This article will show you how to scan the OWASP Benchmark app with ShiftLeft CORE's NG SAST and score its results.
Scanning the OWASP Benchmark app with NG SAST and viewing the results
- Create a ShiftLeft account (if necessary) and log in to the Dashboard.
- If this is the first time you're logging in, you'll be redirected to the Select GitHub Repository Access page; otherwise, click Add App to launch this page.
- Choose whether your want ShiftLeft to access both Public and Private repos or Public repos only.
- On Workflow Setup, select Java > OWASP Benchmark.
- Click Next in the top-right. Wait for ShiftLeft to complete the demo workflow setup process.
- When your demo is set up, click See Demo App. You'll be returned to the Dashboard's Applications view.
- Find the Benchmark app and click to open the application overview.
Scoring NG SAST's results
In addition to running NG SAST against the OWASP Benchmark app, the demo repo comes with the ability to score the quality of NG SAST's findings.
This functionality is implemented via scripts that extract ShiftLeft results via API and convert them to OWASP-specific categories. This prepared data is then submitted to the official OWASP scoring mechanism via Maven.
By default, scoring runs whenever you create a new pull request in the demo repo that ShiftLeft created on your behalf. However, you can also manually run this workflow."
To download the scorecard that ShiftLeft generates:
- In the OWASP Benchmark repo that ShiftLeft created, go to Actions.
- Find the most recent run (if you haven't renamed the job, it should be called its default name: Add GitHub Action: ShiftLeft NextGen Static Analysis) and click to open.
- Scroll to the bottom to find the Artifacts produced during runtime.
- Click Benchmark_v1.2_Scorecard_for_ShiftLeft to download the zip file.
The Benchmark_v1.2_Scorecard_for_ShiftLeft.zip file contains multiple files. We recommend beginning with the following files:
- OWASP_Benchmark_Home.html: introduces NG SAST's overall results
- OWASP_Benchmark_Guide.html: provides explanations of the metrics calculated and how to interpret results
- Benchmark_v1.2_Scorecard_for_ShiftLeft.html: an in-depth scorecard for NG SAST
In addition to NG SAST's overall results, you can see scorecards for individual vulnerabilities (i.e., open Benchmark_v1.2_Scorecard_for_Insecure_Cookie.png to see how well NG SAST did when identifying insecure cookie vulnerabilities).