Update codebase to ZAP 2.15

Change all add-ons and `testutils` to use 2.15 (SNAPSHOT). Update code accordingly (e.g. address deprecations). Signed-off-by: thc202 <thc202@gmail.com>
zaproxy · May 7, 2024 · 6bfaef0 · 6bfaef0
1 parent 7457b4b
commit 6bfaef0
Show file tree

Hide file tree

Showing 163 changed files with 338 additions and 413 deletions.
diff --git a/addOns/accessControl/CHANGELOG.md b/addOns/accessControl/CHANGELOG.md
@@ -4,7 +4,8 @@ All notable changes to this add-on will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ## Unreleased
-
+### Changed
+- Update minimum ZAP version to 2.15.0.
 
 ## [10] - 2024-03-25
 ### Changed

diff --git a/...st/java/org/zaproxy/zap/extension/accessControl/AccessControlAlertsProcessorUnitTest.java b/...st/java/org/zaproxy/zap/extension/accessControl/AccessControlAlertsProcessorUnitTest.java
@@ -69,10 +69,12 @@ private static void assertAlert(
         assertThat(alert.getCweId(), is(equalTo(cweId)));
         assertThat(alert.getWascId(), is(equalTo(wascId)));
         Map<String, String> tags = alert.getTags();
-        assertThat(tags.size(), is(equalTo(2)));
         assertThat(
                 tags,
                 allOf(
+                        hasEntry(
+                                "CWE-" + cweId,
+                                "https://cwe.mitre.org/data/definitions/" + cweId + ".html"),
                         hasEntry(
                                 CommonAlertTag.OWASP_2021_A01_BROKEN_AC.getTag(),
                                 CommonAlertTag.OWASP_2021_A01_BROKEN_AC.getValue()),

diff --git a/addOns/addOns.gradle.kts b/addOns/addOns.gradle.kts
@@ -148,7 +148,7 @@ subprojects {
         }
     }
 
-    val zapGav = "org.zaproxy:zap:2.14.0"
+    val zapGav = "org.zaproxy:zap:2.15.0-SNAPSHOT"
     dependencies {
         "zap"(zapGav)
     }
@@ -159,7 +159,7 @@ subprojects {
         releaseLink.set(project.provider { "https://github.com/zaproxy/zap-extensions/releases/${zapAddOn.addOnId.get()}-v@CURRENT_VERSION@" })
 
         manifest {
-            zapVersion.set("2.14.0")
+            zapVersion.set("2.15.0")
 
             changesFile.set(tasks.named<ConvertMarkdownToHtml>("generateManifestChanges").flatMap { it.html })
             repo.set("https://github.com/zaproxy/zap-extensions/")

diff --git a/addOns/alertFilters/CHANGELOG.md b/addOns/alertFilters/CHANGELOG.md
@@ -4,7 +4,8 @@ All notable changes to this add-on will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ## Unreleased
-
+### Changed
+- Update minimum ZAP version to 2.15.0.
 
 ## [20] - 2024-04-02
 ### Added

diff --git a/addOns/allinonenotes/CHANGELOG.md b/addOns/allinonenotes/CHANGELOG.md
@@ -5,7 +5,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ## Unreleased
 ### Changed
-- Update minimum ZAP version to 2.14.0.
+- Update minimum ZAP version to 2.15.0.
 - Maintenance changes.
 
 ### Fixed

diff --git a/addOns/ascanrules/CHANGELOG.md b/addOns/ascanrules/CHANGELOG.md
@@ -4,7 +4,8 @@ All notable changes to this add-on will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ## Unreleased
-
+### Changed
+- Update minimum ZAP version to 2.15.0.
 
 ## [65] - 2024-03-28
 ### Changed

diff --git a/.../ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/CloudMetadataScanRule.java b/.../ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/CloudMetadataScanRule.java
@@ -30,10 +30,7 @@
 import org.parosproxy.paros.core.scanner.Alert;
 import org.parosproxy.paros.core.scanner.Category;
 import org.parosproxy.paros.network.HttpMessage;
-import org.parosproxy.paros.network.HttpStatusCode;
 import org.zaproxy.addon.commonlib.CommonAlertTag;
-import org.zaproxy.zap.extension.custompages.CustomPage;
-import org.zaproxy.zap.model.Context;
 
 /**
  * Attempts to retrieve cloud metadata by forging the host header and requesting a specific URL. See
@@ -104,22 +101,6 @@ public AlertBuilder createAlert(HttpMessage newRequest, String host) {
                 .setMessage(newRequest);
     }
 
-    /** FIXME Remove this call after 2.15.0 to call the fixed version in the parent. */
-    @Override
-    public boolean isSuccess(HttpMessage msg) {
-        Context context = getParent().getContext();
-        if (context != null) {
-            if (context.isCustomPage(msg, CustomPage.Type.NOTFOUND_404)
-                    || context.isCustomPage(msg, CustomPage.Type.ERROR_500)) {
-                return false;
-            }
-            if (context.isCustomPage(msg, CustomPage.Type.OK_200)) {
-                return true;
-            }
-        }
-        return HttpStatusCode.isSuccess(msg.getResponseHeader().getStatusCode());
-    }
-
     @Override
     public void scan() {
         HttpMessage newRequest = getNewMsg();

diff --git a/...ns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/HiddenFilesScanRule.java b/...ns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/HiddenFilesScanRule.java
@@ -47,8 +47,6 @@
 import org.parosproxy.paros.network.HttpStatusCode;
 import org.zaproxy.addon.commonlib.CommonAlertTag;
 import org.zaproxy.addon.commonlib.http.HttpFieldsNames;
-import org.zaproxy.zap.extension.custompages.CustomPage;
-import org.zaproxy.zap.model.Context;
 
 /**
  * Active scan rule which checks whether various URL paths are exposed.
@@ -143,22 +141,6 @@ && doesMatch(responseBody, file.getContent())
         }
     }
 
-    /** FIXME Remove this call after 2.15.0 to call the fixed version in the parent. */
-    @Override
-    protected boolean isPage200(HttpMessage msg) {
-        Context context = getParent().getContext();
-        if (context != null) {
-            if (context.isCustomPage(msg, CustomPage.Type.NOTFOUND_404)
-                    || context.isCustomPage(msg, CustomPage.Type.ERROR_500)) {
-                return false;
-            }
-            if (context.isCustomPage(msg, CustomPage.Type.OK_200)) {
-                return true;
-            }
-        }
-        return HttpStatusCode.isSuccess(msg.getResponseHeader().getStatusCode());
-    }
-
     private static String generatePath(String baseUriPath, String hiddenFile) {
         String newPath = "";
         if (baseUriPath == null) {

diff --git a/...src/test/java/org/zaproxy/zap/extension/ascanrules/DirectoryBrowsingScanRuleUnitTest.java b/...src/test/java/org/zaproxy/zap/extension/ascanrules/DirectoryBrowsingScanRuleUnitTest.java
@@ -76,7 +76,8 @@ void shouldReturnExpectedExampleAlert() {
         assertThat(alerts.size(), is(equalTo(1)));
         Alert alert = alerts.get(0);
         Map<String, String> tags = alert.getTags();
-        assertThat(tags.size(), is(equalTo(2)));
+        assertThat(tags.size(), is(equalTo(3)));
+        assertThat(tags, hasKey("CWE-548"));
         assertThat(tags, hasKey(CommonAlertTag.OWASP_2021_A01_BROKEN_AC.getTag()));
         assertThat(tags, hasKey(CommonAlertTag.OWASP_2017_A05_BROKEN_AC.getTag()));
         assertThat(alert.getRisk(), is(equalTo(Alert.RISK_MEDIUM)));

