Merge from upstream

.github/workflows/codeql-analysis.yml

@@ -27,14 +27,14 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@v6
       # Get full history for spotless ratchetFrom
       with:
         fetch-depth: 0
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v3
+      uses: github/codeql-action/init@v4
       with:
         languages: ${{ matrix.language }}
         queries: security-extended, security-experimental, security-and-quality
@@ -43,10 +43,10 @@ jobs:
       run: mvn -DskipTests=true install
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v3
+      uses: github/codeql-action/analyze@v4
 
     - name: Upload Output
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@v6
       with:
         name: ${{ matrix.language }} SARIF
         path: ${{ runner.workspace }}/results/*.sarif

.github/workflows/maven.yaml

@@ -8,14 +8,14 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v6
       with:
         fetch-depth: 0
-    - name: Set up JDK 11
-      uses: actions/setup-java@v4
+    - name: Set up JDK 17
+      uses: actions/setup-java@v5
       with:
-        java-version: '11'
-        distribution: 'zulu'
+        java-version: 17
+        distribution: zulu
     - name: Run Spotless check
       run: mvn spotless:check
     - name: Create WAR

README.md

@@ -1,6 +1,12 @@
-# OWASP Benchmark
-The OWASP Benchmark Project is a Java test suite designed to verify the speed and accuracy of vulnerability detection tools. It is a fully runnable open source web application that can be analyzed by any type of Application Security Testing (AST) tool, including SAST, DAST (like <a href="https://www.zaproxy.org/">ZAP</a>), and IAST tools. The intent is that all the vulnerabilities deliberately included in and scored by the Benchmark are actually exploitable so its a fair test for any kind of application vulnerability detection tool. The Benchmark also includes scorecard generators for numerous open source and commercial AST tools, and the set of supported tools is growing all the time.
+# OWASP Benchmark for Java
+The OWASP Benchmark Project is a Java test suite designed to verify the speed and accuracy of vulnerability detection tools. It is a fully runnable open source web application that can be analyzed by any type of Application Security Testing (AST) tool, including SAST, DAST (like <a href="https://www.zaproxy.org/">ZAP</a>), and IAST tools. The intent is that all the vulnerabilities deliberately included in and scored by the Benchmark are actually exploitable so it's a fair test for any kind of application vulnerability detection tool.
+
+The Benchmark project also includes scorecard generators for numerous open source and commercial AST tools, and the set of supported tools is growing all the time. This scoring capability is implemented in the BenchmarkUtils project, which is at: https://github.com/OWASP-Benchmark/BenchmarkUtils.
 
 The project documentation is all on the OWASP site at the <a href="https://owasp.org/www-project-benchmark">OWASP Benchmark</a> project pages. Please refer to that site for all the project details.
 
-The current latest release is v1.2. Note that all the releases that are available here: https://github.com/OWASP/Benchmark/releases are historical. The latest release is always available live by simply cloning or pulling the head of this repository (i.e., git pull).
+The current latest release is v1.2. Note that all the releases that are available here: https://github.com/OWASP-Benchmark/BenchmarkJava/releases, are historical. The latest release is always available live by simply cloning or pulling the head of this repository (i.e., git pull).
+
+Running Benchmark Itself:
+* runBenchmark.sh - run the Benchmark Web Application (accessible via local machine only)
+* runRemoteAccessibleBenchmark.sh - like the above but allows port 8443 to be accessible outside the machine Benchmark is running on.

VMs/Dockerfile

@@ -1,12 +1,12 @@
 # This dockerfile builds a container that pulls down and runs the latest version of BenchmarkJava
 FROM ubuntu:latest
-MAINTAINER "Dave Wichers dave.wichers@owasp.org"
+LABEL org.opencontainers.image.authors="Dave Wichers dave.wichers@owasp.org"
 
 RUN apt-get update
 RUN DEBIAN_FRONTEND="noninteractive" apt-get -y install tzdata
 RUN apt-get install -q -y \
-     openjdk-11-jre-headless \
-     openjdk-11-jdk \
+     openjdk-17-jre-headless \
+     openjdk-17-jdk \
      git \
      maven \
      wget \
@@ -35,7 +35,7 @@ RUN useradd -d /home/bench -m -s /bin/bash bench
 RUN echo bench:bench | chpasswd
 
