
Improved Active/Passive Rules Management #3870

Open
davewichers opened this issue Sep 6, 2017 · 2 comments

Comments

@davewichers

I'm finding the Scan configuration manager a bit confusing. Here are some suggested improvements:

Apparently the 'Active' scan rules are managed by the Analyse->Scan Policy Manager, but the Passive rules are managed under 3 items buried under Options.

I suggest we put both the Active and Passive scan management options under the Analyse menu and label what's there now the 'Active' Scan Policy Manager, and put the other 3 under a new item 'Passive' Scan Policy Manager. The Passive Scan Policy Manager can manage the 3 passive options we have under Options currently. This will also remove 3 items from the Options list, which is REALLY long.

I think it would be good to add indications in both the Active and Passive scan policy managers that there are Beta and Alpha rules that they can import and provide buttons/links to get them. Either via the download plugin interface, or by direct file import.

I also think we should clarify how/where someone can download plugins if they are using ZAP offline and then import them via the File->Import or whatever feature is used to pull in plugins that way.

@psiinon

psiinon commented Sep 7, 2017

Maybe just move the Passive Scan Rules, as the Tags are logically different, and the Passive Scanner pane is equivalent to the Active Scan one?
Note we also have an Active Scan Input Vectors pane.
There's no reason why the Scan Policy Manager couldn't have (std gear) buttons for the relevant Option pages...

@benken-parasoft

The problem is that there does not seem to be any simple way for an organization to easily define and distribute a unified scan policy. Having the active scan rules configured in a policy file only accomplishes half the goal. For the passive scan, the "policy" would need to take the form of a script (or something) to configure what rules are enabled and the alert threshold for each of them.
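As an added example (not code from this issue or from the ZAP project), here is what the "script" half of a unified policy could look like: the passive-scan rules and their alert thresholds are kept as data in the same file an organisation distributes, and a short Python script pushes them into a running ZAP instance through the API. The method names `pscan.enable_scanners`, `pscan.disable_scanners` and `pscan.set_scanner_alert_threshold` are assumed from the zap-api-python client; the rule ids and the policy document are constructed placeholders, and a recording stand-in replaces the real client so the script runs offline.

```python
"""Apply the passive-scan half of a unified scan policy to ZAP via its API.

Added example, not from the issue or the ZAP project. Assumes the
zap-api-python client (ZAPv2) exposes pscan.enable_scanners(ids),
pscan.disable_scanners(ids) and pscan.set_scanner_alert_threshold(id,
alertthreshold). Rule ids below are placeholders, not real ZAP scanner ids.
"""
import json

# Alert threshold values ZAP accepts for a passive scan rule.
VALID_THRESHOLDS = {"OFF", "DEFAULT", "LOW", "MEDIUM", "HIGH"}

# Constructed sample: the passive section of an organisation's policy file.
SAMPLE_POLICY_JSON = """
{
  "passive": {
    "10001": {"enabled": true,  "threshold": "HIGH"},
    "10002": {"enabled": false, "threshold": "DEFAULT"},
    "10003": {"enabled": true,  "threshold": "LOW"}
  }
}
"""


def parse_passive_policy(text):
    """Validate the policy and return (enable_ids, disable_ids, thresholds).

    A rule is treated as disabled if "enabled" is false or its threshold is
    OFF, so both spellings of "switch this rule off" end up in disable_ids.
    """
    doc = json.loads(text)
    rules = doc.get("passive", {})
    enable, disable, thresholds = [], [], {}
    for rule_id, cfg in rules.items():
        if not rule_id.isdigit():
            raise ValueError(f"rule id must be numeric: {rule_id!r}")
        threshold = str(cfg.get("threshold", "DEFAULT")).upper()
        if threshold not in VALID_THRESHOLDS:
            raise ValueError(f"bad threshold {threshold!r} for rule {rule_id}")
        if cfg.get("enabled", True) and threshold != "OFF":
            enable.append(rule_id)
            thresholds[rule_id] = threshold
        else:
            disable.append(rule_id)
    return enable, disable, thresholds


class RecordingPscan:
    """Stand-in for zap.pscan that records calls so the script runs offline."""

    def __init__(self):
        self.calls = []

    def enable_scanners(self, ids):
        self.calls.append(("enable", ids))

    def disable_scanners(self, ids):
        self.calls.append(("disable", ids))

    def set_scanner_alert_threshold(self, id, alertthreshold):
        self.calls.append(("threshold", id, alertthreshold))


def apply_passive_policy(pscan, text):
    """Push the policy to a pscan client; returns (enabled, disabled) counts.

    The ZAP API takes comma-separated id lists for enable/disable and one
    call per rule for the threshold.
    """
    enable, disable, thresholds = parse_passive_policy(text)
    if disable:
        pscan.disable_scanners(",".join(disable))
    if enable:
        pscan.enable_scanners(",".join(enable))
    for rule_id, threshold in thresholds.items():
        pscan.set_scanner_alert_threshold(rule_id, threshold)
    return len(enable), len(disable)


if __name__ == "__main__":
    # Against a live instance you would use the real client instead:
    #   from zapv2 import ZAPv2; pscan = ZAPv2(apikey="...").pscan
    rec = RecordingPscan()
    print(apply_passive_policy(rec, SAMPLE_POLICY_JSON))
    for call in rec.calls:
        print(call)
```

The active half of the same policy file can still be a ZAP `.policy` export imported through `ascan.import_scan_policy`; the point of the script is only that the passive settings travel in the same artifact and are applied in one step, which is what the comment above says the UI currently cannot do.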
