Provide example alerts in Cookie scan rules #2532

Merged

Contributor

@martinspielmann martinspielmann commented Sep 3, 2020

The CWE id was already managed for these Alerts/ScanRules and within ZAP they were already presented to the user.
However, when visiting the alert detail pages online (https://www.zaproxy.org/docs/alerts/), CWE (and WASC) links were not generated correctly.

The reason is that the id values were set inline to the alert.
For the script which generates the detail pages, however, the getter methods for the ids have to be added publicly to the class.

Note: if this solves the issue, I'll vote for another follow-up issue to add this change to the PluginPassiveScanner parent class,
so that the docs will be generated consistently over all Passive Scan Rules.

Fixes zaproxy/zaproxy#6140.

@thc202 thc202 changed the title from "Expose getCweId and getWascId method for Cookie scan rules. Fixes #6140" to "Expose getCweId and getWascId method for Cookie scan rules" Sep 3, 2020
@thc202
Member

thc202 commented Sep 3, 2020

> Note: if this solves the issue, I'll vote for another follow-up issue to add this change to the PluginPassiveScanner parent class, so that the docs will be generated consistently over all Passive Scan Rules.

It does, but there's a new way to provide the alert data, more details in zaproxy/zaproxy#6119 (this could be changed to do that if you want).

@kingthorin
Member

Also needs a spotlessApply: ./gradlew :addOns:pscanrules:spotlessApply

@martinspielmann
Contributor Author

Thanks @kingthorin and @thc202 for the hints, sorry saw that too late 🐒 Will update PR asap

The CWE id was already managed for these Alerts/ScanRules and within ZAP they were already presented to the user.
However, when visiting the alert detail pages online (https://www.zaproxy.org/docs/alerts/), CWE (and WASC) links were not generated correctly.

The reason is that the id values were set inline to the alert.
For the script which generates the detail pages, however, the getter methods for the ids have to be added publicly to the class.

Note: if this solves the issue, I'll vote for another follow-up issue to add this change to the PluginPassiveScanner parent class,
so that the docs will be generated consistently over all Passive Scan Rules.

Fixes zaproxy/zaproxy#6140.

Signed-off-by: Martin Spielmann <[email protected]>
@martinspielmann martinspielmann force-pushed the 6140-expose-cwe-id-for-cookie-alerts branch from 06e2f7e to e8cf83b Compare September 3, 2020 14:08
@kingthorin
Member

kingthorin commented Sep 3, 2020

No worries. Every project/contribution is a new adventure 😀

@martinspielmann
Contributor Author

Regarding the comment:

> It does, but there's a new way to provide the alert data, more details in zaproxy/zaproxy#6119 (this could be changed to do that if you want).

After reading through, I think it would indeed be cleaner to go for the new List<Alert> getExampleAlerts() method. Should I add that here already, or would it be preferable to have that in another PR clearly referencing the introduction of getExampleAlerts?

@kingthorin
Member

I'm fine with it being here. You can always squash this.

To comply with zaproxy/zaproxy#6140, the affected ScanRules have been provided with a getExampleAlerts method.
It allows maintenance scripts to generate documentation pages in a common way.

Signed-off-by: Martin Spielmann <[email protected]>
@martinspielmann
Contributor Author

> I'm fine with it being here. You can always squash this.

Ok ready :)

@thc202 thc202 changed the title from "Expose getCweId and getWascId method for Cookie scan rules" to "Provide example alerts in Cookie scan rules" Sep 7, 2020
Member

@kingthorin kingthorin left a comment

One minor thing, and it’s an existing issue

Signed-off-by: Martin Spielmann <[email protected]>
Member

@kingthorin kingthorin left a comment

Thanks

@thc202 thc202 merged commit b69b2d9 into zaproxy:master Sep 7, 2020
@thc202
Member

thc202 commented Sep 7, 2020

Thank you!

Successfully merging this pull request may close these issues.

Expose CWE Ids for cookie alerts