Address review comments

Author: Owen Jones

benchmarks/GENUINE/Alfresco.sh

@@ -5,7 +5,18 @@ if [ -z "$SECURITY_SCANNER_HOME" ]; then
     exit 1
 fi
 
-if [[ ! -d "Alfresco" ]]; then
+# Stop script if a command does not succeed
+set -e
+
+SCRIPT_WORKING_DIR="$( cd "$(dirname "$0")" ; pwd -P )"
+REPO_DIR=$SCRIPT_WORKING_DIR/Alfresco
+DEPLOY_DIR=$REPO_DIR/__dist__
+if [ -z "$OUTPUT_DIR" ]; then
+    OUTPUT_DIR=$SECURITY_SCANNER_HOME/GENUINE
+fi
+
+if [[ ! -d $REPO_DIR ]]; then
+    # First switch to Java 7
     java_version=$(java -version 2>&1 | awk -F '"' '/version/ {print $2}')
     if [[ ! "$java_version" < "1.8" ]]; then
         echo "WRONG JAVA VERSION: $java_version"
@@ -34,35 +45,25 @@ if [[ ! -d "Alfresco" ]]; then
         PATH=/usr/lib/jvm/java-7-openjdk-amd64/bin:$PATH
         JAVA_HOME=/usr/lib/jvm/java-7-openjdk-amd64/bin
     fi
-fi
 
-# Stop script if a command does not succeed
-set -e
-
-SCRIPT_WORKING_DIR=$(pwd)
-REPO_DIR=$SCRIPT_WORKING_DIR/Alfresco
-DEPLOY_DIR=$REPO_DIR/__dist__
-if [ -z "$OUTPUT_DIR" ]; then
-    OUTPUT_DIR=$SECURITY_SCANNER_HOME/GENUINE
-fi
-
-if [[ ! -d $REPO_DIR ]]; then
-    # The next two statements are commented out, because they access the old
-    # repo which was deleted. It was actually a mirror of the SVN repo used
-    # below.
-    #   git clone [email protected]:Alfresco/community-edition .
-    #   git checkout 5fcc93f009c6fb8578e87e79dc19a44309210602
-
-    # We are checking out the revision in which we know about the issue.
+    # Clone the repository and check out a commit which has the issue.
+    # Originally we looked at commit 5fcc93f009c6fb8578e87e79dc19a44309210602 in
+    # the git repository [email protected]:Alfresco/community-edition . It has
+    # since been deleted, but fortunately it was just a clone of the svn
+    # repository below.
     mkdir -p $REPO_DIR
     cd $REPO_DIR
     svn checkout -r 74720 https://svn.alfresco.com/repos/alfresco-open-mirror/alfresco/HEAD/root .
 
+    # Build and install
     mvn install -DskipTests
 
+    # Deploy web apps
     mkdir -p $DEPLOY_DIR/webapps
     cp projects/web-client/target/alfresco-4.3.0-SNAPSHOT.war $DEPLOY_DIR/webapps
     cp projects/slingshot/target/share-4.3.0-SNAPSHOT.war  $DEPLOY_DIR/webapps
+
+    # Deploy libraries
     mkdir $DEPLOY_DIR/lib
     cp projects/3rd-party/lib/devenv/mysql-connector-java-5.1.13-bin.jar $DEPLOY_DIR/lib
     cp projects/3rd-party/lib/devenv/postgresql-9.3-1101-jdbc41.jar $DEPLOY_DIR/lib
@@ -73,6 +74,7 @@ if [[ ! -d $REPO_DIR ]]; then
     cd ..
 fi
 
+# Run security-analyser
 cd $SECURITY_SCANNER_HOME
 
 python3 $SCRIPT_WORKING_DIR/../../driver/run.py \

benchmarks/GENUINE/CiteSeerX.sh

@@ -8,7 +8,7 @@ fi
 # Stop script if a command does not succeed
 set -e
 
-SCRIPT_WORKING_DIR=$(pwd)
+SCRIPT_WORKING_DIR="$( cd "$(dirname "$0")" ; pwd -P )"
 REPO_DIR=$SCRIPT_WORKING_DIR/CiteSeerX
 DEPLOY_DIR=$REPO_DIR
 FILES_DIR=$SCRIPT_WORKING_DIR/CiteSeerX_files
@@ -23,12 +23,12 @@ if [[ ! -d $REPO_DIR ]]; then
     git clone https://github.com/SeerLabs/CiteSeerX.git .
     git checkout 8a62545ffc904f2b41b4ecd30ce91900dc7790f4
 
-    # There are some example 'template' files that we need to rename to build correctly
-    rename 's/\.template//' conf/*.template
-
     # Apply the git patch to remove sanitization of query
     patch -p1 -f < $FILES_DIR/introduce_XXS_vulnerability.patch
 
+    # There are some example 'template' files that we need to rename to build correctly
+    rename 's/\.template//' conf/*.template
+
     # Build
     ant
 fi

benchmarks/GENUINE/DSpace.sh

@@ -8,7 +8,7 @@ fi
 # Stop script if a command does not succeed
 set -e
 
-SCRIPT_WORKING_DIR=$(pwd)
+SCRIPT_WORKING_DIR="$( cd "$(dirname "$0")" ; pwd -P )"
 REPO_DIR=$SCRIPT_WORKING_DIR/DSpace
 DEPLOY_DIR=$REPO_DIR
 FILES_DIR=$SCRIPT_WORKING_DIR/DSpace_files
@@ -17,53 +17,33 @@ if [ -z "$OUTPUT_DIR" ]; then
 fi
 
 if [[ ! -d $REPO_DIR ]]; then
-    # 1. Open a terminal in the directory of this readme file and clone DSpace:
+    # Clone the repository and checkout a commit which builds
     mkdir -p $REPO_DIR
     cd $REPO_DIR
     git clone https://github.com/DSpace/DSpace .
-
-    # 2. (Optional) Checkout commit:
     git checkout ed7d2980e264901bb60c63da183d620d49772f3e
 
-    #   and in the file:
-    #        <this-dir>/DSpace/build.properties
-    #   update the variable 'dspace.install.dir' as follows:
-    #        dspace.install.dir=<this-dir>/DSpace/__dist__
-
-    echo dspace.install.dir=$DEPLOY_DIR >> build.properties
-
-    #   The checkout will give you a version with a fixed XSS issue. In order to
-    #   return the XSS issue back comment out lines 94-108 in file:
-    #        <this-dir>/DSpace/dspace-jspui/src/main/java/org/dspace/app/webui/servlet/AbstractBrowserServlet.java
-    #   (NOTE: you can also check out the previous commit; but was not tested)
-
+    # Reintroduce the XSS issue
     patch -p1 < $FILES_DIR/introduce-xss-vulnerability.patch
 
-    #  3. Enter the directory '<this-dir>/DSpace' and type the following command:
+    # Update 'dspace.install.dir'
+    echo dspace.install.dir=$DEPLOY_DIR >> build.properties
 
+    # Build and package
     mvn clean package
 
-    #  4. Set the install directory (variable dspace.dir) in dspace/target/dspace-installer/config/dspace.cfg to
-    #     <this-dir>/DSpace/build.properties as above
-
+    # Set the install directory (variable 'dspace.dir')
     sed -i "[email protected] = /[email protected] = $DEPLOY_DIR@" dspace/target/dspace-installer/config/dspace.cfg
 
-    #  5. Enter the directory '<this-dir>/DSpace/dspace/target/dspace-installer'
-    #     and type the following commands:
-    #        ant init_installation
-    #        ant init_configs
-    #        ant install_code
-    #        ant copy_webapps
-
+    # install
     cd dspace/target/dspace-installer
     ant init_installation
     ant init_configs
     ant install_code
     ant copy_webapps
 fi
 
-### Finally, analyse it:
-
+# Run security-analyser
 cd $SECURITY_SCANNER_HOME
 
 python3 $SCRIPT_WORKING_DIR/../../driver/run.py \

benchmarks/GENUINE/Ginco.sh

@@ -8,7 +8,7 @@ fi
 # Stop script if a command does not succeed
 set -e
 
-SCRIPT_WORKING_DIR=$(pwd)
+SCRIPT_WORKING_DIR="$( cd "$(dirname "$0")" ; pwd -P )"
 REPO_DIR=$SCRIPT_WORKING_DIR/Ginco
 DEPLOY_DIR=$REPO_DIR/__dist__
 FILES_DIR=$SCRIPT_WORKING_DIR/Ginco_files
@@ -17,28 +17,29 @@ if [ -z "$OUTPUT_DIR" ]; then
 fi
 
 if [[ ! -d $REPO_DIR ]]; then
+    # Clone the repository and check out a commit which builds (master branch on
+    # 2017-11-17 10:18:50)
     mkdir -p $REPO_DIR
     cd $REPO_DIR
     git clone https://github.com/culturecommunication/ginco .
-
-    # This is the commit where the XSS issue was fixed: 2fb5a070034deda25b2d50a98e9e6b42754e6425
-    # This is the subsequent commit mentioned in the README.txt file: fb937f67a78a1f01017cee3a12f4d79d325ec82f
-    # Nevertheless, we do not checkout any of them. We actually checkout
-    # latest 'master' branch on 2017-11-17 10:18:50.
     git checkout e5b62450f61f76feccd2c2d5bf8ed33d1e258d87
 
+    # Reintroduce the XSS issue fixed in commit
+    # 2fb5a070034deda25b2d50a98e9e6b42754e6425
     patch -p1 -f < $FILES_DIR/0001-Reverting-XSS-issue-and-adding-generation-of-jar.patch
 
+    # install
     mvn install -DskipTests
-    
-    # Now we create an artificial entry-point project and build it
+
+    # Create an artificial entry-point project and build it
     cp -r $FILES_DIR/__MAIN__/ .
     mkdir -p __MAIN__/src/main/java/org/cprover
     cp ../../LIBRARIES/models/model/src/main/java/org/cprover/* __MAIN__/src/main/java/org/cprover
     (cd __MAIN__ && mvn package)
 
