In order to verify the OWASP benchmark results we'll need to:
Install the scanner as explained in the Fluid Attacks' scanner installation guide.
Clone the OWASP Benchmark 1.2.
We are using a Fluid Attacks' fork in order to add support for parsing the scanner results:

    git clone https://github.com/fluidattacks/Benchmark.git benchmark
    cd benchmark
There is an open pull request at the official OWASP Benchmark repository to add this support natively.
Create a config file as follows:

config.yaml

    checks:
    - F004
    - F008
    - F021
    - F034
    - F042
    - F052
    - F063
    - F089
    - F107
    - F112
    namespace: OWASP
    output: results/Benchmark_1.2-Fluid-Attacks-v2021.csv
    path:
      include:
      - .
Execute:

    skims scan config.yaml
This will take some time, enough for drinking a coffee ☕.
When this ends, the results file will be located in the results/ folder, named after Fluid Attacks and with a .csv extension (results/Benchmark_1.2-Fluid-Attacks-v2021.csv).
At this point you can generate a scorecard for the tool:

    mvn compile
    ./createScorecards.sh
Open the results in your browser.
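The scorecard generated in the last step compares the tool's findings against the Benchmark's expected-results file and scores each vulnerability category as true-positive rate minus false-positive rate. The following Python, added here and not part of Fluid Attacks' documentation or the Benchmark repository, reproduces that computation on a constructed sample; it assumes the row layout of expectedresults-1.2.csv (test name, category, real vulnerability, CWE) and uses a hypothetical set of findings.

```python
"""Compute OWASP Benchmark-style scorecard metrics (TPR, FPR, score)."""
import csv
import io
from collections import defaultdict

# Constructed sample in the layout of the Benchmark's expectedresults-1.2.csv
# (test name, category, real vulnerability, CWE). Assumption: the header line
# starts with '#', as in the upstream file.
EXPECTED_CSV = """# test name, category, real vulnerability, cwe, Benchmark version: 1.2
BenchmarkTest00001,pathtraver,true,22
BenchmarkTest00002,pathtraver,false,22
BenchmarkTest00003,pathtraver,true,22
BenchmarkTest00004,sqli,true,89
BenchmarkTest00005,sqli,false,89
BenchmarkTest00006,sqli,false,89
"""

# Constructed (hypothetical) tool findings: (test name, reported CWE).
FINDINGS = {("BenchmarkTest00001", 22), ("BenchmarkTest00002", 22),
            ("BenchmarkTest00004", 89)}


def load_expected(text):
    """Return {test_name: (category, is_real, cwe)} from expected-results CSV."""
    expected = {}
    for row in csv.reader(io.StringIO(text)):
        if not row or row[0].startswith("#"):
            continue
        name, category, real, cwe = (c.strip() for c in row[:4])
        expected[name] = (category, real.lower() == "true", int(cwe))
    return expected


def scorecard(expected, findings):
    """Per-category TP/FP/TN/FN plus TPR, FPR and score = TPR - FPR.

    A finding counts only if it reports the CWE the test case is about;
    a hit on a test case marked 'false' is a false positive.
    """
    counts = defaultdict(lambda: {"tp": 0, "fp": 0, "tn": 0, "fn": 0})
    for name, (category, is_real, cwe) in expected.items():
        flagged = (name, cwe) in findings
        key = ("tp" if flagged else "fn") if is_real else ("fp" if flagged else "tn")
        counts[category][key] += 1
    result = {}
    for category, c in counts.items():
        tpr = c["tp"] / (c["tp"] + c["fn"]) if c["tp"] + c["fn"] else 0.0
        fpr = c["fp"] / (c["fp"] + c["tn"]) if c["fp"] + c["tn"] else 0.0
        result[category] = {**c, "tpr": tpr, "fpr": fpr, "score": tpr - fpr}
    return result
```

A category score near 1.0 means the tool found the real cases without flagging the decoys; a score of 0 is what random guessing would produce.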