This is a MAJOR change. This commit rips out all the utilities included with Benchmark to score it, run crawlers on it, etc. Those utilities are now in a seperate project called BenchmarkUtils. BenchmarkUtils produces a maven plugin that is now used by all the scoring and crawling scripts updated in this commit. You have to clone BenchmarkUtils, then run: mvn install, to get the plugin (which is built and installed locally).

Author: davewichers

.gitignore

@@ -3,14 +3,15 @@
 .classpath
 .project
 .settings/
+.idea/
+*.iml
+
+data/out.csv
 reports/
+scripts/SonarQubeCredentials.sh
 target/
 testfiles/
 tools/Contrast/contrast.jar
 tools/Contrast/contrast.yaml
 tools/Contrast/working/
 
-.idea/
-*.iml
-
-scripts/SonarQubeCredentials.sh

createAnonScorecards.sh

@@ -1,2 +1,3 @@
-mvn validate -Pscorecard -Dexec.args="-cr anonymousScoringConfig.yaml"
+source "scripts/verifyBenchmarkPluginAvailable.sh"
+mvn -Djava.awt.headless=true org.owasp:benchmarkutils-maven-plugin:create-scorecard -DconfigFile=data/anonymousScoringConfig.yaml
 

createScorecards.bat

@@ -1,2 +1,4 @@
-call mvn validate -Pscorecard
+# source "scripts/verifyBenchmarkPluginAvailable.sh" - Don't have .bat version of this (yet)
+#mvn -Djava.awt.headless=true org.owasp:benchmarkutils-maven-plugin:create-scorecard -DconfigFile=config/score_v1.3config.yaml
+call mvn -Djava.awt.headless=true org.owasp:benchmarkutils-maven-plugin:create-scorecard
 

createScorecards.sh

@@ -1,2 +1,4 @@
-mvn validate -Pscorecard
+source "scripts/verifyBenchmarkPluginAvailable.sh"
+#mvn -Djava.awt.headless=true org.owasp:benchmarkutils-maven-plugin:create-scorecard -DconfigFile=config/score_v1.3config.yaml
+mvn -Djava.awt.headless=true org.owasp:benchmarkutils-maven-plugin:create-scorecard
 

data/anonymousScoringConfig.yaml

@@ -0,0 +1,4 @@
+# This configuration simply enables anonymous scoring mode
+
+anonymousmode: true # If true, anonymize names of commercial tools
+

data/benchmark-crawler-http.xml

@@ -25,63 +25,6 @@
     </licenses>
 
     <profiles>
-        <profile>
-            <id>crawler</id>
-            <build>
-                <plugins>
-                    <plugin>
-                        <groupId>org.codehaus.mojo</groupId>
-                        <artifactId>exec-maven-plugin</artifactId>
-                        <version>${version.exec.maven}</version>
-                        <executions>
-                            <execution>
-                                <phase>validate</phase>
-                                <goals>
-                                    <goal>java</goal>
-                                </goals>
-                                <configuration>
-                                    <mainClass>org.owasp.benchmark.tools.BenchmarkCrawler</mainClass>
-                                    <arguments>
-                                        <argument>${addlArg1}</argument> <!-- -f here -->
-                                        <argument>${addlArg2}</argument> <!-- filename here -->
-                                    </arguments>
-                                </configuration>
-                            </execution>
-                        </executions>
-                    </plugin>
-                </plugins>
-            </build>
-        </profile>
-
-        <profile>
-            <id>scorecard</id>
-            <build>
-                <plugins>
-                    <plugin>
-                        <groupId>org.codehaus.mojo</groupId>
-                        <artifactId>exec-maven-plugin</artifactId>
-                        <version>${version.exec.maven}</version>
-                        <executions>
-                            <execution>
-                                <phase>validate</phase>
-                                <goals>
-                                    <goal>java</goal>
-                                </goals>
-                                <configuration>
-                                    <mainClass>org.owasp.benchmark.score.BenchmarkScore</mainClass>
-                                    <systemProperties>
-                                        <systemProperty>
-                                            <key>java.awt.headless</key>
-                                            <value>true</value>
-                                        </systemProperty>
-                                    </systemProperties>
-                                </configuration>
-                            </execution>
-                        </executions>
-                    </plugin>
-                </plugins>
-            </build>
-        </profile>
 
         <profile>
             <id>findsecbugs</id>
@@ -655,30 +598,6 @@
             </build>
         </profile>
 
