Minor tweaks to runCodeQL.sh and README.

davewichers · davewichers · commit 2665e65228fd · 2025-11-01T14:57:51.000-04:00
diff --git a/README.md b/README.md
@@ -1,6 +1,12 @@
-# OWASP Benchmark
-The OWASP Benchmark Project is a Java test suite designed to verify the speed and accuracy of vulnerability detection tools. It is a fully runnable open source web application that can be analyzed by any type of Application Security Testing (AST) tool, including SAST, DAST (like <a href="https://www.zaproxy.org/">ZAP</a>), and IAST tools. The intent is that all the vulnerabilities deliberately included in and scored by the Benchmark are actually exploitable so its a fair test for any kind of application vulnerability detection tool. The Benchmark also includes scorecard generators for numerous open source and commercial AST tools, and the set of supported tools is growing all the time.
+# OWASP Benchmark for Java
+The OWASP Benchmark Project is a Java test suite designed to verify the speed and accuracy of vulnerability detection tools. It is a fully runnable open source web application that can be analyzed by any type of Application Security Testing (AST) tool, including SAST, DAST (like <a href="https://www.zaproxy.org/">ZAP</a>), and IAST tools. The intent is that all the vulnerabilities deliberately included in and scored by the Benchmark are actually exploitable so it's a fair test for any kind of application vulnerability detection tool.
+
+The Benchmark project also includes scorecard generators for numerous open source and commercial AST tools, and the set of supported tools is growing all the time. This scoring capability is implemented in the BenchmarkUtils project, which is at: https://github.com/OWASP/BenchmarkUtils.
 
 The project documentation is all on the OWASP site at the <a href="https://owasp.org/www-project-benchmark">OWASP Benchmark</a> project pages. Please refer to that site for all the project details.
 
-The current latest release is v1.2. Note that all the releases that are available here: https://github.com/OWASP/Benchmark/releases are historical. The latest release is always available live by simply cloning or pulling the head of this repository (i.e., git pull).
+The current latest release is v1.2. Note that all the releases that are available here: https://github.com/OWASP/BenchmarkJava/releases, are historical. The latest release is always available live by simply cloning or pulling the head of this repository (i.e., git pull).
+
+Running Benchmark Itself:
+* runBenchmark.sh - run the Benchmark Web Application (accessible via local machine only)
+* runRemoteAccessibleBenchmark.sh - like the above but allows port 8443 to be accessible outside the machine Benchmark is running on.
diff --git a/scripts/runCodeQL.sh b/scripts/runCodeQL.sh
@@ -9,7 +9,7 @@
 ## For Rosetta 2, run: lsbom -f /Library/Apple/System/Library/Receipts/com.apple.pkg.RosettaUpdateAuto.bom - And if it returns a list of files, it's installed.
 
 # This then runs the CodeQL scan:
-## The following CodeQL query is a big complex. I had to raise an issue with the CodeQL team to figure out how to do this.
+## The following CodeQL query is a bit complex. I had to raise an issue with the CodeQL team to figure out how to do this.
 ## The issue raised and the answer that documents this query is here: https://github.com/github/codeql/issues/18518#issuecomment-2730684184
 benchmark_version=$(scripts/getBenchmarkVersion.sh)
 ../../tools/codeql-home/codeql/codeql database analyze owasp-benchmark codeql/java-queries:codeql-suites/java-security-extended.qls --format=sarifv2.1.0 --output=results/Benchmark_1.2-codeql_java-security-extended.sarif -j0 --download
