Significantly enhance scorecard generator:

  1) Add commercial average score calculation
  2) Add ability to create anonymous scorecards for commercial tools
  3) Add ability to suppress commercial tool scorecards and only include the commercial average
  4) Add details table to Home and Vulnerability pages

Author: davewichers

src/main/java/org/owasp/benchmark/score/BenchmarkScore.java

@@ -20,9 +20,9 @@
 
 public class Counter {
 
-	public double tp = 0;
-	public double fn = 0;
-	public double tn = 0;
-	public double fp = 0;
+	public int tp = 0;
+	public int fn = 0;
+	public int tn = 0;
+	public int fp = 0;
 
 }

src/main/java/org/owasp/benchmark/score/parsers/Counter.java

@@ -19,33 +19,26 @@
 package org.owasp.benchmark.score.parsers;
 
 public class OverallResult {
-	public String category;
-	public double tpr;
-	public double fpr;
-	public int total;
-	public double score;
+	public final String category;
+	public final double truePositiveRate;
+	public final double falsePositiveRate;
+	public final int total;
+	public final double score;
 
+	/**
+	 * The overall results for a single vulnerability category for a single tool.
+	 * @param category - The vulnerability category.
+	 * @param tpr - The true positive rate
+	 * @param fpr - The false positive rate
+	 * @param total - The total number of TP, FP, TN, FN in this category 
+	 * @param score - The tool's score in this category
+	 */
 	public OverallResult( String category, double tpr, double fpr, int total, double score) {
 		this.category = category;
-		this.tpr = tpr;
-		this.fpr = fpr;
+		this.truePositiveRate = tpr;
+		this.falsePositiveRate = fpr;
 		this.total = total;
 		this.score = score;
 	}
-
-	public String getCategory() {
-	    return category;
-	}
 
-    public double getFalsePositiveRate() {
-        return fpr;
-    }
-
-    public double getTruePositiveRate() {
-        return tpr;
-    }
-
-    public double getScore() {
-        return score;
-    }
 }

src/main/java/org/owasp/benchmark/score/parsers/OverallResult.java

@@ -31,12 +31,15 @@
 public class OverallResults {
 
 	private Map<String,OverallResult> map = new TreeMap<String,OverallResult>();
-	private double score = 0;
+	private double score = 0;  // The overall score for this tool
+	private int total = 0; // The total number of TP, FP, FN, TN across all test cases for this tool.
 
 	// The overall True and False positive rates for this tool. These are values between 1 and 0.
 	private double TPRate = 0;
 	private double FPRate = 0;
 
+	private Counter findingCounts;
+	
     private String time = "Unknown";
 
 	public void add( String category, double tpr, double fpr, int total, double score ) {
@@ -110,6 +113,22 @@ public void setFalsePositiveRate(double rate) {
         this.FPRate = rate;
     }
 
+    /**
+     * Returns the total number of test cases processed with this tool.
+     * @return The total.
+     */
+    public int getTotal() {
+        return total;
+    }
+    
+    /**
+     * Set the total number of test cases processed with this tool.
+     * @param The total.
+     */
+    public void setTotal( int total ) {
+        this.total = total;
+    }
+
     /**
      * Returns the amount of time it took to run a scan of the Benchmark with this tool.
      * @return The Benchmark scan time.
@@ -126,4 +145,16 @@ public void setTime( String elapsed ) {
         this.time = elapsed;
     }
 
+    public void setFindingCounts(int tp, int fp, int fn, int tn) {
+    	this.findingCounts = new Counter();
+    	this.findingCounts.tp = tp;
+    	this.findingCounts.fp = fp;
+    	this.findingCounts.fn = fn;
+    	this.findingCounts.tn = tn;
+    }
+    
+    public Counter getFindingCounts() {
+    	return this.findingCounts;
+    }
+    
 }

src/main/java/org/owasp/benchmark/score/parsers/OverallResults.java

@@ -41,7 +41,7 @@ public TestResults parse( File f ) throws Exception {
 	    {
             TestCaseResult tcr = parseSonarQubeFinding( arr.getJSONObject(i) );
             if ( tcr != null ) {
-                // System.out.println( tcr.getNumber() + " " + tcr.getName() + " -> " + tcr.getCWE() + "\t" + tcr.getEvidence() );
+                // System.out.println( tcr.getNumber() + "\t" + tcr.getCWE() + "\t" + tcr.getEvidence() );
                 tr.put( tcr );
             }
 	    }

src/main/java/org/owasp/benchmark/score/parsers/SonarQubeReader.java

@@ -27,28 +27,45 @@
 import java.util.concurrent.TimeUnit;
 
 /*
- * This class contains the actual results for a single tool against the entire Benchmark.
+ * This class contains the actual results for a single tool against the entire Benchmark, or the 
+ * expected results, if its initialized with the expected results file.
  */
 
 public class TestResults {
-    private String tool = "Unknown Tool";
-    private String toolVersion = null;
-	private String time = "Unknown";
-	public boolean isCommercial;
-	public ToolType toolType;
-	private Map<Integer, List<TestCaseResult>> map = new TreeMap<Integer, List<TestCaseResult>>();
+
+	// The types of tools that can generate results
 	public static enum ToolType{
 		SAST,
 		DAST,
 		IAST
 	}
-	public TestResults( String toolname,boolean isCommercial,ToolType toolType) {
+	
+	// The version of the Benchmark these test results are for
+	private String benchmarkVersion = "notSet";
+	
+	private String tool = "Unknown Tool";
+    private String toolVersion = null;
+	private String time = "Unknown";
+	public final boolean isCommercial;
+	public final ToolType toolType;
+	private Map<Integer, List<TestCaseResult>> map = new TreeMap<Integer, List<TestCaseResult>>();
+	
+	public TestResults( String toolname, boolean isCommercial, ToolType toolType) {
 	    this.setTool( toolname );
 	    this.isCommercial = isCommercial;
 	    this.toolType = toolType;
 
 	}
 
+	// Set the Benchmark version number for this specific set of TestResults
+	public void setBenchmarkVersion( String version ) {
+		this.benchmarkVersion = version;
+	}
+	
+	public String getBenchmarkVersion() {
+		return this.benchmarkVersion;
+	}
+	
 	public void put( TestCaseResult tcr ) {
 		List<TestCaseResult> results = map.get( tcr.getNumber() );
 		if ( results == null ) {

src/main/java/org/owasp/benchmark/score/parsers/TestResults.java

@@ -39,7 +39,7 @@ public TestResults parse(File f) throws Exception {
         InputSource is = new InputSource( new FileInputStream(f) );
         Document doc = docBuilder.parse(is);
 
-        TestResults tr = new TestResults( "ZAP", false, TestResults.ToolType.DAST);
+        TestResults tr = new TestResults( "OWASP ZAP", false, TestResults.ToolType.DAST);
 
         // If the filename includes an elapsed time in seconds (e.g., TOOLNAME-seconds.xml), set the compute time on the score card.
         tr.setTime(f);