From 428a0f582269dd5d64bcb56b4b2036755ded20a2 Mon Sep 17 00:00:00 2001
From: Asok Shanmugam
Date: Wed, 22 Apr 2026 08:36:23 -0700
Subject: [PATCH 1/2] Add runCognium.sh script for OWASP Benchmark scoring

Adds a script to scan BenchmarkJava with Cognium and produce a SARIF result file compatible with the BenchmarkUtils Cognium reader.

Install: npm install -g cognium

Co-Authored-By: Claude Sonnet 4.6
---
 scripts/runCognium.sh | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
 create mode 100755 scripts/runCognium.sh

diff --git a/scripts/runCognium.sh b/scripts/runCognium.sh
new file mode 100755
index 0000000000..49939b2878
--- /dev/null
+++ b/scripts/runCognium.sh
@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+
+# Install: npm install -g cognium
+# Check for install/updates at https://github.com/cogniumhq/cognium
+
+source scripts/requireCommand.sh
+
+requireCommand cognium
+
+benchmark_version=$(scripts/getBenchmarkVersion.sh)
+cognium_version=$(cognium --version | grep -oE '[0-9]+\.[0-9]+\.[0-9]+')
+result_file="results/Benchmark_$benchmark_version-cognium-v$cognium_version.sarif"
+
+cognium scan src/main/java --format sarif --category security --output "$result_file"

From 48f32a2f0fdb13166249307ddf9151403be25422 Mon Sep 17 00:00:00 2001
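Review bot: The script sets no `set -euo pipefail`, so a failing `cognium --version` or a `grep` that matches nothing leaves `cognium_version` empty and the scan still runs, writing to a malformed name such as `results/Benchmark_1.2-cognium-v.sarif`; `benchmark_version` has the same exposure. Adding `set -euo pipefail` after the shebang and guarding both values before `result_file` is built, `: "${benchmark_version:?could not determine Benchmark version}"` and `: "${cognium_version:?could not parse cognium --version output}"`, turns that into an immediate, diagnosable failure. `grep -oE` can also emit more than one match if the version banner contains several dotted numbers, so `| head -n1` after it keeps the variable single-line. The `npm install -g cognium` in the header comment is unpinned, which means two runs can produce SARIF from different scanner versions; recording the version the BenchmarkUtils reader was validated against would help reproducibility.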
From: Asok Shanmugam
Date: Sun, 26 Apr 2026 17:29:16 -0700
Subject: [PATCH 2/2] fix(runCognium): strip Maven download noise from benchmark_version
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

getBenchmarkVersion.sh runs mvn and pipes through grep -v '[INFO]', but Maven's transfer progress lines ("Downloading from central: ...", "Downloaded from central: ...") have no [INFO] prefix so they bypass the filter.

On a cold Maven cache these lines get captured into benchmark_version, producing an invalid filename like:

results/Benchmark_Downloading from central: https://...1.2-cognium-v1.6.9.sarif

The fix adds 2>/dev/null to silence stderr and pipes through grep -E '^[0-9]+\.[0-9]' to accept only lines that start with digits — the actual version string (e.g. 1.2). All Maven noise is discarded.

The second run worked because the local Maven cache was warm so no download lines were emitted.

Co-Authored-By: Claude Sonnet 4.6
---
 scripts/runCognium.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scripts/runCognium.sh b/scripts/runCognium.sh
index 49939b2878..198fc420af 100755
--- a/scripts/runCognium.sh
+++ b/scripts/runCognium.sh
@@ -7,7 +7,7 @@ source scripts/requireCommand.sh
 
 requireCommand cognium
 
-benchmark_version=$(scripts/getBenchmarkVersion.sh)
+benchmark_version=$(scripts/getBenchmarkVersion.sh 2>/dev/null | grep -E '^[0-9]+\.[0-9]')
 cognium_version=$(cognium --version | grep -oE '[0-9]+\.[0-9]+\.[0-9]+')
 result_file="results/Benchmark_$benchmark_version-cognium-v$cognium_version.sarif"
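Review bot: The new pipeline still yields an empty `benchmark_version` when `getBenchmarkVersion.sh` fails or prints no digit-led line (mvn missing, offline, or a build error), and the added `2>/dev/null` now hides the one message that would explain why; the script then proceeds to write `results/Benchmark_-cognium-v….sarif`. A guard immediately after the assignment, `: "${benchmark_version:?could not determine Benchmark version from scripts/getBenchmarkVersion.sh}"`, fails fast with a usable diagnostic. The filter also accepts every digit-led line, so a second such line from Maven would make the variable multi-line; `grep -m1 -E '^[0-9]+\.[0-9]'` keeps only the first match. The `[INFO]` filter that lets the transfer lines through lives in `getBenchmarkVersion.sh`, outside this hunk; if other scripts in `scripts/` call it they presumably hit the same cold-cache failure, so the fix may belong in the helper (for example running mvn with `-q`) rather than in each caller.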