tech detection & retire: Remove usage of CWE-200 and update other CWE #6001

Merged
merged 1 commit into from
Dec 13, 2024
1 change: 1 addition & 0 deletions addOns/retire/CHANGELOG.md
Expand Up @@ -6,6 +6,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
## Unreleased
### Changed
- Update minimum ZAP version to 2.16.0.
- The scan rule now uses a more specific CWE (Issue 8732).

## [0.42.0] - 2024-11-25
### Changed
Expand Up @@ -109,7 +109,7 @@ private AlertBuilder buildAlert(Result result, String otherInfo) {
.setReference(getDetails(result.getInformation().getInfo()))
.setSolution(Constant.messages.getString("retire.rule.soln", result.getFilename()))
.setEvidence(result.getEvidence().trim())
.setCweId(829); // CWE-829: Inclusion of Functionality from Untrusted Control Sphere
.setCweId(1395); // CWE-1395: Dependency on Vulnerable Third-Party Component
}

@Override
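Review bot: The new id at `.setCweId(1395)` is a bare literal that the test file now repeats in shouldReturnExpectedMappings, so the next remap has to be made in two places; a `private static final int CWE_ID = 1395; // CWE-1395: Dependency on Vulnerable Third-Party Component` referenced as `.setCweId(CWE_ID)` keeps the number and its explanatory comment together. CWE-1395 is also a comparatively recent entry in the CWE catalogue (added in 4.13, if I recall correctly), so downstream consumers that map alerts against an older CWE list may not resolve it; the changelog line "now uses a more specific CWE" could name the id and that caveat. buildAlert starts and ends outside the hunk.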
Expand Up @@ -225,7 +225,9 @@ void shouldNotRaiseAlertOnDontCheckUrl() {
void shouldReturnExpectedMappings() {
// Given / When
Map<String, String> tags = rule.getAlertTags();
int cweId = rule.getExampleAlerts().get(0).getCweId();
// Then
assertThat(cweId, is(equalTo(1395)));
assertThat(tags.size(), is(equalTo(2)));
assertThat(
tags.containsKey(CommonAlertTag.OWASP_2021_A06_VULN_COMP.getTag()),
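Review bot: `rule.getExampleAlerts().get(0).getCweId()` pins the CWE of only the first example alert, so if the rule ever returns more than one example the rest go unchecked, and an empty list fails with an IndexOutOfBoundsException instead of an assertion message; iterating the list, `for (Alert a : rule.getExampleAlerts()) { assertThat(a.getCweId(), is(equalTo(1395))); }`, asserts the mapping for every example. The test method's closing lines are outside the hunk.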
1 change: 1 addition & 0 deletions addOns/wappalyzer/CHANGELOG.md
Expand Up @@ -7,6 +7,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
### Changed
- Update minimum ZAP version to 2.16.0.
- Depend on Passive Scanner add-on (Issue 7959).
- The scan rule no longer sets a CWE for alerts (Issue 8733).

## [21.43.0] - 2024-11-25
### Changed
Expand Up @@ -433,7 +433,6 @@ Builder createAlert(String url, ApplicationMatch appMatch) {
.setConfidence(Alert.CONFIDENCE_MEDIUM)
.setUri(url)
.setDescription(getDesc(app))
.setCweId(200)
.setWascId(13);
if (!appMatch.getEvidences().isEmpty()) {
builder.setEvidence(appMatch.getEvidences().stream().findFirst().get());
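Review bot: The builder still sets `.setWascId(13)` (WASC-13, Information Leakage) while the `.setCweId(200)` line directly above it is dropped; both classify the same information-disclosure notion, so if tech detection is no longer regarded as an information-exposure finding the WASC id looks inconsistent to keep, and if it still is, the two taxonomies now disagree — either drop both or say in the changelog why only the CWE goes. With no CWE set the alert carries whatever unset value the builder defaults to, and none of the visible lines shows what that is. createAlert starts and ends outside the hunk.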
Expand Up @@ -635,7 +635,6 @@ void shouldHaveCpeAndVersionInAlertIfAvailable() throws HttpMalformedHeaderExcep
"The following CPE is associated with the identified tech: cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*\n"
+ "The following version(s) is/are associated with the identified tech: 2.4.7")));
assertThat(alert.getWascId(), is(equalTo(13)));
assertThat(alert.getCweId(), is(equalTo(200)));
}

@Test
Expand All @@ -654,7 +653,6 @@ void shouldNotHaveCpeAndVersionInAlertIfNotAvailablet()
assertThat(alert.getOtherInfo(), is(equalTo("")));
assertThat(alert.getReference(), is(equalTo("")));
assertThat(alert.getWascId(), is(equalTo(13)));
assertThat(alert.getCweId(), is(equalTo(200)));
}

@Test
Expand All @@ -673,7 +671,6 @@ void shouldHaveRefInAlertIfWebsiteAvailable() throws HttpMalformedHeaderExceptio
assertThat(alert.getOtherInfo(), is(equalTo("")));
assertThat(alert.getReference(), is(equalTo("https://httpd.apache.org")));
assertThat(alert.getWascId(), is(equalTo(13)));
assertThat(alert.getCweId(), is(equalTo(200)));
}

@Test
Expand All @@ -699,7 +696,6 @@ void shouldHaveExpectedExampleAlert() {
"The following CPE is associated with the identified tech: cpe:2.3:a:example_vendor:example_software:55.4.3:*:*:*:*:*:*:*\n"
+ "The following version(s) is/are associated with the identified tech: 55.4.3")));
assertThat(alert.getWascId(), is(equalTo(13)));
assertThat(alert.getCweId(), is(equalTo(200)));
}
}
}
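Review bot: Each of the four tests only deletes its `assertThat(alert.getCweId(), is(equalTo(200)));` line, so nothing now verifies that the rule actually stopped setting a CWE — re-adding the call would pass this suite unchanged; the same applies to the hunks at shouldNotHaveCpeAndVersionInAlertIfNotAvailablet, shouldHaveRefInAlertIfWebsiteAvailable and shouldHaveExpectedExampleAlert. At least one of them, preferably shouldHaveExpectedExampleAlert, should assert the value an alert has when no CWE was set, `assertThat(alert.getCweId(), is(equalTo(<ALERT_UNSET_CWE_VALUE>)));` with the placeholder filled from Alert's unset default, which the page does not show. Every one of these test methods begins outside its hunk.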