OWASP Benchmark

This article will show you how to scan the OWASP Benchmark app with ShiftLeft CORE's NG SAST and score its results.

Scanning the OWASP Benchmark app with NG SAST and viewing the results

  1. Create a ShiftLeft account (if necessary) and log in to the dashboard.

  2. Near the top left of the Applications page, click +Add in the Applications box.

    Add app
  3. Under Automated, click Next to proceed with the GitHub Repository option.

    Select GitHub repo
  4. On Workflow Setup, select OWASP Benchmark and click Next in the top-right to proceed. Wait for ShiftLeft to complete the demo workflow setup process.

    Choose demo repo
  5. When your demo is set up, click See Demo App. You'll be returned to the Dashboard's Applications view.

    Demo app setup summary
  6. Find the Benchmark app and click to open the application overview.

    OWASP Benchmark Vulnerability Summary

Scoring NG SAST's results

In addition to running NG SAST against the OWASP Benchmark app, the demo repo comes with the ability to score the quality of NG SAST's findings.

This functionality is implemented via scripts that extract ShiftLeft results through the API and map them to OWASP Benchmark's vulnerability categories. The prepared data is then submitted to the official OWASP scoring mechanism via Maven.
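To make the scoring step concrete, here is an added example (not ShiftLeft's script and not the official OWASP scorer) of what the Benchmark scorecard computes once findings have been mapped to test case and CWE: per-category true/false positive rates and the Benchmark score, which is TPR minus FPR. The expected-results rows and the findings are constructed; the CSV layout (test name, category, real vulnerability, CWE) only mirrors the shape of Benchmark's expected-results file and is an assumption.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the shape of Benchmark's expected-results file:
# test name, category, whether the test is a real vulnerability, CWE.
EXPECTED_CSV = """\
BenchmarkTest00001,securecookie,true,614
BenchmarkTest00002,securecookie,false,614
BenchmarkTest00003,securecookie,true,614
BenchmarkTest00004,sqli,true,89
BenchmarkTest00005,sqli,false,89
BenchmarkTest00006,sqli,false,89
"""

# Constructed tool findings, already converted to (test name, CWE) pairs.
FINDINGS = {
    ("BenchmarkTest00001", 614),
    ("BenchmarkTest00002", 614),  # reported on a safe test case: false positive
    ("BenchmarkTest00004", 89),
    ("BenchmarkTest00005", 89),   # also a false positive
}


def load_expected(text):
    """Parse expected-results rows into (name, category, is_real, cwe) tuples."""
    rows = []
    for name, category, real, cwe in csv.reader(io.StringIO(text)):
        rows.append((name.strip(), category.strip(), real.strip() == "true", int(cwe)))
    return rows


def score(expected, findings):
    """Per category: TP/FP/TN/FN counts, TPR, FPR and Benchmark score (TPR - FPR)."""
    counts = defaultdict(lambda: {"tp": 0, "fp": 0, "tn": 0, "fn": 0})
    for name, category, real, cwe in expected:
        reported = (name, cwe) in findings  # a hit only counts with the matching CWE
        key = ("tp" if reported else "fn") if real else ("fp" if reported else "tn")
        counts[category][key] += 1
    result = {}
    for category, c in counts.items():
        tpr = c["tp"] / (c["tp"] + c["fn"]) if c["tp"] + c["fn"] else 0.0
        fpr = c["fp"] / (c["fp"] + c["tn"]) if c["fp"] + c["tn"] else 0.0
        result[category] = {**c, "tpr": tpr, "fpr": fpr, "score": tpr - fpr}
    return result


def overall_score(per_category):
    """Pool the counts across categories and return the overall TPR - FPR."""
    tp = sum(c["tp"] for c in per_category.values())
    fp = sum(c["fp"] for c in per_category.values())
    tn = sum(c["tn"] for c in per_category.values())
    fn = sum(c["fn"] for c in per_category.values())
    return tp / (tp + fn) - fp / (fp + tn)
```

A finding that reports the right test case under a different CWE is not credited, which is why the category mapping step matters for the final score.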

By default, scoring runs whenever you create a new pull request in the demo repo that ShiftLeft created on your behalf. However, you can also run this workflow manually.

To download the scorecard that ShiftLeft generates:

  1. In the OWASP Benchmark repo that ShiftLeft created, go to Actions.
  2. Find the most recent run (if you haven't renamed the job, it has the default name Add GitHub Action: ShiftLeft NextGen Static Analysis) and click to open it.
  3. Scroll to the bottom to find the Artifacts produced during runtime.
  4. Click Benchmark_v1.2_Scorecard_for_ShiftLeft to download the zip file.
GitHub Action Summary View

Scorecards

The Benchmark_v1.2_Scorecard_for_ShiftLeft.zip file contains multiple files. We recommend beginning with the following files:

  • OWASP_Benchmark_Home.html: introduces NG SAST's overall results
  • OWASP_Benchmark_Guide.html: provides explanations of the metrics calculated and how to interpret results
  • Benchmark_v1.2_Scorecard_for_ShiftLeft.html: an in-depth scorecard for NG SAST

In addition to NG SAST's overall results, you can view scorecards for individual vulnerability categories (e.g., open Benchmark_v1.2_Scorecard_for_Insecure_Cookie.png to see how well NG SAST did at identifying insecure cookie vulnerabilities).