-    # Finally, we deploy built binaries to the deplyment directory
-    mkdir -p $DEPLOY_DIR/ginco-admin/{webapp,lib}
+    # Finally, we deploy built binaries to the deployment directory
+    mkdir -p $DEPLOY_DIR/ginco-admin/webapp
+    mkdir -p $DEPLOY_DIR/ginco-admin/lib
     mkdir -p $DEPLOY_DIR/ginco-webservices/webapp
     cp __MAIN__/target/classes/Main.class $DEPLOY_DIR/ginco-admin/webapp
     cp __MAIN__/target/classes/SKOSImportService.class __dist__/ginco-admin/webapp
@@ -48,6 +49,7 @@ if [[ ! -d $REPO_DIR ]]; then
     cd ..
 fi
 
+# Run security-analyser
 cd $SECURITY_SCANNER_HOME
 
 python3 $SCRIPT_WORKING_DIR/../../driver/run.py \

benchmarks/GENUINE/Sakai.sh

@@ -8,7 +8,7 @@ fi
 # Stop script if a command does not succeed
 set -e
 
-SCRIPT_WORKING_DIR=$(pwd)
+SCRIPT_WORKING_DIR="$( cd "$(dirname "$0")" ; pwd -P )"
 REPO_DIR=$SCRIPT_WORKING_DIR/Sakai
 DEPLOY_DIR=$REPO_DIR/__dist__
 FILES_DIR=$SCRIPT_WORKING_DIR/Sakai_files
@@ -21,7 +21,7 @@ if [[ ! -d $REPO_DIR ]]; then
     mkdir -p $REPO_DIR
     cd $REPO_DIR
     git clone https://github.com/sakaiproject/sakai.git .
-    git checkout f333f0c
+    git checkout f333f0ccd5b652408d7d635289a604cfb018a93d
 
     # Revert the sanitiser introduced in 8550c16
     patch -p0 < $FILES_DIR/remove_sanitiser.patch
@@ -30,6 +30,7 @@ if [[ ! -d $REPO_DIR ]]; then
     mvn install sakai:deploy -Dmaven.tomcat.home="$DEPLOY_DIR" -DskipTests -Dmaven.test.skip=true
 fi
 
+# Run security-analyser
 cd $SECURITY_SCANNER_HOME
 
 python3 $SCRIPT_WORKING_DIR/../../driver/run.py \

benchmarks/GENUINE/WebGoat.sh

@@ -11,7 +11,7 @@ LESSONS_WHICH_DO_NOT_WORK='CrossSiteScriptingLesson5a Assignment3 ContentTypeAss
 # Stop script if a command does not succeed
 set -e
 
-SCRIPT_WORKING_DIR=$(pwd)
+SCRIPT_WORKING_DIR="$( cd "$(dirname "$0")" ; pwd -P )"
 REPO_DIR=$SCRIPT_WORKING_DIR/WebGoat
 DEPLOY_DIR=$REPO_DIR
 FILES_DIR=$SCRIPT_WORKING_DIR/WebGoat_files
@@ -21,44 +21,29 @@ if [ -z "$OUTPUT_DIR" ]; then
 fi
 
 if [[ ! -d $REPO_DIR ]]; then
-    # 1. git https://github.com/WebGoat/WebGoat.git
-    #  2. cd WebGoat
+    # Clone the repository and checkout a commit which builds
     mkdir -p $REPO_DIR
     cd $REPO_DIR
     git clone https://github.com/WebGoat/WebGoat.git .
+    git checkout a922c001824d4571578e2188d13574597446318b
 
-    #  3. git checkout develop
-    git checkout a922c00
-
-    #  4. mvn clean install -DskipTests
+    #Build and install
     mvn clean install -DskipTests
 
-    #  5. Create the following files representing the entry point to WebGoat:
+    # Create an artificial entry-point project
     mkdir -p __MAIN__/src/main/java
     cp $FILES_DIR/Main.java __MAIN__/src/main/java/Main.java
     cp $FILES_DIR/pom.xml __MAIN__/pom.xml
-
-    #  6. copy ../../LIBRARIES/models/model/src/main/java/org to ./__MAIN__/src/main/java/
     cp -r $MODELS_LIB_DIR/model/src/main/java/org __MAIN__/src/main/java/
 
-    #  7. cd __MAIN__
+    # Build the artificial entry-point project
     cd __MAIN__
-
-    #  8. python3 ./build.py
-    if [ -d "./target" ]; then
-        rm -rf ./target
-    fi
+    rm -rf ./target
     mvn clean package
-    if [ -d "./target/classes/org" ]; then
-        rm -rf ./target/classes/org
-    fi
-    if [ -e "./target/__MAIN__-8.0.0.M3.jar" ]; then
-        rm ./target/__MAIN__-8.0.0.M3.jar
-    fi
 
-    #  9. cd ..
-    # 10. cd ..
-    # 11. rm -rf ./webgoat-container
+    # Remove unneeded files
+    rm -rf ./target/classes/org
+    rm -f ./target/__MAIN__-8.0.0.M3.jar
     rm -rf ../../webgoat-container
 fi