Enhance scorecard generator to move chart key to the right, providing more room on the chart itself.

Add new scorecard parsers for Acunetix, Rapid7, WebInspect, and Contrast.
Add crawler application that will crawl every page in the Benchmark to support IAST tools.
Enhance SonarQube scripts to better tell if sonarqube web app is running when we want to send it results.
Add support for running the Benchmark with monitoring by Contrast (requires separate contrast.jar which isn't provided)
Add scripts for producing the Contrast results file after the Benchmark is crawled by the crawler while being monitored by Contrast.

Author: davewichers

SonarQubeRequest.exe

@@ -0,0 +1 @@
+mvn validate -Pbenchmarkscore -Dexec.args="expectedresults-1.2beta.csv results none anonymous"

createAnonScorecards.sh

@@ -0,0 +1,23 @@
+<?xml version="1.0"?>
+<contrast>
+    <id>default</id>
+    <url>http://example.com/Contrast/s/</url>
+    <local-results mode="always">../../../../forcontrast/findings</local-results>
+    <plugins>
+        <plugin>com.aspectsecurity.contrast.runtime.agent.plugins.security.SecurityPlugin</plugin>
+        <plugin>com.aspectsecurity.contrast.runtime.agent.plugins.architecture.ArchitecturePlugin</plugin>
+        <plugin>com.aspectsecurity.contrast.runtime.agent.plugins.appupdater.ApplicationUpdatePlugin</plugin>
+        <plugin>com.aspectsecurity.contrast.runtime.agent.plugins.sitemap.SitemapPlugin</plugin>
+        <plugin>com.aspectsecurity.contrast.runtime.agent.plugins.frameworks.FrameworkSupportPlugin</plugin>
+        <plugin>com.aspectsecurity.contrast.runtime.agent.plugins.http.HttpPlugin</plugin>
+    </plugins>
+    <capture-stacktraces>NONE</capture-stacktraces>
+    <hotpatches />
+    <sampling>
+        <enabled>false</enabled>
+        <baseline>5</baseline>
+        <request-frequency>10</request-frequency>
+        <response-frequency>50</response-frequency>
+        <window>180</window>
+    </sampling>
+</contrast>

forcontrast/contrast.config

@@ -0,0 +1,13 @@
+#!/bin/sh
+# This script removes ALL the filenames passed to it. It is intended to be used by the prepareContrastResults.sh script to remove all the unnecessary event files in the forcontrast/findings folder.  A script had to be written because simply calling rm APP* didn’t work because the # of parameters to rm was too many.
+# The shift function in this loop drops the first parameter and moves all the remaining parameters down one, allowing you to delete one file at a time.
+#BE CAREFUL if you use it somewhere else.
+
+while (( "$#" )); do
+
+rm $1
+
+shift
+
+done
+

forcontrast/removeUnneededEvents.sh

@@ -8,6 +8,65 @@
 	<name>OWASP Benchmark Project</name>
 	<url>https://www.owasp.org/index.php/Benchmark</url>
 	<profiles>
+		<profile>
+			<id>permute</id>
+			<properties>
+				<skipTests>true</skipTests>
+			</properties>
+			<build>
+				<plugins>
+					<plugin>
+						<artifactId>maven-clean-plugin</artifactId>
+						<version>2.6.1</version>
+						<configuration>
+							<filesets>
+								<fileset>
+									<directory>src/main/java/org/owasp/benchmark/testcode</directory>
+									<includes>
+										<include>**/BenchmarkTest*</include>
+									</includes>
+									<followSymlinks>false</followSymlinks>
+								</fileset>
+								<fileset>
+									<directory>src/main/webapp</directory>
+									<includes>
+										<include>**/BenchmarkTest*</include>
+										<include>**/*Index*</include>
+									</includes>
+									<followSymlinks>false</followSymlinks>
+								</fileset>
+							</filesets>
+						</configuration>
+					</plugin>
+				</plugins>
+			</build>
+		</profile>
+
+		<profile>
+			<id>crawler</id>
+			<build>
+				<plugins>
+					<plugin>
+						<groupId>org.codehaus.mojo</groupId>
+						<artifactId>exec-maven-plugin</artifactId>
+						<version>1.4.0</version>
+						<executions>
+							<execution>
+								<phase>validate</phase>
+								<goals>
+									<goal>java</goal>
+								</goals>
+								<configuration>
+									<mainClass>org.owasp.benchmark.tools.BenchmarkRunner</mainClass>
+								</configuration>
+							</execution>
+						</executions>
+					</plugin>
+				</plugins>
+			</build>
+		</profile>
+
+
 		<profile>
 			<id>benchmarkscore</id>
 			<build>
@@ -130,6 +189,74 @@
 			</build>
 		</profile>
 
+		<profile>
+			<id>deploywcontrast</id>
+			<properties>
+				<skipTests>true</skipTests>
+			</properties>
+			<build>
+				<plugins>
+					<plugin>
+						<artifactId>maven-antrun-plugin</artifactId>
+						<version>1.7</version>
+						<executions>
+							<execution>
+								<id>ldap-server</id>
+								<phase>package</phase>
+								<goals>
+									<goal>run</goal>
+								</goals>
+								<configuration>
+									<target>
+										<ant target="run" antfile="${basedir}/src/config/build.xml">
+											<reference torefid="maven.compile.classpath" refid="maven.compile.classpath" />
+										</ant>
+									</target>
+								</configuration>
+							</execution>
+						</executions>
+					</plugin>
+					<plugin>
+						<groupId>org.codehaus.cargo</groupId>
+						<artifactId>cargo-maven2-plugin</artifactId>
+						<version>1.4.9</version>
+						<configuration>
+							<container>
+								<timeout>300000</timeout>
+								<containerId>tomcat8x</containerId>
+								<zipUrlInstaller>
+									<url>http://archive.apache.org/dist/tomcat/tomcat-8/v8.0.21/bin/apache-tomcat-8.0.21.zip</url>
+								</zipUrlInstaller>
+							</container>
+							<properties>
+									<cargo.jvmargs>-XX:MaxPermSize=6G -Xms1G –Xmx8G</cargo.jvmargs>
+								</properties>
+							<configuration>
+								<properties>
+                                    <cargo.jvmargs>
+                                            -Xmx4G
+                                            -javaagent:${basedir}/forcontrast/contrast.jar=${basedir}/forcontrast/contrast.config
+                                            -Dcontrast.dir=${basedir}/forcontrast/working
+                                            -Dcontrast.saveresults=always
+                                            -Dcontrast.noteamserver.enable=true
+                                            -Dcontrast.teamserver.suppress=true
+                                    </cargo.jvmargs>
+                                    <cargo.servlet.port>8443</cargo.servlet.port>	
+									<cargo.protocol>https</cargo.protocol>
+									<cargo.tomcat.connector.clientAuth>false</cargo.tomcat.connector.clientAuth>
+									<cargo.tomcat.connector.sslProtocol>TLS</cargo.tomcat.connector.sslProtocol>
+									<cargo.tomcat.connector.keystoreFile>../../../../.keystore</cargo.tomcat.connector.keystoreFile>
+									<cargo.tomcat.connector.keystorePass>changeit</cargo.tomcat.connector.keystorePass>
+									<cargo.tomcat.connector.keyAlias>tomcat</cargo.tomcat.connector.keyAlias>
+									<cargo.tomcat.httpSecure>true</cargo.tomcat.httpSecure>
+								</properties>
+							</configuration> 
+						</configuration>
+					</plugin>
+				</plugins>
+			</build>
+		</profile>
+
 		<profile>
 			<id>time</id>
 			<build>
@@ -215,8 +342,21 @@
 		</profile>
 	</profiles>
 
+	<repositories>
+		<repository>
+			<id>jenkins-releases</id>
+			<url>http://repo.jenkins-ci.org/releases/</url>
+		</repository>
+	</repositories>
+
 	<dependencies>
 
+		<dependency>
+			<groupId>org.seleniumhq.selenium</groupId>
+			<artifactId>selenium-server-standalone</artifactId>
+			<version>2.46.0</version>
+		</dependency>
+
 		<dependency>
 			<groupId>org.slf4j</groupId>
 			<artifactId>slf4j-api</artifactId>
@@ -523,31 +663,6 @@
 					</compilerArgs>
 				</configuration>
 			</plugin>
-			<plugin>
-				<groupId>com.internetitem</groupId>
-				<artifactId>write-properties-file-maven-plugin</artifactId>
-				<version>1.0.1</version>
-				<executions>
-					<execution>
-						<id>benchmarkVersion</id>
-						<phase>validate</phase>
-						<goals>
-							<goal>write-properties-file</goal>
-						</goals>
-						<configuration>
-							<filename>build.properties</filename>
-							<outputDirectory>${basedir}/src/main/resources/</outputDirectory>
-							<properties>
-								<property>
-									<name>version</name>
-									<value>${project.version}</value>
-								</property>
-							</properties>
-						</configuration>
-					</execution>
-				</executions>
-			</plugin>
-
 			<!-- FindBugs Static Analysis -->
 			<plugin>
 				<groupId>org.codehaus.mojo</groupId>

