Change Contrast agent setup to use contrast.yaml config file per

vendor request.

Author: davewichers

.gitignore

@@ -1,6 +1,12 @@
 .DS_Store
 .java-version
+.classpath
+.project
+.settings/
 reports/
 target/
 testfiles/
+tools/Contrast/contrast.jar
+tools/Contrast/contrast.yaml
+tools/Contrast/working/
 

pom.xml

@@ -320,14 +320,7 @@
                                         -Xmx8G
                                         -javaagent:${basedir}/tools/Contrast/contrast.jar
                                         -Dcontrast.dir=${basedir}/tools/Contrast/working
-                                        -Dcontrast.agent.java.standalone_app_name=OWASPBenchmark
-                                        -Dcontrast.application.name=OWASPBenchmark
-                                        -Dcontrast.application.path=/
-                                        -Dcontrast.assess.rules.disabled_rules="autocomplete-missing,cache-controls-missing,clickjacking-control-missing,csrf"
-                                        -Dcontrast.assess.threshold.entries=100000
-                                        -Dcontrast.protect.enable=false
-                                        -Dcontrast.level=debug
-                                        -Dcontrast.log.daily=true
+                                        -Dcontrast.config.path=${basedir}/tools/Contrast/contrast.yaml
                                     </cargo.jvmargs>
                                     <cargo.servlet.port>8443</cargo.servlet.port>
                                     <cargo.protocol>https</cargo.protocol>

tools/Contrast/contrast.yaml

@@ -0,0 +1,27 @@
+# Contrast Security configuration file
+
+# Fill in your credentials from *your* Contrast TeamServer below:
+api:
+  url: https://___________/Contrast
+  api_key: ________________
+  service_key: ________________
+  user_name: _____________________ # The email address you login to TeamServer with
+
+# These settings are for OWASP Benchmark and shouldn't be changed
+java:
+  standalone_app_name: owasp-benchmark
+agent:
+  logger:
+    level: debug
+server:
+  name: owasp-server
+  environment: development
+assess:
+  enable: true
+  threshold:
+    entries: 100000
+  rules:
+    disabled_rules: autocomplete-missing,cache-controls-missing,clickjacking-control-missing,csrf
+protect:
+  enable: false
+

tools/Contrast/readme.txt

@@ -1,7 +1,15 @@
 DISCLAIMER: OWASP does not endorse any commercial tools, including this one. Benchmark support for this tool is simply for user convenience and should not be considered an endorsement of this tool.
 
-Contrast is a commercial tool. If you are interested in running Contrast on the Benchmark, you'll have to get a license for it from the vendor just like you would for any commercial tool. Once you have it, you need to place the contrast.jar file in this directory in order to run the Benchmark with Contrast using one of the runBenchmark_wContrast scripts, and then crawl the Benchmark to generate scan results with one of the runCrawler scripts.
+Contrast is a commercial product, so you need to provide your Contrast credentials in the contrast.yaml file in order to run it. You can use your enterprise Contrast account or sign up for the free Contrast Community Edition (CE) at https://www.contrastsecurity.com/contrast-community-edition.
+
+To run Benchmark with Contrast, you can use the runBenchmark_wContrast.sh script
+  1. This script will download the latest Contrast agent
+  2. It will start the Benchmark application server with the Contrast agent as configured by contrast.yaml
+  3. It will then pause, waiting for input from the web crawler (see next step)
+  4. In a separate shell, you need to run the runCrawler.sh script from the Benchmark root directory
+  5. When the crawler finishes (after about a minute) *you* hit CTRL+C in the runBenchmark_wContrast window to stop the server
+  6. The Contrast script will then copy the Contrast vulnerability results to the Benchmark /results directory
+  7. Run createScorecards.sh in the Benchmark root directory to create a detailed scorecard in /scorecard that includes these Contrast results
 
 See the Tool Scanning Tips page at OWASP (https://owasp.org/www-project-benchmark/#div-scanning_tips) for the latest instructions on how to scan the Benchmark with any vulnerability detection tool, including Contrast.
 
-Contrast has released Contrast Community Edition (CE), which is free, subject to the terms of its use. If you don't have a commercial license for Contrast, it is likely you can use Contrast CE on Benchmark. See: https://www.contrastsecurity.com/community-edition-lp for more information.

tools/Contrast/runBenchmark_wContrast.bat

@@ -1,27 +1,49 @@
 #!/bin/sh
 
-if [ -f ./contrast.jar ]; then
-
-  if [ -d ./working ]; then
-
-    rm -r ./working/cache
-    rm -r ./working/contrast.log
-    echo ""
-    echo "Previous Contrast results in tools/Contrast/working removed"
-    echo ""
-
-  fi
-
-  cd ../..
-  mvn clean package cargo:run -Pdeploywcontrast
+if grep -q "____" "contrast.yaml"; then
+  echo
+  echo "Contrast is a commercial product, so you need to provide your Contrast credentials in the contrast.yaml file in order to run it."
+  echo "You can use your enterprise Contrast account or sign up for the free Contrast Community Edition (CE) at \"https://www.contrastsecurity.com/contrast-community-edition\"."
+  echo "When logged in to the Contrast TeamServer, your credentials are available via \"User settings\" in the top right menu. See the Profile section 'YOUR KEYS'."
+  echo
+  echo "ERROR: ____ placeholders are still present in contrast.yaml file. Please provide your credentials as directed as they are required for you to proceed."
+  echo
+  exit 1
+fi
 
-  echo "Copying Contrast report to results directory"
-  cp tools/Contrast/working/contrast.log results/Benchmark_1.2-Contrast.log
-  cd tools/Contrast
+# Check if contrast.jar is there and is less than 24 hours old. If so, don't bother to download again
+if $(find contrast.jar -mmin +1440); then
+  echo "Using Contrast agent downloaded in past day"
+else
+  echo "Fetching the latest Contrast agent"
+  curl -o contrast.jar -L "https://repository.sonatype.org/service/local/artifact/maven/redirect?r=central-proxy&g=com.contrastsecurity&a=contrast-agent&v=LATEST"
+fi
 
-else 
+if [ -d ./working ]; then
 
-  echo "Contrast is a commercial product, so you need a licensed version of Contrast in order to run it on the Benchmark. If you have access to Contrast, download the Contrast Agent for Java (contrast.jar) from the Team Server and put it into the /tools/Contrast folder, and then rerun this script. If you don't have a license for Contrast, you can probably use the free Contrast Community Edition (CE) on Benchmark. See: https://www.contrastsecurity.com/community-edition-lp"
+  echo
+  echo "Removing previous Contrast results in ./working"
+  rm -rf ./working/*
 
 fi
 
+echo
+echo "Starting Benchmark application server with Contrast agent"
+echo "  1. Verify that the output shows \"Starting JVM\"."
+echo "  2. If the output contains \"Continuing without Contrast...\" the credentials in contrast.yaml are most likely incorrect or missing."
+echo "  3. Once the Benchmark server is fully started, open another terminal window and run the runCrawler.sh script from the Benchmark root directory."
+echo "  4. When the crawler finishes (takes a minute or two), hit CTRL+C in this window to stop the server and write the Contrast results to the /results folder."
+echo
+echo "========================================================================================================================"
+
+cd ../..
+mvn clean package cargo:run -Pdeploywcontrast
+
+echo
+echo "Copying Contrast report to results directory"
+cd tools/Contrast
+cp ./working/contrast.log ../../results/Benchmark_1.2-Contrast.log
+echo
+echo "  5. You can generate a scorecard by running createScorecards.sh in the Benchmark root directory."
+echo
+