Warn/Ignore when multiple warnings are on same rule


Christian López Espínola

Feb 7, 2023, 9:52:41 PM
to OWASP ZAP Developer Group

First, sorry if this should be on -users group. I wasn't 100% sure where it would fit.

I'm using zap for hardening services and it works great so far, thanks for this software.

However, I want to get warnings if my Permissions Policy goes wrong, but would like to ignore the Feature Policy deprecation, as I want to use that for broader browser support.

So if I have a rule like

10063    WARN    (Permissions Policy Header Not Set)
# Features policy is deprecated, but we need that for improved browser support:
# https://caniuse.com/mdn-http_headers_permissions-policy
10063    IGNORE    (Deprecated Feature Policy Header Set)

But that will ignore both, as they are part of the same rule (https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrulesBeta/src/main/java/org/zaproxy/zap/extension/pscanrulesBeta/PermissionsPolicyScanRule.java).

Would it be a valid contribution to split those into two different rules? Or is there any workaround I'm missing?

Thanks for your help.


Feb 8, 2023, 3:56:58 AM
to OWASP ZAP Developer Group

Many rules raise multiple alerts, which is why most of them now support Alert References which uniquely identify the "sub" alerts.
This rule does support those: https://www.zaproxy.org/docs/alerts/10063/

It looks like you are using the packaged scans.
I'm not actually sure if these support alert refs - I'll need to check.
If they don't then we should enhance the scans to support them.



Christian López Espínola

Feb 8, 2023, 9:56:13 AM
to OWASP ZAP Developer Group

Thanks for answering. I was pretty sure I was missing something.

Yes, I'm using the packaged scans (with zap-baseline.py). Something like

10063-1    WARN    (Permissions Policy Header Not Set)

is not supported, as they are expected to be ints in the Python scripts:

Traceback (most recent call last):
  File "/zap//zap-baseline.py", line 655, in <module>
  File "/zap//zap-baseline.py", line 380, in main
    jobs.append(get_af_output_summary(('Short', 'Long')[detailed_output], summary_file, config_dict, config_msg))
  File "/zap/zap_common.py", line 668, in get_af_output_summary
    rules.append({'id': int(id), 'action': action, 'customMessage': config_msg[id]})
ValueError: invalid literal for int() with base 10: '10063-1'

If I try with ./zap.sh -cmd -autorun config.yaml having 

- action: WARN
  customMessage: ''
  id: 10063-1
- action: IGNORE
  customMessage: ''
  id: 10063-2

I get a similar error as those are expected to be ints:

Unexpected error accessing file /zap/wrk/zap.yaml : class java.lang.String cannot be cast to class java.lang.Integer (java.lang.String and java.lang.Integer are in module java.base of loader 'bootstrap') - see log for details
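The failure above comes from reading the rule id with int(), which cannot represent an alert reference. As an added illustration (not ZAP's own code), here is a small Python parser for the rule-file format quoted in the thread that accepts both plain rule ids and alert references, plus a lookup that lets a rule on the alert reference override a rule on the whole scan rule. The FAIL action is taken from zap-baseline's documented actions, and rule 90001 is a constructed placeholder.

```python
import re
from typing import Dict, Optional

# Actions the packaged scans understand; WARN and IGNORE appear in the
# thread, FAIL is the remaining documented zap-baseline action.
ACTIONS = {"WARN", "IGNORE", "FAIL"}

# A rule id is either a plain scan-rule id (10063) or an alert reference
# with a "sub" alert suffix (10063-1). The int() call in zap_common.py
# rejects the second form; this pattern accepts both.
RULE_ID = re.compile(r"^(\d+)(-\d+)?$")

# Constructed sample in the config-file format quoted in the thread.
SAMPLE_CONFIG = """\
# Feature Policy is deprecated, but we need it for broader browser support
10063-1    WARN    (Permissions Policy Header Not Set)
10063-2    IGNORE  (Deprecated Feature Policy Header Set)
90001      FAIL    (constructed placeholder rule, not a real ZAP rule id)
"""


def parse_rules(text: str) -> Dict[str, str]:
    """Map rule id or alert reference -> action; raise on malformed lines."""
    rules: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)  # id, action, optional "(comment)"
        if len(parts) < 2:
            raise ValueError(f"line {lineno}: expected '<id> <action>'")
        rule_id, action = parts[0], parts[1].upper()
        if not RULE_ID.match(rule_id):
            raise ValueError(f"line {lineno}: bad rule id {rule_id!r}")
        if action not in ACTIONS:
            raise ValueError(f"line {lineno}: unknown action {action!r}")
        rules[rule_id] = action
    return rules


def action_for(rules: Dict[str, str], plugin_id: int,
               alert_ref: Optional[str] = None, default: str = "WARN") -> str:
    """Most specific match wins: alert reference, then whole rule, then default."""
    if alert_ref and alert_ref in rules:
        return rules[alert_ref]
    return rules.get(str(plugin_id), default)
```

With this lookup, the two alerts from rule 10063 get different actions even though they share a scan rule, which is the behaviour the thread is asking for.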