I have scanned benchmark app with contrast community edition and I found several vulnerabilities. What I want to do is to run createScorecard.sh. So, I export findings in contrast in csv format (xml format is not supported in contrast security community edition). And, I put the csv file in results folder and ran createScorecard.sh. But it shows "java.lang.IllegalArgumentException: Mapping for CheckerKey not found" error. So, how can I solve this?

Vulnerabilities

DepShield reports that this application's usage of dom4j:dom4j:1.6.1 results in the following vulnerability(s):

• (CVSS 7.5) [CVE-2018-1000632] XML Injection (aka Blind XPath Injection)

Occurrences

dom4j:dom4j:1.6.1 is a transitive dependency introduced by the following direct dependency(s):

• org.apache.directory.server:apacheds-all:1.5.7
        └─ org.apache.directory.shared:shared-dsml-parser:0.9.19
              └─ dom4j:dom4j:1.6.1

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

WebInspect reported command injection vulnerabilities but the scoreboard parser finds nothing. The vulnerabilities .xml : https://we.tl/QpqtUF2Qg0. Can you check that? Thx

It is my understanding that test cases are to be fully executable and exploitable. Trust Boundary Violation issues do not appear to meet this baseline as they are not exploitable. As such, I'm requesting that this category of issues be removed. Please find below supporting evidence.

According to CWE-501 - Trust Boundary Violation the negative consequence of a Trust Boundary Violation is that "it becomes easier for programmers to mistakenly trust unvalidated data". Should a developer mistakenly trust the unvalidated in some other part of the application, then this certainly could lead to an exploitable scenario. However, "combining trusted and untrusted data in the same data structure" alone is not something actionable by an attacker and thus not exploitable.

The OWASP website itself has essentially no meaningful information on this issue.

I could not identify any CVEs associated to Trust Boundary Violations. For example, a CVE search for such issues returns 0 results.

Since a few days, the running Docker image gives a 404 page. I noticed errors (among others):
Downloading: https://repo.maven.apache.org/maven2/org/apache/maven/shared/maven-shared-components/15/maven-shared-components-15.pom [java] 2018-07-11 11:48:06 ERROR DefaultServerAttribute:368 - ERR_04450 The value {0} is incorrect, it hasnt been added [java] 2018-07-11 11:48:06 ERROR DefaultServerAttribute:368 - ERR_04450 The value {0} is incorrect, it hasnt been added

[INFO] [talledLocalContainer] SEVERE: Error deploying web application archive [/benchmark/benchmark/target/cargo/configurations/tomcat9x/webapps/benchmark.war] [INFO] [talledLocalContainer] java.lang.IllegalStateException: ContainerBase.addChild: start: org.apache.catalina.LifecycleException: Failed to start component [StandardEngine[Catalina].StandardHost[localhost].StandardContext[/benchmark]]

Vulnerabilities

DepShield reports that this application's usage of org.owasp.antisamy:antisamy:1.5.3 results in the following vulnerability(s):

• (CVSS 6.1) [CVE-2017-14735] Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting")
• (CVSS 6.1) [CVE-2016-10006] Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting")

Occurrences

org.owasp.antisamy:antisamy:1.5.3 is a transitive dependency introduced by the following direct dependency(s):

• org.owasp.esapi:esapi:2.1.0.1
        └─ org.owasp.antisamy:antisamy:1.5.3

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of commons-httpclient:commons-httpclient:3.1 results in the following vulnerability(s):

• (CVSS 5.8) [CVE-2014-3577] org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient be...
• (CVSS 4.3) [CVE-2015-5262] Resource Management Errors

Occurrences

commons-httpclient:commons-httpclient:3.1 is a transitive dependency introduced by the following direct dependency(s):

• org.owasp.esapi:esapi:2.1.0.1
        └─ org.owasp.antisamy:antisamy:1.5.3
              └─ commons-httpclient:commons-httpclient:3.1

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Uses sun.misc.BASE64Encoder and BASE64Decoder and these have been removed from Java 9. Expect we can just replace these with equivalent Base 64 Encoders/Decoders from other sources to solve this issue.

hi admin,

i would like to contribute the parser reader for Checkmarx IAST scan result in CSV format.
please advise me how to proceed this

thanks
Jason
[email protected]

I'm trying to scan Owasp Benchmark with Arachni in the VM environment. For some reasons I can not run runRemoteAccessibleBenchmark.sh (it appears white coloured in the file list) to enable remote scanning.Please Note the Benchmark still works with runBenchmark.sh (appears green coloured in the list)
Thanks in advance,
Serg

First I wanted to thank you for your great project.
I installed arachni on VM, but arachni doesn't allow scanning on localhost or 127.0.0.1. I checked and their host address cannot be changed.
I wanted to know how to run an scan from arachni on Benchmark? Can we change ip address of the Benchmark.

I'm seeing errors starting the LDAP server on Java 10 on my Mac. I'll have to test on Linux/Windows to see if it's platform specific or not. So, even if Benchmark starts up just fine on Java9/10, the LDAP test cases might all be failing, so tools would score zero in that category when they shouldn't. As a fallback for now, run Benchmark with Java 8, which is the version of Java its been tested most on.

Note: This should only affect DAST and IAST tools, not SAST tools.

The OWASP Benchmark has lots of test cases for CWE 327: Use of a Broken or Risky Cryptographic Algorithm. All of these test cases encrypt some data using this or that cryptographic algorithm. Some of the test cases are labeled as vulnerable in their corresponding XML file, while others are labeled as not vulnerable.

It seems to me that even the algorithms used in the test cases labeled as not vulnerable cannot be in good conscience considered as secure.

Each of the test cases labeled as not vulnerable uses one of the three following algorithms:

• AES/CBC/PKCS5Padding (e.g., test case 54)
• DESede/ECB/PKCS5Padding (e.g., test case 58 or test case 59 which reads the algorithm from the file benchmark.properties)
• RSA/ECB/PKCS1Padding (e.g., test case 209 which obtains the algorithm using Utils.getCipher())

None of these algorithms are very good. In a nutshell,

• AES/CBC/PKCS5Padding uses the CBC mode of operation with PKCS#5 (or PKCS#7) padding which may be vulnerable to padding oracle attacks;
• DESede/ECB/PKCS5Padding uses the EBC mode of operation which preserves the structure of the plaintext;
• RSA/ECB/PKCS1Padding refers to RSA encryption with PKCS#1 v1.5 padding, which is vulnerable to the Bleichenbacher attack, which is why OAEP-RSA was subsequently proposed to replace RSA encryption with PKCS#1 v1.5 padding.

I did confirm these suspicions on Security SE. :-)

At the very least, I would argue that if a vulnerability detection tool raised an issue because some data is encrypted using one of these algorithms, it wouldn't be fair to call that a false positive.

I would therefore propose to replace these algorithms by algorithms that are still considered secure by today's standards, such as AES/GCM/NoPadding , RSA/ECB/OAEPWithSHA-1AndMGF1Padding, or RSA/ECB/OAEPWithSHA-256AndMGF1Padding for example. I'd be happy to submit a pull request, but I wanted to raise these concerns here first and hear your thoughts. :-)

Apparently, when using runRemoteAccessibleBenchmark.sh/.bat, some of the JavaScript doesn't work in IE when accessing Benchmark via the exposed IP address. Not sure if this is IE version specific. But IE does work when accessing Benchmark via localhost. The JavaScript does seem to behave properly with Chrome via the exposed IP address.

The Hypersonic database behind the scenes gets in a knot when it's actively tested with vulnerability assessment tools. This makes it impossible to dynamically detect or exploit even obvious SQL Injection vulnerabilities (using either manual or automated techniques), in some cases.

What I suggest is needed is a URL that the tester can request to "normalise" the database periodically (in between test cases, for instance). Note that re-starting the Tomcat instance has this effect, by virtue of re-creating the HSQL database from scratch (using the code in src/main/java/org/owasp/benchmark/helpers/DatabaseHelper.java), but this is an extremely heavyweight approach, and is not suitable for integrating into an automated vulnerability assessment test of a scanner.

I cant directly access Benchmark using the latest Firefox or Chrome (on Fedora) due to the weak Diffie-Hellman key.
I have to always proxy through ZAP :P

Secure Connection Failed

An error occurred during a connection to localhost:8443. SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. (Error code: ssl_error_weak_server_ephemeral_dh_key)

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the web site owners to inform them of this problem.

Vulnerabilities

DepShield reports that this application's usage of org.apache.tomcat:el-api:6.0.30 results in the following vulnerability(s):

• (CVSS 5.0) [CVE-2014-7810] Improper Access Control

Occurrences

org.apache.tomcat:el-api:6.0.30 is a transitive dependency introduced by the following direct dependency(s):

• org.apache.sling:org.apache.sling.scripting.jsp:2.3.4
        └─ org.apache.tomcat:jasper-el:6.0.30
              └─ org.apache.tomcat:el-api:6.0.30

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Looking at test cases we can appreciate some occurences of localhost as hardcoded part of the href list at test category index.

All those hrefs seems to need being relative in order to be able to run benchmark server both remote and local mode.

An example of this could be found at benchmark/src/main/webapp/securecookie-Index.html

Please could anyone @OWASPFoundation confirm this issue so I can start working into a PR to fix this asap?

Thanks!

Thanks!

Vulnerabilities

DepShield reports that this application's usage of commons-collections:commons-collections:3.2.1 results in the following vulnerability(s):

• (CVSS 9.8) [CVE-2017-15708] In Apache Synapse, by default no authentication is required for Java Remote Meth...
• (CVSS 7.5) [CVE-2015-6420] Serialized-object interfaces in certain Cisco Collaboration and Social Media; En...

Occurrences

commons-collections:commons-collections:3.2.1 is a transitive dependency introduced by the following direct dependency(s):

• org.apache.directory.server:apacheds-all:1.5.7
        └─ org.apache.directory.shared:shared-ldap:0.9.19
              └─ commons-collections:commons-collections:3.2.1

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

I am running into SAXParseException while trying to generate scorecard using ./createScorecards.sh. find the logs below

Analyzing results from Benchmark_1.2-findsecbugs-v1.4.6-xxx.xml
Actual results file generated: ~/Benchmark/scorecard/Benchmark_v1.2_Scorecard_for_FBwFindSecBugs_v1.4.6.csv
Report written to: ~/Benchmark/scorecard/Benchmark_v1.2_Scorecard_for_FBwFindSecBugs_v1.4.6.html

Analyzing results from Benchmark_1.2-sonar-v8.4.2.xxxxx-xxx.xml
[Fatal Error] :1:11: The markup in the document following the root element must be well-formed.
Error processing results/Benchmark_1.2-sonar-v8.4.2.xxxxx-xxx.xml. Continuing.
org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 11; The markup in the document following the root element must be well-formed.
	at org.apache.xerces.parsers.DOMParser.parse(Unknown Source)
	at org.apache.xerces.jaxp.DocumentBuilderImpl.parse(Unknown Source)
	at org.owasp.benchmark.score.BenchmarkScore.getXMLDocument(BenchmarkScore.java:1471)
	at org.owasp.benchmark.score.BenchmarkScore.readActualResults(BenchmarkScore.java:790)
	at org.owasp.benchmark.score.BenchmarkScore.process(BenchmarkScore.java:428)
	at org.owasp.benchmark.score.BenchmarkScore.main(BenchmarkScore.java:336)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.base/java.lang.reflect.Method.invoke(Method.java:566)
	at org.codehaus.mojo.exec.ExecJavaMojo$1.run(ExecJavaMojo.java:282)
	at java.base/java.lang.Thread.run(Thread.java:834)

The Sonar results file Benchmark_1.2-sonar-v8.4.2.xxxxx-xxx.xml was generated by ./createScorecards.sh with SonarQube (docker 8.4.2-community instance) running locally.