diff --git a/...ules/src/test/java/org/zaproxy/zap/extension/ascanrules/FormatStringScanRuleUnitTest.java b/...ules/src/test/java/org/zaproxy/zap/extension/ascanrules/FormatStringScanRuleUnitTest.java
@@ -91,7 +91,8 @@ void shouldReturnExpectedExampleAlert() {
         assertThat(alerts.size(), is(equalTo(1)));
         Alert alert = alerts.get(0);
         Map<String, String> tags = alert.getTags();
-        assertThat(tags.size(), is(equalTo(2)));
+        assertThat(tags.size(), is(equalTo(3)));
+        assertThat(tags, hasKey("CWE-134"));
         assertThat(tags, hasKey(CommonAlertTag.OWASP_2017_A01_INJECTION.getTag()));
         assertThat(tags, hasKey(CommonAlertTag.OWASP_2021_A03_INJECTION.getTag()));
         assertThat(alert.getRisk(), is(equalTo(Alert.RISK_MEDIUM)));

diff --git a/...rules/src/test/java/org/zaproxy/zap/extension/ascanrules/HiddenFilesScanRuleUnitTest.java b/...rules/src/test/java/org/zaproxy/zap/extension/ascanrules/HiddenFilesScanRuleUnitTest.java
@@ -742,7 +742,8 @@ void shouldReturnExpectedExampleAlert() {
         Map<String, String> tags = alert.getTags();
         // Then
         assertThat(alerts.size(), is(equalTo(1)));
-        assertThat(tags.size(), is(equalTo(4)));
+        assertThat(tags.size(), is(equalTo(5)));
+        assertThat(tags, hasKey("CWE-538"));
         assertThat(tags, hasKey(CommonAlertTag.OWASP_2021_A05_SEC_MISCONFIG.getTag()));
         assertThat(tags, hasKey(CommonAlertTag.OWASP_2017_A06_SEC_MISCONFIG.getTag()));
         assertThat(tags, hasKey(CommonAlertTag.WSTG_V42_CONF_05_ENUMERATE_INFRASTRUCTURE.getTag()));

diff --git a/...anrules/src/test/java/org/zaproxy/zap/extension/ascanrules/Log4ShellScanRuleUnitTest.java b/...anrules/src/test/java/org/zaproxy/zap/extension/ascanrules/Log4ShellScanRuleUnitTest.java
@@ -22,6 +22,7 @@
 import static fi.iki.elonen.NanoHTTPD.newFixedLengthResponse;
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.equalTo;
+import static org.hamcrest.Matchers.hasKey;
 import static org.hamcrest.Matchers.hasSize;
 import static org.hamcrest.Matchers.is;
 import static org.mockito.ArgumentMatchers.any;
@@ -133,12 +134,14 @@ void shouldReturnExpectedExampleAlerts() {
         // Then
         assertThat(alerts.size(), is(equalTo(2)));
         assertThat(alert1.getAlertRef(), is(equalTo("40043-1")));
-        assertThat(alert1.getTags().size(), is(equalTo(5)));
+        assertThat(alert1.getTags().size(), is(equalTo(6)));
+        assertThat(alert1.getTags(), hasKey("CWE-117"));
         assertThat(alert1.getTags().containsKey("CVE-2021-44228"), is(equalTo(true)));
         assertThat(alert1.getName(), is(equalTo("Log4Shell (CVE-2021-44228)")));
         assertThat(alert2.getAlertRef(), is(equalTo("40043-2")));
         assertThat(alert2.getTags().containsKey("CVE-2021-45046"), is(equalTo(true)));
-        assertThat(alert2.getTags().size(), is(equalTo(5)));
+        assertThat(alert2.getTags().size(), is(equalTo(6)));
+        assertThat(alert2.getTags(), hasKey("CWE-117"));
         assertThat(alert2.getName(), is(equalTo("Log4Shell (CVE-2021-45046)")));
     }
 

diff --git a/...s/src/test/java/org/zaproxy/zap/extension/ascanrules/ParameterTamperScanRuleUnitTest.java b/...s/src/test/java/org/zaproxy/zap/extension/ascanrules/ParameterTamperScanRuleUnitTest.java
@@ -23,6 +23,7 @@
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.equalTo;
 import static org.hamcrest.Matchers.greaterThan;
+import static org.hamcrest.Matchers.hasKey;
 import static org.hamcrest.Matchers.hasSize;
 import static org.hamcrest.Matchers.is;
 
