
Ignore specific finding from command line generated report #6909

Closed
so87 opened this issue Nov 5, 2021 · 30 comments
@so87

so87 commented Nov 5, 2021

I have come across what I believe is a false positive while doing an API scan. I do not want to exclude the finding check. I want to exclude this specific finding.

My suggestion would be to generate a hash that combines the finding ID with the Path, method, and parameter. Then you could say in a config file "ignore finding="

@thc202
Member

thc202 commented Nov 5, 2021

Did you try using Alert Filters? https://www.zaproxy.org/docs/desktop/addons/alert-filters/

@thc202 thc202 added the add-on label Nov 5, 2021
@psiinon
Member

psiinon commented Nov 6, 2021

We also have a FAQ that covers all of the options: https://www.zaproxy.org/faq/how-do-i-handle-a-false-positive/
The Automation Framework will support alert filters (in time) so I propose we either close this now or when it's supported by the AF...

@so87
Author

so87 commented Nov 8, 2021

@thc202 @psiinon I am confused about how I am supposed to use alert filters via the command line scans. Do I have to configure a context file just to do alerts? Is there an example of this? Or do I have to alter the .prop file, or the configuration file (are there examples of this)? I assume I'm supposed to configure alert filters in the context file because that is the only thing I see that has some amount of documentation.

I can't find examples for any of these things in the documentation. Stack Overflow has some threads on this but I didn't see any resolved examples.

@thc202
Member

thc202 commented Nov 8, 2021

You can define the alert filters through the command line, like other options: https://www.zaproxy.org/faq/how-do-you-find-out-what-key-to-use-to-set-a-config-value-on-the-command-line/

@so87
Author

so87 commented Nov 8, 2021

@thc202 where is the documentation for ignoring a previous finding? I assume this: https://www.zaproxy.org/docs/desktop/addons/alert-filters/alertfilterdialog/ but I don't know how to configure this because I have no examples and the documentation is very light.

@kingthorin
Member

He linked to the documentation, you'd have to configure it with config params on the CLI.

@so87
Author

so87 commented Nov 8, 2021

@kingthorin do you have an example? I do not know how to configure the filtering based on that page. Some options don't even seem configurable via the command line, like "test filter".

@kingthorin
Member

kingthorin commented Nov 8, 2021

Fire up ZAP, save a filter, look at the config file.

Edit: .... no I don't have one handy. You could probably search the user group.

@so87
Author

so87 commented Nov 10, 2021

@thc202 @kingthorin I saved an alert filter in the context, and this is what appeared:

        <alertFilters>
            <filter>true;40018;-1;LiovQWNjb3VudHMvLiovTWVzc2FnZXM=;true;ZGF0ZVVwZGF0ZWQ=;false;;false;;false;</filter>
        </alertFilters>

No idea if I did that correctly, but if I did, that would have been impossible to guess via reading the documentation on the alert filters page.
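The `<filter>` line saved above is a semicolon-separated record with the URL and parameter fields Base64-encoded, which is why it is unreadable at a glance. The following decoder/encoder is an added example for this thread, not code from the ZAP project; the field order it assumes (enabled; scan rule id; new risk; URL; URL-is-regex; parameter; parameter-is-regex; attack; attack-is-regex; evidence; evidence-is-regex; methods), the risk mapping (-1 = False Positive) and the whole-URL regex matching in `applies_to` are read off the saved line and the Alert Filter dialog, not documented on this page, and should be treated as assumptions. The sample URL and parameter names in the test are constructed.

```python
"""Decode, encode and dry-run a ZAP context alert filter line.

Added example, not ZAP project code. Field meanings are an assumption
read off the saved <filter> line in this thread.
"""
import base64
import re
from dataclasses import dataclass

# Filter line exactly as it appeared in the saved context file above.
SAVED_FILTER = ("true;40018;-1;LiovQWNjb3VudHMvLiovTWVzc2FnZXM=;true;"
                "ZGF0ZVVwZGF0ZWQ=;false;;false;;false;")

# Assumed meaning of the "new risk" field; -1 is the False Positive case.
NEW_RISK_LABELS = {-1: "False Positive", 0: "Informational",
                   1: "Low", 2: "Medium", 3: "High"}


@dataclass
class AlertFilter:
    enabled: bool
    rule_id: int          # scan rule id, e.g. 40018
    new_risk: int         # see NEW_RISK_LABELS
    url: str              # literal URL or regex, stored Base64
    url_regex: bool
    parameter: str        # literal parameter name or regex, stored Base64
    parameter_regex: bool
    attack: str = ""
    attack_regex: bool = False
    evidence: str = ""
    evidence_regex: bool = False
    methods: str = ""     # trailing field, empty in the saved line


def _b64_decode(value: str) -> str:
    return base64.b64decode(value).decode("utf-8") if value else ""


def _b64_encode(value: str) -> str:
    return base64.b64encode(value.encode("utf-8")).decode("ascii") if value else ""


def parse_alert_filter(line: str) -> AlertFilter:
    """Split the 12 semicolon-separated fields and decode the Base64 ones."""
    parts = line.strip().split(";")
    if len(parts) != 12:
        raise ValueError(f"expected 12 fields, got {len(parts)}")
    return AlertFilter(
        enabled=parts[0] == "true",
        rule_id=int(parts[1]),
        new_risk=int(parts[2]),
        url=_b64_decode(parts[3]),
        url_regex=parts[4] == "true",
        parameter=_b64_decode(parts[5]),
        parameter_regex=parts[6] == "true",
        attack=_b64_decode(parts[7]),
        attack_regex=parts[8] == "true",
        evidence=_b64_decode(parts[9]),
        evidence_regex=parts[10] == "true",
        methods=parts[11],
    )


def encode_alert_filter(f: AlertFilter) -> str:
    """Inverse of parse_alert_filter; produces a line for the context file."""
    b = lambda v: "true" if v else "false"
    return ";".join([
        b(f.enabled), str(f.rule_id), str(f.new_risk),
        _b64_encode(f.url), b(f.url_regex),
        _b64_encode(f.parameter), b(f.parameter_regex),
        _b64_encode(f.attack), b(f.attack_regex),
        _b64_encode(f.evidence), b(f.evidence_regex),
        f.methods,
    ])


def _field_matches(pattern: str, is_regex: bool, value: str) -> bool:
    if not pattern:            # empty filter field: no constraint
        return True
    if is_regex:               # assumed: regex must match the whole value
        return re.fullmatch(pattern, value) is not None
    return pattern == value


def applies_to(f: AlertFilter, rule_id: int, url: str, parameter: str) -> bool:
    """Dry run: would this filter re-rate an alert with these attributes?

    Useful for checking that a filter is narrow enough before relying on
    it, since an over-broad regex silently hides other findings too.
    """
    if not f.enabled or f.rule_id != rule_id:
        return False
    return (_field_matches(f.url, f.url_regex, url)
            and _field_matches(f.parameter, f.parameter_regex, parameter))


if __name__ == "__main__":
    flt = parse_alert_filter(SAVED_FILTER)
    print(f"rule {flt.rule_id} -> {NEW_RISK_LABELS[flt.new_risk]}")
    print(f"url regex={flt.url_regex}: {flt.url}")
    print(f"parameter regex={flt.parameter_regex}: {flt.parameter}")
```

Running it decodes the saved line to rule 40018, new risk False Positive, URL regex `.*/Accounts/.*/Messages` and literal parameter `dateUpdated`; `encode_alert_filter` reproduces the original line byte for byte, and `applies_to` lets you confirm the filter only hits the one finding you meant to suppress.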

@psiinon
Member

psiinon commented Nov 10, 2021

That's why our future direction is to use the Automation Framework which will (in time) make this much easier.

@thc202
Member

thc202 commented Nov 10, 2021

You don't need to specify them in the context, the global alert filters can be set through the command line like the other options.

@so87
Author

so87 commented Nov 10, 2021

@thc202 yes they can be set through the command line, but how would anyone know how to do that unless you've set these options in the GUI (so you know what the inputs are), and also set other plugin properties like replacer? My guess at configuring this is:

    alertfilter.full_list(0).type=SQL Injection
    alertfilter.full_list(0).risk=False Positive
    alertfilter.full_list(0).url=

?? I am guessing at parameter names ??

@so87
Author

so87 commented Nov 10, 2021

Also, for whatever reason, if I set a context file while doing an openapi scan (the context file only has the title in it, along with scope), the scan type changes. It no longer attempts to do an openapi scan.

@so87
Author

so87 commented Nov 10, 2021

@psiinon when will the automation framework be released? I think there are too many issues to do what I'm trying to do, so it may be better for me to wait for the automation framework.

@thc202
Member

thc202 commented Nov 10, 2021

Re #6909 (comment) the FAQ linked earlier explains how to do that.

@psiinon
Member

psiinon commented Nov 10, 2021

It's released :D https://www.zaproxy.org/docs/automate/automation-framework/
But it's not complete (or ever will be, as we'll keep on improving it).
The tracker is #6461

@so87
Author

so87 commented Nov 10, 2021

@psiinon so is the purpose of the automation framework to be able to configure everything in the GUI, and then export all of those configs and feed it to a headless cli scan essentially?

@psiinon
Member

psiinon commented Nov 10, 2021

That's one of the purposes, yes :)
It's meant to be the best way for most people to automate ZAP.
We'll keep the packaged scans, but they are being migrated to use the AF - the baseline already uses it for the most common options.

@so87
Author

so87 commented Nov 10, 2021

@psiinon gotcha, ok thanks. Looking at the project tracker and the documentation - adding a header doesn't seem to be supported at the moment, right? I was essentially wanting to add this to my automation framework yml but couldn't figure out how:

    formhandler.fields.field(0).fieldId=accountId
    formhandler.fields.field(0).value=asdfasdfasdf
    formhandler.fields.field(0).enabled=true
    replacer.full_list(0).description=Authorization
    replacer.full_list(0).enabled=true
    replacer.full_list(0).matchtype=REQ_HEADER
    replacer.full_list(0).matchstr=Authorization
    replacer.full_list(0).regex=false
    replacer.full_list(0).replacement=Basic asdfasdf

Or I guess I could just keep it as a zap config option?

@psiinon
Member

psiinon commented Nov 10, 2021

Authorization headers are supported across ZAP using env vars: https://www.zaproxy.org/docs/desktop/start/features/authentication/#envvars

We know the auth docs could be improved - we've made a start on that here: https://www.zaproxy.org/docs/authentication/

The plan is for the AF to support all of the options people want in the yaml file, but until that happens you can still specify them via command line config options.

@so87
Author

so87 commented Nov 10, 2021

@psiinon so like this?

    env:                                   # The environment, mandatory
      contexts :                           # List of 1 or more contexts, mandatory
        - name: context 1                  # Name to be used to refer to this context in other jobs, mandatory
          urls:                            # A mandatory list of top level urls, everything under each url will be included
            - https://example.com
          includePaths:                    # An optional list of regexes to include
          excludePaths:                    # An optional list of regexes to exclude
          authentication:                  # TBA: In time to cover all auth configs
      vars:                                # List of 1 or more variables, can be used in urls and selected other parameters
        - ZAP_AUTH_HEADER: Authorization
        - ZAP_AUTH_HEADER_VALUE: Basic sdfasdf

What if I want more headers??

Also, how can I use the formhandler addon? I want to replace some strings as they come up in the openapi.json file.

@psiinon
Member

psiinon commented Nov 10, 2021

No, you can't put them in the yaml file. Well, you can but they will be ignored :)
You just need to define them as OS env vars.
If you need more than one then you need to use replacer rules.
You'll have to supply the form handler via the config command line options - https://www.zaproxy.org/faq/how-do-you-find-out-what-key-to-use-to-set-a-config-value-on-the-command-line/

@so87
Author

so87 commented Nov 10, 2021

Why would I need to put them as OS environment variables? That is a key configuration need to conduct scanning.

Anyway, when I specified my configuration file to conduct the scan, the job ran but then it stopped after a few seconds and didn't produce any error messages:

zap@625b031e5d2e:/zap$ ./zap.sh -cmd -autorun wrk/automation-framework-template-min.yml -configfile /zap/wrk/configs.prop
Found Java version 11.0.11
Available memory: 3934 MB
Using JVM args: -Xmx983m
Job addOns set updateAddOns = true
Job passiveScan-config set maxAlertsPerRule = 10
Job passiveScan-config set scanOnlyInScope = true
Job openapi set apiFile = /zap/wrk/openapi.json
Job passiveScan-wait set maxDuration = 5
Job report set reportDir = /zap/wrk/
Job report set reportTitle = example-API-Scan
Job addOns started
Add-on downloaded to: /home/zap/.ZAP/plugin/webdriverlinux-release-33.zap
Add-on downloaded to: /home/zap/.ZAP/plugin/fuzz-beta-13.5.0.zap
Add-on downloaded to: /home/zap/.ZAP/plugin/graphql-alpha-0.7.0.zap
Add-on downloaded to: /home/zap/.ZAP/plugin/spiderAjax-release-23.7.0.zap
Add-on downloaded to: /home/zap/.ZAP/plugin/automation-alpha-0.8.0.zap
Add-on downloaded to: /home/zap/.ZAP/plugin/soap-alpha-11.zap
Add-on downloaded to: /home/zap/.ZAP/plugin/reports-release-0.9.1.zap
zap@625b031e5d2e:/zap$ ls wrk/F
ls: cannot access 'wrk/F': No such file or directory

@psiinon
Member

psiinon commented Nov 10, 2021

This isn't the right place to debug this sort of configuration issue - please post to the User Group: https://groups.google.com/group/zaproxy-users

@so87
Author

so87 commented Nov 10, 2021

I cannot navigate to Google Groups because of corporate firewall policies. Most companies do not allow you to access Google Groups and most of your users would be corporate users. Are there any plans to change that? Using GitHub issues would also allow better searching and issue resolution because it is right there with your project.

@kingthorin
Member

> I cannot navigate to Google Groups because of corporate firewall policies. Most companies do not allow you to access Google Groups and most of your users would be corporate users.

That's quite a serious overgeneralization. Let's keep the hyperbole to a minimum.

> Are there any plans to change that?

Not currently.

@so87
Author

so87 commented Nov 10, 2021

So in summary: there are no configuration examples, I should wait for the automation framework to be done, if I want to see the syntax of something I should do it in the GUI and then look at the configuration file, and if I want assistance I will go to the Google Groups.

@kingthorin
Member

> there are no configuration examples

There are plenty, just hit Google or your search engine of choice.

> I should wait for the automation framework to be done

Could/may as well.

> if I want to see the syntax of something I should do it in the GUI and then look at the configuration file

Depends on the circumstance, but potentially yes. Or check the docs. Or search. Chances are high you're doing something someone else has done, asked about, or blogged about.

> if I want assistance I will go to the Google Groups

In general that's your best bet.

We understand that you're displeased with these answers for some reason. However, ZAP is an Open Source project and basically everyone that contributes/supports it is a volunteer.

@so87
Author

so87 commented Nov 11, 2021

@kingthorin I appreciate the help, thank you. I will keep trying and learning from all of the resources you linked.

@github-actions

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@github-actions github-actions bot locked and limited conversation to collaborators Mar 17, 2022