Merge pull request diffblue#433 from diffblue/owen-jones-diffblue/webgoat-shell-script

owen-jones-diffblue · web-flow · commit c1f0127efa58 · 2018-06-04T10:37:59.000+01:00
SEC-428: webgoat shell script
diff --git a/benchmarks/GENUINE/README.txt b/benchmarks/GENUINE/README.txt
@@ -34,14 +34,10 @@ Install guide for Ubuntu:
 
   1. git clone git@github.com:WebGoat/WebGoat.git
   2. cd WebGoat
-  3. git checkout develop
-  4. Add handling of exception 'SQLException' to the method 'completed' in file:
-        /webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson12a.java
-     So, the updated should be line 34 and it should look like this:
-        public AttackResult completed(@RequestParam String ip) throws SQLException {
-  5. mvn clean install -DskipTests
-  6. Create the following files representing the entry point to WebGoat:
-        ./WebGoat/__MAIN__/src/main/java/Main.java:
+  3. git checkout a922c00
+  4. mvn clean install -DskipTests
+  5. Create the following files representing the entry point to WebGoat:
+        ./__MAIN__/src/main/java/Main.java:
                 /*
                 Lessons considered in this file:
                     [Sql Injection] Assignment6, registerNewUser
@@ -281,7 +277,7 @@ Install guide for Ubuntu:
 
         Uncomment one of the blocks (depending on what lesson you want to analyse).
 
-        ./WebGoat/__MAIN__/pom.xml:
+        ./__MAIN__/pom.xml:
                 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                          xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
                     <modelVersion>4.0.0</modelVersion>
@@ -348,7 +344,7 @@ Install guide for Ubuntu:
                     </dependencies>
                 </project>
 
-        ./WebGoat/__MAIN__/build.py:
+        ./__MAIN__/build.py:
                 import os
                 import shutil
 
@@ -359,12 +355,13 @@ Install guide for Ubuntu:
                     shutil.rmtree("./target/classes/org")
                 if os.path.isfile("./target/__MAIN__-8.0.0.M3.jar"):
                     os.remove("./target/__MAIN__-8.0.0.M3.jar")
-        
-  6. cd __MAIN__
-  7. python3 ./build.py
-  8. cd ..
+
+  6. copy ../../LIBRARIES/models/model/src/main/java/org to ./__MAIN__/src/main/java/
+  7. cd __MAIN__
+  8. python3 ./build.py
   9. cd ..
- 10. rm -rf ./webgoat-container
+ 10. cd ..
+ 11. rm -rf ./webgoat-container
   
 The WebGoat does not seem to have a deployment step. Fortunately, the whole
 app is relatively small, so we can load everything for each lesson. It means
diff --git a/benchmarks/GENUINE/WebGoat.sh b/benchmarks/GENUINE/WebGoat.sh
@@ -0,0 +1,63 @@
+#!/usr/bin/env bash
+
+if [ -z "$SECURITY_SCANNER_HOME" ]; then
+    echo "Need to set SECURITY_SCANNER_HOME to cmake directory"
+    exit 1
+fi
+
+LESSONS_WHICH_WORK='webgoat-run-SqlInjectionLesson5a webgoat-run-SqlInjectionLesson5b webgoat-run-SqlInjectionLesson6a webgoat-run-SqlInjectionLesson12a webgoat-run-SqlInjectionChallenge webgoat-run-Assignment5 webgoat-run-Assignment6 webgoat-run-CrossSiteScriptingLesson5a webgoat-run-SimpleXXE webgoat-run-BlindSendFileAssignment'
+LESSONS_WHICH_DO_NOT_WORK='webgoat-run-CrossSiteScriptingLesson5a webgoat-run-Assignment3 webgoat-run-ContentTypeAssignment webgoat-run-VulnerableComponentsLesson webgoat-run-MissingFunctionACUsers'
+
+set -u
+set -x
+
+SCRIPT_WORKING_DIR=$(pwd)
+REPO_DIR=$SCRIPT_WORKING_DIR/WebGoat
+
+# 1. git clone git@github.com:WebGoat/WebGoat.git
+git clone git@github.com:WebGoat/WebGoat.git
+
+#  2. cd WebGoat
+cd WebGoat
+
+#  3. git checkout develop
+git checkout a922c00
+
+#  4. mvn clean install -DskipTests
+mvn clean install -DskipTests
+
+#  5. Create the following files representing the entry point to WebGoat:
+mkdir -p __MAIN__/src/main/java
+cp ../WebGoat_files/Main.java __MAIN__/src/main/java/Main.java
+cp ../WebGoat_files/pom.xml __MAIN__/pom.xml
+
+#  6. copy ../../LIBRARIES/models/model/src/main/java/org to ./__MAIN__/src/main/java/
+cp -r ../../LIBRARIES/models/model/src/main/java/org __MAIN__/src/main/java/
+
+#  7. cd __MAIN__
+cd __MAIN__
+
+#  8. python3 ./build.py
+if [ -d "./target" ]; then
+    rm -rf ./target
+fi
+mvn clean package
+if [ -d "./target/classes/org" ]; then
+    rm -rf ./target/classes/org
+fi
+if [ -e "./target/__MAIN__-8.0.0.M3.jar" ]; then
+    rm ./target/__MAIN__-8.0.0.M3.jar
+fi
+
+#  9. cd ..
+# 10. cd ..
+# 11. rm -rf ./webgoat-container
+rm -rf ../../webgoat-container
+
+# Run security-analyser on each lesson which works separately
+cd $SECURITY_SCANNER_HOME
+
+for LESSON in $LESSONS_WHICH_WORK
+do
+	python3 $SCRIPT_WORKING_DIR/../../driver/run.py -C $SCRIPT_WORKING_DIR/WebGoatRules.json -I $REPO_DIR -L $REPO_DIR -R $SCRIPT_WORKING_DIR/WebGoat-results/$LESSON -T $SCRIPT_WORKING_DIR/WebGoat-tmp --name WebGoat --verbosity 9 --use-models-library --do-not-use-precise-access-paths --rebuild --timeout 10000000 --entry-point Main.$LESSON
+done
