diff --git a/README.md b/README.md
index e0e013f..27a2fa8 100644
--- a/README.md
+++ b/README.md
@@ -80,7 +80,8 @@ The basic command to run a baseline scan would look like:
 | `--sarifDestination` | None | SARIF destination to upload report in the form of / |
 | `--sarif` | None | DEPRECATED - SARIF parameter is currently deprecated, please use --outputFormat='sarif' instead |
 | `--oauthTokenUrl` | None | The authentication URL that grants the access_token. |
-| `--oauthParameters` | None | Parameters to be added to the oauth token request. (eg --oauthParameters="client_id:clientID, client_secret:clientSecret, grant_type:client_credentials") |
+| `--oauthParameters` | None | Parameters to be added to the oauth token request. (eg --oauthParameters="client_id:clientID, client_secret:clientSecret, grant_type:client_credentials")
+| `--disableRules` | None | Comma separated list of ZAP rules IDs to disable. List for reference https://www.zaproxy.org/docs/alerts/ |
 
 #### Config File Definition
 ``` yaml
diff --git a/VERSION.txt b/VERSION.txt
index 4a4127c..7717884 100644
--- a/VERSION.txt
+++ b/VERSION.txt
@@ -1 +1 @@
-1.0.25
+1.0.26
\ No newline at end of file
diff --git a/helpers/configuration.py b/helpers/configuration.py
index 6f3557b..b0daf26 100644
--- a/helpers/configuration.py
+++ b/helpers/configuration.py
@@ -33,6 +33,7 @@ class DASTConfig:
 header: Optional[str] = None
 oauth_token_url: Optional[str] = None
 oauth_parameters: Optional[str] = None
+ disable_rules: Optional[str] = None
 
 def __init__(self):
 self.extra_zap_params = None
@@ -67,6 +68,7 @@ def load_config(self, extra_zap_params):
 self.header = os.environ.get('CUSTOM_HEADER') or EMPTY_STRING
 self.oauth_token_url = os.environ.get('OAUTH_TOKEN_URL') or EMPTY_STRING
 self.oauth_parameters = self._get_hook_param_list(os.environ.get('OAUTH_PARAMETERS')) or EMPTY_STRING
+ self.disable_rules = self._get_hook_param_list(os.environ.get('DISABLE_RULES')) or EMPTY_STRING
 except Exception as error:
 log(f"error in start_docker_zap: {traceback.print_exc()}", log_level=LogLevel.ERROR)
 
diff --git a/helpers/constants.py b/helpers/constants.py
index ec99676..76b6c87 100644
--- a/helpers/constants.py
+++ b/helpers/constants.py
@@ -55,6 +55,8 @@
 ZAP_JSON_REPORT_OPTION = "-J"
 ZAP_OTHER_OPTIONS = "-z"
 ZAP_HOOK_OPTION = "--hook"
+# NOTE: ZAP, when performing a 'fullscan', creates a policy called "Default Policy" - it's needed to specify that name in order to change the scan rules.
+ZAP_ACTIVE_SCAN_POLICY_NAME = "Default Policy"
 URI_START_DAST_ANALYSIS_TEMPLATE = (
 "{soos_base_uri}clients/{soos_client_id}/dast-tools/{soos_dast_tool}/analysis"
 )
diff --git a/hooks/soos_dast_hook.py b/hooks/soos_dast_hook.py
index 93ef10e..6a6e42a 100644
--- a/hooks/soos_dast_hook.py
+++ b/hooks/soos_dast_hook.py
@@ -2,6 +2,7 @@
 from helpers.configuration import DASTConfig
 import helpers.custom_cookies as cookies
 import helpers.custom_headers as headers
+import helpers.constants as Constants
 import sys
 import traceback
 from helpers.utils import log, exit_app
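Review bot: The new `self.disable_rules` assignment stores whatever `_get_hook_param_list` returns (presumably a list, given the helper's name and the `','.join(config.disable_rules)` in the hook), yet the `disable_rules` class attribute added in the previous hunk is annotated `Optional[str]`, and the `or EMPTY_STRING` fallback means an unset `DISABLE_RULES` yields `""` rather than `None`. This mirrors the existing `oauth_parameters` line, so the mismatch is inherited, but a reader of `DASTConfig` will take the annotation at face value. Consider annotating the attribute with the real container type, e.g. `disable_rules: Optional[List[str]] = None` if `List` is imported in that module, and adding a comment that `""` is the "nothing configured" value the hook has to treat as empty. The enclosing `try` of `load_config` starts outside the hunk.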
@@ -27,12 +28,13 @@ def zap_started(zap, target):
 # The url can include a valid path, but always reset to spider the host
 target = target[0:target.index('/', 8) + 1]
 
- scan_policy = 'Default Policy'
- zap.ascan.update_scan_policy(scanpolicyname=scan_policy, attackstrength="LOW")
+ zap.ascan.update_scan_policy(scanpolicyname=Constants.ZAP_ACTIVE_SCAN_POLICY_NAME, attackstrength="LOW")
+ log(f"disabled rules: {config.disable_rules}")
+ zap.pscan.disable_scanners(','.join(config.disable_rules))
+ zap.ascan.disable_scanners(','.join(config.disable_rules), Constants.ZAP_ACTIVE_SCAN_POLICY_NAME)
 
 auth = DASTAuth(config)
 auth.authenticate(zap, target)
- log(f"checking cookies request")
 cookies.load(config, zap)
 headers.load(config, zap)
 except Exception:
diff --git a/main.py b/main.py
index 55f0d9e..bdb44e0 100644
--- a/main.py
+++ b/main.py
@@ -110,6 +110,7 @@ def __init__(self):
 self.github_pat: Optional[str] = None
 self.checkout_dir: Optional[str] = None
 self.sarif_destination: Optional[str] = None
+ self.disable_rules: Optional[str] = None
 
 self.scan_mode_map: Dict = {
 Constants.BASELINE: self.baseline_scan,
@@ -266,6 +267,8 @@ def parse_configuration(self, configuration: Dict, target_url: str):
 sys.exit(1)
 elif key == "updateAddons":
 self.update_addons = True if str.lower(value) == "true" else False
+ elif key == "disableRules":
+ self.disable_rules = array_to_str(value)
 
 def __add_target_url_option__(self, args: List[str]) -> NoReturn:
 if has_value(self.target_url):
@@ -347,6 +350,8 @@ def __add_hook_params__(self) -> None:
 os.environ['OAUTH_TOKEN_URL'] = self.oauth_token_url
 if self.oauth_parameters is not None:
 os.environ['OAUTH_PARAMETERS'] = self.oauth_parameters
+ if self.disable_rules is not None:
+ os.environ['DISABLE_RULES'] = self.disable_rules
 
 def __add_hook_option__(self, args: List[str]) -> None:
 args.append(Constants.ZAP_HOOK_OPTION)
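Review bot: `zap.pscan.disable_scanners` and `zap.ascan.disable_scanners` are now called on every scan even when no rules were configured: `load_config` falls back to `EMPTY_STRING` for `disable_rules`, so `','.join(config.disable_rules)` is `""` and ZAP is asked to disable an empty id list twice per run, while the `disabled rules:` log line is emitted regardless. Guard the three new lines with `if config.disable_rules:` so the API calls and the log entry only happen when rules are really being switched off; since disabling rules reduces scan coverage, that log line is the audit trail for it and should appear only when true. The second positional argument of `ascan.disable_scanners` would read better as `scanpolicyname=Constants.ZAP_ACTIVE_SCAN_POLICY_NAME`, matching the `update_scan_policy` call above it, if the client names that parameter the same way. `zap_started` and its `try` begin before the hunk.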
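Review bot: `os.environ['DISABLE_RULES'] = self.disable_rules` in `__add_hook_params__` requires a `str`; the config-file path guarantees that through `array_to_str(value)` in `parse_configuration`, but the new `--disableRules` option in `parse_args` uses `nargs="*"`, which argparse delivers as a list, and the assignment from the parsed args to `self.disable_rules` is not part of this diff. If that assignment stores the list directly, the env-var line raises `TypeError` on the CLI path only. Worth confirming the CLI path also goes through `array_to_str`, or normalising once here, e.g. `os.environ['DISABLE_RULES'] = array_to_str(self.disable_rules) if isinstance(self.disable_rules, list) else self.disable_rules`.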
@@ -365,7 +370,7 @@ def __generate_command__(self, args: List[str]) -> str:
 log(f"Github PAT: {str(self.github_pat)}")
 if (self.auth_login_url or self.zap_options or self.request_cookies is not None or
 self.request_header is not None or self.auth_bearer_token is not None or
- self.oauth_token_url is not None):
+ self.oauth_token_url is not None or self.disable_rules is not None):
 self.__add_hook_params__()
 self.__add_hook_option__(args)
 
@@ -953,6 +958,13 @@ def parse_args(self) -> None:
 default="False",
 required=False
 )
+ parser.add_argument(
+ "--disableRules",
+ help="Comma separated list of ZAP rules IDs to disable. List for reference https://www.zaproxy.org/docs/alerts/",
+ nargs="*",
+ default=None,
+ required=False
+ )
 
 # parse help argument
 if "-hf" in sys.argv or "--helpFormatted" in sys.argv:
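Review bot: The hook-trigger condition in `__generate_command__` now enumerates six attributes across three continuation lines and must be edited by hand every time a hook parameter is added, which is exactly how a future parameter can be exported to the environment but never reach the hook. A flatter, harder-to-miss form is `hook_inputs = (self.request_cookies, self.request_header, self.auth_bearer_token, self.oauth_token_url, self.disable_rules)` followed by `if self.auth_login_url or self.zap_options or any(v is not None for v in hook_inputs):`, which preserves the plain truthiness test for `auth_login_url` and `zap_options`. The method body continues outside the hunk.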
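Review bot: The `--disableRules` help text promises a "Comma separated list", but `nargs="*"` makes argparse collect whitespace-separated tokens into a list and also accepts a bare `--disableRules` with no IDs, yielding `[]`; whether a single comma-joined token is split on commas is decided by code outside this hunk. Once that is confirmed, the help string should name the form actually honoured, e.g. `help="ZAP scan rule IDs to disable, comma separated (see https://www.zaproxy.org/docs/alerts/)"`, and it is worth deciding whether an empty list should be rejected rather than silently treated as "disable nothing". `parse_args` continues past the end of the hunk.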