was loaded with Miru's EMS source code and the tools were then executed. The
report produced from this scan was analyzed. Any discrepancies noted were documented and resolved.
Each identified finding was manually adjudicated. Any discrepancies discovered were documented and
submitted to Miru for resolution. This process was performed one time and the source code
was re-scanned. The re-scans demonstrated successful implementation of all identified requirements
submitted for evaluation.

Summary Findings:

The first review of the source code concluded that the source was not compliant with the 2005 EAC
VVSG, Version 1.0. This was expected by Pro V&V because the code was not written to that standard.
The source code submitted performed much better when scanned by the two static code analyzers. There
were a few issues that were submitted to Miru. Miru corrected all issues with source code updates or
provided valid engineering logic as to why the source code was not updated. Pro V&V feels the source
code is compliant to a published standard because the Parasoft Jtest tool enforces proper coding techniques
for Java programming and SonarQube performs static security and best practices for development.

VSTL-TP-200: Source Code Inspection

The objective of this test case was to perform a formal review of a customer submitted source code to
specific requirements. The requirements were published standards for EAC 2005 VVSG.

During execution of this test procedure, it was verified that the submitted source code met the
requirements of the review. The source code doesn't meet the specific requirements for commenting. The
review revealed that the source code was in compliance with the required standards and that the source
code was written within the parameters of its design. The only finding that remained was the source code
contained some "commented test" code. It is best practice to remove this from production code.

VSTL-TP-210: Compliance Inspection

The Compliance Inspection consisted of the execution of SonarQube and examining the findings.

During execution of this test procedure, it was verified that the submitted source code met the
requirements. The review revealed that the source code was in compliance with the required standards
and that the source code was written within the parameters of its design. Many of the findings of the tool
were deemed to be false positives.

2.2.2 Consolidating and Canvassing System (CCS)

Miru submitted the source code documented in Table 2.2 for review to the EAC 2005 VVSG. After this
submission, Pro V&V generated SHA-256 hash values.

Table 2.2 CCS Software/Firmware

Component Name | Version | Unique Identifier (digital signature or SHA-256 hash value)
front-1.1.2 | 1.1.2 | 8595f528c3b2f647 a5236c868fc5a l2eal e I a7486al cI2M563b 760b5b068f9
back-1.1.2 | 1.1.2 | 9bbfbc0a44 I a6fll37dc79fc I bea59768d953e49df993 70d8684 0b7bddecb228e

The Miru CCS Application is developed using the Java/JavaScript coding language. An analysis was
performed on submitted source code for readability, maintainability, auditability, and security. The
source code review included compliance to the EAC 2005 VVSG, Version 1.0. The Pro V&V test
procedures used for this source code review were VSTL-TP-200 and VSTL-TP-210, which are presented
in Attachment A of this document.

The strategy for evaluating the CCS application source code for compliance to the 2005 EAC VVSG was
to perform manual review for the header and file comments. After the review, the static source code
analysis tool was loaded with Miru CCS source code and the tool was then executed. The report produced
from this scan was analyzed. Any discrepancies noted were documented and resolved. Each identified
finding was manually adjudicated. Any discrepancies discovered were documented and submitted to
Miru for resolution.

Summary Findings:

The first review of the source code concluded that the source was not compliant with the 2005 EAC
VVSG, Version 1.0. This was expected by Pro V&V because the code was not written to that standard.
The source code submitted performed much better when scanned by the two static code analyzers. There
were a few issues that were submitted to Miru. Miru corrected all issues with source code updates or
provided valid engineering logic as to why the source code was not updated. Pro V&V feels the source
code is compliant to a published standard because the Parasoft Jtest tool enforces proper coding techniques
for Java programming and SonarQube performs static security and best practices for development.

VSTL-TP-200: Source Code Inspection

The objective of this test case was to perform a formal review of a customer submitted source code to
specific requirements. The requirements were published standards for EAC 2005 VVSG.

During execution of this test procedure, it was verified that the submitted source code met the
requirements of the review. The source code doesn't meet the specific requirements for commenting. The
review revealed that the source code was in compliance with the required standards and that the source
code was written within the parameters of its design.

