OWASP Benchmark Scorecard for SiteShadow v1.0.0 (SAST)
+ +OWASP Benchmark is a test suite designed to evaluate the speed, coverage, and accuracy of automated vulnerability detection tools. Without the ability to measure these tools, it is difficult to understand their strengths and weaknesses, and compare them to each other. OWASP Benchmark contains thousands of test cases that are fully runnable and exploitable. The following is the scorecard for the tool SiteShadow against version 1.2 of OWASP Benchmark. It shows how well this tool finds true positives and avoids false positives in the OWASP Benchmark test cases.
++ For more information, please visit the OWASP Benchmark Project Site. +
+
+ + Legend: Each line of the scorecard in the upper right has a category, followed by this tool's overall score in that category. After each % is this tool's TPR - FPR used to calculate this score. See the table below for more precise scoring details. +
+Statistics
+| Tool elapsed analysis time | +0:39:14 | +
|---|---|
| Tool overall score (0-100) | +100.00% | +
| Total test cases | +2740 | +
| Download raw results | +Actual Results | +
Detailed Results
+| Category | CWE # | TP | FN | TN | FP | Total | TPR | FPR | Score |
|---|---|---|---|---|---|---|---|---|---|
| Command Injection | 78 | 126 | 0 | 125 | 0 | 251 | 100.00% | 0.00% | 100.00% |
| Insecure Cookie | 614 | 36 | 0 | 31 | 0 | 67 | 100.00% | 0.00% | 100.00% |
| LDAP Injection | 90 | 27 | 0 | 32 | 0 | 59 | 100.00% | 0.00% | 100.00% |
| Path Traversal | 22 | 133 | 0 | 135 | 0 | 268 | 100.00% | 0.00% | 100.00% |
| SQL Injection | 89 | 272 | 0 | 232 | 0 | 504 | 100.00% | 0.00% | 100.00% |
| Trust Boundary | 501 | 83 | 0 | 43 | 0 | 126 | 100.00% | 0.00% | 100.00% |
| Weak Encryption Algorithm | 327 | 130 | 0 | 116 | 0 | 246 | 100.00% | 0.00% | 100.00% |
| Weak Hashing Algorithm | 328 | 129 | 0 | 107 | 0 | 236 | 100.00% | 0.00% | 100.00% |
| Weak Randomness | 330 | 218 | 0 | 275 | 0 | 493 | 100.00% | 0.00% | 100.00% |
| XPath Injection | 643 | 15 | 0 | 20 | 0 | 35 | 100.00% | 0.00% | 100.00% |
| XSS (Cross-Site Scripting) | 79 | 246 | 0 | 209 | 0 | 455 | 100.00% | 0.00% | 100.00% |
| Totals | 1415 | 0 | 1325 | 0 | 2740 | ||||
| Overall Results* | 100.00% | 0.00% | 100.00% |
*-The Overall Results are averages across all the vulnerability categories. You can't compute these averages by simply calculating the TPR and FPR rates using the values in the Totals row. If you did that, categories with larger number of tests would carry more weight than categories with less tests. The proper calculation of the Overall Results is to add up the values of each of these per row, then divide by the number of rows, which is how they are calculated.
+ + + +Key
+| Common Weakness Enumeration (CWE) | +The primary MITRE CWE number for this vulnerability category. | +
|---|---|
| True Positive (TP) | +Tests with real vulnerabilities that were correctly reported as vulnerable by the tool. | +
| False Negative (FN) | +Tests with real vulnerabilities that were not correctly reported as vulnerable by the tool. | +
| True Negative (TN) | +Tests with fake vulnerabilities that were correctly not reported as vulnerable by the tool. | +
| False Positive (FP) | +Tests with fake vulnerabilities that were incorrectly reported as vulnerable by the tool. | +
| True Positive Rate (TPR) = TP / ( TP + FN ) | +The rate at which the tool correctly reports real vulnerabilities. Also referred to as Recall, as defined at Wikipedia. + | +
| False Positive Rate (FPR) = FP / ( FP + TN ) | +The rate at which the tool incorrectly reports fake vulnerabilities as real. | +
| Score = TPR - FPR | +How good the tool is at finding true positives and avoiding false positives. | +