Merge pull request diffblue#425 from diffblue/webgoat_another_update_of_install_guide

SEC-416: WebGoat: Further updated of the install guide.

Author: marek-trtik

benchmarks/GENUINE/README.txt

@@ -37,10 +37,11 @@ Install guide for Ubuntu:
   3. git checkout develop
   4. mvn clean install -DskipTests
   5. Create the following two files representing the entry point to WebGoat:
-        ./WebGoat/__MAIN__/src/main/java/Main.java:
+        ./__MAIN__/src/main/java/Main.java:
             import org.owasp.webgoat.plugin.introduction.SqlInjectionLesson5a;
             import org.owasp.webgoat.plugin.introduction.SqlInjectionLesson5b;
             import org.owasp.webgoat.plugin.introduction.SqlInjectionLesson6a;
+            import org.cprover.CProver;
 
             public class Main {
 
@@ -53,7 +54,7 @@ Install guide for Ubuntu:
                     /*
                     {
                         String test = makeTainted("dave");
-                        SqlInjectionLesson5a obj = new SqlInjectionLesson5a();
+                        SqlInjectionLesson5a obj = CProver.nondetWithNull();
                         obj.completed(test);
                     }
                     */
@@ -62,7 +63,7 @@ Install guide for Ubuntu:
                     /*
                     {
                         String test = makeTainted("dave");
-                        SqlInjectionLesson5b obj = new SqlInjectionLesson5b();
+                        SqlInjectionLesson5b obj = CProver.nondetWithNull();
                         try {
                             obj.completed(test, null);
                         }
@@ -75,7 +76,7 @@ Install guide for Ubuntu:
                     /*
                     {
                         String test = makeTainted(args[0]);
-                        SqlInjectionLesson6a obj = new SqlInjectionLesson6a();
+                        SqlInjectionLesson6a obj = CProver.nondetWithNull();
                         try {
                             obj.completed(test);
                         }
@@ -87,7 +88,7 @@ Install guide for Ubuntu:
             }
         Uncomment one of the blocks (depending on what lesson you want to analyse).
 
-        ./WebGoat/__MAIN__/pom.xml:
+        ./__MAIN__/pom.xml:
             <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                      xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
                 <modelVersion>4.0.0</modelVersion>
@@ -118,12 +119,18 @@ Install guide for Ubuntu:
                     </dependency>
                 </dependencies>
             </project>
+
+        And copy CProver's utilities to the build directory:
+            mkdir -p ./__MAIN__/src/main/java/org/cprover
+            cp -a <security-scanner-root>/benchmarks/LIBRARIES/models/model/src/main/java/org/cprover ./__MAIN__/src/main/java/org
   6. cd __MAIN__
   7. mvn package
-  8. cd ..
-  9. cd ..
- 10. rm -rf ./webgoat-container
-  
+  8. rm -rf ./target/classes/org/
+  9. Remove directory 'org' inside JAR file: ./target/__MAIN__-8.0.0.M3.jar
+ 10. cd ..
+ 11. cd ..
+ 12. rm -rf ./webgoat-container
+ 
 The WebGoat does not seem to have a deployment step. Fortunately, the whole
 app is relatively small, so we can load everything for each lesson. It means
 that we can pass to the Python driver script these options: