diff --git a/addOns/ascanrules/CHANGELOG.md b/addOns/ascanrules/CHANGELOG.md
index 5375a59666b..b61c8d72e2f 100644
--- a/addOns/ascanrules/CHANGELOG.md
+++ b/addOns/ascanrules/CHANGELOG.md
@@ -8,6 +8,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 - Updated help with specific Category identifiers for use with the Custom Payloads add-on for rules:
 - Hidden File Finder
 - User Agent Fuzzer
+- Now depends on minimum Common Library version 1.29.0.
+
+### Added
+- Standardized Scan Policy related alert tags on the rule.
 ## [69] - 2024-10-23
 ### Changed
diff --git a/addOns/ascanrules/ascanrules.gradle.kts b/addOns/ascanrules/ascanrules.gradle.kts
index 8e0e66c799f..ccb755602ea 100644
--- a/addOns/ascanrules/ascanrules.gradle.kts
+++ b/addOns/ascanrules/ascanrules.gradle.kts
@@ -13,7 +13,7 @@ zapAddOn {
 dependencies {
 addOns {
 register("commonlib") {
- version.set(">= 1.21.0 & < 2.0.0")
+ version.set(">= 1.29.0 & < 2.0.0")
 }
 register("network") {
 version.set(">= 0.3.0")
diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/BufferOverflowScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/BufferOverflowScanRule.java
index 9092934fe8d..dc2e529d652 100644
--- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/BufferOverflowScanRule.java
+++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/BufferOverflowScanRule.java
@@ -24,6 +24,8 @@
 import java.io.IOException;
 import java.net.UnknownHostException;
+import java.util.Collections;
+import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import org.apache.commons.httpclient.URIException;
@@ -36,6 +38,7 @@
 import org.parosproxy.paros.network.HttpMessage;
 import org.parosproxy.paros.network.HttpResponseHeader;
 import org.zaproxy.addon.commonlib.CommonAlertTag;
+import org.zaproxy.addon.commonlib.PolicyTag;
 import org.zaproxy.zap.model.Tech;
 import org.zaproxy.zap.model.TechSet;
@@ -45,10 +48,18 @@ public class BufferOverflowScanRule extends AbstractAppParamPlugin
 /** Prefix for internationalised messages used by this rule */
 private static final String MESSAGE_PREFIX = "ascanrules.bufferoverflow.";
- private static final Map ALERT_TAGS =
- CommonAlertTag.toMap(
- CommonAlertTag.OWASP_2021_A03_INJECTION,
- CommonAlertTag.OWASP_2017_A01_INJECTION);
+ private static final Map ALERT_TAGS;
+
+ static {
+ Map alertTags =
+ new HashMap<>(
+ CommonAlertTag.toMap(
+ CommonAlertTag.OWASP_2021_A03_INJECTION,
+ CommonAlertTag.OWASP_2017_A01_INJECTION));
+ alertTags.put(PolicyTag.API.getTag(), "");
+ ALERT_TAGS = Collections.unmodifiableMap(alertTags);
+ }
+
 private static final String CONNECTION_CLOSED = "Connection: close";
 private static final int PLUGIN_ID = 30001;
diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/CloudMetadataScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/CloudMetadataScanRule.java
index c1eb9fcaddc..aa37ff7c7f4 100644
--- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/CloudMetadataScanRule.java
+++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/CloudMetadataScanRule.java
@@ -21,6 +21,7 @@
 import java.util.Arrays;
 import java.util.Collections;
+import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import org.apache.logging.log4j.LogManager;
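Review bot: The static initializer that copies CommonAlertTag.toMap() into a HashMap, adds PolicyTag keys with an empty value and wraps the result in Collections.unmodifiableMap is repeated verbatim, differing only in the tag lists, in CloudMetadataScanRule, CodeInjectionScanRule, CommandInjectionScanRule, CrlfInjectionScanRule, CrossSiteScriptingScanRule, DirectoryBrowsingScanRule, ElmahScanRule, EnvFileScanRule, ExternalRedirectScanRule, FormatStringScanRule, GetForPostScanRule, HeartBleedActiveScanRule, HiddenFilesScanRule, HtAccessScanRule, Log4ShellScanRule and PaddingOracleScanRule in this same commit. A single shared helper taking the CommonAlertTag values and the PolicyTag values would reduce each of these blocks to one expression and make any later change to how policy tags are encoded a one-place edit; since the commit already raises the commonlib floor to 1.29.0, that library (if it does not already offer such a helper) or a package-private helper in this add-on would be the natural home. The empty-string value stored for each PolicyTag key is also unexplained; assuming the value is unused for policy tags, a one-line comment at the first `alertTags.put(PolicyTag.API.getTag(), "");` such as `// policy tags are marker keys; the value is not used` would save the next reader the lookup.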
@@ -31,6 +32,7 @@
 import org.parosproxy.paros.core.scanner.Category;
 import org.parosproxy.paros.network.HttpMessage;
 import org.zaproxy.addon.commonlib.CommonAlertTag;
+import org.zaproxy.addon.commonlib.PolicyTag;
 /**
 * Attempts to retrieve cloud metadata by forging the host header and requesting a specific URL. See
@@ -48,10 +50,18 @@ public class CloudMetadataScanRule extends AbstractHostPlugin implements CommonA
 "169.254.169.254", "aws.zaproxy.org", "100.100.100.200", "alibaba.zaproxy.org");
 private static final Logger LOGGER = LogManager.getLogger(CloudMetadataScanRule.class);
- private static final Map ALERT_TAGS =
- CommonAlertTag.toMap(
- CommonAlertTag.OWASP_2021_A05_SEC_MISCONFIG,
- CommonAlertTag.OWASP_2017_A06_SEC_MISCONFIG);
+ private static final Map ALERT_TAGS;
+
+ static {
+ Map alertTags =
+ new HashMap<>(
+ CommonAlertTag.toMap(
+ CommonAlertTag.OWASP_2021_A05_SEC_MISCONFIG,
+ CommonAlertTag.OWASP_2017_A06_SEC_MISCONFIG));
+ alertTags.put(PolicyTag.API.getTag(), "");
+ alertTags.put(PolicyTag.QA_FULL.getTag(), "");
+ ALERT_TAGS = Collections.unmodifiableMap(alertTags);
+ }
 @Override
 public int getId() {
diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/CodeInjectionScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/CodeInjectionScanRule.java
index 6da16e6644a..bd1908c541a 100644
--- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/CodeInjectionScanRule.java
+++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/CodeInjectionScanRule.java
@@ -21,6 +21,8 @@
 import java.io.IOException;
 import java.text.MessageFormat;
+import java.util.Collections;
+import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import java.util.Random;
@@ -32,6 +34,7 @@
 import org.parosproxy.paros.core.scanner.Category;
 import org.parosproxy.paros.network.HttpMessage;
 import org.zaproxy.addon.commonlib.CommonAlertTag;
+import org.zaproxy.addon.commonlib.PolicyTag;
 import org.zaproxy.zap.model.Tech;
 import org.zaproxy.zap.model.TechSet;
@@ -47,11 +50,22 @@ public class CodeInjectionScanRule extends AbstractAppParamPlugin
 /** Prefix for internationalised messages used by this rule */
 private static final String MESSAGE_PREFIX = "ascanrules.codeinjection.";
- private static final Map ALERT_TAGS =
- CommonAlertTag.toMap(
- CommonAlertTag.OWASP_2021_A03_INJECTION,
- CommonAlertTag.OWASP_2017_A01_INJECTION,
- CommonAlertTag.WSTG_V42_INPV_11_CODE_INJ);
+ private static final Map ALERT_TAGS;
+
+ static {
+ Map alertTags =
+ new HashMap<>(
+ CommonAlertTag.toMap(
+ CommonAlertTag.OWASP_2021_A03_INJECTION,
+ CommonAlertTag.OWASP_2017_A01_INJECTION,
+ CommonAlertTag.WSTG_V42_INPV_11_CODE_INJ));
+ alertTags.put(PolicyTag.API.getTag(), "");
+ alertTags.put(PolicyTag.DEV_FULL.getTag(), "");
+ alertTags.put(PolicyTag.QA_STD.getTag(), "");
+ alertTags.put(PolicyTag.QA_FULL.getTag(), "");
+ alertTags.put(PolicyTag.SEQUENCE.getTag(), "");
+ ALERT_TAGS = Collections.unmodifiableMap(alertTags);
+ }
 // PHP control Token used to verify the vulnerability
 private static final String PHP_CONTROL_TOKEN = "zap_token";
diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/CommandInjectionScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/CommandInjectionScanRule.java
index 9442f8200d0..0896ba48d4d 100644
--- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/CommandInjectionScanRule.java
+++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/CommandInjectionScanRule.java
@@ -23,6 +23,8 @@
 import java.io.IOException;
 import java.net.SocketException;
+import java.util.Collections;
+import java.util.HashMap;
 import java.util.Iterator;
 import java.util.LinkedHashMap;
 import java.util.LinkedList;
@@ -42,6 +44,7 @@
 import org.parosproxy.paros.core.scanner.Category;
 import org.parosproxy.paros.network.HttpMessage;
 import org.zaproxy.addon.commonlib.CommonAlertTag;
+import org.zaproxy.addon.commonlib.PolicyTag;
 import org.zaproxy.addon.commonlib.timing.TimingUtils;
 import org.zaproxy.addon.commonlib.vulnerabilities.Vulnerabilities;
 import org.zaproxy.addon.commonlib.vulnerabilities.Vulnerability;
@@ -87,11 +90,24 @@ public class CommandInjectionScanRule extends AbstractAppParamPlugin
 private static final Map WIN_OS_PAYLOADS = new LinkedHashMap<>();
 private static final Map PS_PAYLOADS = new LinkedHashMap<>();
- private static final Map ALERT_TAGS =
- CommonAlertTag.toMap(
- CommonAlertTag.OWASP_2021_A03_INJECTION,
- CommonAlertTag.OWASP_2017_A01_INJECTION,
- CommonAlertTag.WSTG_V42_INPV_12_COMMAND_INJ);
+ private static final Map ALERT_TAGS;
+
+ static {
+ Map alertTags =
+ new HashMap<>(
+ CommonAlertTag.toMap(
+ CommonAlertTag.OWASP_2021_A03_INJECTION,
+ CommonAlertTag.OWASP_2017_A01_INJECTION,
+ CommonAlertTag.WSTG_V42_INPV_12_COMMAND_INJ));
+ alertTags.put(PolicyTag.API.getTag(), "");
+ alertTags.put(PolicyTag.DEV_CICD.getTag(), "");
+ alertTags.put(PolicyTag.DEV_STD.getTag(), "");
+ alertTags.put(PolicyTag.DEV_FULL.getTag(), "");
+ alertTags.put(PolicyTag.QA_STD.getTag(), "");
+ alertTags.put(PolicyTag.QA_FULL.getTag(), "");
+ alertTags.put(PolicyTag.SEQUENCE.getTag(), "");
+ ALERT_TAGS = Collections.unmodifiableMap(alertTags);
+ }
 static {
 // No quote payloads
diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/CrlfInjectionScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/CrlfInjectionScanRule.java
index 0c8365ae909..785bc07ad62 100644
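Review bot: The new static initializer for ALERT_TAGS is placed immediately before the class's existing `static {` block that fills the payload maps (its first line, `// No quote payloads`, is the last context line of the hunk), so the class now has two adjacent static initializers that read as one block accidentally split in two. Either fold the tag setup into the existing block under its own comment, or keep it separate and give it a heading such as `// Alert tags (OWASP/WSTG plus scan-policy membership), built once` so the boundary is intentional. The existing payload block continues outside the hunk.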
--- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/CrlfInjectionScanRule.java
+++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/CrlfInjectionScanRule.java
@@ -30,6 +30,8 @@
 // ZAP: 2020/07/24 Normalise scan rule class names.
 package org.zaproxy.zap.extension.ascanrules;
+import java.util.Collections;
+import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import java.util.UUID;
@@ -41,6 +43,7 @@
 import org.parosproxy.paros.core.scanner.Category;
 import org.parosproxy.paros.network.HttpMessage;
 import org.zaproxy.addon.commonlib.CommonAlertTag;
+import org.zaproxy.addon.commonlib.PolicyTag;
 public class CrlfInjectionScanRule extends AbstractAppParamPlugin
 implements CommonActiveScanRuleInfo {
@@ -48,11 +51,21 @@ public class CrlfInjectionScanRule extends AbstractAppParamPlugin
 /** Prefix for internationalised messages used by this rule */
 private static final String MESSAGE_PREFIX = "ascanrules.crlfinjection.";
- private static final Map ALERT_TAGS =
- CommonAlertTag.toMap(
- CommonAlertTag.OWASP_2021_A03_INJECTION,
- CommonAlertTag.OWASP_2017_A01_INJECTION,
- CommonAlertTag.WSTG_V42_INPV_15_HTTP_SPLITTING);
+ private static final Map ALERT_TAGS;
+
+ static {
+ Map alertTags =
+ new HashMap<>(
+ CommonAlertTag.toMap(
+ CommonAlertTag.OWASP_2021_A03_INJECTION,
+ CommonAlertTag.OWASP_2017_A01_INJECTION,
+ CommonAlertTag.WSTG_V42_INPV_15_HTTP_SPLITTING));
+ alertTags.put(PolicyTag.API.getTag(), "");
+ alertTags.put(PolicyTag.DEV_FULL.getTag(), "");
+ alertTags.put(PolicyTag.QA_FULL.getTag(), "");
+ alertTags.put(PolicyTag.SEQUENCE.getTag(), "");
+ ALERT_TAGS = Collections.unmodifiableMap(alertTags);
+ }
 private String randomString = "Tamper=" + UUID.randomUUID().toString();
 private String cookieTamper1 = "Set-cookie: " + randomString;
diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/CrossSiteScriptingScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/CrossSiteScriptingScanRule.java
index 47e8c2dae57..4bd3a7038b1 100644
--- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/CrossSiteScriptingScanRule.java
+++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/CrossSiteScriptingScanRule.java
@@ -23,6 +23,8 @@
 import java.net.UnknownHostException;
 import java.util.Arrays;
+import java.util.Collections;
+import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import org.apache.commons.httpclient.URIException;
@@ -38,6 +40,7 @@
 import org.parosproxy.paros.network.HttpMessage;
 import org.parosproxy.paros.network.HttpRequestHeader;
 import org.zaproxy.addon.commonlib.CommonAlertTag;
+import org.zaproxy.addon.commonlib.PolicyTag;
 import org.zaproxy.addon.commonlib.http.HttpFieldsNames;
 import org.zaproxy.addon.commonlib.vulnerabilities.Vulnerabilities;
 import org.zaproxy.addon.commonlib.vulnerabilities.Vulnerability;
@@ -50,11 +53,23 @@ public class CrossSiteScriptingScanRule extends AbstractAppParamPlugin
 /** Prefix for internationalised messages used by this rule */
 private static final String MESSAGE_PREFIX = "ascanrules.crosssitescripting.";
- private static final Map ALERT_TAGS =
- CommonAlertTag.toMap(
- CommonAlertTag.OWASP_2021_A03_INJECTION,
- CommonAlertTag.OWASP_2017_A07_XSS,
- CommonAlertTag.WSTG_V42_INPV_01_REFLECTED_XSS);
+ private static final Map ALERT_TAGS;
+
+ static {
+ Map alertTags =
+ new HashMap<>(
+ CommonAlertTag.toMap(
+ CommonAlertTag.OWASP_2021_A03_INJECTION,
+ CommonAlertTag.OWASP_2017_A07_XSS,
+ CommonAlertTag.WSTG_V42_INPV_01_REFLECTED_XSS));
+ alertTags.put(PolicyTag.DEV_CICD.getTag(), "");
+ alertTags.put(PolicyTag.DEV_STD.getTag(), "");
+ alertTags.put(PolicyTag.DEV_FULL.getTag(), "");
+ alertTags.put(PolicyTag.QA_STD.getTag(), "");
+ alertTags.put(PolicyTag.QA_FULL.getTag(), "");
+ alertTags.put(PolicyTag.SEQUENCE.getTag(), "");
+ ALERT_TAGS = Collections.unmodifiableMap(alertTags);
+ }
 protected static final String GENERIC_SCRIPT_ALERT = "";
 protected static final String GENERIC_ONERROR_ALERT = "";
diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/DirectoryBrowsingScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/DirectoryBrowsingScanRule.java
index 5bc72d6f7d0..6365a8f6442 100644
--- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/DirectoryBrowsingScanRule.java
+++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/DirectoryBrowsingScanRule.java
@@ -29,6 +29,8 @@
 package org.zaproxy.zap.extension.ascanrules;
 import java.io.IOException;
+import java.util.Collections;
+import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import java.util.regex.Pattern;
@@ -40,6 +42,7 @@
 import org.parosproxy.paros.core.scanner.Category;
 import org.parosproxy.paros.network.HttpMessage;
 import org.zaproxy.addon.commonlib.CommonAlertTag;
+import org.zaproxy.addon.commonlib.PolicyTag;
 import org.zaproxy.zap.model.Tech;
 public class DirectoryBrowsingScanRule extends AbstractAppPlugin
@@ -48,10 +51,19 @@ public class DirectoryBrowsingScanRule extends AbstractAppPlugin
 /** Prefix for internationalised messages used by this rule */
 private static final String MESSAGE_PREFIX = "ascanrules.directorybrowsing.";
- private static final Map ALERT_TAGS =
- CommonAlertTag.toMap(
- CommonAlertTag.OWASP_2021_A01_BROKEN_AC,
- CommonAlertTag.OWASP_2017_A05_BROKEN_AC);
+ private static final Map ALERT_TAGS;
+
+ static {
+ Map alertTags =
+ new HashMap<>(
+ CommonAlertTag.toMap(
+ CommonAlertTag.OWASP_2021_A01_BROKEN_AC,
+ CommonAlertTag.OWASP_2017_A05_BROKEN_AC));
+ alertTags.put(PolicyTag.API.getTag(), "");
+ alertTags.put(PolicyTag.QA_STD.getTag(), "");
+ alertTags.put(PolicyTag.QA_FULL.getTag(), "");
+ ALERT_TAGS = Collections.unmodifiableMap(alertTags);
+ }
 private static final Pattern patternIIS = Pattern.compile("Parent Directory", PATTERN_PARAM);
 private static final Pattern patternApache =
diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/ElmahScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/ElmahScanRule.java
index 66f1b415c7e..00b320bc585 100644
--- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/ElmahScanRule.java
+++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/ElmahScanRule.java
@@ -19,10 +19,13 @@
 */
 package org.zaproxy.zap.extension.ascanrules;
+import java.util.Collections;
+import java.util.HashMap;
 import java.util.Map;
 import org.parosproxy.paros.network.HttpMessage;
 import org.zaproxy.addon.commonlib.AbstractHostFilePlugin;
 import org.zaproxy.addon.commonlib.CommonAlertTag;
+import org.zaproxy.addon.commonlib.PolicyTag;
 import org.zaproxy.zap.model.Tech;
 import org.zaproxy.zap.model.TechSet;
@@ -35,11 +38,18 @@ public class ElmahScanRule extends AbstractHostFilePlugin implements CommonActiv
 private static final String MESSAGE_PREFIX = "ascanrules.elmah.";
 private static final int PLUGIN_ID = 40028;
- private static final Map ALERT_TAGS =
- CommonAlertTag.toMap(
- CommonAlertTag.OWASP_2021_A05_SEC_MISCONFIG,
- CommonAlertTag.OWASP_2017_A06_SEC_MISCONFIG,
- CommonAlertTag.WSTG_V42_CONF_05_ENUMERATE_INFRASTRUCTURE);
+ private static final Map ALERT_TAGS;
+
+ static {
+ Map alertTags =
+ new HashMap<>(
+ CommonAlertTag.toMap(
+ CommonAlertTag.OWASP_2021_A05_SEC_MISCONFIG,
+ CommonAlertTag.OWASP_2017_A06_SEC_MISCONFIG,
+ CommonAlertTag.WSTG_V42_CONF_05_ENUMERATE_INFRASTRUCTURE));
+ alertTags.put(PolicyTag.QA_FULL.getTag(), "");
+ ALERT_TAGS = Collections.unmodifiableMap(alertTags);
+ }
 public ElmahScanRule() {
 super("/elmah.axd", MESSAGE_PREFIX);
diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/EnvFileScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/EnvFileScanRule.java
index 444c291be47..bdbf8bd5325 100644
--- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/EnvFileScanRule.java
+++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/EnvFileScanRule.java
@@ -19,11 +19,14 @@
 */
 package org.zaproxy.zap.extension.ascanrules;
+import java.util.Collections;
+import java.util.HashMap;
 import java.util.Map;
 import java.util.regex.Pattern;
 import org.parosproxy.paros.network.HttpMessage;
 import org.zaproxy.addon.commonlib.AbstractAppFilePlugin;
 import org.zaproxy.addon.commonlib.CommonAlertTag;
+import org.zaproxy.addon.commonlib.PolicyTag;
 public class EnvFileScanRule extends AbstractAppFilePlugin implements CommonActiveScanRuleInfo {
@@ -35,11 +38,18 @@ public class EnvFileScanRule extends AbstractAppFilePlugin implements CommonActi
 private static final Pattern COMMENT_PATTERN =
 Pattern.compile("^#\\s{0,10}\\w+", Pattern.MULTILINE);
 private static final Pattern KEYVAL_PATTERN = Pattern.compile("^\\w+=\\w+", Pattern.MULTILINE);
- private static final Map ALERT_TAGS =
- CommonAlertTag.toMap(
- CommonAlertTag.OWASP_2021_A05_SEC_MISCONFIG,
- CommonAlertTag.OWASP_2017_A06_SEC_MISCONFIG,
- CommonAlertTag.WSTG_V42_CONF_05_ENUMERATE_INFRASTRUCTURE);
+ private static final Map ALERT_TAGS;
+
+ static {
+ Map alertTags =
+ new HashMap<>(
+ CommonAlertTag.toMap(
+ CommonAlertTag.OWASP_2021_A05_SEC_MISCONFIG,
+ CommonAlertTag.OWASP_2017_A06_SEC_MISCONFIG,
+ CommonAlertTag.WSTG_V42_CONF_05_ENUMERATE_INFRASTRUCTURE));
+ alertTags.put(PolicyTag.QA_FULL.getTag(), "");
+ ALERT_TAGS = Collections.unmodifiableMap(alertTags);
+ }
 public EnvFileScanRule() {
 super(".env", MESSAGE_PREFIX);
diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/ExternalRedirectScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/ExternalRedirectScanRule.java
index 292036d408b..dffcb783894 100644
--- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/ExternalRedirectScanRule.java
+++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/ExternalRedirectScanRule.java
@@ -21,6 +21,8 @@
 import java.io.IOException;
 import java.util.ArrayList;
+import java.util.Collections;
+import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import java.util.UUID;
@@ -41,6 +43,7 @@
 import org.parosproxy.paros.network.HttpHeader;
 import org.parosproxy.paros.network.HttpMessage;
 import org.zaproxy.addon.commonlib.CommonAlertTag;
+import org.zaproxy.addon.commonlib.PolicyTag;
 import org.zaproxy.addon.commonlib.http.HttpFieldsNames;
 import org.zaproxy.addon.commonlib.vulnerabilities.Vulnerabilities;
 import org.zaproxy.addon.commonlib.vulnerabilities.Vulnerability;
@@ -56,11 +59,24 @@ public class ExternalRedirectScanRule extends AbstractAppParamPlugin
 /** Prefix for internationalised messages used by this rule */
 private static final String MESSAGE_PREFIX = "ascanrules.externalredirect.";
- private static final Map ALERT_TAGS =
- CommonAlertTag.toMap(
- CommonAlertTag.OWASP_2021_A03_INJECTION,
- CommonAlertTag.OWASP_2017_A01_INJECTION,
- CommonAlertTag.WSTG_V42_CLNT_04_OPEN_REDIR);
+ private static final Map ALERT_TAGS;
+
+ static {
+ Map alertTags =
+ new HashMap<>(
+ CommonAlertTag.toMap(
+ CommonAlertTag.OWASP_2021_A03_INJECTION,
+ CommonAlertTag.OWASP_2017_A01_INJECTION,
+ CommonAlertTag.WSTG_V42_CLNT_04_OPEN_REDIR));
+ alertTags.put(PolicyTag.API.getTag(), "");
+ alertTags.put(PolicyTag.DEV_CICD.getTag(), "");
+ alertTags.put(PolicyTag.DEV_STD.getTag(), "");
+ alertTags.put(PolicyTag.DEV_FULL.getTag(), "");
+ alertTags.put(PolicyTag.QA_STD.getTag(), "");
+ alertTags.put(PolicyTag.QA_FULL.getTag(), "");
+ alertTags.put(PolicyTag.SEQUENCE.getTag(), "");
+ ALERT_TAGS = Collections.unmodifiableMap(alertTags);
+ }
 private static final int PLUGIN_ID = 20019;
diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/FormatStringScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/FormatStringScanRule.java
index fdeb28aad5f..a96a4281af9 100644
--- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/FormatStringScanRule.java
+++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/FormatStringScanRule.java
@@ -41,6 +41,8 @@
 import java.io.IOException;
 import java.net.UnknownHostException;
+import java.util.Collections;
+import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import org.apache.commons.httpclient.URIException;
@@ -52,6 +54,7 @@
 import org.parosproxy.paros.core.scanner.Category;
 import org.parosproxy.paros.network.HttpMessage;
 import org.zaproxy.addon.commonlib.CommonAlertTag;
+import org.zaproxy.addon.commonlib.PolicyTag;
 import org.zaproxy.zap.model.Tech;
 import org.zaproxy.zap.model.TechSet;
 import org.zaproxy.zap.network.HttpResponseBody;
@@ -62,10 +65,18 @@ public class FormatStringScanRule extends AbstractAppParamPlugin
 /** Prefix for internationalised messages used by this rule */
 private static final String MESSAGE_PREFIX = "ascanrules.formatstring.";
- private static final Map ALERT_TAGS =
- CommonAlertTag.toMap(
- CommonAlertTag.OWASP_2021_A03_INJECTION,
- CommonAlertTag.OWASP_2017_A01_INJECTION);
+ private static final Map ALERT_TAGS;
+
+ static {
+ Map alertTags =
+ new HashMap<>(
+ CommonAlertTag.toMap(
+ CommonAlertTag.OWASP_2021_A03_INJECTION,
+ CommonAlertTag.OWASP_2017_A01_INJECTION));
+ alertTags.put(PolicyTag.API.getTag(), "");
+ alertTags.put(PolicyTag.QA_FULL.getTag(), "");
+ ALERT_TAGS = Collections.unmodifiableMap(alertTags);
+ }
 private static final int PLUGIN_ID = 30002;
 private static final Logger LOGGER = LogManager.getLogger(FormatStringScanRule.class);
diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/GetForPostScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/GetForPostScanRule.java
index 41231f4c911..83216e17c60 100644
--- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/GetForPostScanRule.java
+++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/GetForPostScanRule.java
@@ -20,6 +20,8 @@
 package org.zaproxy.zap.extension.ascanrules;
 import java.io.IOException;
+import java.util.Collections;
+import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import java.util.TreeSet;
@@ -33,6 +35,7 @@
 import org.parosproxy.paros.network.HttpMessage;
 import org.parosproxy.paros.network.HttpRequestHeader;
 import org.zaproxy.addon.commonlib.CommonAlertTag;
+import org.zaproxy.addon.commonlib.PolicyTag;
 import org.zaproxy.addon.commonlib.http.ComparableResponse;
 /**
@@ -47,11 +50,19 @@ public class GetForPostScanRule extends AbstractAppPlugin implements CommonActiv
 // The required similarity ratio to consider GET and POST responses to be the same.
 private static final double REQUIRED_SIMILARITY = 0.95;
- private static final Map ALERT_TAGS =
- CommonAlertTag.toMap(
- CommonAlertTag.OWASP_2021_A04_INSECURE_DESIGN,
- CommonAlertTag.OWASP_2017_A06_SEC_MISCONFIG,
- CommonAlertTag.WSTG_V42_CONF_06_HTTP_METHODS);
+ private static final Map ALERT_TAGS;
+
+ static {
+ Map alertTags =
+ new HashMap<>(
+ CommonAlertTag.toMap(
+ CommonAlertTag.OWASP_2021_A04_INSECURE_DESIGN,
+ CommonAlertTag.OWASP_2017_A06_SEC_MISCONFIG,
+ CommonAlertTag.WSTG_V42_CONF_06_HTTP_METHODS));
+ alertTags.put(PolicyTag.QA_STD.getTag(), "");
+ alertTags.put(PolicyTag.QA_FULL.getTag(), "");
+ ALERT_TAGS = Collections.unmodifiableMap(alertTags);
+ }
 @Override
 public int getId() {
diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/HeartBleedActiveScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/HeartBleedActiveScanRule.java
index 61ce9715c99..f4c16153644 100644
--- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/HeartBleedActiveScanRule.java
+++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/HeartBleedActiveScanRule.java
@@ -26,6 +26,7 @@
 import java.net.Socket;
 import java.net.SocketTimeoutException;
 import java.nio.ByteBuffer;
+import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@@ -37,6 +38,7 @@
 import org.parosproxy.paros.core.scanner.Alert;
 import org.parosproxy.paros.core.scanner.Category;
 import org.zaproxy.addon.commonlib.CommonAlertTag;
+import org.zaproxy.addon.commonlib.PolicyTag;
 /**
 * A class to actively check if the web server is vulnerable to the HeartBleed OpenSSL vulnerability
@@ -58,15 +60,18 @@ public class HeartBleedActiveScanRule extends AbstractHostPlugin
 private static final String MESSAGE_PREFIX = "ascanrules.heartbleed.";
 private static final String CVE = "CVE-2014-0160";
- private static final Map ALERT_TAGS = new HashMap<>();
+ private static final Map ALERT_TAGS;
 static {
- ALERT_TAGS.putAll(
- CommonAlertTag.toMap(
- CommonAlertTag.OWASP_2021_A06_VULN_COMP,
- CommonAlertTag.OWASP_2017_A09_VULN_COMP,
- CommonAlertTag.WSTG_V42_CRYP_01_TLS));
- CommonAlertTag.putCve(ALERT_TAGS, CVE);
+ Map alertTags =
+ new HashMap<>(
+ CommonAlertTag.toMap(
+ CommonAlertTag.OWASP_2021_A06_VULN_COMP,
+ CommonAlertTag.OWASP_2017_A09_VULN_COMP,
+ CommonAlertTag.WSTG_V42_CRYP_01_TLS));
+ CommonAlertTag.putCve(alertTags, CVE);
+ alertTags.put(PolicyTag.QA_FULL.getTag(), "");
+ ALERT_TAGS = Collections.unmodifiableMap(alertTags);
 }
 static final byte handShakeClientHello = 0x01;
diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/HiddenFilesScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/HiddenFilesScanRule.java
index ed3014b2173..2e7b6e467ac 100644
--- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/HiddenFilesScanRule.java
+++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/HiddenFilesScanRule.java
@@ -26,6 +26,7 @@
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collections;
+import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import java.util.function.Supplier;
@@ -46,6 +47,7 @@
 import org.parosproxy.paros.network.HttpRequestHeader;
 import org.parosproxy.paros.network.HttpStatusCode;
 import org.zaproxy.addon.commonlib.CommonAlertTag;
+import org.zaproxy.addon.commonlib.PolicyTag;
 import org.zaproxy.addon.commonlib.http.HttpFieldsNames;
 /**
@@ -64,11 +66,19 @@ public class HiddenFilesScanRule extends AbstractHostPlugin implements CommonAct
 private static final String MESSAGE_PREFIX = "ascanrules.hidden.files.";
 private static final int PLUGIN_ID = 40035;
 private static final Logger LOGGER = LogManager.getLogger(HiddenFilesScanRule.class);
- private static final Map ALERT_TAGS =
- CommonAlertTag.toMap(
- CommonAlertTag.OWASP_2021_A05_SEC_MISCONFIG,
- CommonAlertTag.OWASP_2017_A06_SEC_MISCONFIG,
- CommonAlertTag.WSTG_V42_CONF_05_ENUMERATE_INFRASTRUCTURE);
+ private static final Map ALERT_TAGS;
+
+ static {
+ Map alertTags =
+ new HashMap<>(
+ CommonAlertTag.toMap(
+ CommonAlertTag.OWASP_2021_A05_SEC_MISCONFIG,
+ CommonAlertTag.OWASP_2017_A06_SEC_MISCONFIG,
+ CommonAlertTag.WSTG_V42_CONF_05_ENUMERATE_INFRASTRUCTURE));
+ alertTags.put(PolicyTag.QA_FULL.getTag(), "");
+ ALERT_TAGS = Collections.unmodifiableMap(alertTags);
+ }
+
 static final String PAYLOADS_FILE_PATH = "json/hidden_files.json";
 static final String DEFAULT_PAYLOAD_PATH =
 Constant.getZapHome() + File.separator + PAYLOADS_FILE_PATH;
diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/HtAccessScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/HtAccessScanRule.java
index ebb11a2d7e7..05e145cbccb 100644
--- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/HtAccessScanRule.java
+++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/HtAccessScanRule.java
@@ -19,6 +19,8 @@
 */
 package org.zaproxy.zap.extension.ascanrules;
+import java.util.Collections;
+import java.util.HashMap;
 import java.util.List;
 import java.util.Locale;
 import java.util.Map;
@@ -27,6 +29,7 @@
 import org.parosproxy.paros.network.HttpMessage;
 import org.zaproxy.addon.commonlib.AbstractAppFilePlugin;
 import org.zaproxy.addon.commonlib.CommonAlertTag;
+import org.zaproxy.addon.commonlib.PolicyTag;
 import org.zaproxy.zap.model.Tech;
 import org.zaproxy.zap.model.TechSet;
@@ -35,11 +38,18 @@ public class HtAccessScanRule extends AbstractAppFilePlugin implements CommonAct
 private static final String MESSAGE_PREFIX = "ascanrules.htaccess.";
 private static final int PLUGIN_ID = 40032;
- private static final Map ALERT_TAGS =
- CommonAlertTag.toMap(
- CommonAlertTag.OWASP_2021_A05_SEC_MISCONFIG,
- CommonAlertTag.OWASP_2017_A06_SEC_MISCONFIG,
- CommonAlertTag.WSTG_V42_CONF_05_ENUMERATE_INFRASTRUCTURE);
+ private static final Map ALERT_TAGS;
+
+ static {
+ Map alertTags =
+ new HashMap<>(
+ CommonAlertTag.toMap(
+ CommonAlertTag.OWASP_2021_A05_SEC_MISCONFIG,
+ CommonAlertTag.OWASP_2017_A06_SEC_MISCONFIG,
+ CommonAlertTag.WSTG_V42_CONF_05_ENUMERATE_INFRASTRUCTURE));
+ alertTags.put(PolicyTag.QA_FULL.getTag(), "");
+ ALERT_TAGS = Collections.unmodifiableMap(alertTags);
+ }
 private static final int TEN_K = 10 * 1024;
diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/Log4ShellScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/Log4ShellScanRule.java
index c81ee84adc0..fb7507dce6f 100644
--- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/Log4ShellScanRule.java
+++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/Log4ShellScanRule.java
@@ -21,6 +21,7 @@
 import java.io.IOException;
 import java.util.Arrays;
+import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@@ -33,6 +34,7 @@
 import org.parosproxy.paros.core.scanner.Category;
 import org.parosproxy.paros.network.HttpMessage;
 import org.zaproxy.addon.commonlib.CommonAlertTag;
+import org.zaproxy.addon.commonlib.PolicyTag;
 import org.zaproxy.addon.oast.ExtensionOast;
 import org.zaproxy.zap.model.Tech;
 import org.zaproxy.zap.model.TechSet;
@@ -43,6 +45,24 @@ public class Log4ShellScanRule extends AbstractAppParamPlugin implements CommonA
 private static final String PREFIX = "ascanrules.log4shell.";
 private static final String PREFIX_CVE44228 = PREFIX + "cve44228.";
 private static final String PREFIX_CVE45046 = PREFIX + "cve45046.";
+ protected static final String CVE_44228 = "CVE-2021-44228";
+ protected static final String CVE_45046 = "CVE-2021-45046";
+ private static final Map ALERT_TAGS;
+
+ static {
+ Map alertTags =
+ new HashMap<>(
+ CommonAlertTag.toMap(
+ CommonAlertTag.OWASP_2021_A06_VULN_COMP,
+ CommonAlertTag.OWASP_2017_A09_VULN_COMP,
+ CommonAlertTag.WSTG_V42_INPV_11_CODE_INJ));
+ alertTags.put(ExtensionOast.OAST_ALERT_TAG_KEY, ExtensionOast.OAST_ALERT_TAG_VALUE);
+ CommonAlertTag.putCve(alertTags, CVE_44228);
+ CommonAlertTag.putCve(alertTags, CVE_45046);
+ alertTags.put(PolicyTag.QA_FULL.getTag(), "");
+ ALERT_TAGS = Collections.unmodifiableMap(alertTags);
+ }
+
 private static final String[] ATTACK_PATTERNS_CVE44228 = {
 "${jndi:ldap://{0}/abc}",
 "${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://{0}/abc}",
@@ -62,8 +82,6 @@ public class Log4ShellScanRule extends AbstractAppParamPlugin implements CommonA
 };
 protected static final int ATTACK_PATTERN_COUNT =
 ATTACK_PATTERNS_CVE44228.length + ATTACK_PATTERNS_CVE45046.length;
- private static final String CVE_44228 = "CVE-2021-44228";
- private static final String CVE_45046 = "CVE-2021-45046";
 @Override
 public int getId() {
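Review bot: CVE_44228 and CVE_45046 are moved ahead of the new static block (required, since the initializer reads them) but their visibility is widened from `private` to `protected` at the same time, and nothing in the change says why. If the wider access is for a test in the same package, package-private (no modifier) is the narrower choice; `protected` additionally exposes the constants to subclasses in any package. If subclasses elsewhere genuinely need them, a short Javadoc on the pair, e.g. `/** CVE identifiers for the two alert variants; exposed for subclasses and tests. */`, would stop the next reader from narrowing them again.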
@@ -107,16 +125,7 @@ public int getRisk() { @Override public Map getAlertTags() { - Map alertTags = - new HashMap<>( - CommonAlertTag.toMap( - CommonAlertTag.OWASP_2021_A06_VULN_COMP, - CommonAlertTag.OWASP_2017_A09_VULN_COMP, - CommonAlertTag.WSTG_V42_INPV_11_CODE_INJ)); - alertTags.put(ExtensionOast.OAST_ALERT_TAG_KEY, ExtensionOast.OAST_ALERT_TAG_VALUE); - CommonAlertTag.putCve(alertTags, CVE_44228); - CommonAlertTag.putCve(alertTags, CVE_45046); - return alertTags; + return ALERT_TAGS; } @Override @@ -169,6 +178,7 @@ private void scanWithPayloads(String param, String[] attackPatterns, String aler } private AlertBuilder newCustomAlert(String alertPrefix) { + Map alertTags = new HashMap<>(getAlertTags()); return newAlert() .setName(Constant.messages.getString(alertPrefix + "name")) .setDescription(Constant.messages.getString(alertPrefix + "desc")) @@ -176,7 +186,7 @@ private AlertBuilder newCustomAlert(String alertPrefix) { .setReference(Constant.messages.getString(alertPrefix + "refs")) .setConfidence(Alert.CONFIDENCE_MEDIUM) .setAlertRef(PREFIX_CVE44228.equals(alertPrefix) ? getId() + "-1" : getId() + "-2") - .setTags(getAlertTags()) + .setTags(alertTags) .removeTag(PREFIX_CVE44228.equals(alertPrefix) ? CVE_45046 : CVE_44228); } diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/PaddingOracleScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/PaddingOracleScanRule.java index 2cda7d20c4c..d12db465b14 100644 --- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/PaddingOracleScanRule.java +++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/PaddingOracleScanRule.java @@ -20,6 +20,8 @@ package org.zaproxy.zap.extension.ascanrules; import java.io.IOException; +import java.util.Collections; +import java.util.HashMap; import java.util.List; import java.util.Map; import java.util.regex.Pattern; 
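Review bot: The copy `Map alertTags = new HashMap<>(getAlertTags());` added to `newCustomAlert` is presumably the only thing keeping the chained `.removeTag(...)` from throwing `UnsupportedOperationException`, since `getAlertTags()` now returns the shared unmodifiable `ALERT_TAGS` instead of a fresh map, but that dependency is not stated; a comment on the new line, `// copy: getAlertTags() is read-only and removeTag() needs a mutable map`, would stop someone from "simplifying" it away later. Whether `AlertBuilder.setTags` stores the map it is handed or copies it is not visible here, so any other code that mutates this rule's tags after `setTags` should be checked for the same failure. `newCustomAlert` ends inside the `@@ -176,7 +186,7` hunk.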
@@ -34,6 +36,7 @@ import org.parosproxy.paros.core.scanner.Category; import org.parosproxy.paros.network.HttpMessage; import org.zaproxy.addon.commonlib.CommonAlertTag; +import org.zaproxy.addon.commonlib.PolicyTag; /** * @author yhawke (2014) @@ -51,11 +54,18 @@ public class PaddingOracleScanRule extends AbstractAppParamPlugin "cryptographicexception", "crypto" }; - private static final Map ALERT_TAGS = - CommonAlertTag.toMap( - CommonAlertTag.OWASP_2021_A02_CRYPO_FAIL, - CommonAlertTag.OWASP_2017_A06_SEC_MISCONFIG, - CommonAlertTag.WSTG_V42_CRYP_02_PADDING_ORACLE); + private static final Map ALERT_TAGS; + + static { + Map alertTags = + new HashMap<>( + CommonAlertTag.toMap( + CommonAlertTag.OWASP_2021_A02_CRYPO_FAIL, + CommonAlertTag.OWASP_2017_A06_SEC_MISCONFIG, + CommonAlertTag.WSTG_V42_CRYP_02_PADDING_ORACLE)); + alertTags.put(PolicyTag.QA_FULL.getTag(), ""); + ALERT_TAGS = Collections.unmodifiableMap(alertTags); + } // Logger object private static final Logger LOGGER = LogManager.getLogger(PaddingOracleScanRule.class); diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/ParameterTamperScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/ParameterTamperScanRule.java index 8c12d1a942f..91b4db9d5a8 100644 --- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/ParameterTamperScanRule.java +++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/ParameterTamperScanRule.java @@ -33,6 +33,8 @@ import java.net.SocketException; import java.net.UnknownHostException; +import java.util.Collections; +import java.util.HashMap; import java.util.List; import java.util.Map; import java.util.regex.Pattern; 
@@ -46,6 +48,7 @@ import org.parosproxy.paros.core.scanner.Category; import org.parosproxy.paros.network.HttpMessage; import org.zaproxy.addon.commonlib.CommonAlertTag; +import org.zaproxy.addon.commonlib.PolicyTag; public class ParameterTamperScanRule extends AbstractAppParamPlugin implements CommonActiveScanRuleInfo { @@ -53,10 +56,19 @@ public class ParameterTamperScanRule extends AbstractAppParamPlugin /** Prefix for internationalised messages used by this rule */ private static final String MESSAGE_PREFIX = "ascanrules.parametertamper."; - private static final Map ALERT_TAGS = - CommonAlertTag.toMap( - CommonAlertTag.OWASP_2021_A04_INSECURE_DESIGN, - CommonAlertTag.OWASP_2017_A01_INJECTION); + private static final Map ALERT_TAGS; + + static { + Map alertTags = + new HashMap<>( + CommonAlertTag.toMap( + CommonAlertTag.OWASP_2021_A04_INSECURE_DESIGN, + CommonAlertTag.OWASP_2017_A01_INJECTION)); + alertTags.put(PolicyTag.API.getTag(), ""); + alertTags.put(PolicyTag.DEV_FULL.getTag(), ""); + alertTags.put(PolicyTag.QA_FULL.getTag(), ""); + ALERT_TAGS = Collections.unmodifiableMap(alertTags); + } // private static final String[] PARAM_LIST = {"", "@", "+", "%A", "%1Z", "%", "%00", "|"}; // problem sending "%A", "%1Z" to server - assume server can handle properly on this. diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/PathTraversalScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/PathTraversalScanRule.java index 18888009c67..99f8eea49e4 100644 --- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/PathTraversalScanRule.java +++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/PathTraversalScanRule.java @@ -25,6 +25,8 @@ import java.net.SocketException; import java.net.UnknownHostException; import java.util.ArrayList; +import java.util.Collections; +import java.util.HashMap; import java.util.List; import java.util.Map; import java.util.regex.Matcher; 
@@ -40,6 +42,7 @@ import org.parosproxy.paros.core.scanner.Category; import org.parosproxy.paros.network.HttpMessage; import org.zaproxy.addon.commonlib.CommonAlertTag; +import org.zaproxy.addon.commonlib.PolicyTag; import org.zaproxy.addon.commonlib.vulnerabilities.Vulnerabilities; import org.zaproxy.addon.commonlib.vulnerabilities.Vulnerability; import org.zaproxy.addon.network.common.ZapSocketTimeoutException; @@ -54,11 +57,22 @@ public class PathTraversalScanRule extends AbstractAppParamPlugin */ private static final String MESSAGE_PREFIX = "ascanrules.pathtraversal."; - private static final Map ALERT_TAGS = - CommonAlertTag.toMap( - CommonAlertTag.OWASP_2021_A01_BROKEN_AC, - CommonAlertTag.OWASP_2017_A05_BROKEN_AC, - CommonAlertTag.WSTG_V42_ATHZ_01_DIR_TRAVERSAL); + private static final Map ALERT_TAGS; + + static { + Map alertTags = + new HashMap<>( + CommonAlertTag.toMap( + CommonAlertTag.OWASP_2021_A01_BROKEN_AC, + CommonAlertTag.OWASP_2017_A05_BROKEN_AC, + CommonAlertTag.WSTG_V42_ATHZ_01_DIR_TRAVERSAL)); + alertTags.put(PolicyTag.DEV_STD.getTag(), ""); + alertTags.put(PolicyTag.DEV_FULL.getTag(), ""); + alertTags.put(PolicyTag.QA_STD.getTag(), ""); + alertTags.put(PolicyTag.QA_FULL.getTag(), ""); + alertTags.put(PolicyTag.SEQUENCE.getTag(), ""); + ALERT_TAGS = Collections.unmodifiableMap(alertTags); + } private static final String NON_EXISTANT_FILENAME = "thishouldnotexistandhopefullyitwillnot"; diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/PersistentXssPrimeScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/PersistentXssPrimeScanRule.java index ebeba265180..5d6ff09b957 100644 --- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/PersistentXssPrimeScanRule.java +++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/PersistentXssPrimeScanRule.java 
@@ -19,6 +19,9 @@ */ package org.zaproxy.zap.extension.ascanrules; +import java.util.Collections; +import java.util.HashMap; +import java.util.Map; import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; import org.parosproxy.paros.Constant; @@ -26,6 +29,8 @@ import org.parosproxy.paros.core.scanner.Alert; import org.parosproxy.paros.core.scanner.Category; import org.parosproxy.paros.network.HttpMessage; +import org.zaproxy.addon.commonlib.CommonAlertTag; +import org.zaproxy.addon.commonlib.PolicyTag; import org.zaproxy.addon.commonlib.SourceSinkUtils; public class PersistentXssPrimeScanRule extends AbstractAppParamPlugin @@ -35,6 +40,20 @@ public class PersistentXssPrimeScanRule extends AbstractAppParamPlugin private static final String MESSAGE_PREFIX = "ascanrules.persistentxssprime."; private static final Logger LOGGER = LogManager.getLogger(PersistentXssPrimeScanRule.class); + private static final Map ALERT_TAGS; + + static { + Map alertTags = + new HashMap<>( + CommonAlertTag.toMap( + CommonAlertTag.OWASP_2021_A03_INJECTION, + CommonAlertTag.OWASP_2017_A07_XSS, + CommonAlertTag.WSTG_V42_INPV_02_STORED_XSS)); + alertTags.put(PolicyTag.DEV_FULL.getTag(), ""); + alertTags.put(PolicyTag.QA_STD.getTag(), ""); + alertTags.put(PolicyTag.QA_FULL.getTag(), ""); + ALERT_TAGS = Collections.unmodifiableMap(alertTags); + } @Override public int getId() { @@ -97,4 +116,9 @@ public int getWascId() { public String getHelpLink() { return getHelpLink(40014); } + + @Override + public Map getAlertTags() { + return ALERT_TAGS; + } } diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/PersistentXssScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/PersistentXssScanRule.java index 0bbd572b771..15797aca0c7 100644 --- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/PersistentXssScanRule.java 
+++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/PersistentXssScanRule.java @@ -20,6 +20,8 @@ package org.zaproxy.zap.extension.ascanrules; import java.util.Arrays; +import java.util.Collections; +import java.util.HashMap; import java.util.List; import java.util.Map; import java.util.Set; @@ -35,6 +37,7 @@ import org.parosproxy.paros.network.HttpMessage; import org.parosproxy.paros.network.HttpRequestHeader; import org.zaproxy.addon.commonlib.CommonAlertTag; +import org.zaproxy.addon.commonlib.PolicyTag; import org.zaproxy.addon.commonlib.SourceSinkUtils; import org.zaproxy.addon.commonlib.http.HttpFieldsNames; import org.zaproxy.addon.commonlib.vulnerabilities.Vulnerabilities; @@ -48,11 +51,20 @@ public class PersistentXssScanRule extends AbstractAppParamPlugin /** Prefix for internationalised messages used by this rule */ private static final String MESSAGE_PREFIX = "ascanrules.persistentxssattack."; - private static final Map ALERT_TAGS = - CommonAlertTag.toMap( - CommonAlertTag.OWASP_2021_A03_INJECTION, - CommonAlertTag.OWASP_2017_A07_XSS, - CommonAlertTag.WSTG_V42_INPV_02_STORED_XSS); + private static final Map ALERT_TAGS; + + static { + Map alertTags = + new HashMap<>( + CommonAlertTag.toMap( + CommonAlertTag.OWASP_2021_A03_INJECTION, + CommonAlertTag.OWASP_2017_A07_XSS, + CommonAlertTag.WSTG_V42_INPV_02_STORED_XSS)); + alertTags.put(PolicyTag.DEV_FULL.getTag(), ""); + alertTags.put(PolicyTag.QA_STD.getTag(), ""); + alertTags.put(PolicyTag.QA_FULL.getTag(), ""); + ALERT_TAGS = Collections.unmodifiableMap(alertTags); + } private static final String GENERIC_SCRIPT_ALERT = ""; private static final List GET_POST_TYPES = diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/PersistentXssSpiderScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/PersistentXssSpiderScanRule.java index 34e9a6b9ac0..9d1708baf75 100644 
--- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/PersistentXssSpiderScanRule.java +++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/PersistentXssSpiderScanRule.java @@ -19,6 +19,9 @@ */ package org.zaproxy.zap.extension.ascanrules; +import java.util.Collections; +import java.util.HashMap; +import java.util.Map; import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; import org.parosproxy.paros.Constant; @@ -26,6 +29,8 @@ import org.parosproxy.paros.core.scanner.Alert; import org.parosproxy.paros.core.scanner.Category; import org.parosproxy.paros.network.HttpMessage; +import org.zaproxy.addon.commonlib.CommonAlertTag; +import org.zaproxy.addon.commonlib.PolicyTag; import org.zaproxy.addon.commonlib.SourceSinkUtils; public class PersistentXssSpiderScanRule extends AbstractAppPlugin @@ -35,6 +40,20 @@ public class PersistentXssSpiderScanRule extends AbstractAppPlugin private static final String MESSAGE_PREFIX = "ascanrules.persistentxssspider."; private static final Logger LOGGER = LogManager.getLogger(PersistentXssSpiderScanRule.class); + private static final Map ALERT_TAGS; + + static { + Map alertTags = + new HashMap<>( + CommonAlertTag.toMap( + CommonAlertTag.OWASP_2021_A03_INJECTION, + CommonAlertTag.OWASP_2017_A07_XSS, + CommonAlertTag.WSTG_V42_INPV_02_STORED_XSS)); + alertTags.put(PolicyTag.DEV_FULL.getTag(), ""); + alertTags.put(PolicyTag.QA_STD.getTag(), ""); + alertTags.put(PolicyTag.QA_FULL.getTag(), ""); + ALERT_TAGS = Collections.unmodifiableMap(alertTags); + } @Override public int getId() { @@ -104,4 +123,9 @@ public int getWascId() { public String getHelpLink() { return getHelpLink(40014); } + + @Override + public Map getAlertTags() { + return ALERT_TAGS; + } } 
diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/RemoteCodeExecutionCve20121823ScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/RemoteCodeExecutionCve20121823ScanRule.java index 3fa1fc6c51b..9ad0fd2e24a 100644 --- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/RemoteCodeExecutionCve20121823ScanRule.java +++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/RemoteCodeExecutionCve20121823ScanRule.java @@ -19,6 +19,7 @@ */ package org.zaproxy.zap.extension.ascanrules; +import java.util.Collections; import java.util.HashMap; import java.util.List; import java.util.Map; @@ -34,6 +35,7 @@ import org.parosproxy.paros.network.HttpMessage; import org.parosproxy.paros.network.HttpRequestHeader; import org.zaproxy.addon.commonlib.CommonAlertTag; +import org.zaproxy.addon.commonlib.PolicyTag; import org.zaproxy.addon.commonlib.vulnerabilities.Vulnerabilities; import org.zaproxy.addon.commonlib.vulnerabilities.Vulnerability; import org.zaproxy.zap.model.Tech; 
@@ -72,15 +74,18 @@ public class RemoteCodeExecutionCve20121823ScanRule extends AbstractAppPlugin private static final String NIX_PAYLOAD = PAYLOAD_BOILERPLATE.replace("<<<>>>", "echo " + RANDOM_STRING); private static final String CVE = "CVE-2012-1823"; - private static final Map ALERT_TAGS = new HashMap<>(); + private static final Map ALERT_TAGS; static { - ALERT_TAGS.putAll( - CommonAlertTag.toMap( - CommonAlertTag.OWASP_2021_A06_VULN_COMP, - CommonAlertTag.OWASP_2017_A09_VULN_COMP, - CommonAlertTag.WSTG_V42_INPV_12_COMMAND_INJ)); - CommonAlertTag.putCve(ALERT_TAGS, CVE); + Map alertTags = + new HashMap<>( + CommonAlertTag.toMap( + CommonAlertTag.OWASP_2021_A06_VULN_COMP, + CommonAlertTag.OWASP_2017_A09_VULN_COMP, + CommonAlertTag.WSTG_V42_INPV_12_COMMAND_INJ)); + CommonAlertTag.putCve(alertTags, CVE); + alertTags.put(PolicyTag.QA_FULL.getTag(), ""); + ALERT_TAGS = Collections.unmodifiableMap(alertTags); } @Override diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/RemoteFileIncludeScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/RemoteFileIncludeScanRule.java index 65636b12624..60ac34b7d70 100644 --- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/RemoteFileIncludeScanRule.java +++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/RemoteFileIncludeScanRule.java @@ -22,6 +22,8 @@ import static org.zaproxy.zap.extension.ascanrules.utils.Constants.NULL_BYTE_CHARACTER; import java.net.UnknownHostException; +import java.util.Collections; +import java.util.HashMap; import java.util.List; import java.util.Map; import java.util.regex.Matcher; 
@@ -34,6 +36,7 @@ import org.parosproxy.paros.core.scanner.Category; import org.parosproxy.paros.network.HttpMessage; import org.zaproxy.addon.commonlib.CommonAlertTag; +import org.zaproxy.addon.commonlib.PolicyTag; import org.zaproxy.addon.commonlib.vulnerabilities.Vulnerabilities; import org.zaproxy.addon.commonlib.vulnerabilities.Vulnerability; @@ -44,11 +47,23 @@ public class RemoteFileIncludeScanRule extends AbstractAppParamPlugin /** Prefix for internationalised messages used by this rule */ private static final String MESSAGE_PREFIX = "ascanrules.remotefileinclude."; - private static final Map ALERT_TAGS = - CommonAlertTag.toMap( - CommonAlertTag.OWASP_2021_A03_INJECTION, - CommonAlertTag.OWASP_2017_A01_INJECTION, - CommonAlertTag.WSTG_V42_INPV_11_CODE_INJ); + private static final Map ALERT_TAGS; + + static { + Map alertTags = + new HashMap<>( + CommonAlertTag.toMap( + CommonAlertTag.OWASP_2021_A03_INJECTION, + CommonAlertTag.OWASP_2017_A01_INJECTION, + CommonAlertTag.WSTG_V42_INPV_11_CODE_INJ)); + alertTags.put(PolicyTag.API.getTag(), ""); + alertTags.put(PolicyTag.DEV_STD.getTag(), ""); + alertTags.put(PolicyTag.DEV_FULL.getTag(), ""); + alertTags.put(PolicyTag.QA_STD.getTag(), ""); + alertTags.put(PolicyTag.QA_FULL.getTag(), ""); + alertTags.put(PolicyTag.SEQUENCE.getTag(), ""); + ALERT_TAGS = Collections.unmodifiableMap(alertTags); + } /** the various prefixes to try, for each of the remote file targets below */ private static final String[] REMOTE_FILE_TARGET_PREFIXES = { diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/ServerSideIncludeScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/ServerSideIncludeScanRule.java index 274e94b7f46..ce932922b4f 100644 --- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/ServerSideIncludeScanRule.java +++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/ServerSideIncludeScanRule.java 
@@ -30,6 +30,8 @@ package org.zaproxy.zap.extension.ascanrules; import java.io.IOException; +import java.util.Collections; +import java.util.HashMap; import java.util.List; import java.util.Map; import java.util.regex.Pattern; @@ -41,6 +43,7 @@ import org.parosproxy.paros.core.scanner.Category; import org.parosproxy.paros.network.HttpMessage; import org.zaproxy.addon.commonlib.CommonAlertTag; +import org.zaproxy.addon.commonlib.PolicyTag; import org.zaproxy.zap.model.Tech; import org.zaproxy.zap.model.TechSet; @@ -49,11 +52,22 @@ public class ServerSideIncludeScanRule extends AbstractAppParamPlugin private static final Logger LOGGER = LogManager.getLogger(ServerSideIncludeScanRule.class); - private static final Map ALERT_TAGS = - CommonAlertTag.toMap( - CommonAlertTag.OWASP_2021_A03_INJECTION, - CommonAlertTag.OWASP_2017_A01_INJECTION, - CommonAlertTag.WSTG_V42_INPV_11_CODE_INJ); + private static final Map ALERT_TAGS; + + static { + Map alertTags = + new HashMap<>( + CommonAlertTag.toMap( + CommonAlertTag.OWASP_2021_A03_INJECTION, + CommonAlertTag.OWASP_2017_A01_INJECTION, + CommonAlertTag.WSTG_V42_INPV_11_CODE_INJ)); + alertTags.put(PolicyTag.API.getTag(), ""); + alertTags.put(PolicyTag.DEV_STD.getTag(), ""); + alertTags.put(PolicyTag.DEV_FULL.getTag(), ""); + alertTags.put(PolicyTag.QA_STD.getTag(), ""); + alertTags.put(PolicyTag.QA_FULL.getTag(), ""); + ALERT_TAGS = Collections.unmodifiableMap(alertTags); + } /** Prefix for internationalised messages used by this rule */ private static final String MESSAGE_PREFIX = "ascanrules.serversideinclude."; diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SourceCodeDisclosureCve20121823ScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SourceCodeDisclosureCve20121823ScanRule.java index 7825cd8a154..dd078f244d2 100644 --- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SourceCodeDisclosureCve20121823ScanRule.java 
+++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SourceCodeDisclosureCve20121823ScanRule.java @@ -19,6 +19,7 @@ */ package org.zaproxy.zap.extension.ascanrules; +import java.util.Collections; import java.util.HashMap; import java.util.List; import java.util.Map; @@ -35,6 +36,7 @@ import org.parosproxy.paros.core.scanner.Category; import org.parosproxy.paros.network.HttpMessage; import org.zaproxy.addon.commonlib.CommonAlertTag; +import org.zaproxy.addon.commonlib.PolicyTag; import org.zaproxy.addon.commonlib.ResourceIdentificationUtils; import org.zaproxy.addon.commonlib.vulnerabilities.Vulnerabilities; import org.zaproxy.addon.commonlib.vulnerabilities.Vulnerability; @@ -60,14 +62,17 @@ public class SourceCodeDisclosureCve20121823ScanRule extends AbstractAppPlugin ".*(<\\?=.+?\\?>).*", Pattern.MULTILINE | Pattern.DOTALL); // PHP "echo short tag" private static final String CVE = "CVE-2012-1823"; - private static final Map ALERT_TAGS = new HashMap<>(); + private static final Map ALERT_TAGS; static { - ALERT_TAGS.putAll( - CommonAlertTag.toMap( - CommonAlertTag.OWASP_2021_A06_VULN_COMP, - CommonAlertTag.OWASP_2017_A09_VULN_COMP)); - CommonAlertTag.putCve(ALERT_TAGS, CVE); + Map alertTags = + new HashMap<>( + CommonAlertTag.toMap( + CommonAlertTag.OWASP_2021_A06_VULN_COMP, + CommonAlertTag.OWASP_2017_A09_VULN_COMP)); + CommonAlertTag.putCve(alertTags, CVE); + alertTags.put(PolicyTag.QA_FULL.getTag(), ""); + ALERT_TAGS = Collections.unmodifiableMap(alertTags); } /** diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SourceCodeDisclosureWebInfScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SourceCodeDisclosureWebInfScanRule.java index 97c5c05b964..2d545c4550b 100644 --- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SourceCodeDisclosureWebInfScanRule.java 
+++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SourceCodeDisclosureWebInfScanRule.java @@ -26,6 +26,8 @@ import java.io.FileOutputStream; import java.io.OutputStream; import java.util.Arrays; +import java.util.Collections; +import java.util.HashMap; import java.util.LinkedList; import java.util.List; import java.util.Map; @@ -42,6 +44,7 @@ import org.parosproxy.paros.network.HttpMalformedHeaderException; import org.parosproxy.paros.network.HttpMessage; import org.zaproxy.addon.commonlib.CommonAlertTag; +import org.zaproxy.addon.commonlib.PolicyTag; import org.zaproxy.addon.commonlib.vulnerabilities.Vulnerabilities; import org.zaproxy.addon.commonlib.vulnerabilities.Vulnerability; @@ -55,11 +58,18 @@ public class SourceCodeDisclosureWebInfScanRule extends AbstractHostPlugin implements CommonActiveScanRuleInfo { - private static final Map ALERT_TAGS = - CommonAlertTag.toMap( - CommonAlertTag.OWASP_2021_A05_SEC_MISCONFIG, - CommonAlertTag.OWASP_2017_A06_SEC_MISCONFIG, - CommonAlertTag.WSTG_V42_CONF_05_ENUMERATE_INFRASTRUCTURE); + private static final Map ALERT_TAGS; + + static { + Map alertTags = + new HashMap<>( + CommonAlertTag.toMap( + CommonAlertTag.OWASP_2021_A05_SEC_MISCONFIG, + CommonAlertTag.OWASP_2017_A06_SEC_MISCONFIG, + CommonAlertTag.WSTG_V42_CONF_05_ENUMERATE_INFRASTRUCTURE)); + alertTags.put(PolicyTag.QA_FULL.getTag(), ""); + ALERT_TAGS = Collections.unmodifiableMap(alertTags); + } // TODO: for imported classes that we do not find in the classes folder, map to jar file names, // which we might find in WEB-INF/lib/ ? diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/Spring4ShellScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/Spring4ShellScanRule.java index 8999dd7130f..b29e4da1203 100644 --- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/Spring4ShellScanRule.java 
+++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/Spring4ShellScanRule.java @@ -20,6 +20,7 @@ package org.zaproxy.zap.extension.ascanrules; import java.util.Arrays; +import java.util.Collections; import java.util.HashMap; import java.util.List; import java.util.Map; @@ -34,6 +35,7 @@ import org.parosproxy.paros.network.HttpHeader; import org.parosproxy.paros.network.HttpMessage; import org.zaproxy.addon.commonlib.CommonAlertTag; +import org.zaproxy.addon.commonlib.PolicyTag; import org.zaproxy.addon.commonlib.http.HttpFieldsNames; import org.zaproxy.zap.model.Tech; import org.zaproxy.zap.model.TechSet; @@ -48,17 +50,20 @@ public class Spring4ShellScanRule extends AbstractAppPlugin implements CommonAct private static final Logger LOGGER = LogManager.getLogger(Spring4ShellScanRule.class); private static final String CVE = "CVE-2022-22965"; - private static final Map ALERT_TAGS = new HashMap<>(); + private static final Map ALERT_TAGS; static { - ALERT_TAGS.putAll( - CommonAlertTag.toMap( - CommonAlertTag.OWASP_2021_A03_INJECTION, - CommonAlertTag.OWASP_2021_A06_VULN_COMP, - CommonAlertTag.OWASP_2017_A01_INJECTION, - CommonAlertTag.OWASP_2017_A09_VULN_COMP, - CommonAlertTag.WSTG_V42_INPV_12_COMMAND_INJ)); - CommonAlertTag.putCve(ALERT_TAGS, CVE); + Map alertTags = + new HashMap<>( + CommonAlertTag.toMap( + CommonAlertTag.OWASP_2021_A03_INJECTION, + CommonAlertTag.OWASP_2021_A06_VULN_COMP, + CommonAlertTag.OWASP_2017_A01_INJECTION, + CommonAlertTag.OWASP_2017_A09_VULN_COMP, + CommonAlertTag.WSTG_V42_INPV_12_COMMAND_INJ)); + CommonAlertTag.putCve(alertTags, CVE); + alertTags.put(PolicyTag.QA_FULL.getTag(), ""); + ALERT_TAGS = Collections.unmodifiableMap(alertTags); } @Override diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SpringActuatorScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SpringActuatorScanRule.java index 7fad55b874e..aa02c819143 100644 
--- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SpringActuatorScanRule.java +++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SpringActuatorScanRule.java @@ -20,6 +20,8 @@ package org.zaproxy.zap.extension.ascanrules; import java.io.IOException; +import java.util.Collections; +import java.util.HashMap; import java.util.List; import java.util.Map; import java.util.regex.Pattern; @@ -34,6 +36,7 @@ import org.parosproxy.paros.network.HttpMessage; import org.parosproxy.paros.network.HttpRequestHeader; import org.zaproxy.addon.commonlib.CommonAlertTag; +import org.zaproxy.addon.commonlib.PolicyTag; import org.zaproxy.addon.commonlib.http.HttpFieldsNames; import org.zaproxy.zap.model.Tech; import org.zaproxy.zap.model.TechSet; @@ -55,11 +58,19 @@ public class SpringActuatorScanRule extends AbstractHostPlugin implements Common "application\\/vnd\\.spring-boot\\.actuator\\.v[0-9]\\+json|application\\/json", Pattern.MULTILINE); private static final Pattern JSON_PAYLOAD = Pattern.compile("\\{.*\\:.*\\}", Pattern.MULTILINE); - private static final Map ALERT_TAGS = - CommonAlertTag.toMap( - CommonAlertTag.OWASP_2021_A01_BROKEN_AC, - CommonAlertTag.OWASP_2017_A05_BROKEN_AC, - CommonAlertTag.WSTG_V42_CONF_05_ENUMERATE_INFRASTRUCTURE); + private static final Map ALERT_TAGS; + + static { + Map alertTags = + new HashMap<>( + CommonAlertTag.toMap( + CommonAlertTag.OWASP_2021_A01_BROKEN_AC, + CommonAlertTag.OWASP_2017_A05_BROKEN_AC, + CommonAlertTag.WSTG_V42_CONF_05_ENUMERATE_INFRASTRUCTURE)); + alertTags.put(PolicyTag.API.getTag(), ""); + alertTags.put(PolicyTag.QA_FULL.getTag(), ""); + ALERT_TAGS = Collections.unmodifiableMap(alertTags); + } @Override public boolean targets(TechSet technologies) { 
diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionHypersonicScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionHypersonicScanRule.java index c688e1d7c71..2b4bffa24b9 100644 --- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionHypersonicScanRule.java +++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionHypersonicScanRule.java @@ -21,6 +21,8 @@ import java.io.IOException; import java.net.SocketException; +import java.util.Collections; +import java.util.HashMap; import java.util.Iterator; import java.util.LinkedHashMap; import java.util.List; @@ -35,6 +37,7 @@ import org.parosproxy.paros.core.scanner.Category; import org.parosproxy.paros.network.HttpMessage; import org.zaproxy.addon.commonlib.CommonAlertTag; +import org.zaproxy.addon.commonlib.PolicyTag; import org.zaproxy.addon.commonlib.timing.TimingUtils; import org.zaproxy.zap.extension.ruleconfig.RuleConfigParam; import org.zaproxy.zap.model.Tech; 
@@ -188,11 +191,21 @@ public class SqlInjectionHypersonicScanRule extends AbstractAppParamPlugin private static final double TIME_CORRELATION_ERROR_RANGE = 0.15; private static final double TIME_SLOPE_ERROR_RANGE = 0.30; - private static final Map ALERT_TAGS = - CommonAlertTag.toMap( - CommonAlertTag.OWASP_2021_A03_INJECTION, - CommonAlertTag.OWASP_2017_A01_INJECTION, - CommonAlertTag.WSTG_V42_INPV_05_SQLI); + private static final Map ALERT_TAGS; + + static { + Map alertTags = + new HashMap<>( + CommonAlertTag.toMap( + CommonAlertTag.OWASP_2021_A03_INJECTION, + CommonAlertTag.OWASP_2017_A01_INJECTION, + CommonAlertTag.WSTG_V42_INPV_05_SQLI)); + alertTags.put(PolicyTag.DEV_FULL.getTag(), ""); + alertTags.put(PolicyTag.QA_STD.getTag(), ""); + alertTags.put(PolicyTag.QA_FULL.getTag(), ""); + alertTags.put(PolicyTag.SEQUENCE.getTag(), ""); + ALERT_TAGS = Collections.unmodifiableMap(alertTags); + } /** for logging. */ private static final Logger LOGGER = LogManager.getLogger(SqlInjectionHypersonicScanRule.class); diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionMsSqlScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionMsSqlScanRule.java index 55e404a1ae1..f1e1b494265 100644 --- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionMsSqlScanRule.java +++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionMsSqlScanRule.java @@ -21,6 +21,8 @@ import java.io.IOException; import java.net.SocketException; +import java.util.Collections; +import java.util.HashMap; import java.util.Iterator; import java.util.List; import java.util.Map; 
@@ -35,6 +37,7 @@ import org.parosproxy.paros.core.scanner.Category; import org.parosproxy.paros.network.HttpMessage; import org.zaproxy.addon.commonlib.CommonAlertTag; +import org.zaproxy.addon.commonlib.PolicyTag; import org.zaproxy.addon.commonlib.timing.TimingUtils; import org.zaproxy.zap.extension.ruleconfig.RuleConfigParam; import org.zaproxy.zap.model.Tech; @@ -133,11 +136,21 @@ public class SqlInjectionMsSqlScanRule extends AbstractAppParamPlugin /** for logging. */ private static final Logger LOGGER = LogManager.getLogger(SqlInjectionMsSqlScanRule.class); - private static final Map ALERT_TAGS = - CommonAlertTag.toMap( - CommonAlertTag.OWASP_2021_A03_INJECTION, - CommonAlertTag.OWASP_2017_A01_INJECTION, - CommonAlertTag.WSTG_V42_INPV_05_SQLI); + private static final Map ALERT_TAGS; + + static { + Map alertTags = + new HashMap<>( + CommonAlertTag.toMap( + CommonAlertTag.OWASP_2021_A03_INJECTION, + CommonAlertTag.OWASP_2017_A01_INJECTION, + CommonAlertTag.WSTG_V42_INPV_05_SQLI)); + alertTags.put(PolicyTag.DEV_FULL.getTag(), ""); + alertTags.put(PolicyTag.QA_STD.getTag(), ""); + alertTags.put(PolicyTag.QA_FULL.getTag(), ""); + alertTags.put(PolicyTag.SEQUENCE.getTag(), ""); + ALERT_TAGS = Collections.unmodifiableMap(alertTags); + } /** The number of seconds used in time-based attacks (i.e. sleep commands). */ private int timeSleepSeconds = DEFAULT_SLEEP_TIME; diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionMySqlScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionMySqlScanRule.java index 300aa5bba42..16a96d8dc1d 100644 --- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionMySqlScanRule.java +++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionMySqlScanRule.java 
@@ -21,6 +21,8 @@ import java.io.IOException;
 import java.net.SocketException;
+import java.util.Collections;
+import java.util.HashMap;
 import java.util.Iterator;
 import java.util.LinkedHashMap;
 import java.util.List;
@@ -35,6 +37,7 @@ import org.parosproxy.paros.core.scanner.Category;
 import org.parosproxy.paros.network.HttpMessage;
 import org.zaproxy.addon.commonlib.CommonAlertTag;
+import org.zaproxy.addon.commonlib.PolicyTag;
 import org.zaproxy.addon.commonlib.timing.TimingUtils;
 import org.zaproxy.zap.extension.ruleconfig.RuleConfigParam;
 import org.zaproxy.zap.model.Tech;
@@ -207,11 +210,21 @@ public class SqlInjectionMySqlScanRule extends AbstractAppParamPlugin
 private static final double TIME_CORRELATION_ERROR_RANGE = 0.15;
 private static final double TIME_SLOPE_ERROR_RANGE = 0.30;
- private static final Map ALERT_TAGS =
- CommonAlertTag.toMap(
- CommonAlertTag.OWASP_2021_A03_INJECTION,
- CommonAlertTag.OWASP_2017_A01_INJECTION,
- CommonAlertTag.WSTG_V42_INPV_05_SQLI);
+ private static final Map ALERT_TAGS;
+
+ static {
+ Map alertTags =
+ new HashMap<>(
+ CommonAlertTag.toMap(
+ CommonAlertTag.OWASP_2021_A03_INJECTION,
+ CommonAlertTag.OWASP_2017_A01_INJECTION,
+ CommonAlertTag.WSTG_V42_INPV_05_SQLI));
+ alertTags.put(PolicyTag.DEV_FULL.getTag(), "");
+ alertTags.put(PolicyTag.QA_STD.getTag(), "");
+ alertTags.put(PolicyTag.QA_FULL.getTag(), "");
+ alertTags.put(PolicyTag.SEQUENCE.getTag(), "");
+ ALERT_TAGS = Collections.unmodifiableMap(alertTags);
+ }
 /** for logging. */
 private static final Logger LOGGER = LogManager.getLogger(SqlInjectionMySqlScanRule.class);
diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionOracleScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionOracleScanRule.java
index d5d229c44f0..cc93ea4f28f 100644
--- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionOracleScanRule.java
+++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionOracleScanRule.java
@@ -19,6 +19,8 @@ */
 package org.zaproxy.zap.extension.ascanrules;
+import java.util.Collections;
+import java.util.HashMap;
 import java.util.LinkedHashMap;
 import java.util.Map;
 import org.apache.logging.log4j.LogManager;
@@ -29,6 +31,7 @@ import org.parosproxy.paros.core.scanner.Category;
 import org.parosproxy.paros.network.HttpMessage;
 import org.zaproxy.addon.commonlib.CommonAlertTag;
+import org.zaproxy.addon.commonlib.PolicyTag;
 import org.zaproxy.zap.model.Tech;
 import org.zaproxy.zap.model.TechSet;
@@ -143,11 +146,21 @@ public class SqlInjectionOracleScanRule extends AbstractAppParamPlugin
 + SQL_ONE_LINE_COMMENT, // Param in WHERE clause somewhere
 };
- private static final Map ALERT_TAGS =
- CommonAlertTag.toMap(
- CommonAlertTag.OWASP_2021_A03_INJECTION,
- CommonAlertTag.OWASP_2017_A01_INJECTION,
- CommonAlertTag.WSTG_V42_INPV_05_SQLI);
+ private static final Map ALERT_TAGS;
+
+ static {
+ Map alertTags =
+ new HashMap<>(
+ CommonAlertTag.toMap(
+ CommonAlertTag.OWASP_2021_A03_INJECTION,
+ CommonAlertTag.OWASP_2017_A01_INJECTION,
+ CommonAlertTag.WSTG_V42_INPV_05_SQLI));
+ alertTags.put(PolicyTag.DEV_FULL.getTag(), "");
+ alertTags.put(PolicyTag.QA_STD.getTag(), "");
+ alertTags.put(PolicyTag.QA_FULL.getTag(), "");
+ alertTags.put(PolicyTag.SEQUENCE.getTag(), "");
+ ALERT_TAGS = Collections.unmodifiableMap(alertTags);
+ }
 /** for logging. */
 private static final Logger LOGGER = LogManager.getLogger(SqlInjectionOracleScanRule.class);
diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionPostgreScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionPostgreScanRule.java
index 41177f4d952..415d5e2ab77 100644
--- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionPostgreScanRule.java
+++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionPostgreScanRule.java
@@ -21,6 +21,8 @@ import java.io.IOException;
 import java.net.SocketException;
+import java.util.Collections;
+import java.util.HashMap;
 import java.util.LinkedHashMap;
 import java.util.Map;
 import java.util.concurrent.atomic.AtomicReference;
@@ -33,6 +35,7 @@ import org.parosproxy.paros.core.scanner.Category;
 import org.parosproxy.paros.network.HttpMessage;
 import org.zaproxy.addon.commonlib.CommonAlertTag;
+import org.zaproxy.addon.commonlib.PolicyTag;
 import org.zaproxy.addon.commonlib.timing.TimingUtils;
 import org.zaproxy.zap.extension.ruleconfig.RuleConfigParam;
 import org.zaproxy.zap.model.Tech;
@@ -185,11 +188,21 @@ public class SqlInjectionPostgreScanRule extends AbstractAppParamPlugin
 + SQL_ONE_LINE_COMMENT, // Param in WHERE clause.
 };
- private static final Map ALERT_TAGS =
- CommonAlertTag.toMap(
- CommonAlertTag.OWASP_2021_A03_INJECTION,
- CommonAlertTag.OWASP_2017_A01_INJECTION,
- CommonAlertTag.WSTG_V42_INPV_05_SQLI);
+ private static final Map ALERT_TAGS;
+
+ static {
+ Map alertTags =
+ new HashMap<>(
+ CommonAlertTag.toMap(
+ CommonAlertTag.OWASP_2021_A03_INJECTION,
+ CommonAlertTag.OWASP_2017_A01_INJECTION,
+ CommonAlertTag.WSTG_V42_INPV_05_SQLI));
+ alertTags.put(PolicyTag.DEV_FULL.getTag(), "");
+ alertTags.put(PolicyTag.QA_STD.getTag(), "");
+ alertTags.put(PolicyTag.QA_FULL.getTag(), "");
+ alertTags.put(PolicyTag.SEQUENCE.getTag(), "");
+ ALERT_TAGS = Collections.unmodifiableMap(alertTags);
+ }
 /** for logging. */
 private static final Logger LOGGER = LogManager.getLogger(SqlInjectionPostgreScanRule.class);
diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionScanRule.java
index 51133b921c3..0e6a3d843ae 100644
--- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionScanRule.java
+++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionScanRule.java
@@ -28,6 +28,7 @@ import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collections;
+import java.util.HashMap;
 import java.util.Iterator;
 import java.util.LinkedList;
 import java.util.List;
@@ -45,6 +46,7 @@ import org.parosproxy.paros.core.scanner.Category;
 import org.parosproxy.paros.network.HttpMessage;
 import org.zaproxy.addon.commonlib.CommonAlertTag;
+import org.zaproxy.addon.commonlib.PolicyTag;
 import org.zaproxy.zap.extension.authentication.ExtensionAuthentication;
 import org.zaproxy.zap.model.Context;
 import org.zaproxy.zap.model.Tech;
@@ -70,11 +72,24 @@ public class SqlInjectionScanRule extends AbstractAppParamPlugin
 /** Prefix for internationalised messages used by this rule */
 private static final String MESSAGE_PREFIX = "ascanrules.sqlinjection.";
- private static final Map ALERT_TAGS =
- CommonAlertTag.toMap(
- CommonAlertTag.OWASP_2021_A03_INJECTION,
- CommonAlertTag.OWASP_2017_A01_INJECTION,
- CommonAlertTag.WSTG_V42_INPV_05_SQLI);
+ private static final Map ALERT_TAGS;
+
+ static {
+ Map alertTags =
+ new HashMap<>(
+ CommonAlertTag.toMap(
+ CommonAlertTag.OWASP_2021_A03_INJECTION,
+ CommonAlertTag.OWASP_2017_A01_INJECTION,
+ CommonAlertTag.WSTG_V42_INPV_05_SQLI));
+ alertTags.put(PolicyTag.API.getTag(), "");
+ alertTags.put(PolicyTag.DEV_CICD.getTag(), "");
+ alertTags.put(PolicyTag.DEV_STD.getTag(), "");
+ alertTags.put(PolicyTag.DEV_FULL.getTag(), "");
+ alertTags.put(PolicyTag.QA_STD.getTag(), "");
+ alertTags.put(PolicyTag.QA_FULL.getTag(), "");
+ alertTags.put(PolicyTag.SEQUENCE.getTag(), "");
+ ALERT_TAGS = Collections.unmodifiableMap(alertTags);
+ }
 /** Did SQLInjection get found yet? */
 private boolean sqlInjectionFoundForUrl = false;
diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionSqLiteScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionSqLiteScanRule.java
index 04d334d3ca3..100a21f52c3 100644
--- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionSqLiteScanRule.java
+++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionSqLiteScanRule.java
@@ -20,6 +20,8 @@ package org.zaproxy.zap.extension.ascanrules;
 import java.net.UnknownHostException;
+import java.util.Collections;
+import java.util.HashMap;
 import java.util.Map;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
@@ -33,6 +35,7 @@ import org.parosproxy.paros.core.scanner.Category;
 import org.parosproxy.paros.network.HttpMessage;
 import org.zaproxy.addon.commonlib.CommonAlertTag;
+import org.zaproxy.addon.commonlib.PolicyTag;
 import org.zaproxy.zap.model.Tech;
 import org.zaproxy.zap.model.TechSet;
@@ -210,11 +213,18 @@ public class SqlInjectionSqLiteScanRule extends AbstractAppParamPlugin
 private long incrementalDelayIncreasesForAlert = 0;
 private char[] RANDOM_PARAMETER_CHARS = "abcdefghijklmnopqrstuvwxyz0123456789".toCharArray();
- private static final Map ALERT_TAGS =
- CommonAlertTag.toMap(
- CommonAlertTag.OWASP_2021_A03_INJECTION,
- CommonAlertTag.OWASP_2017_A01_INJECTION,
- CommonAlertTag.WSTG_V42_INPV_05_SQLI);
+ private static final Map ALERT_TAGS;
+
+ static {
+ Map alertTags =
+ new HashMap<>(
+ CommonAlertTag.toMap(
+ CommonAlertTag.OWASP_2021_A03_INJECTION,
+ CommonAlertTag.OWASP_2017_A01_INJECTION,
+ CommonAlertTag.WSTG_V42_INPV_05_SQLI));
+ alertTags.put(PolicyTag.QA_FULL.getTag(), "");
+ ALERT_TAGS = Collections.unmodifiableMap(alertTags);
+ }
 /** for logging. */
 private static final Logger LOGGER = LogManager.getLogger(SqlInjectionSqLiteScanRule.class);
diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SstiBlindScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SstiBlindScanRule.java
index 39dfad519d1..53d389942b5 100644
--- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SstiBlindScanRule.java
+++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SstiBlindScanRule.java
@@ -21,6 +21,8 @@ import java.io.IOException;
 import java.net.SocketException;
+import java.util.Collections;
+import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import java.util.concurrent.atomic.AtomicReference;
@@ -35,6 +37,7 @@ import org.parosproxy.paros.core.scanner.Plugin;
 import org.parosproxy.paros.network.HttpMessage;
 import org.zaproxy.addon.commonlib.CommonAlertTag;
+import org.zaproxy.addon.commonlib.PolicyTag;
 import org.zaproxy.addon.commonlib.timing.TimingUtils;
 import org.zaproxy.addon.oast.ExtensionOast;
 import org.zaproxy.zap.extension.ruleconfig.RuleConfigParam;
@@ -50,11 +53,21 @@ public class SstiBlindScanRule extends AbstractAppParamPlugin implements CommonA
 /** Prefix for internationalised messages used by this rule */
 private static final String MESSAGE_PREFIX = "ascanrules.sstiblind.";
- private static final Map ALERT_TAGS =
- CommonAlertTag.toMap(
- CommonAlertTag.OWASP_2021_A03_INJECTION,
- CommonAlertTag.OWASP_2017_A01_INJECTION,
- CommonAlertTag.WSTG_V42_INPV_18_SSTI);
+ private static final Map ALERT_TAGS;
+
+ static {
+ Map alertTags =
+ new HashMap<>(
+ CommonAlertTag.toMap(
+ CommonAlertTag.OWASP_2021_A03_INJECTION,
+ CommonAlertTag.OWASP_2017_A01_INJECTION,
+ CommonAlertTag.WSTG_V42_INPV_18_SSTI));
+ alertTags.put(PolicyTag.API.getTag(), "");
+ alertTags.put(PolicyTag.DEV_FULL.getTag(), "");
+ alertTags.put(PolicyTag.QA_FULL.getTag(), "");
+ alertTags.put(PolicyTag.SEQUENCE.getTag(), "");
+ ALERT_TAGS = Collections.unmodifiableMap(alertTags);
+ }
 private static final String SECONDS_PLACEHOLDER = "X_SECONDS_X";
diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SstiScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SstiScanRule.java
index de624609cc8..a635bc6068d 100644
--- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SstiScanRule.java
+++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SstiScanRule.java
@@ -22,6 +22,8 @@ import java.io.IOException;
 import java.net.SocketException;
 import java.util.ArrayList;
+import java.util.Collections;
+import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
@@ -35,6 +37,7 @@ import org.parosproxy.paros.core.scanner.Plugin;
 import org.parosproxy.paros.network.HttpMessage;
 import org.zaproxy.addon.commonlib.CommonAlertTag;
+import org.zaproxy.addon.commonlib.PolicyTag;
 import org.zaproxy.addon.commonlib.SourceSinkUtils;
 import org.zaproxy.zap.extension.ascanrules.ssti.DjangoTemplateFormat;
 import org.zaproxy.zap.extension.ascanrules.ssti.GoTemplateFormat;
@@ -54,11 +57,24 @@ public class SstiScanRule extends AbstractAppParamPlugin implements CommonActive
 /** Prefix for internationalised messages used by this rule */
 private static final String MESSAGE_PREFIX = "ascanrules.ssti.";
- private static final Map ALERT_TAGS =
- CommonAlertTag.toMap(
- CommonAlertTag.OWASP_2021_A03_INJECTION,
- CommonAlertTag.OWASP_2017_A01_INJECTION,
- CommonAlertTag.WSTG_V42_INPV_18_SSTI);
+ private static final Map ALERT_TAGS;
+
+ static {
+ Map alertTags =
+ new HashMap<>(
+ CommonAlertTag.toMap(
+ CommonAlertTag.OWASP_2021_A03_INJECTION,
+ CommonAlertTag.OWASP_2017_A01_INJECTION,
+ CommonAlertTag.WSTG_V42_INPV_18_SSTI));
+ alertTags.put(PolicyTag.API.getTag(), "");
+ alertTags.put(PolicyTag.DEV_CICD.getTag(), "");
+ alertTags.put(PolicyTag.DEV_STD.getTag(), "");
+ alertTags.put(PolicyTag.DEV_FULL.getTag(), "");
+ alertTags.put(PolicyTag.QA_STD.getTag(), "");
+ alertTags.put(PolicyTag.QA_FULL.getTag(), "");
+ alertTags.put(PolicyTag.SEQUENCE.getTag(), "");
+ ALERT_TAGS = Collections.unmodifiableMap(alertTags);
+ }
 static final String DELIMITER = "zj";
diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/TraceAxdScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/TraceAxdScanRule.java
index f7089c5e9db..d1d13f29da9 100644
--- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/TraceAxdScanRule.java
+++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/TraceAxdScanRule.java
@@ -19,10 +19,13 @@ */
 package org.zaproxy.zap.extension.ascanrules;
+import java.util.Collections;
+import java.util.HashMap;
 import java.util.Map;
 import org.parosproxy.paros.network.HttpMessage;
 import org.zaproxy.addon.commonlib.AbstractAppFilePlugin;
 import org.zaproxy.addon.commonlib.CommonAlertTag;
+import org.zaproxy.addon.commonlib.PolicyTag;
 import org.zaproxy.zap.model.Tech;
 import org.zaproxy.zap.model.TechSet;
@@ -34,11 +37,18 @@ public class TraceAxdScanRule extends AbstractAppFilePlugin implements CommonAct
 private static final String MESSAGE_PREFIX = "ascanrules.traceaxd.";
 private static final int PLUGIN_ID = 40029;
- private static final Map ALERT_TAGS =
- CommonAlertTag.toMap(
- CommonAlertTag.OWASP_2021_A05_SEC_MISCONFIG,
- CommonAlertTag.OWASP_2017_A06_SEC_MISCONFIG,
- CommonAlertTag.WSTG_V42_CONF_05_ENUMERATE_INFRASTRUCTURE);
+ private static final Map ALERT_TAGS;
+
+ static {
+ Map alertTags =
+ new HashMap<>(
+ CommonAlertTag.toMap(
+ CommonAlertTag.OWASP_2021_A05_SEC_MISCONFIG,
+ CommonAlertTag.OWASP_2017_A06_SEC_MISCONFIG,
+ CommonAlertTag.WSTG_V42_CONF_05_ENUMERATE_INFRASTRUCTURE));
+ alertTags.put(PolicyTag.QA_FULL.getTag(), "");
+ ALERT_TAGS = Collections.unmodifiableMap(alertTags);
+ }
 public TraceAxdScanRule() {
 super("trace.axd", MESSAGE_PREFIX);
diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/XpathInjectionScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/XpathInjectionScanRule.java
index 4243adbb93e..da2bebd6cd4 100644
--- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/XpathInjectionScanRule.java
+++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/XpathInjectionScanRule.java
@@ -20,6 +20,8 @@ package org.zaproxy.zap.extension.ascanrules;
 import java.io.IOException;
+import java.util.Collections;
+import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import org.apache.logging.log4j.LogManager;
@@ -30,6 +32,7 @@ import org.parosproxy.paros.core.scanner.Category;
 import org.parosproxy.paros.network.HttpMessage;
 import org.zaproxy.addon.commonlib.CommonAlertTag;
+import org.zaproxy.addon.commonlib.PolicyTag;
 import org.zaproxy.addon.commonlib.vulnerabilities.Vulnerabilities;
 import org.zaproxy.addon.commonlib.vulnerabilities.Vulnerability;
@@ -85,11 +88,25 @@ public class XpathInjectionScanRule extends AbstractAppParamPlugin
 "xmlXPathEval: evaluation failed", "Expression must evaluate to a node-set."
 };
- private static final Map ALERT_TAGS =
- CommonAlertTag.toMap(
- CommonAlertTag.OWASP_2021_A03_INJECTION,
- CommonAlertTag.OWASP_2017_A01_INJECTION,
- CommonAlertTag.WSTG_V42_INPV_09_XPATH);
+
+ private static final Map ALERT_TAGS;
+
+ static {
+ Map alertTags =
+ new HashMap<>(
+ CommonAlertTag.toMap(
+ CommonAlertTag.OWASP_2021_A03_INJECTION,
+ CommonAlertTag.OWASP_2017_A01_INJECTION,
+ CommonAlertTag.WSTG_V42_INPV_09_XPATH));
+ alertTags.put(PolicyTag.API.getTag(), "");
+ alertTags.put(PolicyTag.DEV_CICD.getTag(), "");
+ alertTags.put(PolicyTag.DEV_STD.getTag(), "");
+ alertTags.put(PolicyTag.DEV_FULL.getTag(), "");
+ alertTags.put(PolicyTag.QA_STD.getTag(), "");
+ alertTags.put(PolicyTag.QA_FULL.getTag(), "");
+ alertTags.put(PolicyTag.SEQUENCE.getTag(), "");
+ ALERT_TAGS = Collections.unmodifiableMap(alertTags);
+ }
 // Get WASC Vulnerability description
 private static final Vulnerability VULN = Vulnerabilities.getDefault().get("wasc_39");
diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/XsltInjectionScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/XsltInjectionScanRule.java
index 292198ec54b..9344c602479 100644
--- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/XsltInjectionScanRule.java
+++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/XsltInjectionScanRule.java
@@ -21,7 +21,9 @@ import java.io.IOException;
 import java.util.Arrays;
+import java.util.Collections;
 import java.util.EnumMap;
+import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import java.util.function.Predicate;
@@ -34,6 +36,7 @@ import org.parosproxy.paros.core.scanner.Category;
 import org.parosproxy.paros.network.HttpMessage;
 import org.zaproxy.addon.commonlib.CommonAlertTag;
+import org.zaproxy.addon.commonlib.PolicyTag;
 /**
 * Active scan rule which checks for signs of XSLT injection vulnerabilities with requests
@@ -125,10 +128,23 @@ private String getResourceIdentifier() {
 }
 private static final Logger LOGGER = LogManager.getLogger(XsltInjectionScanRule.class);
- private static final Map ALERT_TAGS =
- CommonAlertTag.toMap(
- CommonAlertTag.OWASP_2021_A03_INJECTION,
- CommonAlertTag.OWASP_2017_A01_INJECTION);
+ private static final Map ALERT_TAGS;
+
+ static {
+ Map alertTags =
+ new HashMap<>(
+ CommonAlertTag.toMap(
+ CommonAlertTag.OWASP_2021_A03_INJECTION,
+ CommonAlertTag.OWASP_2017_A01_INJECTION));
+ alertTags.put(PolicyTag.API.getTag(), "");
+ alertTags.put(PolicyTag.DEV_CICD.getTag(), "");
+ alertTags.put(PolicyTag.DEV_STD.getTag(), "");
+ alertTags.put(PolicyTag.DEV_FULL.getTag(), "");
+ alertTags.put(PolicyTag.QA_STD.getTag(), "");
+ alertTags.put(PolicyTag.QA_FULL.getTag(), "");
+ alertTags.put(PolicyTag.SEQUENCE.getTag(), "");
+ ALERT_TAGS = Collections.unmodifiableMap(alertTags);
+ }
 // used to check against the attack strength
 private int requestsSent = 0;
diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/XxeScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/XxeScanRule.java
index 57d2aed6448..9bb56c34518 100644
--- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/XxeScanRule.java
+++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/XxeScanRule.java
@@ -21,6 +21,8 @@ import java.io.IOException;
 import java.text.MessageFormat;
+import java.util.Collections;
+import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import java.util.regex.Matcher;
@@ -34,6 +36,7 @@ import org.parosproxy.paros.core.scanner.Category;
 import org.parosproxy.paros.network.HttpMessage;
 import org.zaproxy.addon.commonlib.CommonAlertTag;
+import org.zaproxy.addon.commonlib.PolicyTag;
 import org.zaproxy.addon.commonlib.http.HttpFieldsNames;
 import org.zaproxy.addon.commonlib.vulnerabilities.Vulnerabilities;
 import org.zaproxy.addon.commonlib.vulnerabilities.Vulnerability;
@@ -51,11 +54,24 @@ public class XxeScanRule extends AbstractAppPlugin implements CommonActiveScanRu
 // Get the correct vulnerability description from WASC
 private static final Vulnerability VULN = Vulnerabilities.getDefault().get("wasc_43");
- private static final Map ALERT_TAGS =
- CommonAlertTag.toMap(
- CommonAlertTag.OWASP_2021_A03_INJECTION,
- CommonAlertTag.OWASP_2017_A04_XXE,
- CommonAlertTag.WSTG_V42_INPV_07_XMLI);
+ private static final Map ALERT_TAGS;
+
+ static {
+ Map alertTags =
+ new HashMap<>(
+ CommonAlertTag.toMap(
+ CommonAlertTag.OWASP_2021_A03_INJECTION,
+ CommonAlertTag.OWASP_2017_A04_XXE,
+ CommonAlertTag.WSTG_V42_INPV_07_XMLI));
+ alertTags.put(PolicyTag.API.getTag(), "");
+ alertTags.put(PolicyTag.DEV_CICD.getTag(), "");
+ alertTags.put(PolicyTag.DEV_STD.getTag(), "");
+ alertTags.put(PolicyTag.DEV_FULL.getTag(), "");
+ alertTags.put(PolicyTag.QA_STD.getTag(), "");
+ alertTags.put(PolicyTag.QA_FULL.getTag(), "");
+ alertTags.put(PolicyTag.SEQUENCE.getTag(), "");
+ ALERT_TAGS = Collections.unmodifiableMap(alertTags);
+ }
 // Payload built on examples retrieved in:
 // https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing
diff --git a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/BufferOverflowScanRuleUnitTest.java b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/BufferOverflowScanRuleUnitTest.java
index 33466a9b861..9017b956e43 100644
--- a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/BufferOverflowScanRuleUnitTest.java
+++ b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/BufferOverflowScanRuleUnitTest.java
@@ -32,6 +32,7 @@ import org.parosproxy.paros.core.scanner.Alert;
 import org.parosproxy.paros.network.HttpMessage;
 import org.zaproxy.addon.commonlib.CommonAlertTag;
+import org.zaproxy.addon.commonlib.PolicyTag;
 import org.zaproxy.zap.model.Tech;
 import org.zaproxy.zap.model.TechSet;
 import org.zaproxy.zap.testutils.NanoServerHandler;
@@ -53,13 +54,14 @@ void shouldReturnExpectedMappings() {
 // Then
 assertThat(cwe, is(equalTo(120)));
 assertThat(wasc, is(equalTo(7)));
- assertThat(tags.size(), is(equalTo(2)));
+ assertThat(tags.size(), is(equalTo(3)));
 assertThat(
 tags.containsKey(CommonAlertTag.OWASP_2021_A03_INJECTION.getTag()),
 is(equalTo(true)));
 assertThat(
 tags.containsKey(CommonAlertTag.OWASP_2017_A01_INJECTION.getTag()),
 is(equalTo(true)));
+ assertThat(tags.containsKey(PolicyTag.API.getTag()), is(equalTo(true)));
 assertThat(
 tags.get(CommonAlertTag.OWASP_2021_A03_INJECTION.getTag()),
 is(equalTo(CommonAlertTag.OWASP_2021_A03_INJECTION.getValue())));
diff --git a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/CloudMetadataScanRuleUnitTest.java b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/CloudMetadataScanRuleUnitTest.java
index 97d74e75e98..f8d1a49ce4a 100644
--- a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/CloudMetadataScanRuleUnitTest.java
+++ b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/CloudMetadataScanRuleUnitTest.java
@@ -39,6 +39,7 @@ import org.parosproxy.paros.core.scanner.Alert;
 import org.parosproxy.paros.network.HttpMessage;
 import org.zaproxy.addon.commonlib.CommonAlertTag;
+import org.zaproxy.addon.commonlib.PolicyTag;
 import org.zaproxy.addon.commonlib.http.HttpFieldsNames;
 import org.zaproxy.zap.testutils.NanoServerHandler;
@@ -96,13 +97,15 @@ void shouldReturnExpectedMappings() {
 // Given / When
 Map tags = rule.getAlertTags();
 // Then
- assertThat(tags.size(), is(equalTo(2)));
+ assertThat(tags.size(), is(equalTo(4)));
 assertThat(
 tags.containsKey(CommonAlertTag.OWASP_2021_A05_SEC_MISCONFIG.getTag()),
 is(equalTo(true)));
 assertThat(
 tags.containsKey(CommonAlertTag.OWASP_2017_A06_SEC_MISCONFIG.getTag()),
 is(equalTo(true)));
+ assertThat(tags.containsKey(PolicyTag.API.getTag()), is(equalTo(true)));
+ assertThat(tags.containsKey(PolicyTag.QA_FULL.getTag()), is(equalTo(true)));
 assertThat(
 tags.get(CommonAlertTag.OWASP_2021_A05_SEC_MISCONFIG.getTag()),
 is(equalTo(CommonAlertTag.OWASP_2021_A05_SEC_MISCONFIG.getValue())));
diff --git a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/CodeInjectionScanRuleUnitTest.java b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/CodeInjectionScanRuleUnitTest.java
index 102149ab50a..757488064e0 100644
--- a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/CodeInjectionScanRuleUnitTest.java
+++ b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/CodeInjectionScanRuleUnitTest.java
@@ -36,6 +36,7 @@ import org.parosproxy.paros.core.scanner.Plugin.AttackStrength;
 import org.parosproxy.paros.network.HttpMessage;
 import org.zaproxy.addon.commonlib.CommonAlertTag;
+import org.zaproxy.addon.commonlib.PolicyTag;
 import org.zaproxy.zap.model.Tech;
 import org.zaproxy.zap.model.TechSet;
 import org.zaproxy.zap.testutils.NanoServerHandler;
@@ -73,7 +74,7 @@ void shouldReturnExpectedMappings() {
 // Then
 assertThat(cwe, is(equalTo(94)));
 assertThat(wasc, is(equalTo(20)));
- assertThat(tags.size(), is(equalTo(3)));
+ assertThat(tags.size(), is(equalTo(8)));
 assertThat(
 tags.containsKey(CommonAlertTag.OWASP_2021_A03_INJECTION.getTag()),
 is(equalTo(true)));
@@ -83,6 +84,11 @@ void shouldReturnExpectedMappings() {
 assertThat(
 tags.containsKey(CommonAlertTag.WSTG_V42_INPV_11_CODE_INJ.getTag()),
 is(equalTo(true)));
+ assertThat(tags.containsKey(PolicyTag.API.getTag()), is(equalTo(true)));
+ assertThat(tags.containsKey(PolicyTag.DEV_FULL.getTag()), is(equalTo(true)));
+ assertThat(tags.containsKey(PolicyTag.QA_STD.getTag()), is(equalTo(true)));
+ assertThat(tags.containsKey(PolicyTag.QA_FULL.getTag()), is(equalTo(true)));
+ assertThat(tags.containsKey(PolicyTag.SEQUENCE.getTag()), is(equalTo(true)));
 assertThat(
 tags.get(CommonAlertTag.OWASP_2021_A03_INJECTION.getTag()),
 is(equalTo(CommonAlertTag.OWASP_2021_A03_INJECTION.getValue())));
diff --git a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/CommandInjectionScanRuleUnitTest.java b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/CommandInjectionScanRuleUnitTest.java
index 0ed2fd919f1..611f17e31b5 100644
--- a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/CommandInjectionScanRuleUnitTest.java
+++ b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/CommandInjectionScanRuleUnitTest.java
@@ -53,6 +53,7 @@ import org.parosproxy.paros.network.HttpMalformedHeaderException;
 import org.parosproxy.paros.network.HttpMessage;
 import org.zaproxy.addon.commonlib.CommonAlertTag;
+import org.zaproxy.addon.commonlib.PolicyTag;
 import org.zaproxy.zap.extension.ruleconfig.RuleConfigParam;
 import org.zaproxy.zap.model.Tech;
 import org.zaproxy.zap.model.TechSet;
@@ -94,7 +95,7 @@ void shouldReturnExpectedMappings() {
 // Then
 assertThat(cwe, is(equalTo(78)));
 assertThat(wasc, is(equalTo(31)));
- assertThat(tags.size(), is(equalTo(3)));
+ assertThat(tags.size(), is(equalTo(10)));
 assertThat(
 tags.containsKey(CommonAlertTag.OWASP_2021_A03_INJECTION.getTag()),
 is(equalTo(true)));
@@ -104,6 +105,13 @@ void shouldReturnExpectedMappings() {
 assertThat(
 tags.containsKey(CommonAlertTag.WSTG_V42_INPV_12_COMMAND_INJ.getTag()),
 is(equalTo(true)));
+ assertThat(tags.containsKey(PolicyTag.API.getTag()), is(equalTo(true)));
+ assertThat(tags.containsKey(PolicyTag.DEV_CICD.getTag()), is(equalTo(true)));
+ assertThat(tags.containsKey(PolicyTag.DEV_STD.getTag()), is(equalTo(true)));
+ assertThat(tags.containsKey(PolicyTag.DEV_FULL.getTag()), is(equalTo(true)));
+ assertThat(tags.containsKey(PolicyTag.QA_STD.getTag()), is(equalTo(true)));
+ assertThat(tags.containsKey(PolicyTag.QA_FULL.getTag()), is(equalTo(true)));
+ assertThat(tags.containsKey(PolicyTag.SEQUENCE.getTag()), is(equalTo(true)));
 assertThat(
 tags.get(CommonAlertTag.OWASP_2021_A03_INJECTION.getTag()),
 is(equalTo(CommonAlertTag.OWASP_2021_A03_INJECTION.getValue())));
diff --git a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/CrlfInjectionScanRuleUnitTest.java b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/CrlfInjectionScanRuleUnitTest.java
index 296991b17da..0b9ad87a573 100644
--- a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/CrlfInjectionScanRuleUnitTest.java
+++ b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/CrlfInjectionScanRuleUnitTest.java
@@ -34,6 +34,7 @@ import org.parosproxy.paros.core.scanner.Plugin.AttackStrength;
 import org.parosproxy.paros.network.HttpMessage;
 import org.zaproxy.addon.commonlib.CommonAlertTag;
+import org.zaproxy.addon.commonlib.PolicyTag;
 import org.zaproxy.zap.testutils.NanoServerHandler;
 /** Unit test for {@link CrlfInjectionScanRule}. */
@@ -88,7 +89,7 @@ void shouldReturnExpectedMappings() {
 // Then
 assertThat(cwe, is(equalTo(113)));
 assertThat(wasc, is(equalTo(25)));
- assertThat(tags.size(), is(equalTo(3)));
+ assertThat(tags.size(), is(equalTo(7)));
 assertThat(
 tags.containsKey(CommonAlertTag.OWASP_2021_A03_INJECTION.getTag()),
 is(equalTo(true)));
@@ -98,6 +99,10 @@ void shouldReturnExpectedMappings() {
 assertThat(
 tags.containsKey(CommonAlertTag.WSTG_V42_INPV_15_HTTP_SPLITTING.getTag()),
 is(equalTo(true)));
+ assertThat(tags.containsKey(PolicyTag.API.getTag()), is(equalTo(true)));
+ assertThat(tags.containsKey(PolicyTag.DEV_FULL.getTag()), is(equalTo(true)));
+ assertThat(tags.containsKey(PolicyTag.QA_FULL.getTag()), is(equalTo(true)));
+ assertThat(tags.containsKey(PolicyTag.SEQUENCE.getTag()), is(equalTo(true)));
 assertThat(
 tags.get(CommonAlertTag.OWASP_2021_A03_INJECTION.getTag()),
 is(equalTo(CommonAlertTag.OWASP_2021_A03_INJECTION.getValue())));
diff --git a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/CrossSiteScriptingScanRuleUnitTest.java b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/CrossSiteScriptingScanRuleUnitTest.java
index 6c3a614c349..9dcd832453d 100644
--- a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/CrossSiteScriptingScanRuleUnitTest.java
+++ b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/CrossSiteScriptingScanRuleUnitTest.java
@@ -51,6 +51,7 @@ import org.parosproxy.paros.network.HttpMessage;
 import org.parosproxy.paros.network.HttpRequestHeader;
 import org.zaproxy.addon.commonlib.CommonAlertTag;
+import org.zaproxy.addon.commonlib.PolicyTag;
 import org.zaproxy.addon.commonlib.http.HttpFieldsNames;
 import org.zaproxy.zap.testutils.NanoServerHandler;
 import org.zaproxy.zap.utils.ZapXmlConfiguration;
@@ -75,7 +76,7 @@ void shouldReturnExpectedMappings() {
 // Then
 assertThat(cwe, is(equalTo(79)));
 assertThat(wasc, is(equalTo(8)));
- assertThat(tags.size(), is(equalTo(3)));
+ assertThat(tags.size(), is(equalTo(9)));
 assertThat(
 tags.containsKey(CommonAlertTag.OWASP_2021_A03_INJECTION.getTag()),
 is(equalTo(true)));
@@ -83,6 +84,11 @@ void shouldReturnExpectedMappings() {
 assertThat(
 tags.containsKey(CommonAlertTag.WSTG_V42_INPV_01_REFLECTED_XSS.getTag()),
 is(equalTo(true)));
+ assertThat(tags.containsKey(PolicyTag.DEV_STD.getTag()), is(equalTo(true)));
+ assertThat(tags.containsKey(PolicyTag.DEV_FULL.getTag()), is(equalTo(true)));
+ assertThat(tags.containsKey(PolicyTag.QA_STD.getTag()), is(equalTo(true)));
+ assertThat(tags.containsKey(PolicyTag.QA_FULL.getTag()), is(equalTo(true)));
+ assertThat(tags.containsKey(PolicyTag.SEQUENCE.getTag()), is(equalTo(true)));
 assertThat(
 tags.get(CommonAlertTag.OWASP_2021_A03_INJECTION.getTag()),
 is(equalTo(CommonAlertTag.OWASP_2021_A03_INJECTION.getValue())));
diff --git a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/DirectoryBrowsingScanRuleUnitTest.java b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/DirectoryBrowsingScanRuleUnitTest.java
index 4caab38bdb8..86ed219c5da 100644
--- a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/DirectoryBrowsingScanRuleUnitTest.java
+++ b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/DirectoryBrowsingScanRuleUnitTest.java
@@ -32,6 +32,7 @@ import org.parosproxy.paros.core.scanner.Alert;
 import org.parosproxy.paros.network.HttpMessage;
 import org.zaproxy.addon.commonlib.CommonAlertTag;
+import org.zaproxy.addon.commonlib.PolicyTag;
 import org.zaproxy.zap.testutils.NanoServerHandler;
 /** Unit test for {@link DirectoryBrowsingScanRule}. */
@@ -53,13 +54,16 @@ void shouldReturnExpectedMappings() {
 // Then
 assertThat(cwe, is(equalTo(548)));
 assertThat(wasc, is(equalTo(48)));
- assertThat(tags.size(), is(equalTo(2)));
+ assertThat(tags.size(), is(equalTo(5)));
 assertThat(
 tags.containsKey(CommonAlertTag.OWASP_2021_A01_BROKEN_AC.getTag()),
 is(equalTo(true)));
 assertThat(
 tags.containsKey(CommonAlertTag.OWASP_2017_A05_BROKEN_AC.getTag()),
 is(equalTo(true)));
+ assertThat(tags.containsKey(PolicyTag.API.getTag()), is(equalTo(true)));
+ assertThat(tags.containsKey(PolicyTag.QA_STD.getTag()), is(equalTo(true)));
+ assertThat(tags.containsKey(PolicyTag.QA_FULL.getTag()), is(equalTo(true)));
 assertThat(
 tags.get(CommonAlertTag.OWASP_2021_A01_BROKEN_AC.getTag()),
 is(equalTo(CommonAlertTag.OWASP_2021_A01_BROKEN_AC.getValue())));
@@ -76,7 +80,7 @@ void shouldReturnExpectedExampleAlert() {
 assertThat(alerts.size(), is(equalTo(1)));
 Alert alert = alerts.get(0);
 Map tags = alert.getTags();
- assertThat(tags.size(), is(equalTo(3)));
+ assertThat(tags.size(), is(equalTo(6)));
 assertThat(tags, hasKey("CWE-548"));
 assertThat(tags, hasKey(CommonAlertTag.OWASP_2021_A01_BROKEN_AC.getTag()));
 assertThat(tags, hasKey(CommonAlertTag.OWASP_2017_A05_BROKEN_AC.getTag()));
diff --git a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/ElmahScanRuleUnitTest.java b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/ElmahScanRuleUnitTest.java
index 1afb29984f7..d333fb08fce 100644
--- a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/ElmahScanRuleUnitTest.java
+++ b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/ElmahScanRuleUnitTest.java
@@ -38,6 +38,7 @@
 import org.parosproxy.paros.network.HttpMessage;
 import org.zaproxy.addon.commonlib.AbstractHostFilePluginUnitTest;
 import org.zaproxy.addon.commonlib.CommonAlertTag;
+import org.zaproxy.addon.commonlib.PolicyTag;
 import org.zaproxy.zap.testutils.NanoServerHandler;
 
 /** Unit test for {@link ElmahScanRule}. */
@@ -80,7 +81,7 @@ void shouldReturnExpectedMappings() {
 // Then
 assertThat(cwe, is(equalTo(94)));
 assertThat(wasc, is(equalTo(14)));
- assertThat(tags.size(), is(equalTo(3)));
+ assertThat(tags.size(), is(equalTo(4)));
 assertThat(
 tags.containsKey(CommonAlertTag.OWASP_2021_A05_SEC_MISCONFIG.getTag()),
 is(equalTo(true)));
@@ -90,6 +91,7 @@ void shouldReturnExpectedMappings() {
 assertThat(
 tags.containsKey(CommonAlertTag.WSTG_V42_CONF_05_ENUMERATE_INFRASTRUCTURE.getTag()),
 is(equalTo(true)));
+ assertThat(tags.containsKey(PolicyTag.QA_FULL.getTag()), is(equalTo(true)));
 assertThat(
 tags.get(CommonAlertTag.OWASP_2021_A05_SEC_MISCONFIG.getTag()),
 is(equalTo(CommonAlertTag.OWASP_2021_A05_SEC_MISCONFIG.getValue())));
diff --git a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/EnvFileScanRuleUnitTest.java b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/EnvFileScanRuleUnitTest.java
index c4d297fc09d..f479dd62ee7 100644
--- a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/EnvFileScanRuleUnitTest.java
+++ b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/EnvFileScanRuleUnitTest.java
@@ -39,6 +39,7 @@
 import org.parosproxy.paros.network.HttpMessage;
 import org.zaproxy.addon.commonlib.AbstractAppFilePluginUnitTest;
 import org.zaproxy.addon.commonlib.CommonAlertTag;
+import org.zaproxy.addon.commonlib.PolicyTag;
 
 /** Unit test for {@link EnvFileScanRule}. */
 class EnvFileScanRuleUnitTest extends AbstractAppFilePluginUnitTest {
@@ -227,7 +228,7 @@ void shouldReturnExpectedMappings() {
 // Given / When
 Map tags = ((EnvFileScanRule) rule).getAlertTags();
 // Then
- assertThat(tags.size(), is(equalTo(3)));
+ assertThat(tags.size(), is(equalTo(4)));
 assertThat(
 tags.containsKey(CommonAlertTag.OWASP_2021_A05_SEC_MISCONFIG.getTag()),
 is(equalTo(true)));
@@ -237,6 +238,7 @@ void shouldReturnExpectedMappings() {
 assertThat(
 tags.containsKey(CommonAlertTag.WSTG_V42_CONF_05_ENUMERATE_INFRASTRUCTURE.getTag()),
 is(equalTo(true)));
+ assertThat(tags.containsKey(PolicyTag.QA_FULL.getTag()), is(equalTo(true)));
 assertThat(
 tags.get(CommonAlertTag.OWASP_2021_A05_SEC_MISCONFIG.getTag()),
 is(equalTo(CommonAlertTag.OWASP_2021_A05_SEC_MISCONFIG.getValue())));
diff --git a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/ExternalRedirectScanRuleUnitTest.java b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/ExternalRedirectScanRuleUnitTest.java
index 24daf07ef57..8a4957a098a 100644
--- a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/ExternalRedirectScanRuleUnitTest.java
+++ b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/ExternalRedirectScanRuleUnitTest.java
@@ -38,6 +38,7 @@
 import org.parosproxy.paros.network.HttpHeader;
 import org.parosproxy.paros.network.HttpMessage;
 import org.zaproxy.addon.commonlib.CommonAlertTag;
+import org.zaproxy.addon.commonlib.PolicyTag;
 import org.zaproxy.addon.commonlib.http.HttpFieldsNames;
 import org.zaproxy.zap.testutils.NanoServerHandler;
 
@@ -134,7 +135,7 @@ void shouldReturnExpectedMappings() {
 // Then
 assertThat(cwe, is(equalTo(601)));
 assertThat(wasc, is(equalTo(38)));
- assertThat(tags.size(), is(equalTo(3)));
+ assertThat(tags.size(), is(equalTo(10)));
 assertThat(
 tags.containsKey(CommonAlertTag.OWASP_2021_A03_INJECTION.getTag()),
 is(equalTo(true)));
@@ -144,6 +145,12 @@ void shouldReturnExpectedMappings() {
 assertThat(
 tags.containsKey(CommonAlertTag.WSTG_V42_CLNT_04_OPEN_REDIR.getTag()),
 is(equalTo(true)));
+ assertThat(tags.containsKey(PolicyTag.API.getTag()), is(equalTo(true)));
+ assertThat(tags.containsKey(PolicyTag.DEV_STD.getTag()), is(equalTo(true)));
+ assertThat(tags.containsKey(PolicyTag.DEV_FULL.getTag()), is(equalTo(true)));
+ assertThat(tags.containsKey(PolicyTag.QA_STD.getTag()), is(equalTo(true)));
+ assertThat(tags.containsKey(PolicyTag.QA_FULL.getTag()), is(equalTo(true)));
+ assertThat(tags.containsKey(PolicyTag.SEQUENCE.getTag()), is(equalTo(true)));
 assertThat(
 tags.get(CommonAlertTag.OWASP_2021_A03_INJECTION.getTag()),
 is(equalTo(CommonAlertTag.OWASP_2021_A03_INJECTION.getValue())));
diff --git a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/FormatStringScanRuleUnitTest.java b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/FormatStringScanRuleUnitTest.java
index 575c4a39d0a..34335f7215c 100644
--- a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/FormatStringScanRuleUnitTest.java
+++ b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/FormatStringScanRuleUnitTest.java
@@ -29,6 +29,7 @@
 import org.junit.jupiter.api.Test;
 import org.parosproxy.paros.core.scanner.Alert;
 import org.zaproxy.addon.commonlib.CommonAlertTag;
+import org.zaproxy.addon.commonlib.PolicyTag;
 import org.zaproxy.zap.model.Tech;
 import org.zaproxy.zap.model.TechSet;
 
@@ -49,13 +50,15 @@ void shouldReturnExpectedMappings() {
 // Then
 assertThat(cwe, is(equalTo(134)));
 assertThat(wasc, is(equalTo(6)));
- assertThat(tags.size(), is(equalTo(2)));
+ assertThat(tags.size(), is(equalTo(4)));
 assertThat(
 tags.containsKey(CommonAlertTag.OWASP_2021_A03_INJECTION.getTag()),
 is(equalTo(true)));
 assertThat(
 tags.containsKey(CommonAlertTag.OWASP_2017_A01_INJECTION.getTag()),
 is(equalTo(true)));
+ assertThat(tags.containsKey(PolicyTag.API.getTag()), is(equalTo(true)));
+ assertThat(tags.containsKey(PolicyTag.QA_FULL.getTag()), is(equalTo(true)));
 assertThat(
 tags.get(CommonAlertTag.OWASP_2021_A03_INJECTION.getTag()),
 is(equalTo(CommonAlertTag.OWASP_2021_A03_INJECTION.getValue())));
@@ -91,7 +94,7 @@ void shouldReturnExpectedExampleAlert() {
 assertThat(alerts.size(), is(equalTo(1)));
 Alert alert = alerts.get(0);
 Map tags = alert.getTags();
- assertThat(tags.size(), is(equalTo(3)));
+ assertThat(tags.size(), is(equalTo(5)));
 assertThat(tags, hasKey("CWE-134"));
 assertThat(tags, hasKey(CommonAlertTag.OWASP_2017_A01_INJECTION.getTag()));
 assertThat(tags, hasKey(CommonAlertTag.OWASP_2021_A03_INJECTION.getTag()));
diff --git a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/GetForPostScanRuleUnitTest.java b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/GetForPostScanRuleUnitTest.java
index 64cd3aa10fb..179b3cd43c6 100644
--- a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/GetForPostScanRuleUnitTest.java
+++ b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/GetForPostScanRuleUnitTest.java
@@ -36,6 +36,7 @@
 import org.parosproxy.paros.network.HttpMalformedHeaderException;
 import org.parosproxy.paros.network.HttpMessage;
 import org.zaproxy.addon.commonlib.CommonAlertTag;
+import org.zaproxy.addon.commonlib.PolicyTag;
 import org.zaproxy.addon.commonlib.http.HttpFieldsNames;
 import org.zaproxy.zap.testutils.NanoServerHandler;
 
@@ -55,7 +56,7 @@ void shouldReturnExpectedMappings() {
 // Then
 assertThat(cwe, is(equalTo(16)));
 assertThat(wasc, is(equalTo(20)));
- assertThat(tags.size(), is(equalTo(3)));
+ assertThat(tags.size(), is(equalTo(5)));
 assertThat(
 tags.containsKey(CommonAlertTag.OWASP_2021_A04_INSECURE_DESIGN.getTag()),
 is(equalTo(true)));
@@ -65,6 +66,8 @@ void shouldReturnExpectedMappings() {
 assertThat(
 tags.containsKey(CommonAlertTag.WSTG_V42_CONF_06_HTTP_METHODS.getTag()),
 is(equalTo(true)));
+ assertThat(tags.containsKey(PolicyTag.QA_STD.getTag()), is(equalTo(true)));
+ assertThat(tags.containsKey(PolicyTag.QA_FULL.getTag()), is(equalTo(true)));
 assertThat(
 tags.get(CommonAlertTag.OWASP_2021_A04_INSECURE_DESIGN.getTag()),
 is(equalTo(CommonAlertTag.OWASP_2021_A04_INSECURE_DESIGN.getValue())));
diff --git a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/HeartBleedActiveScanRuleUnitTest.java b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/HeartBleedActiveScanRuleUnitTest.java
index 04bd69114d0..8ce2676b872 100644
--- a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/HeartBleedActiveScanRuleUnitTest.java
+++ b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/HeartBleedActiveScanRuleUnitTest.java
@@ -28,6 +28,7 @@
 import org.junit.jupiter.api.Test;
 import org.parosproxy.paros.core.scanner.Alert;
 import org.zaproxy.addon.commonlib.CommonAlertTag;
+import org.zaproxy.addon.commonlib.PolicyTag;
 
 class HeartBleedActiveScanRuleUnitTest extends ActiveScannerTest {
 
@@ -45,7 +46,7 @@ void shouldReturnExpectedMappings() {
 // Then
 assertThat(cwe, is(equalTo(119)));
 assertThat(wasc, is(equalTo(20)));
- assertThat(tags.size(), is(equalTo(4)));
+ assertThat(tags.size(), is(equalTo(5)));
 assertThat(
 tags.containsKey(CommonAlertTag.OWASP_2021_A06_VULN_COMP.getTag()),
 is(equalTo(true)));
@@ -55,6 +56,7 @@ void shouldReturnExpectedMappings() {
 assertThat(
 tags.containsKey(CommonAlertTag.WSTG_V42_CRYP_01_TLS.getTag()), is(equalTo(true)));
 assertThat(tags.containsKey("CVE-2014-0160"), is(equalTo(true)));
+ assertThat(tags.containsKey(PolicyTag.QA_FULL.getTag()), is(equalTo(true)));
 assertThat(
 tags.get(CommonAlertTag.OWASP_2021_A06_VULN_COMP.getTag()),
 is(equalTo(CommonAlertTag.OWASP_2021_A06_VULN_COMP.getValue())));
diff --git a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/HiddenFilesScanRuleUnitTest.java b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/HiddenFilesScanRuleUnitTest.java
index 861c1a3021e..8f7bb079085 100644
--- a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/HiddenFilesScanRuleUnitTest.java
+++ b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/HiddenFilesScanRuleUnitTest.java
@@ -51,6 +51,7 @@
 import org.parosproxy.paros.network.HttpMessage;
 import org.parosproxy.paros.network.HttpRequestHeader;
 import org.zaproxy.addon.commonlib.CommonAlertTag;
+import org.zaproxy.addon.commonlib.PolicyTag;
 import org.zaproxy.addon.commonlib.http.HttpFieldsNames;
 import org.zaproxy.zap.extension.ascanrules.HiddenFilesScanRule.HiddenFile;
 import org.zaproxy.zap.testutils.NanoServerHandler;
@@ -713,7 +714,7 @@ void shouldReturnExpectedMappings() {
 // Then
 assertThat(cwe, is(equalTo(538)));
 assertThat(wasc, is(equalTo(13)));
- assertThat(tags.size(), is(equalTo(3)));
+ assertThat(tags.size(), is(equalTo(4)));
 assertThat(
 tags.containsKey(CommonAlertTag.OWASP_2021_A05_SEC_MISCONFIG.getTag()),
 is(equalTo(true)));
@@ -723,6 +724,7 @@ void shouldReturnExpectedMappings() {
 assertThat(
 tags.containsKey(CommonAlertTag.WSTG_V42_CONF_05_ENUMERATE_INFRASTRUCTURE.getTag()),
 is(equalTo(true)));
+ assertThat(tags.containsKey(PolicyTag.QA_FULL.getTag()), is(equalTo(true)));
 assertThat(
 tags.get(CommonAlertTag.OWASP_2021_A05_SEC_MISCONFIG.getTag()),
 is(equalTo(CommonAlertTag.OWASP_2021_A05_SEC_MISCONFIG.getValue())));
@@ -742,7 +744,7 @@ void shouldReturnExpectedExampleAlert() {
 Map tags = alert.getTags();
 // Then
 assertThat(alerts.size(), is(equalTo(1)));
- assertThat(tags.size(), is(equalTo(5)));
+ assertThat(tags.size(), is(equalTo(6)));
 assertThat(tags, hasKey("CWE-538"));
 assertThat(tags, hasKey(CommonAlertTag.OWASP_2021_A05_SEC_MISCONFIG.getTag()));
 assertThat(tags, hasKey(CommonAlertTag.OWASP_2017_A06_SEC_MISCONFIG.getTag()));
diff --git a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/HtAccessScanRuleUnitTest.java b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/HtAccessScanRuleUnitTest.java
index 1e0c953d9bc..cc5da7153b1 100644
--- a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/HtAccessScanRuleUnitTest.java
+++ b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/HtAccessScanRuleUnitTest.java
@@ -38,6 +38,7 @@
 import org.parosproxy.paros.network.HttpMessage;
 import org.zaproxy.addon.commonlib.AbstractAppFilePluginUnitTest;
 import org.zaproxy.addon.commonlib.CommonAlertTag;
+import org.zaproxy.addon.commonlib.PolicyTag;
 import org.zaproxy.zap.model.Tech;
 import org.zaproxy.zap.model.TechSet;
 import org.zaproxy.zap.testutils.NanoServerHandler;
@@ -79,7 +80,7 @@ void shouldReturnExpectedMappings() {
 // Then
 assertThat(cwe, is(equalTo(94)));
 assertThat(wasc, is(equalTo(14)));
- assertThat(tags.size(), is(equalTo(3)));
+ assertThat(tags.size(), is(equalTo(4)));
 assertThat(
 tags.containsKey(CommonAlertTag.OWASP_2021_A05_SEC_MISCONFIG.getTag()),
 is(equalTo(true)));
@@ -89,6 +90,7 @@ void shouldReturnExpectedMappings() {
 assertThat(
 tags.containsKey(CommonAlertTag.WSTG_V42_CONF_05_ENUMERATE_INFRASTRUCTURE.getTag()),
 is(equalTo(true)));
+ assertThat(tags.containsKey(PolicyTag.QA_FULL.getTag()), is(equalTo(true)));
 assertThat(
 tags.get(CommonAlertTag.OWASP_2021_A05_SEC_MISCONFIG.getTag()),
 is(equalTo(CommonAlertTag.OWASP_2021_A05_SEC_MISCONFIG.getValue())));
diff --git a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/Log4ShellScanRuleUnitTest.java b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/Log4ShellScanRuleUnitTest.java
index 1ef5caa233d..f6b514ce49e 100644
--- a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/Log4ShellScanRuleUnitTest.java
+++ b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/Log4ShellScanRuleUnitTest.java
@@ -40,6 +40,8 @@
 import org.parosproxy.paros.extension.ExtensionLoader;
 import org.parosproxy.paros.model.Model;
 import org.parosproxy.paros.network.HttpMessage;
+import org.zaproxy.addon.commonlib.CommonAlertTag;
+import org.zaproxy.addon.commonlib.PolicyTag;
 import org.zaproxy.addon.oast.ExtensionOast;
 import org.zaproxy.zap.model.Tech;
 import org.zaproxy.zap.model.TechSet;
@@ -118,11 +120,41 @@ void shouldStopSendingPayloadsOnNonIoException() throws Exception {
 }
 
 @Test
- void shouldReturnExpectedNumberOfAlertTags() {
+ void shouldReturnExpectedMappings() {
 // Given / When
- Map alertTags = rule.getAlertTags();
+ int cwe = rule.getCweId();
+ int wasc = rule.getWascId();
+ Map tags = rule.getAlertTags();
 // Then
- assertThat(alertTags.size(), is(equalTo(6)));
+ assertThat(cwe, is(equalTo(117)));
+ assertThat(wasc, is(equalTo(20)));
+ assertThat(tags.size(), is(equalTo(7)));
+
+ assertThat(
+ tags.containsKey(CommonAlertTag.OWASP_2021_A06_VULN_COMP.getTag()),
+ is(equalTo(true)));
+ assertThat(
+ tags.containsKey(CommonAlertTag.OWASP_2017_A09_VULN_COMP.getTag()),
+ is(equalTo(true)));
+ assertThat(
+ tags.containsKey(CommonAlertTag.WSTG_V42_INPV_11_CODE_INJ.getTag()),
+ is(equalTo(true)));
+ assertThat(tags.containsKey(PolicyTag.QA_FULL.getTag()), is(equalTo(true)));
+ assertThat(tags.containsKey(ExtensionOast.OAST_ALERT_TAG_KEY), is(equalTo(true)));
+ assertThat(tags.containsKey(Log4ShellScanRule.CVE_44228), is(equalTo(true)));
+ assertThat(tags.containsKey(Log4ShellScanRule.CVE_45046), is(equalTo(true)));
+ assertThat(
+ tags.get(CommonAlertTag.OWASP_2021_A06_VULN_COMP.getTag()),
+ is(equalTo(CommonAlertTag.OWASP_2021_A06_VULN_COMP.getValue())));
+ assertThat(
+ tags.get(CommonAlertTag.OWASP_2017_A09_VULN_COMP.getTag()),
+ is(equalTo(CommonAlertTag.OWASP_2017_A09_VULN_COMP.getValue())));
+ assertThat(
+ tags.get(CommonAlertTag.WSTG_V42_INPV_11_CODE_INJ.getTag()),
+ is(equalTo(CommonAlertTag.WSTG_V42_INPV_11_CODE_INJ.getValue())));
+ assertThat(
+ tags.get(ExtensionOast.OAST_ALERT_TAG_KEY),
+ is(equalTo(ExtensionOast.OAST_ALERT_TAG_VALUE)));
 }
 
 @Test
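Review bot: The seven presence checks in the new `shouldReturnExpectedMappings` are written as `assertThat(tags.containsKey(...), is(equalTo(true)))`, while `shouldReturnExpectedExampleAlerts` in this same file already uses the Hamcrest map matcher, e.g. `assertThat(alert1.getTags(), hasKey("CWE-117"))`. A failing `containsKey` assertion only reports "expected true but was false", whereas `hasKey` prints the actual map contents, which is what you want when a tag is missing or misspelled. Consider `assertThat(tags, hasKey(PolicyTag.QA_FULL.getTag()));` (and likewise for the OAST and CVE keys) so both tests in the file read the same way; `hasKey` appears to be imported already given its use below, but confirm. The enclosing test class continues outside the hunk.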
@@ -134,13 +166,13 @@ void shouldReturnExpectedExampleAlerts() {
 // Then
 assertThat(alerts.size(), is(equalTo(2)));
 assertThat(alert1.getAlertRef(), is(equalTo("40043-1")));
- assertThat(alert1.getTags().size(), is(equalTo(6)));
+ assertThat(alert1.getTags().size(), is(equalTo(7)));
 assertThat(alert1.getTags(), hasKey("CWE-117"));
 assertThat(alert1.getTags().containsKey("CVE-2021-44228"), is(equalTo(true)));
 assertThat(alert1.getName(), is(equalTo("Log4Shell (CVE-2021-44228)")));
 assertThat(alert2.getAlertRef(), is(equalTo("40043-2")));
 assertThat(alert2.getTags().containsKey("CVE-2021-45046"), is(equalTo(true)));
- assertThat(alert2.getTags().size(), is(equalTo(6)));
+ assertThat(alert2.getTags().size(), is(equalTo(7)));
 assertThat(alert2.getTags(), hasKey("CWE-117"));
 assertThat(alert2.getName(), is(equalTo("Log4Shell (CVE-2021-45046)")));
 }
diff --git a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/PaddingOracleScanRuleUnitTest.java b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/PaddingOracleScanRuleUnitTest.java
index a3f63f29073..50014bd9758 100644
--- a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/PaddingOracleScanRuleUnitTest.java
+++ b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/PaddingOracleScanRuleUnitTest.java
@@ -37,6 +37,7 @@
 import org.parosproxy.paros.core.scanner.Alert;
 import org.parosproxy.paros.network.HttpMessage;
 import org.zaproxy.addon.commonlib.CommonAlertTag;
+import org.zaproxy.addon.commonlib.PolicyTag;
 import org.zaproxy.zap.testutils.NanoServerHandler;
 
 class PaddingOracleScanRuleUnitTest extends ActiveScannerTest {
@@ -59,7 +60,7 @@ void shouldReturnExpectedMappings() {
 // Then
 assertThat(cwe, is(equalTo(209)));
 assertThat(wasc, is(equalTo(20)));
- assertThat(tags.size(), is(equalTo(3)));
+ assertThat(tags.size(), is(equalTo(4)));
 assertThat(
 tags.containsKey(CommonAlertTag.OWASP_2021_A02_CRYPO_FAIL.getTag()),
 is(equalTo(true)));
@@ -69,6 +70,7 @@ void shouldReturnExpectedMappings() {
 assertThat(
 tags.containsKey(CommonAlertTag.WSTG_V42_CRYP_02_PADDING_ORACLE.getTag()),
 is(equalTo(true)));
+ assertThat(tags.containsKey(PolicyTag.QA_FULL.getTag()), is(equalTo(true)));
 assertThat(
 tags.get(CommonAlertTag.OWASP_2021_A02_CRYPO_FAIL.getTag()),
 is(equalTo(CommonAlertTag.OWASP_2021_A02_CRYPO_FAIL.getValue())));
diff --git a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/ParameterTamperScanRuleUnitTest.java b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/ParameterTamperScanRuleUnitTest.java
index e6f9e226a1b..4b2a856707d 100644
--- a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/ParameterTamperScanRuleUnitTest.java
+++ b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/ParameterTamperScanRuleUnitTest.java
@@ -37,6 +37,7 @@
 import org.junit.jupiter.params.provider.ValueSource;
 import org.parosproxy.paros.core.scanner.Alert;
 import org.zaproxy.addon.commonlib.CommonAlertTag;
+import org.zaproxy.addon.commonlib.PolicyTag;
 import org.zaproxy.zap.testutils.NanoServerHandler;
 
 /** Unit test for {@link ParameterTamperScanRule}. */
@@ -56,13 +57,16 @@ void shouldReturnExpectedMappings() {
 // Then
 assertThat(cwe, is(equalTo(472)));
 assertThat(wasc, is(equalTo(20)));
- assertThat(tags.size(), is(equalTo(2)));
+ assertThat(tags.size(), is(equalTo(5)));
 assertThat(
 tags.containsKey(CommonAlertTag.OWASP_2021_A04_INSECURE_DESIGN.getTag()),
 is(equalTo(true)));
 assertThat(
 tags.containsKey(CommonAlertTag.OWASP_2017_A01_INJECTION.getTag()),
 is(equalTo(true)));
+ assertThat(tags.containsKey(PolicyTag.API.getTag()), is(equalTo(true)));
+ assertThat(tags.containsKey(PolicyTag.DEV_FULL.getTag()), is(equalTo(true)));
+ assertThat(tags.containsKey(PolicyTag.QA_FULL.getTag()), is(equalTo(true)));
 assertThat(
 tags.get(CommonAlertTag.OWASP_2021_A04_INSECURE_DESIGN.getTag()),
 is(equalTo(CommonAlertTag.OWASP_2021_A04_INSECURE_DESIGN.getValue())));
@@ -260,7 +264,7 @@ void shouldReturnExpectedExampleAlert() {
 Alert alert = alerts.get(0);
 Map tags1 = alert.getTags();
 
- assertThat(tags1.size(), is(equalTo(3)));
+ assertThat(tags1.size(), is(equalTo(6)));
 assertThat(alert.getConfidence(), is(equalTo(Alert.CONFIDENCE_MEDIUM)));
 assertThat(tags1, hasKey("CWE-472"));
 assertThat(
diff --git a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/PathTraversalScanRuleUnitTest.java b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/PathTraversalScanRuleUnitTest.java
index 8babcb13726..c5caf9c24b8 100644
--- a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/PathTraversalScanRuleUnitTest.java
+++ b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/PathTraversalScanRuleUnitTest.java
@@ -43,6 +43,7 @@
 import org.parosproxy.paros.network.HttpMalformedHeaderException;
 import org.parosproxy.paros.network.HttpMessage;
 import org.zaproxy.addon.commonlib.CommonAlertTag;
+import org.zaproxy.addon.commonlib.PolicyTag;
 import org.zaproxy.zap.model.Tech;
 import org.zaproxy.zap.testutils.NanoServerHandler;
 import org.zaproxy.zap.utils.ZapXmlConfiguration;
@@ -82,7 +83,7 @@ void shouldReturnExpectedMappings() {
 // Then
 assertThat(cwe, is(equalTo(22)));
 assertThat(wasc, is(equalTo(33)));
- assertThat(tags.size(), is(equalTo(3)));
+ assertThat(tags.size(), is(equalTo(8)));
 assertThat(
 tags.containsKey(CommonAlertTag.OWASP_2021_A01_BROKEN_AC.getTag()),
 is(equalTo(true)));
@@ -92,6 +93,11 @@ void shouldReturnExpectedMappings() {
 assertThat(
 tags.containsKey(CommonAlertTag.WSTG_V42_ATHZ_01_DIR_TRAVERSAL.getTag()),
 is(equalTo(true)));
+ assertThat(tags.containsKey(PolicyTag.DEV_STD.getTag()), is(equalTo(true)));
+ assertThat(tags.containsKey(PolicyTag.DEV_FULL.getTag()), is(equalTo(true)));
+ assertThat(tags.containsKey(PolicyTag.QA_STD.getTag()), is(equalTo(true)));
+ assertThat(tags.containsKey(PolicyTag.QA_FULL.getTag()), is(equalTo(true)));
+ assertThat(tags.containsKey(PolicyTag.SEQUENCE.getTag()), is(equalTo(true)));
 assertThat(
 tags.get(CommonAlertTag.OWASP_2021_A01_BROKEN_AC.getTag()),
 is(equalTo(CommonAlertTag.OWASP_2021_A01_BROKEN_AC.getValue())));
diff --git a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/PersistentXssPrimeScanRuleUnitTest.java b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/PersistentXssPrimeScanRuleUnitTest.java
index 1822d370d28..5d10c7ac4a8 100644
--- a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/PersistentXssPrimeScanRuleUnitTest.java
+++ b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/PersistentXssPrimeScanRuleUnitTest.java
@@ -19,7 +19,14 @@
 */
 package org.zaproxy.zap.extension.ascanrules;
 
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.equalTo;
+import static org.hamcrest.Matchers.is;
+
+import java.util.Map;
 import org.junit.jupiter.api.Test;
+import org.zaproxy.addon.commonlib.CommonAlertTag;
+import org.zaproxy.addon.commonlib.PolicyTag;
 
 /** Unit test for {@link PersistentXssPrimeScanRule}. */
 class PersistentXssPrimeScanRuleUnitTest extends ActiveScannerTest {
@@ -34,4 +41,35 @@ protected PersistentXssPrimeScanRule createScanner() {
 public void shouldHaveValidReferences() {
 super.shouldHaveValidReferences();
 }
+
+ @Test
+ void shouldReturnExpectedMappings() {
+ // Given / When
+ int cwe = rule.getCweId();
+ int wasc = rule.getWascId();
+ Map tags = rule.getAlertTags();
+ // Then
+ assertThat(cwe, is(equalTo(79)));
+ assertThat(wasc, is(equalTo(8)));
+ assertThat(tags.size(), is(equalTo(6)));
+ assertThat(
+ tags.containsKey(CommonAlertTag.OWASP_2021_A03_INJECTION.getTag()),
+ is(equalTo(true)));
+ assertThat(tags.containsKey(CommonAlertTag.OWASP_2017_A07_XSS.getTag()), is(equalTo(true)));
+ assertThat(
+ tags.containsKey(CommonAlertTag.WSTG_V42_INPV_02_STORED_XSS.getTag()),
+ is(equalTo(true)));
+ assertThat(tags.containsKey(PolicyTag.DEV_FULL.getTag()), is(equalTo(true)));
+ assertThat(tags.containsKey(PolicyTag.QA_STD.getTag()), is(equalTo(true)));
+ assertThat(tags.containsKey(PolicyTag.QA_FULL.getTag()), is(equalTo(true)));
+ assertThat(
+ tags.get(CommonAlertTag.OWASP_2021_A03_INJECTION.getTag()),
+ is(equalTo(CommonAlertTag.OWASP_2021_A03_INJECTION.getValue())));
+ assertThat(
+ tags.get(CommonAlertTag.OWASP_2017_A07_XSS.getTag()),
+ is(equalTo(CommonAlertTag.OWASP_2017_A07_XSS.getValue())));
+ assertThat(
+ tags.get(CommonAlertTag.WSTG_V42_INPV_02_STORED_XSS.getTag()),
+ is(equalTo(CommonAlertTag.WSTG_V42_INPV_02_STORED_XSS.getValue())));
+ }
 }
diff --git a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/PersistentXssScanRuleUnitTest.java b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/PersistentXssScanRuleUnitTest.java
index 284bf659f02..b1334abc8b5 100644
--- a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/PersistentXssScanRuleUnitTest.java
+++ b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/PersistentXssScanRuleUnitTest.java
@@ -26,6 +26,7 @@
 import java.util.Map;
 import org.junit.jupiter.api.Test;
 import org.zaproxy.addon.commonlib.CommonAlertTag;
+import org.zaproxy.addon.commonlib.PolicyTag;
 
 /** Unit test for {@link PersistentXssScanRule}. */
 class PersistentXssScanRuleUnitTest extends ActiveScannerTest {
@@ -44,7 +45,7 @@ void shouldReturnExpectedMappings() {
 // Then
 assertThat(cwe, is(equalTo(79)));
 assertThat(wasc, is(equalTo(8)));
- assertThat(tags.size(), is(equalTo(3)));
+ assertThat(tags.size(), is(equalTo(6)));
 assertThat(
 tags.containsKey(CommonAlertTag.OWASP_2021_A03_INJECTION.getTag()),
 is(equalTo(true)));
@@ -52,6 +53,9 @@ void shouldReturnExpectedMappings() {
 assertThat(
 tags.containsKey(CommonAlertTag.WSTG_V42_INPV_02_STORED_XSS.getTag()),
 is(equalTo(true)));
+ assertThat(tags.containsKey(PolicyTag.DEV_FULL.getTag()), is(equalTo(true)));
+ assertThat(tags.containsKey(PolicyTag.QA_STD.getTag()), is(equalTo(true)));
+ assertThat(tags.containsKey(PolicyTag.QA_FULL.getTag()), is(equalTo(true)));
 assertThat(
 tags.get(CommonAlertTag.OWASP_2021_A03_INJECTION.getTag()),
 is(equalTo(CommonAlertTag.OWASP_2021_A03_INJECTION.getValue())));
diff --git a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/PersistentXssSpiderScanRuleUnitTest.java b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/PersistentXssSpiderScanRuleUnitTest.java
index 8b59d79b41f..428b98f078f 100644
--- a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/PersistentXssSpiderScanRuleUnitTest.java
+++ b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/PersistentXssSpiderScanRuleUnitTest.java
@@ -19,7 +19,14 @@
 */
 package org.zaproxy.zap.extension.ascanrules;
 
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.equalTo;
+import static org.hamcrest.Matchers.is;
+
+import java.util.Map;
 import org.junit.jupiter.api.Test;
+import org.zaproxy.addon.commonlib.CommonAlertTag;
+import org.zaproxy.addon.commonlib.PolicyTag;
 
 /** Unit test for {@link PersistentXssSpiderScanRule}. */
 class PersistentXssSpiderScanRuleUnitTest extends ActiveScannerTest {
@@ -34,4 +41,35 @@ protected PersistentXssSpiderScanRule createScanner() {
 public void shouldHaveValidReferences() {
 super.shouldHaveValidReferences();
 }
+
+ @Test
+ void shouldReturnExpectedMappings() {
+ // Given / When
+ int cwe = rule.getCweId();
+ int wasc = rule.getWascId();
+ Map tags = rule.getAlertTags();
+ // Then
+ assertThat(cwe, is(equalTo(79)));
+ assertThat(wasc, is(equalTo(8)));
+ assertThat(tags.size(), is(equalTo(6)));
+ assertThat(
+ tags.containsKey(CommonAlertTag.OWASP_2021_A03_INJECTION.getTag()),
+ is(equalTo(true)));
+ assertThat(tags.containsKey(CommonAlertTag.OWASP_2017_A07_XSS.getTag()), is(equalTo(true)));
+ assertThat(
+ tags.containsKey(CommonAlertTag.WSTG_V42_INPV_02_STORED_XSS.getTag()),
+ is(equalTo(true)));
+ assertThat(tags.containsKey(PolicyTag.DEV_FULL.getTag()), is(equalTo(true)));
+ assertThat(tags.containsKey(PolicyTag.QA_STD.getTag()), is(equalTo(true)));
+ assertThat(tags.containsKey(PolicyTag.QA_FULL.getTag()), is(equalTo(true)));
+ assertThat(
+ tags.get(CommonAlertTag.OWASP_2021_A03_INJECTION.getTag()),
+ is(equalTo(CommonAlertTag.OWASP_2021_A03_INJECTION.getValue())));
+ assertThat(
+ tags.get(CommonAlertTag.OWASP_2017_A07_XSS.getTag()),
+ is(equalTo(CommonAlertTag.OWASP_2017_A07_XSS.getValue())));
+ assertThat(
+ tags.get(CommonAlertTag.WSTG_V42_INPV_02_STORED_XSS.getTag()),
+ is(equalTo(CommonAlertTag.WSTG_V42_INPV_02_STORED_XSS.getValue())));
+ }
 }
diff --git a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/RemoteCodeExecutionCve20121823ScanRuleUnitTest.java b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/RemoteCodeExecutionCve20121823ScanRuleUnitTest.java
index 47723d4c2ca..5e9f86ae629 100644
--- a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/RemoteCodeExecutionCve20121823ScanRuleUnitTest.java
+++ b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/RemoteCodeExecutionCve20121823ScanRuleUnitTest.java
@@ -33,6 +33,7 @@
 import org.parosproxy.paros.core.scanner.Alert;
 import org.parosproxy.paros.network.HttpMessage;
 import org.zaproxy.addon.commonlib.CommonAlertTag;
+import org.zaproxy.addon.commonlib.PolicyTag;
 import org.zaproxy.zap.model.Tech;
 import org.zaproxy.zap.model.TechSet;
 import org.zaproxy.zap.testutils.NanoServerHandler;
@@ -257,7 +258,7 @@ void shouldReturnExpectedMappings() {
 // Then
 assertThat(cwe, is(equalTo(20)));
 assertThat(wasc, is(equalTo(20)));
- assertThat(tags.size(), is(equalTo(4)));
+ assertThat(tags.size(), is(equalTo(5)));
 assertThat(
 tags.containsKey(CommonAlertTag.OWASP_2021_A06_VULN_COMP.getTag()),
 is(equalTo(true)));
@@ -268,6 +269,7 @@ void shouldReturnExpectedMappings() {
 tags.containsKey(CommonAlertTag.WSTG_V42_INPV_12_COMMAND_INJ.getTag()),
 is(equalTo(true)));
 assertThat(tags.containsKey("CVE-2012-1823"), is(equalTo(true)));
+ assertThat(tags.containsKey(PolicyTag.QA_FULL.getTag()), is(equalTo(true)));
 assertThat(
 tags.get(CommonAlertTag.OWASP_2021_A06_VULN_COMP.getTag()),
 is(equalTo(CommonAlertTag.OWASP_2021_A06_VULN_COMP.getValue())));
diff --git a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/RemoteFileIncludeScanRuleUnitTest.java b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/RemoteFileIncludeScanRuleUnitTest.java
index d46dcc50e48..29cc3ac96d9 100644
--- a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/RemoteFileIncludeScanRuleUnitTest.java
+++ b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/RemoteFileIncludeScanRuleUnitTest.java
@@ -38,6 +38,7 @@
 import org.parosproxy.paros.core.scanner.Plugin.AttackStrength;
 import org.parosproxy.paros.network.HttpMalformedHeaderException;
 import org.zaproxy.addon.commonlib.CommonAlertTag;
+import org.zaproxy.addon.commonlib.PolicyTag;
 import org.zaproxy.addon.commonlib.http.HttpFieldsNames;
 import org.zaproxy.zap.model.Tech;
 import org.zaproxy.zap.testutils.NanoServerHandler;
@@ -62,7 +63,7 @@ void shouldReturnExpectedMappings() { // Then assertThat(cwe, is(equalTo(98))); assertThat(wasc, is(equalTo(5))); - assertThat(tags.size(), is(equalTo(3))); + assertThat(tags.size(), is(equalTo(9))); assertThat( tags.containsKey(CommonAlertTag.OWASP_2021_A03_INJECTION.getTag()), is(equalTo(true))); @@ -72,6 +73,12 @@ void shouldReturnExpectedMappings() { assertThat( tags.containsKey(CommonAlertTag.WSTG_V42_INPV_11_CODE_INJ.getTag()), is(equalTo(true))); + assertThat(tags.containsKey(PolicyTag.API.getTag()), is(equalTo(true))); + assertThat(tags.containsKey(PolicyTag.DEV_STD.getTag()), is(equalTo(true))); + assertThat(tags.containsKey(PolicyTag.DEV_FULL.getTag()), is(equalTo(true))); + assertThat(tags.containsKey(PolicyTag.QA_STD.getTag()), is(equalTo(true))); + assertThat(tags.containsKey(PolicyTag.QA_FULL.getTag()), is(equalTo(true))); + assertThat(tags.containsKey(PolicyTag.SEQUENCE.getTag()), is(equalTo(true))); assertThat( tags.get(CommonAlertTag.OWASP_2021_A03_INJECTION.getTag()), is(equalTo(CommonAlertTag.OWASP_2021_A03_INJECTION.getValue()))); diff --git a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/ServerSideIncludeScanRuleUnitTest.java b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/ServerSideIncludeScanRuleUnitTest.java index 40e8208b120..d7a701648c9 100644 --- a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/ServerSideIncludeScanRuleUnitTest.java +++ b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/ServerSideIncludeScanRuleUnitTest.java @@ -28,6 +28,7 @@ import org.junit.jupiter.api.Test; import org.parosproxy.paros.core.scanner.Alert; import org.zaproxy.addon.commonlib.CommonAlertTag; +import org.zaproxy.addon.commonlib.PolicyTag; import org.zaproxy.zap.model.Tech; import org.zaproxy.zap.model.TechSet; 
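Review bot: The six `PolicyTag` presence assertions added to this test are repeated verbatim in ServerSideIncludeScanRuleUnitTest, SqlInjectionScanRuleUnitTest, SstiScanRuleUnitTest, XpathInjectionScanRuleUnitTest, XsltInjectionScanRuleUnitTest and XxeScanRuleUnitTest, and as a subset in the remaining mapping tests, each copy paired with its own hard-coded `tags.size()` update (here `3` → `9`); that is the part most likely to drift the next time a policy tag is added or removed. A single helper that takes the expected `PolicyTag` values and asserts both presence and count would keep that expectation in one place — SpringActuatorScanRuleUnitTest in this same change already factors its shared tag checks into a private `assertBaseTags(Map tags)`, and a similar helper in the shared test base (several of these classes extend ActiveScannerTest, though presumably not all) would serve the others. Something like `assertPolicyTags(tags, PolicyTag.API, PolicyTag.DEV_STD, PolicyTag.DEV_FULL, PolicyTag.QA_STD, PolicyTag.QA_FULL, PolicyTag.SEQUENCE);` per test would then replace the six lines plus the count.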
@@ -48,7 +49,7 @@ void shouldReturnExpectedMappings() { // Then assertThat(cwe, is(equalTo(97))); assertThat(wasc, is(equalTo(31))); - assertThat(tags.size(), is(equalTo(3))); + assertThat(tags.size(), is(equalTo(8))); assertThat( tags.containsKey(CommonAlertTag.OWASP_2021_A03_INJECTION.getTag()), is(equalTo(true))); @@ -58,6 +59,11 @@ void shouldReturnExpectedMappings() { assertThat( tags.containsKey(CommonAlertTag.WSTG_V42_INPV_11_CODE_INJ.getTag()), is(equalTo(true))); + assertThat(tags.containsKey(PolicyTag.API.getTag()), is(equalTo(true))); + assertThat(tags.containsKey(PolicyTag.DEV_STD.getTag()), is(equalTo(true))); + assertThat(tags.containsKey(PolicyTag.DEV_FULL.getTag()), is(equalTo(true))); + assertThat(tags.containsKey(PolicyTag.QA_STD.getTag()), is(equalTo(true))); + assertThat(tags.containsKey(PolicyTag.QA_FULL.getTag()), is(equalTo(true))); assertThat( tags.get(CommonAlertTag.OWASP_2021_A03_INJECTION.getTag()), is(equalTo(CommonAlertTag.OWASP_2021_A03_INJECTION.getValue()))); diff --git a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SourceCodeDisclosureCve20121823ScanRuleUnitTest.java b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SourceCodeDisclosureCve20121823ScanRuleUnitTest.java index 7d26407e81b..deb62212571 100644 --- a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SourceCodeDisclosureCve20121823ScanRuleUnitTest.java +++ b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SourceCodeDisclosureCve20121823ScanRuleUnitTest.java @@ -38,6 +38,7 @@ import org.parosproxy.paros.core.scanner.Plugin.AttackStrength; import org.parosproxy.paros.network.HttpMessage; import org.zaproxy.addon.commonlib.CommonAlertTag; +import org.zaproxy.addon.commonlib.PolicyTag; import org.zaproxy.addon.commonlib.http.HttpFieldsNames; import org.zaproxy.zap.model.Tech; import org.zaproxy.zap.model.TechSet; 
@@ -407,7 +408,7 @@ void shouldReturnExpectedMappings() { // Then assertThat(cwe, is(equalTo(20))); assertThat(wasc, is(equalTo(20))); - assertThat(tags.size(), is(equalTo(3))); + assertThat(tags.size(), is(equalTo(4))); assertThat( tags.containsKey(CommonAlertTag.OWASP_2021_A06_VULN_COMP.getTag()), is(equalTo(true))); @@ -415,6 +416,7 @@ void shouldReturnExpectedMappings() { tags.containsKey(CommonAlertTag.OWASP_2017_A09_VULN_COMP.getTag()), is(equalTo(true))); assertThat(tags.containsKey("CVE-2012-1823"), is(equalTo(true))); + assertThat(tags.containsKey(PolicyTag.QA_FULL.getTag()), is(equalTo(true))); assertThat( tags.get(CommonAlertTag.OWASP_2021_A06_VULN_COMP.getTag()), is(equalTo(CommonAlertTag.OWASP_2021_A06_VULN_COMP.getValue()))); diff --git a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SourceCodeDisclosureWebinfScanRuleUnitTest.java b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SourceCodeDisclosureWebinfScanRuleUnitTest.java index 17b1850f2fa..862f1ccfcbd 100644 --- a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SourceCodeDisclosureWebinfScanRuleUnitTest.java +++ b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SourceCodeDisclosureWebinfScanRuleUnitTest.java @@ -37,6 +37,7 @@ import org.parosproxy.paros.core.scanner.Alert; import org.parosproxy.paros.network.HttpMessage; import org.zaproxy.addon.commonlib.CommonAlertTag; +import org.zaproxy.addon.commonlib.PolicyTag; import org.zaproxy.zap.testutils.NanoServerHandler; /** Unit test for {@link SourceCodeDisclosureWebInfScanRule}. */ @@ -59,7 +60,7 @@ void shouldReturnExpectedMappings() { // Then assertThat(cwe, is(equalTo(541))); assertThat(wasc, is(equalTo(34))); - assertThat(tags.size(), is(equalTo(3))); + assertThat(tags.size(), is(equalTo(4))); assertThat( tags.containsKey(CommonAlertTag.OWASP_2021_A05_SEC_MISCONFIG.getTag()), is(equalTo(true))); 
@@ -69,6 +70,7 @@ void shouldReturnExpectedMappings() { assertThat( tags.containsKey(CommonAlertTag.WSTG_V42_CONF_05_ENUMERATE_INFRASTRUCTURE.getTag()), is(equalTo(true))); + assertThat(tags.containsKey(PolicyTag.QA_FULL.getTag()), is(equalTo(true))); assertThat( tags.get(CommonAlertTag.OWASP_2021_A05_SEC_MISCONFIG.getTag()), is(equalTo(CommonAlertTag.OWASP_2021_A05_SEC_MISCONFIG.getValue()))); diff --git a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/Spring4ShellScanRuleUnitTest.java b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/Spring4ShellScanRuleUnitTest.java index 6a7ead2e377..bedbf6e4619 100644 --- a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/Spring4ShellScanRuleUnitTest.java +++ b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/Spring4ShellScanRuleUnitTest.java @@ -34,6 +34,7 @@ import org.parosproxy.paros.network.HttpMalformedHeaderException; import org.parosproxy.paros.network.HttpMessage; import org.zaproxy.addon.commonlib.CommonAlertTag; +import org.zaproxy.addon.commonlib.PolicyTag; import org.zaproxy.zap.model.Tech; import org.zaproxy.zap.model.TechSet; import org.zaproxy.zap.testutils.NanoServerHandler; @@ -233,7 +234,7 @@ void shouldReturnExpectedMappings() { // Then assertThat(cwe, is(equalTo(78))); assertThat(wasc, is(equalTo(20))); - assertThat(tags.size(), is(equalTo(6))); + assertThat(tags.size(), is(equalTo(7))); assertThat( tags.containsKey(CommonAlertTag.OWASP_2021_A03_INJECTION.getTag()), is(equalTo(true))); @@ -250,6 +251,7 @@ void shouldReturnExpectedMappings() { tags.containsKey(CommonAlertTag.WSTG_V42_INPV_12_COMMAND_INJ.getTag()), is(equalTo(true))); assertThat(tags.containsKey("CVE-2022-22965"), is(equalTo(true))); + assertThat(tags.containsKey(PolicyTag.QA_FULL.getTag()), is(equalTo(true))); assertThat( tags.get(CommonAlertTag.OWASP_2021_A03_INJECTION.getTag()), is(equalTo(CommonAlertTag.OWASP_2021_A03_INJECTION.getValue()))); 
diff --git a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SpringActuatorScanRuleUnitTest.java b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SpringActuatorScanRuleUnitTest.java index 855c06728a5..d96c8c86817 100644 --- a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SpringActuatorScanRuleUnitTest.java +++ b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SpringActuatorScanRuleUnitTest.java @@ -40,6 +40,7 @@ import org.parosproxy.paros.network.HttpMessage; import org.parosproxy.paros.network.HttpRequestHeader; import org.zaproxy.addon.commonlib.CommonAlertTag; +import org.zaproxy.addon.commonlib.PolicyTag; import org.zaproxy.addon.commonlib.http.HttpFieldsNames; import org.zaproxy.zap.model.Tech; import org.zaproxy.zap.model.TechSet; @@ -344,7 +345,7 @@ void shouldReturnExpectedMappings() { // Then assertThat(cwe, is(equalTo(215))); assertThat(wasc, is(equalTo(13))); - assertThat(tags.size(), is(equalTo(3))); + assertThat(tags.size(), is(equalTo(5))); assertBaseTags(tags); } @@ -358,6 +359,8 @@ private static void assertBaseTags(Map tags) { assertThat( tags.containsKey(CommonAlertTag.WSTG_V42_CONF_05_ENUMERATE_INFRASTRUCTURE.getTag()), is(equalTo(true))); + assertThat(tags.containsKey(PolicyTag.API.getTag()), is(equalTo(true))); + assertThat(tags.containsKey(PolicyTag.QA_FULL.getTag()), is(equalTo(true))); assertThat( tags.get(CommonAlertTag.OWASP_2021_A01_BROKEN_AC.getTag()), is(equalTo(CommonAlertTag.OWASP_2021_A01_BROKEN_AC.getValue()))); @@ -381,7 +384,7 @@ void shouldReturnExpectedExampleAlert() { assertThat(alert.getConfidence(), is(equalTo(Alert.CONFIDENCE_MEDIUM))); assertThat(alert.getRisk(), is(equalTo(Alert.RISK_MEDIUM))); Map tags = alert.getTags(); - assertThat(tags.size(), is(equalTo(4))); + assertThat(tags.size(), is(equalTo(6))); assertBaseTags(tags); assertThat(tags, hasKey("CWE-215")); } 
diff --git a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionHypersonicScanRuleUnitTest.java b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionHypersonicScanRuleUnitTest.java index e28c8c92e30..80d1cfd829f 100644 --- a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionHypersonicScanRuleUnitTest.java +++ b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionHypersonicScanRuleUnitTest.java @@ -33,6 +33,7 @@ import org.parosproxy.paros.core.scanner.Alert; import org.parosproxy.paros.network.HttpMessage; import org.zaproxy.addon.commonlib.CommonAlertTag; +import org.zaproxy.addon.commonlib.PolicyTag; import org.zaproxy.zap.model.Tech; import org.zaproxy.zap.model.TechSet; import org.zaproxy.zap.testutils.NanoServerHandler; @@ -154,7 +155,7 @@ void shouldReturnExpectedMappings() { // Then assertThat(cwe, is(equalTo(89))); assertThat(wasc, is(equalTo(19))); - assertThat(tags.size(), is(equalTo(3))); + assertThat(tags.size(), is(equalTo(7))); assertThat( tags.containsKey(CommonAlertTag.OWASP_2021_A03_INJECTION.getTag()), is(equalTo(true))); @@ -163,6 +164,10 @@ void shouldReturnExpectedMappings() { is(equalTo(true))); assertThat( tags.containsKey(CommonAlertTag.WSTG_V42_INPV_05_SQLI.getTag()), is(equalTo(true))); + assertThat(tags.containsKey(PolicyTag.DEV_FULL.getTag()), is(equalTo(true))); + assertThat(tags.containsKey(PolicyTag.QA_STD.getTag()), is(equalTo(true))); + assertThat(tags.containsKey(PolicyTag.QA_FULL.getTag()), is(equalTo(true))); + assertThat(tags.containsKey(PolicyTag.SEQUENCE.getTag()), is(equalTo(true))); assertThat( tags.get(CommonAlertTag.OWASP_2021_A03_INJECTION.getTag()), is(equalTo(CommonAlertTag.OWASP_2021_A03_INJECTION.getValue()))); 
diff --git a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionMsSqlScanRuleUnitTest.java b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionMsSqlScanRuleUnitTest.java index c3b854b0bae..3ca0ac36de6 100644 --- a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionMsSqlScanRuleUnitTest.java +++ b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionMsSqlScanRuleUnitTest.java @@ -33,6 +33,7 @@ import org.parosproxy.paros.core.scanner.Alert; import org.parosproxy.paros.network.HttpMessage; import org.zaproxy.addon.commonlib.CommonAlertTag; +import org.zaproxy.addon.commonlib.PolicyTag; import org.zaproxy.zap.model.Tech; import org.zaproxy.zap.model.TechSet; import org.zaproxy.zap.testutils.NanoServerHandler; @@ -149,7 +150,7 @@ void shouldReturnExpectedMappings() { // Then assertThat(cwe, is(equalTo(89))); assertThat(wasc, is(equalTo(19))); - assertThat(tags.size(), is(equalTo(3))); + assertThat(tags.size(), is(equalTo(7))); assertThat( tags.containsKey(CommonAlertTag.OWASP_2021_A03_INJECTION.getTag()), is(equalTo(true))); @@ -158,6 +159,10 @@ void shouldReturnExpectedMappings() { is(equalTo(true))); assertThat( tags.containsKey(CommonAlertTag.WSTG_V42_INPV_05_SQLI.getTag()), is(equalTo(true))); + assertThat(tags.containsKey(PolicyTag.DEV_FULL.getTag()), is(equalTo(true))); + assertThat(tags.containsKey(PolicyTag.QA_STD.getTag()), is(equalTo(true))); + assertThat(tags.containsKey(PolicyTag.QA_FULL.getTag()), is(equalTo(true))); + assertThat(tags.containsKey(PolicyTag.SEQUENCE.getTag()), is(equalTo(true))); assertThat( tags.get(CommonAlertTag.OWASP_2021_A03_INJECTION.getTag()), is(equalTo(CommonAlertTag.OWASP_2021_A03_INJECTION.getValue()))); 
diff --git a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionMySqlScanRuleUnitTest.java b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionMySqlScanRuleUnitTest.java index d7b951da97f..1d8dd0fe8da 100644 --- a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionMySqlScanRuleUnitTest.java +++ b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionMySqlScanRuleUnitTest.java @@ -33,6 +33,7 @@ import org.parosproxy.paros.core.scanner.Alert; import org.parosproxy.paros.network.HttpMessage; import org.zaproxy.addon.commonlib.CommonAlertTag; +import org.zaproxy.addon.commonlib.PolicyTag; import org.zaproxy.zap.model.Tech; import org.zaproxy.zap.model.TechSet; import org.zaproxy.zap.testutils.NanoServerHandler; @@ -148,7 +149,7 @@ void shouldReturnExpectedMappings() { // Then assertThat(cwe, is(equalTo(89))); assertThat(wasc, is(equalTo(19))); - assertThat(tags.size(), is(equalTo(3))); + assertThat(tags.size(), is(equalTo(7))); assertThat( tags.containsKey(CommonAlertTag.OWASP_2021_A03_INJECTION.getTag()), is(equalTo(true))); @@ -157,6 +158,10 @@ void shouldReturnExpectedMappings() { is(equalTo(true))); assertThat( tags.containsKey(CommonAlertTag.WSTG_V42_INPV_05_SQLI.getTag()), is(equalTo(true))); + assertThat(tags.containsKey(PolicyTag.DEV_FULL.getTag()), is(equalTo(true))); + assertThat(tags.containsKey(PolicyTag.QA_STD.getTag()), is(equalTo(true))); + assertThat(tags.containsKey(PolicyTag.QA_FULL.getTag()), is(equalTo(true))); + assertThat(tags.containsKey(PolicyTag.SEQUENCE.getTag()), is(equalTo(true))); assertThat( tags.get(CommonAlertTag.OWASP_2021_A03_INJECTION.getTag()), is(equalTo(CommonAlertTag.OWASP_2021_A03_INJECTION.getValue()))); 
diff --git a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionOracleScanRuleUnitTest.java b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionOracleScanRuleUnitTest.java index ba2a379757a..d5a9103e241 100644 --- a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionOracleScanRuleUnitTest.java +++ b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionOracleScanRuleUnitTest.java @@ -31,6 +31,7 @@ import org.parosproxy.paros.core.scanner.Alert; import org.parosproxy.paros.network.HttpMessage; import org.zaproxy.addon.commonlib.CommonAlertTag; +import org.zaproxy.addon.commonlib.PolicyTag; import org.zaproxy.zap.model.Tech; import org.zaproxy.zap.model.TechSet; import org.zaproxy.zap.testutils.NanoServerHandler; @@ -144,7 +145,7 @@ void shouldReturnExpectedMappings() { // Then assertThat(cwe, is(equalTo(89))); assertThat(wasc, is(equalTo(19))); - assertThat(tags.size(), is(equalTo(3))); + assertThat(tags.size(), is(equalTo(7))); assertThat( tags.containsKey(CommonAlertTag.OWASP_2021_A03_INJECTION.getTag()), is(equalTo(true))); @@ -153,6 +154,10 @@ void shouldReturnExpectedMappings() { is(equalTo(true))); assertThat( tags.containsKey(CommonAlertTag.WSTG_V42_INPV_05_SQLI.getTag()), is(equalTo(true))); + assertThat(tags.containsKey(PolicyTag.DEV_FULL.getTag()), is(equalTo(true))); + assertThat(tags.containsKey(PolicyTag.QA_STD.getTag()), is(equalTo(true))); + assertThat(tags.containsKey(PolicyTag.QA_FULL.getTag()), is(equalTo(true))); + assertThat(tags.containsKey(PolicyTag.SEQUENCE.getTag()), is(equalTo(true))); assertThat( tags.get(CommonAlertTag.OWASP_2021_A03_INJECTION.getTag()), is(equalTo(CommonAlertTag.OWASP_2021_A03_INJECTION.getValue()))); 
diff --git a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionPostgreScanRuleUnitTest.java b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionPostgreScanRuleUnitTest.java index 9ea5f3c0332..f893bc46bc0 100644 --- a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionPostgreScanRuleUnitTest.java +++ b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionPostgreScanRuleUnitTest.java @@ -36,6 +36,7 @@ import org.parosproxy.paros.core.scanner.Alert; import org.parosproxy.paros.network.HttpMessage; import org.zaproxy.addon.commonlib.CommonAlertTag; +import org.zaproxy.addon.commonlib.PolicyTag; import org.zaproxy.zap.model.Tech; import org.zaproxy.zap.model.TechSet; import org.zaproxy.zap.testutils.NanoServerHandler; @@ -157,7 +158,7 @@ void shouldReturnExpectedMappings() { // Then assertThat(cwe, is(equalTo(89))); assertThat(wasc, is(equalTo(19))); - assertThat(tags.size(), is(equalTo(3))); + assertThat(tags.size(), is(equalTo(7))); assertThat( tags.containsKey(CommonAlertTag.OWASP_2021_A03_INJECTION.getTag()), is(equalTo(true))); @@ -166,6 +167,10 @@ void shouldReturnExpectedMappings() { is(equalTo(true))); assertThat( tags.containsKey(CommonAlertTag.WSTG_V42_INPV_05_SQLI.getTag()), is(equalTo(true))); + assertThat(tags.containsKey(PolicyTag.DEV_FULL.getTag()), is(equalTo(true))); + assertThat(tags.containsKey(PolicyTag.QA_STD.getTag()), is(equalTo(true))); + assertThat(tags.containsKey(PolicyTag.QA_FULL.getTag()), is(equalTo(true))); + assertThat(tags.containsKey(PolicyTag.SEQUENCE.getTag()), is(equalTo(true))); assertThat( tags.get(CommonAlertTag.OWASP_2021_A03_INJECTION.getTag()), is(equalTo(CommonAlertTag.OWASP_2021_A03_INJECTION.getValue()))); 
diff --git a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionSQLiteScanRuleUnitTest.java b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionSQLiteScanRuleUnitTest.java index 4dd5cc7e2df..a25ec55d3f5 100644 --- a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionSQLiteScanRuleUnitTest.java +++ b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionSQLiteScanRuleUnitTest.java @@ -33,6 +33,7 @@ import org.parosproxy.paros.core.scanner.Plugin; import org.parosproxy.paros.network.HttpMessage; import org.zaproxy.addon.commonlib.CommonAlertTag; +import org.zaproxy.addon.commonlib.PolicyTag; import org.zaproxy.zap.model.Tech; import org.zaproxy.zap.model.TechSet; import org.zaproxy.zap.testutils.NanoServerHandler; @@ -196,7 +197,7 @@ void shouldReturnExpectedMappings() { // Then assertThat(cwe, is(equalTo(89))); assertThat(wasc, is(equalTo(19))); - assertThat(tags.size(), is(equalTo(3))); + assertThat(tags.size(), is(equalTo(4))); assertThat( tags.containsKey(CommonAlertTag.OWASP_2021_A03_INJECTION.getTag()), is(equalTo(true))); @@ -205,6 +206,7 @@ void shouldReturnExpectedMappings() { is(equalTo(true))); assertThat( tags.containsKey(CommonAlertTag.WSTG_V42_INPV_05_SQLI.getTag()), is(equalTo(true))); + assertThat(tags.containsKey(PolicyTag.QA_FULL.getTag()), is(equalTo(true))); assertThat( tags.get(CommonAlertTag.OWASP_2021_A03_INJECTION.getTag()), is(equalTo(CommonAlertTag.OWASP_2021_A03_INJECTION.getValue()))); diff --git a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionScanRuleUnitTest.java b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionScanRuleUnitTest.java index bd343731e8a..2f7ea308272 100644 --- a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionScanRuleUnitTest.java 
+++ b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionScanRuleUnitTest.java @@ -35,6 +35,7 @@ import org.parosproxy.paros.core.scanner.Alert; import org.parosproxy.paros.core.scanner.Plugin.AttackStrength; import org.zaproxy.addon.commonlib.CommonAlertTag; +import org.zaproxy.addon.commonlib.PolicyTag; import org.zaproxy.zap.model.Tech; import org.zaproxy.zap.model.TechSet; import org.zaproxy.zap.testutils.NanoServerHandler; @@ -73,7 +74,7 @@ void shouldReturnExpectedMappings() { // Then assertThat(cwe, is(equalTo(89))); assertThat(wasc, is(equalTo(19))); - assertThat(tags.size(), is(equalTo(3))); + assertThat(tags.size(), is(equalTo(10))); assertThat( tags.containsKey(CommonAlertTag.OWASP_2021_A03_INJECTION.getTag()), is(equalTo(true))); @@ -82,6 +83,12 @@ void shouldReturnExpectedMappings() { is(equalTo(true))); assertThat( tags.containsKey(CommonAlertTag.WSTG_V42_INPV_05_SQLI.getTag()), is(equalTo(true))); + assertThat(tags.containsKey(PolicyTag.API.getTag()), is(equalTo(true))); + assertThat(tags.containsKey(PolicyTag.DEV_STD.getTag()), is(equalTo(true))); + assertThat(tags.containsKey(PolicyTag.DEV_FULL.getTag()), is(equalTo(true))); + assertThat(tags.containsKey(PolicyTag.QA_STD.getTag()), is(equalTo(true))); + assertThat(tags.containsKey(PolicyTag.QA_FULL.getTag()), is(equalTo(true))); + assertThat(tags.containsKey(PolicyTag.SEQUENCE.getTag()), is(equalTo(true))); assertThat( tags.get(CommonAlertTag.OWASP_2021_A03_INJECTION.getTag()), is(equalTo(CommonAlertTag.OWASP_2021_A03_INJECTION.getValue()))); diff --git a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SstiBlindScanRuleUnitTest.java b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SstiBlindScanRuleUnitTest.java index a1e87b460e5..bd387fdaf13 100644 --- a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SstiBlindScanRuleUnitTest.java 
+++ b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SstiBlindScanRuleUnitTest.java @@ -35,6 +35,7 @@ import org.parosproxy.paros.core.scanner.Plugin; import org.parosproxy.paros.network.HttpMessage; import org.zaproxy.addon.commonlib.CommonAlertTag; +import org.zaproxy.addon.commonlib.PolicyTag; import org.zaproxy.zap.testutils.NanoServerHandler; class SstiBlindScanRuleUnitTest extends ActiveScannerTest { @@ -141,7 +142,7 @@ void shouldReturnExpectedMappings() { // Then assertThat(cwe, is(equalTo(1336))); assertThat(wasc, is(equalTo(20))); - assertThat(tags.size(), is(equalTo(3))); + assertThat(tags.size(), is(equalTo(7))); assertThat( tags.containsKey(CommonAlertTag.OWASP_2021_A03_INJECTION.getTag()), is(equalTo(true))); @@ -150,6 +151,10 @@ void shouldReturnExpectedMappings() { is(equalTo(true))); assertThat( tags.containsKey(CommonAlertTag.WSTG_V42_INPV_18_SSTI.getTag()), is(equalTo(true))); + assertThat(tags.containsKey(PolicyTag.API.getTag()), is(equalTo(true))); + assertThat(tags.containsKey(PolicyTag.DEV_FULL.getTag()), is(equalTo(true))); + assertThat(tags.containsKey(PolicyTag.QA_FULL.getTag()), is(equalTo(true))); + assertThat(tags.containsKey(PolicyTag.SEQUENCE.getTag()), is(equalTo(true))); assertThat( tags.get(CommonAlertTag.OWASP_2021_A03_INJECTION.getTag()), is(equalTo(CommonAlertTag.OWASP_2021_A03_INJECTION.getValue()))); diff --git a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SstiScanRuleUnitTest.java b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SstiScanRuleUnitTest.java index 8846bbd76b8..2d344b71fbf 100644 --- a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SstiScanRuleUnitTest.java +++ b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SstiScanRuleUnitTest.java 
@@ -47,6 +47,7 @@ import org.parosproxy.paros.network.HttpMalformedHeaderException; import org.parosproxy.paros.network.HttpMessage; import org.zaproxy.addon.commonlib.CommonAlertTag; +import org.zaproxy.addon.commonlib.PolicyTag; import org.zaproxy.zap.testutils.NanoServerHandler; import org.zaproxy.zap.utils.ZapXmlConfiguration; @@ -245,7 +246,7 @@ void shouldReturnExpectedMappings() { // Then assertThat(cwe, is(equalTo(1336))); assertThat(wasc, is(equalTo(20))); - assertThat(tags.size(), is(equalTo(3))); + assertThat(tags.size(), is(equalTo(10))); assertThat( tags.containsKey(CommonAlertTag.OWASP_2021_A03_INJECTION.getTag()), is(equalTo(true))); @@ -254,6 +255,12 @@ void shouldReturnExpectedMappings() { is(equalTo(true))); assertThat( tags.containsKey(CommonAlertTag.WSTG_V42_INPV_18_SSTI.getTag()), is(equalTo(true))); + assertThat(tags.containsKey(PolicyTag.API.getTag()), is(equalTo(true))); + assertThat(tags.containsKey(PolicyTag.DEV_STD.getTag()), is(equalTo(true))); + assertThat(tags.containsKey(PolicyTag.DEV_FULL.getTag()), is(equalTo(true))); + assertThat(tags.containsKey(PolicyTag.QA_STD.getTag()), is(equalTo(true))); + assertThat(tags.containsKey(PolicyTag.QA_FULL.getTag()), is(equalTo(true))); + assertThat(tags.containsKey(PolicyTag.SEQUENCE.getTag()), is(equalTo(true))); assertThat( tags.get(CommonAlertTag.OWASP_2021_A03_INJECTION.getTag()), is(equalTo(CommonAlertTag.OWASP_2021_A03_INJECTION.getValue()))); diff --git a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/TraceAxdScanRuleUnitTest.java b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/TraceAxdScanRuleUnitTest.java index b5c55a0d135..74bba515edc 100644 --- a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/TraceAxdScanRuleUnitTest.java +++ b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/TraceAxdScanRuleUnitTest.java 
@@ -36,6 +36,7 @@ import org.parosproxy.paros.network.HttpMessage; import org.zaproxy.addon.commonlib.AbstractAppFilePluginUnitTest; import org.zaproxy.addon.commonlib.CommonAlertTag; +import org.zaproxy.addon.commonlib.PolicyTag; /** Unit test for {@link TraceAxdScanRule}. */ class TraceAxdScanRuleUnitTest extends AbstractAppFilePluginUnitTest { @@ -120,9 +121,14 @@ void shouldNotAlertWhenRequestIsSuccessfulButContentNotRelevant() throws Excepti @Test void shouldReturnExpectedMappings() { // Given / When + int cwe = rule.getCweId(); + int wasc = rule.getWascId(); Map tags = ((TraceAxdScanRule) rule).getAlertTags(); // Then - assertThat(tags.size(), is(equalTo(3))); + assertThat(cwe, is(equalTo(215))); + assertThat(wasc, is(equalTo(13))); + // Then + assertThat(tags.size(), is(equalTo(4))); assertThat( tags.containsKey(CommonAlertTag.OWASP_2021_A05_SEC_MISCONFIG.getTag()), is(equalTo(true))); @@ -132,6 +138,7 @@ void shouldReturnExpectedMappings() { assertThat( tags.containsKey(CommonAlertTag.WSTG_V42_CONF_05_ENUMERATE_INFRASTRUCTURE.getTag()), is(equalTo(true))); + assertThat(tags.containsKey(PolicyTag.QA_FULL.getTag()), is(equalTo(true))); assertThat( tags.get(CommonAlertTag.OWASP_2021_A05_SEC_MISCONFIG.getTag()), is(equalTo(CommonAlertTag.OWASP_2021_A05_SEC_MISCONFIG.getValue()))); diff --git a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/XpathInjectionScanRuleUnitTest.java b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/XpathInjectionScanRuleUnitTest.java index d6bbd335020..cebc63474bd 100644 --- a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/XpathInjectionScanRuleUnitTest.java +++ b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/XpathInjectionScanRuleUnitTest.java 
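Review bot: The reworked `shouldReturnExpectedMappings` in TraceAxdScanRuleUnitTest now carries two `// Then` comments — one before the CWE/WASC assertions and a second immediately before `assertThat(tags.size(), ...)` — which reads as a copy/paste remnant; the other mapping tests in this change use a single `// Given / When` and `// Then` pair, so the second `// Then` line should be dropped. The hunk also keeps the `((TraceAxdScanRule) rule).getAlertTags()` cast while the newly added `rule.getCweId()` and `rule.getWascId()` calls need none; if `rule` is declared as a base type that only exposes the CWE/WASC accessors the cast is presumably required, otherwise it can go as well.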
@@ -29,6 +29,7 @@ import org.junit.jupiter.api.Test; import org.parosproxy.paros.core.scanner.Alert; import org.zaproxy.addon.commonlib.CommonAlertTag; +import org.zaproxy.addon.commonlib.PolicyTag; class XpathInjectionScanRuleUnitTest extends ActiveScannerTest { @@ -46,7 +47,7 @@ void shouldReturnExpectedMappings() { // Then assertThat(cwe, is(equalTo(643))); assertThat(wasc, is(equalTo(39))); - assertThat(tags.size(), is(equalTo(3))); + assertThat(tags.size(), is(equalTo(10))); assertThat( tags.containsKey(CommonAlertTag.OWASP_2021_A03_INJECTION.getTag()), is(equalTo(true))); @@ -56,6 +57,12 @@ void shouldReturnExpectedMappings() { assertThat( tags.containsKey(CommonAlertTag.WSTG_V42_INPV_09_XPATH.getTag()), is(equalTo(true))); + assertThat(tags.containsKey(PolicyTag.API.getTag()), is(equalTo(true))); + assertThat(tags.containsKey(PolicyTag.DEV_STD.getTag()), is(equalTo(true))); + assertThat(tags.containsKey(PolicyTag.DEV_FULL.getTag()), is(equalTo(true))); + assertThat(tags.containsKey(PolicyTag.QA_STD.getTag()), is(equalTo(true))); + assertThat(tags.containsKey(PolicyTag.QA_FULL.getTag()), is(equalTo(true))); + assertThat(tags.containsKey(PolicyTag.SEQUENCE.getTag()), is(equalTo(true))); assertThat( tags.get(CommonAlertTag.OWASP_2021_A03_INJECTION.getTag()), is(equalTo(CommonAlertTag.OWASP_2021_A03_INJECTION.getValue()))); diff --git a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/XsltInjectionScanRuleUnitTest.java b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/XsltInjectionScanRuleUnitTest.java index 32c933d55b4..5b2770acbb8 100644 --- a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/XsltInjectionScanRuleUnitTest.java +++ b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/XsltInjectionScanRuleUnitTest.java 
@@ -31,6 +31,7 @@ import org.parosproxy.paros.core.scanner.Alert; import org.parosproxy.paros.network.HttpMessage; import org.zaproxy.addon.commonlib.CommonAlertTag; +import org.zaproxy.addon.commonlib.PolicyTag; import org.zaproxy.zap.testutils.StaticContentServerHandler; /** Unit test for {@link XsltInjectionScanRule}. */ @@ -150,13 +151,19 @@ void shouldReturnExpectedMappings() { // Then assertThat(cwe, is(equalTo(91))); assertThat(wasc, is(equalTo(23))); - assertThat(tags.size(), is(equalTo(2))); + assertThat(tags.size(), is(equalTo(9))); assertThat( tags.containsKey(CommonAlertTag.OWASP_2021_A03_INJECTION.getTag()), is(equalTo(true))); assertThat( tags.containsKey(CommonAlertTag.OWASP_2017_A01_INJECTION.getTag()), is(equalTo(true))); + assertThat(tags.containsKey(PolicyTag.API.getTag()), is(equalTo(true))); + assertThat(tags.containsKey(PolicyTag.DEV_STD.getTag()), is(equalTo(true))); + assertThat(tags.containsKey(PolicyTag.DEV_FULL.getTag()), is(equalTo(true))); + assertThat(tags.containsKey(PolicyTag.QA_STD.getTag()), is(equalTo(true))); + assertThat(tags.containsKey(PolicyTag.QA_FULL.getTag()), is(equalTo(true))); + assertThat(tags.containsKey(PolicyTag.SEQUENCE.getTag()), is(equalTo(true))); assertThat( tags.get(CommonAlertTag.OWASP_2021_A03_INJECTION.getTag()), is(equalTo(CommonAlertTag.OWASP_2021_A03_INJECTION.getValue()))); diff --git a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/XxeScanRuleUnitTest.java b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/XxeScanRuleUnitTest.java index cb6bae65ef3..2e3cba5cd43 100644 --- a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/XxeScanRuleUnitTest.java +++ b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/XxeScanRuleUnitTest.java 
@@ -47,6 +47,7 @@ import org.parosproxy.paros.network.HttpMalformedHeaderException; import org.parosproxy.paros.network.HttpMessage; import org.zaproxy.addon.commonlib.CommonAlertTag; +import org.zaproxy.addon.commonlib.PolicyTag; import org.zaproxy.addon.commonlib.http.HttpFieldsNames; import org.zaproxy.zap.testutils.NanoServerHandler; @@ -349,13 +350,19 @@ void shouldReturnExpectedMappings() { // Then assertThat(cwe, is(equalTo(611))); assertThat(wasc, is(equalTo(43))); - assertThat(tags.size(), is(equalTo(3))); + assertThat(tags.size(), is(equalTo(10))); assertThat( tags.containsKey(CommonAlertTag.OWASP_2021_A03_INJECTION.getTag()), is(equalTo(true))); assertThat(tags.containsKey(CommonAlertTag.OWASP_2017_A04_XXE.getTag()), is(equalTo(true))); assertThat( tags.containsKey(CommonAlertTag.WSTG_V42_INPV_07_XMLI.getTag()), is(equalTo(true))); + assertThat(tags.containsKey(PolicyTag.API.getTag()), is(equalTo(true))); + assertThat(tags.containsKey(PolicyTag.DEV_STD.getTag()), is(equalTo(true))); + assertThat(tags.containsKey(PolicyTag.DEV_FULL.getTag()), is(equalTo(true))); + assertThat(tags.containsKey(PolicyTag.QA_STD.getTag()), is(equalTo(true))); + assertThat(tags.containsKey(PolicyTag.QA_FULL.getTag()), is(equalTo(true))); + assertThat(tags.containsKey(PolicyTag.SEQUENCE.getTag()), is(equalTo(true))); assertThat( tags.get(CommonAlertTag.OWASP_2021_A03_INJECTION.getTag()), is(equalTo(CommonAlertTag.OWASP_2021_A03_INJECTION.getValue())));