Added Seeker config and runners to Benchmark

pom.xml

@@ -32,7 +32,7 @@
 				</plugins>
 			</build>
 		</profile>
-		
+
 		<profile>
 			<id>benchmarkscore</id>
 			<build>
@@ -300,7 +300,110 @@
 				</plugins>
 			</build>
 		</profile>
-
+
+		<profile>
+			<id>deploywseeker</id>
+			<properties>
+			   <skipTests>true</skipTests>
+			   <seeker.javaagent>-javaagent:${basedir}/tools/seeker/seeker-agent.jar</seeker.javaagent>
+			   <seeker.server.url>-Dseeker.server.url=https://server.example.com:8888</seeker.server.url>
+			   <seeker.project.key>-Dseeker.project.key=Benchmark</seeker.project.key>
+			</properties>
+			<build>
+			   <plugins>
+			   <plugin>
+			       <artifactId>maven-antrun-plugin</artifactId>
+			       <version>1.7</version>
+			       <executions>
+			       <execution>
+			           <id>ldap-server</id>
+			           <phase>package</phase>
+			           <goals>
+			           <goal>run</goal>
+			           </goals>
+			           <configuration>
+			           <target>
+			               <ant target="run" antfile="${basedir}/src/config/build.xml">
+			               <reference torefid="maven.compile.classpath" refid="maven.compile.classpath" />
+			               </ant>
+			           </target>
+			           </configuration>
+			       </execution>
+			       <execution>
+			           <id>database-server</id>
+			           <phase>package</phase>
+			           <goals>
+			           <goal>run</goal>
+			           </goals>
+			           <configuration>
+			           <target>
+			               <ant target="databaseServer" antfile="${basedir}/src/config/build.xml">
+			               <reference torefid="maven.compile.classpath" refid="maven.compile.classpath" />
+			               </ant>
+			           </target>
+			           </configuration>
+			       </execution>
+			       <execution>
+			           <id>database-init</id>
+			           <phase>package</phase>
+			           <goals>
+			           <goal>run</goal>
+			           </goals>
+			           <configuration>
+			           <target>
+			               <ant target="databaseInit" antfile="${basedir}/src/config/build.xml">
+			               <reference torefid="maven.compile.classpath" refid="maven.compile.classpath" />
+			               </ant>
+			           </target>
+			           </configuration>
+			       </execution>
+			       </executions>
+			   </plugin>
+			   <plugin>
+			       <groupId>org.codehaus.cargo</groupId>
+			       <artifactId>cargo-maven2-plugin</artifactId>
+			       <version>1.6.0</version>
+			       <configuration>
+			       <container>
+			           <timeout>300000</timeout>
+			           <containerId>tomcat8x</containerId>
+			           <zipUrlInstaller>
+			           <url>http://archive.apache.org/dist/tomcat/tomcat-8/v8.0.38/bin/apache-tomcat-8.0.38.zip</url>
+			           </zipUrlInstaller>
+			       </container>
+			       <configuration>
+			           <configfiles>
+			           <configfile>
+			               <file>${basedir}/src/config/local/server.xml</file>
+			               <todir>conf</todir>
+			               <overwrite>true</overwrite>
+			           </configfile>
+			           <configfile>
+			               <file>${basedir}/src/config/local/context.xml</file>
+			               <todir>conf</todir>
+			               <overwrite>true</overwrite>
+			           </configfile>
+			           </configfiles>
+			           <properties>
+			           <cargo.jvmargs>
+			               ${seeker.javaagent} ${seeker.server.url} ${seeker.project.key} -Xss2m
+			           </cargo.jvmargs>
+			           <cargo.servlet.port>8443</cargo.servlet.port>
+			           <cargo.protocol>https</cargo.protocol>
+			           <cargo.tomcat.connector.clientAuth>false</cargo.tomcat.connector.clientAuth>
+			           <cargo.tomcat.connector.sslProtocol>TLS</cargo.tomcat.connector.sslProtocol>
+			           <cargo.tomcat.connector.keystoreFile>../../../../.keystore</cargo.tomcat.connector.keystoreFile>
+			           <cargo.tomcat.connector.keystorePass>changeit</cargo.tomcat.connector.keystorePass>
+			           <cargo.tomcat.connector.keyAlias>tomcat</cargo.tomcat.connector.keyAlias>
+			           <cargo.tomcat.httpSecure>true</cargo.tomcat.httpSecure>
+			           </properties>
+			       </configuration>
+			       </configuration>
+			   </plugin>
+			   </plugins>
+			</build>
+		</profile>
+
 		<profile>
 			<id>deploywhcl</id>
 			<properties>
@@ -495,7 +598,7 @@ But it requires getting all the Log4j2 stuff configured right, and haven't done
 		</dependency>
 
