Add Fluid Attacks parser

[kamadorueda]

• This pull request is regarding issue:
  https://github.com/OWASP/Benchmark/issues/144
• Work done:
  • Add FluidAttacks.java parser for CSV results
  • Update BenchmarkScore to identify when a CSV should
    be parsed with it
  • It is a commercial-tool
• This is how mvn compile && ./createScorecards.sh renders:
  • 

[davewichers]

Are you able to provide a FluidAttacks results file so I can test this? You can email it to me directly at: dave.wichers@owasp.org.

[kamadorueda]

Please use any of these:

• Benchmark_1.2-Fluid-Attacks-v20210416.csv
• https://github.com/fluidattacks/Benchmark/blob/3d29bfeeb2334b39725eb3bcb752952e7225b593/results/Benchmark_1.2-Fluid-Attacks-v20210416.csv

source code:

• https://gitlab.com/fluidattacks/product/-/blob/master/skims/skims/core/entrypoint.py#L131

[davewichers]

We just checked in changes that add spotless to the pom, and have reformatted all the code in the entire project to adopt this format. Can you merge these changes into your branch, and then push out new updates to BenchmarkScore and your new tool parser with spotless applied? The pom is now set up to automatically run spotless:apply whenever you run mvn compile. So it should be pretty automatic.

[kamadorueda]

updated PR to comply new formatting and configure the spotless plugin for the CI

[kamadorueda]

@davewichers Is there anything else to do in order to get this PR accepted?

[davewichers]

Yes - The spare time to review it! I'm about to leave for vacation so was sprinting at work to wrap some things up. I should get to this next week sometime.

[davewichers]

I'm trying to follow the directions here: https://docs.fluidattacks.com/machine/scanner/reproducibility/ to produce my own copy of the full benchmark results.csv file you provided to me but this page doesn't describe how. Can you explain to me how I can do this? And I'd like to be able to run the scanner on a local copy of Benchmark, not have it pull the code from git, can you explain how I do that too?

[dsalaza4]

@davewichers Hi!

Are there any updates on this?

[davewichers]

@dsalaza4 - Dan - I'm actually working on a major refactor for managing CWE categories via configuration (and other things) that is basically done and I plan to check that in today. Then I'm going to tackle #150 first, as that one is more straightforward, then I'll work on this one. I was also out all last week so focusing on these issues now.

[darkspirit510]

@davewichers can this PR somehow be moved to BenchmarkUtils?

[davewichers]

@davewichers can this PR somehow be moved to BenchmarkUtils?

No. You can move issues to other projects, but not pull requests. So to deal with this, you'd have to grab the proposed code changes, and simply submit them in a new PR to BenchmarkUtils. As you can see, this is 6+ months old and I haven't had time to deal with it yet. If you can, that would be super awesome.