VSTL-TP-210: Compliance Inspection

The Compliance Inspection consisted of the execution of SonarQube and examining the findings.

During execution of this test procedure, it was verified that the submitted source code met the
requirements. The review revealed that the source code was in compliance with the required standards
and that the source code was written within the parameters of its design. Many of the findings of the tool
were deemed to be false positives.

2.2.3 Automated Counting Machine (ACM)

Miru submitted the source code documented in Table 2.3 for review to the EAC 2005 VVSG. After the
final submission, Pro V&V generated SHA-256 hash values.

Table 2.3 ACM Software/Firmware

Component Name | Version | Unique Identifier (digital signature or SHA-256 hash value)
phl-acm (phl-acm-3.4.0.zip) | 3.4.0 | 3ad9befdc2e,l4dcf9 87 ac029 da2c I f 480babb9054a2 b0b I 04c8 dc9 8dfl3 2 f5 09
phl-acm-hash-validator (phl-hash validator-1.3.2.zip) | 1.3.2 | c860de90b9 I f6c2 I dac2db00b94c I 0a5a38b9a65bdd7c879080 4l b95Maedc9e
phl-launcher (phl-launcher-1.0.6.zip) | 1.0.6 | d5 I I d8b I e3d44af5be6235d9ed8a349 I 50094a0a4r2379b2a6e fef2l937l86c8
phl-unlocker (phl-unlock-1.0.1.zip) | 1.0.1 | f65 I 9ee4dc6402428aaae0c4c995df8d05 I 4e4e0bf4d303 87be 48ba047 a9b8d
phl-wipe_out (phl-wipe out-1.2.3.zip) | 1.2.3 | 7bb8d6982c9320262849 l2c80l bdd67 I 868 I dc4dd8205c4cfl 4a3e6705647b9b

The Miru ACM application is developed using the Java/JavaScript coding language. An analysis was
performed on submitted source code for readability, maintainability, auditability, and security. The
source code review included compliance to the EAC 2005 VVSG, Version 1.0. The Pro V&V test
procedures used for this source code review were VSTL-TP-200 and VSTL-TP-210, which are presented
in Attachment A of this document.

The strategy for evaluating the ACM application source code for compliance to the 2005 EAC VVSG was
to perform manual review for the header and file comments. After the review, the static source code
analysis tool was loaded with Miru ACM source code and the tool was then executed. The report
produced from this scan was then analyzed. Any discrepancies noted were documented and resolved.
Each identified finding was manually adjudicated. Any discrepancies discovered were documented and
submitted to the Miru for resolution and any discrepancies were documented.

Summary Findings:

The first review of the source code concluded that the source was not compliant with the 2005 EAC
VVSG, Version 1.0. This was expected by Pro V&V because the code was not written to that standard.
The source code submitted performed much better when scanned by the two static code analyzers. There
were a few issues that were submitted to Miru. Miru corrected all issues with source code updates or
provided valid engineering logic as to why the source code was not updated. Pro V&V feels the source
code is compliant to a published standard because the Parasoft Jtest tool enforces proper coding techniques
for Java programming and SonarQube performs static security and best practices for development.

VSTL-TP-200: Source Code Inspection

The objective of this test case was to perform a formal review of a customer submitted source code to
specific requirements. The requirements were published standards for EAC 2005 VVSG.

During execution of this test procedure, it was verified that the submitted source code met the
requirements of the review. The source code doesn't meet the specific requirements for commenting. The
review revealed that the source code was in compliance with the required standards and that the source
code was written within the parameters of its design.

VSTL-TP-210: Compliance Inspection

The Compliance Inspection consisted of the execution of SonarQube and examining the findings.

During execution of this test procedure, it was verified that the submitted source code met the
requirements. The review revealed that the source code was in compliance with the required standards
and that the source code was written within the parameters of its design. Many of the findings of the tool
were deemed to be false positives.

