Warn/Ignore when multiple warnings are on same rule

Christian López Espínola

Feb 7, 2023, 9:52:41 PM
to OWASP ZAP Developer Group
Hi,

First, sorry if this should be on -users group. I wasn't 100% sure where it would fit.

I'm using ZAP for hardening services and it works great so far, thanks for this software.

However, I want to get warnings if my Permissions Policy goes wrong, but would like to ignore the Feature Policy deprecation, as I want to use that for broader browser support.

So if I have a rule like

10063    WARN    (Permissions Policy Header Not Set)
# Features policy is deprecated, but we need that for improved browser support:
# https://caniuse.com/mdn-http_headers_permissions-policy
10063    IGNORE    (Deprecated Feature Policy Header Set)

But that will ignore both, as they are part of the same rule (https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrulesBeta/src/main/java/org/zaproxy/zap/extension/pscanrulesBeta/PermissionsPolicyScanRule.java)

Would it be a valid contribution to split those into two different rules? Or is there any workaround I'm missing?

Thanks for your help.

psiinon

Feb 8, 2023, 3:56:58 AM
to OWASP ZAP Developer Group
Hiya,

Many rules raise multiple alerts, which is why most of them now support Alert References which uniquely identify the "sub" alerts.
This rule does support those: https://www.zaproxy.org/docs/alerts/10063/

It looks like you are using the packaged scans.
I'm not actually sure if these support alert refs - I'll need to check.
If they don't then we should enhance the scans to support them.

Cheers,

Simon

Christian López Espínola

Feb 8, 2023, 9:56:13 AM
to OWASP ZAP Developer Group
Thanks for answering. I was pretty sure I was missing something.

Yes, I'm using the packaged scans (with zap-baseline.py). Something like

10063-1    WARN    (Permissions Policy Header Not Set)

is not supported, as the ids are expected to be ints in the Python scripts:

Traceback (most recent call last):
  File "/zap//zap-baseline.py", line 655, in <module>
    main(sys.argv[1:])
  File "/zap//zap-baseline.py", line 380, in main
    jobs.append(get_af_output_summary(('Short', 'Long')[detailed_output], summary_file, config_dict, config_msg))
  File "/zap/zap_common.py", line 668, in get_af_output_summary
    rules.append({'id': int(id), 'action': action, 'customMessage': config_msg[id]})
ValueError: invalid literal for int() with base 10: '10063-1'

If I try with ./zap.sh -cmd -autorun config.yaml, having

- action: WARN
  customMessage: ''
  id: 10063-1
- action: IGNORE
  customMessage: ''
  id: 10063-2

I get a similar error, as those are expected to be ints:

Unexpected error accessing file /zap/wrk/zap.yaml : class java.lang.String cannot be cast to class java.lang.Integer (java.lang.String and java.lang.Integer are in module java.base of loader 'bootstrap') - see log for details
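Added example, not code from the thread or from the ZAP project: a small Python parser for rule lines in the format zap-baseline.py reads with -c (id, action, description in parentheses, "#" comments) that keeps alert references such as 10063-1 as strings instead of calling int() on them, plus a lookup that picks the most specific matching rule for an alert. The two sub-alerts of rule 10063 and the ZAP API field names pluginId and alertRef are real; the sample config, the sample alerts, the helper names (parse_rules, action_for, summarise) and the WARN default are constructed for this illustration.

```python
import re

# Constructed sample input in the zap-baseline.py "-c" config format:
# "<id>\t<ACTION>\t(<description>)" with "#" comment lines. It uses the
# alert refs of rule 10063 that the packaged scripts currently reject.
SAMPLE_CONFIG = """\
# Warn if the Permissions-Policy header is missing ...
10063-1\tWARN\t(Permissions Policy Header Not Set)
# ... but ignore the deprecated Feature-Policy sub-alert on purpose:
# https://caniuse.com/mdn-http_headers_permissions-policy
10063-2\tIGNORE\t(Deprecated Feature Policy Header Set)
10020\tFAIL\t(Anti-clickjacking Header)
"""

# A plugin id (10063) optionally followed by an alert-ref suffix (10063-1),
# whitespace, then one of the three actions the baseline config knows.
RULE_LINE = re.compile(
    r"^(?P<plugin>\d+)(?:-(?P<sub>\d+))?\s+(?P<action>IGNORE|WARN|FAIL)\b"
)


def legacy_rule_id(rule_id: str) -> int:
    """The conversion the thread's traceback shows: int(id). Raises on '10063-1'."""
    return int(rule_id)


def parse_rules(config_text: str) -> dict[str, str]:
    """Map each rule key ('10063' or '10063-1') to its action.

    Alert refs are kept as strings, so two sub-alerts of the same rule
    can carry different actions. Malformed or duplicate lines are errors.
    """
    rules: dict[str, str] = {}
    for lineno, line in enumerate(config_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = RULE_LINE.match(stripped)
        if m is None:
            raise ValueError(f"line {lineno}: malformed rule: {line!r}")
        key = m.group("plugin")
        if m.group("sub") is not None:
            key = f"{key}-{m.group('sub')}"
        if key in rules:
            raise ValueError(f"line {lineno}: duplicate rule {key}")
        rules[key] = m.group("action")
    return rules


def action_for(rules: dict[str, str], alert: dict, default: str = "WARN") -> str:
    """Pick the action for one alert (dict with the API's pluginId/alertRef).

    Most specific wins: an exact alertRef entry (10063-1) beats a
    plugin-wide entry (10063), which beats the default (an assumption here).
    """
    ref = str(alert.get("alertRef", ""))
    plugin = str(alert["pluginId"])
    if ref in rules:
        return rules[ref]
    if plugin in rules:
        return rules[plugin]
    return default


# Constructed alerts in the shape the ZAP API returns (only the fields used).
SAMPLE_ALERTS = [
    {"pluginId": "10063", "alertRef": "10063-1", "name": "Permissions Policy Header Not Set"},
    {"pluginId": "10063", "alertRef": "10063-2", "name": "Deprecated Feature Policy Header Set"},
    {"pluginId": "10020", "alertRef": "10020-1", "name": "Missing Anti-clickjacking Header"},
    {"pluginId": "10038", "alertRef": "10038", "name": "Content Security Policy (CSP) Header Not Set"},
]


def summarise(rules: dict[str, str], alerts: list, default: str = "WARN") -> dict:
    """Group alert refs by the action that would be applied to them."""
    out: dict = {"IGNORE": [], "WARN": [], "FAIL": []}
    for alert in alerts:
        out[action_for(rules, alert, default)].append(alert["alertRef"])
    return out


if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_CONFIG)
    for action, refs in summarise(parsed, SAMPLE_ALERTS).items():
        print(f"{action:6} {', '.join(refs) or '-'}")
```

With this parser the config from the first post works as intended: 10063-2 (the deprecated Feature-Policy sub-alert) is ignored while 10063-1 (missing Permissions-Policy) still warns. The same lookup order (exact alertRef, then plugin id, then default) is what a ref-aware version of the packaged scripts or the automation framework rules would need.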