Minor tweaks to runContrast scripts and add placeholder file so a directory gets created on git pull.

Author: davewichers

runBenchmark_wContrast.bat

@@ -1,9 +1,9 @@
 @ECHO OFF
 IF EXIST tools\Contrast\contrast.jar (
-  IF EXIST tools\Contrast\findings (
-        DEL \F \Q tools\Contrast\findings
+  IF EXIST tools\Contrast\working (
+        DEL \F \Q tools\Contrast\contrast.log
 
-        RMDIR \S tools\Contrast\working
+        RMDIR \S tools\Contrast\cache
 
         ECHO ""
 
@@ -18,5 +18,5 @@ IF EXIST tools\Contrast\contrast.jar (
     COPY tools\Contrast\working\contrast.log results\Benchmark_1.2beta-Contrast.log
 
 ) ELSE (
-    ECHO Given that Contrast is a commercial product, you have to have a licensed version of Contrast in order to run it on the Benchmark. If you have access to Contrast, download the Java 1.5 version of contrast.jar from the Team Server and put it into the /tools/Contrast folder, and then rerun this script.
-)
+    ECHO Contrast is a commercial product, so you need a licensed version of Contrast in order to run it on the Benchmark. If you have access to Contrast, download the Contrast Agent for Java (contrast.jar) from the Team Server and put it into the /tools/Contrast folder, and then rerun this script.
+)

runBenchmark_wContrast.sh

@@ -2,24 +2,24 @@
 
 if [ -f tools/Contrast/contrast.jar ]; then
 
-  if [ -d tools/Contrast/findings ]; then
+  if [ -d tools/Contrast/working ]; then
 
-    rm -r tools/Contrast/findings
-    rm -r tools/Contrast/working
+    rm -r tools/Contrast/working/cache
+    rm -r tools/Contrast/working/contrast.log
     echo ""
     echo "Previous Contrast results in tools/Contrast/findings removed"
     echo ""
 
   fi
 
-  chmod 755 src/main/resources/insecureCmd.sh
+  chmod 755 target/classes/insecureCmd.sh
   mvn clean package cargo:run -Pdeploywcontrast
 
   echo "Copying Contrast report to results directory"
   cp tools/Contrast/working/contrast.log results/Benchmark_1.2beta-Contrast.log
 
 else 
 
-  echo "Given that Contrast is a commercial product, you have to have a licensed version of Contrast in order to run it on the Benchmark. If you have access to Contrast, download the Java 1.5 version of contrast.jar from the Team Server and put it into the /tools/Contrast folder, and then rerun this script."
+  echo "Given that Contrast is a commercial product, you have to have a licensed version of Contrast in order to run it on the Benchmark. If you have access to Contrast, download the Contrast Agent (contrast.jar) from the Team Server and put it into the /tools/Contrast folder, and then rerun this script."
 
 fi

tools/Contrast/readme.txt

@@ -0,0 +1,3 @@
+Contrast is a commercial tool. If you are interested in running Contrast on the Benchmark, you'll have to get a license for it from the vendor just like you would for any commercial tool. Once you have it, you need to place the contrast.jar file in this directory in order to run the Benchmark with Contrast using one of the runBenchmark_wContrast scripts, and then crawl the Benchmark to generate scan results with one of the runCrawler scripts.
+
+See the Tool Scanning Tips page at OWASP (https://www.owasp.org/index.php/Benchmark#tab=Tool_Scanning_Tips) for the latest instructions on how to scan the Benchmark with any vulnerability detection tool, including Contrast.