 		<!-- mvn dependency:analyze says these 4 artifacts are used but not included in the pom, but adding
-		     them breaks the LDAP server startup. Maybe because apacheds-all includes them already? 
+		     them breaks the LDAP server startup. Maybe because apacheds-all includes them already?
 		<dependency>
 			<groupId>org.apache.directory.shared</groupId>
 			<artifactId>shared-ldap</artifactId>
@@ -665,7 +768,7 @@ But it might be needed for Java 10, because I get this error, that I don't get w
 -->
 			<version>1.5.7</version>
 			<exclusions>
-				<!-- shared-ldap-schema module needs to be excluded to avoid multiple 
+				<!-- shared-ldap-schema module needs to be excluded to avoid multiple
 					schema resources on the classpath -->
 				<exclusion>
 					<groupId>org.apache.directory.shared</groupId>

tools/seeker/readme.txt

@@ -0,0 +1,5 @@
+DISCLAIMER: OWASP does not endorse any commercial tools, including this one. Benchmark support for this tool is simply for user convenience and should not be considered an endorsement of this tool.
+
+Seeker is a commercial tool. If you are interested in running Seeker on the Benchmark, you'll have to get a license for it from the vendor just like you would for any commercial tool. Once you have it, you need to unzip the seeker-JAVA-agent.zip file in this directory in order to run the Benchmark with Seeker using one of the runBenchmark_wSeeker scripts, and then crawl the Benchmark to generate scan results with one of the runCrawler scripts.
+
+See the Tool Scanning Tips page at OWASP (https://www.owasp.org/index.php/Benchmark#tab=Tool_Scanning_Tips) for the latest instructions on how to scan the Benchmark with any vulnerability detection tool, including Seeker.

tools/seeker/runBenchmark_wSeeker.bat

@@ -0,0 +1,16 @@
+@ECHO OFF
+IF EXIST .\seeker-agent.jar (
+    CD ..\..
+
+    CALL mvn clean package cargo:run -Pdeploywseeker
+
+    CD tools\Seeker
+
+) ELSE (
+    ECHO Seeker is a commercial product, so you need a licensed version of Seeker in order to run it on the Benchmark.
+    ECHO   *  download the CxIAST Agent for Java (cxiast-java-agent.zip) from the Server;
+    ECHO   *  put it into the /tools/CxIAST folder;
+    ECHO   *  unzip it;
+    ECHO   *  update pom.xml (deploywseeker section, seeker.server.url); and then
+    ECHO   *  rerun this script.
+)

tools/seeker/runBenchmark_wSeeker.sh

@@ -0,0 +1,29 @@
+#!/bin/sh
+
+if [ -f ./seeker-agent.jar ]; then
+
+  if [ -d ./working ]; then
+
+    rm -r ./working/cache
+    echo ""
+    echo "Previous Seeker results in tools/seeker removed"
+    echo ""
+
+  fi
+
+  cd ../..
+  chmod 755 target/classes/insecureCmd.sh
+  mvn clean package cargo:run -Pdeploywseeker
+
+  echo "Download Seeker report to results directory"
+
+else
+
+  echo "Checkmarx IAST is a commercial product, so you need a licensed version of Checkmarx IAST in order to run it on the Benchmark. If you have access to Checkmarx IAST and want to run the Benchmark against it you will have to:
+    *  download the CxIAST Agent for Java (cxiast-java-agent.zip) from the Server;
+    *  put it into the /tools/CxIAST folder;
+    *  unzip it;
+    *  update pom.xml (deploywseeker section, seeker.server.url); and then
+    *  rerun this script."
+
+fi