Help Needed! Configuring Risk Levels in ZAP CLI

[Zap BotStan]

A question on Risk Levels, is there any way one can change the default risk levels of a vulnerability?

For example,

Name                                                                             Risk Level         New level
Content Security Policy (CSP) Header Not Set      Medium              High
Multiple X-Frame-Options Header Entries              Medium               Low
Application Error Disclosure                                     Low                      Medium
Cookie Without SameSite Attribute                         Low                      Medium

currently the zap cli can change a threshold, but can this be done for a Risk Level? Any assistance would be great!

[kingthorin+owaspzap]

Yup, checkout Alert Filters:

https://www.zaproxy.org/docs/desktop/addons/alert-filters/

[Raj Dev]

Hi owuor,

The Alert Filters add-on will work with only the older Jenkins plugin and ZAP UI. But it will not work in the Docker, Zap-Cli and openshift solution. Hopefully, a new feature comes in the new ZAP framework:

https://www.zaproxy.org/docs/desktop/addons/alert-filters/

Also,  on August 4th, the ZAP team has a webinar regarding the Automation Framework. I wish you to don't miss it.

August 4

Thanks,

Raj Dev

[kingthorin+owaspzap]

It will work with docker, if you're driving via the API. Or using custom hooks with the packaged scans.

[Zap BotStan]

Hi team, @kingthorin+owaspzap it works!!!! we were able to use curl to re-label the rule ID and change the value. Thank you!

[kingthorin+owaspzap]

No problem. Thanks for letting us know.

[Zap BotStan]

Hahaha i would not miss it for the world!!!!

On Thursday, July 29, 2021 at 8:40:19 PM UTC-4 dev4...@gmail.com wrote: