diff --git a/pom.xml b/pom.xml
index 5bd6319336..fbd8091894 100755
--- a/pom.xml
+++ b/pom.xml
@@ -32,7 +32,7 @@
-
+
benchmarkscore
@@ -300,7 +300,214 @@
-
+
+
+ deploywseeker
+
+ true
+ -javaagent:${basedir}/tools/seeker/seeker-agent.jar
+ -Dseeker.server.url=https://server.example.com:8888
+ -Dseeker.project.key=Benchmark
+
+
+
+
+ maven-antrun-plugin
+ 1.7
+
+
+ ldap-server
+ package
+
+ run
+
+
+
+
+
+
+
+
+
+
+ database-server
+ package
+
+ run
+
+
+
+
+
+
+
+
+
+
+ database-init
+ package
+
+ run
+
+
+
+
+
+
+
+
+
+
+
+
+ org.codehaus.cargo
+ cargo-maven2-plugin
+ 1.6.0
+
+
+ 300000
+ tomcat8x
+
+ http://archive.apache.org/dist/tomcat/tomcat-8/v8.0.38/bin/apache-tomcat-8.0.38.zip
+
+
+
+
+
+ ${basedir}/src/config/local/server.xml
+ conf
+ true
+
+
+ ${basedir}/src/config/local/context.xml
+ conf
+ true
+
+
+
+
+ ${seeker.javaagent} ${seeker.server.url} ${seeker.project.key} -Xss2m
+
+ 8443
+ https
+ false
+ TLS
+ ../../../../.keystore
+ changeit
+ tomcat
+ true
+
+
+
+
+
+
+
+
+
+ deploywcxiast
+
+ true
+
+
+
+
+ maven-antrun-plugin
+
+
+ ldap-server
+ package
+
+ run
+
+
+
+
+
+
+
+
+
+
+ database-server
+ package
+
+ run
+
+
+
+
+
+
+
+
+
+
+ database-init
+ package
+
+ run
+
+
+
+
+
+
+
+
+
+
+
+
+ org.codehaus.cargo
+ cargo-maven2-plugin
+
+
+ 300000
+ tomcat${tomcat.major.version}x
+
+ ${tomcat.url}
+
+
+
+ -XX:MaxPermSize=6G -Xms1G –Xmx8G
+
+
+
+
+ ${basedir}/src/config/local/server.xml
+ conf
+ true
+
+
+ ${basedir}/src/config/local/context.xml
+ conf
+ true
+
+
+
+
+ -Xmx4G
+ -javaagent:${basedir}/tools/CxIAST/cx-launcher.jar
+ -Diast.home=${basedir}/tools/CxIAST/
+ -Xverify:none
+
+ 8443
+ https
+ false
+ TLS
+ ../../../../.keystore
+ changeit
+ tomcat
+ true
+
+
+
+
+
+
+
+
deploywhcl
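Review bot: The Tomcat JVM option string on L181 (`-XX:MaxPermSize=6G -Xms1G –Xmx8G`) ends with `–Xmx8G` written with an en-dash (U+2013) instead of an ASCII hyphen, so the JVM will reject it or treat it as a program argument and the heap cap is never applied; change it to `-Xmx8G`. In the same deploywcxiast profile `-Xmx4G` appears again on L198 among the agent arguments, so two heap limits are passed and the effective one depends on which the JVM sees last — keep one. `-XX:MaxPermSize=6G` is ignored with a warning on Java 8 and later, and since the Tomcat version here is taken from `${tomcat.major.version}` it is probably dead. `-Xverify:none` on L201 disables bytecode verification for the whole Tomcat JVM; if the agent requires it, record that in an XML comment next to the flag so it is not copied into other profiles unknowingly. The element tags are not visible in this rendering, so which cargo property each of these lines belongs to is inferred.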
@@ -495,7 +702,7 @@ But it requires getting all the Log4j2 stuff configured right, and haven't done
1.5.7
-
org.apache.directory.shared
diff --git a/src/main/java/org/owasp/benchmark/score/BenchmarkScore.java b/src/main/java/org/owasp/benchmark/score/BenchmarkScore.java
index da5cce72fe..f09743619e 100644
--- a/src/main/java/org/owasp/benchmark/score/BenchmarkScore.java
+++ b/src/main/java/org/owasp/benchmark/score/BenchmarkScore.java
@@ -645,12 +645,13 @@ private static TestResults readActualResults(File fileToParse) throws Exception
TestResults tr = null;
if ( filename.endsWith( ".csv" ) ) {
- if( filename.startsWith( "CxIAST") ) {
- tr = new CheckmarxIASTReader().parse(fileToParse);
- } else {
+ String line1 = getLine( fileToParse, 0 );
+ if ( line1.contains("CheckerKey") && line1.contains("LastDetectionURL") ) {
tr = new SeekerReader().parse(fileToParse);
- }
- }
+ } else if ( line1.contains("CWE") && line1.contains("URL") ) {
+ tr = new CheckmarxIASTReader().parse(fileToParse);
+ } else System.out.println("Error: No matching parser found for CSV file: " + filename);
+ }
else if ( filename.endsWith( ".ozasmt" ) ) {
tr = new AppScanSourceReader().parse( fileToParse );
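Review bot: The new `else System.out.println("Error: No matching parser found for CSV file: " + filename);` on L241 is the only unbraced branch in this method and is immediately followed by a closing brace on its own line, which makes the nesting easy to misread; brace it like the other branches (`} else {` / `System.out.println(...)` / `}`). The same unbraced form is added for the JSON case in the next hunk (L250). Both error paths leave `tr` null and print to stdout rather than stderr, so the failure can disappear into normal output; the rest of readActualResults is outside the hunk, so whether a null `tr` is handled by the caller cannot be seen here. The Seeker test is placed before the CxIAST test, and a Seeker header containing `LastDetectionURL` also satisfies `contains("URL")`, so if that header also carries a CWE column the order is load-bearing — a comment such as `// Seeker headers also match the CxIAST test; check the more specific signature first` would protect it.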
@@ -666,7 +667,7 @@ else if ( filename.endsWith( ".json" ) ) {
tr = new CoverityReader().parse( fileToParse );
} else if ( line2.contains("Vendor") && line2.contains("Checkmarx") ) {
tr = new CheckmarxESReader().parse( fileToParse );
- }
+ } else System.out.println("Error: No matching parser found for JSON file: " + filename);
}
else if ( filename.endsWith( ".sarif" ) ) {
@@ -1437,4 +1438,4 @@ private static Document getXMLDocument( File f ) throws Exception {
return doc;
}
-}
\ No newline at end of file
+}
diff --git a/src/main/java/org/owasp/benchmark/score/parsers/CheckmarxIASTReader.java b/src/main/java/org/owasp/benchmark/score/parsers/CheckmarxIASTReader.java
index f787efd29c..872d5dc658 100644
--- a/src/main/java/org/owasp/benchmark/score/parsers/CheckmarxIASTReader.java
+++ b/src/main/java/org/owasp/benchmark/score/parsers/CheckmarxIASTReader.java
@@ -46,28 +46,28 @@ private static int cweLookup(String checkerKey)
case "CORS":
return 346; // CORS
case "CSRF":
- return 352; // CSRF
+ return 352; // CSRF
case "Debug_Mode_Enabled":
return 215; // Debug_Mode_Enabled
case "Deserialize_Vulnerability":
- return 502; // Deserialize_Vulnerability
+ return 502; // Deserialize_Vulnerability
case "Failed_Login_Without_Audit":
return 778; // Failed_Login_Without_Audit
case "File_Upload_To_Unprotected_Directory":
- return 434; // File_Upload_To_Unprotected_Directory
+ return 434; // File_Upload_To_Unprotected_Directory
case "Improper_HTTP_Get_Usage":
- return 650; // Improper_HTTP_Get_Usage
+ return 650; // Improper_HTTP_Get_Usage
case "Insecure_Cookie":
case "Session_Id_Disclosure": //CxIAST does not define but it is same as Insecure_Cookie YE
return 614; // Insecure_Cookie
case "Insecure_Outgoing_Communication":
return 311; // Insecure_Outgoing_Communication
case "Insufficient_Session_Expiration":
- return 613; // Insufficient_Session_Expiration
+ return 613; // Insufficient_Session_Expiration
case "LDAP_Injection":
- return 90; // LDAP_Injection
+ return 90; // LDAP_Injection
case "Least_Privilege_Violation":
- return 250; // Least_Privilege_Violation
+ return 250; // Least_Privilege_Violation
case "Log_Forging":
return 117;
case "Missing_X_Content_Type_Options_Header":
@@ -149,7 +149,7 @@ public TestResults parse(File f) throws Exception
//"BenchmarkTest00000" - "BenchmarkTest99999"
tcr.setNumber(Integer.parseInt(testCase.substring(testCase.length()-5, testCase.length())));
if (tcr.getCWE() != 0)
- {
+ {
tr.put(tcr);
}
// System.out.println(testCase+" "+tcr.getCWE()+" "+tcr.getCategory()); // For debugging YE
diff --git a/tools/Contrast/readme.txt b/tools/Contrast/readme.txt
index 19b6fadaa2..fd43a987d3 100644
--- a/tools/Contrast/readme.txt
+++ b/tools/Contrast/readme.txt
@@ -1,4 +1,4 @@
-DISCLAIMER: OWASP does not endorse any commercial tools, including this one. Benchmark support for this tool is simply for user convienience and should not be considered an endorsement of this tool.
+DISCLAIMER: OWASP does not endorse any commercial tools, including this one. Benchmark support for this tool is simply for user convenience and should not be considered an endorsement of this tool.
Contrast is a commercial tool. If you are interested in running Contrast on the Benchmark, you'll have to get a license for it from the vendor just like you would for any commercial tool. Once you have it, you need to place the contrast.jar file in this directory in order to run the Benchmark with Contrast using one of the runBenchmark_wContrast scripts, and then crawl the Benchmark to generate scan results with one of the runCrawler scripts.
diff --git a/tools/CxIAST/readme.txt b/tools/CxIAST/readme.txt
new file mode 100644
index 0000000000..baf0599e18
--- /dev/null
+++ b/tools/CxIAST/readme.txt
@@ -0,0 +1,5 @@
+DISCLAIMER: OWASP does not endorse any commercial tools, including this one. Benchmark support for this tool is simply for user convenience and should not be considered an endorsement of this tool.
+
+Checkmarx IAST is a commercial tool. If you are interested in running Contrast on the Benchmark, you'll have to get a license for it from the vendor just like you would for any commercial tool. Once you have it, you need to unzip the cxiast-java-agent.zip file in this directory in order to run the Benchmark with Checkmarx IAST using one of the runBenchmark_wCxIAST scripts, and then crawl the Benchmark to generate scan results with one of the runCrawler scripts.
+
+See the Tool Scanning Tips page at OWASP (https://www.owasp.org/index.php/Benchmark#tab=Tool_Scanning_Tips) for the latest instructions on how to scan the Benchmark with any vulnerability detection tool, including Checkmarx IAST.
diff --git a/tools/CxIAST/runBenchmark_wCxIAST.bat b/tools/CxIAST/runBenchmark_wCxIAST.bat
new file mode 100644
index 0000000000..cfedddb160
--- /dev/null
+++ b/tools/CxIAST/runBenchmark_wCxIAST.bat
@@ -0,0 +1,28 @@
+@ECHO OFF
+IF EXIST .\cx-launcher.jar (
+ IF EXIST .\iast_cache (
+ rmdir /q /s .\iast_cache
+
+ IF EXIST .\logs (
+ rmdir /q /s .\logs
+ )
+
+ ECHO ""
+
+ ECHO Previous Checkmarx IAST results have been removed
+
+ ECHO ""
+ )
+ CD ..\..
+
+ CALL mvn clean package cargo:run -Pdeploywcxiast
+
+ CD tools\CxIAST
+
+) ELSE (
+ ECHO Checkmarx IAST is a commercial product, so you need a licensed version of Checkmarx IAST in order to run it on the Benchmark. If you have access to Checkmarx IAST and want to run the Benchmark against it you will have to:
+ ECHO * download the CxIAST Agent for Java ^(cxiast-java-agent.zip^) from the Server;
+ ECHO * put it into the /tools/CxIAST folder;
+ ECHO * unzip it; and then
+ ECHO * rerun this script.
+)
diff --git a/tools/CxIAST/runBenchmark_wCxIAST.sh b/tools/CxIAST/runBenchmark_wCxIAST.sh
new file mode 100644
index 0000000000..48d27de0f1
--- /dev/null
+++ b/tools/CxIAST/runBenchmark_wCxIAST.sh
@@ -0,0 +1,35 @@
+#!/bin/sh
+
+if [ -f ./cx-launcher.jar ]; then
+
+ if [ -d ./iast_cache ]; then
+
+ rm -r ./iast_cache
+
+ if [ -d ./logs ]; then
+
+ rm -r ./logs
+
+ fi
+
+ echo ""
+ echo "Previous Checkmarx IAST results in tools/CxIAST removed"
+ echo ""
+
+ fi
+
+ cd ../..
+ chmod 755 target/classes/insecureCmd.sh
+ mvn clean package cargo:run -Pdeploywcxiast
+
+ echo "Download Checkmarx IAST report to results directory"
+
+else
+
+ echo "Checkmarx IAST is a commercial product, so you need a licensed version of Checkmarx IAST in order to run it on the Benchmark. If you have access to Checkmarx IAST and want to run the Benchmark against it you will have to:
+ * download the CxIAST Agent for Java (cxiast-java-agent.zip) from the Server;
+ * put it into the /tools/CxIAST folder;
+ * unzip it; and then
+ * rerun this script."
+
+fi
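Review bot: `chmod 755 target/classes/insecureCmd.sh` on L388 runs immediately before `mvn clean package cargo:run` on L389, and `clean` deletes and rebuilds `target/`, so the permission change is discarded before the container starts and the command prints an error on a fresh checkout where the file does not yet exist; if the script must be executable, set the mode in the Maven resource or plugin configuration, or at least guard the call with `[ -f target/classes/insecureCmd.sh ] &&`. `cd ../..` on L387 is unchecked; if it fails the `mvn` invocation runs in the wrong directory — write it as `cd ../.. || exit 1`. If these lines were copied from the other runBenchmark scripts, the same applies there, but only this file is visible in the diff.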
diff --git a/tools/seeker/readme.txt b/tools/seeker/readme.txt
new file mode 100644
index 0000000000..0738841088
--- /dev/null
+++ b/tools/seeker/readme.txt
@@ -0,0 +1,5 @@
+DISCLAIMER: OWASP does not endorse any commercial tools, including this one. Benchmark support for this tool is simply for user convenience and should not be considered an endorsement of this tool.
+
+Seeker is a commercial tool. If you are interested in running Seeker on the Benchmark, you'll have to get a license for it from the vendor just like you would for any commercial tool. Once you have it, you need to unzip the seeker-JAVA-agent.zip file in this directory in order to run the Benchmark with Seeker using one of the runBenchmark_wSeeker scripts, and then crawl the Benchmark to generate scan results with one of the runCrawler scripts.
+
+See the Tool Scanning Tips page at OWASP (https://www.owasp.org/index.php/Benchmark#tab=Tool_Scanning_Tips) for the latest instructions on how to scan the Benchmark with any vulnerability detection tool, including Seeker.
diff --git a/tools/seeker/runBenchmark_wSeeker.bat b/tools/seeker/runBenchmark_wSeeker.bat
new file mode 100644
index 0000000000..7ecab92e7f
--- /dev/null
+++ b/tools/seeker/runBenchmark_wSeeker.bat
@@ -0,0 +1,17 @@
+@ECHO OFF
+IF EXIST .\seeker-agent.jar (
+
+ CD ..\..
+
+ CALL mvn clean package cargo:run -Pdeploywseeker
+
+ CD tools\Seeker
+
+) ELSE (
+ ECHO Seeker is a commercial product, so you need a licensed version of Seeker in order to run it on the Benchmark.
+ ECHO * download the CxIAST Agent for Java ^(cxiast-java-agent.zip^) from the Server;
+ ECHO * put it into the /tools/CxIAST folder;
+ ECHO * unzip it;
+ ECHO * update pom.xml ^(deploywseeker section, seeker.server.url^); and then
+ ECHO * rerun this script.
+)
diff --git a/tools/seeker/runBenchmark_wSeeker.sh b/tools/seeker/runBenchmark_wSeeker.sh
new file mode 100644
index 0000000000..968bcc46cf
--- /dev/null
+++ b/tools/seeker/runBenchmark_wSeeker.sh
@@ -0,0 +1,26 @@
+#!/bin/sh
+
+if [ -f ./seeker-agent.jar ]; then
+
+ echo ""
+ echo "Previous Seeker results in tools/seeker removed"
+ echo ""
+
+ fi
+
+ cd ../..
+ chmod 755 target/classes/insecureCmd.sh
+ mvn clean package cargo:run -Pdeploywseeker
+
+ echo "Download Seeker report to results directory"
+
+else
+
+ echo "Checkmarx IAST is a commercial product, so you need a licensed version of Checkmarx IAST in order to run it on the Benchmark. If you have access to Checkmarx IAST and want to run the Benchmark against it you will have to:
+ * download the CxIAST Agent for Java (cxiast-java-agent.zip) from the Server;
+ * put it into the /tools/CxIAST folder;
+ * unzip it;
+ * update pom.xml (deploywseeker section, seeker.server.url); and then
+ * rerun this script."
+
+fi
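Review bot: The `fi` on L450 closes the `if [ -f ./seeker-agent.jar ]` opened on L444, so `cd ../..`, the `chmod` and `mvn ... cargo:run` (L452–L454) run whether or not the agent jar exists, and the `else` on L458 then has no open `if`, which the shell reports as a syntax error; delete the stray `fi` on L450 (it is left over from the iast_cache cleanup block the CxIAST script has and this one does not). With that block gone, the `echo "Previous Seeker results in tools/seeker removed"` on L447 reports a cleanup that never happens; either drop the three echo lines or restore the cleanup. The else-branch message (L460–L464) still talks about Checkmarx IAST and `/tools/CxIAST`; it should name Seeker, `seeker-JAVA-agent.zip` and `/tools/seeker`, matching the jar this script actually checks for.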