Merge pull request #5526 from kingthorin/pscan-oi

pscanrules (all): Various alert text fixes (periods and whitespace(s))
zaproxy · Jun 27, 2024 · 999929d · 999929d
2 parents 5e8dcd4 + 3b3dc76
commit 999929d
Show file tree

Hide file tree

Showing 13 changed files with 55 additions and 80 deletions.
diff --git a/addOns/pscanrules/CHANGELOG.md b/addOns/pscanrules/CHANGELOG.md
@@ -4,7 +4,11 @@ All notable changes to this add-on will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ## Unreleased
+### Changed
+- Maintenance changes.
 
+### Fixed
+- Alert text for various rules has been updated to more consistently use periods and spaces in a uniform manner.
 
 ## [58] - 2024-05-07
 ### Changed

diff --git a/...canrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InsecureFormLoadScanRule.java b/...canrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InsecureFormLoadScanRule.java
@@ -99,7 +99,6 @@ private AlertBuilder buildAlert(String url, String formElement, String evidence)
  .setDescription(getDescriptionMessage())
  .setOtherInfo(getExtraInfoMessage(url, formElement))
  .setSolution(getSolutionMessage())
- .setReference(getReferenceMessage())
  .setEvidence(evidence)
  .setCweId(319) // CWE-319: Cleartext Transmission of Sensitive Information
  .setWascId(15); // WASC-15: Application Misconfiguration
@@ -118,10 +117,6 @@ private String getSolutionMessage() {
  return Constant.messages.getString(MESSAGE_PREFIX + "soln");
  }
 
- private String getReferenceMessage() {
- return Constant.messages.getString(MESSAGE_PREFIX + "refs");
- }
-
  private static String getExtraInfoMessage(String url, String formElement) {
  return Constant.messages.getString(MESSAGE_PREFIX + "extrainfo", url, formElement);
  }

diff --git a/...canrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InsecureFormPostScanRule.java b/...canrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InsecureFormPostScanRule.java
@@ -104,7 +104,6 @@ private AlertBuilder buildAlert(String url, String formElement, String evidence)
  .setDescription(getDescriptionMessage())
  .setOtherInfo(getExtraInfoMessage(url, formElement))
  .setSolution(getSolutionMessage())
- .setReference(getReferenceMessage())
  .setEvidence(evidence)
  .setCweId(319) // CWE-319: Cleartext Transmission of Sensitive Information
  .setWascId(15); // WASC-15: Application Misconfiguration
@@ -115,10 +114,6 @@ public int getPluginId() {
  return 10042;
  }
 
- /*
- * Rule-associated messages
- */
-
  private String getDescriptionMessage() {
  return Constant.messages.getString(MESSAGE_PREFIX + "desc");
  }
@@ -127,10 +122,6 @@ private String getSolutionMessage() {
  return Constant.messages.getString(MESSAGE_PREFIX + "soln");
  }
 
- private String getReferenceMessage() {
- return Constant.messages.getString(MESSAGE_PREFIX + "refs");
- }
-
  private static String getExtraInfoMessage(String url, String formElement) {
  return Constant.messages.getString(MESSAGE_PREFIX + "extrainfo", url, formElement);
  }

diff --git a/...les/src/main/java/org/zaproxy/zap/extension/pscanrules/UserControlledCharsetScanRule.java b/...les/src/main/java/org/zaproxy/zap/extension/pscanrules/UserControlledCharsetScanRule.java
@@ -199,7 +199,6 @@ private AlertBuilder buildAlert(String tag, String attr, HtmlParameter param, St
  .setParam(param.getName())
  .setOtherInfo(getExtraInfoMessage(tag, attr, param, charset))
  .setSolution(getSolutionMessage())
- .setReference(getReferenceMessage())
  .setCweId(20) // CWE-20: Improper Input Validation
  .setWascId(20); // WASC-20: Improper Input Handling
  }
@@ -226,10 +225,6 @@ private String getSolutionMessage() {
  return Constant.messages.getString(MESSAGE_PREFIX + "soln");
  }
 