 RUN chown -R bench /owasp/
-ENV PATH /owasp/BenchmarkJava:$PATH
+ENV PATH=/owasp/BenchmarkJava:$PATH
 
 # start up Benchmark once, for 60 seconds, then kill it, so the additional dependencies required to run it are downloaded/cached in the image as well.
 # exit 0 is required to return a 'success' code, otherwise the timeout returns a failure code, causing the Docker build to fail.

VMs/buildDockerImage.sh

@@ -11,3 +11,6 @@ fi
 docker image rm benchmark:latest
 docker build -t benchmark .
 
+# Once verified/tested, to publish an update to the OWASP Benchmark Docker image, run the following:
+# docker push owasp/benchmark:latest
+

pom.xml

@@ -624,7 +624,7 @@
         <dependency>
             <groupId>commons-codec</groupId>
             <artifactId>commons-codec</artifactId>
-            <version>1.18.0</version>
+            <version>1.20.0</version>
         </dependency>
 
         <!-- mvn dependency:analyze says this is an unused declared dependency, but its wrong. Get this runtime error if it's not included: Caused by: org.springframework.beans.factory.CannotLoadBeanClassException: Cannot find class [org.apache.commons.dbcp.BasicDataSource] for bean with name 'dataSource' defined in class path resource [context.xml]; nested exception is java.lang.ClassNotFoundException: org.apache.commons.dbcp.BasicDataSource -->
@@ -637,7 +637,7 @@
         <dependency>
             <groupId>commons-io</groupId>
             <artifactId>commons-io</artifactId>
-            <version>2.19.0</version>
+            <version>2.21.0</version>
         </dependency>
 
         <dependency>
@@ -765,13 +765,13 @@
         <dependency>
             <groupId>org.apache.httpcomponents.client5</groupId>
             <artifactId>httpclient5</artifactId>
-            <version>5.5</version>
+            <version>5.6</version>
         </dependency>
 
         <dependency>
             <groupId>org.apache.httpcomponents.core5</groupId>
             <artifactId>httpcore5</artifactId>
-            <version>5.3.4</version>
+            <version>5.4</version>
         </dependency>
 
         <dependency>
@@ -810,7 +810,7 @@
         <dependency>
             <groupId>org.owasp.esapi</groupId>
             <artifactId>esapi</artifactId>
-            <version>2.6.2.0</version>
+            <version>2.7.0.0</version>
         </dependency>
 
         <dependency>
@@ -854,7 +854,7 @@
         <dependency>
             <groupId>com.fasterxml.jackson.core</groupId>
             <artifactId>jackson-databind</artifactId>
-            <version>2.19.1</version>
+            <version>2.20.1</version>
         </dependency>
     </dependencies>
 
@@ -880,17 +880,17 @@
                 <plugin>
                     <groupId>org.apache.maven.plugins</groupId>
                     <artifactId>maven-antrun-plugin</artifactId>
-                    <version>3.1.0</version>
+                    <version>3.2.0</version>
                 </plugin>
                 <plugin>
                     <groupId>org.apache.maven.plugins</groupId>
                     <artifactId>maven-assembly-plugin</artifactId>
-                    <version>3.7.1</version>
+                    <version>3.8.0</version>
                 </plugin>
                 <plugin>
                     <groupId>org.apache.maven.plugins</groupId>
                     <artifactId>maven-dependency-plugin</artifactId>
-                    <version>3.8.1</version>
+                    <version>3.9.0</version>
                     <configuration>
                         <usedDependencies>
                             <dependency>com.sun.jersey:jersey-servlet</dependency>
@@ -904,7 +904,7 @@
                 <plugin>
                     <groupId>org.apache.maven.plugins</groupId>
                     <artifactId>maven-release-plugin</artifactId>
-                    <version>3.1.1</version>
+                    <version>3.3.1</version>
                 </plugin>
             </plugins>
         </pluginManagement>
@@ -924,7 +924,7 @@
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-compiler-plugin</artifactId>
-                <version>3.14.0</version>
+                <version>3.14.1</version>
                 <configuration>
                     <fork>true</fork>
                     <meminitial>1000m</meminitial>
@@ -942,12 +942,12 @@
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-enforcer-plugin</artifactId>
-                <version>3.5.0</version>
+                <version>3.6.2</version>
                 <dependencies>
                     <dependency>
                         <groupId>org.codehaus.mojo</groupId>
                         <artifactId>extra-enforcer-rules</artifactId>
-                        <version>1.10.0</version>
+                        <version>1.11.0</version>
                     </dependency>
                 </dependencies>
                 <executions>
@@ -1005,7 +1005,7 @@
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-pmd-plugin</artifactId>
-                <version>3.27.0</version>
+                <version>3.28.0</version>
             </plugin>
 
