Skip to content

Commit

Permalink
scanpolicies: Add workflow/script to generate updates based on rule tags
Browse files Browse the repository at this point in the history
- generate-scan-policies.js > ZAP standalone script to be used by a
nightly docker image to craft the scan policies.
- generate_policies.yml > The new workflow. Triggered by cron every
Friday morning or manually via workflow_dispatch.

Signed-off-by: kingthorin <kingthorin@users.noreply.github.com>
  • Loading branch information
kingthorin committed Nov 29, 2024
1 parent 0f34317 commit c228432
Show file tree
Hide file tree
Showing 2 changed files with 126 additions and 0 deletions.
70 changes: 70 additions & 0 deletions .github/scripts/generate-scan-policies.js
Original file line number Diff line number Diff line change
@@ -0,0 +1,70 @@
// This is a ZAP standalone script - it will only run in ZAP.
// It generates the scan policies for https://github.com/zaproxy/zap-extensions/tree/main/addOns/scanpolicies etc
// The policies are created after starting a ZAP weekly release with the '-addoninstall ascanrulesAlpha' option.

var FileWriter = Java.type("java.io.FileWriter");
var PrintWriter = Java.type("java.io.PrintWriter");
var PolicyTag = Java.type("org.zaproxy.addon.commonlib.PolicyTag");
var activeScanScript = Java.type(
"org.zaproxy.zap.extension.scripts.scanrules.ScriptsActiveScanner"
);
var extAscan = control
.getExtensionLoader()
.getExtension(org.zaproxy.zap.extension.ascan.ExtensionActiveScan.NAME);

var plugins = extAscan
.getPolicyManager()
.getDefaultScanPolicy()
.getPluginFactory()
.getAllPlugin()
.toArray()
.sort(function (a, b) {
return a.getId() - b.getId();
});

var INDENT = " ";
for (var idx = 0; idx < PolicyTag.values().length; idx++) {
var currentTag = PolicyTag.values()[idx];
var policyFilePath =
"/zap/wrk/zap-extensions/addOns/XXXXX/src/main/zapHomeFiles/policies/".replace(
"XXXXX",
currentTag.getAddonId()
) + currentTag.getFileName();
print(policyFilePath);
// Create the policy
var fw = new FileWriter(policyFilePath);
var pw = new PrintWriter(fw);
pw.println('<?xml version="1.0" encoding="UTF-8" standalone="no"?>');
pw.println("<configuration>");
pw.println(INDENT + "<policy>" + currentTag.getPolicyName() + "</policy>");
pw.println(INDENT + "<scanner>");
pw.println(INDENT.repeat(2) + "<level>OFF</level>");
pw.println(INDENT.repeat(2) + "<strength>MEDIUM</strength>");
pw.println(INDENT + "</scanner>");
pw.println(INDENT + "<plugins>");

for (var i = 0; i < plugins.length; i++) {
try {
if (
plugins[i].getAlertTags() != null &&
plugins[i]
.getAlertTags()
.keySet()
.contains(currentTag.getTag())
) {
pw.println(INDENT.repeat(2) + "<p" + plugins[i].getId() + ">");
pw.println(
INDENT.repeat(3) + "<name>" + plugins[i].getName() + "</name>"
);
pw.println(INDENT.repeat(3) + "<enabled>true</enabled>");
pw.println(INDENT.repeat(3) + "<level>MEDIUM</level>");
pw.println(INDENT.repeat(2) + "</p" + plugins[i].getId() + ">");
}
} catch (e) {
print(e);
}
}
pw.println(INDENT + "</plugins>");
pw.println("</configuration>");
pw.close();
}
56 changes: 56 additions & 0 deletions .github/workflows/generate_policies.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,56 @@
name: Generate Scan Policies from Policy Tags
on:
schedule: # The start of every Friday
- cron: '0 0 * * 5'
workflow_dispatch:

permissions:
contents: write
pull-requests: write

jobs:
update-policies:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
with:
persist-credentials: false
path: zap-extensions
fetch-depth: 0
- name: Create Policies
run: |
# Run the ZAP script
docker run -v $(pwd):/zap/wrk/:rw --user root -t ghcr.io/zaproxy/zaproxy:nightly ./zap.sh -addoninstall ascanrulesAlpha -silent -script /zap/wrk/zap-extensions/.github/scripts/generate-scan-policies.js -cmd
- name: Attach Policies
uses: actions/upload-artifact@v4
with:
name: Policies
path: 'zap-extensions/addOns/scanpolicies/src/main/zapHomeFiles/policies/*.policy'
- name: Update Scan Policies
run: |
export BASE=$(pwd)
# Setup git details
export GITHUB_USER=zapbot
git config --global user.email "12745184+zapbot@users.noreply.github.com"
git config --global user.name $GITHUB_USER
BRANCH=scan-policies-updt
cd zap-extensions
git remote remove origin
git remote add origin https://github.com/zapbot/zap-extensions.git
git remote add upstream https://github.com/zaproxy/zap-extensions.git
SRC_BASE="zaproxy/zap-extensions@"$(git log -1 --format=format:%h)
export GITHUB_TOKEN=${{ secrets.ZAPBOT_TOKEN }}
git checkout -b $BRANCH
# Update the index to be sure git is aware of changes
git update-index -q --refresh
git add .
## If there are changes: comment, commit, PR
if ! git diff-index --quiet HEAD --; then
./gradlew :addOns:scanpolicies:updateChangelog --change="- Updated based on Rules' Policy Tag assignments."
git remote set-url origin https://$GITHUB_USER:$GITHUB_TOKEN@github.com/$GITHUB_USER/zap-extensions.git
git add .
git commit -m " Update scan policies based on Tags" -m "Updates based on $SRC_BASE" --signoff
git push --set-upstream origin $BRANCH --force
gh pr create -R zaproxy/zap-extensions --fill
fi

0 comments on commit c228432

Please sign in to comment.