Warn/Ignore when multiple warnings are on same rule
18 views
Skip to the first unread message
Christian López Espínola
7 Feb 2023, 21:52:4107/02/2023
to OWASP ZAP Developer Group
Hi,
First, sorry if this should be on -users group. I wasn't 100% sure where it would fit.
I'm using zap for hardening services and works great so far, thanks for this software.
However, I want to get warns if my Permissions Policy goes wrong, but would like to ignore Features Policy deprecation, as I want to use that for broader browser support.
So if I have a rule like
10063 WARN (Permissions Policy Header Not Set)
# Features policy is deprecated, but we need that for improved browser support:
# https://caniuse.com/mdn-http_headers_permissions-policy
10063 IGNORE (Deprecated Feature Policy Header Set)
But that will ignore both, as they are part of the same rule (https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrulesBeta/src/main/java/org/zaproxy/zap/extension/pscanrulesBeta/PermissionsPolicyScanRule.java)
Would be a valid contribution to split those in two different rules? Or Is there any workaround I'm missing?
Thanks for your help.
First, sorry if this should be on -users group. I wasn't 100% sure where it would fit.
I'm using zap for hardening services and works great so far, thanks for this software.
However, I want to get warns if my Permissions Policy goes wrong, but would like to ignore Features Policy deprecation, as I want to use that for broader browser support.
So if I have a rule like
10063 WARN (Permissions Policy Header Not Set)
# Features policy is deprecated, but we need that for improved browser support:
# https://caniuse.com/mdn-http_headers_permissions-policy
10063 IGNORE (Deprecated Feature Policy Header Set)
But that will ignore both, as they are part of the same rule (https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrulesBeta/src/main/java/org/zaproxy/zap/extension/pscanrulesBeta/PermissionsPolicyScanRule.java)
Would be a valid contribution to split those in two different rules? Or Is there any workaround I'm missing?
Thanks for your help.
psiinon
8 Feb 2023, 03:56:5808/02/2023
to OWASP ZAP Developer Group
Hiya,
Many rules raise multiple alerts, which is why most of them now support Alert References which uniquely identify the "sub" alerts.
This rule does support those: https://www.zaproxy.org/docs/alerts/10063/
It looks like you are using the packaged scans.
I'm not actually sure if these support alert refs - I'll need to check.
If they dont then we should enhance the scans to support them.
Cheers,
Simon
Christian López Espínola
8 Feb 2023, 09:56:1308/02/2023
to OWASP ZAP Developer Group
Thanks for answering. I was pretty sure I was missing something.
Yes, I'm using the packaged scans (with zap-baseline.py). Something like
10063-1 WARN (Permissions Policy Header Not Set)
is not supported as they are expected to be ints on the python scripts:
Traceback (most recent call last):
File "/zap//zap-baseline.py", line 655, in <module>
main(sys.argv[1:])
File "/zap//zap-baseline.py", line 380, in main
jobs.append(get_af_output_summary(('Short', 'Long')[detailed_output], summary_file, config_dict, config_msg))
File "/zap/zap_common.py", line 668, in get_af_output_summary
rules.append({'id': int(id), 'action': action, 'customMessage': config_msg[id]})
ValueError: invalid literal for int() with base 10: '10063-1'
Yes, I'm using the packaged scans (with zap-baseline.py). Something like
10063-1 WARN (Permissions Policy Header Not Set)
is not supported as they are expected to be ints on the python scripts:
Traceback (most recent call last):
File "/zap//zap-baseline.py", line 655, in <module>
main(sys.argv[1:])
File "/zap//zap-baseline.py", line 380, in main
jobs.append(get_af_output_summary(('Short', 'Long')[detailed_output], summary_file, config_dict, config_msg))
File "/zap/zap_common.py", line 668, in get_af_output_summary
rules.append({'id': int(id), 'action': action, 'customMessage': config_msg[id]})
ValueError: invalid literal for int() with base 10: '10063-1'
If I try with ./zap.sh -cmd -autorun config.yaml having
- action: WARN
customMessage: ''
id: 10063-1
- action: IGNORE
customMessage: ''
id: 10063-2
I get a similar error as those are expected to be ints:
Unexpected error accessing file /zap/wrk/zap.yaml : class java.lang.String cannot be cast to class java.lang.Integer (java.lang.String and java.lang.Integer are in module java.base of loader 'bootstrap') - see log for details
customMessage: ''
id: 10063-1
- action: IGNORE
customMessage: ''
id: 10063-2
I get a similar error as those are expected to be ints:
Unexpected error accessing file /zap/wrk/zap.yaml : class java.lang.String cannot be cast to class java.lang.Integer (java.lang.String and java.lang.Integer are in module java.base of loader 'bootstrap') - see log for details
Reply all
Reply to author
Forward
0 new messages