ascanrules: add example alerts to Spring Actuator

anaaroch · LucasBergholz · thc202 · commit 70e75c79620b · 2024-09-16T13:45:38.000+01:00
Signed-off-by: Ana Rocha &lt;sqscamposuni@gmail.com&gt;
Co-authored-by: Lucas Bergholz &lt;lucas.bergholz@gmail.com&gt;
diff --git a/addOns/ascanrules/CHANGELOG.md b/addOns/ascanrules/CHANGELOG.md
@@ -6,6 +6,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 ## Unreleased
 ### Changed
 - Maintenance changes.
+- The Spring Actuator Scan Rule now includes example alert functionality for documentation generation purposes (Issue 6119).
 
 ## [67] - 2024-07-22
 
diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SpringActuatorScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SpringActuatorScanRule.java
@@ -20,6 +20,7 @@
 package org.zaproxy.zap.extension.ascanrules;
 
 import java.io.IOException;
+import java.util.List;
 import java.util.Map;
 import java.util.regex.Pattern;
 import org.apache.commons.httpclient.URI;
@@ -140,7 +141,9 @@ public void scan() {
                             CONTENT_TYPE.matcher(contentType).find()
                                     && JSON_PAYLOAD.matcher(responseBody).find();
                     if (matches) {
-                        raiseAlert(testMsg, Alert.CONFIDENCE_MEDIUM, getRisk());
+                        createAlert(testMsg.getResponseBody().toString())
+                                .setMessage(testMsg)
+                                .raise();
                         break;
                     }
                 }
@@ -196,15 +199,17 @@ private HttpMessage sendActuatorRequest(String encodingType, String actuatorEndp
         return null;
     }
 
-    private void raiseAlert(HttpMessage msg, int confidence, int risk) {
-        newAlert()
-                .setRisk(risk)
-                .setConfidence(confidence)
+    private AlertBuilder createAlert(String evidence) {
+        return newAlert()
+                .setRisk(getRisk())
+                .setConfidence(Alert.CONFIDENCE_MEDIUM)
                 .setName(getAlertName())
-                .setEvidence(msg.getResponseHeader().getPrimeHeader())
                 .setReference(getReference())
-                .setMessage(msg)
-                .setEvidence(StringUtils.left(msg.getResponseBody().toString(), 100))
-                .raise();
+                .setEvidence(StringUtils.left(evidence, 100));
+    }
+
+    @Override
+    public List<Alert> getExampleAlerts() {
+        return List.of(createAlert("{\"status\" : \"UP\"}").build());
     }
 }
diff --git a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SpringActuatorScanRuleUnitTest.java b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SpringActuatorScanRuleUnitTest.java
@@ -22,12 +22,14 @@
 import static fi.iki.elonen.NanoHTTPD.newFixedLengthResponse;
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.equalTo;
+import static org.hamcrest.Matchers.hasKey;
 import static org.hamcrest.Matchers.hasSize;
 import static org.hamcrest.Matchers.is;
 import static org.junit.jupiter.api.Assertions.assertEquals;
 
 import fi.iki.elonen.NanoHTTPD;
 import fi.iki.elonen.NanoHTTPD.Response;
+import java.util.List;
 import java.util.Map;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.params.ParameterizedTest;
@@ -343,6 +345,10 @@ void shouldReturnExpectedMappings() {
         assertThat(cwe, is(equalTo(215)));
         assertThat(wasc, is(equalTo(13)));
         assertThat(tags.size(), is(equalTo(3)));
+        assertBaseTags(tags);
+    }
+
+    private static void assertBaseTags(Map<String, String> tags) {
         assertThat(
                 tags.containsKey(CommonAlertTag.OWASP_2021_A01_BROKEN_AC.getTag()),
                 is(equalTo(true)));
@@ -362,4 +368,21 @@ void shouldReturnExpectedMappings() {
                 tags.get(CommonAlertTag.WSTG_V42_CONF_05_ENUMERATE_INFRASTRUCTURE.getTag()),
                 is(equalTo(CommonAlertTag.WSTG_V42_CONF_05_ENUMERATE_INFRASTRUCTURE.getValue())));
     }
+
+    @Test
+    void shouldReturnExpectedExampleAlert() {
+        // Given / When
+        List<Alert> alerts = rule.getExampleAlerts();
+
+        // Then
+        assertThat(alerts.size(), is(equalTo(1)));
+
+        Alert alert = alerts.get(0);
+        assertThat(alert.getConfidence(), is(equalTo(Alert.CONFIDENCE_MEDIUM)));
+        assertThat(alert.getRisk(), is(equalTo(Alert.RISK_MEDIUM)));
+        Map<String, String> tags = alert.getTags();
+        assertThat(tags.size(), is(equalTo(4)));
+        assertBaseTags(tags);
+        assertThat(tags, hasKey("CWE-215"));
+    }
 }
