Merge pull request #5865 from psiinon/sequence/ascan-std
Sequence: Initial seq ascan job implementation
thc202 authored Oct 31, 2024
2 parents d19d7d0 + 461000e commit aa39afe
Showing 11 changed files with 574 additions and 89 deletions.
Expand Up @@ -30,18 +30,13 @@
import org.apache.commons.lang3.StringUtils;
import org.parosproxy.paros.Constant;
import org.parosproxy.paros.control.Control;
import org.parosproxy.paros.core.scanner.Plugin;
import org.parosproxy.paros.core.scanner.Plugin.AlertThreshold;
import org.parosproxy.paros.core.scanner.Plugin.AttackStrength;
import org.parosproxy.paros.core.scanner.PluginFactory;
import org.zaproxy.addon.automation.AutomationData;
import org.zaproxy.addon.automation.AutomationEnvironment;
import org.zaproxy.addon.automation.AutomationJob;
import org.zaproxy.addon.automation.AutomationProgress;
import org.zaproxy.addon.automation.ContextWrapper;
import org.zaproxy.addon.automation.JobResultData;
import org.zaproxy.addon.automation.gui.ActiveScanJobDialog;
import org.zaproxy.addon.automation.jobs.PolicyDefinition.Rule;
import org.zaproxy.addon.commonlib.Constants;
import org.zaproxy.zap.extension.ascan.ActiveScan;
import org.zaproxy.zap.extension.ascan.ExtensionActiveScan;
Expand Down Expand Up @@ -182,7 +177,8 @@ public void runJob(AutomationEnvironment env, AutomationProgress progress) {
// Error already raised above
}
} else {
scanPolicy = this.getScanPolicy(progress);
scanPolicy =
this.getData().getPolicyDefinition().getScanPolicy(this.getName(), progress);
}
if (scanPolicy != null) {
contextSpecificObjects.add(scanPolicy);
Expand Down Expand Up @@ -240,78 +236,6 @@ private List<JobResultData> createJobResultData(int scanId) {
return list;
}

protected ScanPolicy getScanPolicy(AutomationProgress progress) {
ScanPolicy scanPolicy = new ScanPolicy();

// Set default strength
AttackStrength st =
JobUtils.parseAttackStrength(
this.getData().getPolicyDefinition().getDefaultStrength(),
this.getName(),
progress);
if (st != null) {
scanPolicy.setDefaultStrength(st);
progress.info(
Constant.messages.getString(
"automation.info.ascan.setdefstrength", this.getName(), st.name()));
}

// Set default threshold
PluginFactory pluginFactory = scanPolicy.getPluginFactory();
AlertThreshold th =
JobUtils.parseAlertThreshold(
this.getData().getPolicyDefinition().getDefaultThreshold(),
this.getName(),
progress);
if (th != null) {
scanPolicy.setDefaultThreshold(th);
if (th == AlertThreshold.OFF) {
for (Plugin plugin : pluginFactory.getAllPlugin()) {
plugin.setEnabled(false);
}
} else {
scanPolicy.setDefaultThreshold(th);
}
progress.info(
Constant.messages.getString(
"automation.info.ascan.setdefthreshold", this.getName(), th.name()));
}

// Configure any rules
for (Rule rule : this.getData().getPolicyDefinition().getRules()) {
Plugin plugin = pluginFactory.getPlugin(rule.getId());
if (plugin == null) {
// Will have already warned about this
continue;
}
AttackStrength pluginSt =
JobUtils.parseAttackStrength(rule.getStrength(), this.getName(), progress);
if (pluginSt != null) {
plugin.setAttackStrength(pluginSt);
plugin.setEnabled(true);
progress.info(
Constant.messages.getString(
"automation.info.ascan.rule.setstrength",
this.getName(),
rule.getId(),
pluginSt.name()));
}
AlertThreshold pluginTh =
JobUtils.parseAlertThreshold(rule.getThreshold(), this.getName(), progress);
if (pluginTh != null) {
plugin.setAlertThreshold(pluginTh);
plugin.setEnabled(!AlertThreshold.OFF.equals(pluginTh));
progress.info(
Constant.messages.getString(
"automation.info.ascan.rule.setthreshold",
this.getName(),
rule.getId(),
pluginTh.name()));
}
}
return scanPolicy;
}

@Override
public boolean isExcludeParam(String param) {
switch (param) {
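Review bot: Dropping the `protected ScanPolicy getScanPolicy(AutomationProgress)` method from ActiveScanJob (the -240,78 hunk) is a source-incompatible change for any subclass or dependent add-on that overrides or calls it, and the commit leaves no compatibility shim. Since the same logic is now a public method on PolicyDefinition, a deprecated delegating method would keep existing callers working: `@Deprecated protected ScanPolicy getScanPolicy(AutomationProgress progress) { return getData().getPolicyDefinition().getScanPolicy(getName(), progress); }`. Whether anything outside this add-on actually extended ActiveScanJob is not visible here, so this may be acceptable if the method was never part of the supported API. The enclosing `runJob` method in the -182,7 hunk starts and ends outside the hunk.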
Expand Up @@ -31,6 +31,7 @@
import org.parosproxy.paros.core.scanner.PluginFactory;
import org.zaproxy.addon.automation.AutomationData;
import org.zaproxy.addon.automation.AutomationProgress;
import org.zaproxy.addon.automation.jobs.PolicyDefinition.Rule;
import org.zaproxy.zap.extension.ascan.ScanPolicy;

@Getter
Expand All @@ -43,7 +44,7 @@ public class PolicyDefinition extends AutomationData {
private String defaultThreshold = JobUtils.thresholdToI18n(AlertThreshold.MEDIUM.name());
private List<Rule> rules = new ArrayList<>();

protected static void parsePolicyDefinition(
public static void parsePolicyDefinition(
Object policyDefnObj,
PolicyDefinition policyDefinition,
String jobName,
Expand Down Expand Up @@ -116,6 +117,70 @@ protected static void parsePolicyDefinition(
}
}

public ScanPolicy getScanPolicy(String jobName, AutomationProgress progress) {
ScanPolicy scanPolicy = new ScanPolicy();

// Set default strength
AttackStrength st = JobUtils.parseAttackStrength(getDefaultStrength(), jobName, progress);
if (st != null) {
scanPolicy.setDefaultStrength(st);
progress.info(
Constant.messages.getString(
"automation.info.ascan.setdefstrength", jobName, st.name()));
}

// Set default threshold
PluginFactory pluginFactory = scanPolicy.getPluginFactory();
AlertThreshold th = JobUtils.parseAlertThreshold(getDefaultThreshold(), jobName, progress);
if (th != null) {
scanPolicy.setDefaultThreshold(th);
if (th == AlertThreshold.OFF) {
for (Plugin plugin : pluginFactory.getAllPlugin()) {
plugin.setEnabled(false);
}
} else {
scanPolicy.setDefaultThreshold(th);
}
progress.info(
Constant.messages.getString(
"automation.info.ascan.setdefthreshold", jobName, th.name()));
}

// Configure any rules
for (Rule rule : getRules()) {
Plugin plugin = pluginFactory.getPlugin(rule.getId());
if (plugin == null) {
// Will have already warned about this
continue;
}
AttackStrength pluginSt =
JobUtils.parseAttackStrength(rule.getStrength(), jobName, progress);
if (pluginSt != null) {
plugin.setAttackStrength(pluginSt);
plugin.setEnabled(true);
progress.info(
Constant.messages.getString(
"automation.info.ascan.rule.setstrength",
jobName,
rule.getId(),
pluginSt.name()));
}
AlertThreshold pluginTh =
JobUtils.parseAlertThreshold(rule.getThreshold(), jobName, progress);
if (pluginTh != null) {
plugin.setAlertThreshold(pluginTh);
plugin.setEnabled(!AlertThreshold.OFF.equals(pluginTh));
progress.info(
Constant.messages.getString(
"automation.info.ascan.rule.setthreshold",
jobName,
rule.getId(),
pluginTh.name()));
}
}
return scanPolicy;
}

public void addRule(Rule rule) {
this.rules.add(rule);
}
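Review bot: In the new `getScanPolicy` the `else` branch of the default-threshold handling repeats `scanPolicy.setDefaultThreshold(th)`, which is already called unconditionally two lines earlier, so the branch is dead duplication; it can be reduced to `if (th == AlertThreshold.OFF) { for (Plugin plugin : pluginFactory.getAllPlugin()) { plugin.setEnabled(false); } }` with the `else` removed. The method is new public API (and `parsePolicyDefinition` is widened to public in the same file) but carries no Javadoc; it should state that it builds a fresh `ScanPolicy` from the definition's default strength, default threshold and rules, that `jobName` is only used in the progress messages (the updated tests pass `null`), and that a default threshold of OFF disables every plugin before the per-rule strength and threshold settings re-enable the listed ones. Rules whose id resolves to no plugin are skipped silently on the assumption that parsing already warned, which is worth stating in that Javadoc as well.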
Expand Up @@ -445,7 +445,7 @@ void shouldReturnScanPolicyForDefaultData() throws MalformedURLException {
// When
job.setJobData(data);
job.verifyParameters(progress);
ScanPolicy policy = job.getScanPolicy(progress);
ScanPolicy policy = job.getData().getPolicyDefinition().getScanPolicy(null, progress);

// Then
assertThat(policy, is(notNullValue()));
Expand All @@ -469,7 +469,7 @@ void shouldSetScanPolicyDefaults() throws MalformedURLException {
// When
job.setJobData(data);
job.verifyParameters(progress);
ScanPolicy policy = job.getScanPolicy(progress);
ScanPolicy policy = job.getData().getPolicyDefinition().getScanPolicy(null, progress);

// Then
assertThat(policy, is(notNullValue()));
Expand All @@ -492,7 +492,7 @@ void shouldDisableAllRulesWithString() throws MalformedURLException {
// When
job.setJobData(data);
job.verifyParameters(progress);
ScanPolicy policy = job.getScanPolicy(progress);
ScanPolicy policy = job.getData().getPolicyDefinition().getScanPolicy(null, progress);

// Then
assertThat(policy, is(notNullValue()));
Expand Down Expand Up @@ -528,7 +528,7 @@ void shouldSetSpecifiedRuleConfigs() throws MalformedURLException {
// When
job.setJobData(data);
job.verifyParameters(progress);
ScanPolicy policy = job.getScanPolicy(progress);
ScanPolicy policy = job.getData().getPolicyDefinition().getScanPolicy(null, progress);

// Then
assertThat(policy, is(notNullValue()));
Expand Down Expand Up @@ -571,7 +571,7 @@ void shouldTurnOffSpecifiedRule() throws MalformedURLException {
// When
job.setJobData(data);
job.verifyParameters(progress);
ScanPolicy policy = job.getScanPolicy(progress);
ScanPolicy policy = job.getData().getPolicyDefinition().getScanPolicy(null, progress);

// Then
assertThat(policy, is(notNullValue()));
Expand Down Expand Up @@ -613,7 +613,7 @@ void shouldWarnOnUnknownRule() throws MalformedURLException {
// When
job.setJobData(data);
job.verifyParameters(progress);
job.getScanPolicy(progress);
job.getData().getPolicyDefinition().getScanPolicy(null, progress);

// Then
assertThat(progress.hasWarnings(), is(equalTo(true)));
2 changes: 2 additions & 0 deletions addOns/sequence/CHANGELOG.md
Expand Up @@ -4,6 +4,8 @@ All notable changes to this add-on will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).

## Unreleased
### Added
- Initial sequence-activeScan implementation.
### Changed
- Update minimum ZAP version to 2.15.0.
- Maintenance changes.
6 changes: 5 additions & 1 deletion addOns/sequence/sequence.gradle.kts
Expand Up @@ -8,6 +8,7 @@ zapAddOn {
url.set("https://www.zaproxy.org/docs/desktop/addons/sequence-scanner/")
dependencies {
addOns {
register("network")
register("zest") {
version.set("48.*")
}
Expand All @@ -20,7 +21,9 @@ zapAddOn {
}
dependencies {
addOns {
register("automation")
register("automation") {
version.set(">= 0.44")
}
register("exim") {
version.set(">= 0.13")
}
Expand All @@ -35,6 +38,7 @@ dependencies {
zapAddOn("automation")
zapAddOn("commonlib")
zapAddOn("exim")
zapAddOn("network")
zapAddOn("zest")

testImplementation(project(":testutils"))
Expand Up @@ -34,6 +34,7 @@
import org.parosproxy.paros.extension.ExtensionHook;
import org.parosproxy.paros.extension.ViewDelegate;
import org.parosproxy.paros.network.HttpMessage;
import org.zaproxy.addon.network.ExtensionNetwork;
import org.zaproxy.zap.extension.ascan.ExtensionActiveScan;
import org.zaproxy.zap.extension.script.ExtensionScript;
import org.zaproxy.zap.extension.script.ScriptCollection;
Expand All @@ -45,7 +46,7 @@
public class ExtensionSequence extends ExtensionAdaptor implements ScannerHook {

private static final List<Class<? extends Extension>> DEPENDENCIES =
List.of(ExtensionScript.class, ExtensionZest.class);
List.of(ExtensionNetwork.class, ExtensionScript.class, ExtensionZest.class);

private ExtensionScript extScript;
private ExtensionActiveScan extActiveScan;
Expand Down Expand Up @@ -225,7 +226,7 @@ private ExtensionScript getExtScript() {
return extScript;
}

private ExtensionActiveScan getExtActiveScan() {
protected ExtensionActiveScan getExtActiveScan() {
if (extActiveScan == null) {
extActiveScan =
Control.getSingleton()
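Review bot: `getExtActiveScan()` is widened from private to protected without any Javadoc saying who the new callers are, and the lazy initialisation of `extActiveScan` it performs (the method body continues outside the hunk) is now reachable from subclasses. A comment such as `/** Returns the active scan extension, resolved lazily on first use; protected so that subclasses and tests can substitute the lookup. */` would record the intent, and if the widening is only needed by tests in the same package, package-private would expose less. The `DEPENDENCIES` change adding `ExtensionNetwork` is consistent with the new `network` add-on dependency declared in sequence.gradle.kts.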