
OWASP Benchmark Scorecard for FBwFindSecBugs v1.4.0

The OWASP Benchmark is a test suite designed to evaluate the speed, coverage, and accuracy of automated vulnerability detection tools. Without the ability to measure these tools, it is difficult to understand their value or interpret vendor claims. The Benchmark contains over 20,000 test cases that are fully runnable and exploitable. The following is the scorecard for the tool FBwFindSecBugs against version 1.1 of the Benchmark. It shows how well this tool finds true positives and avoids false positives in the Benchmark test cases.

For more information, please visit the OWASP Benchmark Project Site.

Statistics

Tool elapsed analysis time: 0:05:43
Tool overall score (0-100): 13.78%
Total test cases: 21041

Detailed Results

Category                     TP    FN    TN    FP   Total     TPR     FPR    Score
Command Injection          1306   496   239   667    2708  72.48%  73.62%   -1.15%
Cross-Site Scripting         25  1515  1907     2    3449   1.62%   0.10%    1.52%
Insecure Cookie              18   183   190    25     416   8.96%  11.63%   -2.67%
LDAP Injection              136   385   161    54     736  26.10%  25.12%    0.99%
Path Traversal             1366   340   200   724    2630  80.07%  78.35%    1.72%
SQL Injection              1953   344   183  1049    3529  85.02%  85.15%   -0.12%
Trust Boundary Violation      0   505   220     0     725   0.00%   0.00%    0.00%
Weak Encryption Algorithm   534   186   346   374    1440  74.17%  51.94%   22.22%
Weak Hash Algorithm         163   551   707     0    1421  22.83%   0.00%   22.83%
Weak Random Number         1612     0  2028     0    3640 100.00%   0.00%  100.00%
XPath Injection             112   105    71    59     347  51.61%  45.38%    6.23%
Totals                     7225  4610  6252  2954   21041  47.53%  33.75%   13.78%

Note: in the Totals row the TPR, FPR and Score are the unweighted averages of the eleven per-category rates, not rates recomputed from the summed counts (7225 / (7225 + 4610) would give a pooled TPR of about 61%). The overall score therefore weights every category equally, regardless of how many test cases it contains.

Key

True Positive (TP): tests with real vulnerabilities that were correctly reported as vulnerable by the tool
False Negative (FN): tests with real vulnerabilities that were not reported as vulnerable by the tool
True Negative (TN): tests with fake vulnerabilities that were correctly not reported as vulnerable by the tool
False Positive (FP): tests with fake vulnerabilities that were incorrectly reported as vulnerable by the tool
True Positive Rate (TPR) = TP / (TP + FN): the rate at which the tool correctly reports real vulnerabilities
False Positive Rate (FPR) = FP / (FP + TN): the rate at which the tool incorrectly reports fake vulnerabilities as real
Score = TPR - FPR: normalized distance from the random-guess line
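As an added example (not part of this scorecard or of the OWASP Benchmark scoring tool), the following Python recomputes TPR, FPR and Score from the raw counts in the Detailed Results table and contrasts the scorecard's Totals row (an unweighted mean of category rates) with the pooled rates over the summed counts; the Row type and function names are this example's own.

```python
# Added example: recompute OWASP Benchmark scorecard metrics from the raw counts.
from dataclasses import dataclass


@dataclass(frozen=True)
class Row:
    category: str
    tp: int  # real vulnerabilities reported
    fn: int  # real vulnerabilities missed
    tn: int  # fake vulnerabilities correctly not reported
    fp: int  # fake vulnerabilities wrongly reported


# Counts copied from the Detailed Results table for FBwFindSecBugs v1.4.0.
ROWS = [
    Row("Command Injection", 1306, 496, 239, 667),
    Row("Cross-Site Scripting", 25, 1515, 1907, 2),
    Row("Insecure Cookie", 18, 183, 190, 25),
    Row("LDAP Injection", 136, 385, 161, 54),
    Row("Path Traversal", 1366, 340, 200, 724),
    Row("SQL Injection", 1953, 344, 183, 1049),
    Row("Trust Boundary Violation", 0, 505, 220, 0),
    Row("Weak Encryption Algorithm", 534, 186, 346, 374),
    Row("Weak Hash Algorithm", 163, 551, 707, 0),
    Row("Weak Random Number", 1612, 0, 2028, 0),
    Row("XPath Injection", 112, 105, 71, 59),
]


def rates(r: Row) -> tuple[float, float, float]:
    """Return (TPR, FPR, Score) in percent, exactly as defined in the Key."""
    tpr = 100.0 * r.tp / (r.tp + r.fn) if r.tp + r.fn else 0.0
    fpr = 100.0 * r.fp / (r.fp + r.tn) if r.fp + r.tn else 0.0
    return tpr, fpr, tpr - fpr


def averaged_totals(rows: list[Row]) -> tuple[float, float, float]:
    """Totals row as the scorecard computes it: unweighted mean of category rates."""
    tprs, fprs, scores = zip(*(rates(r) for r in rows))
    n = len(rows)
    return sum(tprs) / n, sum(fprs) / n, sum(scores) / n


def pooled_totals(rows: list[Row]) -> tuple[float, float, float]:
    """Alternative: rates over the summed counts, where large categories dominate."""
    pooled = Row("All", sum(r.tp for r in rows), sum(r.fn for r in rows),
                 sum(r.tn for r in rows), sum(r.fp for r in rows))
    return rates(pooled)


if __name__ == "__main__":
    for r in ROWS:
        tpr, fpr, score = rates(r)
        print(f"{r.category:<28}{tpr:7.2f}% {fpr:7.2f}% {score:8.2f}%")
    print("averaged totals:", averaged_totals(ROWS))
    print("pooled totals:  ", pooled_totals(ROWS))
```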