2.2.4 Utilities

Miru submitted the source code documented in Table 2.4 for review to the EAC 2005 VVSG. After the
final submission, Pro V&V generated SHA-256 hash values.

Table 2.4 Utilities Software/Firmware

Component Name | Version | Unique Identifier (digital signature or SHA-256 hash value)
otp-generator (otp_generator_v1.1.0.zip) | 1.1.0 | 80629 da2235 c46fa3 I 07 a2fec4685 4c8834 I 8c I a744454c9330 0bcb5070959db
usb-decryptor (usb_decryptor_v1.0.0.zip) | 1.0.0 | cbac9Becad4T 1 I 96tu0b6442e8ce83079bf4a756 I d80386fl a b63acf2934381
wpat-validator (wpat_validator v1.0.0.zip) | 1.0.0 | 5d 140870 14e64c3a47 46364a045e998c7 I 87d3f88672d1 b2d4 334edb84550885
ph_edas (ph_edas.zip) | 1.0.0 | fc28e8e I eTbaa6d 187 c7857f4a20lbccacb I 5b l494l3e99ba0a 621d25dbal3l5
ph_edas_web (ph-edas-web.zip) | 1.0.0 | bf92c4 d27 bbe9 e9 a666faf4005 06c8e54 dd7bff 7 6 dc7 aa247 9 tb bbd74e00eb8c
ballot validator (phl-bv-2.3.21.zip) | 2.3.21 | 8b7cd8bd'l 9fcf I 935bb0a57e6aae57cf7c?c59cec738 I 0 I 340c2 3d4b8402cae9
ballot-tracking-system (BTS-2-0210202s.zip) | 1.0.0 | c3 b84bdffi 06ee3 Tcdae I 895 dfe83903 7 382a1 3c6b5 527 424e7 487c29946c528

The Miru Utilities are developed using the Java/JavaScript coding language for the utilities submitted as
part of the EMS-CCS package and C/C++ coding language for the utilities submitted as part of the ACM
package. An analysis was performed on submitted source code for readability, maintainability,
auditability, and security. The source code review included compliance to the EAC 2005 VVSG, Version
1.0. The Pro V&V test procedures used for this source code review were VSTL-TP-200 and
VSTL-TP-210, which are presented in Attachment A of this document.

The strategy for evaluating the Utilities source code for compliance to the 2005 EAC VVSG was to
perform manual review for the header and file comments. After the review, the static source code analysis
tool was loaded with Miru Utilities source code and the tool was then executed. The report produced from
this scan was then analyzed. Any discrepancies noted were documented and resolved. Each identified
finding was manually adjudicated. Any discrepancies discovered were documented and submitted to Miru
for resolution.

Summary Findings:

The first review of the source code concluded that the source was not compliant with the 2005 EAC
VVSG, Version 1.0. This was expected by Pro V&V because the code was not written to that standard.
The source code submitted performed much better when scanned by the two static code analyzers. There
were a few issues that were submitted to Miru. Miru corrected all issues with source code updates or
provided valid engineering logic as to why the source code was not updated. Pro V&V feels the source
code is compliant to a published standard because the Parasoft Jtest tool enforces proper coding techniques
for Java programming and SonarQube performs static security and best practices for development.

VSTL-TP-200: Source Code Inspection

The objective of this test case was to perform a formal review of a customer submitted source code to
specific requirements. The requirements were published standards for EAC 2005 VVSG.

During execution of this test procedure, it was verified that the submitted source code met the
requirements of the review. The source code doesn't meet the specific requirements for commenting. The
review revealed that the source code was in compliance with the required standards and that the source
code was written within the parameters of its design.

VSTL-TP-210: Compliance Inspection

The Compliance Inspection consisted of the execution of SonarQube and examining the findings.

During execution of this test procedure, it was verified that the submitted source code met the
requirements. The review revealed that the source code was in compliance with the required standards
and that the source code was written within the parameters of its design. Many of the findings of the tool
were deemed to be false positives.

2.2.5 OVCS

Sequent submitted the source code documented in Table 2.4 for review to the EAC 2005 VVSG.