How do i fix this issue.

SinceBenchmark_1.2-sonar-v8.4.2.xxxxx-xxx.xml file is large ~18 MB i haven't attached it here. Let me know if it you like to get hold of it.

When I last tried Benchmark (which was a while ago;) I was able to run createScorecards.sh successfully on the Benchmark docker image, which is headless.
I've just tried this again but it failed - output given below.
I'd love to be able to run ZAP against Benchmark as part of our scheduled tests - this is a blocker :(

Analyzing results from Benchmark_1.2beta_ZAPweekly-18000.xml
java.awt.HeadlessException:
No X11 DISPLAY variable was set, but this program performed an operation which requires it.
at java.awt.GraphicsEnvironment.checkHeadless(GraphicsEnvironment.java:207)
at java.awt.Window.(Window.java:535)
at java.awt.Frame.(Frame.java:420)
at javax.swing.JFrame.(JFrame.java:218)
at org.owasp.benchmark.score.report.ScatterTools.display(ScatterTools.java:54)
at org.owasp.benchmark.score.report.ScatterTools.(ScatterTools.java:49)
at org.owasp.benchmark.score.report.Report.(Report.java:76)
at org.owasp.benchmark.score.BenchmarkScore.process(BenchmarkScore.java:406)
at org.owasp.benchmark.score.BenchmarkScore.main(BenchmarkScore.java:299)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at org.codehaus.mojo.exec.ExecJavaMojo$1.run(ExecJavaMojo.java:293)
at java.lang.Thread.run(Thread.java:745)
Actual results file generated: /benchmark/benchmark/scorecard/Benchmark_v1.2beta_Scorecard_for_OWASP_ZAP_vD-2016-02-01.csv
Error processing results/Benchmark_1.2beta_ZAPweekly-18000.xml. Continuing.
java.awt.HeadlessException:
No X11 DISPLAY variable was set, but this program performed an operation which requires it.
at java.awt.GraphicsEnvironment.checkHeadless(GraphicsEnvironment.java:207)
at java.awt.Window.(Window.java:535)
at java.awt.Frame.(Frame.java:420)
at javax.swing.JFrame.(JFrame.java:218)
at org.owasp.benchmark.score.report.ScatterTools.display(ScatterTools.java:54)
at org.owasp.benchmark.score.report.ScatterTools.(ScatterTools.java:49)
at org.owasp.benchmark.score.report.Report.(Report.java:76)
at org.owasp.benchmark.score.BenchmarkScore.process(BenchmarkScore.java:406)
at org.owasp.benchmark.score.BenchmarkScore.main(BenchmarkScore.java:299)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at org.codehaus.mojo.exec.ExecJavaMojo$1.run(ExecJavaMojo.java:293)
at java.lang.Thread.run(Thread.java:745)

Analyzing results from Benchmark_1.2beta-findbugs-v3.0.1-315.xml
Actual results file generated: /benchmark/benchmark/scorecard/Benchmark_v1.2beta_Scorecard_for_FindBugs_v3.0.1.csv
Error processing results/Benchmark_1.2beta-findbugs-v3.0.1-315.xml. Continuing.
java.awt.HeadlessException:
No X11 DISPLAY variable was set, but this program performed an operation which requires it.
at java.awt.GraphicsEnvironment.checkHeadless(GraphicsEnvironment.java:207)
at java.awt.Window.(Window.java:535)
at java.awt.Frame.(Frame.java:420)
at javax.swing.JFrame.(JFrame.java:218)
at org.owasp.benchmark.score.report.ScatterTools.display(ScatterTools.java:54)
at org.owasp.benchmark.score.report.ScatterTools.(ScatterTools.java:49)
at org.owasp.benchmark.score.report.Report.(Report.java:76)
at org.owasp.benchmark.score.BenchmarkScore.process(BenchmarkScore.java:406)
at org.owasp.benchmark.score.BenchmarkScore.main(BenchmarkScore.java:299)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at org.codehaus.mojo.exec.ExecJavaMojo$1.run(ExecJavaMojo.java:293)
at java.lang.Thread.run(Thread.java:745)

Analyzing results from Benchmark_1.2beta-findsecbugs-v1.4.3-196.xml
Actual results file generated: /benchmark/benchmark/scorecard/Benchmark_v1.2beta_Scorecard_for_FBwFindSecBugs_v1.4.3.csv
Error processing results/Benchmark_1.2beta-findsecbugs-v1.4.3-196.xml. Continuing.
java.awt.HeadlessException:
No X11 DISPLAY variable was set, but this program performed an operation which requires it.
at java.awt.GraphicsEnvironment.checkHeadless(GraphicsEnvironment.java:207)
at java.awt.Window.(Window.java:535)
at java.awt.Frame.(Frame.java:420)
at javax.swing.JFrame.(JFrame.java:218)
at org.owasp.benchmark.score.report.ScatterTools.display(ScatterTools.java:54)
at org.owasp.benchmark.score.report.ScatterTools.(ScatterTools.java:49)
at org.owasp.benchmark.score.report.Report.(Report.java:76)
at org.owasp.benchmark.score.BenchmarkScore.process(BenchmarkScore.java:406)
at org.owasp.benchmark.score.BenchmarkScore.main(BenchmarkScore.java:299)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at org.codehaus.mojo.exec.ExecJavaMojo$1.run(ExecJavaMojo.java:293)
at java.lang.Thread.run(Thread.java:745)

Analyzing results from Benchmark_1.2beta_ZAPweekly-18000.prev
Error!!: actual results were null for file: results/Benchmark_1.2beta_ZAPweekly-18000.prev
Tool scorecards computed.
Vulnerability scorecards computed.
[WARNING]
java.lang.reflect.InvocationTargetException
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at org.codehaus.mojo.exec.ExecJavaMojo$1.run(ExecJavaMojo.java:293)
at java.lang.Thread.run(Thread.java:745)
Caused by: java.awt.HeadlessException:
No X11 DISPLAY variable was set, but this program performed an operation which requires it.
at java.awt.GraphicsEnvironment.checkHeadless(GraphicsEnvironment.java:207)
at java.awt.Window.(Window.java:535)
at java.awt.Frame.(Frame.java:420)
at javax.swing.JFrame.(JFrame.java:218)
at org.owasp.benchmark.score.report.ScatterHome.display(ScatterHome.java:69)
at org.owasp.benchmark.score.report.ScatterHome.(ScatterHome.java:65)
at org.owasp.benchmark.score.report.ScatterHome.generateComparisonChart(ScatterHome.java:359)
at org.owasp.benchmark.score.BenchmarkScore.main(BenchmarkScore.java:353)
... 6 more
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 02:14 min
[INFO] Finished at: 2016-02-03T15:28:13+00:00
[INFO] Final Memory: 14M/265M
[INFO] ------------------------------------------------------------------------
[INFO] Build Time Summary:
[INFO]
[INFO] benchmark
[INFO] exec-maven-plugin:java (default) ......................... [6.397s]
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.codehaus.mojo:exec-maven-plugin:1.4.0:java (default) on project benchmark: An exception occured while executing the Java class. null: InvocationTargetException:
[ERROR] No X11 DISPLAY variable was set, but this program performed an operation which requires it.
[ERROR] -> [Help 1]
[ERROR]
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoExecutionException

I tried several times to scan the benchmark with the current version and get a adequate result, but I seem to fail every time. The following image shows the generated scorecard with my current results. I cannot imagine my results are valid, because the result is worse than older published ones of zap. I followed the instructions on the projects website, which tell how to setup zap. I even went to increase the HTTP file size threshold and set the crawling depth to infinity (I thought maybe some tests didn't get found). But didn't change anything. As you can see I tried to scan with two weekly versions next to one stable version of ZAP and once with arachni (the one with arachni crashed, because HTTP header size error; I reconfigured it and start a new scan - I will update will update if I get the results).
I posted a question on stackoverflow regarding this as well. I and I guess guys that want to reconstruct would really appreciate help from your team! Thanks in advance!

The project could not be analyzed because of build errors. Please review the error messages here. Another build will be scheduled within 24 hours. If the build is successful this issue will be closed, otherwise the error message will be updated.

_{This is an automated GitHub Issue created by Sonatype DepShield. GitHub Apps, including DepShield, can be managed from the Developer settings of the repository administrators.}

Hi,

I was testing the exploit on BenchmarkTest00215.java and it appears not to be exploitable.
As per the HTTP RFC, '\' and '/' characters are reserved and must be encoded to be used in Header names.
I don't know if this was previously exploitable due to Java or Tomcat not following the HTTP spec previously, but currently on JVM v1.8.0_111-b14 and Apache Tomcat/7.0.67, those characters are stripped from the header name.
There is also an interesting comment on the aforementioned test that suggests perhaps previously the parameter was URLDecoded in order for the exploit to work (which it does under that scenario), but not at its present state.
Can you please look into this?

Thanks,
João

While looking at a generated scorecard, I saw there is inconsistency in the score.
The score on the graph is:

While the score at the bottom of the table is:

There is a diff of 1.27%

Looks like the calculation of the averages is done in two different places and ways.
The rounding causes inconsistency between the two scores.

#37 The "IconFile" path may be considered (by some) to be leaking personal data.

https://github.com/OWASP/Benchmark/blob/master/OWASP%20Benchmark.URL

When I saw the first description of the project I though that the benchmark was checking how many WebGoat issues where discovered

But this looks like it has a difference code base, is that correct?

Component: org.springframework:spring-core:4.1.9.RELEASE
CVSS Score: 7.5
Vulnerability: [CVE-2018-1272] Permissions, Privileges, and Access Controls

Details about the vulnerability are available on the OSS Index page for [CVE-2018-1272] Permissions, Privileges, and Access Controls.

_{This is an automated GitHub Issue created by Sonatype DepShield. GitHub Apps, including DepShield, can be managed from the Developer settings of the repository administrators.}

Vulnerabilities

DepShield reports that this application's usage of org.beanshell:bsh-core:2.0b4 results in the following vulnerability(s):

• (CVSS 8.1) [CVE-2016-2510] Data Handling

Occurrences

org.beanshell:bsh-core:2.0b4 is a transitive dependency introduced by the following direct dependency(s):

• org.owasp.esapi:esapi:2.1.0.1
        └─ org.beanshell:bsh-core:2.0b4

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of xalan:xalan:2.7.0 results in the following vulnerability(s):

• (CVSS 7.5) [CVE-2014-0107] Permissions, Privileges, and Access Controls

Occurrences

xalan:xalan:2.7.0 is a transitive dependency introduced by the following direct dependency(s):

• org.owasp.esapi:esapi:2.1.0.1
        └─ xom:xom:1.2.5
              └─ xalan:xalan:2.7.0

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

DepShield reports that this application's usage of org.apache.struts:struts2-core:2.5.16 results in the following vulnerability(s):

• (CVSS 9.8) [CVE-2018-11776] Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible Remo...

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of commons-beanutils:commons-beanutils:1.9.3 results in the following vulnerability(s):

• (CVSS 7.3) [CVE-2019-10086] In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added wh...

Occurrences

commons-beanutils:commons-beanutils:1.9.3 is a transitive dependency introduced by the following direct dependency(s):

• org.owasp.esapi:esapi:2.2.0.0
        └─ commons-beanutils:commons-beanutils:1.9.3

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of com.sun.mail:javax.mail:1.5.0 results in the following vulnerability(s):

• (CVSS 4.3) CWE-200: Information Exposure

Occurrences

com.sun.mail:javax.mail:1.5.0 is a transitive dependency introduced by the following direct dependency(s):

• javax:javaee-api:7.0
        └─ com.sun.mail:javax.mail:1.5.0

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of commons-fileupload:commons-fileupload:1.3.1 results in the following vulnerability(s):

• (CVSS 9.8) [CVE-2016-1000031] Improper Access Control
• (CVSS 7.5) [CVE-2016-3092] Improper Input Validation

Occurrences

commons-fileupload:commons-fileupload:1.3.1 is a transitive dependency introduced by the following direct dependency(s):

• org.owasp.esapi:esapi:2.1.0.1
        └─ commons-fileupload:commons-fileupload:1.3.1

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

DepShield reports that this application's usage of org.springframework:spring-core:4.1.9.RELEASE results in the following vulnerability(s):

• (CVSS 7.5) [CVE-2018-1272] Permissions, Privileges, and Access Controls

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Component: org.apache.struts:struts2-core:2.5.16
CVSS Score: 9.8
Vulnerability: [CVE-2018-11776] Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible Remo...

Details about the vulnerability are available on the OSS Index page for [CVE-2018-11776] Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible Remo....

_{This is an automated GitHub Issue created by Sonatype DepShield. GitHub Apps, including DepShield, can be managed from the Developer settings of the repository administrators.}

A number of test cases fail on Kali 1.1.0. By "fail", I mean that the test cases themselves do not execute correctly (even if not under attack), so any tools will not be able to successfully detect vulnerabilities in those cases.

Some brief source code analysis indicates that this appears to be related to the following runtime error:

./runBenchmark.sh

...
[INFO] [talledLocalContainer] Tomcat 8.x started on port [8443]
[INFO] Press Ctrl-C to stop the container...
[INFO] [talledLocalContainer] Problem with database table/procedure creations: Error creating bean with name 'dataSource' defined in class path resource [context.xml]: Instantiation of bean failed; nested exception is java.lang.NoClassDefFoundError: org/apache/commons/pool/impl/GenericObjectPool
[INFO] [talledLocalContainer] org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'dataSource' defined in class path resource [context.xml]: Instantiation of bean failed; nested exception is java.lang.NoClassDefFoundError: org/apache/commons/pool/impl/GenericObjectPool
[INFO] [talledLocalContainer] at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateBean(AbstractAutowireCapableBeanFactory.java:1101)

Note that I modified the source to print the stack trace, and to change the Maven version, but aside from that, it's as is.

I'm guessing this is some Maven related issue, but since I know nothing about Maven, I don't know where to start. I'm using Maven 3.3.3, since the version of Maven built into Kali 1.1 (Maven 3.0.4) gives errors when it tries to run+compile Benchmark.

My suggestion or feature-request is to add "Line of Code" or "Position" information to each test-case meta-data. The current meta-data includes version, category, test-number, vulnerability-status (true/false), and CWE-ID. Here is a sample:

<test-metadata>
  <benchmark-version>1.2beta</benchmark-version>
  <category>pathtraver</category>
  <test-number>00001</test-number>
  <vulnerability>true</vulnerability>
  <cwe>22</cwe>
</test-metadata>

My suggestion is to add a <line> entry; for example:

<test-metadata>
  <benchmark-version>1.2beta</benchmark-version>
  <category>pathtraver</category>
  <test-number>00001</test-number>
  <vulnerability>true</vulnerability>
  <cwe>22</cwe>
  <line>63</line>
</test-metadata>

Of course, specifying a line-of-code for some vulnerabilities might be difficult; so another option might be to add a <position> entry which could specify an approximate position by a range of line-of-codes. For example:

<test-metadata>
  <benchmark-version>1.2beta</benchmark-version>
  <category>pathtraver</category>
  <test-number>00001</test-number>
  <vulnerability>true</vulnerability>
  <cwe>22</cwe>
  <position>62-63</position>
</test-metadata>

For non-vulnerable files the values can be set to zero (e.g. <line>0</line>) or :

<test-metadata>
  ...
  <vulnerability>false</vulnerability>
  <position>0</position>
</test-metadata>

This information can be very useful for evaluation of program analysis tools. This also can be a must-have in order to define test-cases with multiple vulnerabilities:

<test-metadata>
  <category>pathtraver</category>
  <test-number>000XX</test-number>
  <vulnerability>true</vulnerability>
  <cwe>22</cwe>
  <position>62-63</position>
</test-metadata>
<test-metadata>
  <category>crypto</category>
  <test-number>000XX</test-number>
  <vulnerability>true</vulnerability>
  <cwe>327</cwe>
  <position>85</position>
</test-metadata>

Hi
Is it possible to find false positive of javascript test case or c# test case with owasp ?

How is the OWASP Benchmark expected results "work" in the case I'm scanning multiple languages in the project?

Let's imagine my tool gives has a result for the following:
BenchmarkTest00390.java - Java Vulnerability Result
BenchmarkTest00389.html - JavaScript Vulnerability Result

Should the Javascript result be accounted for the OWASP Grade?
Because if I look to the csv file with the expected results I have the following:
...
BenchmarkTest00389,xss,false,79
BenchmarkTest00390,xss,true,79
...

Has we can see by this example if I only scan for Java results I'm going to have a different grade.
Does OWASP only contains vulnerabilities for .java file extensions, or we should account all file extensions in the results?
Because I can have different results if I scan the project for java only or if I scan in a perspective of multi language mode (because OWASP Grade does not "look" at the extension of the file)

please consider RASP tools also for your benchmark

This is regarding the Insecure Cookie vulnerability in the following files:
BenchmarkTest00088.java
BenchmarkTest00089.java
BenchmarkTest01862.java
BenchmarkTest01863.java

The cookie in the doGet() method is added to the HTTPServletResponse without being secured.
It's vulnerable. If it ever contains sensitive data without Secure and the site offers mixed content, all you have to do is MITM.
If you want to trigger this in POC, just inject some mixed content with an iframe pointing to doGet, have it issue a new sensitive cookie, short delay, and add a new iframe to HTTP content to grab a new valid cookie.

The expected results of these 4 cases (88, 89, 1862, 1863) should be changed from FALSE to TRUE (quick fix).
Another option is to change the test cases themselves to not be vulnerable.

Java version:

java version "1.7.0_79"
OpenJDK Runtime Environment (IcedTea 2.5.6) (7u79-2.5.6-0ubuntu1.14.04.1)
OpenJDK 64-Bit Server VM (build 24.79-b02, mixed mode)

Error

user@workstation $ mvn compile
[INFO] Scanning for projects...
Downloading: http://repo.maven.apache.org/maven2/co/leantechniques/maven-buildtime-extension/2.0.2/maven-buildtime-extension-2.0.2.pom
Downloaded: http://repo.maven.apache.org/maven2/co/leantechniques/maven-buildtime-extension/2.0.2/maven-buildtime-extension-2.0.2.pom (5 KB at 3.8 KB/sec)
Downloading: http://repo.maven.apache.org/maven2/org/sonatype/oss/oss-parent/7/oss-parent-7.pom
Downloaded: http://repo.maven.apache.org/maven2/org/sonatype/oss/oss-parent/7/oss-parent-7.pom (5 KB at 13.5 KB/sec)
Downloading: http://repo.maven.apache.org/maven2/org/apache/maven/maven-core/3.2.1/maven-core-3.2.1.pom
Downloaded: http://repo.maven.apache.org/maven2/org/apache/maven/maven-core/3.2.1/maven-core-3.2.1.pom (8 KB at 18.7 KB/sec)
Downloading: http://repo.maven.apache.org/maven2/org/apache/maven/maven/3.2.1/maven-3.2.1.pom
Downloaded: http://repo.maven.apache.org/maven2/org/apache/maven/maven/3.2.1/maven-3.2.1.pom (23 KB at 42.9 KB/sec)
Downloading: http://repo.maven.apache.org/maven2/org/apache/maven/maven-parent/23/maven-parent-23.pom
Downloaded: http://repo.maven.apache.org/maven2/org/apache/maven/maven-parent/23/maven-parent-23.pom (32 KB at 51.8 KB/sec)
Downloading: http://repo.maven.apache.org/maven2/org/apache/apache/13/apache-13.pom
Downloaded: http://repo.maven.apache.org/maven2/org/apache/apache/13/apache-13.pom (14 KB at 40.0 KB/sec)
Downloading: http://repo.maven.apache.org/maven2/org/apache/maven/maven-model/3.2.1/maven-model-3.2.1.pom
Downloaded: http://repo.maven.apache.org/maven2/org/apache/maven/maven-model/3.2.1/maven-model-3.2.1.pom (5 KB at 11.8 KB/sec)
Downloading: http://repo.maven.apache.org/maven2/org/codehaus/plexus/plexus-utils/3.0.17/plexus-utils-3.0.17.pom
Downloaded: http://repo.maven.apache.org/maven2/org/codehaus/plexus/plexus-utils/3.0.17/plexus-utils-3.0.17.pom (4 KB at 9.5 KB/sec)
Downloading: http://repo.maven.apache.org/maven2/org/codehaus/plexus/plexus/3.3.1/plexus-3.3.1.pom
Downloaded: http://repo.maven.apache.org/maven2/org/codehaus/plexus/plexus/3.3.1/plexus-3.3.1.pom (20 KB at 47.5 KB/sec)
Downloading: http://repo.maven.apache.org/maven2/org/sonatype/spice/spice-parent/17/spice-parent-17.pom
Downloaded: http://repo.maven.apache.org/maven2/org/sonatype/spice/spice-parent/17/spice-parent-17.pom (7 KB at 19.3 KB/sec)
Downloading: http://repo.maven.apache.org/maven2/org/sonatype/forge/forge-parent/10/forge-parent-10.pom
Downloaded: http://repo.maven.apache.org/maven2/org/sonatype/forge/forge-parent/10/forge-parent-10.pom (14 KB at 34.9 KB/sec)
Downloading: http://repo.maven.apache.org/maven2/org/apache/maven/maven-settings/3.2.1/maven-settings-3.2.1.pom
Downloaded: http://repo.maven.apache.org/maven2/org/apache/maven/maven-settings/3.2.1/maven-settings-3.2.1.pom (3 KB at 5.6 KB/sec)
Downloading: http://repo.maven.apache.org/maven2/org/apache/maven/maven-settings-builder/3.2.1/maven-settings-builder-3.2.1.pom
Downloaded: http://repo.maven.apache.org/maven2/org/apache/maven/maven-settings-builder/3.2.1/maven-settings-builder-3.2.1.pom (3 KB at 7.3 KB/sec)
Downloading: http://repo.maven.apache.org/maven2/org/codehaus/plexus/plexus-interpolation/1.19/plexus-interpolation-1.19.pom
Downloaded: http://repo.maven.apache.org/maven2/org/codehaus/plexus/plexus-interpolation/1.19/plexus-interpolation-1.19.pom (2 KB at 3.0 KB/sec)
Downloading: http://repo.maven.apache.org/maven2/org/codehaus/plexus/plexus-components/1.3.1/plexus-components-1.3.1.pom
Downloaded: http://repo.maven.apache.org/maven2/org/codehaus/plexus/plexus-components/1.3.1/plexus-components-1.3.1.pom (3 KB at 6.9 KB/sec)
Downloading: http://repo.maven.apache.org/maven2/org/codehaus/plexus/plexus-component-annotations/1.5.5/plexus-component-annotations-1.5.5.pom
Downloaded: http://repo.maven.apache.org/maven2/org/codehaus/plexus/plexus-component-annotations/1.5.5/plexus-component-annotations-1.5.5.pom (815 B at 2.3 KB/sec)
Downloading: http://repo.maven.apache.org/maven2/org/codehaus/plexus/plexus-containers/1.5.5/plexus-containers-1.5.5.pom
Downloaded: http://repo.maven.apache.org/maven2/org/codehaus/plexus/plexus-containers/1.5.5/plexus-containers-1.5.5.pom (5 KB at 12.3 KB/sec)
Downloading: http://repo.maven.apache.org/maven2/org/codehaus/plexus/plexus/2.0.7/plexus-2.0.7.pom
Downloaded: http://repo.maven.apache.org/maven2/org/codehaus/plexus/plexus/2.0.7/plexus-2.0.7.pom (17 KB at 38.2 KB/sec)
Downloading: http://repo.maven.apache.org/maven2/org/sonatype/plexus/plexus-sec-dispatcher/1.3/plexus-sec-dispatcher-1.3.pom
Downloaded: http://repo.maven.apache.org/maven2/org/sonatype/plexus/plexus-sec-dispatcher/1.3/plexus-sec-dispatcher-1.3.pom (3 KB at 7.6 KB/sec)
Downloading: http://repo.maven.apache.org/maven2/org/sonatype/spice/spice-parent/12/spice-parent-12.pom
Downloaded: http://repo.maven.apache.org/maven2/org/sonatype/spice/spice-parent/12/spice-parent-12.pom (7 KB at 16.1 KB/sec)
Downloading: http://repo.maven.apache.org/maven2/org/sonatype/forge/forge-parent/4/forge-parent-4.pom
Downloaded: http://repo.maven.apache.org/maven2/org/sonatype/forge/forge-parent/4/forge-parent-4.pom (9 KB at 24.3 KB/sec)
Downloading: http://repo.maven.apache.org/maven2/org/codehaus/plexus/plexus-utils/1.5.5/plexus-utils-1.5.5.pom
Downloaded: http://repo.maven.apache.org/maven2/org/codehaus/plexus/plexus-utils/1.5.5/plexus-utils-1.5.5.pom (6 KB at 12.2 KB/sec)
Downloading: http://repo.maven.apache.org/maven2/org/codehaus/plexus/plexus/1.0.11/plexus-1.0.11.pom
Downloaded: http://repo.maven.apache.org/maven2/org/codehaus/plexus/plexus/1.0.11/plexus-1.0.11.pom (9 KB at 22.9 KB/sec)
Downloading: http://repo.maven.apache.org/maven2/org/sonatype/plexus/plexus-cipher/1.4/plexus-cipher-1.4.pom
Downloaded: http://repo.maven.apache.org/maven2/org/sonatype/plexus/plexus-cipher/1.4/plexus-cipher-1.4.pom (3 KB at 5.1 KB/sec)
Downloading: http://repo.maven.apache.org/maven2/org/apache/maven/maven-repository-metadata/3.2.1/maven-repository-metadata-3.2.1.pom
Downloaded: http://repo.maven.apache.org/maven2/org/apache/maven/maven-repository-metadata/3.2.1/maven-repository-metadata-3.2.1.pom (3 KB at 6.3 KB/sec)
Downloading: http://repo.maven.apache.org/maven2/org/apache/maven/maven-artifact/3.2.1/maven-artifact-3.2.1.pom
Downloaded: http://repo.maven.apache.org/maven2/org/apache/maven/maven-artifact/3.2.1/maven-artifact-3.2.1.pom (2 KB at 4.2 KB/sec)
Downloading: http://repo.maven.apache.org/maven2/org/apache/maven/maven-plugin-api/3.2.1/maven-plugin-api-3.2.1.pom
Downloaded: http://repo.maven.apache.org/maven2/org/apache/maven/maven-plugin-api/3.2.1/maven-plugin-api-3.2.1.pom (4 KB at 8.2 KB/sec)
Downloading: http://repo.maven.apache.org/maven2/org/eclipse/sisu/org.eclipse.sisu.plexus/0.0.0.M5/org.eclipse.sisu.plexus-0.0.0.M5.pom
Downloaded: http://repo.maven.apache.org/maven2/org/eclipse/sisu/org.eclipse.sisu.plexus/0.0.0.M5/org.eclipse.sisu.plexus-0.0.0.M5.pom (5 KB at 13.9 KB/sec)
Downloading: http://repo.maven.apache.org/maven2/org/eclipse/sisu/sisu-plexus/0.0.0.M5/sisu-plexus-0.0.0.M5.pom
Downloaded: http://repo.maven.apache.org/maven2/org/eclipse/sisu/sisu-plexus/0.0.0.M5/sisu-plexus-0.0.0.M5.pom (13 KB at 28.0 KB/sec)
Downloading: http://repo.maven.apache.org/maven2/javax/enterprise/cdi-api/1.0/cdi-api-1.0.pom
Downloaded: http://repo.maven.apache.org/maven2/javax/enterprise/cdi-api/1.0/cdi-api-1.0.pom (2 KB at 4.0 KB/sec)
Downloading: http://repo.maven.apache.org/maven2/org/jboss/weld/weld-api-parent/1.0/weld-api-parent-1.0.pom
Downloaded: http://repo.maven.apache.org/maven2/org/jboss/weld/weld-api-parent/1.0/weld-api-parent-1.0.pom (3 KB at 6.8 KB/sec)
Downloading: http://repo.maven.apache.org/maven2/org/jboss/weld/weld-api-bom/1.0/weld-api-bom-1.0.pom
Downloaded: http://repo.maven.apache.org/maven2/org/jboss/weld/weld-api-bom/1.0/weld-api-bom-1.0.pom (8 KB at 22.8 KB/sec)
Downloading: http://repo.maven.apache.org/maven2/org/jboss/weld/weld-parent/6/weld-parent-6.pom
Downloaded: http://repo.maven.apache.org/maven2/org/jboss/weld/weld-parent/6/weld-parent-6.pom (21 KB at 54.6 KB/sec)
Downloading: http://repo.maven.apache.org/maven2/javax/annotation/jsr250-api/1.0/jsr250-api-1.0.pom
Downloaded: http://repo.maven.apache.org/maven2/javax/annotation/jsr250-api/1.0/jsr250-api-1.0.pom (1023 B at 2.9 KB/sec)
Downloading: http://repo.maven.apache.org/maven2/javax/inject/javax.inject/1/javax.inject-1.pom
Downloaded: http://repo.maven.apache.org/maven2/javax/inject/javax.inject/1/javax.inject-1.pom (612 B at 1.6 KB/sec)
Downloading: http://repo.maven.apache.org/maven2/com/google/guava/guava/10.0.1/guava-10.0.1.pom
Downloaded: http://repo.maven.apache.org/maven2/com/google/guava/guava/10.0.1/guava-10.0.1.pom (6 KB at 15.0 KB/sec)
Downloading: http://repo.maven.apache.org/maven2/com/google/guava/guava-parent/10.0.1/guava-parent-10.0.1.pom
Downloaded: http://repo.maven.apache.org/maven2/com/google/guava/guava-parent/10.0.1/guava-parent-10.0.1.pom (2 KB at 5.7 KB/sec)
Downloading: http://repo.maven.apache.org/maven2/com/google/code/findbugs/jsr305/1.3.9/jsr305-1.3.9.pom
Downloaded: http://repo.maven.apache.org/maven2/com/google/code/findbugs/jsr305/1.3.9/jsr305-1.3.9.pom (965 B at 2.8 KB/sec)
Downloading: http://repo.maven.apache.org/maven2/org/sonatype/sisu/sisu-guice/3.1.0/sisu-guice-3.1.0.pom
Downloaded: http://repo.maven.apache.org/maven2/org/sonatype/sisu/sisu-guice/3.1.0/sisu-guice-3.1.0.pom (10 KB at 28.2 KB/sec)
Downloading: http://repo.maven.apache.org/maven2/org/sonatype/sisu/inject/guice-parent/3.1.0/guice-parent-3.1.0.pom
Downloaded: http://repo.maven.apache.org/maven2/org/sonatype/sisu/inject/guice-parent/3.1.0/guice-parent-3.1.0.pom (11 KB at 25.1 KB/sec)
Downloading: http://repo.maven.apache.org/maven2/aopalliance/aopalliance/1.0/aopalliance-1.0.pom
Downloaded: http://repo.maven.apache.org/maven2/aopalliance/aopalliance/1.0/aopalliance-1.0.pom (363 B at 1.0 KB/sec)
Downloading: http://repo.maven.apache.org/maven2/org/eclipse/sisu/org.eclipse.sisu.inject/0.0.0.M5/org.eclipse.sisu.inject-0.0.0.M5.pom
Downloaded: http://repo.maven.apache.org/maven2/org/eclipse/sisu/org.eclipse.sisu.inject/0.0.0.M5/org.eclipse.sisu.inject-0.0.0.M5.pom (3 KB at 6.8 KB/sec)
Downloading: http://repo.maven.apache.org/maven2/org/eclipse/sisu/sisu-inject/0.0.0.M5/sisu-inject-0.0.0.M5.pom
Downloaded: http://repo.maven.apache.org/maven2/org/eclipse/sisu/sisu-inject/0.0.0.M5/sisu-inject-0.0.0.M5.pom (14 KB at 30.2 KB/sec)
Downloading: http://repo.maven.apache.org/maven2/org/codehaus/plexus/plexus-classworlds/2.4/plexus-classworlds-2.4.pom
Downloaded: http://repo.maven.apache.org/maven2/org/codehaus/plexus/plexus-classworlds/2.4/plexus-classworlds-2.4.pom (4 KB at 10.7 KB/sec)
Downloading: http://repo.maven.apache.org/maven2/org/codehaus/plexus/plexus-utils/2.1/plexus-utils-2.1.pom
Downloaded: http://repo.maven.apache.org/maven2/org/codehaus/plexus/plexus-utils/2.1/plexus-utils-2.1.pom (4 KB at 8.5 KB/sec)
Downloading: http://repo.maven.apache.org/maven2/org/sonatype/spice/spice-parent/16/spice-parent-16.pom
Downloaded: http://repo.maven.apache.org/maven2/org/sonatype/spice/spice-parent/16/spice-parent-16.pom (9 KB at 23.1 KB/sec)
Downloading: http://repo.maven.apache.org/maven2/org/sonatype/forge/forge-parent/5/forge-parent-5.pom
Downloaded: http://repo.maven.apache.org/maven2/org/sonatype/forge/forge-parent/5/forge-parent-5.pom (9 KB at 13.2 KB/sec)
Downloading: http://repo.maven.apache.org/maven2/org/apache/maven/maven-model-builder/3.2.1/maven-model-builder-3.2.1.pom
Downloaded: http://repo.maven.apache.org/maven2/org/apache/maven/maven-model-builder/3.2.1/maven-model-builder-3.2.1.pom (3 KB at 4.4 KB/sec)
Downloading: http://repo.maven.apache.org/maven2/org/apache/maven/maven-aether-provider/3.2.1/maven-aether-provider-3.2.1.pom
Downloaded: http://repo.maven.apache.org/maven2/org/apache/maven/maven-aether-provider/3.2.1/maven-aether-provider-3.2.1.pom (4 KB at 6.4 KB/sec)
Downloading: http://repo.maven.apache.org/maven2/org/eclipse/aether/aether-api/0.9.0.M2/aether-api-0.9.0.M2.pom
Downloaded: http://repo.maven.apache.org/maven2/org/eclipse/aether/aether-api/0.9.0.M2/aether-api-0.9.0.M2.pom (2 KB at 5.0 KB/sec)
Downloading: http://repo.maven.apache.org/maven2/org/eclipse/aether/aether/0.9.0.M2/aether-0.9.0.M2.pom
Downloaded: http://repo.maven.apache.org/maven2/org/eclipse/aether/aether/0.9.0.M2/aether-0.9.0.M2.pom (28 KB at 43.6 KB/sec)
Downloading: http://repo.maven.apache.org/maven2/org/eclipse/aether/aether-spi/0.9.0.M2/aether-spi-0.9.0.M2.pom
Downloaded: http://repo.maven.apache.org/maven2/org/eclipse/aether/aether-spi/0.9.0.M2/aether-spi-0.9.0.M2.pom (2 KB at 2.6 KB/sec)
Downloading: http://repo.maven.apache.org/maven2/org/eclipse/aether/aether-util/0.9.0.M2/aether-util-0.9.0.M2.pom
Downloaded: http://repo.maven.apache.org/maven2/org/eclipse/aether/aether-util/0.9.0.M2/aether-util-0.9.0.M2.pom (2 KB at 2.7 KB/sec)
Downloading: http://repo.maven.apache.org/maven2/org/eclipse/aether/aether-impl/0.9.0.M2/aether-impl-0.9.0.M2.pom
Downloaded: http://repo.maven.apache.org/maven2/org/eclipse/aether/aether-impl/0.9.0.M2/aether-impl-0.9.0.M2.pom (4 KB at 9.6 KB/sec)
Downloading: http://repo.maven.apache.org/maven2/org/codehaus/plexus/plexus-classworlds/2.5.1/plexus-classworlds-2.5.1.pom
Downloaded: http://repo.maven.apache.org/maven2/org/codehaus/plexus/plexus-classworlds/2.5.1/plexus-classworlds-2.5.1.pom (5 KB at 12.6 KB/sec)
Downloading: http://repo.maven.apache.org/maven2/org/apache/maven/maven-embedder/3.2.1/maven-embedder-3.2.1.pom
Downloaded: http://repo.maven.apache.org/maven2/org/apache/maven/maven-embedder/3.2.1/maven-embedder-3.2.1.pom (5 KB at 12.4 KB/sec)
Downloading: http://repo.maven.apache.org/maven2/org/apache/maven/maven-compat/3.2.1/maven-compat-3.2.1.pom
Downloaded: http://repo.maven.apache.org/maven2/org/apache/maven/maven-compat/3.2.1/maven-compat-3.2.1.pom (4 KB at 11.5 KB/sec)
Downloading: http://repo.maven.apache.org/maven2/org/apache/maven/wagon/wagon-provider-api/2.6/wagon-provider-api-2.6.pom
Downloaded: http://repo.maven.apache.org/maven2/org/apache/maven/wagon/wagon-provider-api/2.6/wagon-provider-api-2.6.pom (2 KB at 4.1 KB/sec)
Downloading: http://repo.maven.apache.org/maven2/org/apache/maven/wagon/wagon/2.6/wagon-2.6.pom
Downloaded: http://repo.maven.apache.org/maven2/org/apache/maven/wagon/wagon/2.6/wagon-2.6.pom (20 KB at 53.4 KB/sec)
Downloading: http://repo.maven.apache.org/maven2/org/codehaus/plexus/plexus-utils/3.0.8/plexus-utils-3.0.8.pom
Downloaded: http://repo.maven.apache.org/maven2/org/codehaus/plexus/plexus-utils/3.0.8/plexus-utils-3.0.8.pom (4 KB at 8.1 KB/sec)
Downloading: http://repo.maven.apache.org/maven2/org/codehaus/plexus/plexus/3.2/plexus-3.2.pom
Downloaded: http://repo.maven.apache.org/maven2/org/codehaus/plexus/plexus/3.2/plexus-3.2.pom (19 KB at 48.6 KB/sec)
Downloading: http://repo.maven.apache.org/maven2/org/sonatype/plexus/plexus-cipher/1.7/plexus-cipher-1.7.pom
Downloaded: http://repo.maven.apache.org/maven2/org/sonatype/plexus/plexus-cipher/1.7/plexus-cipher-1.7.pom (5 KB at 9.7 KB/sec)
Downloading: http://repo.maven.apache.org/maven2/org/sonatype/spice/spice-parent/15/spice-parent-15.pom
Downloaded: http://repo.maven.apache.org/maven2/org/sonatype/spice/spice-parent/15/spice-parent-15.pom (9 KB at 24.3 KB/sec)
Downloading: http://repo.maven.apache.org/maven2/org/slf4j/slf4j-api/1.7.5/slf4j-api-1.7.5.pom
Downloaded: http://repo.maven.apache.org/maven2/org/slf4j/slf4j-api/1.7.5/slf4j-api-1.7.5.pom (3 KB at 2.4 KB/sec)
Downloading: http://repo.maven.apache.org/maven2/org/slf4j/slf4j-parent/1.7.5/slf4j-parent-1.7.5.pom
Downloaded: http://repo.maven.apache.org/maven2/org/slf4j/slf4j-parent/1.7.5/slf4j-parent-1.7.5.pom (12 KB at 29.0 KB/sec)
Downloading: http://repo.maven.apache.org/maven2/commons-cli/commons-cli/1.2/commons-cli-1.2.pom
Downloaded: http://repo.maven.apache.org/maven2/commons-cli/commons-cli/1.2/commons-cli-1.2.pom (8 KB at 22.5 KB/sec)
Downloading: http://repo.maven.apache.org/maven2/org/apache/commons/commons-parent/11/commons-parent-11.pom
Downloaded: http://repo.maven.apache.org/maven2/org/apache/commons/commons-parent/11/commons-parent-11.pom (25 KB at 65.1 KB/sec)
Downloading: http://repo.maven.apache.org/maven2/org/apache/apache/4/apache-4.pom
Downloaded: http://repo.maven.apache.org/maven2/org/apache/apache/4/apache-4.pom (5 KB at 13.1 KB/sec)
Downloading: http://repo.maven.apache.org/maven2/co/leantechniques/maven-buildtime-extension/2.0.2/maven-buildtime-extension-2.0.2.jar
Downloading: http://repo.maven.apache.org/maven2/org/eclipse/aether/aether-spi/0.9.0.M2/aether-spi-0.9.0.M2.jar
Downloading: http://repo.maven.apache.org/maven2/org/eclipse/aether/aether-impl/0.9.0.M2/aether-impl-0.9.0.M2.jar
Downloading: http://repo.maven.apache.org/maven2/org/eclipse/aether/aether-util/0.9.0.M2/aether-util-0.9.0.M2.jar
Downloading: http://repo.maven.apache.org/maven2/org/eclipse/aether/aether-api/0.9.0.M2/aether-api-0.9.0.M2.jar
Downloaded: http://repo.maven.apache.org/maven2/co/leantechniques/maven-buildtime-extension/2.0.2/maven-buildtime-extension-2.0.2.jar (13 KB at 30.3 KB/sec)
Downloading: http://repo.maven.apache.org/maven2/org/eclipse/sisu/org.eclipse.sisu.plexus/0.0.0.M5/org.eclipse.sisu.plexus-0.0.0.M5.jar
Downloaded: http://repo.maven.apache.org/maven2/org/eclipse/aether/aether-spi/0.9.0.M2/aether-spi-0.9.0.M2.jar (18 KB at 26.0 KB/sec)
Downloading: http://repo.maven.apache.org/maven2/javax/enterprise/cdi-api/1.0/cdi-api-1.0.jar
Downloaded: http://repo.maven.apache.org/maven2/javax/enterprise/cdi-api/1.0/cdi-api-1.0.jar (44 KB at 86.2 KB/sec)
Downloading: http://repo.maven.apache.org/maven2/javax/annotation/jsr250-api/1.0/jsr250-api-1.0.jar
Downloaded: http://repo.maven.apache.org/maven2/javax/annotation/jsr250-api/1.0/jsr250-api-1.0.jar (6 KB at 16.0 KB/sec)
Downloading: http://repo.maven.apache.org/maven2/javax/inject/javax.inject/1/javax.inject-1.jar
Downloaded: http://repo.maven.apache.org/maven2/org/eclipse/sisu/org.eclipse.sisu.plexus/0.0.0.M5/org.eclipse.sisu.plexus-0.0.0.M5.jar (192 KB at 141.8 KB/sec)
Downloading: http://repo.maven.apache.org/maven2/com/google/guava/guava/10.0.1/guava-10.0.1.jar
Downloaded: http://repo.maven.apache.org/maven2/javax/inject/javax.inject/1/javax.inject-1.jar (3 KB at 7.1 KB/sec)
Downloading: http://repo.maven.apache.org/maven2/com/google/code/findbugs/jsr305/1.3.9/jsr305-1.3.9.jar
Downloaded: http://repo.maven.apache.org/maven2/org/eclipse/aether/aether-api/0.9.0.M2/aether-api-0.9.0.M2.jar (131 KB at 65.4 KB/sec)
Downloading: http://repo.maven.apache.org/maven2/org/sonatype/sisu/sisu-guice/3.1.0/sisu-guice-3.1.0-no_aop.jar
Downloaded: http://repo.maven.apache.org/maven2/org/eclipse/aether/aether-util/0.9.0.M2/aether-util-0.9.0.M2.jar (131 KB at 63.1 KB/sec)
Downloading: http://repo.maven.apache.org/maven2/aopalliance/aopalliance/1.0/aopalliance-1.0.jar
Downloaded: http://repo.maven.apache.org/maven2/com/google/code/findbugs/jsr305/1.3.9/jsr305-1.3.9.jar (33 KB at 81.2 KB/sec)
Downloading: http://repo.maven.apache.org/maven2/org/eclipse/sisu/org.eclipse.sisu.inject/0.0.0.M5/org.eclipse.sisu.inject-0.0.0.M5.jar
Downloaded: http://repo.maven.apache.org/maven2/aopalliance/aopalliance/1.0/aopalliance-1.0.jar (5 KB at 9.3 KB/sec)
Downloading: http://repo.maven.apache.org/maven2/org/codehaus/plexus/plexus-interpolation/1.19/plexus-interpolation-1.19.jar
Downloaded: http://repo.maven.apache.org/maven2/org/sonatype/sisu/sisu-guice/3.1.0/sisu-guice-3.1.0-no_aop.jar (350 KB at 447.5 KB/sec)
Downloading: http://repo.maven.apache.org/maven2/org/codehaus/plexus/plexus-utils/3.0.17/plexus-utils-3.0.17.jar
Downloaded: http://repo.maven.apache.org/maven2/org/eclipse/aether/aether-impl/0.9.0.M2/aether-impl-0.9.0.M2.jar (142 KB at 50.8 KB/sec)
Downloading: http://repo.maven.apache.org/maven2/org/codehaus/plexus/plexus-component-annotations/1.5.5/plexus-component-annotations-1.5.5.jar
Downloaded: http://repo.maven.apache.org/maven2/org/codehaus/plexus/plexus-interpolation/1.19/plexus-interpolation-1.19.jar (61 KB at 125.3 KB/sec)
Downloading: http://repo.maven.apache.org/maven2/org/sonatype/plexus/plexus-sec-dispatcher/1.3/plexus-sec-dispatcher-1.3.jar
Downloaded: http://repo.maven.apache.org/maven2/org/eclipse/sisu/org.eclipse.sisu.inject/0.0.0.M5/org.eclipse.sisu.inject-0.0.0.M5.jar (285 KB at 282.6 KB/sec)
Downloading: http://repo.maven.apache.org/maven2/org/apache/maven/maven-embedder/3.2.1/maven-embedder-3.2.1.jar
Downloaded: http://repo.maven.apache.org/maven2/org/sonatype/plexus/plexus-sec-dispatcher/1.3/plexus-sec-dispatcher-1.3.jar (28 KB at 74.2 KB/sec)
Downloading: http://repo.maven.apache.org/maven2/org/sonatype/plexus/plexus-cipher/1.7/plexus-cipher-1.7.jar
Downloaded: http://repo.maven.apache.org/maven2/org/codehaus/plexus/plexus-utils/3.0.17/plexus-utils-3.0.17.jar (246 KB at 295.2 KB/sec)
Downloading: http://repo.maven.apache.org/maven2/org/slf4j/slf4j-api/1.7.5/slf4j-api-1.7.5.jar
Downloaded: http://repo.maven.apache.org/maven2/org/apache/maven/maven-embedder/3.2.1/maven-embedder-3.2.1.jar (59 KB at 147.3 KB/sec)
Downloading: http://repo.maven.apache.org/maven2/commons-cli/commons-cli/1.2/commons-cli-1.2.jar
Downloaded: http://repo.maven.apache.org/maven2/org/sonatype/plexus/plexus-cipher/1.7/plexus-cipher-1.7.jar (14 KB at 35.9 KB/sec)
Downloaded: http://repo.maven.apache.org/maven2/org/codehaus/plexus/plexus-component-annotations/1.5.5/plexus-component-annotations-1.5.5.jar (5 KB at 3.9 KB/sec)
Downloaded: http://repo.maven.apache.org/maven2/org/slf4j/slf4j-api/1.7.5/slf4j-api-1.7.5.jar (26 KB at 72.2 KB/sec)
Downloaded: http://repo.maven.apache.org/maven2/commons-cli/commons-cli/1.2/commons-cli-1.2.jar (41 KB at 110.3 KB/sec)
Downloaded: http://repo.maven.apache.org/maven2/com/google/guava/guava/10.0.1/guava-10.0.1.jar (1467 KB at 215.5 KB/sec)
Aug 17, 2015 9:47:10 AM org.sonatype.guice.bean.reflect.Logs$JULSink warn
WARNING: Error injecting: co.leantechniques.maven.buildtime.BuildTimeMavenLifecycleParticipant
java.lang.NoClassDefFoundError: org/slf4j/ILoggerFactory
    at org.codehaus.plexus.DefaultPlexusContainer$SLF4JLoggerFactoryProvider.get(DefaultPlexusContainer.java:873)
    at org.sonatype.guice.plexus.lifecycles.PlexusLifecycleManager.getSLF4JLogger(PlexusLifecycleManager.java:231)
    at org.sonatype.guice.plexus.lifecycles.PlexusLifecycleManager$2.injectProperty(PlexusLifecycleManager.java:111)
    at org.sonatype.guice.bean.inject.BeanInjector.injectMembers(BeanInjector.java:53)
    at com.google.inject.internal.MembersInjectorImpl.injectMembers(MembersInjectorImpl.java:128)
    at com.google.inject.internal.ConstructorInjector.provision(ConstructorInjector.java:117)
    at com.google.inject.internal.ConstructorInjector.access$000(ConstructorInjector.java:32)
    at com.google.inject.internal.ConstructorInjector$1.call(ConstructorInjector.java:91)
    at com.google.inject.internal.ProvisionListenerStackCallback$Provision.provision(ProvisionListenerStackCallback.java:100)
    at com.google.inject.internal.ProvisionListenerStackCallback$Provision.provision(ProvisionListenerStackCallback.java:115)
    at com.google.inject.internal.ProvisionListenerStackCallback.provision(ProvisionListenerStackCallback.java:55)
    at com.google.inject.internal.ConstructorInjector.construct(ConstructorInjector.java:89)
    at com.google.inject.internal.ConstructorBindingImpl$Factory.get(ConstructorBindingImpl.java:259)
    at com.google.inject.internal.InjectorImpl$3$1.call(InjectorImpl.java:990)
    at com.google.inject.internal.InjectorImpl.callInContext(InjectorImpl.java:1043)
    at com.google.inject.internal.InjectorImpl$3.get(InjectorImpl.java:986)
    at com.google.inject.internal.InjectorImpl.getInstance(InjectorImpl.java:1025)
    at org.sonatype.guice.bean.reflect.AbstractDeferredClass.get(AbstractDeferredClass.java:45)
    at com.google.inject.internal.ProviderInternalFactory.provision(ProviderInternalFactory.java:84)
    at com.google.inject.internal.InternalFactoryToInitializableAdapter.provision(InternalFactoryToInitializableAdapter.java:52)
    at com.google.inject.internal.ProviderInternalFactory$1.call(ProviderInternalFactory.java:70)
    at com.google.inject.internal.ProvisionListenerStackCallback$Provision.provision(ProvisionListenerStackCallback.java:100)
    at org.sonatype.guice.plexus.lifecycles.PlexusLifecycleManager.onProvision(PlexusLifecycleManager.java:138)
    at com.google.inject.internal.ProvisionListenerStackCallback$Provision.provision(ProvisionListenerStackCallback.java:108)
    at com.google.inject.internal.ProvisionListenerStackCallback.provision(ProvisionListenerStackCallback.java:55)
    at com.google.inject.internal.ProviderInternalFactory.circularGet(ProviderInternalFactory.java:68)
    at com.google.inject.internal.InternalFactoryToInitializableAdapter.get(InternalFactoryToInitializableAdapter.java:45)
    at com.google.inject.internal.ProviderToInternalFactoryAdapter$1.call(ProviderToInternalFactoryAdapter.java:46)
    at com.google.inject.internal.InjectorImpl.callInContext(InjectorImpl.java:1043)
    at com.google.inject.internal.ProviderToInternalFactoryAdapter.get(ProviderToInternalFactoryAdapter.java:40)
    at com.google.inject.Scopes$1$1.get(Scopes.java:59)
    at com.google.inject.internal.InternalFactoryToProviderAdapter.get(InternalFactoryToProviderAdapter.java:41)
    at com.google.inject.internal.InjectorImpl$3$1.call(InjectorImpl.java:990)
    at com.google.inject.internal.InjectorImpl.callInContext(InjectorImpl.java:1036)
    at com.google.inject.internal.InjectorImpl$3.get(InjectorImpl.java:986)
    at org.sonatype.guice.bean.locators.LazyBeanEntry.getValue(LazyBeanEntry.java:83)
    at org.sonatype.guice.plexus.locators.LazyPlexusBean.getValue(LazyPlexusBean.java:49)
    at org.sonatype.guice.bean.locators.EntryListAdapter$ValueIterator.next(EntryListAdapter.java:112)
    at java.util.AbstractCollection.addAll(AbstractCollection.java:341)
    at org.apache.maven.DefaultMaven.getLifecycleParticipants(DefaultMaven.java:538)
    at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:270)
    at org.apache.maven.DefaultMaven.execute(DefaultMaven.java:156)
    at org.apache.maven.cli.MavenCli.execute(MavenCli.java:537)
    at org.apache.maven.cli.MavenCli.doMain(MavenCli.java:196)
    at org.apache.maven.cli.MavenCli.main(MavenCli.java:141)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced(Launcher.java:289)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launch(Launcher.java:229)
    at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode(Launcher.java:415)
    at org.codehaus.plexus.classworlds.launcher.Launcher.main(Launcher.java:356)
Caused by: java.lang.ClassNotFoundException: org.slf4j.ILoggerFactory
    at org.codehaus.plexus.classworlds.strategy.SelfFirstStrategy.loadClass(SelfFirstStrategy.java:50)
    at org.codehaus.plexus.classworlds.realm.ClassRealm.unsynchronizedLoadClass(ClassRealm.java:259)
    at org.codehaus.plexus.classworlds.realm.ClassRealm.loadClass(ClassRealm.java:235)
    at org.codehaus.plexus.classworlds.realm.ClassRealm.loadClass(ClassRealm.java:227)
    ... 53 more

---------------------------------------------------
constituent[0]: file:/usr/share/maven/lib/aether-api.jar
constituent[1]: file:/usr/share/maven/lib/maven-settings-builder-3.x.jar
constituent[2]: file:/usr/share/maven/lib/maven-aether-provider-3.x.jar
constituent[3]: file:/usr/share/maven/lib/wagon-provider-api.jar
constituent[4]: file:/usr/share/maven/lib/aether-util.jar
constituent[5]: file:/usr/share/maven/lib/maven-artifact-3.x.jar
constituent[6]: file:/usr/share/maven/lib/guava.jar
constituent[7]: file:/usr/share/maven/lib/plexus-component-annotations.jar
constituent[8]: file:/usr/share/maven/lib/maven-model-builder-3.x.jar
constituent[9]: file:/usr/share/maven/lib/plexus-cipher.jar
constituent[10]: file:/usr/share/maven/lib/maven-embedder-3.x.jar
constituent[11]: file:/usr/share/maven/lib/maven-core-3.x.jar
constituent[12]: file:/usr/share/maven/lib/aether-spi.jar
constituent[13]: file:/usr/share/maven/lib/wagon-file.jar
constituent[14]: file:/usr/share/maven/lib/sisu-guice.jar
constituent[15]: file:/usr/share/maven/lib/plexus-interpolation.jar
constituent[16]: file:/usr/share/maven/lib/plexus-sec-dispatcher.jar
constituent[17]: file:/usr/share/maven/lib/wagon-http-shaded.jar
constituent[18]: file:/usr/share/maven/lib/maven-plugin-api-3.x.jar
constituent[19]: file:/usr/share/maven/lib/aether-impl.jar
constituent[20]: file:/usr/share/maven/lib/maven-repository-metadata-3.x.jar
constituent[21]: file:/usr/share/maven/lib/commons-cli.jar
constituent[22]: file:/usr/share/maven/lib/commons-httpclient.jar
constituent[23]: file:/usr/share/maven/lib/aether-connector-wagon.jar
constituent[24]: file:/usr/share/maven/lib/commons-codec.jar
constituent[25]: file:/usr/share/maven/lib/plexus-utils.jar
constituent[26]: file:/usr/share/maven/lib/maven-model-3.x.jar
constituent[27]: file:/usr/share/maven/lib/sisu-inject-bean.jar
constituent[28]: file:/usr/share/maven/lib/maven-settings-3.x.jar
constituent[29]: file:/usr/share/maven/lib/sisu-inject-plexus.jar
constituent[30]: file:/usr/share/maven/lib/maven-compat-3.x.jar
constituent[31]: file:/usr/share/maven/lib/commons-logging.jar
---------------------------------------------------
Exception in thread "main" java.lang.NoClassDefFoundError: org/slf4j/ILoggerFactory
    at org.codehaus.plexus.DefaultPlexusContainer$SLF4JLoggerFactoryProvider.get(DefaultPlexusContainer.java:873)
    at org.sonatype.guice.plexus.lifecycles.PlexusLifecycleManager.getSLF4JLogger(PlexusLifecycleManager.java:231)
    at org.sonatype.guice.plexus.lifecycles.PlexusLifecycleManager$2.injectProperty(PlexusLifecycleManager.java:111)
    at org.sonatype.guice.bean.inject.BeanInjector.injectMembers(BeanInjector.java:53)
    at com.google.inject.internal.MembersInjectorImpl.injectMembers(MembersInjectorImpl.java:128)
    at com.google.inject.internal.ConstructorInjector.provision(ConstructorInjector.java:117)
    at com.google.inject.internal.ConstructorInjector.access$000(ConstructorInjector.java:32)
    at com.google.inject.internal.ConstructorInjector$1.call(ConstructorInjector.java:91)
    at com.google.inject.internal.ProvisionListenerStackCallback$Provision.provision(ProvisionListenerStackCallback.java:100)
    at com.google.inject.internal.ProvisionListenerStackCallback$Provision.provision(ProvisionListenerStackCallback.java:115)
    at com.google.inject.internal.ProvisionListenerStackCallback.provision(ProvisionListenerStackCallback.java:55)
    at com.google.inject.internal.ConstructorInjector.construct(ConstructorInjector.java:89)
    at com.google.inject.internal.ConstructorBindingImpl$Factory.get(ConstructorBindingImpl.java:259)
    at com.google.inject.internal.InjectorImpl$3$1.call(InjectorImpl.java:990)
    at com.google.inject.internal.InjectorImpl.callInContext(InjectorImpl.java:1043)
    at com.google.inject.internal.InjectorImpl$3.get(InjectorImpl.java:986)
    at com.google.inject.internal.InjectorImpl.getInstance(InjectorImpl.java:1025)
    at org.sonatype.guice.bean.reflect.AbstractDeferredClass.get(AbstractDeferredClass.java:45)
    at com.google.inject.internal.ProviderInternalFactory.provision(ProviderInternalFactory.java:84)
    at com.google.inject.internal.InternalFactoryToInitializableAdapter.provision(InternalFactoryToInitializableAdapter.java:52)
    at com.google.inject.internal.ProviderInternalFactory$1.call(ProviderInternalFactory.java:70)
    at com.google.inject.internal.ProvisionListenerStackCallback$Provision.provision(ProvisionListenerStackCallback.java:100)
    at org.sonatype.guice.plexus.lifecycles.PlexusLifecycleManager.onProvision(PlexusLifecycleManager.java:138)
    at com.google.inject.internal.ProvisionListenerStackCallback$Provision.provision(ProvisionListenerStackCallback.java:108)
    at com.google.inject.internal.ProvisionListenerStackCallback.provision(ProvisionListenerStackCallback.java:55)
    at com.google.inject.internal.ProviderInternalFactory.circularGet(ProviderInternalFactory.java:68)
    at com.google.inject.internal.InternalFactoryToInitializableAdapter.get(InternalFactoryToInitializableAdapter.java:45)
    at com.google.inject.internal.ProviderToInternalFactoryAdapter$1.call(ProviderToInternalFactoryAdapter.java:46)
    at com.google.inject.internal.InjectorImpl.callInContext(InjectorImpl.java:1043)
    at com.google.inject.internal.ProviderToInternalFactoryAdapter.get(ProviderToInternalFactoryAdapter.java:40)
    at com.google.inject.Scopes$1$1.get(Scopes.java:59)
    at com.google.inject.internal.InternalFactoryToProviderAdapter.get(InternalFactoryToProviderAdapter.java:41)
    at com.google.inject.internal.InjectorImpl$3$1.call(InjectorImpl.java:990)
    at com.google.inject.internal.InjectorImpl.callInContext(InjectorImpl.java:1036)
    at com.google.inject.internal.InjectorImpl$3.get(InjectorImpl.java:986)
    at org.sonatype.guice.bean.locators.LazyBeanEntry.getValue(LazyBeanEntry.java:83)
    at org.sonatype.guice.plexus.locators.LazyPlexusBean.getValue(LazyPlexusBean.java:49)
    at org.sonatype.guice.bean.locators.EntryListAdapter$ValueIterator.next(EntryListAdapter.java:112)
    at java.util.AbstractCollection.addAll(AbstractCollection.java:341)
    at org.apache.maven.DefaultMaven.getLifecycleParticipants(DefaultMaven.java:538)
    at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:270)
    at org.apache.maven.DefaultMaven.execute(DefaultMaven.java:156)
    at org.apache.maven.cli.MavenCli.execute(MavenCli.java:537)
    at org.apache.maven.cli.MavenCli.doMain(MavenCli.java:196)
    at org.apache.maven.cli.MavenCli.main(MavenCli.java:141)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced(Launcher.java:289)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launch(Launcher.java:229)
    at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode(Launcher.java:415)
    at org.codehaus.plexus.classworlds.launcher.Launcher.main(Launcher.java:356)
Caused by: java.lang.ClassNotFoundException: org.slf4j.ILoggerFactory
    at org.codehaus.plexus.classworlds.strategy.SelfFirstStrategy.loadClass(SelfFirstStrategy.java:50)
    at org.codehaus.plexus.classworlds.realm.ClassRealm.unsynchronizedLoadClass(ClassRealm.java:259)
    at org.codehaus.plexus.classworlds.realm.ClassRealm.loadClass(ClassRealm.java:235)
    at org.codehaus.plexus.classworlds.realm.ClassRealm.loadClass(ClassRealm.java:227)
    ... 53 more
user@workstation $

When trying to build the docker image with docker build -t benchmark:v1.2 . I get the following error:

Sending build context to Docker daemon  3.072kB
Step 1/23 : FROM ubuntu:15.04
 ---> d1b55fd07600
Step 2/23 : MAINTAINER Simon Bennetts "[email protected]"
 ---> Using cache
 ---> c4f0f0f4d229
Step 3/23 : RUN apt-get update && apt-get clean
 ---> Running in 60ed369f1b7c
Ign http://archive.ubuntu.com vivid InRelease
Ign http://archive.ubuntu.com vivid-updates InRelease
Ign http://archive.ubuntu.com vivid-security InRelease
Ign http://archive.ubuntu.com vivid Release.gpg
Ign http://archive.ubuntu.com vivid-updates Release.gpg
Ign http://archive.ubuntu.com vivid-security Release.gpg
Ign http://archive.ubuntu.com vivid Release
Ign http://archive.ubuntu.com vivid-updates Release
Ign http://archive.ubuntu.com vivid-security Release
Ign http://archive.ubuntu.com vivid/main amd64 Packages/DiffIndex
Ign http://archive.ubuntu.com vivid/restricted amd64 Packages/DiffIndex
Err http://archive.ubuntu.com vivid/main Sources
  404  Not Found [IP: 91.189.88.161 80]
Err http://archive.ubuntu.com vivid/restricted Sources
  404  Not Found [IP: 91.189.88.161 80]
Err http://archive.ubuntu.com vivid/universe Sources
  404  Not Found [IP: 91.189.88.161 80]
Err http://archive.ubuntu.com vivid/universe amd64 Packages
  404  Not Found [IP: 91.189.88.161 80]
Err http://archive.ubuntu.com vivid-updates/main Sources
  404  Not Found [IP: 91.189.88.161 80]
Err http://archive.ubuntu.com vivid-updates/restricted Sources
  404  Not Found [IP: 91.189.88.161 80]
Err http://archive.ubuntu.com vivid-updates/universe Sources
  404  Not Found [IP: 91.189.88.161 80]
Err http://archive.ubuntu.com vivid-updates/main amd64 Packages
  404  Not Found [IP: 91.189.88.161 80]
Err http://archive.ubuntu.com vivid-updates/restricted amd64 Packages
  404  Not Found [IP: 91.189.88.161 80]
Err http://archive.ubuntu.com vivid-updates/universe amd64 Packages
  404  Not Found [IP: 91.189.88.161 80]
Err http://archive.ubuntu.com vivid-security/main Sources
  404  Not Found [IP: 91.189.88.161 80]
Err http://archive.ubuntu.com vivid-security/restricted Sources
  404  Not Found [IP: 91.189.88.161 80]
Err http://archive.ubuntu.com vivid-security/universe Sources
  404  Not Found [IP: 91.189.88.161 80]
Err http://archive.ubuntu.com vivid-security/main amd64 Packages
  404  Not Found [IP: 91.189.88.161 80]
Err http://archive.ubuntu.com vivid-security/restricted amd64 Packages
  404  Not Found [IP: 91.189.88.161 80]
Err http://archive.ubuntu.com vivid-security/universe amd64 Packages
  404  Not Found [IP: 91.189.88.161 80]
Err http://archive.ubuntu.com vivid/main amd64 Packages
  404  Not Found [IP: 91.189.88.161 80]
Err http://archive.ubuntu.com vivid/restricted amd64 Packages
  404  Not Found [IP: 91.189.88.161 80]
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/vivid/main/source/Sources  404  Not Found [IP: 91.189.88.161 80]

