This is a MAJOR change. This commit rips out all the utilities included with Benchmark to score it, run crawlers on it, etc. Those utilities are now in a seperate project called BenchmarkUtils. BenchmarkUtils produces a maven plugin that is now used by all the scoring and crawling scripts updated in this commit. You have to clone BenchmarkUtils, then run: mvn install, to get the plugin (which is built and installed locally).

Author: davewichers

.gitignore

@@ -3,14 +3,15 @@
 .classpath
 .project
 .settings/
+.idea/
+*.iml
+
+data/out.csv
 reports/
+scripts/SonarQubeCredentials.sh
 target/
 testfiles/
 tools/Contrast/contrast.jar
 tools/Contrast/contrast.yaml
 tools/Contrast/working/
 
-.idea/
-*.iml
-
-scripts/SonarQubeCredentials.sh

createAnonScorecards.sh

@@ -1,2 +1,3 @@
-mvn validate -Pscorecard -Dexec.args="-cr anonymousScoringConfig.yaml"
+source "scripts/verifyBenchmarkPluginAvailable.sh"
+mvn -Djava.awt.headless=true org.owasp:benchmarkutils-maven-plugin:create-scorecard -DconfigFile=data/anonymousScoringConfig.yaml
 

createScorecards.bat

@@ -1,2 +1,4 @@
-call mvn validate -Pscorecard
+# source "scripts/verifyBenchmarkPluginAvailable.sh" - Don't have .bat version of this (yet)
+#mvn -Djava.awt.headless=true org.owasp:benchmarkutils-maven-plugin:create-scorecard -DconfigFile=config/score_v1.3config.yaml
+call mvn -Djava.awt.headless=true org.owasp:benchmarkutils-maven-plugin:create-scorecard
 

createScorecards.sh

@@ -1,2 +1,4 @@
-mvn validate -Pscorecard
+source "scripts/verifyBenchmarkPluginAvailable.sh"
+#mvn -Djava.awt.headless=true org.owasp:benchmarkutils-maven-plugin:create-scorecard -DconfigFile=config/score_v1.3config.yaml
+mvn -Djava.awt.headless=true org.owasp:benchmarkutils-maven-plugin:create-scorecard
 

data/anonymousScoringConfig.yaml

@@ -0,0 +1,4 @@
+# This configuration simply enables anonymous scoring mode
+
+anonymousmode: true # If true, anonymize names of commercial tools
+

data/benchmark-crawler-http.xml

@@ -25,63 +25,6 @@
     </licenses>
 
     <profiles>
-        <profile>
-            <id>crawler</id>
-            <build>
-                <plugins>
-                    <plugin>
-                        <groupId>org.codehaus.mojo</groupId>
-                        <artifactId>exec-maven-plugin</artifactId>
-                        <version>${version.exec.maven}</version>
-                        <executions>
-                            <execution>
-                                <phase>validate</phase>
-                                <goals>
-                                    <goal>java</goal>
-                                </goals>
-                                <configuration>
-                                    <mainClass>org.owasp.benchmark.tools.BenchmarkCrawler</mainClass>
-                                    <arguments>
-                                        <argument>${addlArg1}</argument> <!-- -f here -->
-                                        <argument>${addlArg2}</argument> <!-- filename here -->
-                                    </arguments>
-                                </configuration>
-                            </execution>
-                        </executions>
-                    </plugin>
-                </plugins>
-            </build>
-        </profile>
-
-        <profile>
-            <id>scorecard</id>
-            <build>
-                <plugins>
-                    <plugin>
-                        <groupId>org.codehaus.mojo</groupId>
-                        <artifactId>exec-maven-plugin</artifactId>
-                        <version>${version.exec.maven}</version>
-                        <executions>
-                            <execution>
-                                <phase>validate</phase>
-                                <goals>
-                                    <goal>java</goal>
-                                </goals>
-                                <configuration>
-                                    <mainClass>org.owasp.benchmark.score.BenchmarkScore</mainClass>
-                                    <systemProperties>
-                                        <systemProperty>
-                                            <key>java.awt.headless</key>
-                                            <value>true</value>
-                                        </systemProperty>
-                                    </systemProperties>
-                                </configuration>
-                            </execution>
-                        </executions>
-                    </plugin>
-                </plugins>
-            </build>
-        </profile>
 
         <profile>
             <id>findsecbugs</id>
@@ -655,30 +598,6 @@
             </build>
         </profile>
 