@@ -259,8 +260,9 @@ void shouldReturnExpectedExampleAlert() {
 
         Alert alert = alerts.get(0);
         Map<String, String> tags1 = alert.getTags();
-        assertThat(tags1.size(), is(equalTo(2)));
+        assertThat(tags1.size(), is(equalTo(3)));
         assertThat(alert.getConfidence(), is(equalTo(Alert.CONFIDENCE_MEDIUM)));
+        assertThat(tags1, hasKey("CWE-472"));
         assertThat(
                 tags1.containsKey(CommonAlertTag.OWASP_2017_A01_INJECTION.getTag()),
                 is(equalTo(true)));

diff --git a/addOns/ascanrulesAlpha/CHANGELOG.md b/addOns/ascanrulesAlpha/CHANGELOG.md
@@ -4,7 +4,8 @@ All notable changes to this add-on will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ## Unreleased
-
+### Changed
+- Update minimum ZAP version to 2.15.0.
 
 ## [47] - 2024-03-28
 ### Changed

diff --git a/addOns/ascanrulesBeta/CHANGELOG.md b/addOns/ascanrulesBeta/CHANGELOG.md
@@ -5,6 +5,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ## Unreleased
 ### Changed
+- Update minimum ZAP version to 2.15.0.
 - Maintenance changes.
 
 ## [53] - 2024-03-28

diff --git a/.../src/test/java/org/zaproxy/zap/extension/ascanrulesBeta/HttpOnlySiteScanRuleUnitTest.java b/.../src/test/java/org/zaproxy/zap/extension/ascanrulesBeta/HttpOnlySiteScanRuleUnitTest.java
@@ -160,7 +160,8 @@ void shouldReturnExpectedExampleAlert() {
         Alert alert = alerts.get(0);
 
         Map<String, String> tags = alert.getTags();
-        assertThat(tags.size(), is(equalTo(3)));
+        assertThat(tags.size(), is(equalTo(4)));
+        assertThat(tags, hasKey("CWE-311"));
         assertThat(tags, hasKey(CommonAlertTag.OWASP_2017_A06_SEC_MISCONFIG.getTag()));
         assertThat(tags, hasKey(CommonAlertTag.OWASP_2021_A05_SEC_MISCONFIG.getTag()));
         assertThat(tags, hasKey(CommonAlertTag.WSTG_V42_SESS_02_COOKIE_ATTRS.getTag()));

diff --git a/...proxy/zap/extension/ascanrulesBeta/SourceCodeDisclosureFileInclusionScanRuleUnitTest.java b/...proxy/zap/extension/ascanrulesBeta/SourceCodeDisclosureFileInclusionScanRuleUnitTest.java
@@ -75,7 +75,8 @@ void shouldReturnExpectedExampleAlert() {
         Alert alert = alerts.get(0);
 
         Map<String, String> tags = alert.getTags();
-        assertThat(tags.size(), is(equalTo(2)));
+        assertThat(tags.size(), is(equalTo(3)));
+        assertThat(tags, hasKey("CWE-541"));
         assertThat(tags, hasKey(CommonAlertTag.OWASP_2017_A06_SEC_MISCONFIG.getTag()));
         assertThat(tags, hasKey(CommonAlertTag.OWASP_2021_A05_SEC_MISCONFIG.getTag()));
 

