Can we update the benchmark scorecards?

OWASP / www-project-benchmark

OWASP Foundation Web Respository

17 stars 10 forks source link

Can we update the benchmark scorecards? #7

Open kamadorueda opened 3 years ago

kamadorueda commented 3 years ago

I was looking at the "tool support / results" tab:

And found that we have very nice results in this link: https://rawgit.com/OWASP/Benchmark/master/scorecard/OWASP_Benchmark_Home.html

However:

[ ] It was generated in 2016, can we run results today and update the image?
[ ] We (Fluid Attacks) would like to include our security vulnerability detection tool in which we've recently evaluated results against the benchmark:
- https://fluidattacks.com/blog/owasp-benchmark-fluid-attacks/
- https://docs.fluidattacks.com/machine/scanner/reproducibility (this link is experimental)
  
  Could you please give us some orientation on how to appear in the results? here: https://owasp.org/www-project-benchmark/
[ ] rawgit.com "RawGit has reached the end of its useful life", can we host it in other place?

I volunteer myself for any task needed, just let me know how could we push this forward

Thanks!

davewichers commented 3 years ago

A few things. 1) Can you figure out a way to host or display the Benchmark scorecard that is in git now at: https://pages.github.com/ ? 2) OWASP doesn't publish scorecards for commercial tools, so we won't publish your score, but we can add support for scorecard generation for your tool. And once that has been added, we'll add your tool to the list of supported SAST tools on the project wiki pages. 3) Can you submit a pull request to the github project for Benchmark with the scorecard generator for your tool?

p.s. I notice you have a link to: https://doc.fluidattacks.com/owasp-benchmark/transparency from this page: https://fluidattacks.com/blog/owasp-benchmark-fluid-attacks/. But that page doesn't appear to exist.

And this link is dead too: https://docs.fluidattacks.com/machine/scanner/reproducibility (No such key error?)

kamadorueda commented 3 years ago

sure, should be simple
can we publish it on the scorecard as non-commercial? the tool is open source anyway, we use it as part of a bundle that we sell to customers, but the tool itself is free and open source
got it

please try with these, we are moving some things around and experimenting a little bit:

https://docs.fluidattacks.com/machine/scanner/reproducibility
https://fluidattacks.com/blog/owasp-benchmark-fluid-attacks/ (we'll fix the broken link soon, thanks!)

davewichers commented 3 years ago

For 2) - where is the code repo for this free tool? Can you point me to it?

kamadorueda commented 3 years ago

- source code: https://gitlab.com/fluidattacks/product/-/tree/master/skims we are monorepo
- license: https://gitlab.com/fluidattacks/product/-/blob/master/LICENSE
- here are some docs: https://docs.fluidattacks.com/machine/scanner (experimental, links may change)