Add new scorecard generators for Checkmarx and Zap. Prepare for update to 1.2beta release.

Author: davewichers

runBenchmark.bat

@@ -0,0 +1 @@
+call mvn compile verify cargo:run -Pdeploy

runBenchmark.sh

@@ -0,0 +1,4 @@
+#!/bin/sh
+
+chmod 755 src/main/resources/insecureCmd.sh
+mvn clean compile verify cargo:run -Pdeploy

src/config/note.xml

@@ -0,0 +1 @@
+<?xml version="1.0" encoding="UTF-8"?><note><to>Tove</to><from>Jani</from><heading>Reminder</heading><body>Don't forget me this weekend!</body></note>

src/main/java/org/owasp/benchmark/score/BenchmarkScore.java

@@ -41,8 +41,8 @@
 import java.util.TreeMap;
 
 import org.apache.commons.io.FileUtils;
-
 import org.owasp.benchmark.score.parsers.AppscanReader;
+import org.owasp.benchmark.score.parsers.CheckmarxReader;
 import org.owasp.benchmark.score.parsers.Counter;
 import org.owasp.benchmark.score.parsers.CoverityReader;
 import org.owasp.benchmark.score.parsers.FindbugsReader;
@@ -54,6 +54,7 @@
 import org.owasp.benchmark.score.parsers.TestCaseResult;
 import org.owasp.benchmark.score.parsers.TestResults;
 import org.owasp.benchmark.score.parsers.VeracodeReader;
+import org.owasp.benchmark.score.parsers.ZapReader;
 import org.owasp.benchmark.score.report.Report;
 import org.owasp.benchmark.score.report.ScatterScores;
 import org.owasp.benchmark.score.report.ScatterVulns;
@@ -97,11 +98,12 @@ public static void main(String[] args) {
             } else {
                 System.out.println("Deleting previously generated scorecard files in: " + scoreCardDir.getAbsolutePath());
                 FileUtils.cleanDirectory(scoreCardDir);
-                
-                // now copy the entire /content directory, that was just deleted with everything else
-                File dest1 = new File(scoreCardDirName + File.separator + "content");
-                FileUtils.copyDirectory(new File(pathToScorecardResources + "content"), dest1);
             }
+            
+            // now copy the entire /content directory, that either didn't exist, or was just deleted with everything else
+            File dest1 = new File(scoreCardDirName + File.separator + "content");
+            FileUtils.copyDirectory(new File(pathToScorecardResources + "content"), dest1);
+            
         } catch (IOException e) {
             System.out.println("Error dealing with scorecard directory: '" + scoreCardDir.getAbsolutePath() + "' for some reason!");
             e.printStackTrace();
@@ -148,9 +150,12 @@ public static void main(String[] args) {
 			if ( f.isDirectory() ) {
     			for ( File actual : f.listFiles() ) {
     				// Don't confuse the expected results file as an actual results file if its in the same directory
+    				
+    				//actual
     				if (!actual.isDirectory() && !expected.getName().equals(actual.getName()))
-    					process( actual, expectedResults, toolResults );
+    					process( actual, expectedResults, toolResults);
     			}
+    			//expected
 			} else {
 			    process( f, expectedResults, toolResults );
 			}
@@ -210,8 +215,9 @@ private static void process(File f, TestResults expectedResults, List<Report> to
                 OverallResults results = calculateResults( scores );
                 results.setTime( actualResults.getTime() );
 
+                
                 // This generates the report on disk.
-                Report scoreCard = new Report( actualResults, scores, results, expectedResults.totalResults(), actualResultsFileName );
+                Report scoreCard = new Report( actualResults, scores, results, expectedResults.totalResults(), actualResultsFileName,actualResults.isCommercial,true);
 
