It found things for confusing, brain-overload and suspicious but no owasp.
Is it expected? Or did I have a configuration error? I was under the impression that I should get some owasp for an OWASP intentionally vulnerable web app.
@ganncamp do you happen to know where the blog got the Ground Truth & Results table from? I’m trying to look for a list of vulnerabilities and their locations in the Juice Shop app but wasn’t able to find one.
Thanks, that would be really great. There is a table under the Challenges tab but that’s as far as I could go. I didn’t find their location in the source code.
As far as I can remember, we built the initial ground truth manually based on the Challenge Solutions, and on top of that we added one or two vulnerabilities that were detected by SonarCloud and that were not expected by any challenge but that our AppSec guys confirmed as a TP.
@Alexandre_Gigleux thanks for the response. It is very cool that you guys built the chart yourselves. I noticed that in the blog post you put a lot more emphasis on injection vulnerabilities than on other ones. Why did you only reference the stats of injection vulnerabilities for evaluating the tool?
We focused on the injection vulnerabilities because that’s one of the most complex types of vuln. to detect with static analysis and that is part of the value we provide to our customers on SonarCloud or with SonarQube Developer Edition.
Running against the “OpenSSF CVE Benchmark”?
To be honest it is currently in pause mode as we are focusing on other priorities AND because the OpenSSF CVE project is no longer moving from what I can see. I was expecting it to be extended to more CVEs and more languages, but it looks like no one is actively working on it anymore.
Thanks for your answer. It’s unfortunate that the project is not moving forward. Looking forward to more benchmark projects being tested on Sonar products.