updating

.github/dependabot.yml

@@ -0,0 +1,18 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "daily"
+  - package-ecosystem: "maven"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    open-pull-requests-limit: 10
+    labels:
+    - dependencies

.github/workflows/codeql-analysis.yml

@@ -1,13 +1,15 @@
 name: "CodeQL"
 
+env: 
+  CODEQL_EXTRACTOR_JAVA_RUN_ANNOTATION_PROCESSORS: true
+
 on:
   push:
     branches: [ master ]
   pull_request:
     # The branches below must be a subset of the branches above
     branches: [ master ]
-  schedule:
-    - cron: '32 14 * * 0'
+  workflow_dispatch:
 
 jobs:
   analyze:
@@ -17,31 +19,35 @@ jobs:
       actions: read
       contents: read
       security-events: write
-
+    
     strategy:
       fail-fast: false
       matrix:
         language: [ 'java', 'javascript' ]
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@v6
       # Get full history for spotless ratchetFrom
       with:
         fetch-depth: 0
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v1
+      uses: github/codeql-action/init@v4
       with:
         languages: ${{ matrix.language }}
-        # queries: ./path/to/local/query, your-org/your-repo/queries@main
-
-    #- name: Autobuild
-    #  uses: github/codeql-action/autobuild@v1
+        queries: security-extended, security-experimental, security-and-quality
 
     - name: Build with Maven
       run: mvn -DskipTests=true install
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v1
+      uses: github/codeql-action/analyze@v4
+
+    - name: Upload Output
+      uses: actions/upload-artifact@v6
+      with:
+        name: ${{ matrix.language }} SARIF
+        path: ${{ runner.workspace }}/results/*.sarif
+

.github/workflows/maven.yaml

@@ -8,15 +8,16 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v6
       with:
         fetch-depth: 0
-    - name: Set up JDK 1.8
-      uses: actions/setup-java@v1
+    - name: Set up JDK 17
+      uses: actions/setup-java@v5
       with:
-        java-version: 1.8
-    - name: Run spotless check
+        java-version: 17
+        distribution: zulu
+    - name: Run Spotless check
       run: mvn spotless:check
-    - name: Run unit tests
-      run: mvn test
+    - name: Create WAR
+      run: mvn package
 

.gitignore

@@ -1,17 +1,20 @@
 .DS_Store
+.dccache
 .java-version
 .classpath
 .project
 .settings/
 .idea/
 *.iml
+.scannerwork/
 
 data/out.csv
+owasp-benchmark/
 reports/
-scripts/SonarQubeCredentials.sh
+src.zip
+src/main/resources/benchmark.properties
 target/
 testfiles/
 tools/Contrast/contrast.jar
 tools/Contrast/contrast.yaml
 tools/Contrast/working/
-

.mvn/extensions.xml

@@ -3,7 +3,7 @@
     <extension>
         <groupId>co.leantechniques</groupId>
         <artifactId>maven-buildtime-extension</artifactId>
-        <version>3.0.3</version>
+        <version>3.0.5</version>
     </extension>
 </extensions>
 

.mvn/jvm.config

@@ -0,0 +1,8 @@
+--add-exports jdk.compiler/com.sun.tools.javac.tree=ALL-UNNAMED
+--add-opens java.base/java.lang=ALL-UNNAMED
+
+--add-exports=jdk.compiler/com.sun.tools.javac.api=ALL-UNNAMED
+--add-exports=jdk.compiler/com.sun.tools.javac.code=ALL-UNNAMED
+--add-exports=jdk.compiler/com.sun.tools.javac.file=ALL-UNNAMED
+--add-exports=jdk.compiler/com.sun.tools.javac.parser=ALL-UNNAMED
+--add-exports=jdk.compiler/com.sun.tools.javac.util=ALL-UNNAMED

DevStyleXml.prefs

@@ -2,4 +2,5 @@ eclipse.preferences.version=1
 indentationChar=space
 indentationSize=4
 lineWidth=999
-formatCommentJoinLines=false
+formatCommentJoinLines=true
+

README.md

@@ -1,6 +1,12 @@
-# OWASP Benchmark
-The OWASP Benchmark Project is a Java test suite designed to verify the speed and accuracy of vulnerability detection tools. It is a fully runnable open source web application that can be analyzed by any type of Application Security Testing (AST) tool, including SAST, DAST (like <a href="https://owasp.org/www-project-zap">OWASP ZAP</a>), and IAST tools. The intent is that all the vulnerabilities deliberately included in and scored by the Benchmark are actually exploitable so its a fair test for any kind of application vulnerability detection tool. The Benchmark also includes scorecard generators for numerous open source and commercial AST tools, and the set of supported tools is growing all the time.
+# OWASP Benchmark for Java
+The OWASP Benchmark Project is a Java test suite designed to verify the speed and accuracy of vulnerability detection tools. It is a fully runnable open source web application that can be analyzed by any type of Application Security Testing (AST) tool, including SAST, DAST (like <a href="https://www.zaproxy.org/">ZAP</a>), and IAST tools. The intent is that all the vulnerabilities deliberately included in and scored by the Benchmark are actually exploitable so it's a fair test for any kind of application vulnerability detection tool.
+
+The Benchmark project also includes scorecard generators for numerous open source and commercial AST tools, and the set of supported tools is growing all the time. This scoring capability is implemented in the BenchmarkUtils project, which is at: https://github.com/OWASP/BenchmarkUtils.
 