-        <profile>
-            <id>time</id>
-            <build>
-                <plugins>
-                    <plugin>
-                        <groupId>org.codehaus.mojo</groupId>
-                        <artifactId>exec-maven-plugin</artifactId>
-                        <version>${version.exec.maven}</version>
-                        <executions>
-                            <execution>
-                                <phase>validate</phase>
-                                <goals>
-                                    <goal>java</goal>
-                                </goals>
-                                <configuration>
-                                    <mainClass>org.owasp.benchmark.score.WriteTime</mainClass>
-                                </configuration>
-                            </execution>
-                        </executions>
-                    </plugin>
-                </plugins>
-            </build>
-        </profile>
-
     </profiles>
 
     <dependencies>
@@ -709,13 +628,6 @@
             <version>1.4</version>
         </dependency>
 
-        <dependency>
-            <groupId>commons-io</groupId>
-            <artifactId>commons-io</artifactId>
-            <!-- latest is: <version>2.7</version>, but 2.7+ requires Java 8 -->
-            <version>2.6</version>
-        </dependency>
-
         <dependency>
             <groupId>commons-lang</groupId>
             <artifactId>commons-lang</artifactId>
@@ -730,20 +642,6 @@
             <version>1.7.32</version>
         </dependency>
 
-        <dependency>
-            <groupId>org.apache.commons</groupId>
-            <artifactId>commons-csv</artifactId>
-            <!-- Latest is: <version>1.8</version>, but 1.7+ requires Java 8 -->
-            <version>1.6</version>
-        </dependency>
-
-        <dependency>
-            <groupId>org.apache.commons</groupId>
-            <artifactId>commons-lang3</artifactId>
-            <!-- <version>3.10</version> is latest, but 3.9+ requires Java 8 -->
-            <version>3.8.1</version>
-        </dependency>
-
         <dependency>
             <groupId>org.apache.directory.server</groupId>
             <artifactId>apacheds-core</artifactId>
@@ -902,25 +800,6 @@
             <version>2.3.6</version>
         </dependency>
 
-        <dependency>
-            <groupId>org.jfree</groupId>
-            <artifactId>jcommon</artifactId>
-            <version>1.0.24</version>
-        </dependency>
-
-        <dependency>
-            <groupId>org.jfree</groupId>
-            <artifactId>jfreechart</artifactId>
-            <!-- <version>1.5.1</version> This is latest version, but requires Java 8. 1.5.0 is last version to support Java 7. -->
-            <version>1.5.0</version>
-        </dependency>
-
-        <dependency>
-            <groupId>org.json</groupId>
-            <artifactId>json</artifactId>
-            <version>20201115</version>
-        </dependency>
-
         <dependency>
             <groupId>org.owasp.esapi</groupId>
             <artifactId>esapi</artifactId>
@@ -958,12 +837,6 @@
             <version>${version.springframework}</version>
         </dependency>
 
-        <dependency>
-            <groupId>org.yaml</groupId>
-            <artifactId>snakeyaml</artifactId>
-            <version>1.29</version>
-        </dependency>
-
         <dependency>
             <groupId>xml-apis</groupId>
             <artifactId>xml-apis</artifactId>

pom.xml

@@ -1,2 +1,3 @@
-CALL mvn validate -Pcrawler
+# source "scripts/verifyBenchmarkPluginAvailable.sh" - Don't have .bat version of this (yet)
+CALL mvn org.owasp:benchmarkutils-maven-plugin:run-crawler -DcrawlerFile=data/benchmark-crawler-http.xml
 

runCrawler.bat

@@ -1,3 +1,3 @@
-#!/bin/sh
-mvn validate -Pcrawler
+source "scripts/verifyBenchmarkPluginAvailable.sh"
+mvn org.owasp:benchmarkutils-maven-plugin:run-crawler -DcrawlerFile=data/benchmark-crawler-http.xml
 

runCrawler.sh

@@ -0,0 +1,4 @@
+# This script assumes the owasp-benchmark database has already been initialized by running this first:
+# ../../Tools/codeql-home/codeql/codeql database create owasp-benchmark --language=java
+../../Tools/codeql-home/codeql/codeql database analyze owasp-benchmark java-code-scanning.qls --format=sarifv2.1.0 --output=results/Benchmark_1.2-codeql_java-code-scanning_qls.sarif
+

