automation & sequence: Revise scan policy handling & try to use defaults
Signed-off-by: kingthorin <[email protected]>
kingthorin committed Nov 7, 2024
1 parent 3679bc0 commit 5d954f9
Showing 5 changed files with 36 additions and 13 deletions.
Expand Up @@ -99,7 +99,7 @@ public void verifyParameters(AutomationProgress progress) {
break;
case "policyDefinition":
// Parse the policy defn
PolicyDefinition.parsePolicyDefinition(
policyDefinition.parsePolicyDefinition(
jobData.get(key), policyDefinition, this.getName(), progress);
break;
case "name":
Expand Up @@ -86,7 +86,7 @@ public void verifyParameters(AutomationProgress progress) {
break;
case "policyDefinition":
// Parse the policy defn
PolicyDefinition.parsePolicyDefinition(
policyDefinition.parsePolicyDefinition(
jobData.get(key), policyDefinition, this.getName(), progress);
break;
case "name":
Expand Up @@ -31,7 +31,6 @@
import org.parosproxy.paros.core.scanner.PluginFactory;
import org.zaproxy.addon.automation.AutomationData;
import org.zaproxy.addon.automation.AutomationProgress;
import org.zaproxy.addon.automation.jobs.PolicyDefinition.Rule;
import org.zaproxy.zap.extension.ascan.ScanPolicy;

@Getter
Expand All @@ -44,7 +43,7 @@ public class PolicyDefinition extends AutomationData {
private String defaultThreshold = JobUtils.thresholdToI18n(AlertThreshold.MEDIUM.name());
private List<Rule> rules = new ArrayList<>();

public static void parsePolicyDefinition(
public void parsePolicyDefinition(
Object policyDefnObj,
PolicyDefinition policyDefinition,
String jobName,
Expand All @@ -53,6 +52,11 @@ public static void parsePolicyDefinition(
if (policyDefnObj instanceof LinkedHashMap<?, ?>) {
LinkedHashMap<?, ?> policyDefnData = (LinkedHashMap<?, ?>) policyDefnObj;

if (policyDefnData.isEmpty()) {
policyDefinition.setDefaultStrength(null);
return;
}

JobUtils.applyParamsToObject(
policyDefnData,
policyDefinition,
Expand All @@ -65,6 +69,7 @@ public static void parsePolicyDefinition(
PluginFactory pluginFactory = scanPolicy.getPluginFactory();

Object o = policyDefnData.get(RULES_ELEMENT_NAME);

if (o instanceof ArrayList<?>) {
ArrayList<?> ruleData = (ArrayList<?>) o;
for (Object ruleObj : ruleData) {
Expand Down Expand Up @@ -118,7 +123,13 @@ public static void parsePolicyDefinition(
}

public ScanPolicy getScanPolicy(String jobName, AutomationProgress progress) {
if (getDefaultStrength() == null) {
// Nothing defined
return null;
}

ScanPolicy scanPolicy = new ScanPolicy();
scanPolicy.getPluginFactory().setAllPluginEnabled(false);

// Set default strength
AttackStrength st = JobUtils.parseAttackStrength(getDefaultStrength(), jobName, progress);
Expand All @@ -135,9 +146,7 @@ public ScanPolicy getScanPolicy(String jobName, AutomationProgress progress) {
if (th != null) {
scanPolicy.setDefaultThreshold(th);
if (th == AlertThreshold.OFF) {
for (Plugin plugin : pluginFactory.getAllPlugin()) {
plugin.setEnabled(false);
}
scanPolicy.getPluginFactory().setAllPluginEnabled(false);
} else {
scanPolicy.setDefaultThreshold(th);
}
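Review bot: `policyDefinition.setDefaultStrength(null)` in the new `isEmpty()` branch turns a normal configuration field into the "nothing defined" sentinel that `getScanPolicy` checks, while `defaultThreshold` keeps its `MEDIUM` initializer, so the object is left half-reset and any code reading the threshold sees a defined-looking value. A dedicated flag is clearer and cannot collide with a deliberately null strength: `private boolean defined;` set to `!policyDefnData.isEmpty()` here, with `if (!defined) { return null; }` replacing the null check in `getScanPolicy`. Separately, the added `scanPolicy.getPluginFactory().setAllPluginEnabled(false)` runs before defaults and rules are applied, so a definition that sets only `defaultStrength`/`defaultThreshold` with no `rules` appears to yield a policy with every scanner disabled, i.e. an active scan that silently tests nothing; if the rules loop (it continues outside this hunk) does not re-enable plugins, that case should at least raise a `progress` warning. It also makes the second `setAllPluginEnabled(false)` in the `AlertThreshold.OFF` branch redundant.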
Expand Up @@ -189,7 +189,7 @@ void shouldParseValidDefinition() {
Object data = yaml.load(yamlStr);

// When
PolicyDefinition.parsePolicyDefinition(data, policyDefinition, "test", progress);
policyDefinition.parsePolicyDefinition(data, policyDefinition, "test", progress);

// Then
assertThat(progress.hasErrors(), is(equalTo(false)));
Expand Down Expand Up @@ -223,7 +223,7 @@ void shouldWarnIfUnknownRule() {
Object data = yaml.load(yamlStr);

// When
PolicyDefinition.parsePolicyDefinition(data, policyDefinition, "test", progress);
policyDefinition.parsePolicyDefinition(data, policyDefinition, "test", progress);

// Then
assertThat(progress.hasErrors(), is(equalTo(false)));
Expand All @@ -250,7 +250,7 @@ void shouldWarnIfDefnNotList() {
Object data = yaml.load(yamlStr);

// When
PolicyDefinition.parsePolicyDefinition(data, policyDefinition, "test", progress);
policyDefinition.parsePolicyDefinition(data, policyDefinition, "test", progress);

// Then
assertThat(progress.hasErrors(), is(equalTo(false)));
Expand All @@ -270,7 +270,7 @@ void shouldWarnIfRulesNotList() {
Object data = yaml.load(yamlStr);

// When
PolicyDefinition.parsePolicyDefinition(data, policyDefinition, "test", progress);
policyDefinition.parsePolicyDefinition(data, policyDefinition, "test", progress);

// Then
assertThat(progress.hasErrors(), is(equalTo(false)));
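Review bot: The new empty-definition branch in `parsePolicyDefinition` and the matching `null` return from `getScanPolicy` get no coverage here; the only change to this file is the static-to-instance call rename. A test that loads `policyDefinition: {}` through the same `yaml.load`/`parsePolicyDefinition` path and asserts `policyDefinition.getScanPolicy("test", progress)` is `nullValue()` with `progress.hasErrors()` still false would pin the new contract. A second test for a definition with defaults but no `rules` would also document whether a policy with all plugins disabled after the new `setAllPluginEnabled(false)` call is the intended result. The test methods shown continue outside the hunks.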
Expand Up @@ -70,6 +70,9 @@ public class SequenceActiveScanJob extends AutomationJob {
private static final String PARAM_SEQUENCE = "sequence";
private static final String PARAM_USER = "user";

private static final String DEFAULT_SEQ_POLICY = "Sequence";
private static final String DEFAULT_SEQ_POLICY_FILE = "Sequence.policy";

private final ExtensionActiveScan extAScan;
private final ExtensionScript extScript;

Expand Down Expand Up @@ -116,7 +119,7 @@ public void verifyParameters(AutomationProgress progress) {
break;
case "policyDefinition":
// Parse the policy defn
PolicyDefinition.parsePolicyDefinition(
policyDefinition.parsePolicyDefinition(
jobData.get(key), policyDefinition, this.getName(), progress);
break;
case "name":
Expand Down Expand Up @@ -199,6 +202,17 @@ public void runJob(AutomationEnvironment env, AutomationProgress progress) {
if (scanPolicy != null) {
contextSpecificObjects.add(scanPolicy);
}
LOGGER.info(
"No policy or policyDefinition, attempting to use bundled {}",
DEFAULT_SEQ_POLICY_FILE);
try {
scanPolicy = extAScan.getPolicyManager().getPolicy(DEFAULT_SEQ_POLICY);
} catch (ConfigurationException e) {
// TODO i18n
progress.error("Could not establish a scan policy to use");
return;
}
contextSpecificObjects.add(scanPolicy);

Stream<ZestScriptWrapper> sequenceZestScripts =
extScript.getScripts(ExtensionSequence.TYPE_SEQUENCE).stream()
Expand Down Expand Up @@ -341,6 +355,6 @@ public static class Parameters extends AutomationData {
private String sequence = "";
private String context = "";
private String user = "";
private String policy = "";
private String policy = DEFAULT_SEQ_POLICY;
}
}
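Review bot: The bundled-policy fallback starting at `LOGGER.info("No policy or policyDefinition, ...` runs unconditionally, directly after `if (scanPolicy != null) { contextSpecificObjects.add(scanPolicy); }`, so when a `policy` or `policyDefinition` was configured the log message is wrong, the bundled `Sequence` policy is loaded anyway and added to `contextSpecificObjects` alongside the configured one; the fallback belongs in the `else` of that check, unless code before the hunk returns early, which is not visible here. The `catch` also drops the `ConfigurationException` detail, and if `PolicyManager.getPolicy` can return null for a missing policy file the result should be null-checked before it is added, otherwise the scan proceeds with no policy. `runJob` continues outside the hunk.
```java
if (scanPolicy != null) {
    contextSpecificObjects.add(scanPolicy);
} else {
    LOGGER.info(
            "No policy or policyDefinition, attempting to use bundled {}",
            DEFAULT_SEQ_POLICY_FILE);
    try {
        scanPolicy = extAScan.getPolicyManager().getPolicy(DEFAULT_SEQ_POLICY);
    } catch (ConfigurationException e) {
        // TODO i18n
        progress.error("Could not establish a scan policy to use: " + e.getMessage());
        return;
    }
    if (scanPolicy == null) {
        // TODO i18n
        progress.error("Could not establish a scan policy to use");
        return;
    }
    contextSpecificObjects.add(scanPolicy);
}
// … unchanged: sequence script lookup …
```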