Table 2.5 OVCS Software/Firmware

Component Name | Version | Unique Identifier (digital signature or SHA-256 hash value)
admin-portal-build-latest.tar.gz | 8.0.8-rc.4 | a223b62ab200 40 cezle5 fe5 c45f695cf6 c6c52 4f2e69 a6e922e0 c 38cc7 6099a4f
b3-build-latest.tar.gz | 8.0.8-rc.4 | a2c4db9 I f33ad2c36cb0842ffc7 7 97 Zcb I fb3 85048b0728 I 8f8f I c0380b2f997
ballot-verifier-build-latest.tar.gz | 8.0.8-rc.4 | 9 dc2da0f21 af0dZ1 e600cadd78 I 9e I 3673fll5fe5550Oa4bfffc34 aal6ea4752f
braid-build-latest.tar.gz | 8.0.8-rc.4 | a8024d3ebd84d263c5083 I bd47adf98f2f46f5Mfbe9e7 64 1 a02 6fe76f48a0l I
harvest-build-latest.tar.gz | 8.0.8-rc.4 | 9b69335b778 I e2 I dfc602fbe7 e4B9fefl 06d0b5ceebbfa28 I 9d 5l e86eff63c8
immudb-build-latest.tar.gz | 8.0.8-rc.4 | 97 I bc9ccO I 5ec0 I 8cdc687cd48ea6dee7 c5858lbb7 6d57 4d7 c4 ecc 1cf56348c0
immudb-init-build-latest.tar.gz | 8.0.8-rc.4 | 53 I 1 59d6 l2bc6c9f479d9eff12f0ld2lf555623b9fl8 lbcec023 a2e0a559a497
keycloak-build-latest.tar.gz | 8.0.8-rc.4 | 0I 74a02db6d70be3e99 I 67b80ab449305988d060c7364d089 533a6055e6d lce
voting-portal-build-latest.tar.gz | 8.0.8-rc.4 | c6e52fU502420942d38aafledc9Oe5e488f7e03e2f7 I dI 6df070 d27910b68e29
windmill-build-latest.tar.gz | 8.0.8-rc.4 | ed57b6029fOc8 I 060f1 de1 9A I 06642b69cfc60f70 I 34fd8433 49272f0284e2e

The Sequent OVCS application is developed using the Rust and JavaScript coding language. An analysis
was performed on submitted source code for readability, maintainability, auditability, and security. The
source code review included compliance to the EAC 2005 VVSG, Version 1.0. The Pro V&V test
procedures used for this source code review were VSTL-TP-200 and VSTL-TP-210, which are presented
in Attachment A of this document.

Summary Findings

The first review of the source code concluded that the source was not compliant with the 2005 EAC
VVSG, Version 1.0. This was expected by Pro V&V because the code wasn't written to that standard.
The source code submitted performed much better when scanned by the two static code analyzers. There
were a few issues that were submitted to Sequent. Sequent corrected all issues with source code updates
or provided valid engineering logic as to why the source code was not updated. Pro V&V feels the source
code is compliant to a published standard because the Parasoft Jtest tool enforces proper coding
techniques for JavaScript programming and SonarQube performs static security and best practices for
development.

Note: Pro V&V performed the FTB on-site in Huntsville, Alabama USA, on February 24, 2025 (Manila
Time) using documentation provided by Sequent.

2.3 TOR Requirement Findings

Section 2.1.1 All AES Software

Requirement

The source review shall cover all TechProv-developed software (to include all scripts, applications, tools,
APIs, as applicable) for COMELEC for use in the pre-election, voting and post-election stages of the
2025 NLE.

Test Methodology

Inspection and Review: Pro V&V developed a tool box of multiple automated source code analysis tools
to include: static code analyzers, secure analyzers, and web application analyzers. Pro V&V then ran the
selected tool against the source code provided. Any issues found were researched and a manual review
was performed on any noted areas of interest. Pro V&V provided the LSCR team with the initial reports
to help accelerate the review performed by the LSCR team.

Summary Findings

There were no critical or major findings in this version of OVCS source code.