             <plugin>
@@ -1017,7 +1017,7 @@
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-resources-plugin</artifactId>
-                <version>3.3.1</version>
+                <version>3.4.0</version>
             </plugin>
 
             <plugin>
@@ -1038,13 +1038,13 @@
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-surefire-plugin</artifactId>
-                <version>3.5.3</version>
+                <version>3.5.4</version>
             </plugin>
 
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-war-plugin</artifactId>
-                <version>3.4.0</version>
+                <version>3.5.1</version>
                 <configuration>
                     <webXml>${maven.war.webxml}</webXml>
                 </configuration>
@@ -1053,13 +1053,13 @@
             <plugin>
                 <groupId>org.codehaus.cargo</groupId>
                 <artifactId>cargo-maven3-plugin</artifactId>
-                <version>1.10.20</version>
+                <version>1.10.26</version>
             </plugin>
 
             <plugin>
                 <groupId>org.codehaus.mojo</groupId>
                 <artifactId>versions-maven-plugin</artifactId>
-                <version>2.18.0</version>
+                <version>2.20.1</version>
             </plugin>
 
             <!-- SpotBugs Static Analysis - the successor to FindBugs -->
@@ -1104,7 +1104,7 @@
             <plugin>
                 <groupId>com.diffplug.spotless</groupId>
                 <artifactId>spotless-maven-plugin</artifactId>
-                <version>2.44.5</version>
+                <version>3.1.0</version>
                 <configuration>
                     <!-- optional: limit format enforcement to just the files changed by this feature branch -->
                     <ratchetFrom>origin/master</ratchetFrom>
@@ -1249,13 +1249,13 @@
         <version.fluido>2.1.0</version.fluido>
         <!-- hibernate is up to rev 6+. But 4.0.0. causes this error: symbol: org.hibernate.classic.Session not found -->
         <version.hibernate>3.6.10.Final</version.hibernate>
-        <version.spotbugs.maven>4.9.3.1</version.spotbugs.maven>
-        <version.spotbugs>4.9.3</version.spotbugs>
+        <version.spotbugs.maven>4.9.8.2</version.spotbugs.maven>
+        <version.spotbugs>4.9.8</version.spotbugs>
         <!-- Spring 6.x requires Java 17 -->
         <version.springframework>5.3.39</version.springframework>
         <!-- Tomcat 10 moves from Java EE to Jakarta EE, moving packages javax.* to jakarta.* - code changes likely required to address this change. -->
         <tomcat.major.version>9</tomcat.major.version>
-        <version.tomcat>9.0.97</version.tomcat>
+        <version.tomcat>9.0.113</version.tomcat>
         <tomcat.url>https://archive.apache.org/dist/tomcat/tomcat-${tomcat.major.version}/v${version.tomcat}/bin/apache-tomcat-${version.tomcat}.zip</tomcat.url>
     </properties>
 

scripts/runBearer.sh

@@ -2,6 +2,9 @@
 
 # Check for install/updates at https://github.com/bearer/bearer
 
+# For this script to work, you need to change the permissions on the results/ directory to 777
+# so docker can write the results file into the results/ folder
+
 source scripts/requireCommand.sh
 
