Added CHeckmarx IAST config and runners to Benchmark

pom.xml

@@ -404,6 +404,110 @@
 			</build>
 		</profile>
 
+		<profile>
+			<id>deploywcxiast</id>
+			<properties>
+				<skipTests>true</skipTests>
+			</properties>
+			<build>
+				<plugins>
+					<plugin>
+						<artifactId>maven-antrun-plugin</artifactId>
+						<executions>
+							<execution>
+								<id>ldap-server</id>
+								<phase>package</phase>
+								<goals>
+									<goal>run</goal>
+								</goals>
+								<configuration>
+									<target>
+										<ant target="run" antfile="${basedir}/src/config/build.xml">
+											<reference torefid="maven.compile.classpath" refid="maven.compile.classpath"/>
+										</ant>
+									</target>
+								</configuration>
+							</execution>
+							<execution>
+								<id>database-server</id>
+								<phase>package</phase>
+								<goals>
+									<goal>run</goal>
+								</goals>
+								<configuration>
+									<target>
+										<ant target="databaseServer" antfile="${basedir}/src/config/build.xml">
+											<reference torefid="maven.compile.classpath" refid="maven.compile.classpath"/>
+										</ant>
+									</target>
+								</configuration>
+							</execution>
+							<execution>
+								<id>database-init</id>
+								<phase>package</phase>
+								<goals>
+									<goal>run</goal>
+								</goals>
+								<configuration>
+									<target>
+										<ant target="databaseInit" antfile="${basedir}/src/config/build.xml">
+											<reference torefid="maven.compile.classpath" refid="maven.compile.classpath"/>
+										</ant>
+									</target>
+								</configuration>
+							</execution>
+						</executions>
+					</plugin>
+					<plugin>
+						<groupId>org.codehaus.cargo</groupId>
+						<artifactId>cargo-maven2-plugin</artifactId>
+						<configuration>
+							<container>
+								<timeout>300000</timeout>
+								<containerId>tomcat${tomcat.major.version}x</containerId>
+								<zipUrlInstaller>
+									<url>${tomcat.url}</url>
+								</zipUrlInstaller>
+							</container>
+							<properties>
+								<cargo.jvmargs>-XX:MaxPermSize=6G -Xms1G –Xmx8G</cargo.jvmargs>
+							</properties>
+							<configuration>
+								<configfiles>
+									<configfile>
+										<file>${basedir}/src/config/local/server.xml</file>
+										<todir>conf</todir>
+										<overwrite>true</overwrite>
+									</configfile>
+									<configfile>
+										<file>${basedir}/src/config/local/context.xml</file>
+										<todir>conf</todir>
+										<overwrite>true</overwrite>
+									</configfile>
+								</configfiles>
+								<properties>
+									<cargo.jvmargs>
+										-Xmx4G
+										-javaagent:${basedir}/tools/CxIAST/cx-launcher.jar
+										-Diast.home=${basedir}/tools/CxIAST/
+										-Xverify:none
+									</cargo.jvmargs>
+									<cargo.servlet.port>8443</cargo.servlet.port>
+									<cargo.protocol>https</cargo.protocol>
+									<cargo.tomcat.connector.clientAuth>false</cargo.tomcat.connector.clientAuth>
+									<cargo.tomcat.connector.sslProtocol>TLS</cargo.tomcat.connector.sslProtocol>
+									<cargo.tomcat.connector.keystoreFile>../../../../.keystore</cargo.tomcat.connector.keystoreFile>
+									<cargo.tomcat.connector.keystorePass>changeit</cargo.tomcat.connector.keystorePass>
+									<cargo.tomcat.connector.keyAlias>tomcat</cargo.tomcat.connector.keyAlias>
+									<cargo.tomcat.httpSecure>true</cargo.tomcat.httpSecure>
+								</properties>
+							</configuration>
+						</configuration>
+					</plugin>
+				</plugins>
+			</build>
+		</profile>
+
 		<profile>
 			<id>deploywhcl</id>
 			<properties>

src/main/java/org/owasp/benchmark/score/BenchmarkScore.java

@@ -58,6 +58,7 @@
 import org.owasp.benchmark.score.parsers.CASTAIPReader;
 import org.owasp.benchmark.score.parsers.CheckmarxESReader;
 import org.owasp.benchmark.score.parsers.CheckmarxReader;
+import org.owasp.benchmark.score.parsers.CheckmarxIASTReader;
 import org.owasp.benchmark.score.parsers.ContrastReader;
 import org.owasp.benchmark.score.parsers.Counter;
 import org.owasp.benchmark.score.parsers.CoverityReader;
@@ -644,13 +645,18 @@ private static TestResults readActualResults(File fileToParse) throws Exception
 		TestResults tr = null;
 
         if ( filename.endsWith( ".csv" ) ) {
-            tr = new SeekerReader().parse(fileToParse);
+					String line1 = getLine( fileToParse, 0 );
+					if ( line2.contains("CheckerKey") && line2.contains("LastDetectionURL") ) {
+						tr = new SeekerReader().parse(fileToParse);
+					} else if ( line2.contains("CWE") && line2.contains("URL") ) {
+            tr = new CheckmarxIASTReader().parse(fileToParse);
+					}
         }
 