2.1.2 External software

Requirement

The source review shall cover all other related components, including all other external or third-party
software that are used with it.

Test Methodology

Inspection and Review: Pro V&V reviewed any proprietary utilities/tools/script/systems using the same
methods to review the source code as the proprietary application source code. Analysis was performed on
COTS components to ensure they are unmodified and are the documented versions for the system.

Pro V&V used the Security Content Automation Protocol (SCAP) to enumerate software flaws and
configuration issues related to security for operating systems and other COTS application that are part of
the documented system deployment.

Pro V&V audited all COTS software to ensure they had not been modified or showed any signs of
tampering. This audit included the name of the manufacturer, name of the product, and the version of the
product.

Summary Findings

There were no critical or major findings in the external software. All external software was free of
modification, and did not show any signs of tampering.

2.1.3 COTS software

Requirement

The source review covered all customer-off-the-shelf (COTS) external software used with the 2025 NLE
AES, including, but not limited to, all operating systems, databases, network applications, and
management and support utilities.

Test Methodology

Inspection and Review: Pro V&V reviewed any proprietary utilities/tools/scripts/systems using the same
methods to review the source code as the proprietary application source code. Analysis was performed on
COTS components to ensure they are unmodified and are the documented versions for the system.

Pro V&V used the Security Content Automation Protocol (SCAP) to enumerate software flaws and
configuration issues related to security for operating systems and other COTS application that are part of
the documented system deployment.

Pro V&V audited all COTS software to ensure they had not been modified or showed any signs of
tampering. This audit included the name of the manufacturer, name of the product, and the version of the
product.

Summary Findings

There were no critical or major findings in this version of COTS source code. All COTS software was
free of modification, and did not show any signs of tampering.

2.1.4 Miscellaneous AES components

Requirement

The source review shall cover all miscellaneous AES components required in the TOR and customization
requirements.

Test Methodology

Inspection and Review: Pro V&V reviewed any proprietary utilities/tools/scripts/systems using the same
methods to review the source code as the proprietary application source code. Analysis was performed on
COTS components to ensure they are unmodified and are the documented versions for the system.

Pro V&V used the Security Content Automation Protocol (SCAP) to enumerate software flaws and
configuration issues related to security for operating systems and other COTS application that are part of
the documented system deployment.

Pro V&V audited all COTS software to ensure they had not been modified or showed any signs of
tampering. This audit included the name of the manufacturer, name of the product, and the version of the
product.

Summary Findings

There were no critical or major findings in the source code of the miscellaneous AES components. The
software reviewed was free of modification, and did not show any signs of tampering.

2.1.5 Verification and report of critical findings

Requirement

The source code review shall contain a verification to confirm or rebut all reported critical and major
findings from the LSCR, if any.

Test Methodology

A final report, describing the method and results along with details of the documents providing proof of
how code complied will be issued by Pro V&V to COMELEC.

The Final Report on the source code review will be submitted with:

a summary listing of the names of the software reviewed with a general description of each,
number of lines of code by each

a summary listing of all critical and major findings or discrepancies, with information on which
software and which module said discrepancy or finding was found, a general description of
why it is a critical or major finding or discrepancy, and whether it was addressed or not (and why
not), including the corresponding references to the specific page or section in said report.

Summary Findings

Any critical findings that are found during the static analysis code scans will be manually reviewed,
compiled and sent to the vendor for a response to all findings.

Any critical findings that were found in the previous static code security scans that were provided to the
vendors were fixed in this latest release of the source code. The source code is compliant and has no
major critical findings.

Section 2.2 The source code review procedure shall include among others:

2.2.1 Functionality

Requirement

Verification that the concerned operates only as designed and that it does not contain any hidden
functionality, back doors, Trojan horse, and other similar vulnerabilities, that can put the integrity of the
system in question.

Test Methodology

Inspection and Review: Pro V&V developed a tool box of multiple automated source code analysis tools
to include: static code analyzers, secure analyzers, and web application analyzers. Pro V&V then ran the
selected tool against the source code provided. Any issues found were researched and a manual review
was performed on any noted areas of interest. Pro V&V provided the LSCR team with the initial reports
to help accelerate the review performed by the LSCR team.

