From 59339f2ead8a227a2987708f2ee6e94dafdb1424 Mon Sep 17 00:00:00 2001
From: Grant Ongers
Date: Fri, 6 Mar 2020 16:19:41 +0000
Subject: [PATCH 01/10] Corrected spelling.
---
 tools/Contrast/readme.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/Contrast/readme.txt b/tools/Contrast/readme.txt
index 19b6fadaa2..fd43a987d3 100644
--- a/tools/Contrast/readme.txt
+++ b/tools/Contrast/readme.txt
@@ -1,4 +1,4 @@
-DISCLAIMER: OWASP does not endorse any commercial tools, including this one. Benchmark support for this tool is simply for user convienience and should not be considered an endorsement of this tool.
+DISCLAIMER: OWASP does not endorse any commercial tools, including this one. Benchmark support for this tool is simply for user convenience and should not be considered an endorsement of this tool.
 Contrast is a commercial tool. If you are interested in running Contrast on the Benchmark, you'll have to get a license for it from the vendor just like you would for any commercial tool. Once you have it, you need to place the contrast.jar file in this directory in order to run the Benchmark with Contrast using one of the runBenchmark_wContrast scripts, and then crawl the Benchmark to generate scan results with one of the runCrawler scripts.
From 68418cf3d0262e6101271262be85c5297647a2e8 Mon Sep 17 00:00:00 2001
From: Grant Ongers
Date: Fri, 6 Mar 2020 16:29:44 +0000
Subject: [PATCH 02/10] Added Seeker config and runners to Benchmark
---
 pom.xml | 111 +++++++++++++++++++++++++-
 tools/seeker/readme.txt | 5 ++
 tools/seeker/runBenchmark_wSeeker.bat | 16 ++++
 tools/seeker/runBenchmark_wSeeker.sh | 29 +++++++
 4 files changed, 157 insertions(+), 4 deletions(-)
 create mode 100644 tools/seeker/readme.txt
 create mode 100644 tools/seeker/runBenchmark_wSeeker.bat
 create mode 100644 tools/seeker/runBenchmark_wSeeker.sh
diff --git a/pom.xml b/pom.xml
index 5bd6319336..8eb75f8189 100755
--- a/pom.xml
+++ b/pom.xml
@@ -32,7 +32,7 @@ - + benchmarkscore
@@ -300,7 +300,110 @@ - + + + deploywseeker + + true + -javaagent:${basedir}/tools/seeker/seeker-agent.jar + -Dseeker.server.url=https://server.example.com:8888 + -Dseeker.project.key=Benchmark + + + + + maven-antrun-plugin + 1.7 + + + ldap-server + package + + run + + + + + + + + + + + database-server + package + + run + + + + + + + + + + + database-init + package + + run + + + + + + + + + + + + + org.codehaus.cargo + cargo-maven2-plugin + 1.6.0 + + + 300000 + tomcat8x + + http://archive.apache.org/dist/tomcat/tomcat-8/v8.0.38/bin/apache-tomcat-8.0.38.zip + + + + + + ${basedir}/src/config/local/server.xml + conf + true + + + ${basedir}/src/config/local/context.xml + conf + true + + + + + ${seeker.javaagent} ${seeker.server.url} ${seeker.project.key} -Xss2m + + 8443 + https + false + TLS + ../../../../.keystore + changeit + tomcat + true + + + + + + + + deploywhcl @@ -495,7 +598,7 @@ But it requires getting all the Log4j2 stuff configured right, and haven't done 1.5.7 - org.apache.directory.shared diff --git a/tools/seeker/readme.txt b/tools/seeker/readme.txt new file mode 100644 index 0000000000..0738841088 --- /dev/null +++ b/tools/seeker/readme.txt 
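Review bot: The `deploywseeker` profile hard-codes the Seeker connection as `-Dseeker.server.url=https://server.example.com:8888` and `-Dseeker.project.key=Benchmark` inside pom.xml, so the run scripts have to tell every user to edit the POM; since a `-D` user property given on the mvn command line takes precedence over a POM-defined property, the readme could instead document `mvn clean package cargo:run -Pdeploywseeker -Dseeker.server.url=https://<your-seeker-server>` and leave the placeholder untouched. The profile also pins `tomcat8x`, a fixed `apache-tomcat-8.0.38.zip` download URL and `cargo-maven2-plugin` 1.6.0, whereas the `deploywcxiast` profile added in the next patch uses `${tomcat.major.version}` and `${tomcat.url}`; the two profiles should agree so the Tomcat version is controlled in one place (element names are inferred here, as the XML tags were stripped in this rendering).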
@@ -0,0 +1,5 @@
+DISCLAIMER: OWASP does not endorse any commercial tools, including this one. Benchmark support for this tool is simply for user convenience and should not be considered an endorsement of this tool.
+
+Seeker is a commercial tool. If you are interested in running Seeker on the Benchmark, you'll have to get a license for it from the vendor just like you would for any commercial tool. Once you have it, you need to unzip the seeker-JAVA-agent.zip file in this directory in order to run the Benchmark with Seeker using one of the runBenchmark_wSeeker scripts, and then crawl the Benchmark to generate scan results with one of the runCrawler scripts.
+
+See the Tool Scanning Tips page at OWASP (https://www.owasp.org/index.php/Benchmark#tab=Tool_Scanning_Tips) for the latest instructions on how to scan the Benchmark with any vulnerability detection tool, including Seeker.
diff --git a/tools/seeker/runBenchmark_wSeeker.bat b/tools/seeker/runBenchmark_wSeeker.bat
new file mode 100644
index 0000000000..7cc0d55e57
--- /dev/null
+++ b/tools/seeker/runBenchmark_wSeeker.bat
@@ -0,0 +1,16 @@
+@ECHO OFF
+IF EXIST .\seeker-agent.jar (
+ CD ..\..
+
+ CALL mvn clean package cargo:run -Pdeploywseeker
+
+ CD tools\Seeker
+
+) ELSE (
+ ECHO Seeker is a commercial product, so you need a licensed version of Seeker in order to run it on the Benchmark.
+ ECHO * download the CxIAST Agent for Java (cxiast-java-agent.zip) from the Server;
+ ECHO * put it into the /tools/CxIAST folder;
+ ECHO * unzip it;
+ ECHO * update pom.xml (deploywseeker section, seeker.server.url); and then
+ ECHO * rerun this script.
+)
diff --git a/tools/seeker/runBenchmark_wSeeker.sh b/tools/seeker/runBenchmark_wSeeker.sh
new file mode 100644
index 0000000000..380334a542
--- /dev/null
+++ b/tools/seeker/runBenchmark_wSeeker.sh
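Review bot: The ELSE branch of runBenchmark_wSeeker.bat still carries the Checkmarx instructions: it tells the user to download the `CxIAST Agent for Java (cxiast-java-agent.zip)` and put it into `/tools/CxIAST`, while the script itself looks for `.\seeker-agent.jar` in tools/seeker. The runBenchmark_wSeeker.sh hunk in this commit has the same copy-paste and its message even opens with "Checkmarx IAST is a commercial product", and the escaping hunk for this file in patch 04 keeps the wrong wording too. The lines should name the Seeker agent and this directory, e.g. `ECHO * download the Seeker Java agent from your Seeker server;` and `ECHO * put it into the /tools/seeker folder;`, and the readme's `seeker-JAVA-agent.zip` and the script's `seeker-agent.jar` should be reconciled so both describe the same file.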
@@ -0,0 +1,29 @@
+#!/bin/sh
+
+if [ -f ./seeker-agent.jar ]; then
+
+ if [ -d ./working ]; then
+
+ rm -r ./working/cache
+ echo ""
+ echo "Previous Seeker results in tools/seeker removed"
+ echo ""
+
+ fi
+
+ cd ../..
+ chmod 755 target/classes/insecureCmd.sh
+ mvn clean package cargo:run -Pdeploywseeker
+
+ echo "Download Seeker report to results directory"
+
+else
+
+ echo "Checkmarx IAST is a commercial product, so you need a licensed version of Checkmarx IAST in order to run it on the Benchmark. If you have access to Checkmarx IAST and want to run the Benchmark against it you will have to:
+ * download the CxIAST Agent for Java (cxiast-java-agent.zip) from the Server;
+ * put it into the /tools/CxIAST folder;
+ * unzip it;
+ * update pom.xml (deploywseeker section, seeker.server.url); and then
+ * rerun this script."
+
+fi
From b42ceb7d7709e55228a2d0389feca00301eeb677 Mon Sep 17 00:00:00 2001
From: Grant Ongers
Date: Fri, 6 Mar 2020 16:31:11 +0000
Subject: [PATCH 03/10] Added CHeckmarx IAST config and runners to Benchmark
---
 pom.xml | 104 ++++++++++++++++++
 .../owasp/benchmark/score/BenchmarkScore.java | 10 +-
 .../score/parsers/CheckmarxIASTReader.java | 68 ++++++++++++
 tools/CxIAST/readme.txt | 5 +
 tools/CxIAST/runBenchmark_wCxIAST.bat | 15 +++
 tools/CxIAST/runBenchmark_wCxIAST.sh | 28 +++++
 6 files changed, 228 insertions(+), 2 deletions(-)
 create mode 100644 src/main/java/org/owasp/benchmark/score/parsers/CheckmarxIASTReader.java
 create mode 100644 tools/CxIAST/readme.txt
 create mode 100644 tools/CxIAST/runBenchmark_wCxIAST.bat
 create mode 100644 tools/CxIAST/runBenchmark_wCxIAST.sh
diff --git a/pom.xml b/pom.xml
index 8eb75f8189..fbd8091894 100755
--- a/pom.xml
+++ b/pom.xml
@@ -404,6 +404,110 @@ + + deploywcxiast + + true + + + + + maven-antrun-plugin + + + ldap-server + package + + run + + + + + + + + + + + database-server + package + + run + + + + + + + + + + + database-init + package + + run + + + + + + + + + + + + + org.codehaus.cargo + cargo-maven2-plugin + + + 300000 + tomcat${tomcat.major.version}x + + ${tomcat.url} + + + + -XX:MaxPermSize=6G -Xms1G –Xmx8G + + + + + ${basedir}/src/config/local/server.xml + conf + true + + + ${basedir}/src/config/local/context.xml + conf + true + + + + + -Xmx4G + -javaagent:${basedir}/tools/CxIAST/cx-launcher.jar + -Diast.home=${basedir}/tools/CxIAST/ + -Xverify:none + + 8443 + https + false + TLS + ../../../../.keystore + changeit + tomcat + true + + + + + + + + deploywhcl diff --git a/src/main/java/org/owasp/benchmark/score/BenchmarkScore.java b/src/main/java/org/owasp/benchmark/score/BenchmarkScore.java index e37599de64..a5cb493137 100644 --- a/src/main/java/org/owasp/benchmark/score/BenchmarkScore.java +++ b/src/main/java/org/owasp/benchmark/score/BenchmarkScore.java @@ -58,6 +58,7 @@ import org.owasp.benchmark.score.parsers.CASTAIPReader; import org.owasp.benchmark.score.parsers.CheckmarxESReader; import org.owasp.benchmark.score.parsers.CheckmarxReader; +import org.owasp.benchmark.score.parsers.CheckmarxIASTReader; import org.owasp.benchmark.score.parsers.ContrastReader; import org.owasp.benchmark.score.parsers.Counter; import org.owasp.benchmark.score.parsers.CoverityReader; 
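Review bot: The JVM-argument string `-XX:MaxPermSize=6G -Xms1G –Xmx8G` in the `deploywcxiast` profile uses an en dash (U+2013) before `Xmx8G` instead of a hyphen, so the JVM will not recognise it as an option; it should read `-Xmx8G`. The same profile also passes `-Xmx4G` next to the `-javaagent:${basedir}/tools/CxIAST/cx-launcher.jar` line, so two different heap limits are configured (the XML tags are stripped in this rendering, so which element each belongs to is inferred); pick one. `-Xverify:none` switches off bytecode verification for the whole Tomcat JVM and `-XX:MaxPermSize` is ignored on Java 8+, so a short comment such as `<!-- -Xverify:none: classes instrumented by the agent are not verified; CxIAST profile only -->` would record why the flag is there and keep it from being copied into the other deploy profiles.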
@@ -644,13 +645,18 @@ private static TestResults readActualResults(File fileToParse) throws Exception
 TestResults tr = null;
 if ( filename.endsWith( ".csv" ) ) {
- tr = new SeekerReader().parse(fileToParse);
+ String line1 = getLine( fileToParse, 0 );
+ if ( line2.contains("CheckerKey") && line2.contains("LastDetectionURL") ) {
+ tr = new SeekerReader().parse(fileToParse);
+ } else if ( line2.contains("CWE") && line2.contains("URL") ) {
+ tr = new CheckmarxIASTReader().parse(fileToParse);
+ }
 }
 else if ( filename.endsWith( ".ozasmt" ) ) {
 tr = new AppScanSourceReader().parse( fileToParse );
 }
-
+
 else if ( filename.endsWith( ".faast" ) ) {
 tr = new FaastReader().parse( fileToParse );
 }
diff --git a/src/main/java/org/owasp/benchmark/score/parsers/CheckmarxIASTReader.java b/src/main/java/org/owasp/benchmark/score/parsers/CheckmarxIASTReader.java
new file mode 100644
index 0000000000..1dd80ad87b
--- /dev/null
+++ b/src/main/java/org/owasp/benchmark/score/parsers/CheckmarxIASTReader.java
@@ -0,0 +1,68 @@
+/**
+ * OWASP Benchmark Project
+ *

+ * This file is part of the Open Web Application Security Project (OWASP) + * Benchmark Project For details, please see + * https://www.owasp.org/index.php/Benchmark. + *

+ * The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms + * of the GNU General Public License as published by the Free Software Foundation, version 2. + *

+ * The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details
+ *
+ * @author Grant Ongers Secure Delivery
+ * @created 2020
+ */
+
+package org.owasp.benchmark.score.parsers;
+
+import org.apache.commons.csv.CSVFormat;
+import org.apache.commons.csv.CSVRecord;
+
+import java.io.File;
+
+public class CheckmarxIASTReader extends Reader
+{
+
+ public TestResults parse(File f) throws Exception
+ {
+ TestResults tr = new TestResults("Checkmarx CxIAST", true, TestResults.ToolType.IAST);
+
+ java.io.Reader inReader = new java.io.FileReader(f);
+ Iterable records = CSVFormat.RFC4180.withFirstRecordAsHeader().parse(inReader);
+ for (CSVRecord record : records)
+ {
+ String cwe = record.get("CWE");
+ String url = record.get("URL");
+
+ TestCaseResult tcr = new TestCaseResult();
+ try
+ {
+ if (url.length() >= 18)
+ {
+ String category = url.substring(1, url.indexOf("-"));
+ tcr.setNumber(Integer.parseInt(url.substring(url.indexOf("BenchmarkTest")+13, url.indexOf("BenchmarkTest")+18)));
+ if ( cwe.length() == 0 && category == "securecookie" ) tcr.setCWE(614); //CxIAST doesn't report on all 614
+ else if ( cwe.length() == 0 ) tcr.setCWE(0);
+ else tcr.setCWE(Integer.parseInt(cwe));
+ }
+ }
+ catch (NumberFormatException e)
+ {
+ System.out.println("> TParse error: " + record.toString());
+ }
+
+ if (tcr.getCWE() != 0)
+ {
+ tr.put(tcr);
+ }
+ }
+
+ tr.setTime("100");
+
+ return tr;
+ }
+
+}
diff --git a/tools/CxIAST/readme.txt b/tools/CxIAST/readme.txt
new file mode 100644
index 0000000000..baf0599e18
--- /dev/null
+++ b/tools/CxIAST/readme.txt
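Review bot: `category == "securecookie"` in CheckmarxIASTReader.parse compares object references, and `category` is the result of `substring`, so the branch that maps empty-CWE secure-cookie rows to 614 can never fire; it has to be `"securecookie".equals(category)`. In the same loop, `url.indexOf("-")` and `url.indexOf("BenchmarkTest")` are used as substring bounds without checking for -1, and the resulting `StringIndexOutOfBoundsException` is not caught by the `catch (NumberFormatException e)` below, so one URL that is not a Benchmark test-case URL aborts the whole parse rather than being skipped. The `java.io.FileReader` is never closed and reads with the platform default charset (if the CxIAST export is UTF-8, say so with an explicit charset), and `Iterable records` is a raw type unless the generics were lost in this rendering. The rewrite below wraps the reader in try-with-resources, guards the index arithmetic once per row, and fixes the comparison; the rest of the loop and the trailer are unchanged.

```java
 public TestResults parse(File f) throws Exception
 {
 TestResults tr = new TestResults("Checkmarx CxIAST", true, TestResults.ToolType.IAST);

 // try-with-resources: the reader was previously never closed
 try (java.io.Reader inReader = new java.io.FileReader(f))
 {
 Iterable<CSVRecord> records = CSVFormat.RFC4180.withFirstRecordAsHeader().parse(inReader);
 for (CSVRecord record : records)
 {
 String cwe = record.get("CWE");
 String url = record.get("URL");

 int dash = url.indexOf("-");
 int testIdx = url.indexOf("BenchmarkTest");
 // Skip rows whose URL is not a Benchmark test-case URL; the unguarded
 // substring() calls threw StringIndexOutOfBoundsException here, which the
 // NumberFormatException handler below does not catch.
 if (dash < 1 || testIdx < 0 || url.length() < testIdx + 18)
 {
 continue;
 }

 TestCaseResult tcr = new TestCaseResult();
 try
 {
 String category = url.substring(1, dash);
 tcr.setNumber(Integer.parseInt(url.substring(testIdx + 13, testIdx + 18)));
 // equals(), not ==: the substring result is never the same reference as the literal
 if ( cwe.isEmpty() && "securecookie".equals(category) ) tcr.setCWE(614); // CxIAST leaves CWE empty for these rows
 else if ( cwe.isEmpty() ) tcr.setCWE(0);
 else tcr.setCWE(Integer.parseInt(cwe));
 }
 catch (NumberFormatException e)
 {
 System.out.println("> TParse error: " + record.toString());
 }

 // … unchanged: tr.put(tcr) when tcr.getCWE() != 0 …
 }
 }

 // … unchanged: tr.setTime("100"); return tr; …
 }
```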
@@ -0,0 +1,5 @@
+DISCLAIMER: OWASP does not endorse any commercial tools, including this one. Benchmark support for this tool is simply for user convenience and should not be considered an endorsement of this tool.
+
+Checkmarx IAST is a commercial tool. If you are interested in running Contrast on the Benchmark, you'll have to get a license for it from the vendor just like you would for any commercial tool. Once you have it, you need to unzip the cxiast-java-agent.zip file in this directory in order to run the Benchmark with Checkmarx IAST using one of the runBenchmark_wCxIAST scripts, and then crawl the Benchmark to generate scan results with one of the runCrawler scripts.
+
+See the Tool Scanning Tips page at OWASP (https://www.owasp.org/index.php/Benchmark#tab=Tool_Scanning_Tips) for the latest instructions on how to scan the Benchmark with any vulnerability detection tool, including Checkmarx IAST.
diff --git a/tools/CxIAST/runBenchmark_wCxIAST.bat b/tools/CxIAST/runBenchmark_wCxIAST.bat
new file mode 100644
index 0000000000..ab2e201739
--- /dev/null
+++ b/tools/CxIAST/runBenchmark_wCxIAST.bat
@@ -0,0 +1,15 @@
+@ECHO OFF
+IF EXIST .\cx-launcher.jar (
+ CD ..\..
+
+ CALL mvn clean package cargo:run -Pdeploywcxiast
+
+ CD tools\CxIAST
+
+) ELSE (
+ ECHO Checkmarx IAST is a commercial product, so you need a licensed version of Checkmarx IAST in order to run it on the Benchmark. If you have access to Checkmarx IAST and want to run the Benchmark against it you will have to:
+ ECHO * download the CxIAST Agent for Java (cxiast-java-agent.zip) from the Server;
+ ECHO * put it into the /tools/CxIAST folder;
+ ECHO * unzip it; and then
+ ECHO * rerun this script.
+)
diff --git a/tools/CxIAST/runBenchmark_wCxIAST.sh b/tools/CxIAST/runBenchmark_wCxIAST.sh
new file mode 100644
index 0000000000..fb4daae48f
--- /dev/null
+++ b/tools/CxIAST/runBenchmark_wCxIAST.sh
@@ -0,0 +1,28 @@
+#!/bin/sh
+
+if [ -f ./cx-launcher.jar ]; then
+
+ if [ -d ./working ]; then
+
+ rm -r ./working/cache
+ echo ""
+ echo "Previous Checkmarx IAST results in tools/CxIAST removed"
+ echo ""
+
+ fi
+
+ cd ../..
+ chmod 755 target/classes/insecureCmd.sh
+ mvn clean package cargo:run -Pdeploywcxiast
+
+ echo "Download Checkmarx IAST report to results directory"
+
+else
+
+ echo "Checkmarx IAST is a commercial product, so you need a licensed version of Checkmarx IAST in order to run it on the Benchmark. If you have access to Checkmarx IAST and want to run the Benchmark against it you will have to:
+ * download the CxIAST Agent for Java (cxiast-java-agent.zip) from the Server;
+ * put it into the /tools/CxIAST folder;
+ * unzip it; and then
+ * rerun this script."
+
+fi
From 00bda154007139d4eaa5859a28f8f7997e223039 Mon Sep 17 00:00:00 2001
From: Grant Ongers
Date: Fri, 6 Mar 2020 16:37:22 +0000
Subject: [PATCH 04/10] Brackets need escaping in batch files.
---
 tools/CxIAST/runBenchmark_wCxIAST.bat | 2 +-
 tools/seeker/runBenchmark_wSeeker.bat | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/tools/CxIAST/runBenchmark_wCxIAST.bat b/tools/CxIAST/runBenchmark_wCxIAST.bat
index ab2e201739..8c375a8332 100644
--- a/tools/CxIAST/runBenchmark_wCxIAST.bat
+++ b/tools/CxIAST/runBenchmark_wCxIAST.bat
@@ -8,7 +8,7 @@ IF EXIST .\cx-launcher.jar (
 ) ELSE (
 ECHO Checkmarx IAST is a commercial product, so you need a licensed version of Checkmarx IAST in order to run it on the Benchmark. If you have access to Checkmarx IAST and want to run the Benchmark against it you will have to:
- ECHO * download the CxIAST Agent for Java (cxiast-java-agent.zip) from the Server;
+ ECHO * download the CxIAST Agent for Java ^(cxiast-java-agent.zip^) from the Server;
 ECHO * put it into the /tools/CxIAST folder;
 ECHO * unzip it; and then
 ECHO * rerun this script.
diff --git a/tools/seeker/runBenchmark_wSeeker.bat b/tools/seeker/runBenchmark_wSeeker.bat
index 7cc0d55e57..9061f17aa4 100644
--- a/tools/seeker/runBenchmark_wSeeker.bat
+++ b/tools/seeker/runBenchmark_wSeeker.bat
@@ -8,9 +8,9 @@ IF EXIST .\seeker-agent.jar (
 ) ELSE (
 ECHO Seeker is a commercial product, so you need a licensed version of Seeker in order to run it on the Benchmark.
- ECHO * download the CxIAST Agent for Java (cxiast-java-agent.zip) from the Server;
+ ECHO * download the CxIAST Agent for Java ^(cxiast-java-agent.zip^) from the Server;
 ECHO * put it into the /tools/CxIAST folder;
 ECHO * unzip it;
- ECHO * update pom.xml (deploywseeker section, seeker.server.url); and then
+ ECHO * update pom.xml ^(deploywseeker section, seeker.server.url^); and then
 ECHO * rerun this script.
 )
From a16d0e259fd233a63d7eea30633e1261dae845dc Mon Sep 17 00:00:00 2001
From: Grant Ongers
Date: Fri, 6 Mar 2020 16:44:58 +0000
Subject: [PATCH 05/10] COrrected variable names.
---
 src/main/java/org/owasp/benchmark/score/BenchmarkScore.java | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/main/java/org/owasp/benchmark/score/BenchmarkScore.java b/src/main/java/org/owasp/benchmark/score/BenchmarkScore.java
index a5cb493137..b2f3abe6d9 100644
--- a/src/main/java/org/owasp/benchmark/score/BenchmarkScore.java
+++ b/src/main/java/org/owasp/benchmark/score/BenchmarkScore.java
@@ -646,9 +646,9 @@ private static TestResults readActualResults(File fileToParse) throws Exception
 if ( filename.endsWith( ".csv" ) ) {
 String line1 = getLine( fileToParse, 0 );
- if ( line2.contains("CheckerKey") && line2.contains("LastDetectionURL") ) {
+ if ( line1.contains("CheckerKey") && line2.contains("LastDetectionURL") ) {
 tr = new SeekerReader().parse(fileToParse);
- } else if ( line2.contains("CWE") && line2.contains("URL") ) {
+ } else if ( line1.contains("CWE") && line2.contains("URL") ) {
 tr = new CheckmarxIASTReader().parse(fileToParse);
 }
 }
From afe89192e87d7867ba9820bf09bf71d339729709 Mon Sep 17 00:00:00 2001
From: Grant Ongers
Date: Fri, 6 Mar 2020 16:59:19 +0000
Subject: [PATCH 06/10] Corrected variable names.
---
 src/main/java/org/owasp/benchmark/score/BenchmarkScore.java | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/main/java/org/owasp/benchmark/score/BenchmarkScore.java b/src/main/java/org/owasp/benchmark/score/BenchmarkScore.java
index b2f3abe6d9..d5faa2d7d4 100644
--- a/src/main/java/org/owasp/benchmark/score/BenchmarkScore.java
+++ b/src/main/java/org/owasp/benchmark/score/BenchmarkScore.java
@@ -646,9 +646,9 @@ private static TestResults readActualResults(File fileToParse) throws Exception
 if ( filename.endsWith( ".csv" ) ) {
 String line1 = getLine( fileToParse, 0 );
- if ( line1.contains("CheckerKey") && line2.contains("LastDetectionURL") ) {
+ if ( line1.contains("CheckerKey") && line1.contains("LastDetectionURL") ) {
 tr = new SeekerReader().parse(fileToParse);
- } else if ( line1.contains("CWE") && line2.contains("URL") ) {
+ } else if ( line1.contains("CWE") && line1.contains("URL") ) {
 tr = new CheckmarxIASTReader().parse(fileToParse);
 }
 }
From a0cf8377ece2a07b8fdaa3e73df48d5c6d33aff6 Mon Sep 17 00:00:00 2001
From: Grant Ongers
Date: Sat, 7 Mar 2020 15:08:30 +0000
Subject: [PATCH 07/10] Clean up before CxIAST run
---
 tools/CxIAST/runBenchmark_wCxIAST.bat | 13 +++++++++++++
 tools/CxIAST/runBenchmark_wCxIAST.sh | 11 +++++++++--
 2 files changed, 22 insertions(+), 2 deletions(-)
diff --git a/tools/CxIAST/runBenchmark_wCxIAST.bat b/tools/CxIAST/runBenchmark_wCxIAST.bat
index 8c375a8332..cfedddb160 100644
--- a/tools/CxIAST/runBenchmark_wCxIAST.bat
+++ b/tools/CxIAST/runBenchmark_wCxIAST.bat
@@ -1,5 +1,18 @@
 @ECHO OFF
 IF EXIST .\cx-launcher.jar (
+ IF EXIST .\iast_cache (
+ rmdir /q /s .\iast_cache
+
+ IF EXIST .\logs (
+ rmdir /q /s .\logs
+ )
+
+ ECHO ""
+
+ ECHO Previous Checkmarx IAST results have been removed
+
+ ECHO ""
+ )
 CD ..\..
 CALL mvn clean package cargo:run -Pdeploywcxiast
diff --git a/tools/CxIAST/runBenchmark_wCxIAST.sh b/tools/CxIAST/runBenchmark_wCxIAST.sh
index fb4daae48f..48d27de0f1 100644
--- a/tools/CxIAST/runBenchmark_wCxIAST.sh
+++ b/tools/CxIAST/runBenchmark_wCxIAST.sh
@@ -2,9 +2,16 @@
 if [ -f ./cx-launcher.jar ]; then
- if [ -d ./working ]; then
+ if [ -d ./iast_cache ]; then
+
+ rm -r ./iast_cache
+
+ if [ -d ./logs ]; then
+
+ rm -r ./logs
+
+ fi
- rm -r ./working/cache
 echo ""
 echo "Previous Checkmarx IAST results in tools/CxIAST removed"
 echo ""
From 9b3b49f7c33d429755f490582fd69adf1acb20da Mon Sep 17 00:00:00 2001
From: Grant Ongers
Date: Sat, 7 Mar 2020 23:38:00 +0000
Subject: [PATCH 08/10] Clean up before Seeker run
---
 tools/seeker/runBenchmark_wSeeker.bat | 1 +
 tools/seeker/runBenchmark_wSeeker.sh | 3 ---
 2 files changed, 1 insertion(+), 3 deletions(-)
diff --git a/tools/seeker/runBenchmark_wSeeker.bat b/tools/seeker/runBenchmark_wSeeker.bat
index 9061f17aa4..7ecab92e7f 100644
--- a/tools/seeker/runBenchmark_wSeeker.bat
+++ b/tools/seeker/runBenchmark_wSeeker.bat
@@ -1,5 +1,6 @@
 @ECHO OFF
 IF EXIST .\seeker-agent.jar (
+
 CD ..\..
 CALL mvn clean package cargo:run -Pdeploywseeker
diff --git a/tools/seeker/runBenchmark_wSeeker.sh b/tools/seeker/runBenchmark_wSeeker.sh
index 380334a542..968bcc46cf 100644
--- a/tools/seeker/runBenchmark_wSeeker.sh
+++ b/tools/seeker/runBenchmark_wSeeker.sh
@@ -2,9 +2,6 @@
 if [ -f ./seeker-agent.jar ]; then
- if [ -d ./working ]; then
-
- rm -r ./working/cache
 echo ""
 echo "Previous Seeker results in tools/seeker removed"
 echo ""
From 02491c2839d089873c1a90c8e9c860715a4ef98f Mon Sep 17 00:00:00 2001
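Review bot: `ECHO ""` in the new cleanup block of runBenchmark_wCxIAST.bat prints the two quote characters rather than a blank line; the batch idiom for an empty line is `ECHO.`. The `IF EXIST .\logs` check is nested inside `IF EXIST .\iast_cache`, so a leftover `logs` directory is kept whenever the cache directory happens to be absent, and the runBenchmark_wCxIAST.sh hunk in this commit nests its `logs` check the same way; lifting each check to the same level makes the two removals independent.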
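Review bot: Deleting `if [ -d ./working ]; then` and `rm -r ./working/cache` from runBenchmark_wSeeker.sh without deleting the matching `fi` (old line 12, just below this hunk; the diffstat shows only the three deletions visible here) leaves that `fi` closing the outer `if [ -f ./seeker-agent.jar ]` block, so the later `else` has no open `if` and the shell rejects the script with a syntax error. The three `echo` lines that remain also announce `Previous Seeker results in tools/seeker removed` although nothing is removed any more. Either drop the stray `fi` together with the three echo lines, or keep a guarded cleanup in the shape the CxIAST script uses in patch 07.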
From: Dave Wichers
Date: Mon, 9 Mar 2020 19:51:55 -0400
Subject: [PATCH 09/10] Update BenchmarkScore.java Fix formatting in changed lines to match original file. Delete duplicate code added accidentally for parsing .faast files.
---
 .../owasp/benchmark/score/BenchmarkScore.java | 26 ++++++++-----------
 1 file changed, 11 insertions(+), 15 deletions(-)
diff --git a/src/main/java/org/owasp/benchmark/score/BenchmarkScore.java b/src/main/java/org/owasp/benchmark/score/BenchmarkScore.java
index 396c6f1931..698d2c46f1 100644
--- a/src/main/java/org/owasp/benchmark/score/BenchmarkScore.java
+++ b/src/main/java/org/owasp/benchmark/score/BenchmarkScore.java
@@ -644,22 +644,18 @@ private static TestResults readActualResults(File fileToParse) throws Exception
 String filename = fileToParse.getName();
 TestResults tr = null;
- if ( filename.endsWith( ".csv" ) ) {
- String line1 = getLine( fileToParse, 0 );
- if ( line1.contains("CheckerKey") && line1.contains("LastDetectionURL") ) {
- tr = new SeekerReader().parse(fileToParse);
- } else if ( line1.contains("CWE") && line1.contains("URL") ) {
- tr = new CheckmarxIASTReader().parse(fileToParse);
- }
- }
-
- else if ( filename.endsWith( ".ozasmt" ) ) {
- tr = new AppScanSourceReader().parse( fileToParse );
- }
+ if ( filename.endsWith( ".csv" ) ) {
+ String line1 = getLine( fileToParse, 0 );
+ if ( line1.contains("CheckerKey") && line1.contains("LastDetectionURL") ) {
+ tr = new SeekerReader().parse(fileToParse);
+ } else if ( line1.contains("CWE") && line1.contains("URL") ) {
+ tr = new CheckmarxIASTReader().parse(fileToParse);
+ }
+ }
- else if ( filename.endsWith( ".faast" ) ) {
- tr = new FaastReader().parse( fileToParse );
- }
+ else if ( filename.endsWith( ".ozasmt" ) ) {
+ tr = new AppScanSourceReader().parse( fileToParse );
+ }
 else if ( filename.endsWith( ".faast" ) ) {
 tr = new FaastReader().parse( fileToParse );
From 45456911a892738c85e9c755e7b5affd545cac90 Mon Sep 17 00:00:00 2001
From: Dave Wichers
Date: Mon, 9 Mar 2020 19:58:13 -0400
Subject: [PATCH 10/10] Update BenchmarkScore.java
---
 src/main/java/org/owasp/benchmark/score/BenchmarkScore.java | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/main/java/org/owasp/benchmark/score/BenchmarkScore.java b/src/main/java/org/owasp/benchmark/score/BenchmarkScore.java
index 698d2c46f1..f09743619e 100644
--- a/src/main/java/org/owasp/benchmark/score/BenchmarkScore.java
+++ b/src/main/java/org/owasp/benchmark/score/BenchmarkScore.java
@@ -650,7 +650,7 @@ private static TestResults readActualResults(File fileToParse) throws Exception
 tr = new SeekerReader().parse(fileToParse);
 } else if ( line1.contains("CWE") && line1.contains("URL") ) {
 tr = new CheckmarxIASTReader().parse(fileToParse);
- }
+ } else System.out.println("Error: No matching parser found for CSV file: " + filename);
 }
 else if ( filename.endsWith( ".ozasmt" ) ) {
@@ -667,7 +667,7 @@ else if ( filename.endsWith( ".json" ) ) {
 tr = new CoverityReader().parse( fileToParse );
 } else if ( line2.contains("Vendor") && line2.contains("Checkmarx") ) {
 tr = new CheckmarxESReader().parse( fileToParse );
- }
+ } else System.out.println("Error: No matching parser found for JSON file: " + filename);
 }
 else if ( filename.endsWith( ".sarif" ) ) {
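Review bot: `} else System.out.println("Error: No matching parser found for CSV file: " + filename);` hangs an unbraced `else` off the closing-brace line, unlike every other branch visible in readActualResults, and reports the failed parser match on stdout; `tr` is still null afterwards, so the caller (the method's end is outside this hunk) sees exactly what it saw before the message existed. Prefer `} else {` / `System.err.println("Error: No matching parser found for CSV file: " + filename);` / `}`, or keep stdout if that is how the rest of this file reports errors. The JSON hunk at `@@ -667,7` has the identical shape and wants the same treatment.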