- private String getReferenceMessage() {
- return Constant.messages.getString(MESSAGE_PREFIX + "refs");
- }
-
  private static String getExtraInfoMessage(
  String tag, String attr, HtmlParameter param, String charset) {
  return Constant.messages.getString(

diff --git a/...main/java/org/zaproxy/zap/extension/pscanrules/XBackendServerInformationLeakScanRule.java b/...main/java/org/zaproxy/zap/extension/pscanrules/XBackendServerInformationLeakScanRule.java
@@ -69,7 +69,6 @@ private AlertBuilder createAlert(String evidence) {
  .setConfidence(Alert.CONFIDENCE_MEDIUM)
  .setDescription(getDescription())
  .setSolution(getSolution())
- .setReference(getReference())
  .setEvidence(evidence)
  .setCweId(200)
  .setWascId(13);
@@ -93,10 +92,6 @@ private String getSolution() {
  return Constant.messages.getString(MESSAGE_PREFIX + "soln");
  }
 
- private String getReference() {
- return Constant.messages.getString(MESSAGE_PREFIX + "refs");
- }
-
  @Override
  public Map<String, String> getAlertTags() {
  return ALERT_TAGS;

diff --git a/...les/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages.properties b/...les/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages.properties
diff --git a/...test/java/org/zaproxy/zap/extension/pscanrules/ContentSecurityPolicyScanRuleUnitTest.java b/...test/java/org/zaproxy/zap/extension/pscanrules/ContentSecurityPolicyScanRuleUnitTest.java
@@ -160,7 +160,7 @@ void shouldAlertWhenCspContainsSyntaxIssues() {
  alertsRaised.get(1).getOtherInfo(),
  equalTo(
  "The following directives either allow wildcard sources (or ancestors), are not "
- + "defined, or are overly broadly defined: \nscript-src, style-src, img-src, "
+ + "defined, or are overly broadly defined:\nscript-src, style-src, img-src, "
  + "connect-src, frame-src, frame-ancestors, font-src, media-src, object-src, "
  + "manifest-src, worker-src, form-action\n\nThe directive(s): "
  + "frame-ancestors, form-action are among the directives that do not fallback "
@@ -231,7 +231,7 @@ void shouldAlertOnWildcardFrameAncestorsDirective() {
  alertsRaised.get(0).getOtherInfo(),
  equalTo(
  "The following directives either allow wildcard sources (or ancestors), are not "
- + "defined, or are overly broadly defined: \nframe-ancestors"
+ + "defined, or are overly broadly defined:\nframe-ancestors"
  + "\n\nThe directive(s): frame-ancestors are among the directives that do not "
  + "fallback to default-src, missing/excluding them is the same as allowing anything."));
  assertThat(
@@ -258,7 +258,7 @@ void shouldAlertOnWildcardConnectSourceDirective() {
  alertsRaised.get(0).getOtherInfo(),
  equalTo(
  "The following directives either allow wildcard sources (or ancestors), are not "
- + "defined, or are overly broadly defined: \nconnect-src"));
+ + "defined, or are overly broadly defined:\nconnect-src"));
  assertThat(
  alertsRaised.get(0).getEvidence(),
  equalTo(
@@ -447,7 +447,7 @@ void shouldAlertWithWildcardDirectiveWhenApplicableAndIgnoreTrustedTypesInMeta()
  assertThat(
  alert.getOtherInfo(),
  equalTo(
- "The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined: \n"
+ "The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined:\n"
  + "form-action\n\nThe directive(s): form-action are among the directives that do not fallback to default-src, missing/excluding them is the same as allowing anything."));
  assertThat(alert.getEvidence(), equalTo(policy));
  assertThat(alert.getRisk(), equalTo(Alert.RISK_MEDIUM));

diff --git a/...a/org/zaproxy/zap/extension/pscanrules/XBackendServerInformationLeakScanRuleUnitTest.java b/...a/org/zaproxy/zap/extension/pscanrules/XBackendServerInformationLeakScanRuleUnitTest.java
@@ -110,9 +110,6 @@ void shouldReturnExpectedExampleAlert() {
 
  Alert alert = alerts.get(0);
  assertThat(alert.getConfidence(), equalTo(Alert.CONFIDENCE_MEDIUM));
- assertThat(
- alert.getReference(),
- equalTo(Constant.messages.getString(MESSAGE_PREFIX + "refs")));
  assertThat(alert.getEvidence(), equalTo(HEADER_VALUE));
  assertThat(
  alert.getSolution(), equalTo(Constant.messages.getString(MESSAGE_PREFIX + "soln")));

diff --git a/addOns/pscanrulesAlpha/CHANGELOG.md b/addOns/pscanrulesAlpha/CHANGELOG.md
@@ -7,6 +7,9 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 ### Changed
 - Update minimum ZAP version to 2.15.0.
 