pom.xml

@@ -0,0 +1,27 @@
+#!/bin/sh
+
+# TODO - Get the Benchmark version and put that in the file name
+
+if [ -d forcontrast/findings ]; then
+
+  # clean out any APPCREATE, APPUPDATE, and SERVER events out of the Contrast findings directory before zipping everything up
+
+   forcontrast/removeUnneededEvents.sh forcontrast/findings/APP*.xml
+   forcontrast/removeUnneededEvents.sh forcontrast/findings/SERVER*.xml
+
+   echo
+   echo "All unneeded Contrast events removed from forcontrast/findings before zipping them up"
+
+   zip -q -r results/Benchmark_1.2beta-Contrast.zip forcontrast/findings && echo "Contrast findings ZIP file successfully created" || echo "Error creating Contrast findings ZIP file"
+
+   echo "Contrast findings all put into /results folder"
+   echo
+
+else
+
+   echo ""
+   echo "ERROR: The forcontrast/findings directory doesn’t exist. You need to run the runBenchmark_wContrast script first, and then crawl the Benchmark app with runCrawler to generate the Contrast results required by this script."
+   echo ""
+
+fi
+

prepareContrastResults.sh

@@ -0,0 +1,22 @@
+#!/bin/sh
+
+if [ -f forcontrast/contrast.jar ]; then
+
+  if [ -d forcontrast/findings ]; then
+
+    rm -r forcontrast/findings
+    rm -r forcontrast/working
+    echo ""
+    echo "Previous Contrast results in forcontrast/findings removed"
+    echo ""
+
+  fi
+
+  chmod 755 src/main/resources/insecureCmd.sh
+  mvn clean package cargo:run -Pdeploywcontrast
+
+else 
+
+  echo "Given that Contrast is a commercial product, you have to have a licensed version of Contrast in order to run it on the Benchmark. If you have access to Contrast, download the Java 1.5 version of contrast.jar from the Team Server and put it into the /forcontrast folder, and then rerun this script."
+
+fi

runBenchmark_wContrast.sh

@@ -0,0 +1,6 @@
+echo
+echo "NOTE: This crawler requires Firefox. Please install it if you don’t have it already."
+echo "ALSO: This crawler will sometimes stop if Firefox is not the window in focus. Be sure to keep Firefox in the foreground during the entire crawl in order to get the best results."
+echo
+
+call mvn install -Pcrawler

runCrawler.bat

@@ -0,0 +1,8 @@
+#!/bin/sh
+
+echo
+echo "NOTE: This crawler requires Firefox. Please install it if you don’t have it already."
+echo "ALSO: This crawler will sometimes stop if Firefox is not the window in focus. Be sure to keep Firefox in the foreground during the entire crawl in order to get the best results."
+echo
+
+mvn install -Pcrawler

runCrawler.sh

@@ -1,2 +1,7 @@
-call mvn compile sonar:sonar -Dbuildtime.output.csv=true -Dbuildtime.output.csv.file=classes\out.csv -Dsonar.scm.disabled=true -Dsonar.skipDesign=true -Dsonar.cpd.exclusions=**/*.java -Dsonar.importSources=false -Dsonar.exclusions=**/*.xml
-call mvn validate -Ptime -Dexec.args="sonar"
+call mvn compile sonar:sonar -Dbuildtime.output.csv=true -Dbuildtime.output.csv.file=classes\out.csv -Dsonar.scm.disabled=true -Dsonar.skipDesign=true -Dsonar.cpd.exclusions=**/*.java -Dsonar.importSources=false -Dsonar.exclusions=**/*.xml
+@Echo off
+:DoUntil
+for /f %%i in ('SonarQubeRequest.exe') do set done=%%i
+IF NOT %done%==true GOTO DoUntil
+:EndDoUntil
+call mvn validate -Ptime -Dexec.args="sonar"