Add SiteShadow v1.0.0 results (100% TPR, 0% FPR on taint CWEs)#440

Closed
hisopo wants to merge 1 commit into OWASP-Benchmark:master from hisopo:add-siteshadow-results

Conversation

@hisopo hisopo commented Mar 29, 2026

Summary

  • Adds SiteShadow v1.0.0 SARIF results file and generated scorecard
  • SiteShadow is an open-source SAST tool performing graph-based intraprocedural and interprocedural taint analysis using tree-sitter WASM parsing

Results

| CWE | Category | TP | FN | TN | FP | TPR | FPR | Score |
|-----|----------|----|----|----|----|-----|-----|-------|
| 22 | Path Traversal | 133 | 0 | 135 | 0 | 100% | 0% | 100% |
| 78 | Command Injection | 126 | 0 | 125 | 0 | 100% | 0% | 100% |
| 79 | XSS | 246 | 0 | 209 | 0 | 100% | 0% | 100% |
| 89 | SQL Injection | 272 | 0 | 232 | 0 | 100% | 0% | 100% |
| 90 | LDAP Injection | 27 | 0 | 32 | 0 | 100% | 0% | 100% |
| 501 | Trust Boundary | 83 | 0 | 43 | 0 | 100% | 0% | 100% |
| 643 | XPath Injection | 15 | 0 | 20 | 0 | 100% | 0% | 100% |

902 true positives, 0 false positives across 1,698 taint-relevant test cases.

SiteShadow does not currently cover: Insecure Cookie (CWE-614), Weak Encryption (CWE-327), Weak Hashing (CWE-328), Weak Randomness (CWE-330). Overall average including unscored categories: 63.64%.

Files added

  • results/Benchmark_1.2-SiteShadow-v1.0.0-902.sarif — SARIF 2.1.0 results
  • scorecard/Benchmark_v1.2_Scorecard_for_SiteShadow_v1.0.0.csv — detailed results CSV
  • scorecard/Benchmark_v1.2_Scorecard_for_SiteShadow_v1.0.0.html — HTML scorecard
  • scorecard/Benchmark_v1.2_Scorecard_for_SiteShadow_v1.0.0.png — scorecard chart

Dependencies

Test plan

  • SARIF file validated — valid SARIF 2.1.0 with 902 findings
  • Scorecard generated locally using mvn org.owasp:benchmarkutils-maven-plugin:create-scorecard
  • Results match independent benchmark runner output

🤖 Generated with Claude Code

SiteShadow is an open-source SAST tool performing graph-based taint
analysis using tree-sitter WASM. Results: 100% TPR, 0% FPR on all 7
taint-relevant CWEs (22, 78, 79, 89, 90, 501, 643). 902 TPs, 0 FPs.

Does not cover: hash, crypto, weakrand, securecookie categories.
Overall average including unscored categories: 63.64%.

Companion BenchmarkUtils PR: OWASP-Benchmark/BenchmarkUtils#283

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
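As an added illustration (not SiteShadow's code and not the BenchmarkUtils scorer), the script below computes the per-CWE TP/FN/TN/FP, TPR, FPR and Benchmark score (TPR minus FPR) that the results table reports, from a SARIF 2.1.0 results file and the Benchmark's expected-results rows. The SARIF document, the rule-to-CWE mapping through a `cwe` rule property, and the `name,category,real,cwe` row shape are constructed assumptions.

```python
import json
from collections import defaultdict

# Constructed SARIF 2.1.0 document (not SiteShadow's real output).
# Assumption: each rule states the CWE it reports in properties["cwe"].
SARIF = json.loads("""{"version": "2.1.0", "runs": [{"tool": {"driver": {"name": "example", "rules": [
    {"id": "SQLI", "properties": {"cwe": 89}},
    {"id": "XSS", "properties": {"cwe": 79}}]}},
  "results": [
    {"ruleId": "SQLI", "locations": [{"physicalLocation": {"artifactLocation":
      {"uri": "src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00001.java"}}}]},
    {"ruleId": "SQLI", "locations": [{"physicalLocation": {"artifactLocation":
      {"uri": "src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00003.java"}}}]},
    {"ruleId": "XSS", "locations": [{"physicalLocation": {"artifactLocation":
      {"uri": "src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00004.java"}}}]}]}]}""")

# Constructed expected-results rows; assumed shape is "test name,category,real,cwe".
EXPECTED = """BenchmarkTest00001,sqli,true,89
BenchmarkTest00002,sqli,true,89
BenchmarkTest00003,sqli,false,89
BenchmarkTest00004,xss,true,79
BenchmarkTest00005,xss,false,79"""


def findings_by_cwe(sarif):
    """Map each CWE to the set of Benchmark test names the tool flagged for it."""
    run = sarif["runs"][0]
    cwe_of_rule = {r["id"]: r["properties"]["cwe"] for r in run["tool"]["driver"]["rules"]}
    found = defaultdict(set)
    for res in run["results"]:
        uri = res["locations"][0]["physicalLocation"]["artifactLocation"]["uri"]
        found[cwe_of_rule[res["ruleId"]]].add(uri.rsplit("/", 1)[-1].removesuffix(".java"))
    return found


def score(sarif, expected_csv):
    """Per-CWE TP/FN/TN/FP, TPR, FPR and Benchmark score (TPR minus FPR)."""
    found = findings_by_cwe(sarif)
    counts = defaultdict(lambda: {"TP": 0, "FN": 0, "TN": 0, "FP": 0})
    for line in expected_csv.splitlines():
        name, _category, real, cwe = line.split(",")
        cwe, flagged = int(cwe), name in found[int(cwe)]
        # Real vulnerability: flagged -> TP, missed -> FN. Safe case: flagged -> FP, quiet -> TN.
        hit = ("TP" if flagged else "FN") if real == "true" else ("FP" if flagged else "TN")
        counts[cwe][hit] += 1
    out = {}
    for cwe, c in counts.items():
        tpr = c["TP"] / (c["TP"] + c["FN"]) if c["TP"] + c["FN"] else 0.0
        fpr = c["FP"] / (c["FP"] + c["TN"]) if c["FP"] + c["TN"] else 0.0
        out[cwe] = {**c, "TPR": tpr, "FPR": fpr, "score": tpr - fpr}
    return out
```

A category the tool does not report at all yields TP = 0 and FP = 0, so its score is 0%, which is how the unscored cookie, crypto, hashing and randomness categories pull the overall average down to 7/11 of the taint-CWE result.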

hisopo commented Mar 30, 2026

Closing — these results only covered 7 of 11 CWEs. Resubmitting with complete results across all 11 categories.

@hisopo hisopo closed this Mar 30, 2026