diff --git a/...ava/org/zaproxy/zap/extension/ascanrulesBeta/SourceCodeDisclosureGitScanRuleUnitTest.java b/...ava/org/zaproxy/zap/extension/ascanrulesBeta/SourceCodeDisclosureGitScanRuleUnitTest.java
@@ -70,7 +70,8 @@ void shouldReturnExpectedExampleAlert() {
         assertThat(alerts.size(), is(equalTo(1)));
         Alert alert = alerts.get(0);
         Map<String, String> tags = alert.getTags();
-        assertThat(tags.size(), is(equalTo(2)));
+        assertThat(tags.size(), is(equalTo(3)));
+        assertThat(tags, hasKey("CWE-541"));
         assertThat(tags, hasKey(CommonAlertTag.OWASP_2017_A06_SEC_MISCONFIG.getTag()));
         assertThat(tags, hasKey(CommonAlertTag.OWASP_2021_A05_SEC_MISCONFIG.getTag()));
         assertThat(alert.getRisk(), is(equalTo(Alert.RISK_HIGH)));

diff --git a/addOns/authhelper/CHANGELOG.md b/addOns/authhelper/CHANGELOG.md
@@ -5,6 +5,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ## Unreleased
 ### Changed
+- Update minimum ZAP version to 2.15.0.
 - Maintenance changes.
 
 ## [0.12.0] - 2024-02-06

diff --git a/addOns/authstats/CHANGELOG.md b/addOns/authstats/CHANGELOG.md
@@ -5,7 +5,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ## Unreleased
 ### Changed
-- Update minimum ZAP version to 2.14.0.
+- Update minimum ZAP version to 2.15.0.
 - Maintenance changes.
 
 ## [2] - 2021-10-07

diff --git a/addOns/automation/CHANGELOG.md b/addOns/automation/CHANGELOG.md
@@ -4,7 +4,8 @@ All notable changes to this add-on will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ## Unreleased
-
+### Changed
+- Update minimum ZAP version to 2.15.0.
 
 ## [0.39.0] - 2024-04-23
 ### Added

diff --git a/...s/automation/src/test/java/org/parosproxy/paros/core/scanner/PluginFactoryTestHelper.java b/...s/automation/src/test/java/org/parosproxy/paros/core/scanner/PluginFactoryTestHelper.java
@@ -0,0 +1,29 @@
+/*
+ * Zed Attack Proxy (ZAP) and its related class files.
+ *
+ * ZAP is an HTTP/HTTPS proxy for assessing web application security.
+ *
+ * Copyright 2024 The ZAP Development Team
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.parosproxy.paros.core.scanner;
+
+public final class PluginFactoryTestHelper extends PluginFactory {
+
+    private PluginFactoryTestHelper() {}
+
+    public static void init() {
+        PluginFactory.init(false);
+    }
+}
diff --git a/addOns/automation/src/test/java/org/parosproxy/paros/core/scanner/PluginTestHelper.java b/addOns/automation/src/test/java/org/parosproxy/paros/core/scanner/PluginTestHelper.java
@@ -0,0 +1,59 @@
+/*
+ * Zed Attack Proxy (ZAP) and its related class files.
+ *
+ * ZAP is an HTTP/HTTPS proxy for assessing web application security.
+ *
+ * Copyright 2024 The ZAP Development Team
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.parosproxy.paros.core.scanner;
+
+public class PluginTestHelper extends AbstractPlugin {
+
+    @Override
+    public int getId() {
+        return 50000;
+    }
+
+    @Override
+    public String getName() {
+        return "PluginTestHelper";
+    }
+
+    @Override
+    public String getDescription() {
+        return "";
+    }
+
+    @Override
+    public void scan() {}
+
+    @Override
+    public int getCategory() {
+        return 0;
+    }
+
+    @Override
+    public String getSolution() {
+        return "";
+    }
+
+    @Override
+    public String getReference() {
+        return "";
+    }
+
+    @Override
+    public void notifyPluginCompleted(HostProcess parent) {}
+}