zap-extensions

reports: add SARIF reporting

Open de-jcup opened this issue 3 years ago • 4 comments

  • initial SARIF report implementation (all parts of the implementation are in their own folders/packages, no changes to other reporting parts)
  • added tests
  • automated shrinking of web response and request body when necessary (currently 8k for the web request or 32k for the web response are allowed before shrinking)
  • automated binary/text detection
  • hiding authorization header information in the SARIF report with asterisks
  • using the MITRE CWE 4.8 taxonomy

Fix zaproxy/zaproxy#6875

de-jcup avatar Sep 29 '22 15:09 de-jcup
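Added illustration, not code from this PR or from the ZAP SARIF add-on: how the three sanitising steps listed above (body shrinking, binary/text detection, masking of authorization headers) can be applied to an HTTP exchange before it is embedded as a SARIF `webRequest`/`webResponse` object. The size limits follow the 8k/32k figures in the description; the header names, the binary heuristic (NUL bytes or invalid UTF-8), the `truncated`/`originalLength` property names and the sample request are assumptions made for this example.

```python
"""Constructed example (not the ZAP SARIF add-on's code): sanitise an HTTP
request/response pair before embedding it in a SARIF artifact."""
import base64
import json

MAX_REQUEST_BODY = 8 * 1024     # 8k, the limit quoted in the PR description
MAX_RESPONSE_BODY = 32 * 1024   # 32k, the limit quoted in the PR description
# Assumption: which headers carry credentials worth masking.
SENSITIVE_HEADERS = {"authorization", "proxy-authorization"}


def mask_headers(headers: dict) -> dict:
    """Replace the value of credential-bearing headers with asterisks,
    keeping the length so a reader can still see that a value was present."""
    masked = {}
    for name, value in headers.items():
        if name.lower() in SENSITIVE_HEADERS:
            masked[name] = "*" * len(value)
        else:
            masked[name] = value
    return masked


def is_binary(body: bytes) -> bool:
    """Heuristic text/binary detection (assumption): a NUL byte or invalid
    UTF-8 means the body is binary and must not be emitted as text."""
    if b"\x00" in body:
        return True
    try:
        body.decode("utf-8")
    except UnicodeDecodeError:
        return True
    return False


def shrink_body(body: bytes, limit: int) -> tuple:
    """Truncate to `limit` bytes and report whether truncation happened."""
    if len(body) <= limit:
        return body, False
    return body[:limit], True


def artifact_content(body: bytes, limit: int) -> dict:
    """Build a SARIF artifactContent object. The text/binary decision is made
    on the full body so that cutting a multi-byte character during shrinking
    cannot turn a text body into a 'binary' one."""
    binary = is_binary(body)
    data, truncated = shrink_body(body, limit)
    if binary:
        content = {"binary": base64.b64encode(data).decode("ascii")}
    else:
        content = {"text": data.decode("utf-8", errors="replace")}
    if truncated:
        # Assumed property names; SARIF allows a property bag here.
        content["properties"] = {"truncated": True, "originalLength": len(body)}
    return content


def build_web_request(method: str, target: str, headers: dict, body: bytes) -> dict:
    return {
        "method": method,
        "target": target,
        "headers": mask_headers(headers),
        "body": artifact_content(body, MAX_REQUEST_BODY),
    }


def build_web_response(status: int, headers: dict, body: bytes) -> dict:
    return {
        "statusCode": status,
        "headers": mask_headers(headers),
        "body": artifact_content(body, MAX_RESPONSE_BODY),
    }


if __name__ == "__main__":
    # Constructed sample exchange.
    req = build_web_request("POST", "http://example.test/login",
                            {"Host": "example.test", "Authorization": "Bearer secret-token"},
                            b"user=alice&pw=hunter2")
    resp = build_web_response(200, {"Content-Type": "image/png"},
                              b"\x89PNG\r\n\x1a\n\x00" * 5000)
    print(json.dumps({"webRequest": req, "webResponse": resp}, indent=2)[:600])
```

Shrinking after the binary decision matters: a body cut in the middle of a UTF-8 sequence would otherwise fail decoding and be reported as binary, which is exactly the kind of odd edge case a report consumer should not have to reason about.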

I currently added only the minimum help files (templates.html + reporting-sarif-json.html) and updated the changelog.

Had some issues with the Java help files:

  • It is clear that we are talking about "Java help" (https://github.com/javaee/javahelp/)
  • But while inspecting some of the different help i18n folders I saw that they just contain exactly the same content as the default help folder (e.g. help_de_DE contains nothing in German). It is a little bit irritating that there is so much duplicated content. Does a developer need to copy all the stuff into the folders manually, or is there a special Gradle task available for this?
  • Looking at https://www.zaproxy.org/docs/developer/dev-rules-and-guidelines/ I found no additional info about the help structure/special build commands for the help files.

de-jcup avatar Oct 05 '22 05:10 de-jcup

https://github.com/zaproxy/zap-extensions/blob/main/CONTRIBUTING.md#help

thc202 avatar Oct 05 '22 06:10 thc202

FYI the help is now good 😁

psiinon avatar Oct 05 '22 08:10 psiinon

@psiinon:

It generates valid JSON, not sure if it's valid SARIF or not 😉

https://sarifweb.azurewebsites.net/Validation is an easy way to check whether SARIF is valid or not. It also explains problems and has a link to the corresponding OASIS documentation.

Because the "Dev Build" ZAP version currently results in a non-semantic version, I will improve the report here as well, so that reports created by dev builds have a semantic version (fallback to "0.0.0").

de-jcup avatar Oct 07 '22 10:10 de-jcup

https://sarifweb.azurewebsites.net/Validation accepts the SARIF reports from ZAP without any validation failures.

  • Via the online validator it's now relatively easy to check whether the output report is valid SARIF
  • In case of "Dev Build" ZAP versions, the report now contains "0.0.0-Dev Build" as version and also as semantic version. For real versions, the original ZAP version will be used
  • When the start line is invalid (not >=1) in a text region (because of snippet parse problems) there will always be a fallback to 1 and an additional property "startLineFailure" inside the region with a detailed description in this case. This also ensures that even in such an odd situation (should not happen) the SARIF output is still valid.
  • Also the following bugfix: the taxonomy version is now no longer a static value (4.4) but the real one

de-jcup avatar Oct 20 '22 14:10 de-jcup
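Added illustration, not code from this PR or from the ZAP SARIF add-on: the two fallbacks described in the comment above wired into a minimal SARIF 2.1.0 run. A region whose start line cannot be resolved is emitted with `startLine` 1 plus a `startLineFailure` property instead of an invalid value, a non-semantic ZAP version string is mapped to a `0.0.0-` prefixed one, and the CWE taxonomy version is passed in rather than hard-coded. The strict major.minor.patch check, the wording of the failure text, the tool name and the sample result are assumptions made for this example; `validate_region` is a local check that mirrors the schema's lower bound on line/column fields, not a replacement for the online validator.

```python
"""Constructed example (not the ZAP SARIF add-on's code): region and
version fallbacks that keep a generated SARIF document schema-valid."""
import json
import re

# Assumption: a "real" version is strictly major.minor.patch.
SEMVER_RE = re.compile(r"^\d+\.\d+\.\d+$")


def semantic_version(zap_version: str) -> str:
    """Releases like "2.12.0" pass through unchanged; anything else
    ("Dev Build", a daily build tag) is prefixed with 0.0.0- so the
    semanticVersion field is never empty or malformed."""
    if SEMVER_RE.match(zap_version):
        return zap_version
    return "0.0.0-" + zap_version


def text_region(start_line, start_column=None, snippet=None) -> dict:
    """SARIF region object. startLine must be >= 1; when snippet parsing only
    yielded 0, -1 or None, fall back to 1 and record why in the property bag
    so the consumer can tell a real line 1 from a fallback."""
    region = {}
    if start_line is None or start_line < 1:
        region["properties"] = {
            "startLineFailure": "start line %r could not be resolved from the "
                                "snippet; falling back to 1" % (start_line,)
        }
        start_line = 1
    region["startLine"] = start_line
    if start_column is not None and start_column >= 1:
        region["startColumn"] = start_column
    if snippet is not None:
        region["snippet"] = {"text": snippet}
    return region


def validate_region(region: dict) -> list:
    """Local sanity check: every line/column field present must be >= 1."""
    errors = []
    for key in ("startLine", "endLine", "startColumn", "endColumn"):
        if key in region and region[key] < 1:
            errors.append("%s must be >= 1, got %r" % (key, region[key]))
    return errors


def build_run(zap_version: str, cwe_version: str, results: list) -> dict:
    """Minimal run: both version fields use the fallback, the taxonomy
    carries the CWE version the caller actually loaded."""
    version = semantic_version(zap_version)
    return {
        "tool": {"driver": {
            "name": "ZAP",                 # assumed tool name
            "version": version,
            "semanticVersion": version,
        }},
        "taxonomies": [{
            "name": "CWE",
            "version": cwe_version,
            "organization": "MITRE",
        }],
        "results": results,
    }


def sample_log(zap_version: str = "Dev Build", cwe_version: str = "4.8") -> dict:
    """Constructed single-result log using a region whose line lookup failed."""
    result = {
        "ruleId": "40012",                 # assumed rule id for the sample
        "level": "error",
        "message": {"text": "Reflected input observed in response"},
        "locations": [{"physicalLocation": {
            "artifactLocation": {"uri": "http://example.test/search?q=x"},
            "region": text_region(0, snippet="<b>x</b>"),
        }}],
    }
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [build_run(zap_version, cwe_version, [result])],
    }


if __name__ == "__main__":
    print(json.dumps(sample_log(), indent=2))
```

Dropping an out-of-range `startColumn` instead of clamping it is a deliberate choice: a column is optional in SARIF, so omitting it loses nothing, whereas a line is the one field consumers navigate by, which is why it gets the recorded fallback rather than being dropped.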

@psiinon @kingthorin is there anything specific pending before we can merge this?

joubin avatar Nov 21 '22 14:11 joubin

Thank you!

thc202 avatar Nov 21 '22 15:11 thc202