PA-9115 disable rules specifically for each mode (#65)

soos-io · Apr 17, 2023 · 6239526 · 6239526
1 parent 52d8ca5
commit 6239526
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 7 deletions.
diff --git a/VERSION.txt b/VERSION.txt
@@ -1 +1 @@
-1.0.26
+1.0.27
diff --git a/helpers/configuration.py b/helpers/configuration.py
@@ -68,7 +68,7 @@ def load_config(self, extra_zap_params):
             self.header = os.environ.get('CUSTOM_HEADER') or EMPTY_STRING
             self.oauth_token_url = os.environ.get('OAUTH_TOKEN_URL') or EMPTY_STRING
             self.oauth_parameters = self._get_hook_param_list(os.environ.get('OAUTH_PARAMETERS')) or EMPTY_STRING
-            self.disable_rules = self._get_hook_param_list(os.environ.get('DISABLE_RULES')) or EMPTY_STRING
+            self.disable_rules = self._get_hook_param_list(os.environ.get('DISABLE_RULES')) or None
 
         except Exception as error:
             log(f"error in start_docker_zap: {traceback.print_exc()}", log_level=LogLevel.ERROR)

diff --git a/hooks/soos_dast_hook.py b/hooks/soos_dast_hook.py
@@ -6,6 +6,7 @@
 import sys
 import traceback
 from helpers.utils import log, exit_app
+from typing import List
 
 config = DASTConfig()
 
@@ -29,9 +30,13 @@ def zap_started(zap, target):
             target = target[0:target.index('/', 8) + 1]
 
         zap.ascan.update_scan_policy(scanpolicyname=Constants.ZAP_ACTIVE_SCAN_POLICY_NAME, attackstrength="LOW")
-        log(f"disabled rules: {config.disable_rules}")
-        zap.pscan.disable_scanners(','.join(config.disable_rules))
-        zap.ascan.disable_scanners(','.join(config.disable_rules), Constants.ZAP_ACTIVE_SCAN_POLICY_NAME)
+
+        if config.disable_rules:
+            pscan_disabled_rules = set(config.disable_rules).intersection(set(_all_passive_scanner_rules(zap)))
+            ascan_disabled_rules = set(config.disable_rules).intersection(set(_all_active_scanner_rules(zap, Constants.ZAP_ACTIVE_SCAN_POLICY_NAME)))
+            zap.pscan.disable_scanners(','.join(pscan_disabled_rules))
+            zap.ascan.disable_scanners(','.join(ascan_disabled_rules), Constants.ZAP_ACTIVE_SCAN_POLICY_NAME)
+            log(f"disabled rules: {config.disable_rules}")
 
         auth = DASTAuth(config)
         auth.authenticate(zap, target)
@@ -43,10 +48,13 @@ def zap_started(zap, target):
 
     return zap, target
 
-
 def zap_pre_shutdown(zap):
     log("Overview of spidered URL's:")
     with open('spidered_urls.txt', 'w') as f:
         for url in zap.spider.all_urls:
             f.write(f"{url}\n")
-            log(f"found: {url}")
+            log(f"found: {url}")
+
+def _all_active_scanner_rules(zap, policy_name) -> List[str]: return [scanner['id'] for scanner in zap.ascan.scanners(policy_name)]
+
+def _all_passive_scanner_rules(zap) -> List[str]: return [scanner['id'] for scanner in zap.pscan.scanners]