Refactoring of scorecard generation code and add some scorecard generation enhancements. Upgrade a few libraries.

Author: davewichers

createAnonScorecards.sh

@@ -1,2 +1,2 @@
-mvn validate -Pscorecard -Dexec.args="expectedresults-1.2.csv results none anonymous"
+mvn validate -Pscorecard -Dexec.args="-cr anonymousScoringConfig.yaml"
 

createScorecards.bat

@@ -1 +1,2 @@
-call mvn validate -Pscorecard -Dexec.args="expectedresults-1.2.csv results"
+call mvn validate -Pscorecard
+

createScorecards.sh

@@ -1,2 +1,2 @@
-mvn validate -Pscorecard -Dexec.args="expectedresults-1.2.csv results"
+mvn validate -Pscorecard
 

pom.xml

@@ -884,7 +884,7 @@
         <dependency>
             <groupId>org.bouncycastle</groupId>
             <artifactId>bcprov-jdk15on</artifactId>
-            <version>1.68</version>
+            <version>1.69</version>
         </dependency>
 
         <!-- Kevin's fix for jar version conflicts. For future Benchmark 1.3 -->
@@ -1010,6 +1010,12 @@
             <version>${version.springframework}</version>
         </dependency>
 
+        <dependency>
+            <groupId>org.yaml</groupId>
+            <artifactId>snakeyaml</artifactId>
+            <version>1.29</version>
+        </dependency>
+
         <dependency>
             <groupId>xml-apis</groupId>
             <artifactId>xml-apis</artifactId>
@@ -1381,7 +1387,7 @@
         <version.exec.maven>1.6.0</version.exec.maven>
         <version.hibernate>3.6.10.Final</version.hibernate>
         <version.jersey>1.19.4</version.jersey>
-        <version.slf4j>1.7.30</version.slf4j>
+        <version.slf4j>1.7.31</version.slf4j>
         <version.spotbugs.maven>4.2.3</version.spotbugs.maven>
         <version.spotbugs>4.2.3</version.spotbugs>
         <version.spotless>2.10.1</version.spotless>

runBenchmark.bat

@@ -1 +1,3 @@
-call mvn clean package cargo:run -Pdeploy
+call mvn initialize
+call mvn clean package cargo:run -Pdeploy
+

runBenchmark.sh

@@ -1,9 +1,8 @@
 #!/bin/sh
 
-chmod 755 src/main/resources/insecureCmd.sh
-
 case "$1" in
 -q|--quiet) quiet="-D-Dorg.owasp.esapi.logSpecial.discard=true"; shift  ;;
 *)          quiet=""    ;;
 esac
+mvn ${quiet} initialize
 mvn ${quiet} clean package cargo:run -Pdeploy

runCrawler.sh

@@ -1,2 +1,3 @@
 #!/bin/sh
 mvn compile -Pcrawler
+

runRemoteAccessibleBenchmark.sh

@@ -1,4 +1,9 @@
 #!/bin/sh
 
-chmod 755 src/main/resources/insecureCmd.sh
-mvn clean package cargo:run -Pdeploy -Drunenv=remote
+case "$1" in
+-q|--quiet) quiet="-D-Dorg.owasp.esapi.logSpecial.discard=true"; shift  ;;
+*)          quiet=""    ;;
+esac
+mvn ${quiet} initialize
+mvn ${quiet} clean package cargo:run -Pdeploy -Drunenv=remote
+

src/main/java/org/owasp/benchmark/helpers/Categories.java

@@ -89,7 +89,9 @@ private void load(File file) throws ParserConfigurationException, SAXException,
                     isInjection =
                             Boolean.parseBoolean(isInjectionNodeList.item(0).getTextContent());
                 }
-                Category category = new Category(id, name, cwe, isInjection);
+                String shortname =
+                        eElement.getElementsByTagName("shortname").item(0).getTextContent();
+                Category category = new Category(id, name, cwe, isInjection, shortname);
                 idToCategoryMap.put(id, category);
                 nameToCategoryMap.put(name, category);
             }

src/main/java/org/owasp/benchmark/helpers/Category.java

@@ -19,13 +19,12 @@
 
 /** This class contains a single vulnerability category. */
 public class Category {
-    private String id;
 
-    private String name;
-
-    private int cwe;
-
-    private boolean isInjection;
+    private final String id; // e.g., pathtraver
+    private final String name; // e.g., Path Traversal
+    private final int CWE;
+    private final boolean isInjection;
+    private final String shortName; // PATH
 
     /**
      * Create a vuln category.
@@ -35,43 +34,32 @@ public class Category {
      * @param cwe The associated CWE number.
      * @param isInjection Whether this vuln category is a type of injection attack.
      */
-    public Category(String id, String name, int cwe, boolean isInjection) {
+    public Category(String id, String name, int cwe, boolean isInjection, String shortname) {
         this.id = id;
         this.name = name;
-        this.cwe = cwe;
+        this.CWE = cwe;
         this.isInjection = isInjection;
+        this.shortName = shortname;
     }
 
     public String getId() {
-        return id;
-    }
-
-    public void setId(String id) {
-        this.id = id;
+        return this.id;
     }
 
     public String getName() {
-        return name;
+        return this.name;
     }
 
-    public void setName(String name) {
-        this.name = name;
-    }
-
-    public int getCwe() {
-        return cwe;
-    }
-
-    public void setCwe(int cwe) {
-        this.cwe = cwe;
+    public int getCWE() {
+        return this.CWE;
     }
 
     public boolean isInjection() {
-        return isInjection;
+        return this.isInjection;
     }
 
-    public void setInjection(boolean isInjection) {
-        this.isInjection = isInjection;
+    public String getShortName() {
+        return this.shortName;
     }
 
     @Override

src/main/java/org/owasp/benchmark/helpers/Utils.java

@@ -161,6 +161,9 @@ public class Utils {
                 e.printStackTrace();
             }
         }
+
+        // The target script is exploded out of the WAR file. When this occurs, the file
+        // loses its execute permissions. So this hack adds the required execute permissions back.
         if (!System.getProperty("os.name").contains("Windows")) {
             File script = getFileFromClasspath("insecureCmd.sh", Utils.class.getClassLoader());
             Set<PosixFilePermission> perms = new HashSet<PosixFilePermission>();