This relates to Issue #1843: Allow users to specify a list of alerts to ignore.
My proposal is to introduce "Context Alert Rules", which will allow the user to override the risk level of any alerts raised within a specified context.
There will be a new Context page ("Alert rules"?) which will show a table of all of the alert rules, with the usual Add, Modify and Delete buttons.
Add and Modify will show an Alert Rule dialog, something like:
+-------------------------------------------------------+
| Add Alert Rule                                        |
+-------------------------------------------------------+
| Alert:      [ Cross Site Scripting (Reflected)     v] |
| URL Regex:  [ http://www.example.com/xssfp          ] |
| Parameter:  [ abc                                   ] |
| New Risk:   [ False Positive                       v] |
+-------------------------------------------------------+
|                               [ Cancel ]  [ Add ]     |
+-------------------------------------------------------+
Where the Alert is a pull-down of all of the valid alerts, and New Risk is one of: High, Medium, Low, Info, False Positive.
Parameter will be optional, but if supplied must match exactly.
If an alert is raised during active/passive scanning for a URL in a Context and matches one of those rules then the Risk will be changed accordingly.
There will also be a right-click option in the Alerts tab if the URL is in a Context, e.g. "Create Alert Rule for Context: aaa".
The idea is that this allows you to automatically flag false positives.
It will also allow you to 'ignore' known problems by setting the Risk to Info.
As a side effect it will also allow you to raise or lower the risk level if you want.
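To make the matching described above concrete, here is an added example (not ZAP code, and not part of this proposal) of the rule evaluation: the alert name must match, the URL must be in the context and match the rule's regex, the optional parameter must match exactly, and the first matching rule wins. The whole-URL regex match and first-match-wins ordering are assumptions; the sample rules are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Risk levels from the proposal; "False Positive" is treated as a level here.
RISK_LEVELS = ("High", "Medium", "Low", "Info", "False Positive")


@dataclass(frozen=True)
class AlertRule:
    alert: str                       # alert name, e.g. "Cross Site Scripting (Reflected)"
    url_regex: str                   # regex the alert's URL must match
    new_risk: str                    # one of RISK_LEVELS
    parameter: Optional[str] = None  # optional; if set, must match exactly

    def __post_init__(self):
        if self.new_risk not in RISK_LEVELS:
            raise ValueError(f"unknown risk level: {self.new_risk}")
        re.compile(self.url_regex)   # reject a broken regex when the rule is added

    def matches(self, alert_name: str, url: str, parameter: Optional[str]) -> bool:
        if alert_name != self.alert:
            return False
        if re.fullmatch(self.url_regex, url) is None:  # assumption: whole URL must match
            return False
        return self.parameter is None or self.parameter == parameter


@dataclass(frozen=True)
class Context:
    name: str
    include_regexes: Tuple[str, ...]  # URLs in scope for this context
    rules: Tuple[AlertRule, ...]      # evaluated in order; first match wins (assumption)

    def in_scope(self, url: str) -> bool:
        return any(re.fullmatch(r, url) for r in self.include_regexes)


def apply_alert_rules(ctx: Context, alert_name: str, url: str,
                      parameter: Optional[str], risk: str) -> str:
    """Return the risk an alert should carry once the context's rules are applied."""
    if not ctx.in_scope(url):          # rules only apply to URLs inside the context
        return risk
    for rule in ctx.rules:
        if rule.matches(alert_name, url, parameter):
            return rule.new_risk
    return risk


# Constructed sample context: the rule from the dialog above, plus one that raises a risk.
CTX = Context("aaa", (r"http://www\.example\.com/.*",), (
    AlertRule("Cross Site Scripting (Reflected)", r"http://www\.example\.com/xssfp",
              "False Positive", parameter="abc"),
    AlertRule("X-Frame-Options Header Not Set", r"http://www\.example\.com/admin/.*", "High"),
))
```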
The data will be saved in the Context file, and loaded when that context is loaded.
There will also be full control of all aspects of this via the API.
The plan is for this to be a new add-on, and hopefully it can work with 2.4.1.
I'd also like to introduce the concept of 'expected alerts', which could be based on this functionality. These would be very useful for testing ZAP against 'benchmark' apps.
But that's a future phase ;)
Feedback appreciated :)
Simon