pscanrules: Update CSPMissing for current guidance (Issue 7653) #4338
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
thc202
changed the title
kingthorin
reviewed
Jan 3, 2023
Member
kingthorin
left a comment
kingthorin
left a comment
There was a problem hiding this comment.
I still need to look at the tests but here’s a quick first pass.
...src/main/java/org/zaproxy/zap/extension/pscanrules/ContentSecurityPolicyMissingScanRule.java
Outdated
Show resolved
Hide resolved
Member
|
To address the DCO requirement you'll need to sign-off the commit(s): |
thc202
reviewed
Jan 3, 2023
...c/main/javahelp/org/zaproxy/zap/extension/pscanrules/resources/help/contents/pscanrules.html
Outdated
Show resolved
Hide resolved
davidahall
force-pushed
the
main
branch
2 times, most recently
from
d5dfffa to
9f66f4a
Compare
thc202
reviewed
Jan 4, 2023
...src/main/java/org/zaproxy/zap/extension/pscanrules/ContentSecurityPolicyMissingScanRule.java
Outdated
Show resolved
Hide resolved
...src/main/java/org/zaproxy/zap/extension/pscanrules/ContentSecurityPolicyMissingScanRule.java
Outdated
Show resolved
Hide resolved
...src/main/java/org/zaproxy/zap/extension/pscanrules/ContentSecurityPolicyMissingScanRule.java
Outdated
Show resolved
Hide resolved
.../java/org/zaproxy/zap/extension/pscanrules/ContentSecurityPolicyMissingScanRuleUnitTest.java
Show resolved
Hide resolved
...src/main/java/org/zaproxy/zap/extension/pscanrules/ContentSecurityPolicyMissingScanRule.java
Outdated
Show resolved
Hide resolved
Member
|
The branch needs to be updated and the changelog moved to the Unreleased version. |
kingthorin
reviewed
Jan 8, 2023
...c/main/javahelp/org/zaproxy/zap/extension/pscanrules/resources/help/contents/pscanrules.html
Outdated
Show resolved
Hide resolved
kingthorin
approved these changes
Jan 10, 2023
Contributor
Author
|
Couple of process questions, because I'm new on this project.
|
Member
|
All the workflows completed successfully. The only remaining step is for a second approving review :) So for now it's kinda on us. |
thc202
reviewed
Jan 14, 2023
...src/main/java/org/zaproxy/zap/extension/pscanrules/ContentSecurityPolicyMissingScanRule.java
Outdated
Show resolved
Hide resolved
...src/main/java/org/zaproxy/zap/extension/pscanrules/ContentSecurityPolicyMissingScanRule.java
Outdated
Show resolved
Hide resolved
...src/main/java/org/zaproxy/zap/extension/pscanrules/ContentSecurityPolicyMissingScanRule.java
Outdated
Show resolved
Hide resolved
...src/main/java/org/zaproxy/zap/extension/pscanrules/ContentSecurityPolicyMissingScanRule.java
Outdated
Show resolved
Hide resolved
...src/main/java/org/zaproxy/zap/extension/pscanrules/ContentSecurityPolicyMissingScanRule.java
Outdated
Show resolved
Hide resolved
...nrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages.properties
Outdated
Show resolved
Hide resolved
Member
|
The scan rule doesnt return any examples. Edit: Reference 👉 zaproxy/zaproxy#6119 |
kingthorin
reviewed
Feb 8, 2023
...src/main/java/org/zaproxy/zap/extension/pscanrules/ContentSecurityPolicyMissingScanRule.java
Outdated
Show resolved
Hide resolved
...src/main/java/org/zaproxy/zap/extension/pscanrules/ContentSecurityPolicyMissingScanRule.java
Outdated
Show resolved
Hide resolved
...src/main/java/org/zaproxy/zap/extension/pscanrules/ContentSecurityPolicyMissingScanRule.java
Outdated
Show resolved
Hide resolved
...src/main/java/org/zaproxy/zap/extension/pscanrules/ContentSecurityPolicyMissingScanRule.java
Show resolved
Hide resolved
Member
|
Needs to be rebased to properly update the changelog. |
thc202
reviewed
Feb 8, 2023
...src/main/java/org/zaproxy/zap/extension/pscanrules/ContentSecurityPolicyMissingScanRule.java
Outdated
Show resolved
Hide resolved
Member
|
You seem to have merged, not rebased. |
Contributor
Author
apparently so; I'll figure out how to get this reset and resubmit. |
Member
|
We are happy to help. |
davidahall
force-pushed
the
main
branch
2 times, most recently
from
305c619 to
0530c81
Compare
added 6 commits
February 14, 2023 18:46
Implementations that followed current guidance with respect to which headers to use would see alerts raised at Low threshold. Now, the alerts reflect the current guidance (ie, don't use the obsolete CSP headers). Signed-off-by: David Hall <[email protected]>
Signed-off-by: David Hall <[email protected]>
Signed-off-by: David Hall <[email protected]>
Signed-off-by: David Hall <[email protected]>
- Obsolete CSP header usage is always flagged, not just at LOW - General refactoring suggested by reviewers Signed-off-by: David Hall <[email protected]>
Signed-off-by: David Hall <[email protected]>
added 4 commits
February 14, 2023 18:46
Signed-off-by: David Hall <[email protected]>
Signed-off-by: David Hall <[email protected]>
Signed-off-by: David Hall <[email protected]>
Signed-off-by: David Hall <[email protected]>
Contributor
Author
|
in my day job, we don't really use forks, so that is new to me. I've found that the best way to learn more about git is to git yourself outta trouble. Hopefully, I didn't hammer it up too badly -- I do see your recent commits in the history on my fork, so there is some reassurance. |
thc202
reviewed
Feb 15, 2023
...src/main/java/org/zaproxy/zap/extension/pscanrules/ContentSecurityPolicyMissingScanRule.java
Outdated
Show resolved
Hide resolved
thc202
reviewed
Feb 15, 2023
...src/main/java/org/zaproxy/zap/extension/pscanrules/ContentSecurityPolicyMissingScanRule.java
Outdated
Show resolved
Hide resolved
kingthorin
reviewed
Feb 15, 2023
.../java/org/zaproxy/zap/extension/pscanrules/ContentSecurityPolicyMissingScanRuleUnitTest.java
Show resolved
Hide resolved
Signed-off-by: David Hall <[email protected]>
kingthorin
approved these changes
Feb 17, 2023
thc202
approved these changes
Feb 23, 2023
Member
|
Thank you! |
Contributor
Author
|
Thank you both; this was an interesting experience |
3 tasks
Member
|
@davidahall how would you like to be credited (e.g. name, handle)? |
Contributor
Author
|
by name, please -- David Hall
On Friday, March 10, 2023 at 01:33:42 PM EST, thc202 ***@***.***> wrote:
@davidahall how would you like to be credited (e.g. name, handle)?
https://www.zaproxy.org/docs/desktop/credits/#zap-extended-team
—
Reply to this email directly, view it on GitHub, or unsubscribe.
You are receiving this because you were mentioned.Message ID: ***@***.***>
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The alerts raised by the Content Security Policy Missing scan rule do not reflect the current guidance in the linked documents. The current guidance is that the X-Content-Security-Policy and X-WebKit-CSP headers are obsolete, and should not be used. However, at Low threshold, absence of these headers results in an alert being raised. I've updated the logic to more accurately reflect the OWASP guidance.
Fix zaproxy/zaproxy#7653.