pscanrules: Set AlertRef property on MissingCSP alerts

David Hall · David Hall · commit cd4f6f591c99 · 2023-02-14T18:44:20.000-05:00
Signed-off-by: David Hall &lt;David.Hall@sas.com&gt;
diff --git a/addOns/pscanrules/CHANGELOG.md b/addOns/pscanrules/CHANGELOG.md
@@ -13,6 +13,9 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 - Maintenance changes.
 - The HeartBleed scan rule alert now includes a CVE tag.
 
+### Fixed
+- The CSP Missing scan rule now alerts when the Content-Security-Policy header is missing, and when the obsolete X-Content-Security-Policy or X-WebKit-CSP are found (Issue 7653).
+
 ## [45] - 2023-01-03
 ### Changed
 - The Private Address Disclosure and Session ID in URL Rewrite scan rules now include example alert functionality for documentation generation purposes (Issue 6119 and 7100).
@@ -23,7 +26,6 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ### Fixed
 - The Modern App Detection scan rule now ignores non-HTML files (Issue 7617).
-- The CSP Missing scan rule now alerts when the Content-Security-Policy header is missing, and when the obsolete X-Content-Security-Policy or X-WebKit-CSP are found (Issue 7653).
 
 ## [44] - 2022-10-27
 ### Added
diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/ContentSecurityPolicyMissingScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/ContentSecurityPolicyMissingScanRule.java
@@ -122,35 +122,31 @@ private static boolean hasCspReportOnlyHeader(HttpMessage msg) {
                 .isEmpty();
     }
 
-    private AlertBuilder buildAlert(int risk) {
+    private AlertBuilder buildAlert(int risk, int alertnum) {
         return newAlert()
                 .setRisk(risk)
                 .setConfidence(Alert.CONFIDENCE_HIGH)
                 .setCweId(693) // CWE-693: Protection Mechanism Failure
-                .setWascId(15); // WASC-15: Application Misconfiguration
+                .setWascId(15) // WASC-15: Application Misconfiguration
+                .setSolution(getAlertAttribute("soln"))
+                .setReference(getAlertAttribute("refs"))
+                .setAlertRef(PLUGIN_ID + "-" + alertnum);
     }
 
     private AlertBuilder alertMissingCspHeader() {
-        return buildAlert(Alert.RISK_MEDIUM)
-                .setName(getAlertAttribute("name"))
-                .setDescription(getAlertAttribute("desc"))
-                .setSolution(getAlertAttribute("soln"))
-                .setReference(getAlertAttribute("refs"));
+        return buildAlert(Alert.RISK_MEDIUM, 1).setDescription(getAlertAttribute("desc"));
     }
 
     private AlertBuilder alertObsoleteCspHeader() {
-        return buildAlert(Alert.RISK_INFO)
+        return buildAlert(Alert.RISK_INFO, 2)
                 .setName(getAlertAttribute("obs.name"))
-                .setDescription(getAlertAttribute("obs.desc"))
-                .setSolution(getAlertAttribute("soln"))
-                .setReference(getAlertAttribute("refs"));
+                .setDescription(getAlertAttribute("obs.desc"));
     }
 
     private AlertBuilder alertCspReportOnlyHeader() {
-        return buildAlert(Alert.RISK_INFO)
+        return buildAlert(Alert.RISK_INFO, 3)
                 .setName(getAlertAttribute("ro.name"))
                 .setDescription(getAlertAttribute("ro.desc"))
-                .setSolution(getAlertAttribute("soln"))
                 .setReference(getAlertAttribute("ro.refs"));
     }
 }
diff --git a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/ContentSecurityPolicyMissingScanRuleUnitTest.java b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/ContentSecurityPolicyMissingScanRuleUnitTest.java
@@ -131,8 +131,8 @@ void givenWebKitThenTwoAlertsRaised() throws Exception {
 
         // Then
         assertThat(alertsRaised.size(), is(2));
-        assertCSPAlertAttributes(alertsRaised.get(0), "", Alert.RISK_MEDIUM);
-        assertCSPAlertAttributes(alertsRaised.get(1), "obs.", Alert.RISK_INFO);
+        assertCSPAlertAttributes(alertsRaised.get(0), "", Alert.RISK_MEDIUM, "10038-1");
+        assertCSPAlertAttributes(alertsRaised.get(1), "obs.", Alert.RISK_INFO, "10038-2");
     }
 
     @Test
@@ -145,8 +145,8 @@ void givenXCspThenTwoAlertsRaised() throws Exception {
 
         // Then
         assertThat(alertsRaised.size(), is(2));
-        assertCSPAlertAttributes(alertsRaised.get(0), "", Alert.RISK_MEDIUM);
-        assertCSPAlertAttributes(alertsRaised.get(1), "obs.", Alert.RISK_INFO);
+        assertCSPAlertAttributes(alertsRaised.get(0), "", Alert.RISK_MEDIUM, "10038-1");
+        assertCSPAlertAttributes(alertsRaised.get(1), "obs.", Alert.RISK_INFO, "10038-2");
     }
 
     @Test
@@ -256,8 +256,8 @@ void givenReportOnlyCspThenInfoAlertRaised() throws Exception {
 
         // Then
         assertThat(alertsRaised.size(), is(2));
-        assertCSPAlertAttributes(alertsRaised.get(0), "", Alert.RISK_MEDIUM);
-        assertCSPAlertAttributes(alertsRaised.get(1), "ro.", Alert.RISK_INFO);
+        assertCSPAlertAttributes(alertsRaised.get(0), "", Alert.RISK_MEDIUM, "10038-1");
+        assertCSPAlertAttributes(alertsRaised.get(1), "ro.", Alert.RISK_INFO, "10038-3");
         assertThat(alertsRaised.get(1).getReference(), is(getLocalisedString("ro.refs")));
     }
 
@@ -272,7 +272,7 @@ void givenReportOnlyAndCspHeadersThenInfoAlertRaised() throws Exception {
 
         // Then
         assertThat(alertsRaised.size(), is(1));
-        assertCSPAlertAttributes(alertsRaised.get(0), "ro.", Alert.RISK_INFO);
+        assertCSPAlertAttributes(alertsRaised.get(0), "ro.", Alert.RISK_INFO, "10038-3");
         assertThat(alertsRaised.get(0).getReference(), is(getLocalisedString("ro.refs")));
     }
 
@@ -316,15 +316,16 @@ void shouldReturnExampleAlerts() {
 
     private void assertContentSecurityPolicyAlertRaised() {
         assertThat(alertsRaised.size(), is(1));
-        assertCSPAlertAttributes(alertsRaised.get(0), "", Alert.RISK_MEDIUM);
+        assertCSPAlertAttributes(alertsRaised.get(0), "", Alert.RISK_MEDIUM, "10038-1");
     }
 
     private void assertObsoleteSecurityPolicyAlertRaised() {
         assertThat(alertsRaised.size(), is(1));
-        assertCSPAlertAttributes(alertsRaised.get(0), "obs.", Alert.RISK_INFO);
+        assertCSPAlertAttributes(alertsRaised.get(0), "obs.", Alert.RISK_INFO, "10038-2");
     }
 
-    private static void assertCSPAlertAttributes(Alert alert, String key, int expectedRisk) {
+    private static void assertCSPAlertAttributes(
+            Alert alert, String key, int expectedRisk, String alertRef) {
         assertThat(alert.getRisk(), is(expectedRisk));
         assertThat(alert.getName(), is(getLocalisedString(key + "name")));
         assertThat(alert.getDescription(), is(getLocalisedString(key + "desc")));
@@ -333,6 +334,7 @@ private static void assertCSPAlertAttributes(Alert alert, String key, int expect
         assertThat(alert.getCweId(), is(693));
         assertThat(alert.getWascId(), is(15));
         assertThat(alert.getUri(), is(URI));
+        assertThat(alert.getAlertRef(), is(alertRef));
     }
 
     private static String getLocalisedString(String key) {