 requireCommand docker
@@ -10,6 +13,17 @@ docker pull bearer/bearer --platform linux/amd64
 
 benchmark_version=$(scripts/getBenchmarkVersion.sh)
 bearer_version=$(docker run --platform linux/amd64 bearer/bearer bearer --version | grep -o '[[:digit:]]\+\.[[:digit:]]\+\.[[:digit:]]\+')
-result_file="/src/results/Benchmark_$benchmark_version-Bearer-v$bearer_version.json"
+result_file="results/Benchmark_$benchmark_version-Bearer-v$bearer_version.json"
+temp_result_file="$result_file.tmp"
+docker_result_file="/benchmark/$temp_result_file"
+
+# if you set the Docker userid to match the current user id with: --user $(id -u):$(id -g) you get a suspicious git repository error
+docker run --platform linux/amd64 --rm -v "${PWD}:/benchmark" bearer/bearer scan /benchmark/src/main/ --format jsonv2 --output "$docker_result_file" > /dev/null
+
+# Because the docker userid and current user ID might be different, we write the Bearer result to a temp file.
+# Then copy it to the desired file name, and then delete the temp file.
+#
+# We can't just chown the file to the right user ID as Unix won't allow that.
+cp $temp_result_file $result_file
+rm -f $temp_result_file
 
-docker run --platform linux/amd64 --rm -v "${PWD}:/src" bearer/bearer scan /src/src/main/ --format jsonv2 --output "$result_file" > /dev/null

scripts/runCodeQL.sh

@@ -9,7 +9,7 @@
 ## For Rosetta 2, run: lsbom -f /Library/Apple/System/Library/Receipts/com.apple.pkg.RosettaUpdateAuto.bom - And if it returns a list of files, it's installed.
 
 # This then runs the CodeQL scan:
-## The following CodeQL query is a big complex. I had to raise an issue with the CodeQL team to figure out how to do this.
+## The following CodeQL query is a bit complex. I had to raise an issue with the CodeQL team to figure out how to do this.
 ## The issue raised and the answer that documents this query is here: https://github.com/github/codeql/issues/18518#issuecomment-2730684184
 benchmark_version=$(scripts/getBenchmarkVersion.sh)
 ../../tools/codeql-home/codeql/codeql database analyze owasp-benchmark codeql/java-queries:codeql-suites/java-security-extended.qls --format=sarifv2.1.0 --output=results/Benchmark_1.2-codeql_java-security-extended.sarif -j0 --download

scripts/runFindBugs.bat

@@ -1,6 +1,7 @@
 # source "scripts/verifyBenchmarkPluginAvailable.sh" - Don't have .bat version of this (yet)
+
 # FindBugs is dead, so this specifies the specific (last) version of findbugs. Its version is not defined in the pom.xml file.
 # The buildtime elements when invoking the findbugs-maven-plugin leverage the buildtime extension specified in: .mvn/extensions.xml
-CALL mvn compile org.codehaus.mojo:findbugs-maven-plugin:3.0.5:findbugs -Dbuildtime.output.csv=true -Dbuildtime.output.csv.file=../data/out.csv
-CALL mvn org.owasp:benchmarkutils-maven-plugin:append-time -DtoolName=findbugs
+call mvn compile org.codehaus.mojo:findbugs-maven-plugin:3.0.5:findbugs -Dbuildtime.output.csv=true -Dbuildtime.output.csv.file=../data/out.csv
+call mvn org.owasp:benchmarkutils-maven-plugin:append-time -DtoolName=findbugs
 

scripts/runFindSecBugs.bat

@@ -1,5 +1,7 @@
 # source "scripts/verifyBenchmarkPluginAvailable.sh" - Don't have .bat version of this (yet)
-# The buildtime elements when invoking the findbugs-maven-plugin leverage the buildtime extension specified in: .mvn/extensions.xml
-CALL mvn compile -Pfindsecbugs -Dbuildtime.output.csv=true -Dbuildtime.output.csv.file=../data/out.csv
-CALL mvn org.owasp:benchmarkutils-maven-plugin:append-time -DtoolName=findsecbugs
+
+# The buildtime elements when invoking the findbugs-maven-plugin thru the findsecbugs profile leverage the
+# buildtime extension specified in: .mvn/extensions.xml
+call mvn compile -Pfindsecbugs -Dbuildtime.output.csv=true -Dbuildtime.output.csv.file=../data/out.csv
+call mvn org.owasp:benchmarkutils-maven-plugin:append-time -DtoolName=findsecbugs
 

