Merge pull request #5661 from anaaroch/main

zaproxy · Sep 16, 2024 · 3a36b4b · 3a36b4b
2 parents fc9f6dd + 70e75c7
commit 3a36b4b
Show file tree

Hide file tree

Showing 3 changed files with 38 additions and 9 deletions.
diff --git a/addOns/ascanrules/CHANGELOG.md b/addOns/ascanrules/CHANGELOG.md
@@ -6,6 +6,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 ## Unreleased
 ### Changed
 - Maintenance changes.
+- The Spring Actuator Scan Rule now includes example alert functionality for documentation generation purposes (Issue 6119).
 
 ## [67] - 2024-07-22
 

diff --git a/...ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SpringActuatorScanRule.java b/...ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SpringActuatorScanRule.java
@@ -20,6 +20,7 @@
 package org.zaproxy.zap.extension.ascanrules;
 
 import java.io.IOException;
+import java.util.List;
 import java.util.Map;
 import java.util.regex.Pattern;
 import org.apache.commons.httpclient.URI;
@@ -140,7 +141,9 @@ public void scan() {
  CONTENT_TYPE.matcher(contentType).find()
  && JSON_PAYLOAD.matcher(responseBody).find();
  if (matches) {
- raiseAlert(testMsg, Alert.CONFIDENCE_MEDIUM, getRisk());
+ createAlert(testMsg.getResponseBody().toString())
+ .setMessage(testMsg)
+ .raise();
  break;
  }
  }
@@ -196,15 +199,17 @@ private HttpMessage sendActuatorRequest(String encodingType, String actuatorEndp
  return null;
  }
 
- private void raiseAlert(HttpMessage msg, int confidence, int risk) {
- newAlert()
- .setRisk(risk)
- .setConfidence(confidence)
+ private AlertBuilder createAlert(String evidence) {
+ return newAlert()
+ .setRisk(getRisk())
+ .setConfidence(Alert.CONFIDENCE_MEDIUM)
  .setName(getAlertName())
- .setEvidence(msg.getResponseHeader().getPrimeHeader())
  .setReference(getReference())
- .setMessage(msg)
- .setEvidence(StringUtils.left(msg.getResponseBody().toString(), 100))
- .raise();
+ .setEvidence(StringUtils.left(evidence, 100));
+ }
+
+ @Override
+ public List<Alert> getExampleAlerts() {
+ return List.of(createAlert("{\"status\" : \"UP\"}").build());
  }
 }
diff --git a/...es/src/test/java/org/zaproxy/zap/extension/ascanrules/SpringActuatorScanRuleUnitTest.java b/...es/src/test/java/org/zaproxy/zap/extension/ascanrules/SpringActuatorScanRuleUnitTest.java
@@ -22,12 +22,14 @@
 import static fi.iki.elonen.NanoHTTPD.newFixedLengthResponse;
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.equalTo;
+import static org.hamcrest.Matchers.hasKey;
 import static org.hamcrest.Matchers.hasSize;
 import static org.hamcrest.Matchers.is;
 import static org.junit.jupiter.api.Assertions.assertEquals;
 
 import fi.iki.elonen.NanoHTTPD;
 import fi.iki.elonen.NanoHTTPD.Response;
+import java.util.List;
 import java.util.Map;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.params.ParameterizedTest;
@@ -343,6 +345,10 @@ void shouldReturnExpectedMappings() {
  assertThat(cwe, is(equalTo(215)));
  assertThat(wasc, is(equalTo(13)));
  assertThat(tags.size(), is(equalTo(3)));
+ assertBaseTags(tags);
+ }
+
+ private static void assertBaseTags(Map<String, String> tags) {
  assertThat(
  tags.containsKey(CommonAlertTag.OWASP_2021_A01_BROKEN_AC.getTag()),
  is(equalTo(true)));
@@ -362,4 +368,21 @@ void shouldReturnExpectedMappings() {
  tags.get(CommonAlertTag.WSTG_V42_CONF_05_ENUMERATE_INFRASTRUCTURE.getTag()),
  is(equalTo(CommonAlertTag.WSTG_V42_CONF_05_ENUMERATE_INFRASTRUCTURE.getValue())));
  }
+
+ @Test
+ void shouldReturnExpectedExampleAlert() {
+ // Given / When
+ List<Alert> alerts = rule.getExampleAlerts();
+
+ // Then
+ assertThat(alerts.size(), is(equalTo(1)));
+
+ Alert alert = alerts.get(0);
+ assertThat(alert.getConfidence(), is(equalTo(Alert.CONFIDENCE_MEDIUM)));
+ assertThat(alert.getRisk(), is(equalTo(Alert.RISK_MEDIUM)));
+ Map<String, String> tags = alert.getTags();
+ assertThat(tags.size(), is(equalTo(4)));
+ assertBaseTags(tags);
+ assertThat(tags, hasKey("CWE-215"));
+ }
 }