Added two configurations for commercial IAST tools.

pom.xml

@@ -32,7 +32,7 @@
 				</plugins>
 			</build>
 		</profile>
-		
+
 		<profile>
 			<id>benchmarkscore</id>
 			<build>
@@ -300,7 +300,214 @@
 				</plugins>
 			</build>
 		</profile>
-
+
+		<profile>
+			<id>deploywseeker</id>
+			<properties>
+			   <skipTests>true</skipTests>
+			   <seeker.javaagent>-javaagent:${basedir}/tools/seeker/seeker-agent.jar</seeker.javaagent>
+			   <seeker.server.url>-Dseeker.server.url=https://server.example.com:8888</seeker.server.url>
+			   <seeker.project.key>-Dseeker.project.key=Benchmark</seeker.project.key>
+			</properties>
+			<build>
+			   <plugins>
+			   <plugin>
+			       <artifactId>maven-antrun-plugin</artifactId>
+			       <version>1.7</version>
+			       <executions>
+			       <execution>
+			           <id>ldap-server</id>
+			           <phase>package</phase>
+			           <goals>
+			           <goal>run</goal>
+			           </goals>
+			           <configuration>
+			           <target>
+			               <ant target="run" antfile="${basedir}/src/config/build.xml">
+			               <reference torefid="maven.compile.classpath" refid="maven.compile.classpath" />
+			               </ant>
+			           </target>
+			           </configuration>
+			       </execution>
+			       <execution>
+			           <id>database-server</id>
+			           <phase>package</phase>
+			           <goals>
+			           <goal>run</goal>
+			           </goals>
+			           <configuration>
+			           <target>
+			               <ant target="databaseServer" antfile="${basedir}/src/config/build.xml">
+			               <reference torefid="maven.compile.classpath" refid="maven.compile.classpath" />
+			               </ant>
+			           </target>
+			           </configuration>
+			       </execution>
+			       <execution>
+			           <id>database-init</id>
+			           <phase>package</phase>
+			           <goals>
+			           <goal>run</goal>
+			           </goals>
+			           <configuration>
+			           <target>
+			               <ant target="databaseInit" antfile="${basedir}/src/config/build.xml">
+			               <reference torefid="maven.compile.classpath" refid="maven.compile.classpath" />
+			               </ant>
+			           </target>
+			           </configuration>
+			       </execution>
+			       </executions>
+			   </plugin>
+			   <plugin>
+			       <groupId>org.codehaus.cargo</groupId>
+			       <artifactId>cargo-maven2-plugin</artifactId>
+			       <version>1.6.0</version>
+			       <configuration>
+			       <container>
+			           <timeout>300000</timeout>
+			           <containerId>tomcat8x</containerId>
+			           <zipUrlInstaller>
+			           <url>http://archive.apache.org/dist/tomcat/tomcat-8/v8.0.38/bin/apache-tomcat-8.0.38.zip</url>
+			           </zipUrlInstaller>
+			       </container>
+			       <configuration>
+			           <configfiles>
+			           <configfile>
+			               <file>${basedir}/src/config/local/server.xml</file>
+			               <todir>conf</todir>
+			               <overwrite>true</overwrite>
+			           </configfile>
+			           <configfile>
+			               <file>${basedir}/src/config/local/context.xml</file>
+			               <todir>conf</todir>
+			               <overwrite>true</overwrite>
+			           </configfile>
+			           </configfiles>
+			           <properties>
+			           <cargo.jvmargs>
+			               ${seeker.javaagent} ${seeker.server.url} ${seeker.project.key} -Xss2m
+			           </cargo.jvmargs>
+			           <cargo.servlet.port>8443</cargo.servlet.port>
+			           <cargo.protocol>https</cargo.protocol>
+			           <cargo.tomcat.connector.clientAuth>false</cargo.tomcat.connector.clientAuth>
+			           <cargo.tomcat.connector.sslProtocol>TLS</cargo.tomcat.connector.sslProtocol>
+			           <cargo.tomcat.connector.keystoreFile>../../../../.keystore</cargo.tomcat.connector.keystoreFile>