                 // Add this report to the list of reports
                 toolreports.add(scoreCard);
@@ -353,8 +359,7 @@ private static TestResults readActualResults(File actual) throws Exception {
 
         if ( filename.endsWith(".ozasmt" ) ) {
             tr = new AppscanReader().parse( actual );
-        }
-        
+        }      
 
         else if ( filename.endsWith(".json" ) ) {
             tr = new CoverityReader().parse( actual );
@@ -387,6 +392,14 @@ else if ( line2.startsWith( "<detailedreport")) {
             else if ( line1.startsWith( "<total")) {
                 tr = new SonarReader().parse( actual );
             }
+            
+            else if ( line1.contains( "<OWASPZAPReport") || line2.contains( "<OWASPZAPReport")) {
+                tr = new ZapReader().parse( actual );
+            }
+            
+            else if ( line2.startsWith( "<CxXMLResults")) {
+                tr = new CheckmarxReader().parse( actual );
+            }
 		}
 
 		else if ( filename.endsWith( ".fpr" ) ) {
@@ -505,7 +518,7 @@ private static boolean compare( TestCaseResult exp, List<TestCaseResult> actList
 
 
 	private static TestResults readExpectedResults(File f1) throws Exception {
-		TestResults tr = new TestResults( "Expected" );
+		TestResults tr = new TestResults( "Expected" ,true,null);
 		BufferedReader fr = new BufferedReader( new FileReader( f1 ) );
 		boolean reading = true;
 		while ( reading ) {

src/main/java/org/owasp/benchmark/score/WriteTime.java

@@ -7,8 +7,10 @@
 import java.io.IOException;
 import java.io.InputStreamReader;
 import java.net.HttpURLConnection;
+import java.net.URISyntaxException;
 import java.net.URL;
 import java.util.List;
+import java.util.Properties;
 
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
@@ -278,17 +280,24 @@ public String getToolTime(String toolName) {
 		return "";
 	}
 
-	public String getbenchmarkVersion() throws Exception {
-		String[] results = new String[2];
-		List<String> lines = Utils.getLinesFromFile(Utils.getFileFromClasspath(
-				VERSION_FILE, this.getClass().getClassLoader()));
-		for (String i : lines) {
-			results = i.split("=");
-			// System.out.println(results[1]);
-			return results[1];
+	/**
+	 * Gets the current version of the Benchmark from the benchmark.properties file.
+	 * @return The version # (as a String). An empty string if its not defined in that file.
+	 * @throws Exception
+	 */
+	public String getbenchmarkVersion() { // throws Exception {
+		Properties benchMprops = new Properties();
+		try {
+			File propsFile = new File(this.getClass().getClassLoader().getResource(VERSION_FILE).toURI().getPath());
+			benchMprops.load(new FileInputStream(propsFile));
+			String v = benchMprops.getProperty("version");
+			if (v == null) return "";
+			return v;
+		} catch (IOException | URISyntaxException e) {
+			System.out.println("Can't load version # from properties file.");
+			e.printStackTrace();
+			return "";
 		}
-		return "";
-
 	}
 
 }

src/main/java/org/owasp/benchmark/score/parsers/AppscanReader.java

@@ -50,7 +50,7 @@ public TestResults parse( File f ) throws Exception {
         Map<Integer,String> conf = parsePool( root, "FindingDataPool", "id", "conf", "" );
 		Map<Integer,Set<Integer>> assess = parseAssessments( root );
 
-		TestResults tr = new TestResults( "IBM AppScan Source");
+		TestResults tr = new TestResults( "IBM AppScan Source",true,TestResults.ToolType.SAST);
 
 	    // <AssessmentRun name="webgoat-benchmark_3 - 5/18/15 12:01AM" version="9.0.1.0">
 		String version = getAttributeValue( "version", root );
@@ -85,7 +85,8 @@ public TestResults parse( File f ) throws Exception {
 				TestCaseResult tcr = new TestCaseResult();
 				tcr.setNumber( tn );
 				int vid = Integer.parseInt( finding.get( findingid ) );
-				int confidence = Integer.parseInt( conf.get( findingid ));
+				String confString = conf.get( findingid );
+				int confidence = Integer.parseInt( confString );
 
 				String vtype = vulns.get( vid );
 				tcr.setCategory( vtype );
@@ -94,10 +95,10 @@ public TestResults parse( File f ) throws Exception {
 				tcr.setEvidence( vtype );
 				tcr.setConfidence( confidence );
 
-				// FIXME - include 3's??
-				// if ( confidence != 3 ) {
+				// Exclude 3 and above - apparently these are "scan coverage"
+				if ( confidence < 3 ) {
 				    tr.put(tcr);
-				// }
+				}
 			}
 		}
 		return tr;

src/main/java/org/owasp/benchmark/score/parsers/CheckmarxReader.java

@@ -0,0 +1,124 @@
+/**
+ * OWASP Benchmark Project
+ *
+ * This file is part of the Open Web Application Security Project (OWASP)
+ * Benchmark Project For details, please see
+ * <a href="https://www.owasp.org/index.php/Benchmark">https://www.owasp.org/index.php/Benchmark</a>.
+ *
+ * The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms
+ * of the GNU General Public License as published by the Free Software Foundation, version 2.
+ *
+ * The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details
+ *
+ * @author Dave Wichers <a href="https://www.aspectsecurity.com">Aspect Security</a>
+ * @created 2015
+ */
+
+package org.owasp.benchmark.score.parsers;
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.text.SimpleDateFormat;
+import java.util.List;
+
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+
+import org.w3c.dom.Document;
+import org.w3c.dom.Node;
+import org.w3c.dom.NodeList;
+import org.xml.sax.InputSource;
+
+public class CheckmarxReader extends Reader {
+
+    public TestResults parse(File f) throws Exception {
+        DocumentBuilderFactory docBuilderFactory = DocumentBuilderFactory.newInstance();
+        DocumentBuilder docBuilder = docBuilderFactory.newDocumentBuilder();
+        InputSource is = new InputSource(new FileInputStream(f));
+        Document doc = docBuilder.parse(is);
+
+        TestResults tr = new TestResults( "Checkmarx CxSAST",true, TestResults.ToolType.SAST );
+       
+        // <CxXMLResults DeepLink="http://CHECKMARX2/CxWebClient/ViewerMain.aspx?scanid=52869&amp;projectid=30265"
+        // ScanStart="Monday, July 27, 2015 4:50:08 PM" Preset="Default 2014" ScanTime="13h:54m:20s"
+        // LinesOfCodeScanned="1507279" FilesScanned="21075" ReportCreationTime="Tuesday, July 28, 2015 8:38:30 AM"
+        // Team="CxServer" CheckmarxVersion="7.1.8 HF2" ScanComments="" ScanType="Full" SourceOrigin="LocalPath">
+
+        Node root = doc.getDocumentElement();
+        String version = getAttributeValue( "CheckmarxVersion", root );
+        tr.setToolVersion( version );
+        
+        String time = getAttributeValue("ScanTime", root);
+        tr.setTime( time );
+        
+        List<Node> queryList = getNamedChildren( "Query", root );
+
+        for ( Node query : queryList ) {            
+            List<Node> resultList = getNamedChildren( "Result", query );
+            for ( Node result : resultList ) {
+                TestCaseResult tcr = parseCheckmarxVulnerability(query, result);
+                if (tcr != null ) {
+                    tr.put(tcr);
+                }
+            }
+        }
+        return tr;
+    }
+    
+    private TestCaseResult parseCheckmarxVulnerability(Node query, Node result) {
+        TestCaseResult tcr = new TestCaseResult();
+        // <Query id="594" cweId="89" name="SQL_Injection" group="Java_High_Risk" Severity="High"
+        // Language="Java" LanguageHash="0188428345217368" LanguageChangeDate="2015-07-14T00:00:00.0000000"
+        // SeverityIndex="3">
+
+        // <Result NodeId="528692318" FileName="/org/owasp/benchmark/testcode/BenchmarkTest00026.java"
+        // Status="New" Line="50" Column="29" FalsePositive="False" Severity="High" AssignToUser="" 
+        // state="0" Remark=""
+        // DeepLink="http://CHECKMARX2/CxWebClient/ViewerMain.aspx?scanid=52869&amp;projectid=30265&amp;pathid=2318"
+        // SeverityIndex="3">
+        
+        String cwe = getAttributeValue("cweId", query);
+        if ( cwe != null ) {
+            tcr.setCWE( translate( Integer.parseInt(cwe ) ) );
+        } else {
+            System.out.println( "flaw: " + query );
+        }
+        
+        String name = getAttributeValue("name", query);
+        tcr.setCategory( name );
+        // filter out dynamic SQL queries because they report SQL injection separately - these are just dynamic SQL
+        if ( name.equals( "Dynamic_SQL_Queries" ) ) {
+            return null;
+        }
+
+        tcr.setConfidence( Integer.parseInt( getAttributeValue( "SeverityIndex", result) ) );
+        
+        tcr.setEvidence( getAttributeValue( "name", query ) );
+ 
+        String testcase = getAttributeValue( "FileName", result );
+        testcase = testcase.substring( testcase.lastIndexOf('/') +1);
+        if ( testcase.startsWith( "BenchmarkTest" ) ) {
+            String testno = testcase.substring( "BenchmarkTest".length(), testcase.length() -5 );
+            try {
+                tcr.setNumber( Integer.parseInt( testno ) );
+            } catch ( NumberFormatException e ) {
+                e.printStackTrace();
+            }
+            return tcr;
+        }
+        
+        return null;
+    }
+
+    private int translate(int cwe) {
+        switch( cwe ) {
+            case 77 :   return 78;   // command injection
+            case 36 :   return 22;   // path traversal
+            case 23 :   return 22;   // path traversal
+            case 338:   return 330;  // weak random
+        }
+        return cwe;
+    }
+}