scripts/runCodeQL.sh

@@ -0,0 +1,14 @@
+# The full list of java CodeQL query sets is:
+#  tested: java-code-scanning.qls - Standard Code Scanning queries for Java  - This does NOT include Weak Random rule.
+#  tested: java-security-extended.qls - Security-extended queries for Java - Same score.
+##         this one builds on the previous one a litte
+#  tested: java-security-and-quality.qls - Security-and-quality queries for Java - This ONE adds Weak Random rule.
+##         this one builds on the previous one. But detects nothing additional - Also does NOT include Weak Random rule.
+#  tested: java-lgtm.qls - Standard LGTM queries for Java - scores lower than lgtm-full by 1 category (Random)
+#  tested: java-lgtm-full.qls - Standard LGTM queries for Java, including ones not displayed by default - This ONE adds Weak Random rule.
+
+# This script assumes the owasp-benchmark database has already been initialized by running this first:
+# ../../Tools/codeql-home/codeql/codeql database create owasp-benchmark --language=java
+#../../Tools/codeql-home/codeql/codeql database analyze owasp-benchmark java-security-extended.qls --format=sarifv2.1.0 --output=results/Benchmark_1.2-codeql_java-security-extended.sarif
+../../Tools/codeql-home/codeql/codeql database analyze owasp-benchmark java-security-and-quality.qls --format=sarifv2.1.0 --output=results/Benchmark_1.2-codeql_java-security-and-quality.sarif
+

scripts/runCodeQLFull.sh

@@ -1,3 +1,6 @@
+# source "scripts/verifyBenchmarkPluginAvailable.sh" - Don't have .bat version of this (yet)
 # FindBugs is dead, so this specifies the specific (last) version of findbugs. Its version is not defined in the pom.xml file.
-call mvn compile org.codehaus.mojo:findbugs-maven-plugin:3.0.5:findbugs -Dbuildtime.output.csv=true -Dbuildtime.output.csv.file=classes/out.csv
-call mvn validate -Ptime -Dexec.args="findbugs"
+# The buildtime elements when invoking the findbugs-maven-plugin leverage the buildtime extension specified in: .mvn/extensions.xml
+CALL mvn compile org.codehaus.mojo:findbugs-maven-plugin:3.0.5:findbugs -Dbuildtime.output.csv=true -Dbuildtime.output.csv.file=../data/out.csv
+CALL mvn org.owasp:benchmarkutils-maven-plugin:append-time -DtoolName=findbugs
+

scripts/runFindBugs.bat

@@ -1,3 +1,6 @@
 # FindBugs is dead, so this specifies the specific (last) version of findbugs. Its version is not defined in the pom.xml file.
-mvn compile org.codehaus.mojo:findbugs-maven-plugin:3.0.5:findbugs -Dbuildtime.output.csv=true -Dbuildtime.output.csv.file=classes/out.csv
-mvn validate -Ptime -Dexec.args="findbugs"
+source "scripts/verifyBenchmarkPluginAvailable.sh"
+# The buildtime elements when invoking the findbugs-maven-plugin leverage the buildtime extension specified in: .mvn/extensions.xml
+mvn compile org.codehaus.mojo:findbugs-maven-plugin:3.0.5:findbugs -Dbuildtime.output.csv=true -Dbuildtime.output.csv.file=../data/out.csv
+mvn org.owasp:benchmarkutils-maven-plugin:append-time -DtoolName=findbugs
+

scripts/runFindBugs.sh

@@ -1,2 +1,5 @@
-call mvn compile -Pfindsecbugs -Dbuildtime.output.csv=true -Dbuildtime.output.csv.file=classes\out.csv
-call mvn validate -Ptime -Dexec.args="findsecbugs"
+# source "scripts/verifyBenchmarkPluginAvailable.sh" - Don't have .bat version of this (yet)
+# The buildtime elements when invoking the findbugs-maven-plugin leverage the buildtime extension specified in: .mvn/extensions.xml
+CALL mvn compile -Pfindsecbugs -Dbuildtime.output.csv=true -Dbuildtime.output.csv.file=../data/out.csv
+CALL mvn org.owasp:benchmarkutils-maven-plugin:append-time -DtoolName=findsecbugs
+

scripts/runFindSecBugs.bat

@@ -1,2 +1,5 @@
-mvn compile -Pfindsecbugs -Dbuildtime.output.csv=true -Dbuildtime.output.csv.file=classes/out.csv
-mvn validate -Ptime -Dexec.args="findsecbugs"
+source "scripts/verifyBenchmarkPluginAvailable.sh"
+# The buildtime elements when invoking the findbugs-maven-plugin leverage the buildtime extension specified in: .mvn/extensions.xml
+mvn compile -Pfindsecbugs -Dbuildtime.output.csv=true -Dbuildtime.output.csv.file=../data/out.csv
+mvn org.owasp:benchmarkutils-maven-plugin:append-time -DtoolName=findsecbugs
+

scripts/runFindSecBugs.sh

@@ -1,2 +1,5 @@
-call mvn compile pmd:pmd -Dbuildtime.output.csv=true -Dbuildtime.output.csv.file=classes\out.csv
-call mvn validate -Ptime -Dexec.args="pmd"
+# source "scripts/verifyBenchmarkPluginAvailable.sh" - Don't have .bat version of this (yet)
+# The buildtime elements when invoking the findbugs-maven-plugin leverage the buildtime extension specified in: .mvn/extensions.xml
+CALL mvn compile pmd:pmd -Dbuildtime.output.csv=true -Dbuildtime.output.csv.file=../data/out.csv
+CALL mvn org.owasp:benchmarkutils-maven-plugin:append-time -DtoolName=pmd
+

scripts/runPMD.bat

@@ -1,2 +1,5 @@
-mvn compile pmd:pmd -Dbuildtime.output.csv=true -Dbuildtime.output.csv.file=classes/out.csv
-mvn validate -Ptime -Dexec.args="pmd"
+source "scripts/verifyBenchmarkPluginAvailable.sh"
+# The buildtime elements when invoking the findbugs-maven-plugin leverage the buildtime extension specified in: .mvn/extensions.xml
+mvn compile pmd:pmd -Dbuildtime.output.csv=true -Dbuildtime.output.csv.file=../data/out.csv
+mvn org.owasp:benchmarkutils-maven-plugin:append-time -DtoolName=pmd
+

scripts/runPMD.sh

@@ -1,2 +1,5 @@
-call mvn compile spotbugs:spotbugs -Dbuildtime.output.csv=true -Dbuildtime.output.csv.file=classes\out.csv
-call mvn validate -Ptime -Dexec.args="spotbugs"
+# source "scripts/verifyBenchmarkPluginAvailable.sh" - Don't have .bat version of this (yet)
+# The buildtime elements when invoking the findbugs-maven-plugin leverage the buildtime extension specified in: .mvn/extensions.xml
+CALL mvn compile spotbugs:spotbugs -Dbuildtime.output.csv=true -Dbuildtime.output.csv.file=../data/out.csv
+CALL mvn org.owasp:benchmarkutils-maven-plugin:append-time -DtoolName=spotbugs
+

scripts/runSpotBugs.bat

@@ -1,2 +1,5 @@
-mvn compile spotbugs:spotbugs -Dbuildtime.output.csv=true -Dbuildtime.output.csv.file=classes/out.csv
-mvn validate -Ptime -Dexec.args="spotbugs"
+source "scripts/verifyBenchmarkPluginAvailable.sh"
+# The buildtime elements when invoking the findbugs-maven-plugin leverage the buildtime extension specified in: .mvn/extensions.xml
+mvn compile spotbugs:spotbugs -Dbuildtime.output.csv=true -Dbuildtime.output.csv.file=../data/out.csv
+mvn org.owasp:benchmarkutils-maven-plugin:append-time -DtoolName=spotbugs
+

scripts/runSpotBugs.sh

@@ -0,0 +1,3 @@
+#a This translates the current app, and builds up the rules databases. This only has to be run once after each code change.
+../../Tools/codeql-home/codeql/codeql database create owasp-benchmark --language=java --overwrite
+

scripts/translateCodeQL.sh

@@ -0,0 +1,17 @@
+# Verify the benchmarkutils plugin is installed. And if not, explain how to install it
+mvn -Djava.awt.headless=true -Dplugin=org.owasp:benchmarkutils-maven-plugin help:describe 2>&1 >/dev/null
+
+if [ $? -ne 0 ]
+then
+  echo ""
+  echo "!!!WARNING: Required plugin: org.owasp:benchmarkutils-maven-plugin not available."
+  echo "To get and install it, do the following:"
+  echo "  git clone https://github.com/OWASP-Benchmark/BenchmarkUtils.git"
+  echo "  cd BenchmarkUtils"
+  echo "  mvn install"
+  echo ""
+  echo "This installs the plugin in your local Maven repo, and it can then be used from anywhere."
+  echo ""
+  exit -1
+fi
+