OWASP Benchmark is a test suite designed to verify the speed and accuracy of software vulnerability detection tools. A fully runnable web app written in Java, it supports analysis by Static (SAST), Dynamic (DAST), and Runtime (IAST) tools that support Java. The idea is that since it is fully runnable and all the vulnerabilities are actually expl…
davewichers Merge pull request #56 from ShiftLeftSecurity/master
Add support for ShiftLeft static analyzer
Latest commit a379257 Sep 7, 2018
.mvn Massive upgrade of every dependency I can upgrade and some cleanup/re… Jul 22, 2018
VMs Adjusted Dockerfile to newer version of Ubuntu Apr 25, 2018
data Numerous fixes and changes Apr 25, 2017
results Update open source and anonymous commercial SAST scorecards to match … Sep 20, 2016
scorecard Update open source and anonymous commercial SAST scorecards to match … Sep 20, 2016
scripts Numerous fixes and changes Apr 25, 2017
src Add support for ShiftLeft static analyzer. Sep 3, 2018
tools/Contrast Updated to support new log format in Contrast. Aug 13, 2018
.keystore Move Contrast config files into tools directory. Change configuration so Sep 29, 2015
.travis.yml Trying again to get the encrypted Coverity Scan Token to work with Aug 17, 2018
Dockerfile Replace with original VM/Dockerfile statements Oct 12, 2016
LICENSE Initial commit Apr 7, 2015
OWASP Benchmark.URL Numerous fixes and changes Apr 25, 2017
README.md Update README.md Oct 1, 2016
SonarQubeRequest.exe Enhance scorecard generator to move chart key to the right, providing… Sep 20, 2015
createAnonScorecards.sh Update to 1.2 release. This is a major release update. It introduces … Jun 5, 2016
createScorecards.bat Update to 1.2 release. This is a major release update. It introduces … Jun 5, 2016
createScorecards.sh Update to 1.2 release. This is a major release update. It introduces … Jun 5, 2016
expectedresults-1.2.csv Update to 1.2 release. This is a major release update. It introduces … Jun 5, 2016
pom.xml Update pom.xml to eliminate bouncy castle circular dependency issue f… Aug 15, 2018
runBenchmark.bat Fix a bunch of the error messages for the LDAP Server. Sep 10, 2015
runBenchmark.sh Fix a bunch of the error messages for the LDAP Server. Sep 10, 2015
runBenchmark_wContrast.bat Escaped the right parenthesis in the ECHO Jun 8, 2017
runBenchmark_wContrast.sh Improve some of the secure cookie tests to prevent generation of cook… Jul 17, 2016
runCrawler.bat Replace corrupt version of runCrawler.bat so it actually runs on Jul 9, 2018
runCrawler.sh Numerous fixes and changes Apr 25, 2017
runRemoteAccessibleBenchmark.bat Numerous fixes and changes Apr 25, 2017
runRemoteAccessibleBenchmark.sh Minor white space formatting change to some of the recently changed t… Jul 18, 2018
runSonarQube.bat Enhance scorecard generator to move chart key to the right, providing… Sep 20, 2015
runSonarQube.sh Numerous fixes and changes Apr 25, 2017

README.md

OWASP Benchmark

The OWASP Benchmark Project is a Java test suite designed to verify the speed and accuracy of vulnerability detection tools. The initial version is intended to support Static Analysis Security Testing Tools (SAST). A future release will support Dynamic Analysis Security Testing Tools (DAST), like OWASP ZAP, and Interactive Analysis Security Testing Tools (IAST). The goal is that this test application is fully runnable and all the vulnerabilities are actually exploitable, so it's a fair test for any kind of application vulnerability detection tool.

The project documentation is all on the OWASP site at the OWASP Benchmark project pages. Please refer to that site for all the project details.

The current latest release is v1.2. Note that all the releases available at https://github.com/OWASP/Benchmark/releases are historical. The latest release is always available live by cloning or pulling the head of this repository (i.e., git pull).