From dbeea200615ac6c86d5efbee1185e0d19aa4bf6c Mon Sep 17 00:00:00 2001
From: kingthorin
Date: Mon, 9 Dec 2024 10:05:42 -0500
Subject: [PATCH] tech detection & retire: Replace usage of CWE-200

- CHANGELOGs > Add note.
- Rules > Changed or dropped CWE.
- Unit Tests > Updated for the new or removed CWEs.

Signed-off-by: kingthorin
---
 addOns/retire/CHANGELOG.md | 1 +
 .../main/java/org/zaproxy/addon/retire/RetireScanRule.java | 2 +-
 .../java/org/zaproxy/addon/retire/RetireScanRuleUnitTest.java | 2 ++
 addOns/wappalyzer/CHANGELOG.md | 1 +
 .../zaproxy/zap/extension/wappalyzer/TechPassiveScanner.java | 1 -
 .../zap/extension/wappalyzer/TechPassiveScannerUnitTest.java | 4 ----
 6 files changed, 5 insertions(+), 6 deletions(-)

diff --git a/addOns/retire/CHANGELOG.md b/addOns/retire/CHANGELOG.md
index 358aa8f7e9d..d007710bf00 100644
--- a/addOns/retire/CHANGELOG.md
+++ b/addOns/retire/CHANGELOG.md
@@ -6,6 +6,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 ## Unreleased
 ### Changed
 - Update minimum ZAP version to 2.16.0.
+- The scan rule now uses a more specific CWE (Issue 8732).
 
 ## [0.42.0] - 2024-11-25
 ### Changed
diff --git a/addOns/retire/src/main/java/org/zaproxy/addon/retire/RetireScanRule.java b/addOns/retire/src/main/java/org/zaproxy/addon/retire/RetireScanRule.java
index a048fb9f256..95fdec64782 100644
--- a/addOns/retire/src/main/java/org/zaproxy/addon/retire/RetireScanRule.java
+++ b/addOns/retire/src/main/java/org/zaproxy/addon/retire/RetireScanRule.java
@@ -109,7 +109,7 @@ private AlertBuilder buildAlert(Result result, String otherInfo) {
 .setReference(getDetails(result.getInformation().getInfo()))
 .setSolution(Constant.messages.getString("retire.rule.soln", result.getFilename()))
 .setEvidence(result.getEvidence().trim())
- .setCweId(829); // CWE-829: Inclusion of Functionality from Untrusted Control Sphere
+ .setCweId(1395); // CWE-1395: Dependency on Vulnerable Third-Party Component
 }
 
 @Override
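Review bot: The new CWE on the `.setCweId(1395)` line is a bare literal explained only by a trailing comment, and the accompanying unit test repeats the same literal, so the mapping has no single definition in the rule; a named constant keeps the CWE name next to its value and gives the test something to reference: `private static final int CWE_ID = 1395; // CWE-1395: Dependency on Vulnerable Third-Party Component` and `.setCweId(CWE_ID);`. buildAlert's body begins before the hunk, so I cannot see whether the class already keeps constants for its other alert fields. Downstream consumers that group or filter alerts by CWE will see this rule move from CWE-829 to CWE-1395, so the changelog entry in this commit is the right place to call that out.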
diff --git a/addOns/retire/src/test/java/org/zaproxy/addon/retire/RetireScanRuleUnitTest.java b/addOns/retire/src/test/java/org/zaproxy/addon/retire/RetireScanRuleUnitTest.java
index c49a0d20751..0e139b91a59 100644
--- a/addOns/retire/src/test/java/org/zaproxy/addon/retire/RetireScanRuleUnitTest.java
+++ b/addOns/retire/src/test/java/org/zaproxy/addon/retire/RetireScanRuleUnitTest.java
@@ -225,7 +225,9 @@ void shouldNotRaiseAlertOnDontCheckUrl() {
 void shouldReturnExpectedMappings() {
 // Given / When
 Map tags = rule.getAlertTags();
+ int cweId = rule.getExampleAlerts().get(0).getCweId();
 // Then
+ assertThat(cweId, is(equalTo(1395)));
 assertThat(tags.size(), is(equalTo(2)));
 assertThat(
 tags.containsKey(CommonAlertTag.OWASP_2021_A06_VULN_COMP.getTag()),
diff --git a/addOns/wappalyzer/CHANGELOG.md b/addOns/wappalyzer/CHANGELOG.md
index 871a539f952..0cd6f95eb97 100644
--- a/addOns/wappalyzer/CHANGELOG.md
+++ b/addOns/wappalyzer/CHANGELOG.md
@@ -7,6 +7,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 ### Changed
 - Update minimum ZAP version to 2.16.0.
 - Depend on Passive Scanner add-on (Issue 7959).
+- The scan rule no longer sets a CWE for alerts (Issue 8733).
 
 ## [21.43.0] - 2024-11-25
 ### Changed
diff --git a/addOns/wappalyzer/src/main/java/org/zaproxy/zap/extension/wappalyzer/TechPassiveScanner.java b/addOns/wappalyzer/src/main/java/org/zaproxy/zap/extension/wappalyzer/TechPassiveScanner.java
index 955c198fe42..8b7bbe087bc 100644
--- a/addOns/wappalyzer/src/main/java/org/zaproxy/zap/extension/wappalyzer/TechPassiveScanner.java
+++ b/addOns/wappalyzer/src/main/java/org/zaproxy/zap/extension/wappalyzer/TechPassiveScanner.java
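Review bot: `rule.getExampleAlerts().get(0).getCweId()` on the added line assumes the rule publishes at least one example alert; if that list is ever empty the test dies with an IndexOutOfBoundsException instead of a readable assertion failure. Consider asserting the size first, `assertThat(rule.getExampleAlerts().size(), is(equalTo(1)));`, or moving the CWE check into its own test such as `shouldHaveExpectedCweId` so a failure points at the CWE mapping rather than at a test named for tag mappings. The test method continues past the end of the hunk.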
@@ -433,7 +433,6 @@ Builder createAlert(String url, ApplicationMatch appMatch) {
 .setConfidence(Alert.CONFIDENCE_MEDIUM)
 .setUri(url)
 .setDescription(getDesc(app))
- .setCweId(200)
 .setWascId(13);
 if (!appMatch.getEvidences().isEmpty()) {
 builder.setEvidence(appMatch.getEvidences().stream().findFirst().get());
diff --git a/addOns/wappalyzer/src/test/java/org/zaproxy/zap/extension/wappalyzer/TechPassiveScannerUnitTest.java b/addOns/wappalyzer/src/test/java/org/zaproxy/zap/extension/wappalyzer/TechPassiveScannerUnitTest.java
index 7f9f6d8dcfc..3867891e780 100644
--- a/addOns/wappalyzer/src/test/java/org/zaproxy/zap/extension/wappalyzer/TechPassiveScannerUnitTest.java
+++ b/addOns/wappalyzer/src/test/java/org/zaproxy/zap/extension/wappalyzer/TechPassiveScannerUnitTest.java
@@ -635,7 +635,6 @@ void shouldHaveCpeAndVersionInAlertIfAvailable() throws HttpMalformedHeaderExcep
 "The following CPE is associated with the identified tech: cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*\n"
 + "The following version(s) is/are associated with the identified tech: 2.4.7")));
 assertThat(alert.getWascId(), is(equalTo(13)));
- assertThat(alert.getCweId(), is(equalTo(200)));
 }
 
 @Test
@@ -654,7 +653,6 @@ void shouldNotHaveCpeAndVersionInAlertIfNotAvailablet()
 assertThat(alert.getOtherInfo(), is(equalTo("")));
 assertThat(alert.getReference(), is(equalTo("")));
 assertThat(alert.getWascId(), is(equalTo(13)));
- assertThat(alert.getCweId(), is(equalTo(200)));
 }
 
 @Test
@@ -673,7 +671,6 @@ void shouldHaveRefInAlertIfWebsiteAvailable() throws HttpMalformedHeaderExceptio
 assertThat(alert.getOtherInfo(), is(equalTo("")));
 assertThat(alert.getReference(), is(equalTo("https://httpd.apache.org")));
 assertThat(alert.getWascId(), is(equalTo(13)));
- assertThat(alert.getCweId(), is(equalTo(200)));
 }
 
 @Test
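Review bot: Removing `.setCweId(200)` leaves the alert with whatever CWE the builder defaults to, while the `.setWascId(13)` call kept directly below still classifies the same alert as WASC-13 Information Leakage, which is the classification the dropped CWE-200 expressed; keeping one and dropping the other reads as inconsistent. If the intent is that technology detection is informational rather than a weakness, the WASC id deserves the same review, and a comment on the builder chain such as `// Informational finding: no CWE is set (Issue 8733)` would record the decision for the next reader. I cannot see the builder's default CWE value from the hunk, so whether reports render the field as unknown or omit it needs confirming. createAlert starts before the hunk and continues after it.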
@@ -699,7 +696,6 @@ void shouldHaveExpectedExampleAlert() {
 "The following CPE is associated with the identified tech: cpe:2.3:a:example_vendor:example_software:55.4.3:*:*:*:*:*:*:*\n"
 + "The following version(s) is/are associated with the identified tech: 55.4.3")));
 assertThat(alert.getWascId(), is(equalTo(13)));
- assertThat(alert.getCweId(), is(equalTo(200)));
 }
 }
 }