 The project documentation is all on the OWASP site at the <a href="https://owasp.org/www-project-benchmark">OWASP Benchmark</a> project pages. Please refer to that site for all the project details.
 
-The current latest release is v1.2. Note that all the releases that are available here: https://github.com/OWASP/Benchmark/releases are historical. The latest release is always available live by simply cloning or pulling the head of this repository (i.e., git pull).
+The current latest release is v1.2. Note that all the releases that are available here: https://github.com/OWASP/BenchmarkJava/releases, are historical. The latest release is always available live by simply cloning or pulling the head of this repository (i.e., git pull).
+
+Running Benchmark Itself:
+* runBenchmark.sh - run the Benchmark Web Application (accessible via local machine only)
+* runRemoteAccessibleBenchmark.sh - like the above but allows port 8443 to be accessible outside the machine Benchmark is running on.

VMs/Dockerfile

@@ -1,12 +1,12 @@
-# This dockerfile builds a container that pulls down and runs the latest version of Benchmark
+# This dockerfile builds a container that pulls down and runs the latest version of BenchmarkJava
 FROM ubuntu:latest
 MAINTAINER "Dave Wichers [email protected]"
 
 RUN apt-get update
 RUN DEBIAN_FRONTEND="noninteractive" apt-get -y install tzdata
 RUN apt-get install -q -y \
-     openjdk-8-jre-headless \
-     openjdk-8-jdk \
+     openjdk-17-jre-headless \
+     openjdk-17-jdk \
      git \
      maven \
      wget \
@@ -15,7 +15,19 @@ RUN apt-get install -q -y \
 
 RUN mkdir /owasp
 WORKDIR /owasp
+
+# Download, build, install Benchmark Utilities required by crawler and scorecard generation
+RUN git clone https://github.com/OWASP-Benchmark/BenchmarkUtils.git
+WORKDIR /owasp/BenchmarkUtils
+RUN mvn install
+
+# Download, build BenchmarkJava
+WORKDIR /owasp
 RUN git clone https://github.com/OWASP-Benchmark/BenchmarkJava
+
+# Workaround for security fix for CVE-2022-24765
+RUN git config --global --add safe.directory /owasp/BenchmarkJava
+
 WORKDIR /owasp/BenchmarkJava
 RUN mvn clean package cargo:install
 
@@ -25,3 +37,8 @@ RUN echo bench:bench | chpasswd
 RUN chown -R bench /owasp/
 ENV PATH /owasp/BenchmarkJava:$PATH
 
+# start up Benchmark once, for 60 seconds, then kill it, so the additional dependencies required to run it are downloaded/cached in the image as well.
+# exit 0 is required to return a 'success' code, otherwise the timeout returns a failure code, causing the Docker build to fail.
+WORKDIR /owasp/BenchmarkJava
+RUN timeout 60 ./runBenchmark.sh; exit 0
+

VMs/buildDockerImage.sh

@@ -1,13 +1,13 @@
-# Pull in latest version of ubuntu
+# Pull in latest version of ubuntu. This builds an image using the OS native to this platform.
 docker pull ubuntu:latest
-# Remove any ubuntu:<none> image if it was left behind by a new version of ubunto:latest being pulled
+# Remove any ubuntu:<none> image if it was left behind by a new version of ubuntu:latest being pulled
 i=$(docker images | grep "ubuntu" | grep "<none" | awk '{print $3}')
 if [ "$i" ]
 then
   docker rmi $i
 fi
 
-# Since Docker doesn't auto delete anything, just like for the Ubunto update, delete any existing benchmark:latest image before building a new one
+# Since Docker doesn't auto delete anything, just like for the Ubuntu update, delete any existing benchmark:latest image before building a new one
 docker image rm benchmark:latest
 docker build -t benchmark .
 

createScorecards.bat

@@ -1,4 +1,3 @@
 # source "scripts/verifyBenchmarkPluginAvailable.sh" - Don't have .bat version of this (yet)
-#mvn -Djava.awt.headless=true org.owasp:benchmarkutils-maven-plugin:create-scorecard -DconfigFile=config/score_v1.3config.yaml
 call mvn -Djava.awt.headless=true org.owasp:benchmarkutils-maven-plugin:create-scorecard
 

createScorecards.sh

@@ -1,4 +1,3 @@
 source "scripts/verifyBenchmarkPluginAvailable.sh"
-#mvn -Djava.awt.headless=true org.owasp:benchmarkutils-maven-plugin:create-scorecard -DconfigFile=config/score_v1.3config.yaml
-mvn -Djava.awt.headless=true org.owasp:benchmarkutils-maven-plugin:create-scorecard
+MAVEN_OPTS="-Xmx8G" mvn -Djava.awt.headless=true org.owasp:benchmarkutils-maven-plugin:create-scorecard