Add runCognium.sh script for OWASP Benchmark scoring #453
coggiyadmin wants to merge 2 commits into OWASP-Benchmark:master from
Conversation
Adds a script to scan BenchmarkJava with Cognium and produce a SARIF result file compatible with the BenchmarkUtils Cognium reader.
Install: npm install -g cognium
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@darkspirit510 - Can you use this script to generate a results file and test against the reader he created in BenchmarkUtils and, if all good, let me know and I can merge both.
@coggiyadmin first attempt failed while the second attempt worked. Any idea what might be the reason?
Okay, Mac disk was full, maybe this was the reason. General question: Why do I have to install this as a global package? Do you plan to offer this as a Docker container?
@darkspirit510 Unfortunately we don't have a Docker image. It is on our roadmap; we plan to release one in the future.
@coggiyadmin got a similar error on one of my Linux servers. Guess this is a bug in cognium. @davewichers since this error is related to the scan tool, not the script, this can be merged.
getBenchmarkVersion.sh runs mvn and pipes through grep -v '[INFO]', but
Maven's transfer progress lines ("Downloading from central: ...",
"Downloaded from central: ...") have no [INFO] prefix so they bypass
the filter. On a cold Maven cache these lines get captured into
benchmark_version, producing an invalid filename like:
results/Benchmark_Downloading from central: https://...1.2-cognium-v1.6.9.sarif
The fix adds 2>/dev/null to silence stderr and pipes through
grep -E '^[0-9]+\.[0-9]' to accept only lines that start with digits —
the actual version string (e.g. 1.2). All Maven noise is discarded.
The second run worked because the local Maven cache was warm so no
download lines were emitted.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
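An added example, not code from the PR or from getBenchmarkVersion.sh itself, that reproduces the filter problem described in this commit message on constructed Maven output and shows the corrected filter. The sample mvn lines and the results filename shape are assumptions; the real mvn invocation and the stderr handling (2>/dev/null) are not reproduced here because the sample is stdout only.

```shell
#!/bin/sh
# Added example (not from the PR): why the original grep let Maven transfer
# lines into benchmark_version, and what the corrected filter returns.

# Constructed sample of what mvn may print on a cold cache: a transfer
# progress line without the [INFO] prefix, an [INFO] line, then the version.
# The BenchmarkJava mvn invocation itself is not shown on the page.
SAMPLE_MVN_OUTPUT='Downloading from central: https://repo.maven.apache.org/maven2/org/example/example-plugin/1.0/example-plugin-1.0.pom
[INFO] Scanning for projects...
1.2'

# Original filter as described in the commit message: only lines matching
# [INFO] are dropped. Note that '[INFO]' is a grep bracket expression
# (any one of I, N, F, O), so the lowercase transfer line is never removed.
old_version_filter() {
    printf '%s\n' "$1" | grep -v '[INFO]'
}

# Corrected filter from the commit message: keep only lines that begin
# with digits, a dot and a digit, i.e. the version string itself.
new_version_filter() {
    printf '%s\n' "$1" | grep -E '^[0-9]+\.[0-9]'
}

# Assumed filename shape, inferred from the broken name quoted in the
# commit message: results/Benchmark_<version>-cognium-v<tool version>.sarif
# $1 = mvn output, $2 = filter function name, $3 = cognium version.
results_filename() {
    version=$("$2" "$1")
    printf 'results/Benchmark_%s-cognium-v%s.sarif\n' "$version" "$3"
}

# Demonstration when run directly: the old filter yields a multi-line
# "version" and therefore a garbage filename, the new one yields 1.2.
printf 'old filter output:\n%s\n\n' "$(old_version_filter "$SAMPLE_MVN_OUTPUT")"
printf 'old filename:\n%s\n\n' "$(results_filename "$SAMPLE_MVN_OUTPUT" old_version_filter 1.6.9)"
printf 'new filter output: %s\n' "$(new_version_filter "$SAMPLE_MVN_OUTPUT")"
printf 'new filename: %s\n' "$(results_filename "$SAMPLE_MVN_OUTPUT" new_version_filter 1.6.9)"
```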
@davewichers I pushed the changes based on your feedback; please help merge this one.
I merged OWASP-Benchmark/BenchmarkUtils#285. @darkspirit510, can you review this and let me know if you are good with this PR too?
Hello @davewichers, let me know if there is anything I need to do from my side?
Sorry, I meant to tag @darkspirit510 in that comment. It was meant for him, not you. I updated the comment to include his tag. |