rules in ignore-rules.conf file not taken into consideration


Salam Elias

Nov 7, 2025, 12:42:42 PM
to ZAP User Group
I created a file where I added the following 2 lines

10035 IGNORE Strict-Transport-Security Header - Passive/release
10051 IGNORE Relative Path Confusion - Active/beta

After running the scan, at the end I see

SKIP: Relative Path Confusion [10051]
IGNORE-NEW: Strict-Transport-Security Header Not Set [10035] x 4
        https://www.mysite.fr/ (301 Moved Permanently)
        https://www. mysite .fr (301 Moved Permanently)
        https://www. mysite .fr/robots.txt (301 Moved Permanently)
        https://www. mysite .fr/sitemap.xml (301 Moved Permanently)
FAIL-NEW: 0     FAIL-INPROG: 0  WARN-NEW: 0     WARN-INPROG: 0  INFO: 0 IGNORE: 1       PASS: 137

Why is one SKIP and the 2nd IGNORE-NEW?
In fact I thought that using an ignore rule would not display anything about those 2 items in the output. Am I mistaken?

Simon Bennetts

Nov 10, 2025, 11:07:08 AM
to ZAP User Group
Hiya,

If you "IGNORE" an active scan rule then it will not be run - hence the "SKIP" line.
If you "IGNORE" a passive scan rule then it will still be run but the results will be ignored, hence the "IGNORE" line.
So one's an active rule and one's a passive rule.
We could not stop ignored passive scan rules from being run .. but I don't think that feature was available when the packaged scans were written.

So your configuration file is being used as expected.

Cheers,

Simon

Salam Elias

Nov 11, 2025, 3:41:59 AM
to ZAP User Group
Hi, thanks for the explanation. I thought using ignore will not write in the output about ignored items, that was my initial understanding.
I use ZAP inside a CI/CD Azure DevOps pipeline and would like those ignored items not to show in the test report in order not to make project managers panic.

Simon Bennetts

Nov 21, 2025, 11:42:37 AM
to ZAP User Group
I'm wary about changing the packaged scan output as we don't know how many people depend on them working the way they do now.
However you can use the Automation Framework which will give you much more control over what ZAP does.

Cheers,

Simon
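
An added example, not part of the thread and not code from the ZAP project: a minimal Automation Framework plan that turns off the two rules from the original post (10035 passive, 10051 active) by setting their threshold to off, so neither rule runs and neither raises alerts for the report. The context name, target URL (a placeholder for the site being scanned), durations and report paths are assumptions.

```yaml
# plan.yaml - constructed example; adjust the URL and paths for your pipeline
env:
  contexts:
    - name: "site"                      # assumed context name
      urls:
        - "https://www.example.com"     # placeholder target
  parameters:
    failOnError: true                   # non-zero exit if a job errors
    failOnWarning: false
    progressToStdout: true

jobs:
  # Configure passive rules before any traffic is generated.
  - type: passiveScan-config
    rules:
      - id: 10035                       # Strict-Transport-Security Header
        threshold: "off"                # rule is disabled, not merely ignored

  - type: spider
    parameters:
      context: "site"
      maxDuration: 2                    # minutes

  # Let the passive scan queue drain before active scanning and reporting.
  - type: passiveScan-wait
    parameters:
      maxDuration: 5                    # minutes

  - type: activeScan
    parameters:
      context: "site"
    policyDefinition:
      defaultStrength: "medium"
      defaultThreshold: "medium"
      rules:
        - id: 10051                     # Relative Path Confusion
          threshold: "off"              # rule is not run

  - type: report
    parameters:
      template: "traditional-html"
      reportDir: "/zap/wrk"             # assumed mounted working directory
      reportFile: "zap-report"
```

Run it with `zap.sh -cmd -autorun /zap/wrk/plan.yaml` in place of the packaged scan script.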