Add dependency used by a script. Minor tweaks to a few scripts.

Author: davewichers

pom.xml

@@ -1095,6 +1095,13 @@
                 </executions>
             </plugin>
 
+            <!-- used by some of the scripts. This forces the plugin to be downloaded, so it doesn't need to when the script runs. -->
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-help-plugin</artifactId>
+                <version>3.2.0</version>
+            </plugin>
+
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-install-plugin</artifactId>

scripts/getBenchmarkVersion.sh

@@ -1,6 +1,4 @@
 #!/usr/bin/env sh
 
-# run and ignore output completely to prevent installation logs output on first run
-mvn org.apache.maven.plugins:maven-help-plugin:2.1.1:evaluate -Dexpression=project.version > /dev/null
+mvn org.apache.maven.plugins:maven-help-plugin:evaluate -Dexpression=project.version | grep -v '[INFO]'
 
-mvn org.apache.maven.plugins:maven-help-plugin:2.1.1:evaluate -Dexpression=project.version | grep -v '[INFO]'

scripts/requireCommand.sh

@@ -7,3 +7,4 @@ requireCommand() {
     exit 1
   fi
 }
+

src/main/java/org/owasp/benchmark/score/parsers/SonarQubeJsonReader.java

@@ -105,7 +105,8 @@ private TestCaseResult parseSonarQubeQualityIssue(JSONObject finding) {
             if (filename.contains(BenchmarkScore.TESTCASENAME)) {
                 String testNumber =
                         filename.substring(
-                                BenchmarkScore.TESTCASENAME.length() + 1, filename.length() - 5);
+                                BenchmarkScore.TESTCASENAME.length() + 1,
+                                filename.lastIndexOf('.'));
                 tcr.setNumber(Integer.parseInt(testNumber));
                 String rule = finding.getString("rule");
                 String squid = rule.substring(rule.indexOf(":") + 1);
@@ -153,7 +154,8 @@ private TestCaseResult parseSonarQubeHotSpotIssue(JSONObject finding) {
             if (filename.contains(BenchmarkScore.TESTCASENAME)) {
                 String testNumber =
                         filename.substring(
-                                BenchmarkScore.TESTCASENAME.length() + 1, filename.length() - 5);
+                                BenchmarkScore.TESTCASENAME.length() + 1,
+                                filename.lastIndexOf('.'));
                 tcr.setNumber(Integer.parseInt(testNumber));
                 String secCat = finding.getString("securityCategory");
                 if (secCat == null || secCat.equals("none")) {
@@ -185,12 +187,10 @@ private TestCaseResult parseSonarQubeHotSpotIssue(JSONObject finding) {
      */
     public static int securityCategoryCWELookup(String secCat, String message) {
         // Not sure where to look up all the possible security categories in SonarQube, but the
-        // mappings
-        // seem obvious enough.
+        // mappings seem obvious enough.
 
-        // Given their horrible mapping scheme, we check each message to detect whether their might
-        // be a new
-        // 'message' mapped to an existing CWE (that might be wrong).
+        // Given their horrible mapping scheme, we check each message to detect whether there might
+        // be a new 'message' mapped to an existing CWE (that might be wrong).
         if (!("Make sure that using this pseudorandom number generator is safe here."
                         .equals(message)
                 || "Ensure that string concatenation is required and safe for this SQL query."

tools/Contrast/runBenchmark_wContrast.sh

@@ -39,10 +39,13 @@ echo "==========================================================================
 cd ../..
 mvn clean package cargo:run -Pdeploywcontrast
 
+benchmark_version=$(scripts/getBenchmarkVersion.sh)
+
 echo
 echo "Copying Contrast report to results directory"
 cd tools/Contrast
-cp ./working/contrast.log ../../results/Benchmark_1.2-Contrast.log
+result_file="../../results/Benchmark_$benchmark_version-Contrast.log"
+cp ./working/contrast.log "$result_file"
 echo
 echo "  5. You can generate a scorecard by running createScorecards.sh in the Benchmark root directory."
 echo