Summary Findings

All source code had security code scans to verify that no back doors, Trojan horse, or similar
vulnerabilities are included in the code. All code was subjected to multiple types of security scans to
ensure that all code has obtained thorough coverage. All findings from the static code analyzers were sent
to the vendor for responses and were also tested inside the security testing portion of the campaign.

2.2.2 Additional code

Requirement

Verification that the source code does not contain any conditional compilation flags, test flags, hardcoded
passwords, or any such test coding.

Test Methodology

Inspection and Review: Pro V&V developed a tool box of multiple automated source code analysis tools
to include: static code analyzers, secure analyzers, and web application analyzers. Pro V&V then ran the
selected tool against the source code provided. Any issues found were researched and a manual review
was performed on any noted areas of interest. Pro V&V provided the LSCR team with the initial reports to
help accelerate the review performed by the LSCR team.

Summary Findings

All source code was scanned through multiple automated source code static analysis tools to ensure that
no test code, hardcoded passwords, or compilation flags are included. All findings from the static code
analyzers were sent to the vendor for responses and were also tested inside the security testing portion of
the campaign.

2.2.3 Coding errors

Requirement

Identification of coding errors that could potentially result to improper exception handling or mishandling
of unexpected conditions.

Test Methodology

Inspection and Review: Pro V&V developed a tool box of multiple automated source code analysis tools
to include: static code analyzers, secure analyzers, and web application analyzers. Pro V&V then ran the
selected tool against the source code provided. Any issues found were researched and a manual review
was performed on any noted areas of interest. Pro V&V provided the LSCR team with the initial reports
to help accelerate the review performed by the LSCR team.

Summary Findings

All source code will be scanned through multiple automated source code static analysis tools to ensure
that no improper exception handling or mishandling of unexpected conditions are included. All findings
from the static code analyzers were sent to the vendor for responses.

2.2.4 Security analysis

Requirement

Security analysis to identify errors, inconsistencies, vulnerabilities and security weakness in the code that
could lead to security failures.

Test Methodology

Inspection and Review: Pro V&V developed a tool box of multiple automated source code analysis tools
to include: static code analyzers, secure analyzers, and web application analyzers. Pro V&V then ran the
selected tool against the source code provided. Any issues found were researched and a manual review
was performed on any noted areas of interest. Pro V&V provided the LSCR team with the initial reports
to help accelerate the review performed by the LSCR team.

Summary Findings

All source code had security code scans to verify that there is no weakness in the code that could lead to
security failures. All code was subjected to multiple types of security scans to ensure that all code had
obtained thorough coverage. All findings from the static code analyzers were sent to the vendor for
responses and were also tested inside the security testing portion of the campaign.

2.2.5 Gaps and vulnerabilities

Requirement

Search for known gaps and software vulnerabilities related to user access control, data entry point, data
flow analysis, data storage and retrieval, memory resources management, and other critical components of
the concerned system.

Test Methodology

Inspection and Review: Pro V&V developed a tool box of multiple automated source code analysis tools
to include: static code analyzers, secure analyzers, and web application analyzers. Pro V&V then ran the
selected tool against the source code provided. Any issues found were researched and a manual review
was performed on any noted areas of interest. Pro V&V provided the LSCR team with the initial reports
to help accelerate the review performed by the LSCR team.

Summary Findings

All source code had security code scans to verify that there are no gaps or weakness in the code that could
lead to security failures. All code was subjected to multiple types of security scans to ensure that all code
has obtained thorough coverage. All findings from the static code analyzers were sent to the vendor for
responses and were also tested inside the security testing portion of the campaign.

Section 2.6 The source

2.6.1 Discrepancies

Requirement

Identification of discrepancies or findings that threaten the integrity of the election or could cause the
results of testing to be not repeatable.

Test Methodology

All discrepancies will be identified, reported, and assigned a level (discrepancy or anomaly). Each
discrepancy will be tracked from identification through resolution.

