
Reproducibility

Everything at Fluid Attacks is Open Source. This means that you can download, inspect, modify and enhance the source code that powers it all.

Going Open Source gives our customers the confidence that what we do is transparent and secure.

To reproduce the OWASP Benchmark results, you need to:

  1. Meet the requirements for installing Fluid Attacks' scanner.

  2. Install the scanner as explained in the Fluid Attacks' scanner installation guide.

  3. Clone the OWASP Benchmark 1.2.

    We are using a Fluid Attacks' fork, which adds support for parsing the scanner's results:

    git clone https://github.com/fluidattacks/Benchmark.git benchmark
    cd benchmark

    There is an open pull request against the official OWASP Benchmark repository to add that support upstream.

  4. Create a config file as follows (note that include is nested under path):

    config.yaml

    checks:
      - F004
      - F008
      - F021
      - F034
      - F042
      - F052
      - F063
      - F089
      - F107
      - F112
    namespace: OWASP
    output: results/Benchmark_1.2-Fluid-Attacks-v2021.csv
    path:
      include:
        - .
  5. Execute:

    skims scan config.yaml

    This will take some time, enough for drinking a coffee ☕.

    When it finishes, the results file will be at the output path set in config.yaml, results/Benchmark_1.2-Fluid-Attacks-v2021.csv: inside the results/ folder, named after Fluid Attacks, with a CSV extension. The scorecard generator in the next step reads the results files found in that folder.

  6. At this point you can generate a scorecard for the tool:

    mvn compile
    ./createScorecards.sh
  7. Open the results in your browser.

    Example:

    firefox scorecard/OWASP_Benchmark_Home.html

    Or:

    google-chrome-stable scorecard/OWASP_Benchmark_Home.html
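The scorecard generated in step 6 is built from per-test-case true/false positive counts: each Benchmark test case is either a real vulnerability or a safe look-alike, and a tool gets credit only when it reports the test case with the matching CWE. The following Python is an added example, not Fluid Attacks' code nor the Benchmark's own scorecard generator; it recomputes those figures from a constructed excerpt of expected results and a constructed set of findings, so you can cross-check the numbers in the HTML scorecard by hand. The expected-results column layout (test name, category, real vulnerability, CWE) and the reduction of findings to (test name, CWE) pairs are assumptions; the skims CSV layout itself is not reproduced here.

```python
"""Recompute OWASP Benchmark-style scores from expected results and tool findings.

Added example: not Fluid Attacks' code and not the Benchmark's scorecard generator.
Assumptions (not stated on the page):
  * expectedresults-1.2.csv has the columns: test name, category, real vulnerability, cwe
    (lines starting with '#' are comments/headers).
  * Tool findings are reduced to (test name, CWE) pairs. The real skims CSV layout is
    not reproduced; FINDINGS below is constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed excerpt in the assumed layout of expectedresults-1.2.csv.
EXPECTED_CSV = """\
# test name, category, real vulnerability, cwe, Benchmark version: 1.2
BenchmarkTest00001,pathtraver,true,22
BenchmarkTest00002,pathtraver,false,22
BenchmarkTest00003,sqli,true,89
BenchmarkTest00004,sqli,true,89
BenchmarkTest00005,sqli,false,89
BenchmarkTest00006,xss,false,79
"""

# Constructed findings: (test name, CWE) pairs the tool claims to have found.
FINDINGS = {
    ("BenchmarkTest00001", 22),  # real path traversal reported: true positive
    ("BenchmarkTest00002", 22),  # safe variant flagged anyway: false positive
    ("BenchmarkTest00003", 89),  # real SQL injection reported: true positive
    ("BenchmarkTest00004", 79),  # wrong CWE on a real SQLi: no credit, counts as a miss
}


@dataclass
class Tally:
    tp: int = 0
    fp: int = 0
    tn: int = 0
    fn: int = 0

    def tpr(self) -> float:
        """True positive rate: share of real vulnerabilities that were reported."""
        return self.tp / (self.tp + self.fn) if self.tp + self.fn else 0.0

    def fpr(self) -> float:
        """False positive rate: share of safe test cases that were (wrongly) reported."""
        return self.fp / (self.fp + self.tn) if self.fp + self.tn else 0.0

    def score(self) -> float:
        """Benchmark score as a percentage: TPR minus FPR (Youden's index)."""
        return 100.0 * (self.tpr() - self.fpr())


def load_expected(text: str):
    """Parse the expected-results excerpt into (name, category, is_real, cwe) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, category, real, cwe = [field.strip() for field in line.split(",")[:4]]
        rows.append((name, category, real.lower() == "true", int(cwe)))
    return rows


def score(expected_text: str, findings: set) -> dict:
    """Return a Tally per category plus an 'overall' Tally across all test cases."""
    tallies = defaultdict(Tally)
    for name, category, is_real, cwe in load_expected(expected_text):
        reported = (name, cwe) in findings  # only the matching CWE earns credit
        for tally in (tallies[category], tallies["overall"]):
            if is_real and reported:
                tally.tp += 1
            elif is_real:
                tally.fn += 1
            elif reported:
                tally.fp += 1
            else:
                tally.tn += 1
    return dict(tallies)


if __name__ == "__main__":
    for category, tally in score(EXPECTED_CSV, FINDINGS).items():
        print(f"{category:<12} TPR={tally.tpr():.2f} FPR={tally.fpr():.2f} "
              f"score={tally.score():.1f}")
```

To apply this to a real run, replace EXPECTED_CSV with the contents of the Benchmark's expected-results file and build FINDINGS from the scanner's output once you have mapped each check to its CWE; the per-category tallies should then agree with the counts behind the generated scorecard.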