automation & sequence: fix use of default policies and set Sequence as default sequence policy #5897

kingthorin · 2024-11-07T14:53:41Z

Overview

Modify automation and sequence to properly build and use a policy from policyDefinition if present in the plan. If neither policy nor policyDefinition are defined fall back to Default Policy or Sequence respectively.

Related Issues

n/a

Checklist

kingthorin · 2024-11-07T19:39:51Z

I had to rename one of the UnitTest classes so that Eclipse would properly find it and run it as a JUnit test.

kingthorin · 2024-11-07T20:04:52Z

Still needs changelog and help updates I guess

addOns/automation/src/main/java/org/zaproxy/addon/automation/jobs/PolicyDefinition.java

addOns/automation/src/test/java/org/zaproxy/addon/automation/jobs/ActiveScanJobUnitTest.java

...uence/src/main/java/org/zaproxy/zap/extension/sequence/automation/SequenceActiveScanJob.java

addOns/automation/src/test/java/org/zaproxy/addon/automation/jobs/ActiveScanJobUnitTest.java

addOns/automation/src/main/java/org/zaproxy/addon/automation/jobs/PolicyDefinition.java

addOns/automation/src/main/java/org/zaproxy/addon/automation/jobs/ActiveScanJob.java

...mation/src/main/javahelp/org/zaproxy/addon/automation/resources/help/contents/job-ascan.html

...src/main/javahelp/org/zaproxy/zap/extension/sequence/resources/help/contents/automation.html

addOns/automation/src/test/java/org/zaproxy/addon/automation/jobs/ActiveScanJobUnitTest.java

addOns/automation/CHANGELOG.md

kingthorin · 2024-11-08T15:43:58Z

Okay I think I'm caught up to all the feedback now 😉

thc202 · 2024-11-09T18:36:39Z

There are still two cases that don't yet use the default policy, when the policyDefinition is present but it's an empty object and when not present at all.

I'm fine if this is merged without those two cases but we should fix them before releasing the add-ons.

kingthorin · 2024-11-10T22:50:06Z

when the policyDefinition is present but it's an empty object

Handled.

when not present at all.

I'm not exactly sure where to handle this. verifyParameters if both policy and policyDefinition are missing? (For the sequenceActiveScanJob anyway, I didn't check the generic one) ... Edit: or maybe in that method if policy isn't defined set it to Sequence it can then still be overridden by policyDefinition?

psiinon · 2024-11-14T13:20:45Z

Re 2. I think the seq ascan should always default to the Sequence policy we define.
So the order is (I think):

policy
policyDefinition
The seq policy defaul theyve specified by the options
The Sequence policy

kingthorin · 2024-11-14T14:48:07Z

Agreed, that's the way we're headed with this. The question for my point 2 above is where/how it should be handled within the code 😀

thc202 · 2024-11-14T15:05:03Z

#5897 (comment)

It can be done in verifyParameters when policyDefinition is not present. (The policy should not matter for this case.) It's the same handling for both jobs. It might be better to call always the parsePolicyDefinition and keep the null strength handling internally.

thc202 · 2024-11-14T15:26:47Z

addOns/automation/src/test/java/org/zaproxy/addon/automation/jobs/PolicyDefinitionUnitTest.java

+                "  defaultStrength: \n" + "  defaultThreshold: \n" + "  rules: ",
+                "rules: \n",
+                "defaultStrength:"


I'd say in these cases we should use the defaults. The user is specifying something after all (even if not complete).

kingthorin · 2024-11-14T15:46:46Z

Call parse from verify?

kingthorin · 2024-11-14T16:59:30Z

#5897 (comment)

It can be done in verifyParameters when policyDefinition is not present. (The policy should not matter for this case.) It's the same handling for both jobs. It might be better to call always the parsePolicyDefinition and keep the null strength handling internally.

Then I believe it's already covered. Both activeScanJob and sequenceActiveScanJob call parse in verifyParameters.

Signed-off-by: kingthorin <[email protected]>

thc202 · 2024-11-14T17:49:19Z

They need to call it always, currently when not present that method is not called and the null strength is not set.

Signed-off-by: kingthorin <[email protected]>

kingthorin · 2024-11-14T18:47:34Z

Done

psiinon mentioned this pull request Nov 7, 2024

Sequence - use new seq scan in desktop #5899

Merged

8 tasks

kingthorin force-pushed the seq-policy2 branch 4 times, most recently from 5d954f9 to a4deb50 Compare November 7, 2024 19:39

kingthorin marked this pull request as ready for review November 7, 2024 20:03

thc202 reviewed Nov 7, 2024

View reviewed changes

addOns/automation/src/main/java/org/zaproxy/addon/automation/jobs/PolicyDefinition.java Outdated Show resolved Hide resolved

thc202 reviewed Nov 7, 2024

View reviewed changes

thc202 changed the title ~~automation & sequence: Revise scan policy handling & try to use defaults~~ automation & sequence: fix use of default policies and set Sequence as default sequence policy Nov 7, 2024

kingthorin force-pushed the seq-policy2 branch 2 times, most recently from ebd5ac4 to 02430c9 Compare November 7, 2024 22:27

This comment was marked as resolved.

Sign in to view