From 069d64bc260a1a3d35a3808667e7fc4a5f323dab Mon Sep 17 00:00:00 2001
From: kingthorin
Date: Fri, 29 Nov 2024 06:18:39 -0500
Subject: [PATCH] scanpolicies: Add workflow/script to generate updates based on rule tags
- generate-scan-policies.js > ZAP standalone script to be used by a nightly docker image to craft the scan policies.
- generate_policies.yml > The new workflow. Triggered by cron every Friday morning or manually via workflow_dispatch.
Signed-off-by: kingthorin
---
.github/scripts/generate-scan-policies.js | 77 +++++++++++++++++++++++
.github/workflows/generate_policies.yml | 56 +++++++++++++++++
2 files changed, 133 insertions(+)
create mode 100644 .github/scripts/generate-scan-policies.js
create mode 100644 .github/workflows/generate_policies.yml
diff --git a/.github/scripts/generate-scan-policies.js b/.github/scripts/generate-scan-policies.js
new file mode 100644
index 00000000000..aa10707d723
--- /dev/null
+++ b/.github/scripts/generate-scan-policies.js
@@ -0,0 +1,77 @@
+// This is a ZAP standalone script - it will only run in ZAP.
+// It generates the scan policies for https://github.com/zaproxy/zap-extensions/tree/main/addOns/scanpolicies etc
+// The policies are created after starting a ZAP weekly release with the '-addoninstall ascanrulesAlpha' option.
+
+var FileWriter = Java.type("java.io.FileWriter");
+var PrintWriter = Java.type("java.io.PrintWriter");
+var PolicyTag = Java.type("org.zaproxy.addon.commonlib.PolicyTag");
+var activeScanScript = Java.type(
+ "org.zaproxy.zap.extension.scripts.scanrules.ScriptsActiveScanner"
+);
+var StringEscapeUtils = Java.type("org.apache.commons.text.StringEscapeUtils");
+
+var extAscan = control
+ .getExtensionLoader()
+ .getExtension(org.zaproxy.zap.extension.ascan.ExtensionActiveScan.NAME);
+
+var plugins = extAscan
+ .getPolicyManager()
+ .getDefaultScanPolicy()
+ .getPluginFactory()
+ .getAllPlugin()
+ .toArray()
+ .sort(function (a, b) {
+ return a.getId() - b.getId();
+ });
+
+var INDENT = " ";
+for (var idx = 0; idx < PolicyTag.values().length; idx++) {
+ var currentTag = PolicyTag.values()[idx];
+ var policyFilePath =
+ "/zap/wrk/zap-extensions/addOns/XXXXX/src/main/zapHomeFiles/policies/".replace(
+ "XXXXX",
+ currentTag.getAddonId()
+ ) + currentTag.getFileName();
+ print(policyFilePath);
+ // Create the policy
+ var fw = new FileWriter(policyFilePath);
+ var pw = new PrintWriter(fw);
+ pw.println('');
+ pw.println("");
+ pw.println(
+ INDENT +
+ "" + StringEscapeUtils.escapeXml11(currentTag.getPolicyName()) +
+ ""
+ );
+ pw.println(INDENT + "");
+ pw.println(INDENT.repeat(2) + "OFF");
+ pw.println(INDENT.repeat(2) + "MEDIUM");
+ pw.println(INDENT + "");
+ pw.println(INDENT + "");
+
+ for (var i = 0; i < plugins.length; i++) {
+ try {
+ if (
+ plugins[i].getAlertTags() != null &&
+ plugins[i].getAlertTags().keySet().contains(currentTag.getTag())
+ ) {
+ pw.println(INDENT.repeat(2) + "");
+ pw.println(
+ INDENT.repeat(3) +
+ "" +
StringEscapeUtils.escapeXml11(plugins[i].getName()) +
+ ""
+ );
+ pw.println(INDENT.repeat(3) + "true");
+ pw.println(INDENT.repeat(3) + "MEDIUM");
+ pw.println(INDENT.repeat(2) + "");
+ }
+ } catch (e) {
+ print(e);
+ }
+ }
+ pw.println(INDENT + "");
+ pw.println("");
+ pw.close();
+}
diff --git a/.github/workflows/generate_policies.yml b/.github/workflows/generate_policies.yml
new file mode 100644
index 00000000000..4fc4c54c991
--- /dev/null
+++ b/.github/workflows/generate_policies.yml
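Review bot: The `catch (e) { print(e); }` inside the plugin loop only logs and continues, so a plugin whose `getAlertTags()` or `getName()` throws is silently left out of the policy that is still written, uploaded and, by the workflow in this same patch, committed and opened as a PR, where a missing rule would look like a deliberate tag change. Count the failures and make the run fail (or at least emit a marker the workflow can check) instead of publishing a partial policy: `var failures = 0;` before the outer loop, `failures++;` next to `print(e);`, and `if (failures > 0) throw new Error(failures + " plugin(s) could not be processed");` after it. `pw.close()` is likewise not in a `finally`, so a throw from any `pw.println`, or from `new FileWriter(policyFilePath)` when an add-on's policies directory does not exist, leaves the writer open and aborts all remaining tags. `activeScanScript` is assigned near the top of the file and never referenced in the hunk, so it can be dropped.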
@@ -0,0 +1,56 @@
+name: Generate Scan Policies from Policy Tags
+on:
+ schedule: # The start of every Friday
+ - cron: '0 0 * * 5'
+ workflow_dispatch:
+
+permissions:
+ contents: write
+ pull-requests: write
+
+jobs:
+ update-policies:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ with:
+ persist-credentials: false
+ path: zap-extensions
+ fetch-depth: 0
+ - name: Create Policies
+ run: |
+ # Run the ZAP script
+ docker run -v $(pwd):/zap/wrk/:rw --user root -t ghcr.io/zaproxy/zaproxy:nightly ./zap.sh -addoninstall ascanrulesAlpha -silent -script /zap/wrk/zap-extensions/.github/scripts/generate-scan-policies.js -cmd
+ - name: Attach Policies
+ uses: actions/upload-artifact@v4
+ with:
+ name: Policies
+ path: 'zap-extensions/addOns/scanpolicies/src/main/zapHomeFiles/policies/*.policy'
+ - name: Update Scan Policies
+ run: |
+ export BASE=$(pwd)
+ # Setup git details
+ export GITHUB_USER=zapbot
+ git config --global user.email "12745184+zapbot@users.noreply.github.com"
+ git config --global user.name $GITHUB_USER
+ BRANCH=scan-policies-updt
+ cd zap-extensions
+ git remote remove origin
+ git remote add origin https://github.com/zapbot/zap-extensions.git
+ git remote add upstream https://github.com/zaproxy/zap-extensions.git
+ SRC_BASE="zaproxy/zap-extensions@"$(git log -1 --format=format:%h)
+ export GITHUB_TOKEN=${{ secrets.ZAPBOT_TOKEN }}
+ git checkout -b $BRANCH
+ # Update the index to be sure git is aware of changes
+ git update-index -q --refresh
+ git add .
+ ## If there are changes: comment, commit, PR
+ if ! git diff-index --quiet HEAD --; then
+ ./gradlew :addOns:scanpolicies:updateChangelog --change="- Updated based on Rules' Policy Tag assignments."
+ git remote set-url origin https://$GITHUB_USER:$GITHUB_TOKEN@github.com/$GITHUB_USER/zap-extensions.git
+ git add .
+ git commit -m " Update scan policies based on Tags" -m "Updates based on $SRC_BASE" --signoff
+ git push --set-upstream origin $BRANCH --force
+ gh pr create -R zaproxy/zap-extensions --fill
+ fi
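Review bot: The workflow-level `permissions:` grants `contents: write` and `pull-requests: write` to the job's default GITHUB_TOKEN, yet nothing in the job appears to use that token: checkout sets `persist-credentials: false`, the push goes to the zapbot fork over a URL that embeds `secrets.ZAPBOT_TOKEN`, and `gh pr create` reads the exported `GITHUB_TOKEN`, which has been overwritten with the same PAT. If that holds, `permissions:` / `  contents: read` is sufficient and keeps write access away from a job that runs a script out of the mounted checkout as `--user root` under the mutable `:nightly` image. Separately, `git remote set-url origin https://$GITHUB_USER:$GITHUB_TOKEN@github.com/...` stores the PAT in `zap-extensions/.git/config` for the rest of the step; a credential helper or an `http.extraheader` config passed only to the `git push` invocation keeps it off disk (note that `gh pr create --fill` currently relies on the tracking remote set by `--set-upstream`, so keep that when changing the push). Pinning `actions/checkout@v4` and `actions/upload-artifact@v4` to full commit SHAs with a version comment is the usual hardening for a workflow that holds a push-capable token.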