src/main/java/org/owasp/benchmark/score/parsers/CoverityReader.java

@@ -34,7 +34,7 @@ public TestResults parse( File f ) throws Exception {
 
 	    JSONArray arr = obj.getJSONArray("mergedIssues");
 
-	    TestResults tr = new TestResults( "Coverity Code Advisor" ); // Coverity's tool is called Code Advisor or Code Advisor On Demand
+	    TestResults tr = new TestResults( "Coverity Code Advisor" ,true,TestResults.ToolType.SAST); // Coverity's tool is called Code Advisor or Code Advisor On Demand
 	    // Fixme: See if we can figure this out from some of the files they provide
 	    tr.setTime(f);
 

src/main/java/org/owasp/benchmark/score/parsers/FindbugsReader.java

@@ -38,13 +38,12 @@ public TestResults parse( File f ) throws Exception {
 		InputSource is = new InputSource( new FileInputStream(f) );
 		Document doc = docBuilder.parse(is);
 
-		// FIXME: need a way to figure out if this is SecFindBugs
-		TestResults tr = new TestResults( "FindBugs" );
+		TestResults tr = new TestResults( "FindBugs" ,false,TestResults.ToolType.SAST);
 
 		// If the filename includes an elapsed time in seconds (e.g., TOOLNAME-seconds.xml), set the compute time on the scorecard.
 		tr.setTime(f);
 
-//		<BugCollection timestamp='1434663265000' analysisTimestamp='1434663273732' sequence='0' release='' version='3.0.1���>
+//		<BugCollection timestamp='1434663265000' analysisTimestamp='1434663273732' sequence='0' release='' version='3.0.1>
         Node root = doc.getDocumentElement();
         String version = getAttributeValue( "version", root );
         tr.setToolVersion( version );
@@ -127,10 +126,12 @@ private static int figureCWE( TestCaseResult tcr, Node cwenode, Node catnode) {
 		case "SECXXEDOC" :  return 611;  // XXE - Probably DOM Parser
 		case "SECSQLIHIB" : return 564;  // Hibernate Injection, child of SQL Injection
 		case "SECXXESAX" :  return 611;  // XXE - SAX Parser
+		case "STAIV" : 		return 329;  // static initialization vector for crypto
 
 		case "SECSP" : 		return 00;	 // servlet parameter - not a vuln
 		case "SECSH" : 		return 00;   // servlet header -- not a vuln
 		case "SECSSQ" : 	return 00;   // servlet query - not a vuln
+		
 
 		default : System.out.println( "Unknown category: " + cat );
 		}

src/main/java/org/owasp/benchmark/score/parsers/FortifyReader.java

@@ -38,7 +38,7 @@ public TestResults parse( File f ) throws Exception {
 		InputSource is = new InputSource( new FileInputStream(f) );
 		Document doc = docBuilder.parse(is);
 
-		TestResults tr = new TestResults( "HP Fortify" );
+		TestResults tr = new TestResults( "HP Fortify" ,true,TestResults.ToolType.SAST);
 		// FIXME - parse real number
 		tr.setTime("3:38:40");