PA-9115 Rule filtering (#63)

* PA-9115 Rule filtering

* added new param to readme

* PA-9150 Clean up of hook params / fix auth with fullscan

* removed code from next pr

* final clenaup

* add version

* added note

* Update helpers/constants.py

Co-authored-by: SOOS-GSteen <gsteen@soos.io>

---------

Co-authored-by: SOOS-GSteen <gsteen@soos.io>

README.md

@@ -80,7 +80,8 @@ The basic command to run a baseline scan would look like:
 | `--sarifDestination` | None | SARIF destination to upload report in the form of <repo_owner>/<repo_name> |
 | `--sarif` | None | DEPRECATED - SARIF parameter is currently deprecated, please use --outputFormat='sarif' instead |
 | `--oauthTokenUrl` | None | The authentication URL that grants the access_token. |
-| `--oauthParameters` | None | Parameters to be added to the oauth token request. (eg --oauthParameters="client_id:clientID, client_secret:clientSecret, grant_type:client_credentials") |
+| `--oauthParameters` | None | Parameters to be added to the oauth token request. (eg --oauthParameters="client_id:clientID, client_secret:clientSecret, grant_type:client_credentials")
+| `--disableRules` | None | Comma separated list of ZAP rules IDs to disable. List for reference https://www.zaproxy.org/docs/alerts/ |
 
 #### Config File Definition
 ``` yaml

VERSION.txt

@@ -1 +1 @@
-1.0.25
+1.0.26

helpers/configuration.py

@@ -33,6 +33,7 @@ class DASTConfig:
     header: Optional[str] = None
     oauth_token_url: Optional[str] = None
     oauth_parameters: Optional[str] = None
+    disable_rules: Optional[str] = None
 
     def __init__(self):
         self.extra_zap_params = None
@@ -67,6 +68,7 @@ def load_config(self, extra_zap_params):
             self.header = os.environ.get('CUSTOM_HEADER') or EMPTY_STRING
             self.oauth_token_url = os.environ.get('OAUTH_TOKEN_URL') or EMPTY_STRING
             self.oauth_parameters = self._get_hook_param_list(os.environ.get('OAUTH_PARAMETERS')) or EMPTY_STRING
+            self.disable_rules = self._get_hook_param_list(os.environ.get('DISABLE_RULES')) or EMPTY_STRING
 
         except Exception as error:
             log(f"error in start_docker_zap: {traceback.print_exc()}", log_level=LogLevel.ERROR)

helpers/constants.py

@@ -55,6 +55,8 @@
 ZAP_JSON_REPORT_OPTION = "-J"
 ZAP_OTHER_OPTIONS = "-z"
 ZAP_HOOK_OPTION = "--hook"
+# NOTE: ZAP, when performing a 'fullscan', creates a policy called "Default Policy" - it's needed to specify that name in order to change the scan rules.
+ZAP_ACTIVE_SCAN_POLICY_NAME = "Default Policy"
 URI_START_DAST_ANALYSIS_TEMPLATE = (
     "{soos_base_uri}clients/{soos_client_id}/dast-tools/{soos_dast_tool}/analysis"
 )

hooks/soos_dast_hook.py

@@ -2,6 +2,7 @@
 from helpers.configuration import DASTConfig
 import helpers.custom_cookies as cookies
 import helpers.custom_headers as headers
+import helpers.constants as Constants
 import sys
 import traceback
 from helpers.utils import log, exit_app
@@ -27,12 +28,13 @@ def zap_started(zap, target):
             # The url can include a valid path, but always reset to spider the host
             target = target[0:target.index('/', 8) + 1]
 
-        scan_policy = 'Default Policy'
-        zap.ascan.update_scan_policy(scanpolicyname=scan_policy, attackstrength="LOW")
+        zap.ascan.update_scan_policy(scanpolicyname=Constants.ZAP_ACTIVE_SCAN_POLICY_NAME, attackstrength="LOW")
+        log(f"disabled rules: {config.disable_rules}")
+        zap.pscan.disable_scanners(','.join(config.disable_rules))
+        zap.ascan.disable_scanners(','.join(config.disable_rules), Constants.ZAP_ACTIVE_SCAN_POLICY_NAME)
 
         auth = DASTAuth(config)
         auth.authenticate(zap, target)
-        log(f"checking cookies request")
         cookies.load(config, zap)
         headers.load(config, zap)
     except Exception:

main.py

@@ -110,6 +110,7 @@ def __init__(self):
         self.github_pat: Optional[str] = None
         self.checkout_dir: Optional[str] = None
         self.sarif_destination: Optional[str] = None
+        self.disable_rules: Optional[str] = None
 
         self.scan_mode_map: Dict = {
             Constants.BASELINE: self.baseline_scan,
@@ -266,6 +267,8 @@ def parse_configuration(self, configuration: Dict, target_url: str):
                 sys.exit(1)
             elif key == "updateAddons":
                 self.update_addons = True if str.lower(value) == "true" else False
+            elif key == "disableRules":
+                self.disable_rules = array_to_str(value)
 
     def __add_target_url_option__(self, args: List[str]) -> NoReturn:
         if has_value(self.target_url):
@@ -347,6 +350,8 @@ def __add_hook_params__(self) -> None:
             os.environ['OAUTH_TOKEN_URL'] = self.oauth_token_url
         if self.oauth_parameters is not None:
             os.environ['OAUTH_PARAMETERS'] = self.oauth_parameters
+        if self.disable_rules is not None:
+            os.environ['DISABLE_RULES'] = self.disable_rules
 
     def __add_hook_option__(self, args: List[str]) -> None:
         args.append(Constants.ZAP_HOOK_OPTION)
@@ -365,7 +370,7 @@ def __generate_command__(self, args: List[str]) -> str:
         log(f"Github PAT: {str(self.github_pat)}")
         if (self.auth_login_url or self.zap_options or self.request_cookies is not None or
             self.request_header is not None or self.auth_bearer_token is not None or
-            self.oauth_token_url is not None):
+            self.oauth_token_url is not None or self.disable_rules is not None):
             self.__add_hook_params__()
 
         self.__add_hook_option__(args)
@@ -953,6 +958,13 @@ def parse_args(self) -> None:
             default="False",
             required=False
         )
+        parser.add_argument(
+            "--disableRules",
+            help="Comma separated list of ZAP rules IDs to disable. List for reference https://www.zaproxy.org/docs/alerts/",
+            nargs="*",
+            default=None,
+            required=False
+        )
 
         # parse help argument
         if "-hf" in sys.argv or "--helpFormatted" in sys.argv: