Update runCodeQL scripts and Dockerfile.

Author: davewichers

VMs/Dockerfile

@@ -1,4 +1,4 @@
-# This dockerfile builds a container that pulls down and runs the latest version of Benchmark
+# This dockerfile builds a container that pulls down and runs the latest version of BenchmarkJava
 FROM ubuntu:latest
 MAINTAINER "Dave Wichers [email protected]"
 

scripts/mvnFortifyTranslate.bat

@@ -1,3 +1,3 @@
 sourceanalyzer -b benchmark -clean
-sourceanalyzer -b benchmark mvn com.fortify.sca.plugins.maven:sca-maven-plugin:translate -Dfortify.sca.source.version=1.7
+sourceanalyzer -b benchmark mvn com.fortify.sca.plugins.maven:sca-maven-plugin:translate -Dfortify.sca.source.version=1.8
 

scripts/runCodeQL.sh

@@ -1,4 +1,15 @@
-# This script assumes the owasp-benchmark database has already been initialized by running this first:
-# ../../Tools/codeql-home/codeql/codeql database create owasp-benchmark --language=java
-../../Tools/codeql-home/codeql/codeql database analyze owasp-benchmark java-code-scanning.qls --format=sarifv2.1.0 --output=results/Benchmark_1.2-codeql_java-code-scanning_qls.sarif
+# The following is based on the instructions at: https://docs.github.com/en/code-security/codeql-cli/getting-started-with-the-codeql-cli/setting-up-the-codeql-cli. Follow the instructions at: Setting up the CodeQL CLI
+
+# Prerequisites:
+# 1) Install codeql in a tools/ directory that is a peer to the folder containing BenchmarkJava. For example, if you have a git/ folder, which contains BenchmarkJava, BenchmarkUtils, etc., then the tools/ folder would be at the same level as the git/ folder.  i.e., relative to BenchmarkJava, it is at ../../tools/code-ql-home.
+# 2) Then the owasp-benchmark database has to be initialized by running this:
+# ../../tools/codeql-home/codeql/codeql database create owasp-benchmark --language=java
+
+# Mac Users: "If you are using macOS on Apple Silicon (for example, Apple M1), ensure that the Xcode command-line developer tools and Rosetta 2 are installed."
+## For Xcode command line, run: xcode-select -p 1>/dev/null;echo $?   - If this returns 0, its installed, if 2, its not installed.
+## For Rosetta 2, run: lsbom -f /Library/Apple/System/Library/Receipts/com.apple.pkg.RosettaUpdateAuto.bom - And if it returns a list of files, it's installed.
+
+
+# This then runs the codeql scan:
+../../tools/codeql-home/codeql/codeql database analyze owasp-benchmark java-code-scanning.qls --format=sarifv2.1.0 --output=results/Benchmark_1.2-codeql_java-code-scanning_qls.sarif
 

scripts/runCodeQLFull.sh

@@ -1,11 +1,9 @@
 # The full list of java CodeQL query sets is:
 #  tested: java-code-scanning.qls - Standard Code Scanning queries for Java  - This does NOT include Weak Random rule.
-#  tested: java-security-extended.qls - Security-extended queries for Java - Same score.
-##         this one builds on the previous one a litte
-#  tested: java-security-and-quality.qls - Security-and-quality queries for Java - This ONE adds Weak Random rule.
-##         this one builds on the previous one. But detects nothing additional - Also does NOT include Weak Random rule.
-#  tested: java-lgtm.qls - Standard LGTM queries for Java - scores lower than lgtm-full by 1 category (Random)
-#  tested: java-lgtm-full.qls - Standard LGTM queries for Java, including ones not displayed by default - This ONE adds Weak Random rule.
+#  tested: java-security-extended.qls - Adds a bunch of rules to previous ruleset.
+#  tested: java-security-and-quality.qls - Adds a bunch of other rules, but scores identical to security-extended ruleset.
+#  tested: java-lgtm.qls - Standard LGTM queries for Java - scores the same as standard java-code-scanning.qls
+#  tested: java-lgtm-full.qls - Standard LGTM queries for Java, including ones not displayed by default. Scores the same as security-extended ruleset.
 
 # This script assumes the owasp-benchmark database has already been initialized by running this first:
 # ../../Tools/codeql-home/codeql/codeql database create owasp-benchmark --language=java