Summary Findings

All source code had security code scans to verify that there are no gaps or weakness in the code that could
lead to security failures. All code was subjected to multiple types of security scans to ensure that all code
has obtained thorough coverage. All findings from the static code analyzers were sent to the vendor for
responses and were also tested inside the security testing portion of the campaign.

2.6.2 Discrepancies

Requirement

Identification of discrepancies or findings that adversely affect the understandability, maintainability, or
reliability of the AES in a significant manner, but does not threaten the integrity of the election.

Test Methodology

All discrepancies will be identified, reported, and assigned a level (discrepancy or anomaly). Each
discrepancy will be tracked from identification through resolution.

Summary Findings

All source code had security code scans to verify that there are no discrepancies in the code that could
lead to security failures. All code was subjected to multiple types of security scans to ensure that all code
has obtained thorough coverage. All findings from the static code analyzers were sent to the vendor for
responses and were also tested inside the security testing portion of the campaign.

Section 2.7 The source code review shall identify and assess technical risks in relation to the source code

Requirement

Technical risks shall be reported to the TEC for coordination with SteerCom for appropriate action and
for possible input to the development, provisioning, and operationalization of a continuity plan and
compensating controls.

Test Methodology

All technical risks discovered in relation to the source code will be reported to the TEC for coordination
with SteerCom for appropriate action and for possible input to the development, provisioning, and
operationalization of a continuity plan and compensating controls.

Summary Findings

All source code had security code scans to verify that there are no technical risks in the code that could
lead to security failures. All code was subjected to multiple types of security scans to ensure that all code
has obtained thorough coverage. All findings from the static code analyzers were sent to the vendor for
responses and were also tested inside the security testing portion of the campaign.

3.0 SUMMARY RECOMMENDATION

Based on the reviews performed and the results obtained, the EMS, CCS, ACM, Utilities, and the OVCS
described in this report demonstrated successful implementation of all identified requirements submitted
for evaluation. There are no critical or major findings in these versions of Miru or Sequent source code.
Pro V&V recommends proceeding with a trusted build of the identified versions of these applications.

ATTACHMENT A

Pro V&V
VSTL TEST PROCEDURE: VSTL-TP-200-1.0

Title: Source Code Inspection   Requirement: 2005 EAC VVSG, Volume I & II, Section 5
.lnrhor: 1\' O$'.a! \irsioo: lornal
Procedure Description: Procedure to be followed during the performance of a Source Code Inspection.
Or'.ni.N: Th Sotrtl Cod. Iq3p.doo ii a fqtn l lld.ls of . cu!!q&r $bBincd iorr.(. co& to lp.cifc
Ttr aqrri,!,Ur o.t b. pi$lrsh.d !ood{ds. cur&.r qphd tlqErEH's. .odq lLnd Fn
flTptrd rquir-qt. Tbn rorycair or-v bc pcrfoa aorny. d Brag - fltod.rd tool. T!. Sd.c. Cod.
hsP.chon G d r d?tlloF.d -!lt-r At Do !c lhiE tb Scnrct Co& bspc<u 8. rb E*r1 FfdE'ng 6n3
Gr.rr,s lo tltlt rd)' lGca codc- .r$st i. co& icliEcinr. d6rF d 3$S!an ra-rr cod! rq:El@g

Test Procedure:
Iha ca!t@ srrba! s saEltG co& fq ratpcctro,o- A &rgqaatioa r oa& !r to stll t!${t!rads tL inipactroo s![
t codttad rlirr.i Oocr ttc rcEnrm b.r! b..! cn*lisicd tb. t F of Sourr. Co& ,ETc<too l1ll b. a.d to
b. &LrEsd ho V&V Ffa6 bcah mrt d orqrr:d Strrrc Co& Irytuos tu tu f.fbBtng qF:
o Cc4rct larp<to - 15IL I? :lGt.0
r Futrood Iorpcctio - \STL T? l:0-l 0
. COTS !sip.cu6 - VSII. TP llGl.0
. S.ctIrr!' hiFctroa - \TTL T? ]{{ll 0
. B8ild hrpftrEo - 1-,S[ 1" ]5c I 0

\codrag o tha coErrat or custoolr rlqur.nEti r.8Edati@ od). ba Ffqu.d aad ootlrr Source Coda
IrsFtirtr or b. Ffard. -{.irr tht Scoct Codr l.o5Ftco is .oodtr I r.pdt of ots.ri i.Gr rtrcrcprccs. ud
rllrt.i $rllt nrEd. Tbs rqr6r Dra! t r rtro&l@ tlpon or ba pn ofalaaiar.lpart

Pt! VlV. b..


!sfL-TP-l(}0-l 0 Snr. Corlo Bro
Prl I oll
Ilft a..rE it ..a 3.&rLa rl,- ,rfr.a.
C.r.6dntitl r.d Pr.e.i..rt'r

Pro V&V
VSTL TEST PROCEDURE: VSTL-TP-210-1.0
Titlc r
lmr 's6. I & tr. S.olco
.{uthor: li- \_tr:ionr
Pr ocrdura Aoc.dlr !o b. follorr.d rb. ofr
Or c lto4h $a ID.:pactroo 1: t!}. of coda urqxttr.rn. It (ltrPtu lxg
IlbortLd co& Solhtarc U oLr Te.,l StT) l!. rpcctic rlerur L'r Tht spctifir L'r arlX could bc brli ll,lutcd
fed.ril- supplt.d fte .i l!' .]]. :qrphtd
dat.'irrl.qa f c oda (oryLro.€ iJe barag corrF ad

Procedure:
I Rtcrilr .od citdog rhc SUT F rt \:STL CM nr .gadbog of Tqs lr.rDs ,!d TGgr D.E.
L IXttooc rf ttc io+ccto q,rll bc I ryl lin-b!.Le rospcaio q a tui({ ia!!r.!q.
J ,f,.* rtrlF!€o.is - 1.T6.{ DsFtla- .!.rrc rt r.frrE . t6t rools 6 i[x.ILd ad tilidar.tt {rqtle ro
\ 5 r L ltot!'u lrr@.r -EsP.rr". Oo". t ttst canrv*r !s
FlgcrtT (@6!Er{. phct rh strr rcoiL
lcst €t(t o|@l
J. Er.$. 6a rutolBlad rogl.
5 If ttr raEx.,io* a @.r tE tr'-li. r!+ccto'' r ddlr,.dioo (r& ro ba D& irt rhr fta !trT.ctioo i"
a trlri.l rn prcta.. . .aqrtso 6f F?raGljv l,+ccfqt rocr co&.
6. It tL i!+..lt!a t! .! i,rrr.I Dlp.ctird" ri.o e qdrfed Fro \'&1. cqfopc rrll raspccr <rry Lc of tu SUT
&d \rlidat tlrf i c{9 tta raod-d o. t!$!rtc.!r a $ b;"g coqtr{ o-
7. If tbr rospcctin n .a ilspc.ld of Fqli@dv i&I,cct{ sorc. .!d.. tt ! . g.IG.{ Pio tr'.t\: trplor.. *ill
ryl tkoqllll SI4 rd c.q.'t rh Es lrtllilie ro d.|arr e.nraFd r.a of ti Stt. ,t
ee&&{ \-.*V cqplorrt s qE.' s uifcrt tr af tlt SLt U rrlrAr r cas tc
.6ikd r r!{pirffi n r5 "E{r'chgld
bciag cqrtd to
3. A&r ttc Coopliact Irspcctio of SLIT tes b..! co,ql6.d. dl isru.s d! rlcnd.d ,nd rc?od.d.
9 T[a cr$toe'' tDly ba dloEd to r@i{r.lha isslEs od rls{borir 6. SUL

Pi! f iY. L.-


!'STL-T!-:) Al 0 Co.ide. L?.cro
*. ..--,H.: *,s.!.i,r.. r.L..{.
Cota. i.l..d ?rotri.rr.r
