Ignore specific finding from command line generated report #6909
Comments
Did you try using Alert Filters? https://www.zaproxy.org/docs/desktop/addons/alert-filters/
We also have a FAQ that covers all of the options: https://www.zaproxy.org/faq/how-do-i-handle-a-false-positive/
@thc202 @psiinon I am confused on how I am supposed to use alert filters via the command line scans. Do I have to configure a context file just to do alerts? Is there an example of this? Or do I have to alter the .prop file, or the configuration file (are there examples of this)? I assume I'm supposed to configure alert filters in the context file because that is the only thing I see that has some amount of documentation. I can't find examples for any of these things in the documentation. Stack Overflow has some threads on this but I didn't see any resolved examples.
You can define the alert filters through the command line, like other options: https://www.zaproxy.org/faq/how-do-you-find-out-what-key-to-use-to-set-a-config-value-on-the-command-line/
@thc202 where is the documentation for ignoring a previous finding? I assume this: https://www.zaproxy.org/docs/desktop/addons/alert-filters/alertfilterdialog/ but I don't know how to configure this because I have no examples and the documentation is very light.
He linked to the documentation, you'd have to configure it with config params on the CLI.
@kingthorin do you have an example? I do not know how to configure the filtering based on that page. Some options don't even seem configurable via the command line, like "test filter".
Fire up ZAP, save a filter, look at the config file. Edit: .... no I don't have one handy. You could probably search the user group.
@thc202 @kingthorin I saved an alert filter in the context, and this is what appeared:
No idea if I did that correctly, but if I did, that would have been impossible to guess by reading the documentation on the alert filters page.
That's why our future direction is to use the Automation Framework, which will (in time) make this much easier.
You don't need to specify them in the context, the global alert filters can be set through the command line like the other options.
@thc202 yes, they can be set through the command line, but how would anyone know how to do that unless you've set these options in the GUI (so you know what the inputs are), and also set other plugin properties like replacer? My guess at configuring this is: alertfilter.full_list(0).type=SQL Injection
Also, for whatever reason, if I set a context file while doing an OpenAPI scan (the context file only has the title in it, along with scope), the scan type changes. It no longer attempts to do an OpenAPI scan.
@psiinon when will the automation framework be released? I think there are too many issues to do what I'm trying to do, so it may be better for me to wait for the automation framework.
Re #6909 (comment) the FAQ linked earlier explains how to do that.
It's released :D https://www.zaproxy.org/docs/automate/automation-framework/
@psiinon so is the purpose of the automation framework to be able to configure everything in the GUI, and then export all of those configs and feed it to a headless CLI scan, essentially?
That's one of the purposes, yes :)
@psiinon gotcha, ok thanks. Looking at the project tracker and the documentation, adding a header doesn't seem to be supported at the moment, right? I was essentially wanting to add this to my automation framework yml but couldn't figure out how: Or I guess I could just keep it as a zap config option?
Authorization headers are supported across ZAP using env vars: https://www.zaproxy.org/docs/desktop/start/features/authentication/#envvars We know the auth docs could be improved; we've made a start on that here: https://www.zaproxy.org/docs/authentication/ The plan is for the AF to support all of the options people want in the yaml file, but until that happens you can still specify them via command line config options.
@psiinon so like this? env: # The environment, mandatory
No, you can't put them in the yaml file. Well, you can, but they will be ignored :)
Why would I need to put them as OS environment variables? That is a key configuration need to conduct scanning. Anyway, when I specified my configuration file to conduct the scan, the job ran but then it stopped after a few seconds and didn't produce any error messages: zap@625b031e5d2e:/zap$ ./zap.sh -cmd -autorun wrk/automation-framework-template-min.yml -configfile /zap/wrk/configs.prop
This isn't the right place to debug this sort of configuration issue; please post to the User Group: https://groups.google.com/group/zaproxy-users
I cannot navigate to Google Groups because of corporate firewall policies. Most companies do not allow you to access Google Groups, and most of your users would be corporate users. Are there any plans to change that? Using GitHub issues would also allow better searching and issue resolution because it is right there with your project.
That's quite a serious over-generalization. Let's keep the hyperbole to a minimum.
Not currently.
So in summary: there are no configuration examples, I should wait for the automation framework to be done, if I want to see the syntax of something I should do it in the GUI and then look at the configuration file, and if I want assistance I will go to the Google Groups.
There are plenty, just hit Google or your search engine of choice.
Could/may as well.
Depends on the circumstance, but potentially yes. Or check the docs. Or search. Chances are high you're doing something someone else has done, asked about, or blogged about.
In general that's your best bet. We understand that you're displeased with these answers for some reason. However, ZAP is an Open Source project and basically everyone that contributes/supports it is a volunteer.
@kingthorin I appreciate the help, thank you. I will keep trying and learning from all of the resources you linked.
This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
I have come across what I believe is a false positive while doing an API scan. I do not want to exclude the finding check. I want to exclude this specific finding.
My suggestion would be to generate a hash that combines the finding ID with the Path, method, and parameter. Then you could say in a config file "ignore finding="
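The per-finding fingerprint proposed in the issue (a hash over the finding ID, path, method and parameter, with an `ignore finding=` entry in a config file) can be applied as a post-processing step over a generated report. The block below is an added example and is not ZAP's code or a ZAP feature; the alert field names (`pluginid`, `method`, `uri`, `param`) and the `ignore finding="<hash>"` config line format are assumptions modelled on the suggestion above, and the sample alerts are constructed. It goes slightly beyond the suggestion by normalising the URI (query string and host dropped, method upper-cased) so that the same finding hashes identically across runs, which is what makes a suppression list stable.

```python
import hashlib
from urllib.parse import urlsplit

# Constructed sample alert instances, loosely shaped like the entries in a
# ZAP JSON report. The field names are an assumption, not the exact schema.
SAMPLE_ALERTS = [
    {"pluginid": "40018", "alert": "SQL Injection", "method": "POST",
     "uri": "https://example.test/api/v1/items?debug=1", "param": "id"},
    {"pluginid": "40018", "alert": "SQL Injection", "method": "GET",
     "uri": "https://example.test/api/v1/search", "param": "q"},
    {"pluginid": "10021", "alert": "X-Content-Type-Options Header Missing",
     "method": "GET", "uri": "https://example.test/api/v1/search", "param": ""},
]


def fingerprint(alert):
    """Stable identifier for one specific finding instance.

    Combines plugin (finding) ID, HTTP method, request path and parameter,
    as the issue suggests. The query string and host are deliberately
    excluded so a re-scan with different tracking parameters or a different
    hostname still produces the same hash; the plugin ID alone is NOT enough,
    since that would suppress the whole check rather than one instance.
    """
    path = urlsplit(alert["uri"]).path or "/"
    material = "|".join([
        str(alert["pluginid"]),
        alert["method"].upper(),
        path,
        alert.get("param", ""),
    ])
    # 16 hex chars (64 bits) is plenty for a suppression list; full SHA-256
    # would work too but is unwieldy to paste into a config file.
    return hashlib.sha256(material.encode("utf-8")).hexdigest()[:16]


def load_ignore_list(text):
    """Parse lines of the form  ignore finding="<hash>"  from a config file.

    This is the hypothetical format proposed in the issue; blank lines and
    '#' comments are skipped, and surrounding quotes on the value are optional.
    """
    ignored = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == "ignore finding":
            ignored.add(value.strip().strip('"'))
    return ignored


def filter_alerts(alerts, ignored):
    """Return only the alerts whose fingerprint is not in the ignore set."""
    return [a for a in alerts if fingerprint(a) not in ignored]


if __name__ == "__main__":
    # Print fingerprints so a reviewer can copy the one to suppress.
    for a in SAMPLE_ALERTS:
        print(fingerprint(a), a["method"], a["uri"], a["param"], a["alert"])
    # Suppress only the first (reviewed, false-positive) instance.
    config = 'ignore finding="%s"\n' % fingerprint(SAMPLE_ALERTS[0])
    remaining = filter_alerts(SAMPLE_ALERTS, load_ignore_list(config))
    print("remaining after suppression:", len(remaining))
```

The hash is a convenience identifier, not a security control, so truncating it is fine; what matters is that the ignore list records a reviewed decision per instance, and that a change in path or parameter produces a new hash so the finding resurfaces for re-review instead of staying silently suppressed.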