Tagging scan rules


psiinon

Jan 27, 2016, 7:07:15 AM
to OWASP ZAP Developer Group
Proposal: we support the tagging of scan rules, both 'built in' and 'user defined'.

I was planning on adding an Alert field for OWASP Top 10 category (for #1882), but I'd also like to be able to flag rules as being time-based (and potentially other things).
We could add a set of fields, but I think supporting generic tags could be much more useful.
We could have a 'built in' set that corresponds to existing fields, e.g.
  • Beta, or maybe Quality-beta?
  • CWE-10
  • WASC-12
  • MySql, or maybe Tech-MySql
  • OWASP-2013-A1

And also support any tags the user feels like defining.

Then we could support the use of tags in scan profiles, so that you could have a profile that just checks for OWASP Top 10 issues using tags: OWASP-2013.*

What do you all think?

Cheers,

Simon
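To make the profile idea concrete, here is a small sketch of tag-based rule selection, added as an illustration and not code from ZAP or from Simon's proposal. The rule model, the rule ids and the tag assignments are constructed; each profile entry is treated as a regular expression matched against a whole tag, which is one way to make `OWASP-2013.*` select every 2013 Top 10 category while an exclude list drops beta or time-based rules.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ScanRule:
    # Hypothetical model of a tagged scan rule; not one of ZAP's own classes.
    rule_id: int
    name: str
    tags: frozenset


# Constructed sample rules. Tag forms follow the proposal: built-in tags for
# quality, CWE, technology and OWASP Top 10 category, plus free-form user tags.
SAMPLE_RULES = (
    ScanRule(1, "sql-injection", frozenset({"OWASP-2013-A1", "CWE-89", "Tech-MySql"})),
    ScanRule(2, "time-based-sql-injection",
             frozenset({"OWASP-2013-A1", "CWE-89", "Tech-MySql", "Time-based", "Quality-beta"})),
    ScanRule(3, "reflected-xss", frozenset({"OWASP-2013-A3", "CWE-79"})),
    ScanRule(4, "server-header-check", frozenset({"Quality-beta", "Team-internal"})),
)


def compile_patterns(patterns):
    # Profile entries are regexes matched against the whole tag, case-insensitively,
    # so "OWASP-2013.*" selects all 2013 categories and "Tech-MySql" only that tag.
    return [re.compile(p, re.IGNORECASE) for p in patterns]


def rule_matches(rule, patterns):
    # A rule matches a pattern list when any of its tags fully matches any pattern.
    return any(p.fullmatch(tag) for p in patterns for tag in rule.tags)


def select_rules(rules, include, exclude=()):
    # A profile is an include list plus an optional exclude list; exclusion wins,
    # so "OWASP-2013.*" minus "Time-based" keeps the Top 10 rules that are not slow.
    inc, exc = compile_patterns(include), compile_patterns(exclude)
    return [r for r in rules if rule_matches(r, inc) and not rule_matches(r, exc)]


def rule_ids(rules, include, exclude=()):
    # Convenience wrapper returning the sorted ids of the selected rules.
    return sorted(r.rule_id for r in select_rules(rules, include, exclude))


if __name__ == "__main__":
    print("Top 10 profile:", rule_ids(SAMPLE_RULES, ["OWASP-2013.*"]))
    print("Top 10, no beta/time-based:",
          rule_ids(SAMPLE_RULES, ["OWASP-2013.*"], ["Quality-beta", "Time-based"]))
```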


kingthorin+owaspzap

Jan 27, 2016, 8:17:07 AM
to OWASP ZAP Developer Group
Would this apply to the plugins, to the alerts, or somehow to both?

psiinon

Jan 27, 2016, 8:34:05 AM
to OWASP ZAP Developer Group
I was thinking just plugins; not sure what value there is to tagging Alerts.
But if anyone can suggest how this could be useful ... :)

kingthorin+owaspzap

Jan 27, 2016, 6:21:09 PM
to OWASP ZAP Developer Group
Tagging alerts could give further options in reporting?

psiinon

Jan 28, 2016, 3:59:46 AM
to OWASP ZAP Developer Group
Definitely.