-        <profile>
-            <id>time</id>
-            <build>
-                <plugins>
-                    <plugin>
-                        <groupId>org.codehaus.mojo</groupId>
-                        <artifactId>exec-maven-plugin</artifactId>
-                        <version>${version.exec.maven}</version>
-                        <executions>
-                            <execution>
-                                <phase>validate</phase>
-                                <goals>
-                                    <goal>java</goal>
-                                </goals>
-                                <configuration>
-                                    <mainClass>org.owasp.benchmark.score.WriteTime</mainClass>
-                                </configuration>
-                            </execution>
-                        </executions>
-                    </plugin>
-                </plugins>
-            </build>
-        </profile>
-
     </profiles>
 
     <dependencies>
@@ -709,13 +628,6 @@
             <version>1.4</version>
         </dependency>
 
-        <dependency>
-            <groupId>commons-io</groupId>
-            <artifactId>commons-io</artifactId>
-            <!-- latest is: <version>2.7</version>, but 2.7+ requires Java 8 -->
-            <version>2.6</version>
-        </dependency>
-
         <dependency>
             <groupId>commons-lang</groupId>
             <artifactId>commons-lang</artifactId>
@@ -730,20 +642,6 @@
             <version>1.7.32</version>
         </dependency>
 
-        <dependency>
-            <groupId>org.apache.commons</groupId>
-            <artifactId>commons-csv</artifactId>
-            <!-- Latest is: <version>1.8</version>, but 1.7+ requires Java 8 -->
-            <version>1.6</version>
-        </dependency>
-
-        <dependency>
-            <groupId>org.apache.commons</groupId>
-            <artifactId>commons-lang3</artifactId>
-            <!-- <version>3.10</version> is latest, but 3.9+ requires Java 8 -->
-            <version>3.8.1</version>
-        </dependency>
-
         <dependency>
             <groupId>org.apache.directory.server</groupId>
             <artifactId>apacheds-core</artifactId>
@@ -902,25 +800,6 @@
             <version>2.3.6</version>
         </dependency>
 
-        <dependency>
-            <groupId>org.jfree</groupId>
-            <artifactId>jcommon</artifactId>
-            <version>1.0.24</version>
-        </dependency>
-
-        <dependency>
-            <groupId>org.jfree</groupId>
-            <artifactId>jfreechart</artifactId>
-            <!-- <version>1.5.1</version> This is latest version, but requires Java 8. 1.5.0 is last version to support Java 7. -->
-            <version>1.5.0</version>
-        </dependency>
-
-        <dependency>
-            <groupId>org.json</groupId>
-            <artifactId>json</artifactId>
-            <version>20201115</version>
-        </dependency>
-
         <dependency>
             <groupId>org.owasp.esapi</groupId>
             <artifactId>esapi</artifactId>
@@ -958,12 +837,6 @@
             <version>${version.springframework}</version>
         </dependency>
 
-        <dependency>
-            <groupId>org.yaml</groupId>
-            <artifactId>snakeyaml</artifactId>
-            <version>1.29</version>
-        </dependency>
-
         <dependency>
             <groupId>xml-apis</groupId>
             <artifactId>xml-apis</artifactId>

pom.xml

@@ -1,2 +1,3 @@
-CALL mvn validate -Pcrawler
+# source "scripts/verifyBenchmarkPluginAvailable.sh" - Don't have .bat version of this (yet)
+CALL mvn org.owasp:benchmarkutils-maven-plugin:run-crawler -DcrawlerFile=data/benchmark-crawler-http.xml
 

runCrawler.bat

@@ -1,3 +1,3 @@
-#!/bin/sh
-mvn validate -Pcrawler
+source "scripts/verifyBenchmarkPluginAvailable.sh"
+mvn org.owasp:benchmarkutils-maven-plugin:run-crawler -DcrawlerFile=data/benchmark-crawler-http.xml
 

runCrawler.sh

@@ -0,0 +1,4 @@
+# This script assumes the owasp-benchmark database has already been initialized by running this first:
+# ../../Tools/codeql-home/codeql/codeql database create owasp-benchmark --language=java
+../../Tools/codeql-home/codeql/codeql database analyze owasp-benchmark java-code-scanning.qls --format=sarifv2.1.0 --output=results/Benchmark_1.2-codeql_java-code-scanning_qls.sarif
+