+			           <cargo.tomcat.connector.keystorePass>changeit</cargo.tomcat.connector.keystorePass>
+			           <cargo.tomcat.connector.keyAlias>tomcat</cargo.tomcat.connector.keyAlias>
+			           <cargo.tomcat.httpSecure>true</cargo.tomcat.httpSecure>
+			           </properties>
+			       </configuration>
+			       </configuration>
+			   </plugin>
+			   </plugins>
+			</build>
+		</profile>
+
+		<profile>
+			<id>deploywcxiast</id>
+			<properties>
+				<skipTests>true</skipTests>
+			</properties>
+			<build>
+				<plugins>
+					<plugin>
+						<artifactId>maven-antrun-plugin</artifactId>
+						<executions>
+							<execution>
+								<id>ldap-server</id>
+								<phase>package</phase>
+								<goals>
+									<goal>run</goal>
+								</goals>
+								<configuration>
+									<target>
+										<ant target="run" antfile="${basedir}/src/config/build.xml">
+											<reference torefid="maven.compile.classpath" refid="maven.compile.classpath"/>
+										</ant>
+									</target>
+								</configuration>
+							</execution>
+							<execution>
+								<id>database-server</id>
+								<phase>package</phase>
+								<goals>
+									<goal>run</goal>
+								</goals>
+								<configuration>
+									<target>
+										<ant target="databaseServer" antfile="${basedir}/src/config/build.xml">
+											<reference torefid="maven.compile.classpath" refid="maven.compile.classpath"/>
+										</ant>
+									</target>
+								</configuration>
+							</execution>
+							<execution>
+								<id>database-init</id>
+								<phase>package</phase>
+								<goals>
+									<goal>run</goal>
+								</goals>
+								<configuration>
+									<target>
+										<ant target="databaseInit" antfile="${basedir}/src/config/build.xml">
+											<reference torefid="maven.compile.classpath" refid="maven.compile.classpath"/>
+										</ant>
+									</target>
+								</configuration>
+							</execution>
+						</executions>
+					</plugin>
+					<plugin>
+						<groupId>org.codehaus.cargo</groupId>
+						<artifactId>cargo-maven2-plugin</artifactId>
+						<configuration>
+							<container>
+								<timeout>300000</timeout>
+								<containerId>tomcat${tomcat.major.version}x</containerId>
+								<zipUrlInstaller>
+									<url>${tomcat.url}</url>
+								</zipUrlInstaller>
+							</container>
+							<properties>
+								<cargo.jvmargs>-XX:MaxPermSize=6G -Xms1G –Xmx8G</cargo.jvmargs>
+							</properties>
+							<configuration>
+								<configfiles>
+									<configfile>
+										<file>${basedir}/src/config/local/server.xml</file>
+										<todir>conf</todir>
+										<overwrite>true</overwrite>
+									</configfile>
+									<configfile>
+										<file>${basedir}/src/config/local/context.xml</file>
+										<todir>conf</todir>
+										<overwrite>true</overwrite>
+									</configfile>
+								</configfiles>
+								<properties>
+									<cargo.jvmargs>
+										-Xmx4G
+										-javaagent:${basedir}/tools/CxIAST/cx-launcher.jar
+										-Diast.home=${basedir}/tools/CxIAST/
+										-Xverify:none
+									</cargo.jvmargs>
+									<cargo.servlet.port>8443</cargo.servlet.port>
+									<cargo.protocol>https</cargo.protocol>
+									<cargo.tomcat.connector.clientAuth>false</cargo.tomcat.connector.clientAuth>
+									<cargo.tomcat.connector.sslProtocol>TLS</cargo.tomcat.connector.sslProtocol>
+									<cargo.tomcat.connector.keystoreFile>../../../../.keystore</cargo.tomcat.connector.keystoreFile>
+									<cargo.tomcat.connector.keystorePass>changeit</cargo.tomcat.connector.keystorePass>
+									<cargo.tomcat.connector.keyAlias>tomcat</cargo.tomcat.connector.keyAlias>
+									<cargo.tomcat.httpSecure>true</cargo.tomcat.httpSecure>
+								</properties>
+							</configuration>
+						</configuration>
+					</plugin>
+				</plugins>
+			</build>
+		</profile>
+
 		<profile>
 			<id>deploywhcl</id>
 			<properties>
@@ -495,7 +702,7 @@ But it requires getting all the Log4j2 stuff configured right, and haven't done
 		</dependency>
 