+### Fixed
+- Alert text for various rules has been updated to more consistently use periods and spaces in a uniform manner.
+
 ## [42] - 2024-01-16
 ### Changed
 - Update minimum ZAP version to 2.14.0.

diff --git a/...rc/main/resources/org/zaproxy/zap/extension/pscanrulesAlpha/resources/Messages.properties b/...rc/main/resources/org/zaproxy/zap/extension/pscanrulesAlpha/resources/Messages.properties
@@ -2,16 +2,16 @@ pscanalpha.base64disclosure.desc = Base64 encoded data was disclosed by the appl
 pscanalpha.base64disclosure.name = Base64 Disclosure
 pscanalpha.base64disclosure.refs = https://projects.webappsec.org/w/page/13246936/Information%20Leakage
 pscanalpha.base64disclosure.soln = Manually confirm that the Base64 data does not leak sensitive information, and that the data cannot be aggregated/used to exploit other vulnerabilities.
-pscanalpha.base64disclosure.viewstate.desc = An ASP.NET ViewState was disclosed by the application/web server
+pscanalpha.base64disclosure.viewstate.desc = An ASP.NET ViewState was disclosed by the application/web server.
 pscanalpha.base64disclosure.viewstate.name = ASP.NET ViewState Disclosure
 pscanalpha.base64disclosure.viewstate.refs = https://learn.microsoft.com/en-us/previous-versions/bb386448(v=vs.140)\nhttps://projects.webappsec.org/w/page/13246936/Information%20Leakage
 pscanalpha.base64disclosure.viewstate.soln = Manually confirm that the ASP.NET ViewState does not leak sensitive information, and that the data cannot be aggregated/used to exploit other vulnerabilities.
-pscanalpha.base64disclosure.viewstatewithoutmac.desc = The application does not use a Message Authentication Code (MAC) to protect the integrity of the ASP.NET ViewState, which can be tampered with by a malicious client
+pscanalpha.base64disclosure.viewstatewithoutmac.desc = The application does not use a Message Authentication Code (MAC) to protect the integrity of the ASP.NET ViewState, which can be tampered with by a malicious client.
 pscanalpha.base64disclosure.viewstatewithoutmac.name = ASP.NET ViewState Integrity
 pscanalpha.base64disclosure.viewstatewithoutmac.refs = https://learn.microsoft.com/en-us/previous-versions/bb386448(v=vs.140)\nhttps://www.jardinesoftware.net/2012/02/06/asp-net-tampering-with-event-validation-part-1/
 pscanalpha.base64disclosure.viewstatewithoutmac.soln = Ensure that all ASP.NET ViewStates are protected from tampering, by using a MAC, generated using a secure algorithm, and a secret key on the server side. This is the default configuration on modern ASP.NET installation, by may be over-ridden programmatically, or via the ASP.NET configuration.
 
-pscanalpha.desc = Alpha status passive scan rules
+pscanalpha.desc = Alpha status passive scan rules.
 
 pscanalpha.examplefile.desc = Add more information about the vulnerability here.
 pscanalpha.examplefile.name = An example passive scan rule which loads data from a file.

diff --git a/addOns/pscanrulesBeta/CHANGELOG.md b/addOns/pscanrulesBeta/CHANGELOG.md
@@ -9,6 +9,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ### Changed
 - Update minimum ZAP version to 2.15.0.
+- Maintenance changes.
+
+### Fixed
+- Alert text for various rules has been updated to more consistently use periods and spaces in a uniform manner.
 
 ## [37] - 2024-02-12
 

diff --git a/...anrulesBeta/src/main/java/org/zaproxy/zap/extension/pscanrulesBeta/CacheableScanRule.java b/...anrulesBeta/src/main/java/org/zaproxy/zap/extension/pscanrulesBeta/CacheableScanRule.java
@@ -760,8 +760,6 @@ private AlertBuilder alertStorableNonCacheable(String evidence) {
  .setName(Constant.messages.getString(MESSAGE_PREFIX_STORABLE_NONCACHEABLE + "name"))
  .setDescription(
  Constant.messages.getString(MESSAGE_PREFIX_STORABLE_NONCACHEABLE + "desc"))
- .setSolution(
- Constant.messages.getString(MESSAGE_PREFIX_STORABLE_NONCACHEABLE + "soln"))
  .setReference(
  Constant.messages.getString(MESSAGE_PREFIX_STORABLE_NONCACHEABLE + "refs"));
  }