         else if ( filename.endsWith( ".ozasmt" ) ) {
             tr = new AppScanSourceReader().parse( fileToParse );
         }
-        
+
         else if ( filename.endsWith( ".faast" ) ) {
             tr = new FaastReader().parse( fileToParse );
         }

src/main/java/org/owasp/benchmark/score/parsers/CheckmarxIASTReader.java

@@ -0,0 +1,68 @@
+/**
+ * OWASP Benchmark Project
+ * <p>
+ * This file is part of the Open Web Application Security Project (OWASP)
+ * Benchmark Project For details, please see
+ * <a href="https://www.owasp.org/index.php/Benchmark">https://www.owasp.org/index.php/Benchmark</a>.
+ * <p>
+ * The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms
+ * of the GNU General Public License as published by the Free Software Foundation, version 2.
+ * <p>
+ * The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details
+ *
+ * @author Grant Ongers <a href="https://www.securedelivery.io">Secure Delivery</a>
+ * @created 2020
+ */
+
+package org.owasp.benchmark.score.parsers;
+
+import org.apache.commons.csv.CSVFormat;
+import org.apache.commons.csv.CSVRecord;
+
+import java.io.File;
+
+public class CheckmarxIASTReader extends Reader
+{
+
+  public TestResults parse(File f) throws Exception
+  {
+    TestResults tr = new TestResults("Checkmarx CxIAST", true, TestResults.ToolType.IAST);
+
+    java.io.Reader inReader = new java.io.FileReader(f);
+    Iterable<CSVRecord> records = CSVFormat.RFC4180.withFirstRecordAsHeader().parse(inReader);
+    for (CSVRecord record : records)
+    {
+      String cwe = record.get("CWE");
+      String url = record.get("URL");
+
+      TestCaseResult tcr = new TestCaseResult();
+      try
+      {
+        if (url.length() >= 18)
+        {
+          String category = url.substring(1, url.indexOf("-"));
+          tcr.setNumber(Integer.parseInt(url.substring(url.indexOf("BenchmarkTest")+13, url.indexOf("BenchmarkTest")+18)));
+          if ( cwe.length() == 0 && category == "securecookie" ) tcr.setCWE(614); //CxIAST doesn't report on all 614
+          else if ( cwe.length() == 0 ) tcr.setCWE(0);
+          else tcr.setCWE(Integer.parseInt(cwe));
+        }
+      }
+      catch (NumberFormatException e)
+      {
+        System.out.println("> TParse error: " + record.toString());
+      }
+
+      if (tcr.getCWE() != 0)
+      {
+        tr.put(tcr);
+      }
+    }
+
+    tr.setTime("100");
+
+    return tr;
+  }
+
+}

tools/CxIAST/readme.txt

@@ -0,0 +1,5 @@
+DISCLAIMER: OWASP does not endorse any commercial tools, including this one. Benchmark support for this tool is simply for user convenience and should not be considered an endorsement of this tool.
+
+Checkmarx IAST is a commercial tool. If you are interested in running Contrast on the Benchmark, you'll have to get a license for it from the vendor just like you would for any commercial tool. Once you have it, you need to unzip the cxiast-java-agent.zip file in this directory in order to run the Benchmark with Checkmarx IAST using one of the runBenchmark_wCxIAST scripts, and then crawl the Benchmark to generate scan results with one of the runCrawler scripts.
+
+See the Tool Scanning Tips page at OWASP (https://www.owasp.org/index.php/Benchmark#tab=Tool_Scanning_Tips) for the latest instructions on how to scan the Benchmark with any vulnerability detection tool, including Checkmarx IAST.

tools/CxIAST/runBenchmark_wCxIAST.bat

@@ -0,0 +1,15 @@
+@ECHO OFF
+IF EXIST .\cx-launcher.jar (
+    CD ..\..
+
+    CALL mvn clean package cargo:run -Pdeploywcxiast
+
+    CD tools\CxIAST
+
+) ELSE (
+    ECHO Checkmarx IAST is a commercial product, so you need a licensed version of Checkmarx IAST in order to run it on the Benchmark. If you have access to Checkmarx IAST and want to run the Benchmark against it you will have to:
+    ECHO   *  download the CxIAST Agent for Java (cxiast-java-agent.zip) from the Server;
+    ECHO   *  put it into the /tools/CxIAST folder;
+    ECHO   *  unzip it; and then
+    ECHO   *  rerun this script.
+)

tools/CxIAST/runBenchmark_wCxIAST.sh

@@ -0,0 +1,28 @@
+#!/bin/sh
+
+if [ -f ./cx-launcher.jar ]; then
+
+  if [ -d ./working ]; then
+
+    rm -r ./working/cache
+    echo ""
+    echo "Previous Checkmarx IAST results in tools/CxIAST removed"
+    echo ""
+
+  fi
+
+  cd ../..
+  chmod 755 target/classes/insecureCmd.sh
+  mvn clean package cargo:run -Pdeploywcxiast
+
+  echo "Download Checkmarx IAST report to results directory"
+
+else
+
+  echo "Checkmarx IAST is a commercial product, so you need a licensed version of Checkmarx IAST in order to run it on the Benchmark. If you have access to Checkmarx IAST and want to run the Benchmark against it you will have to:
+    *  download the CxIAST Agent for Java (cxiast-java-agent.zip) from the Server;
+    *  put it into the /tools/CxIAST folder;
+    *  unzip it; and then
+    *  rerun this script."
+
+fi