diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 5f97798420..e235340075 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -27,14 +27,14 @@ jobs:
steps:
- name: Checkout repository
- uses: actions/checkout@v4
+ uses: actions/checkout@v6
# Get full history for spotless ratchetFrom
with:
fetch-depth: 0
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
- uses: github/codeql-action/init@v3
+ uses: github/codeql-action/init@v4
with:
languages: ${{ matrix.language }}
queries: security-extended, security-experimental, security-and-quality
@@ -43,10 +43,10 @@ jobs:
run: mvn -DskipTests=true install
- name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v3
+ uses: github/codeql-action/analyze@v4
- name: Upload Output
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@v6
with:
name: ${{ matrix.language }} SARIF
path: ${{ runner.workspace }}/results/*.sarif
diff --git a/.github/workflows/maven.yaml b/.github/workflows/maven.yaml
index 2997beeb28..29e50a43e2 100644
--- a/.github/workflows/maven.yaml
+++ b/.github/workflows/maven.yaml
@@ -8,14 +8,14 @@ jobs:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@v6
with:
fetch-depth: 0
- - name: Set up JDK 11
- uses: actions/setup-java@v4
+ - name: Set up JDK 17
+ uses: actions/setup-java@v5
with:
- java-version: '11'
- distribution: 'zulu'
+ java-version: 17
+ distribution: zulu
- name: Run Spotless check
run: mvn spotless:check
- name: Create WAR
diff --git a/README.md b/README.md
index 8df3d4ffa1..fd9787cd08 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,12 @@
-# OWASP Benchmark
-The OWASP Benchmark Project is a Java test suite designed to verify the speed and accuracy of vulnerability detection tools. It is a fully runnable open source web application that can be analyzed by any type of Application Security Testing (AST) tool, including SAST, DAST (like ZAP), and IAST tools. The intent is that all the vulnerabilities deliberately included in and scored by the Benchmark are actually exploitable so its a fair test for any kind of application vulnerability detection tool. The Benchmark also includes scorecard generators for numerous open source and commercial AST tools, and the set of supported tools is growing all the time.
+# OWASP Benchmark for Java
+The OWASP Benchmark Project is a Java test suite designed to verify the speed and accuracy of vulnerability detection tools. It is a fully runnable open source web application that can be analyzed by any type of Application Security Testing (AST) tool, including SAST, DAST (like ZAP), and IAST tools. The intent is that all the vulnerabilities deliberately included in and scored by the Benchmark are actually exploitable so it's a fair test for any kind of application vulnerability detection tool.
+
+The Benchmark project also includes scorecard generators for numerous open source and commercial AST tools, and the set of supported tools is growing all the time. This scoring capability is implemented in the BenchmarkUtils project, which is at: https://github.com/OWASP-Benchmark/BenchmarkUtils.
The project documentation is all on the OWASP site at the OWASP Benchmark project pages. Please refer to that site for all the project details.
-The current latest release is v1.2. Note that all the releases that are available here: https://github.com/OWASP/Benchmark/releases are historical. The latest release is always available live by simply cloning or pulling the head of this repository (i.e., git pull).
+The current latest release is v1.2. Note that all the releases that are available here: https://github.com/OWASP-Benchmark/BenchmarkJava/releases, are historical. The latest release is always available live by simply cloning or pulling the head of this repository (i.e., git pull).
+
+Running Benchmark Itself:
+* runBenchmark.sh - run the Benchmark Web Application (accessible via local machine only)
+* runRemoteAccessibleBenchmark.sh - like the above but allows port 8443 to be accessible outside the machine Benchmark is running on.
diff --git a/VMs/Dockerfile b/VMs/Dockerfile
index a2faa9a6cd..aaa8d235a4 100644
--- a/VMs/Dockerfile
+++ b/VMs/Dockerfile
@@ -1,12 +1,12 @@
# This dockerfile builds a container that pulls down and runs the latest version of BenchmarkJava
FROM ubuntu:latest
-MAINTAINER "Dave Wichers dave.wichers@owasp.org"
+LABEL org.opencontainers.image.authors="Dave Wichers dave.wichers@owasp.org"
RUN apt-get update
RUN DEBIAN_FRONTEND="noninteractive" apt-get -y install tzdata
RUN apt-get install -q -y \
- openjdk-11-jre-headless \
- openjdk-11-jdk \
+ openjdk-17-jre-headless \
+ openjdk-17-jdk \
git \
maven \
wget \
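Review bot: The changed package list on L86-L87 is installed against the apt index produced by the separate `RUN apt-get update` on L81, and Docker caches that layer independently, so a rebuild after this bump can reuse a stale index (the classic hash-sum-mismatch/404 failure on the new openjdk-17 packages) and never picks up newer package security fixes; `apt-get update` and `apt-get install` belong in one RUN. While merging, drop `openjdk-17-jre-headless` (it is pulled in by `openjdk-17-jdk`), add `--no-install-recommends`, and remove `/var/lib/apt/lists/*` in the same layer so the index is not baked into the image. `FROM ubuntu:latest` on L78 is a moving target; a release tag or digest would make the openjdk-17 resolution reproducible. The package list continues past the end of the hunk, so the excerpt below only shows the visible part.
```dockerfile
RUN apt-get update \
 && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
      tzdata \
      openjdk-17-jdk \
      git \
      maven \
      wget \
# … unchanged: remaining packages from the original install list …
 && rm -rf /var/lib/apt/lists/*
```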
@@ -35,7 +35,7 @@ RUN useradd -d /home/bench -m -s /bin/bash bench
RUN echo bench:bench | chpasswd
RUN chown -R bench /owasp/
-ENV PATH /owasp/BenchmarkJava:$PATH
+ENV PATH=/owasp/BenchmarkJava:$PATH
# start up Benchmark once, for 60 seconds, then kill it, so the additional dependencies required to run it are downloaded/cached in the image as well.
# exit 0 is required to return a 'success' code, otherwise the timeout returns a failure code, causing the Docker build to fail.
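Review bot: The rewritten `ENV PATH=/owasp/BenchmarkJava:$PATH` on L95 places a directory that L93 has just handed to the unprivileged `bench` user ahead of every system path, so any process running as root with this environment (the hunk shows no `USER` instruction, though one may follow) resolves a `bench`-writable file before `/usr/bin` for any command name that happens to exist there. Either append instead, `ENV PATH=$PATH:/owasp/BenchmarkJava`, or make sure the image switches to `USER bench` before anything is executed. Separately, `echo bench:bench | chpasswd` on L92 bakes a well-known password into an image the project publishes; if no login service is installed it is inert, but locking the account (`RUN passwd -l bench`) or leaving it passwordless removes the question.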
diff --git a/VMs/buildDockerImage.sh b/VMs/buildDockerImage.sh
index 6c96f0a8c1..b0dd310374 100755
--- a/VMs/buildDockerImage.sh
+++ b/VMs/buildDockerImage.sh
@@ -11,3 +11,6 @@ fi
docker image rm benchmark:latest
docker build -t benchmark .
+# Once verified/tested, to publish an update to the OWASP Benchmark Docker image, run the following:
+# docker push owasp/benchmark:latest
+
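Review bot: The new comment on L106 tells the publisher to `docker push owasp/benchmark:latest`, but the build on L104 tags the image only as `benchmark`, so the documented command either fails or pushes whatever unrelated `owasp/benchmark:latest` happens to sit in the local cache; the comment should include the retag, e.g. `# docker tag benchmark:latest owasp/benchmark:latest && docker push owasp/benchmark:latest`. Because the Dockerfile pulls the repository head at build time, consider pushing a dated or version tag alongside `latest` and recording the pushed digest so consumers can pin exactly what they scanned with.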
diff --git a/pom.xml b/pom.xml
index df06267aea..2d82960bd9 100644
--- a/pom.xml
+++ b/pom.xml
@@ -624,7 +624,7 @@
commons-codec
commons-codec
- 1.18.0
+ 1.20.0
@@ -637,7 +637,7 @@
commons-io
commons-io
- 2.19.0
+ 2.21.0
@@ -765,13 +765,13 @@
org.apache.httpcomponents.client5
httpclient5
- 5.5
+ 5.6
org.apache.httpcomponents.core5
httpcore5
- 5.3.4
+ 5.4
@@ -810,7 +810,7 @@
org.owasp.esapi
esapi
- 2.6.2.0
+ 2.7.0.0
@@ -854,7 +854,7 @@
com.fasterxml.jackson.core
jackson-databind
- 2.19.1
+ 2.20.1
@@ -880,17 +880,17 @@
org.apache.maven.plugins
maven-antrun-plugin
- 3.1.0
+ 3.2.0
org.apache.maven.plugins
maven-assembly-plugin
- 3.7.1
+ 3.8.0
org.apache.maven.plugins
maven-dependency-plugin
- 3.8.1
+ 3.9.0
com.sun.jersey:jersey-servlet
@@ -904,7 +904,7 @@
org.apache.maven.plugins
maven-release-plugin
- 3.1.1
+ 3.3.1
@@ -924,7 +924,7 @@
org.apache.maven.plugins
maven-compiler-plugin
- 3.14.0
+ 3.14.1
true
1000m
@@ -942,12 +942,12 @@
org.apache.maven.plugins
maven-enforcer-plugin
- 3.5.0
+ 3.6.2
org.codehaus.mojo
extra-enforcer-rules
- 1.10.0
+ 1.11.0
@@ -1005,7 +1005,7 @@
org.apache.maven.plugins
maven-pmd-plugin
- 3.27.0
+ 3.28.0
@@ -1017,7 +1017,7 @@
org.apache.maven.plugins
maven-resources-plugin
- 3.3.1
+ 3.4.0
@@ -1038,13 +1038,13 @@
org.apache.maven.plugins
maven-surefire-plugin
- 3.5.3
+ 3.5.4
org.apache.maven.plugins
maven-war-plugin
- 3.4.0
+ 3.5.1
${maven.war.webxml}
@@ -1053,13 +1053,13 @@
org.codehaus.cargo
cargo-maven3-plugin
- 1.10.20
+ 1.10.26
org.codehaus.mojo
versions-maven-plugin
- 2.18.0
+ 2.20.1
@@ -1104,7 +1104,7 @@
com.diffplug.spotless
spotless-maven-plugin
- 2.44.5
+ 3.1.0
origin/master
@@ -1249,13 +1249,13 @@
2.1.0
3.6.10.Final
- 4.9.3.1
- 4.9.3
+ 4.9.8.2
+ 4.9.8
5.3.39
9
- 9.0.97
+ 9.0.113
https://archive.apache.org/dist/tomcat/tomcat-${tomcat.major.version}/v${version.tomcat}/bin/apache-tomcat-${version.tomcat}.zip
diff --git a/scripts/runBearer.sh b/scripts/runBearer.sh
index 950b1a192a..3a9ccd560f 100755
--- a/scripts/runBearer.sh
+++ b/scripts/runBearer.sh
@@ -2,6 +2,9 @@
# Check for install/updates at https://github.com/bearer/bearer
+# For this script to work, you need to change the permissions on the results/ directory to 777
+# so docker can write the results file into the results/ folder
+
source scripts/requireCommand.sh
requireCommand docker
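Review bot: The new instruction on L229-L230 to make `results/` mode 777 means any local account can replace or tamper with the scan output that later feeds the scorecard, and a world-writable directory tends to stay that way long after the run. If the "suspicious git repository" error mentioned further down the script is git's dubious-ownership check, running the container as the invoking user and telling git to trust the mount avoids the permission problem entirely: `--user "$(id -u):$(id -g)" -e GIT_CONFIG_COUNT=1 -e GIT_CONFIG_KEY_0=safe.directory -e GIT_CONFIG_VALUE_0=/benchmark`. Failing that, have the script test that `results/` is writable and exit with a message rather than relying on a comment the user has to notice.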
@@ -10,6 +13,17 @@ docker pull bearer/bearer --platform linux/amd64
benchmark_version=$(scripts/getBenchmarkVersion.sh)
bearer_version=$(docker run --platform linux/amd64 bearer/bearer bearer --version | grep -o '[[:digit:]]\+\.[[:digit:]]\+\.[[:digit:]]\+')
-result_file="/src/results/Benchmark_$benchmark_version-Bearer-v$bearer_version.json"
+result_file="results/Benchmark_$benchmark_version-Bearer-v$bearer_version.json"
+temp_result_file="$result_file.tmp"
+docker_result_file="/benchmark/$temp_result_file"
+
+# if you set the Docker userid to match the current user id with: --user $(id -u):$(id -g) you get a suspicious git repository error
+docker run --platform linux/amd64 --rm -v "${PWD}:/benchmark" bearer/bearer scan /benchmark/src/main/ --format jsonv2 --output "$docker_result_file" > /dev/null
+
+# Because the docker userid and current user ID might be different, we write the Bearer result to a temp file.
+# Then copy it to the desired file name, and then delete the temp file.
+#
+# We can't just chown the file to the right user ID as Unix won't allow that.
+cp $temp_result_file $result_file
+rm -f $temp_result_file
-docker run --platform linux/amd64 --rm -v "${PWD}:/src" bearer/bearer scan /src/src/main/ --format jsonv2 --output "$result_file" > /dev/null
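Review bot: The `cp $temp_result_file $result_file` on L249 runs whether or not the `docker run` on L243 succeeded, and with no `set -e` a failed scan leaves only a cp error on the console and a zero exit status from the trailing `rm -f`, so callers cannot tell the scan failed; the variables are also unquoted, and `bearer_version` on L236 is empty if the `grep` matches nothing, which silently changes the file name. Guard both steps: `docker run ... || { echo "bearer scan failed" >&2; exit 1; }` and `cp "$temp_result_file" "$result_file" && rm -f "$temp_result_file"`. The `bearer/bearer` image named in the hunk header is pulled by floating tag; pinning it by digest would tie each result file to a known scanner build.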
diff --git a/scripts/runCodeQL.sh b/scripts/runCodeQL.sh
index e85b1b0966..925040919f 100755
--- a/scripts/runCodeQL.sh
+++ b/scripts/runCodeQL.sh
@@ -9,7 +9,7 @@
## For Rosetta 2, run: lsbom -f /Library/Apple/System/Library/Receipts/com.apple.pkg.RosettaUpdateAuto.bom - And if it returns a list of files, it's installed.
# This then runs the CodeQL scan:
-## The following CodeQL query is a big complex. I had to raise an issue with the CodeQL team to figure out how to do this.
+## The following CodeQL query is a bit complex. I had to raise an issue with the CodeQL team to figure out how to do this.
## The issue raised and the answer that documents this query is here: https://github.com/github/codeql/issues/18518#issuecomment-2730684184
benchmark_version=$(scripts/getBenchmarkVersion.sh)
../../tools/codeql-home/codeql/codeql database analyze owasp-benchmark codeql/java-queries:codeql-suites/java-security-extended.qls --format=sarifv2.1.0 --output=results/Benchmark_1.2-codeql_java-security-extended.sarif -j0 --download
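Review bot: The `--output` on L263 hardcodes `Benchmark_1.2` while the `benchmark_version` computed on L262 goes unused, so the SARIF name stops tracking the project version and is inconsistent with the Bearer and Snyk scripts touched in this same change; the line is context here, but the typo fix sits in the comment directly above it. Use `--output=results/Benchmark_${benchmark_version}-codeql_java-security-extended.sarif`, and consider appending the CLI version (from `codeql version`) the way the other scripts record the tool version.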
diff --git a/scripts/runFindBugs.bat b/scripts/runFindBugs.bat
index 52dfa7961f..d3c68beb65 100644
--- a/scripts/runFindBugs.bat
+++ b/scripts/runFindBugs.bat
@@ -1,6 +1,7 @@
# source "scripts/verifyBenchmarkPluginAvailable.sh" - Don't have .bat version of this (yet)
+
# FindBugs is dead, so this specifies the specific (last) version of findbugs. Its version is not defined in the pom.xml file.
# The buildtime elements when invoking the findbugs-maven-plugin leverage the buildtime extension specified in: .mvn/extensions.xml
-CALL mvn compile org.codehaus.mojo:findbugs-maven-plugin:3.0.5:findbugs -Dbuildtime.output.csv=true -Dbuildtime.output.csv.file=../data/out.csv
-CALL mvn org.owasp:benchmarkutils-maven-plugin:append-time -DtoolName=findbugs
+call mvn compile org.codehaus.mojo:findbugs-maven-plugin:3.0.5:findbugs -Dbuildtime.output.csv=true -Dbuildtime.output.csv.file=../data/out.csv
+call mvn org.owasp:benchmarkutils-maven-plugin:append-time -DtoolName=findbugs
diff --git a/scripts/runFindSecBugs.bat b/scripts/runFindSecBugs.bat
index 2033a71843..5e5d660ec8 100644
--- a/scripts/runFindSecBugs.bat
+++ b/scripts/runFindSecBugs.bat
@@ -1,5 +1,7 @@
# source "scripts/verifyBenchmarkPluginAvailable.sh" - Don't have .bat version of this (yet)
-# The buildtime elements when invoking the findbugs-maven-plugin leverage the buildtime extension specified in: .mvn/extensions.xml
-CALL mvn compile -Pfindsecbugs -Dbuildtime.output.csv=true -Dbuildtime.output.csv.file=../data/out.csv
-CALL mvn org.owasp:benchmarkutils-maven-plugin:append-time -DtoolName=findsecbugs
+
+# The buildtime elements when invoking the findbugs-maven-plugin thru the findsecbugs profile leverage the
+# buildtime extension specified in: .mvn/extensions.xml
+call mvn compile -Pfindsecbugs -Dbuildtime.output.csv=true -Dbuildtime.output.csv.file=../data/out.csv
+call mvn org.owasp:benchmarkutils-maven-plugin:append-time -DtoolName=findsecbugs
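Review bot: `#` does not start a comment in a `.bat` file, so each of the `#` lines here, including the two new ones on L287-L288, makes cmd.exe look for a program named `#`, print `'#' is not recognized as an internal or external command` and carry on; the script works by accident and the noise buries real errors from the mvn calls. Use `REM` (or `::`) instead, e.g. `REM The buildtime elements when invoking the findbugs-maven-plugin thru the findsecbugs profile leverage the`. The same applies to the `# source ...` placeholder on L282.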
diff --git a/scripts/runFindSecBugs.sh b/scripts/runFindSecBugs.sh
index 2ad9731138..dcf442a37c 100755
--- a/scripts/runFindSecBugs.sh
+++ b/scripts/runFindSecBugs.sh
@@ -1,5 +1,6 @@
source "scripts/verifyBenchmarkPluginAvailable.sh"
-# The buildtime elements when invoking the findbugs-maven-plugin leverage the buildtime extension specified in: .mvn/extensions.xml
+# The buildtime elements when invoking the findbugs-maven-plugin thru the findsecbugs profile leverage the
+# buildtime extension specified in: .mvn/extensions.xml
mvn compile -Pfindsecbugs -Dbuildtime.output.csv=true -Dbuildtime.output.csv.file=../data/out.csv
mvn org.owasp:benchmarkutils-maven-plugin:append-time -DtoolName=findsecbugs
diff --git a/scripts/runPMD.bat b/scripts/runPMD.bat
index c40598c7f5..378d26381a 100644
--- a/scripts/runPMD.bat
+++ b/scripts/runPMD.bat
@@ -1,5 +1,5 @@
# source "scripts/verifyBenchmarkPluginAvailable.sh" - Don't have .bat version of this (yet)
-# The buildtime elements when invoking the findbugs-maven-plugin leverage the buildtime extension specified in: .mvn/extensions.xml
-CALL mvn compile pmd:pmd -Dbuildtime.output.csv=true -Dbuildtime.output.csv.file=../data/out.csv
-CALL mvn org.owasp:benchmarkutils-maven-plugin:append-time -DtoolName=pmd
+# The buildtime elements when invoking the PMD plugin leverage the buildtime extension specified in: .mvn/extensions.xml
+call mvn compile pmd:pmd -Dbuildtime.output.csv=true -Dbuildtime.output.csv.file=../data/out.csv
+call mvn org.owasp:benchmarkutils-maven-plugin:append-time -DtoolName=pmd
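Review bot: The reworded line on L311 keeps `#` as the comment marker, which cmd.exe does not recognise; it will try to execute a program named `#`, print `'#' is not recognized as an internal or external command` and continue, so every run of this script starts with spurious errors that mask genuine failures of the mvn invocations. Change it to `REM The buildtime elements when invoking the PMD plugin leverage the buildtime extension specified in: .mvn/extensions.xml`, and do the same for the `# source ...` line on L307.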
diff --git a/scripts/runPMD.sh b/scripts/runPMD.sh
index 202e2744fd..1d3538771c 100755
--- a/scripts/runPMD.sh
+++ b/scripts/runPMD.sh
@@ -1,5 +1,5 @@
source "scripts/verifyBenchmarkPluginAvailable.sh"
-# The buildtime elements when invoking the findbugs-maven-plugin leverage the buildtime extension specified in: .mvn/extensions.xml
+# The buildtime elements when invoking the PMD plugin leverage the buildtime extension specified in: .mvn/extensions.xml
mvn compile pmd:pmd -Dbuildtime.output.csv=true -Dbuildtime.output.csv.file=../data/out.csv
mvn org.owasp:benchmarkutils-maven-plugin:append-time -DtoolName=pmd
diff --git a/scripts/runSnykSAST.sh b/scripts/runSnykSAST.sh
index af618f59c1..09904bb508 100755
--- a/scripts/runSnykSAST.sh
+++ b/scripts/runSnykSAST.sh
@@ -1,6 +1,8 @@
# Install Snyk per: https://docs.snyk.io/snyk-cli/install-or-update-the-snyk-cli
+# Before running this, you must first run: snyk auth (and then authenticate) so snyk code is authorized to run.
+
benchmark_version=$(scripts/getBenchmarkVersion.sh)
Snyk_version=$(snyk -v)
-snyk code --sarif-file-output=results/Benchmark_$benchmark_version-snykCodeCli-v$Snyk_version.sarif
+snyk code test --sarif-file-output=results/Benchmark_$benchmark_version-snykCodeCli-v$Snyk_version-$SECONDS.sarif
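Review bot: `$SECONDS` appended on L335 is bash's seconds-since-shell-start counter, not a timestamp, so in a freshly started script it is close to 0 on every run and neither makes the file name unique nor identifies the run; the file also has no shebang (line 1 is a comment and the mode is 100755), so if it is ever launched through `/bin/sh` the variable may be unset and the name ends in `-.sarif`. If the goal is one file per run, use `$(date +%Y%m%d-%H%M%S)` and add `#!/usr/bin/env bash` as the first line. Also confirm that the BenchmarkUtils result parser still matches the name with the extra suffix, which this hunk cannot show.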
diff --git a/scripts/runSnykSAST_OnWindows.sh b/scripts/runSnykSAST_OnWindows.sh
index bdc0498436..97e7f0f96d 100644
--- a/scripts/runSnykSAST_OnWindows.sh
+++ b/scripts/runSnykSAST_OnWindows.sh
@@ -1,6 +1,8 @@
# Install Snyk per: https://docs.snyk.io/snyk-cli/install-or-update-the-snyk-cli
+# Before running this, you must first run: snyk auth (and then authenticate) so snyk code is authorized to run.
+
benchmark_version=$(scripts/getBenchmarkVersion.sh)
Snyk_version=$(snyk-win -v)
-snyk-win code test --sarif-file-output=results/Benchmark_$benchmark_version-snykCodeCli-v$Snyk_version.sarif
+snyk-win code test --sarif-file-output=results/Benchmark_$benchmark_version-snykCodeCli-v$Snyk_version-$SECONDS.sarif
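Review bot: The `-$SECONDS` suffix added on L347 does not do what the name suggests: in bash `$SECONDS` counts seconds since the shell started, so it is roughly the duration of the `snyk-win -v` call and not a run timestamp, and two runs on the same day will normally produce the same file name. Use `$(date +%Y%m%d-%H%M%S)` if a per-run name is wanted, and check that the downstream result parser accepts the extra suffix, which is not visible from this hunk.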
diff --git a/scripts/runSpotBugs.bat b/scripts/runSpotBugs.bat
index 428125a6ad..68fefaed0c 100755
--- a/scripts/runSpotBugs.bat
+++ b/scripts/runSpotBugs.bat
@@ -1,5 +1,5 @@
# source "scripts/verifyBenchmarkPluginAvailable.sh" - Don't have .bat version of this (yet)
-# The buildtime elements when invoking the findbugs-maven-plugin leverage the buildtime extension specified in: .mvn/extensions.xml
-CALL mvn compile spotbugs:spotbugs -Dbuildtime.output.csv=true -Dbuildtime.output.csv.file=../data/out.csv
-CALL mvn org.owasp:benchmarkutils-maven-plugin:append-time -DtoolName=spotbugs
+# The buildtime elements when invoking the Spotbugs plugin leverage the buildtime extension specified in: .mvn/extensions.xml
+call mvn compile spotbugs:spotbugs -Dbuildtime.output.csv=true -Dbuildtime.output.csv.file=../data/out.csv
+call mvn org.owasp:benchmarkutils-maven-plugin:append-time -DtoolName=spotbugs
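Review bot: The new comment line on L357 still uses `#`, which is not a comment marker in batch; cmd.exe attempts to run a program named `#`, prints `'#' is not recognized as an internal or external command` and continues, so the script emits errors before it does anything useful. Replace it with `REM The buildtime elements when invoking the Spotbugs plugin leverage the buildtime extension specified in: .mvn/extensions.xml`, and treat the `# source ...` line on L353 the same way.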
diff --git a/scripts/runSpotBugs.sh b/scripts/runSpotBugs.sh
index b3c37eca9d..54719e2880 100755
--- a/scripts/runSpotBugs.sh
+++ b/scripts/runSpotBugs.sh
@@ -1,5 +1,5 @@
source "scripts/verifyBenchmarkPluginAvailable.sh"
-# The buildtime elements when invoking the findbugs-maven-plugin leverage the buildtime extension specified in: .mvn/extensions.xml
+# The buildtime elements when invoking the Spotbugs plugin leverage the buildtime extension specified in: .mvn/extensions.xml
mvn compile spotbugs:spotbugs -Dbuildtime.output.csv=true -Dbuildtime.output.csv.file=../data/out.csv
mvn org.owasp:benchmarkutils-maven-plugin:append-time -DtoolName=spotbugs
diff --git a/src/main/java/org/owasp/benchmark/report/sonarqube/SonarReport.java b/src/main/java/org/owasp/benchmark/report/sonarqube/SonarReport.java
index 5498447d0f..c9fb1459f9 100644
--- a/src/main/java/org/owasp/benchmark/report/sonarqube/SonarReport.java
+++ b/src/main/java/org/owasp/benchmark/report/sonarqube/SonarReport.java
@@ -24,7 +24,7 @@ public class SonarReport {
private static final String SONAR_USER = "admin";
private static final String SONAR_PASSWORD = "P4ssword!!!!";
private static final String SONAR_PROJECT = "benchmark";
- public static final String SONAR_HOST = "ubuntu-server";
+ public static final String SONAR_HOST = "localhost";
public static final String SONAR_PORT = "9876";
private static final int PAGE_SIZE = 500;
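Review bot: Two lines above the changed `SONAR_HOST`, the class embeds an admin credential, `SONAR_PASSWORD = "P4ssword!!!!"`, and pointing the host at `localhost` makes it likelier that developers will stand up a local SonarQube with exactly this password so the report works; committed credentials are also what secret scanners will keep flagging on this repository. Read both values from the environment with no baked-in secret, e.g. `private static final String SONAR_PASSWORD = System.getenv("SONAR_PASSWORD");` and `public static final String SONAR_HOST = System.getenv().getOrDefault("SONAR_HOST", "localhost");`, and fail with a clear message when the password is absent. The class body continues outside the hunk, so where these constants are used is not visible here.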