W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/vivid/restricted/source/Sources  404  Not Found [IP: 91.189.88.161 80]

W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/vivid/universe/source/Sources  404  Not Found [IP: 91.189.88.161 80]

W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/vivid/universe/binary-amd64/Packages  404  Not Found [IP: 91.189.88.161 80]

W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/vivid-updates/main/source/Sources  404  Not Found [IP: 91.189.88.161 80]

W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/vivid-updates/restricted/source/Sources  404  Not Found [IP: 91.189.88.161 80]

W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/vivid-updates/universe/source/Sources  404  Not Found [IP: 91.189.88.161 80]

W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/vivid-updates/main/binary-amd64/Packages  404  Not Found [IP: 91.189.88.161 80]

W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/vivid-updates/restricted/binary-amd64/Packages  404  Not Found [IP: 91.189.88.161 80]

W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/vivid-updates/universe/binary-amd64/Packages  404  Not Found [IP: 91.189.88.161 80]

W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/vivid-security/main/source/Sources  404  Not Found [IP: 91.189.88.161 80]

W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/vivid-security/restricted/source/Sources  404  Not Found [IP: 91.189.88.161 80]

W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/vivid-security/universe/source/Sources  404  Not Found [IP: 91.189.88.161 80]

W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/vivid-security/main/binary-amd64/Packages  404  Not Found [IP: 91.189.88.161 80]

W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/vivid-security/restricted/binary-amd64/Packages  404  Not Found [IP: 91.189.88.161 80]

W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/vivid-security/universe/binary-amd64/Packages  404  Not Found [IP: 91.189.88.161 80]

W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/vivid/main/binary-amd64/Packages  404  Not Found [IP: 91.189.88.161 80]

W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/vivid/restricted/binary-amd64/Packages  404  Not Found [IP: 91.189.88.161 80]

E: Some index files failed to download. They have been ignored, or old ones used instead.
The command '/bin/sh -c apt-get update && apt-get clean' returned a non-zero code: 100

Maybe the Dockerfile has to be updated to use a more current version of Ubuntu?

Hi everyone!
I am making a research of many different SAST applications for the final project of my cybersecurity master, and I want to add some real benchmarks to my investigation, but I've realized there are many readers missing in OWASP Benchmark by the moment.
For example, I've seen that there is not a reader for VisualCodeGrepper, so I think I could make it for the community! (I am new at free software contributions)
I would thank any advice :)

The current way of generating a ZAP scorecard is to put a ZAP XML report in a specific directory.
It would be really useful if there was a command line tool that could be invoked with the relevant ZAP report URL, eg:
generateZAPscorecard.sh http://172.17.0.3:8090/OTHER/core/other/xmlreport/
We'd like to include Benchmark in our scheduled ZAP tests, but we run ZAP in one docker image and Benchmark in the other.
A way of retrieving the ZAP scorecard via a URL would also be really useful... ;)

The Tomcat Admin interface installed and used by Benchmark is exposed on all interfaces, with weak credentials "admin" (with no password). This exposes the webapp, and the underlying host to total compromise by any attacker on the network.

The Tomcat instance is unhardened, and has various other issues as well.

I suggest the following changes:

1. Configure the underlying Tomcat 8 instance to listen only on 127.0.0.1
2. Remove the following administrative consoles, which are not required

• /manager
• /host-manager
  3) Change the default Tomcat users configured in tomcat-users.xml (or simply remove all users, since they do not appear to be required)
  4) Remove sample.war (and the examples folder in its entirety)
  5) Remove the installed documentation folder
  6) If deploying a Tomcat instance with Benchmark, follow the CIS Tomcat Hardening guidelines.

I'm getting the following compilation error when I try to set up Benchmark on an AWS Ubuntu instance:
Exception in thread "main" java.lang.NoClassDefFoundError: org/slf4j/ILoggerFactory
at org.codehaus.plexus.DefaultPlexusContainer$SLF4JLoggerFactoryProvider.get(DefaultPlexusContainer.java:873)
at org.sonatype.guice.plexus.lifecycles.PlexusLifecycleManager.getSLF4JLogger(PlexusLifecycleManager.java:231)
at org.sonatype.guice.plexus.lifecycles.PlexusLifecycleManager$2.injectProperty(PlexusLifecycleManager.java:111)
at org.sonatype.guice.bean.inject.BeanInjector.injectMembers(BeanInjector.java:53)
at com.google.inject.internal.MembersInjectorImpl.injectMembers(MembersInjectorImpl.java:128)
at com.google.inject.internal.ConstructorInjector.provision(ConstructorInjector.java:117)
at com.google.inject.internal.ConstructorInjector.access$000(ConstructorInjector.java:32)
at com.google.inject.internal.ConstructorInjector$1.call(ConstructorInjector.java:91)
at com.google.inject.internal.ProvisionListenerStackCallback$Provision.provision(ProvisionListenerStackCallback.java:100)
at com.google.inject.internal.ProvisionListenerStackCallback$Provision.provision(ProvisionListenerStackCallback.java:115)
at com.google.inject.internal.ProvisionListenerStackCallback.provision(ProvisionListenerStackCallback.java:55)
at com.google.inject.internal.ConstructorInjector.construct(ConstructorInjector.java:89)
at com.google.inject.internal.ConstructorBindingImpl$Factory.get(ConstructorBindingImpl.java:259)
at com.google.inject.internal.InjectorImpl$3$1.call(InjectorImpl.java:990)
at com.google.inject.internal.InjectorImpl.callInContext(InjectorImpl.java:1043)
at com.google.inject.internal.InjectorImpl$3.get(InjectorImpl.java:986)
at com.google.inject.internal.InjectorImpl.getInstance(InjectorImpl.java:1025)
at org.sonatype.guice.bean.reflect.AbstractDeferredClass.get(AbstractDeferredClass.java:45)
at com.google.inject.internal.ProviderInternalFactory.provision(ProviderInternalFactory.java:84)
at com.google.inject.internal.InternalFactoryToInitializableAdapter.provision(InternalFactoryToInitializableAdapter.java:52)
at com.google.inject.internal.ProviderInternalFactory$1.call(ProviderInternalFactory.java:70)
at com.google.inject.internal.ProvisionListenerStackCallback$Provision.provision(ProvisionListenerStackCallback.java:100)
at org.sonatype.guice.plexus.lifecycles.PlexusLifecycleManager.onProvision(PlexusLifecycleManager.java:138)
at com.google.inject.internal.ProvisionListenerStackCallback$Provision.provision(ProvisionListenerStackCallback.java:108)
at com.google.inject.internal.ProvisionListenerStackCallback.provision(ProvisionListenerStackCallback.java:55)
at com.google.inject.internal.ProviderInternalFactory.circularGet(ProviderInternalFactory.java:68)
at com.google.inject.internal.InternalFactoryToInitializableAdapter.get(InternalFactoryToInitializableAdapter.java:45)
at com.google.inject.internal.ProviderToInternalFactoryAdapter$1.call(ProviderToInternalFactoryAdapter.java:46)
at com.google.inject.internal.InjectorImpl.callInContext(InjectorImpl.java:1043)
at com.google.inject.internal.ProviderToInternalFactoryAdapter.get(ProviderToInternalFactoryAdapter.java:40)
at com.google.inject.Scopes$1$1.get(Scopes.java:59)
at com.google.inject.internal.InternalFactoryToProviderAdapter.get(InternalFactoryToProviderAdapter.java:41)
at com.google.inject.internal.InjectorImpl$3$1.call(InjectorImpl.java:990)
at com.google.inject.internal.InjectorImpl.callInContext(InjectorImpl.java:1036)
at com.google.inject.internal.InjectorImpl$3.get(InjectorImpl.java:986)
at org.sonatype.guice.bean.locators.LazyBeanEntry.getValue(LazyBeanEntry.java:83)
at org.sonatype.guice.plexus.locators.LazyPlexusBean.getValue(LazyPlexusBean.java:49)
at org.sonatype.guice.bean.locators.EntryListAdapter$ValueIterator.next(EntryListAdapter.java:112)
at java.util.AbstractCollection.addAll(AbstractCollection.java:341)
at org.apache.maven.DefaultMaven.getLifecycleParticipants(DefaultMaven.java:538)
at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:270)
at org.apache.maven.DefaultMaven.execute(DefaultMaven.java:156)
at org.apache.maven.cli.MavenCli.execute(MavenCli.java:537)
at org.apache.maven.cli.MavenCli.doMain(MavenCli.java:196)
at org.apache.maven.cli.MavenCli.main(MavenCli.java:141)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced(Launcher.java:289)
at org.codehaus.plexus.classworlds.launcher.Launcher.launch(Launcher.java:229)
at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode(Launcher.java:415)
at org.codehaus.plexus.classworlds.launcher.Launcher.main(Launcher.java:356)
Caused by: java.lang.ClassNotFoundException: org.slf4j.ILoggerFactory
at org.codehaus.plexus.classworlds.strategy.SelfFirstStrategy.loadClass(SelfFirstStrategy.java:50)
at org.codehaus.plexus.classworlds.realm.ClassRealm.unsynchronizedLoadClass(ClassRealm.java:259)
at org.codehaus.plexus.classworlds.realm.ClassRealm.loadClass(ClassRealm.java:235)
at org.codehaus.plexus.classworlds.realm.ClassRealm.loadClass(ClassRealm.java:227)
... 53 more

For info:

java -version
java version "1.7.0_80"
Java(TM) SE Runtime Environment (build 1.7.0_80-b15)
Java HotSpot(TM) 64-Bit Server VM (build 24.80-b11, mixed mode)

mvn -version
Apache Maven 3.0.5
Maven home: /usr/share/maven
Java version: 1.7.0_80, vendor: Oracle Corporation
Java home: /usr/lib/jvm/java-7-oracle/jre
Default locale: en_US, platform encoding: UTF-8
OS name: "linux", version: "3.13.0-48-generic", arch: "amd64", family: "unix"

This is the default lowest level general-purpose Ubuntu image. I'll try with some of the other ones...

The report contains the results of Find Security Bugs version 1.4.0 (older version) and an incorrect CWE mapping.
The correct mapping was pushed last week.

The WriteFiles-Class fails, as SonarQube only allows to request for a maximum of 10000 issues. This could be fixed by building the request with the rules-parameter (&rules=squid:XXX), which will give us only the relevant issues. (SonarQube version 6.2)