Add capability to generate anonymous commercial averages as part of scorecard generation.

And include such results for 6 commercial SAST tools against v1.1 of the Benchmark.

Author: davewichers

scorecard/Benchmark_v1.2beta_Scorecard_for_Command_Injection.html renamed to scorecard/Benchmark_v1.1,1.2beta_Scorecard_for_Command_Injection.html

@@ -33,36 +33,37 @@
     <nav class="navbar navbar-inverse navbar-fixed-top">
       <div class="container-fluid">
         <div class="navbar-header">
-          <a class="navbar-brand" href="OWASP_Benchmark_Home.html">OWASP Benchmark v1.2beta</a>
+          <a class="navbar-brand" href="OWASP_Benchmark_Home.html">OWASP Benchmark v1.1,1.2beta</a>
         </div>
         <div id="navbar" class="navbar-collapse collapse">
           <ul class="nav navbar-nav navbar-right">
             <li><a href="OWASP_Benchmark_Home.html">Home</a></li>
 			<li class="dropdown">
 	          <a href="#" class="dropdown-toggle" data-toggle="dropdown" role="button" aria-haspopup="true" aria-expanded="false">Tools<span class="caret"></span></a>
 	          <ul class="dropdown-menu">
-            <li><a href="Benchmark_v1.2beta_Scorecard_for_FBwFindSecBugs.html">FBwFindSecBugs</a></li>
-            <li><a href="Benchmark_v1.2beta_Scorecard_for_FindBugs.html">FindBugs</a></li>
-            <li><a href="Benchmark_v1.2beta_Scorecard_for_OWASP_ZAP.html">OWASP ZAP</a></li>
-            <li><a href="Benchmark_v1.2beta_Scorecard_for_PMD.html">PMD</a></li>
-            <li><a href="Benchmark_v1.2beta_Scorecard_for_SonarQube.html">SonarQube</a></li>
+<li><a href="Benchmark_v1.2beta_Scorecard_for_FBwFindSecBugs.html">FBwFindSecBugs</a></li>
+<li><a href="Benchmark_v1.2beta_Scorecard_for_FindBugs.html">FindBugs</a></li>
+<li><a href="Benchmark_v1.2beta_Scorecard_for_OWASP_ZAP.html">OWASP ZAP</a></li>
+<li><a href="Benchmark_v1.2beta_Scorecard_for_PMD.html">PMD</a></li>
+<li><a href="Benchmark_v1.2beta_Scorecard_for_SonarQube.html">SonarQube</a></li>
+<li><a href="Benchmark_v1.1,1.2beta_Scorecard_for_Commercial_Tools.html">Commercial Average</a></li>
 
 	          </ul>
 	        </li>
 			<li class="dropdown">
 	          <a href="#" class="dropdown-toggle" data-toggle="dropdown" role="button" aria-haspopup="true" aria-expanded="false">Vulnerabilities<span class="caret"></span></a>
 	          <ul class="dropdown-menu">
-            <li><a href="Benchmark_v1.2beta_Scorecard_for_Command_Injection.html">Command Injection</a></li>
-            <li><a href="Benchmark_v1.2beta_Scorecard_for_Cross-Site_Scripting.html">Cross-Site Scripting</a></li>
-            <li><a href="Benchmark_v1.2beta_Scorecard_for_Insecure_Cookie.html">Insecure Cookie</a></li>
-            <li><a href="Benchmark_v1.2beta_Scorecard_for_LDAP_Injection.html">LDAP Injection</a></li>
-            <li><a href="Benchmark_v1.2beta_Scorecard_for_Path_Traversal.html">Path Traversal</a></li>
-            <li><a href="Benchmark_v1.2beta_Scorecard_for_SQL_Injection.html">SQL Injection</a></li>
-            <li><a href="Benchmark_v1.2beta_Scorecard_for_Trust_Boundary_Violation.html">Trust Boundary Violation</a></li>
-            <li><a href="Benchmark_v1.2beta_Scorecard_for_Weak_Encryption_Algorithm.html">Weak Encryption Algorithm</a></li>
-            <li><a href="Benchmark_v1.2beta_Scorecard_for_Weak_Hash_Algorithm.html">Weak Hash Algorithm</a></li>
-            <li><a href="Benchmark_v1.2beta_Scorecard_for_Weak_Random_Number.html">Weak Random Number</a></li>
-            <li><a href="Benchmark_v1.2beta_Scorecard_for_XPath_Injection.html">XPath Injection</a></li>
+            <li><a href="Benchmark_v1.1,1.2beta_Scorecard_for_Command_Injection.html">Command Injection</a></li>
+            <li><a href="Benchmark_v1.1,1.2beta_Scorecard_for_Cross-Site_Scripting.html">Cross-Site Scripting</a></li>
+            <li><a href="Benchmark_v1.1,1.2beta_Scorecard_for_Insecure_Cookie.html">Insecure Cookie</a></li>
+            <li><a href="Benchmark_v1.1,1.2beta_Scorecard_for_LDAP_Injection.html">LDAP Injection</a></li>
+            <li><a href="Benchmark_v1.1,1.2beta_Scorecard_for_Path_Traversal.html">Path Traversal</a></li>
+            <li><a href="Benchmark_v1.1,1.2beta_Scorecard_for_SQL_Injection.html">SQL Injection</a></li>
+            <li><a href="Benchmark_v1.1,1.2beta_Scorecard_for_Trust_Boundary_Violation.html">Trust Boundary Violation</a></li>
+            <li><a href="Benchmark_v1.1,1.2beta_Scorecard_for_Weak_Encryption_Algorithm.html">Weak Encryption Algorithm</a></li>
+            <li><a href="Benchmark_v1.1,1.2beta_Scorecard_for_Weak_Hash_Algorithm.html">Weak Hash Algorithm</a></li>
+            <li><a href="Benchmark_v1.1,1.2beta_Scorecard_for_Weak_Random_Number.html">Weak Random Number</a></li>
+            <li><a href="Benchmark_v1.1,1.2beta_Scorecard_for_XPath_Injection.html">XPath Injection</a></li>
 
 	          </ul>
 	        </li>
@@ -82,13 +83,27 @@
 <h3>OWASP Benchmark Scorecard for Command Injection</h3>
 
 <p>The OWASP Benchmark is a test suite designed to evaluate the speed, coverage, and accuracy of automated vulnerability detection tools. Without the ability to measure these tools, 
-it is difficult to understand their strengths and weaknesses, and compare them to each other. The Benchmark contains over 20,000 test cases that are fully runnable and exploitable. 
-The following is the scorecard showing how well all the tools perform against Command Injection in version 1.2beta of the Benchmark. It shows how well each tool finds true positives and 
+it is difficult to understand their strengths and weaknesses, and compare them to each other. The Benchmark contains thousands of test cases that are fully runnable and exploitable. 
+The following is the scorecard showing how well all the tools perform against Command Injection in version 1.1,1.2beta of the Benchmark. It shows how well each tool finds true positives and 
 avoids false positives for that type of vulnerability in the Benchmark test cases.</p>
 
 <p>For more information, please visit the <a href="https://www.owasp.org/index.php/Benchmark">OWASP Benchmark Project Site</a>.
 
-<img src='Benchmark_v1.2beta_Scorecard_for_Command_Injection.png' />
+<img src='Benchmark_v1.1,1.2beta_Scorecard_for_Command_Injection.png' />
+
+<p>
+<p>
+
+<h2>Detailed Results Per Tool for Command Injection</h2>
+<table class="table">
+<tr><th>Tool</th><th>Benchmark Version</th><th>TP</th><th>FN</th><th>TN</th><th>FP</th><th>Total</th><th>TPR</th><th>FPR</th><th>Score</th></tr>
+<tr class="danger"><td>FBwFindSecBugs</td><td>1.2beta</td><td>93</td><td>33</td><td>30</td><td>95</td><td>251</td><td>73.81%</td><td>76.00%</td><td>-2.19%</td></tr>
+<tr class="danger"><td>FindBugs</td><td>1.2beta</td><td>0</td><td>126</td><td>125</td><td>0</td><td>251</td><td>0.00%</td><td>0.00%</td><td>0.00%</td></tr>
+<tr ><td>OWASP ZAP</td><td>1.2beta</td><td>44</td><td>82</td><td>125</td><td>0</td><td>251</td><td>34.92%</td><td>0.00%</td><td>34.92%</td></tr>
+<tr class="danger"><td>PMD</td><td>1.2beta</td><td>0</td><td>126</td><td>125</td><td>0</td><td>251</td><td>0.00%</td><td>0.00%</td><td>0.00%</td></tr>
+<tr class="danger"><td>SonarQube</td><td>1.2beta</td><td>107</td><td>19</td><td>16</td><td>109</td><td>251</td><td>84.92%</td><td>87.20%</td><td>-2.28%</td></tr>
+</tr>
+</table>
 
 <p>
 <p>
@@ -117,7 +132,7 @@ <h2>Key</h2>
 
 <tr>
 <th>True Positive Rate (TPR) = TP / ( TP + FN )</th>
-<td>The rate at which the tool correctly reports real vulnerabilities. Also referred to as Precision, as defined at 
+<td>The rate at which the tool correctly reports real vulnerabilities. Also referred to as Recall, as defined at 
 <a href="https://en.wikipedia.org/wiki/Precision_and_recall">Wikipedia</a>.</td>
 </tr>
 

scorecard/Benchmark_v1.1,1.2beta_Scorecard_for_Commercial_Tools.html

@@ -0,0 +1,173 @@
+<!DOCTYPE html>
+<html lang="en">
+  <head>
+    <meta charset="utf-8">
+    <meta http-equiv="X-UA-Compatible" content="IE=edge">
+    <meta name="viewport" content="width=device-width, initial-scale=1">
+    <!-- The above 3 meta tags *must* come first in the head; any other head content must come *after* these tags -->
+    <meta name="description" content="">
+    <meta name="author" content="">
+    <link rel="icon" href="../../favicon.ico">
+
+    <title>Commercial Tools Scorecard</title>
+
+    <!-- Bootstrap core CSS -->
+    <link href="content/css/bootstrap.min.css" rel="stylesheet">
+
+    <!-- Custom styles for this template -->
+    <link href="content/dashboard.css" rel="stylesheet">
+
+    <!-- Just for debugging purposes. Don't actually copy these 2 lines! -->
+    <!--[if lt IE 9]><script src="../../assets/js/ie8-responsive-file-warning.js"></script><![endif]-->
+    <script src="content/js/ie-emulation-modes-warning.js"></script>
+
+    <!-- HTML5 shim and Respond.js for IE8 support of HTML5 elements and media queries -->
+    <!--[if lt IE 9]>
+      <script src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js"></script>
+      <script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script>
+    <![endif]-->
+  </head>
+
+  <body>
+
+    <nav class="navbar navbar-inverse navbar-fixed-top">
+      <div class="container-fluid">
+        <div class="navbar-header">
+          <a class="navbar-brand" href="OWASP_Benchmark_Home.html">OWASP Benchmark v1.1,1.2beta</a>
+        </div>
+        <div id="navbar" class="navbar-collapse collapse">
+          <ul class="nav navbar-nav navbar-right">
+            <li><a href="OWASP_Benchmark_Home.html">Home</a></li>
+			<li class="dropdown">
+	          <a href="#" class="dropdown-toggle" data-toggle="dropdown" role="button" aria-haspopup="true" aria-expanded="false">Tools<span class="caret"></span></a>
+	          <ul class="dropdown-menu">
+<li><a href="Benchmark_v1.2beta_Scorecard_for_FBwFindSecBugs.html">FBwFindSecBugs</a></li>
+<li><a href="Benchmark_v1.2beta_Scorecard_for_FindBugs.html">FindBugs</a></li>
+<li><a href="Benchmark_v1.2beta_Scorecard_for_OWASP_ZAP.html">OWASP ZAP</a></li>
+<li><a href="Benchmark_v1.2beta_Scorecard_for_PMD.html">PMD</a></li>
+<li><a href="Benchmark_v1.2beta_Scorecard_for_SonarQube.html">SonarQube</a></li>
+<li><a href="Benchmark_v1.1,1.2beta_Scorecard_for_Commercial_Tools.html">Commercial Average</a></li>
+
+	          </ul>
+	        </li>
+			<li class="dropdown">
+	          <a href="#" class="dropdown-toggle" data-toggle="dropdown" role="button" aria-haspopup="true" aria-expanded="false">Vulnerabilities<span class="caret"></span></a>
+	          <ul class="dropdown-menu">
+            <li><a href="Benchmark_v1.1,1.2beta_Scorecard_for_Command_Injection.html">Command Injection</a></li>
+            <li><a href="Benchmark_v1.1,1.2beta_Scorecard_for_Cross-Site_Scripting.html">Cross-Site Scripting</a></li>
+            <li><a href="Benchmark_v1.1,1.2beta_Scorecard_for_Insecure_Cookie.html">Insecure Cookie</a></li>
+            <li><a href="Benchmark_v1.1,1.2beta_Scorecard_for_LDAP_Injection.html">LDAP Injection</a></li>
+            <li><a href="Benchmark_v1.1,1.2beta_Scorecard_for_Path_Traversal.html">Path Traversal</a></li>
+            <li><a href="Benchmark_v1.1,1.2beta_Scorecard_for_SQL_Injection.html">SQL Injection</a></li>
+            <li><a href="Benchmark_v1.1,1.2beta_Scorecard_for_Trust_Boundary_Violation.html">Trust Boundary Violation</a></li>
+            <li><a href="Benchmark_v1.1,1.2beta_Scorecard_for_Weak_Encryption_Algorithm.html">Weak Encryption Algorithm</a></li>
+            <li><a href="Benchmark_v1.1,1.2beta_Scorecard_for_Weak_Hash_Algorithm.html">Weak Hash Algorithm</a></li>
+            <li><a href="Benchmark_v1.1,1.2beta_Scorecard_for_Weak_Random_Number.html">Weak Random Number</a></li>
+            <li><a href="Benchmark_v1.1,1.2beta_Scorecard_for_XPath_Injection.html">XPath Injection</a></li>
+
+	          </ul>
+	        </li>
+            <li><a href="OWASP_Benchmark_Guide.html">Guide</a></li>
+          </ul>
+        </div>
+      </div>
+    </nav>
+
+    <div class="container">
+
+      <div class="starter-template">
+
+<div>empty</div>
+<div>empty</div>
+
+<h3>OWASP Benchmark Scorecard for Commercial Tools</h3>
