
OWASP Benchmark

This article will show you how to scan the OWASP Benchmark app with Qwiet preZero and score its results.

Scanning the OWASP Benchmark app with preZero and viewing the results

  1. Create a Qwiet account (if necessary) and log in to the dashboard.

  2. Near the top left of the Applications page, click +Add in the Applications box.

    (Screenshot: Add app)
  3. Under Automated, click Next to proceed with the GitHub Repository option.

    (Screenshot: Select GitHub repo)
  4. On Workflow Setup, select OWASP Benchmark and click Next in the top-right to proceed. Wait for Qwiet to complete the demo workflow setup process.

    (Screenshot: Choose demo repo)
  5. When your demo is set up, click See Demo App. You'll be returned to the Dashboard's Applications view.

    (Screenshot: Demo app setup summary)
  6. Find the Benchmark app in the list and click it to open the application overview, which shows the vulnerability summary for the scan.

    (Screenshot: OWASP Benchmark Vulnerability Summary)

Scoring preZero's results

In addition to running preZero against the OWASP Benchmark app, the demo repo can score the quality of preZero's findings.

Scoring is implemented by scripts that pull Qwiet's results through the API and convert them to the OWASP Benchmark's vulnerability categories. The prepared data is then handed to the official OWASP Benchmark scoring tool, which runs via Maven.

By default, scoring runs whenever a new pull request is opened in the demo repo that Qwiet created on your behalf. You can also run the workflow manually.
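To make the scoring step concrete, the following is an added example of how Benchmark scoring works; it is my own illustration, not Qwiet's conversion scripts or the OWASP Benchmark scorer. It assumes a CWE-to-category table (CWE_TO_CATEGORY) and uses constructed expected-results rows and constructed tool findings; the real Qwiet finding JSON and the real expectedresults-1.2.csv are not modelled. The key point it shows is the Benchmark's own metric: a category score is the true-positive rate minus the false-positive rate, so a tool that flags every test case scores zero, not 100%.

```python
import csv
import io
from collections import defaultdict

# Constructed excerpt in the layout of the Benchmark's expectedresults-1.2.csv
# (test name, category, real vulnerability, CWE). The rows are made up for
# this example, not copied from the real file.
EXPECTED_RESULTS_CSV = """\
# test name, category, real vulnerability, cwe
BenchmarkTest00001,pathtraver,true,22
BenchmarkTest00002,pathtraver,false,22
BenchmarkTest00003,sqli,true,89
BenchmarkTest00004,sqli,false,89
BenchmarkTest00005,securecookie,true,614
BenchmarkTest00006,securecookie,false,614
BenchmarkTest00007,xss,true,79
BenchmarkTest00008,xss,false,79
"""

# Assumed CWE -> Benchmark category mapping (an illustrative subset; the real
# conversion scripts may use their own table).
CWE_TO_CATEGORY = {
    22: "pathtraver", 78: "cmdi", 79: "xss", 89: "sqli", 90: "ldapi",
    327: "crypto", 328: "hash", 330: "weakrand", 501: "trustbound",
    614: "securecookie", 643: "xpathi",
}

# Constructed tool findings as (test case the finding sits in, CWE reported).
# They stand in for the output of the API-extraction step; the real finding
# JSON is not modelled here.
TOOL_FINDINGS = [
    ("BenchmarkTest00001", 22),   # TP: real path traversal
    ("BenchmarkTest00002", 22),   # FP: test case is not really vulnerable
    ("BenchmarkTest00003", 89),   # TP
    ("BenchmarkTest00004", 79),   # wrong category for this test case: not counted for sqli
    ("BenchmarkTest00005", 614),  # TP
    ("BenchmarkTest00008", 79),   # FP
    # BenchmarkTest00007 (a real XSS) is never reported: FN
]


def load_expected(text):
    """Parse expected-results rows into {test_name: (category, is_real_vuln)}."""
    expected = {}
    for row in csv.reader(io.StringIO(text)):
        if not row or row[0].lstrip().startswith("#"):
            continue
        name, category, real, _cwe = (field.strip() for field in row[:4])
        expected[name] = (category, real.lower() == "true")
    return expected


def score(expected, findings, cwe_to_category=CWE_TO_CATEGORY):
    """Compute TP/FP/TN/FN, TPR, FPR and Benchmark score (TPR - FPR) per category.

    A finding counts as a hit only when its CWE maps to the category of the
    test case it was reported in, so a finding of the wrong type in a test
    case is neither a TP nor an FP. The "overall" entry pools every test
    case; the official scorecard's cross-category aggregation is not
    reproduced here.
    """
    hit = set()
    for test_name, cwe in findings:
        if test_name in expected and cwe_to_category.get(cwe) == expected[test_name][0]:
            hit.add(test_name)

    counts = defaultdict(lambda: {"tp": 0, "fp": 0, "tn": 0, "fn": 0})
    for name, (category, real) in expected.items():
        reported = name in hit
        outcome = ("tp" if reported else "fn") if real else ("fp" if reported else "tn")
        counts[category][outcome] += 1
        counts["overall"][outcome] += 1

    results = {}
    for category, c in counts.items():
        positives = c["tp"] + c["fn"]
        negatives = c["fp"] + c["tn"]
        tpr = c["tp"] / positives if positives else 0.0
        fpr = c["fp"] / negatives if negatives else 0.0
        results[category] = {**c, "tpr": tpr, "fpr": fpr, "score": tpr - fpr}
    return results


if __name__ == "__main__":
    for category, r in sorted(score(load_expected(EXPECTED_RESULTS_CSV), TOOL_FINDINGS).items()):
        print(f"{category:13} TP={r['tp']} FP={r['fp']} TN={r['tn']} FN={r['fn']} "
              f"TPR={r['tpr']:.2f} FPR={r['fpr']:.2f} score={r['score']:+.2f}")
```

With the constructed data, pathtraver scores 0.0 (both test cases flagged: TPR 1, FPR 1), sqli and securecookie score 1.0, and xss scores -1.0 (the real case missed, the safe case flagged). That is why the scorecard's per-category view matters: an overall number can hide a category where the tool is no better than flagging everything.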

To download the scorecard that Qwiet generates:

  1. In the OWASP Benchmark repo that Qwiet created, go to Actions.
  2. Find the most recent run (if you haven't renamed the workflow, it runs under the default name Add GitHub Action: Qwiet NextGen Static Analysis) and click it to open.
  3. Scroll to the bottom of the run summary to find the Artifacts produced during the run.
  4. Click the Benchmark_v1.2_Scorecard_for_ShiftLeft artifact to download the scorecard zip file.
    (Screenshot: GitHub Action Summary View)

Scorecards

The Benchmark_v1.2_Scorecard_for_Qwiet.zip file contains multiple files. We recommend starting with the following:

  • OWASP_Benchmark_Home.html: introduces preZero's overall results
  • OWASP_Benchmark_Guide.html: provides explanations of the metrics calculated and how to interpret results
  • Benchmark_v1.2_Scorecard_for_Qwiet.html: an in-depth scorecard for preZero

In addition to preZero's overall results, the zip contains a scorecard for each vulnerability category (e.g., open Benchmark_v1.2_Scorecard_for_Insecure_Cookie.png to see how well preZero did at identifying insecure cookie vulnerabilities). Check these per-category scorecards as well as the overall score, since a single aggregate number can hide a category where the tool performs poorly.