 		<!-- mvn dependency:analyze says these 4 artifacts are used but not included in the pom, but adding
-		     them breaks the LDAP server startup. Maybe because apacheds-all includes them already? 
+		     them breaks the LDAP server startup. Maybe because apacheds-all includes them already?
 		<dependency>
 			<groupId>org.apache.directory.shared</groupId>
 			<artifactId>shared-ldap</artifactId>
@@ -665,7 +872,7 @@ But it might be needed for Java 10, because I get this error, that I don't get w
 -->
 			<version>1.5.7</version>
 			<exclusions>
-				<!-- shared-ldap-schema module needs to be excluded to avoid multiple 
+				<!-- shared-ldap-schema module needs to be excluded to avoid multiple
 					schema resources on the classpath -->
 				<exclusion>
 					<groupId>org.apache.directory.shared</groupId>

src/main/java/org/owasp/benchmark/score/BenchmarkScore.java

@@ -645,12 +645,13 @@ private static TestResults readActualResults(File fileToParse) throws Exception
 		TestResults tr = null;
 
 		if ( filename.endsWith( ".csv" ) ) {
-			if( filename.startsWith( "CxIAST") ) {
-				tr = new CheckmarxIASTReader().parse(fileToParse);
-			} else {
+			String line1 = getLine( fileToParse, 0 );
+			if ( line1.contains("CheckerKey") && line1.contains("LastDetectionURL") ) {
 				tr = new SeekerReader().parse(fileToParse);
-			}
-		}
+			} else if ( line1.contains("CWE") && line1.contains("URL") ) {		
+				tr = new CheckmarxIASTReader().parse(fileToParse);
+			} else System.out.println("Error: No matching parser found for CSV file: " + filename);
+        	}
 
 		else if ( filename.endsWith( ".ozasmt" ) ) {
 			tr = new AppScanSourceReader().parse( fileToParse );
@@ -666,7 +667,7 @@ else if ( filename.endsWith( ".json" ) ) {
 				tr = new CoverityReader().parse( fileToParse );
 			} else if ( line2.contains("Vendor") && line2.contains("Checkmarx") ) {
 				tr = new CheckmarxESReader().parse( fileToParse );
-			}
+			} else System.out.println("Error: No matching parser found for JSON file: " + filename);
 		}
 
 		else if ( filename.endsWith( ".sarif" ) ) {
@@ -1437,4 +1438,4 @@ private static Document getXMLDocument( File f ) throws Exception {
         return doc;
 	}
 
-}
+}

src/main/java/org/owasp/benchmark/score/parsers/CheckmarxIASTReader.java

@@ -46,28 +46,28 @@ private static int cweLookup(String checkerKey)
       case "CORS":
         return 346; // CORS
       case "CSRF":
-        return 352; // CSRF 
+        return 352; // CSRF
       case "Debug_Mode_Enabled":
         return 215; // Debug_Mode_Enabled
       case "Deserialize_Vulnerability":
-        return 502; // Deserialize_Vulnerability 
+        return 502; // Deserialize_Vulnerability
       case "Failed_Login_Without_Audit":
         return 778; // Failed_Login_Without_Audit
       case "File_Upload_To_Unprotected_Directory":
-        return 434; // File_Upload_To_Unprotected_Directory 
+        return 434; // File_Upload_To_Unprotected_Directory
       case "Improper_HTTP_Get_Usage":
-        return 650; // Improper_HTTP_Get_Usage 
+        return 650; // Improper_HTTP_Get_Usage
       case "Insecure_Cookie":
       case "Session_Id_Disclosure": //CxIAST does not define but it is same as Insecure_Cookie YE
         return 614; // Insecure_Cookie
       case "Insecure_Outgoing_Communication":
         return 311; // Insecure_Outgoing_Communication
       case "Insufficient_Session_Expiration":
-        return 613; // Insufficient_Session_Expiration 
+        return 613; // Insufficient_Session_Expiration
       case "LDAP_Injection":
-        return 90; // LDAP_Injection 
+        return 90; // LDAP_Injection
       case "Least_Privilege_Violation":
-        return 250; // Least_Privilege_Violation 
+        return 250; // Least_Privilege_Violation
       case "Log_Forging":
         return 117;
       case "Missing_X_Content_Type_Options_Header":
@@ -149,7 +149,7 @@ public TestResults parse(File f) throws Exception
         //"BenchmarkTest00000" - "BenchmarkTest99999"
             tcr.setNumber(Integer.parseInt(testCase.substring(testCase.length()-5, testCase.length())));
             if (tcr.getCWE() != 0)
-            {      
+            {
                  tr.put(tcr);
             }
 //      System.out.println(testCase+" "+tcr.getCWE()+" "+tcr.getCategory()); // For debugging YE

tools/Contrast/readme.txt

@@ -1,4 +1,4 @@
-DISCLAIMER: OWASP does not endorse any commercial tools, including this one. Benchmark support for this tool is simply for user convienience and should not be considered an endorsement of this tool.
+DISCLAIMER: OWASP does not endorse any commercial tools, including this one. Benchmark support for this tool is simply for user convenience and should not be considered an endorsement of this tool.
 
 Contrast is a commercial tool. If you are interested in running Contrast on the Benchmark, you'll have to get a license for it from the vendor just like you would for any commercial tool. Once you have it, you need to place the contrast.jar file in this directory in order to run the Benchmark with Contrast using one of the runBenchmark_wContrast scripts, and then crawl the Benchmark to generate scan results with one of the runCrawler scripts.
 

tools/CxIAST/readme.txt

@@ -0,0 +1,5 @@
+DISCLAIMER: OWASP does not endorse any commercial tools, including this one. Benchmark support for this tool is simply for user convenience and should not be considered an endorsement of this tool.
+
+Checkmarx IAST is a commercial tool. If you are interested in running Contrast on the Benchmark, you'll have to get a license for it from the vendor just like you would for any commercial tool. Once you have it, you need to unzip the cxiast-java-agent.zip file in this directory in order to run the Benchmark with Checkmarx IAST using one of the runBenchmark_wCxIAST scripts, and then crawl the Benchmark to generate scan results with one of the runCrawler scripts.
+
+See the Tool Scanning Tips page at OWASP (https://www.owasp.org/index.php/Benchmark#tab=Tool_Scanning_Tips) for the latest instructions on how to scan the Benchmark with any vulnerability detection tool, including Checkmarx IAST.

tools/CxIAST/runBenchmark_wCxIAST.bat

@@ -0,0 +1,28 @@
+@ECHO OFF
+IF EXIST .\cx-launcher.jar (
+  IF EXIST .\iast_cache (
+      rmdir /q /s .\iast_cache
+
+      IF EXIST .\logs (
+        rmdir /q /s .\logs
+      )
+
+      ECHO ""
+
+      ECHO Previous Checkmarx IAST results have been removed
+
+      ECHO ""
+  )
+    CD ..\..
+
+    CALL mvn clean package cargo:run -Pdeploywcxiast
+
+    CD tools\CxIAST
+
+) ELSE (
+    ECHO Checkmarx IAST is a commercial product, so you need a licensed version of Checkmarx IAST in order to run it on the Benchmark. If you have access to Checkmarx IAST and want to run the Benchmark against it you will have to:
+    ECHO   *  download the CxIAST Agent for Java ^(cxiast-java-agent.zip^) from the Server;
+    ECHO   *  put it into the /tools/CxIAST folder;
+    ECHO   *  unzip it; and then
+    ECHO   *  rerun this script.
+)

tools/CxIAST/runBenchmark_wCxIAST.sh

@@ -0,0 +1,35 @@
+#!/bin/sh
+
+if [ -f ./cx-launcher.jar ]; then
+
+  if [ -d ./iast_cache ]; then
+
+    rm -r ./iast_cache
+
+    if [ -d ./logs ]; then
+
+      rm -r ./logs
+
+    fi
+
+    echo ""
+    echo "Previous Checkmarx IAST results in tools/CxIAST removed"
+    echo ""
+
+  fi
+
+  cd ../..
+  chmod 755 target/classes/insecureCmd.sh
+  mvn clean package cargo:run -Pdeploywcxiast
+
+  echo "Download Checkmarx IAST report to results directory"
+
+else
+
+  echo "Checkmarx IAST is a commercial product, so you need a licensed version of Checkmarx IAST in order to run it on the Benchmark. If you have access to Checkmarx IAST and want to run the Benchmark against it you will have to:
+    *  download the CxIAST Agent for Java (cxiast-java-agent.zip) from the Server;
+    *  put it into the /tools/CxIAST folder;
+    *  unzip it; and then
+    *  rerun this script."
+
+fi