+ 
+<p>The OWASP Benchmark is a test suite designed to evaluate the speed, coverage, and accuracy of automated vulnerability detection tools. Without the ability to measure these tools, 
+it is difficult to understand their strengths and weaknesses, and compare them to each other. The Benchmark contains thousands of test cases that are fully runnable and exploitable. 
+The following is the scorecard showing how well the commercial tools collectively performed against version 1.1,1.2beta of the Benchmark. For each vulnerability
+it shows the lowest, average, and highest scores across all the commercial tools included in this scorecard calculation.</p>
+
+<p>For more information, please visit the <a href="https://www.owasp.org/index.php/Benchmark">OWASP Benchmark Project Site</a>.
+
+<p>
+<p>
+
+<h2>Average Scores Per Vulnerability for Commercial Tools</h2>
+<table class="table">
+<tr><th>Vulnerability Category</th><th>Low Tool Type</th><th>Low Score</th><th>Ave Score</th><th>High Score</th><th>High Tool Type</th></tr>
+<tr><td>Command Injection</td><td>SAST</td><td class="danger">0</td><td>16</td><td class="danger">25</td><td>SAST</td></tr>
+<tr><td>Cross-Site Scripting</td><td>SAST</td><td class="danger">9</td><td>22</td><td class="danger">39</td><td>SAST</td></tr>
+<tr><td>Insecure Cookie</td><td>SAST</td><td class="danger">0</td><td>33</td><td class="success">100</td><td>SAST</td></tr>
+<tr><td>LDAP Injection</td><td>SAST</td><td class="danger">0</td><td>17</td><td class="success">54</td><td>SAST</td></tr>
+<tr><td>Path Traversal</td><td>SAST</td><td class="danger">1</td><td>18</td><td class="danger">30</td><td>SAST</td></tr>
+<tr><td>SQL Injection</td><td>SAST</td><td class="danger">9</td><td>24</td><td class="danger">34</td><td>SAST</td></tr>
+<tr><td>Trust Boundary Violation</td><td>SAST</td><td class="danger">0</td><td>8</td><td class="danger">16</td><td>SAST</td></tr>
+<tr><td>Weak Encryption Algorithm</td><td>SAST</td><td class="danger">0</td><td>39</td><td class="success">74</td><td>SAST</td></tr>
+<tr><td>Weak Hash Algorithm</td><td>SAST</td><td class="danger">0</td><td>42</td><td class="success">77</td><td>SAST</td></tr>
+<tr><td>Weak Random Number</td><td>SAST</td><td class="danger">0</td><td>36</td><td class="success">90</td><td>SAST</td></tr>
+<tr><td>XPath Injection</td><td>SAST</td><td class="danger">0</td><td>27</td><td class="success">59</td><td>SAST</td></tr>
+<tr><td>Average across all categories for 6 tools</td><td></td><td>1.7</td><td>25.6</td><td>54.4</td><td></td></tr>
+
+
+<p>
+<p>
+
+<h2>Key</h2>
+<table class="table">
+<tr>
+<th>Tool Type</th>
+<td>SAST - Static Application Security Testing.  DAST - Dynamic Application Security Testing.  
+IAST - Interactive Application Security Testing. These terms were coined by Gartner.</td>
+</tr>
+
+<tr>
+<th>True Positive (TP)</th>
+<td>Tests with real vulnerabilities that were correctly reported as vulnerable by the tool.</td>
+</tr>
+
+<tr>
+<th>False Negative (FN)</th>
+<td>Tests with real vulnerabilities that were not correctly reported as vulnerable by the tool.</td>
+</tr>
+
+<tr>
+<th>True Negative (TN)</th>
+<td>Tests with fake vulnerabilities that were correctly not reported as vulnerable by the tool.</td>
+</tr>
+
+<tr>
+<th>False Positive (FP)</th>
+<td>Tests with fake vulnerabilities that were incorrectly reported as vulnerable by the tool.</td>
+</tr>
+
+<tr>
+<th>True Positive Rate (TPR) = TP / ( TP + FN )</th>
+<td>The rate at which the tool correctly reports real vulnerabilities. Also referred to as Recall, as defined at 
+<a href="https://en.wikipedia.org/wiki/Precision_and_recall">Wikipedia</a>.</td>
+</tr>
+
+<tr>
+<th>False Positive Rate (FPR) = FP / ( FP + TN )</th>
+<td>The rate at which the tool incorrectly reports fake vulnerabilities as real.</td>
+</tr>
+
+<tr>
+<th>Score = TPR - FPR</th>
+<td>Normalized distance from the random guess line.</td>
+</tr>
+
+</table>
+
+      </div>
+
+    </div><!-- /.container -->
+
+	<!-- Bootstrap core JavaScript
+    ================================================== -->
+    <!-- jQuery (necessary for Bootstrap's JavaScript plugins) -->
+    <script src="https://ajax.googleapis.com/ajax/libs/jquery/1.11.3/jquery.min.js"></script>
+    <!-- Include all compiled plugins (below), or include individual files as needed -->
+    <script src="content/js/bootstrap.min.js"></script>
+  </body>
+</html>
+