tech detection & retire: Replace usage of CWE-200

- CHANGELOGs > Add note. - Rules > Changed or dropped CWE. - Unit Tests > Updated for the new or removed CWEs. Signed-off-by: kingthorin <kingthorin@users.noreply.github.com>
zaproxy · Dec 13, 2024 · dbeea20 · dbeea20
1 parent e89f506
commit dbeea20
Show file tree

Hide file tree

Showing 6 changed files with 5 additions and 6 deletions.
diff --git a/addOns/retire/CHANGELOG.md b/addOns/retire/CHANGELOG.md
@@ -6,6 +6,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 ## Unreleased
 ### Changed
 - Update minimum ZAP version to 2.16.0.
+- The scan rule now uses a more specific CWE (Issue 8732).
 
 ## [0.42.0] - 2024-11-25
 ### Changed

diff --git a/addOns/retire/src/main/java/org/zaproxy/addon/retire/RetireScanRule.java b/addOns/retire/src/main/java/org/zaproxy/addon/retire/RetireScanRule.java
@@ -109,7 +109,7 @@ private AlertBuilder buildAlert(Result result, String otherInfo) {
                 .setReference(getDetails(result.getInformation().getInfo()))
                 .setSolution(Constant.messages.getString("retire.rule.soln", result.getFilename()))
                 .setEvidence(result.getEvidence().trim())
-                .setCweId(829); // CWE-829: Inclusion of Functionality from Untrusted Control Sphere
+                .setCweId(1395); // CWE-1395: Dependency on Vulnerable Third-Party Component
     }
 
     @Override

diff --git a/addOns/retire/src/test/java/org/zaproxy/addon/retire/RetireScanRuleUnitTest.java b/addOns/retire/src/test/java/org/zaproxy/addon/retire/RetireScanRuleUnitTest.java
@@ -225,7 +225,9 @@ void shouldNotRaiseAlertOnDontCheckUrl() {
     void shouldReturnExpectedMappings() {
         // Given / When
         Map<String, String> tags = rule.getAlertTags();
+        int cweId = rule.getExampleAlerts().get(0).getCweId();
         // Then
+        assertThat(cweId, is(equalTo(1395)));
         assertThat(tags.size(), is(equalTo(2)));
         assertThat(
                 tags.containsKey(CommonAlertTag.OWASP_2021_A06_VULN_COMP.getTag()),

diff --git a/addOns/wappalyzer/CHANGELOG.md b/addOns/wappalyzer/CHANGELOG.md
@@ -7,6 +7,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 ### Changed
 - Update minimum ZAP version to 2.16.0.
 - Depend on Passive Scanner add-on (Issue 7959).
+- The scan rule no longer sets a CWE for alerts (Issue 8733).
 
 ## [21.43.0] - 2024-11-25
 ### Changed

diff --git a/addOns/wappalyzer/src/main/java/org/zaproxy/zap/extension/wappalyzer/TechPassiveScanner.java b/addOns/wappalyzer/src/main/java/org/zaproxy/zap/extension/wappalyzer/TechPassiveScanner.java
@@ -433,7 +433,6 @@ Builder createAlert(String url, ApplicationMatch appMatch) {
                 .setConfidence(Alert.CONFIDENCE_MEDIUM)
                 .setUri(url)
                 .setDescription(getDesc(app))
-                .setCweId(200)
                 .setWascId(13);
         if (!appMatch.getEvidences().isEmpty()) {
             builder.setEvidence(appMatch.getEvidences().stream().findFirst().get());

diff --git a/...alyzer/src/test/java/org/zaproxy/zap/extension/wappalyzer/TechPassiveScannerUnitTest.java b/...alyzer/src/test/java/org/zaproxy/zap/extension/wappalyzer/TechPassiveScannerUnitTest.java
@@ -635,7 +635,6 @@ void shouldHaveCpeAndVersionInAlertIfAvailable() throws HttpMalformedHeaderExcep
                                     "The following CPE is associated with the identified tech: cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*\n"
                                             + "The following version(s) is/are associated with the identified tech: 2.4.7")));
             assertThat(alert.getWascId(), is(equalTo(13)));
-            assertThat(alert.getCweId(), is(equalTo(200)));
         }
 
         @Test
@@ -654,7 +653,6 @@ void shouldNotHaveCpeAndVersionInAlertIfNotAvailablet()
             assertThat(alert.getOtherInfo(), is(equalTo("")));
             assertThat(alert.getReference(), is(equalTo("")));
             assertThat(alert.getWascId(), is(equalTo(13)));
-            assertThat(alert.getCweId(), is(equalTo(200)));
         }
 
         @Test
@@ -673,7 +671,6 @@ void shouldHaveRefInAlertIfWebsiteAvailable() throws HttpMalformedHeaderExceptio
             assertThat(alert.getOtherInfo(), is(equalTo("")));
             assertThat(alert.getReference(), is(equalTo("https://httpd.apache.org")));
             assertThat(alert.getWascId(), is(equalTo(13)));
-            assertThat(alert.getCweId(), is(equalTo(200)));
         }
 
         @Test
@@ -699,7 +696,6 @@ void shouldHaveExpectedExampleAlert() {
                                     "The following CPE is associated with the identified tech: cpe:2.3:a:example_vendor:example_software:55.4.3:*:*:*:*:*:*:*\n"
                                             + "The following version(s) is/are associated with the identified tech: 55.4.3")));
             assertThat(alert.getWascId(), is(equalTo(13)));
-            assertThat(alert.getCweId(), is(equalTo(200)));
         }
     }
 }