Running a Basic Analysis with Sample Data
The following outline gives an overview of how to run an analysis with Software Risk Manager:
- Make sure SRM has been installed and configured.
- Launch the app and log in.
- Create a project.
- Configure the parameters for a new analysis.
- Upload the source files.
- Manually start a New Analysis for the project. SRM will begin analyzing the code; the analysis runs in the background until it completes.
- Inspect the findings from the project Findings page or the Dashboard.
Sample Data Sets
If you would like to use sample code for testing purposes, the following datasets are intentionally vulnerable applications built for educational and training purposes. Each is listed under its primary language, although some of them are multi-language.
- Java - WebGoat
We recommend you use one of the WebGoat released war files directly as the input for Software Risk Manager since those tend to package everything, including the source, bytecode, and third-party dependencies. For instance, try this release.
- .NET - WebGoat.NET
Since the Software Risk Manager .NET scanners require compiled assemblies, you will need to download the WebGoat.NET source and build it on your machine. Instructions for how to do so are at the link above.
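The WebGoat advice above rests on the release war bundling source, bytecode, and third-party jars in one archive. The following added script (not part of the SRM documentation or the WebGoat project) inventories a war before upload so you can confirm all three are present; the archive it builds is a constructed stand-in, not a real WebGoat release.

```python
import io
import zipfile
from collections import Counter


def summarize_war(src):
    """Categorize WAR entries into Java source, compiled bytecode, and
    bundled dependency jars. `src` is a path or the archive's raw bytes."""
    if isinstance(src, (bytes, bytearray)):
        src = io.BytesIO(src)
    counts = Counter()
    jars = []
    with zipfile.ZipFile(src) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            if name.endswith(".java"):
                counts["source"] += 1
            elif name.endswith(".class"):
                counts["bytecode"] += 1
            elif name.startswith("WEB-INF/lib/") and name.endswith(".jar"):
                counts["dependency_jars"] += 1
                jars.append(name.rsplit("/", 1)[-1])
            else:
                counts["other"] += 1
    return {"counts": dict(counts), "jars": sorted(jars)}


def is_complete_input(summary):
    """True only when source, bytecode and dependencies are all present,
    which is what makes a single war a useful SRM input."""
    c = summary["counts"]
    return all(c.get(k, 0) > 0 for k in ("source", "bytecode", "dependency_jars"))


def build_sample_war(include_source=True):
    """Constructed miniature war for demonstration; file names are made up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("WEB-INF/web.xml", "<web-app/>")
        zf.writestr("WEB-INF/classes/org/example/Lesson.class", b"\xca\xfe\xba\xbe")
        if include_source:
            zf.writestr("WEB-INF/classes/org/example/Lesson.java", "class Lesson {}")
        zf.writestr("WEB-INF/lib/commons-lang-3.0.jar", b"PK")
        zf.writestr("WEB-INF/lib/example-util-1.2.jar", b"PK")
    return buf.getvalue()


if __name__ == "__main__":
    report = summarize_war(build_sample_war())
    print(report, "complete input:", is_complete_input(report))
```

Point `summarize_war` at a downloaded war path to check a real release; a bytecode-only build without sources reports incomplete, which is the situation the text warns about for the .NET dataset.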
For the following datasets, you can configure your new project's Git Config to fetch the source directly from GitHub using their git URL.
For other datasets, we recommend that you browse GitHub for different projects and scan some of them for testing purposes. Here are some queries to get you started: