
OWASP Benchmark Scorecard for SAST-02

The OWASP Benchmark is a test suite designed to evaluate the speed, coverage, and accuracy of automated vulnerability detection tools. Without the ability to measure these tools, it is difficult to understand their strengths and weaknesses, and compare them to each other. The Benchmark contains thousands of test cases that are fully runnable and exploitable. The following is the scorecard for the tool SAST-02 against version 1.1 of the Benchmark. It shows how well this tool finds true positives and avoids false positives in the Benchmark test cases.

For more information, please visit the OWASP Benchmark Project Site.

Statistics

Tool elapsed analysis time: 5 Days 15:23:38
Tool overall score (0-100): 30.60%
Total test cases: 21041

Detailed Results

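| Category | CWE # | TP | FN | TN | FP | Total | TPR | FPR | Score |
|---|---|---|---|---|---|---|---|---|---|
| Command Injection | 78 | 1215 | 587 | 524 | 382 | 2708 | 67.43% | 42.16% | 25.26% |
| Cross-Site Scripting | 79 | 1038 | 502 | 1108 | 801 | 3449 | 67.40% | 41.96% | 25.44% |
| Insecure Cookie | 614 | 201 | 0 | 215 | 0 | 416 | 100.00% | 0.00% | 100.00% |
| LDAP Injection | 90 | 0 | 521 | 215 | 0 | 736 | 0.00% | 0.00% | 0.00% |
| Path Traversal | 22 | 1161 | 545 | 532 | 392 | 2630 | 68.05% | 42.42% | 25.63% |
| SQL Injection | 89 | 2160 | 137 | 471 | 761 | 3529 | 94.04% | 61.77% | 32.27% |
| Trust Boundary Violation | 501 | 234 | 271 | 152 | 68 | 725 | 46.34% | 30.91% | 15.43% |
| Weak Encryption Algorithm | 327 | 534 | 186 | 343 | 377 | 1440 | 74.17% | 52.36% | 21.81% |
| Weak Hash Algorithm | 328 | 0 | 714 | 707 | 0 | 1421 | 0.00% | 0.00% | 0.00% |
| Weak Random Number | 330 | 1612 | 0 | 1840 | 188 | 3640 | 100.00% | 9.27% | 90.73% |
| XPath Injection | 643 | 0 | 217 | 130 | 0 | 347 | 0.00% | 0.00% | 0.00% |
| Totals* | | 8155 | 3680 | 6237 | 2969 | 21041 | | | |
| Overall Results* | | | | | | | 56.13% | 25.53% | 30.60% |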

* The Overall Results are averages across all the vulnerability categories. They cannot be derived by computing the TPR and FPR from the values in the Totals row: doing so would give categories with more tests greater weight than categories with fewer tests. Instead, the TPR, FPR, and Score values of all categories are each summed and then divided by the number of vulnerability categories.
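The difference between the two ways of averaging can be checked with a short script. The following is a minimal Python sketch, not part of the Benchmark tooling: the `counts` dictionary and the `rates` helper are names introduced here for illustration, and the counts are copied from the Detailed Results table.

```python
# (TP, FN, TN, FP) per category, copied from the Detailed Results table.
counts = {
    "Command Injection": (1215, 587, 524, 382),
    "Cross-Site Scripting": (1038, 502, 1108, 801),
    "Insecure Cookie": (201, 0, 215, 0),
    "LDAP Injection": (0, 521, 215, 0),
    "Path Traversal": (1161, 545, 532, 392),
    "SQL Injection": (2160, 137, 471, 761),
    "Trust Boundary Violation": (234, 271, 152, 68),
    "Weak Encryption Algorithm": (534, 186, 343, 377),
    "Weak Hash Algorithm": (0, 714, 707, 0),
    "Weak Random Number": (1612, 0, 1840, 188),
    "XPath Injection": (0, 217, 130, 0),
}


def rates(tp, fn, tn, fp):
    """Return (TPR, FPR) as fractions for one set of counts."""
    return tp / (tp + fn), fp / (fp + tn)


# Overall Results: average the per-category rates (every category weighs the same).
per_category = [rates(*c) for c in counts.values()]
macro_tpr = sum(t for t, _ in per_category) / len(per_category)
macro_fpr = sum(f for _, f in per_category) / len(per_category)

# Rates computed from the Totals row (large categories dominate).
totals = [sum(column) for column in zip(*counts.values())]
pooled_tpr, pooled_fpr = rates(*totals)

print(f"Per-category average: TPR {macro_tpr:.2%}, FPR {macro_fpr:.2%}, "
      f"Score {macro_tpr - macro_fpr:.2%}")
print(f"From Totals row:      TPR {pooled_tpr:.2%}, FPR {pooled_fpr:.2%}")
```

The per-category average reproduces the Overall Results row (56.13%, 25.53%, 30.60%), while the rates computed from the Totals row come out noticeably higher (roughly 68.9% TPR and 32.3% FPR), because large categories such as SQL Injection and Weak Random Number dominate the pooled counts.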

Key

Common Weakness Enumeration (CWE): The primary MITRE CWE number for this vulnerability category.
True Positive (TP): Tests with real vulnerabilities that were correctly reported as vulnerable by the tool.
False Negative (FN): Tests with real vulnerabilities that were not correctly reported as vulnerable by the tool.
True Negative (TN): Tests with fake vulnerabilities that were correctly not reported as vulnerable by the tool.
False Positive (FP): Tests with fake vulnerabilities that were incorrectly reported as vulnerable by the tool.
True Positive Rate (TPR) = TP / ( TP + FN ): The rate at which the tool correctly reports real vulnerabilities. Also referred to as Recall, as defined at Wikipedia.
False Positive Rate (FPR) = FP / ( FP + TN ): The rate at which the tool incorrectly reports fake vulnerabilities as real.
Score = TPR - FPR: Normalized distance from the random guess line.
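
As a worked example of the formulas in the Key, the following Python sketch computes TPR, FPR, and Score for a single category. The function name `score_category` is hypothetical, and returning 0.0 when a denominator is zero is an assumption made here, not documented Benchmark behavior.

```python
def score_category(tp, fn, tn, fp):
    """Return (TPR, FPR, Score) as fractions; Score can be negative."""
    # Assumption: a rate with an empty denominator is reported as 0.0.
    tpr = tp / (tp + fn) if (tp + fn) else 0.0
    fpr = fp / (fp + tn) if (fp + tn) else 0.0
    return tpr, fpr, tpr - fpr


# Counts for the Command Injection row of the Detailed Results table.
tpr, fpr, score = score_category(tp=1215, fn=587, tn=524, fp=382)
print(f"TPR {tpr:.2%}  FPR {fpr:.2%}  Score {score:.2%}")
# prints: TPR 67.43%  FPR 42.16%  Score 25.26%
```

A tool that flags every test case gets TPR = FPR = 100% and a Score of 0, the same as a tool that flags nothing, which is why the Score measures distance from random guessing rather than raw detection rate.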