scripts/runFindSecBugs.sh

@@ -1,5 +1,6 @@
 source "scripts/verifyBenchmarkPluginAvailable.sh"
-# The buildtime elements when invoking the findbugs-maven-plugin leverage the buildtime extension specified in: .mvn/extensions.xml
+# The buildtime elements when invoking the findbugs-maven-plugin thru the findsecbugs profile leverage the
+# buildtime extension specified in: .mvn/extensions.xml
 mvn compile -Pfindsecbugs -Dbuildtime.output.csv=true -Dbuildtime.output.csv.file=../data/out.csv
 mvn org.owasp:benchmarkutils-maven-plugin:append-time -DtoolName=findsecbugs
 

scripts/runPMD.bat

@@ -1,5 +1,5 @@
 # source "scripts/verifyBenchmarkPluginAvailable.sh" - Don't have .bat version of this (yet)
-# The buildtime elements when invoking the findbugs-maven-plugin leverage the buildtime extension specified in: .mvn/extensions.xml
-CALL mvn compile pmd:pmd -Dbuildtime.output.csv=true -Dbuildtime.output.csv.file=../data/out.csv
-CALL mvn org.owasp:benchmarkutils-maven-plugin:append-time -DtoolName=pmd
+# The buildtime elements when invoking the PMD plugin leverage the buildtime extension specified in: .mvn/extensions.xml
+call mvn compile pmd:pmd -Dbuildtime.output.csv=true -Dbuildtime.output.csv.file=../data/out.csv
+call mvn org.owasp:benchmarkutils-maven-plugin:append-time -DtoolName=pmd
 

scripts/runPMD.sh

@@ -1,5 +1,5 @@
 source "scripts/verifyBenchmarkPluginAvailable.sh"
-# The buildtime elements when invoking the findbugs-maven-plugin leverage the buildtime extension specified in: .mvn/extensions.xml
+# The buildtime elements when invoking the PMD plugin leverage the buildtime extension specified in: .mvn/extensions.xml
 mvn compile pmd:pmd -Dbuildtime.output.csv=true -Dbuildtime.output.csv.file=../data/out.csv
 mvn org.owasp:benchmarkutils-maven-plugin:append-time -DtoolName=pmd
 

scripts/runSnykSAST.sh

@@ -1,6 +1,8 @@
 # Install Snyk per: https://docs.snyk.io/snyk-cli/install-or-update-the-snyk-cli
+# Before running this, you must first run: snyk auth (and then authenticate) so snyk code is authorized to run.
+
 benchmark_version=$(scripts/getBenchmarkVersion.sh)
 Snyk_version=$(snyk -v)
 
-snyk code --sarif-file-output=results/Benchmark_$benchmark_version-snykCodeCli-v$Snyk_version.sarif
+snyk code test --sarif-file-output=results/Benchmark_$benchmark_version-snykCodeCli-v$Snyk_version-$SECONDS.sarif
 

scripts/runSnykSAST_OnWindows.sh

@@ -1,6 +1,8 @@
 # Install Snyk per: https://docs.snyk.io/snyk-cli/install-or-update-the-snyk-cli
+# Before running this, you must first run: snyk auth (and then authenticate) so snyk code is authorized to run.
+
 benchmark_version=$(scripts/getBenchmarkVersion.sh)
 Snyk_version=$(snyk-win -v)
 
-snyk-win code test --sarif-file-output=results/Benchmark_$benchmark_version-snykCodeCli-v$Snyk_version.sarif
+snyk-win code test --sarif-file-output=results/Benchmark_$benchmark_version-snykCodeCli-v$Snyk_version-$SECONDS.sarif