Clean up a few scripts.

davewichers · davewichers · commit 2d37d5ae40fa · 2024-04-12T21:23:04.000-04:00
diff --git a/.gitignore b/.gitignore
@@ -1,4 +1,5 @@
 .DS_Store
+.dccache
 .java-version
 .classpath
 .project
@@ -7,11 +8,13 @@
 *.iml
 
 data/out.csv
+owasp-benchmark/
 reports/
+.scannerwork/
 scripts/SonarQubeCredentials.sh
+src/main/resources/benchmark.properties
 target/
 testfiles/
 tools/Contrast/contrast.jar
 tools/Contrast/contrast.yaml
 tools/Contrast/working/
-
diff --git a/createScorecards.bat b/createScorecards.bat
@@ -1,4 +1,3 @@
 # source "scripts/verifyBenchmarkPluginAvailable.sh" - Don't have .bat version of this (yet)
-#mvn -Djava.awt.headless=true org.owasp:benchmarkutils-maven-plugin:create-scorecard -DconfigFile=config/score_v1.3config.yaml
 call mvn -Djava.awt.headless=true org.owasp:benchmarkutils-maven-plugin:create-scorecard
 
diff --git a/createScorecards.sh b/createScorecards.sh
@@ -1,4 +1,3 @@
 source "scripts/verifyBenchmarkPluginAvailable.sh"
-#mvn -Djava.awt.headless=true org.owasp:benchmarkutils-maven-plugin:create-scorecard -DconfigFile=config/score_v1.3config.yaml
-mvn -Djava.awt.headless=true org.owasp:benchmarkutils-maven-plugin:create-scorecard
+MAVEN_OPTS="-Xmx8G" mvn -Djava.awt.headless=true org.owasp:benchmarkutils-maven-plugin:create-scorecard
 
diff --git a/scripts/runCodeQL.sh b/scripts/runCodeQL.sh
@@ -9,7 +9,6 @@
 ## For Xcode command line, run: xcode-select -p 1>/dev/null;echo $?   - If this returns 0, its installed, if 2, its not installed.
 ## For Rosetta 2, run: lsbom -f /Library/Apple/System/Library/Receipts/com.apple.pkg.RosettaUpdateAuto.bom - And if it returns a list of files, it's installed.
 
-
 # This then runs the codeql scan:
 benchmark_version=$(scripts/getBenchmarkVersion.sh)
 ../../tools/codeql-home/codeql/codeql database analyze owasp-benchmark java-code-scanning.qls --format=sarifv2.1.0 --output=results/Benchmark_$benchmark_version-codeql_java-code-scanning_qls.sarif
diff --git a/scripts/runCodeQLFull.sh b/scripts/runCodeQLFull.sh
@@ -5,9 +5,8 @@
 #  tested: java-lgtm.qls - Standard LGTM queries for Java - scores the same as standard java-code-scanning.qls
 #  tested: java-lgtm-full.qls - Standard LGTM queries for Java, including ones not displayed by default. Scores the same as security-extended ruleset.
 
-# This script assumes the owasp-benchmark database has already been initialized by running this first:
-# ../../Tools/codeql-home/codeql/codeql database create owasp-benchmark --language=java
-#../../Tools/codeql-home/codeql/codeql database analyze owasp-benchmark java-security-extended.qls --format=sarifv2.1.0 --output=results/Benchmark_1.2-codeql_java-security-extended.sarif
+# This script assumes CodeQL has been installed and the owasp-benchmark database has already been initialized per the instructions in runCodeQL.sh
+
 benchmark_version=$(scripts/getBenchmarkVersion.sh)
-../../Tools/codeql-home/codeql/codeql database analyze owasp-benchmark java-security-and-quality.qls --format=sarifv2.1.0 --output=results/Benchmark_$benchmark_version-codeql_java-security-and-quality.sarif
+../../tools/codeql-home/codeql/codeql database analyze owasp-benchmark java-security-and-quality.qls --format=sarifv2.1.0 --output=results/Benchmark_$benchmark_version-codeql_java-security-and-quality.sarif
 
diff --git a/scripts/runSemgrep.sh b/scripts/runSemgrep.sh
@@ -1,15 +1,16 @@
 #!/usr/bin/env bash
 
-# Check for install/updates at https://github.com/returntocorp/semgrep
+# Check for install/updates at https://semgrep.dev/docs/update/
 
 source scripts/requireCommand.sh
 
 requireCommand docker
 
-docker pull returntocorp/semgrep
+docker pull docker.io/semgrep/semgrep
 
 benchmark_version=$(scripts/getBenchmarkVersion.sh)
-semgrep_version=$(docker run --rm returntocorp/semgrep semgrep --version)
+semgrep_version=$(docker run --rm semgrep/semgrep semgrep --version)
 result_file="/src/results/Benchmark_$benchmark_version-Semgrep-v$semgrep_version.json"
 
-docker run --rm -v "${PWD}:/src" returntocorp/semgrep semgrep --config p/security-audit -q --json -o "$result_file" . > /dev/null
+docker run --rm -v "${PWD}:/src" semgrep/semgrep semgrep --config p/security-audit -q --json -o "$result_file" . > /dev/null
+
diff --git a/scripts/runSonarQube.sh b/scripts/runSonarQube.sh
@@ -99,7 +99,7 @@ while (((page - 1) * elements_per_request < hotspot_count)); do
 done
 echo "Writing end results json content";
 cp resdump.json "${result_file}";
-echo "Done, please go ahead an generate the scorecard";
-## cleanup the two files generated to record results, if want them for debug, you can comment the following line
+echo "Done, please go ahead and generate the scorecard";
+## cleanup the two files generated to record results, if you want them for debug purposes, comment out the following line
 rm resdump.json buffdump.json;
 

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,3 @@`
`1`	`1`	`# source "scripts/verifyBenchmarkPluginAvailable.sh" - Don't have .bat version of this (yet)`
`2`		`-#mvn -Djava.awt.headless=true org.owasp:benchmarkutils-maven-plugin:create-scorecard -DconfigFile=config/score_v1.3config.yaml`
`3`	`2`	`call mvn -Djava.awt.headless=true org.owasp:benchmarkutils-maven-plugin:create-scorecard`
`4`	`3`