Alert.xml missing code 30002

[jukkaharkki]

When running Sonar after ZAProxy run there is a warning:
WARNING] The rule ZAProxy:30002 doesn't exist.

There is discussion over this alert in another issue #1558 but probably maintaining alerts has been forgotten since the last alert currently is 30001.

[psiinon]

Thats not an error reported by ZAP, so it could be a Sonar issue.
The latest ZAP alerts file is here https://github.com/zaproxy/zaproxy/blob/develop/src/doc/alerts.xml#L138
That does include 30002
Having said that I couldnt find that number when grepping the ZAP extensions source code.

[thc202]

It's being used by scanner Format String Error.

[jukkaharkki]

Hmm, looking at the alert.xml it definitely is in the header comment but this is the last one as xml definition:
<alertitem> <id>30001</id> <alert>Format string buffer overflow</alert> <desc>By sending a long (over 8192) random string the server appeared to close the connection and causes a 500 error. Manual check this again.</desc> <solution>Check if format string was correctly handled. Restrict maximum field length.</solution> </alertitem>

[psiinon]

Ok, so I failed a grepping :P
I'll be honest - we dont tend to update the XML in that file because we dont use it. And I wasnt aware that anyone else did either!
I expect that there are lots of other alerts that are not in there either.
We should decide whether we want/need to maintain this file and if so how....

[jukkaharkki]

To be honest I'm not too familiar with zaproxy and zaproxy-sonar co-operation to say if that description is essential. Just figured out 1+1 when the warning was there and that description was missing. I assumed that Sonar is getting description of the issue from there.

[psiinon]

It could well be :)
I'll get in touch with Sonar.
Thanks for reporting this.

[psiinon]

Oh, quick question - how are you integrating ZAP in Sonar?
Is it via either of these tools:

• https://github.com/stevespringett/zap-sonar-plugin
• https://github.com/pdsoftplan/sonar-zap

or ??

[jukkaharkki]

Jenkins is running the analyze and storing results to a file using plugin https://wiki.jenkins-ci.org/display/JENKINS/ZAProxy+Plugin. Sonar picks up the file using plugin https://github.com/stevespringett/zap-sonar-plugin

[thc202]

It seems the Sonar plugin uses other file:
https://github.com/stevespringett/zap-sonar-plugin/blob/e0645220ecf0c62ff1fe341b2ed09b301ba64397/sonar-zap-plugin/src/main/resources/org/sonar/zaproxy/rules.xml

Worth trying with a custom file that has the missing plugin:
https://github.com/stevespringett/zap-sonar-plugin#plugin-configuration

[jukkaharkki]

Thank you for your support! I modifed rules.xml in sonar-zap-plugin adding description for 30002, compiled and installed it. Now the warning is gone. I'll let sonar-zap-plugin project to know this issue

[thc202]

Great! Thanks for letting us know.

[lock]

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.