diff --git a/addOns/ascanrules/CHANGELOG.md b/addOns/ascanrules/CHANGELOG.md index 6b29066e29c..8f9c8a143cb 100644 --- a/addOns/ascanrules/CHANGELOG.md +++ b/addOns/ascanrules/CHANGELOG.md @@ -9,6 +9,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). - The following rules now includes example alert functionality for documentation generation purposes (Issue 6119), as well as now including Alert Tags (OWASP Top 10, WSTG, and updated CWE): - Server Side Template Injection - Server Side Template Injection (Blind) +- Maintenance changes. ### Fixed - False positives in the Path Traversal rule. diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/BufferOverflowScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/BufferOverflowScanRule.java index c193ccea6dc..a6c2b590a00 100644 --- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/BufferOverflowScanRule.java +++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/BufferOverflowScanRule.java @@ -101,7 +101,7 @@ public String getOther() { public void scan(HttpMessage msg, String param, String value) { if (this.isStop()) { // Check if the user stopped things - LOGGER.debug("Scanner {} Stopping.", this.getName()); + LOGGER.debug("Scan rule {} Stopping.", this.getName()); return; // Stop! } if (isPage500(getBaseMsg())) // Check to see if the page closed initially @@ -169,7 +169,7 @@ public int getWascId() { return 7; } - private String randomCharacterString(int length) { + private static String randomCharacterString(int length) { StringBuilder sb1 = new StringBuilder(length + 1); int counter = 0; int character = 0; diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/CommandInjectionScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/CommandInjectionScanRule.java index 0c09e878408..572dc53b271 100644 
--- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/CommandInjectionScanRule.java +++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/CommandInjectionScanRule.java @@ -282,7 +282,6 @@ public class CommandInjectionScanRule extends AbstractAppParamPlugin NIX_BLIND_OS_PAYLOADS.add("|" + insertedCMD + "#"); } - // Logger instance private static final Logger LOGGER = LogManager.getLogger(CommandInjectionScanRule.class); // Get WASC Vulnerability description @@ -366,7 +365,7 @@ public int getRisk() { return Alert.RISK_HIGH; } - private String getOtherInfo(TestType testType, String testValue) { + private static String getOtherInfo(TestType testType, String testValue) { return Constant.messages.getString( MESSAGE_PREFIX + "otherinfo." + testType.getNameKey(), testValue); } diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/DirectoryBrowsingScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/DirectoryBrowsingScanRule.java index 92cfeff183d..5bc72d6f7d0 100644 --- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/DirectoryBrowsingScanRule.java +++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/DirectoryBrowsingScanRule.java @@ -95,7 +95,7 @@ public String getReference() { return Constant.messages.getString(MESSAGE_PREFIX + "refs"); } - private void checkIfDirectory(HttpMessage msg) throws URIException { + private static void checkIfDirectory(HttpMessage msg) throws URIException { URI uri = msg.getRequestHeader().getURI(); uri.setQuery(null); diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/ExternalRedirectScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/ExternalRedirectScanRule.java index da5c9d1add9..157e06fecc6 100644 --- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/ExternalRedirectScanRule.java 
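Review bot: In the DirectoryBrowsingScanRule hunk, `checkIfDirectory` calls `uri.setQuery(null)` on the URI object returned by `msg.getRequestHeader().getURI()`, so the query is stripped from the message the caller passed in rather than from a local copy; if a caller ever hands over the base message instead of a disposable scan copy, that silently alters it for every later check. If in-place modification is intended, say so where the helper is declared, e.g. `// Mutates msg's own request URI; callers must pass a copy they can discard`; otherwise take a copy of the URI before clearing the query. The body of the method continues past the hunk, so I cannot see how the modified URI is used afterwards.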
+++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/ExternalRedirectScanRule.java @@ -147,13 +147,6 @@ public String getReference() { return VULN.getReferencesAsString(); } - /** - * Scan for External Redirect vulnerabilities - * - * @param msg a request only copy of the original message (the response isn't copied) - * @param param the parameter name that need to be exploited - * @param value the original parameter value - */ @Override public void scan(HttpMessage msg, String param, String value) { @@ -342,7 +335,7 @@ private static boolean isRedirectHost(String value, boolean escaped) throws URIE * @param msg the current message where reflected redirection should be check into * @return get back the redirection type if exists */ - private int isRedirected(String payload, HttpMessage msg) { + private static int isRedirected(String payload, HttpMessage msg) { // (1) Check if redirection by "Location" header // http://en.wikipedia.org/wiki/HTTP_location @@ -471,7 +464,7 @@ private static boolean isRedirectPresent(Pattern pattern, String value) { * @param type the redirection type * @return a string representing the reason of this redirection */ - private String getRedirectionReason(int type) { + private static String getRedirectionReason(int type) { switch (type) { case REDIRECT_LOCATION_HEADER: return Constant.messages.getString(MESSAGE_PREFIX + "reason.location.header"); @@ -493,11 +486,6 @@ private String getRedirectionReason(int type) { } } - /** - * Give back the risk associated to this vulnerability (high) - * - * @return the risk according to the Alert enum - */ @Override public int getRisk() { return Alert.RISK_HIGH; 
@@ -508,24 +496,14 @@ public Map getAlertTags() { return ALERT_TAGS; } - /** - * http://cwe.mitre.org/data/definitions/601.html - * - * @return the official CWE id - */ @Override public int getCweId() { - return 601; + return 601; // http://cwe.mitre.org/data/definitions/601.html } - /** - * http://projects.webappsec.org/w/page/13246981/URL%20Redirector%20Abuse - * - * @return the official WASC id - */ @Override public int getWascId() { - return 38; + return 38; // http://projects.webappsec.org/w/page/13246981/URL%20Redirector%20Abuse } @Override diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/FormatStringScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/FormatStringScanRule.java index 352b6926f6e..2df6d0ed22f 100644 --- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/FormatStringScanRule.java +++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/FormatStringScanRule.java @@ -105,19 +105,15 @@ public String getReference() { return Constant.messages.getString(MESSAGE_PREFIX + "refs"); } - private String getError(char c) { + private static String getError(char c) { return Constant.messages.getString(MESSAGE_PREFIX + "error" + c); } - /* - * This method is called by the active scanner for each GET and POST parameter for every page - * @see org.parosproxy.paros.core.scanner.AbstractAppParamPlugin#scan(org.parosproxy.paros.network.HttpMessage, java.lang.String, java.lang.String) - */ @Override public void scan(HttpMessage msg, String param, String value) { if (this.isStop()) { // Check if the user stopped things - LOGGER.debug("Scanner {} Stopping.", getName()); + LOGGER.debug("Scan rule {} Stopping.", getName()); return; // Stop! } 
@@ -223,7 +219,7 @@ && isPage200(verificationMsg)) { // errors. It is only // used if the GNU and generic C compiler check fails to find a vulnerability. if (this.isStop()) { // Check if the user stopped things - LOGGER.debug("Scanner {} Stopping.", getName()); + LOGGER.debug("Scan rule {} Stopping.", getName()); return; // Stop! } StringBuilder sb2 = new StringBuilder(); @@ -276,13 +272,11 @@ public Map getAlertTags() { @Override public int getCweId() { - // The CWE id return 134; } @Override public int getWascId() { - // The WASC ID return 6; } diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/HeartBleedActiveScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/HeartBleedActiveScanRule.java index 61ce9715c99..dbd541ae276 100644 --- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/HeartBleedActiveScanRule.java +++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/HeartBleedActiveScanRule.java @@ -51,7 +51,6 @@ public class HeartBleedActiveScanRule extends AbstractHostPlugin /** the timeout, which is controlled by the Attack Strength */ private int timeoutMs = 0; - /** the logger object */ private static final Logger LOGGER = LogManager.getLogger(HeartBleedActiveScanRule.class); /** Prefix for internationalized messages used by this rule */ @@ -868,7 +867,6 @@ public class HeartBleedActiveScanRule extends AbstractHostPlugin 0x40, 0x00 // payload length to be sent back by the server. 0x40 0x00 = 16384 in decimal // Note: No actual payload sent! - // Note: No actual padding sent! }; @Override diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/PaddingOracleScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/PaddingOracleScanRule.java index e68a1949d73..2cda7d20c4c 100644 --- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/PaddingOracleScanRule.java 
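Review bot: In the HeartBleedActiveScanRule hunk, dropping `// Note: No actual padding sent!` loses information the remaining comment does not carry: the byte array omits both the payload and the padding a heartbeat message normally carries after it, and those are two separate facts about why the record is malformed. Rather than deleting one of the two, fold them into a single line such as `// Note: no actual payload or padding sent; only the length field is set`. The array declaration starts outside the hunk, so I cannot confirm the preceding bytes, but the `0x40, 0x00` comment just above makes the length-only intent clear.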
+++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/PaddingOracleScanRule.java @@ -267,7 +267,7 @@ private String getEmptyValueResponse(String paramName) throws IOException { * @param value the value that need to be checked * @return true if it seems to be encrypted */ - private boolean isEncrypted(byte[] value) { + private static boolean isEncrypted(byte[] value) { // Make sure we have a reasonable sized string // (encrypted strings tend to be long, and short strings tend to break our numbers) diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/PathTraversalScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/PathTraversalScanRule.java index 1c9365068ff..5bb62f87849 100644 --- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/PathTraversalScanRule.java +++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/PathTraversalScanRule.java @@ -49,9 +49,7 @@ public class PathTraversalScanRule extends AbstractAppParamPlugin implements CommonActiveScanRuleInfo { - /* - * Prefix for internationalised messages used by this rule - */ + // Prefix for internationalised messages used by this rule private static final String MESSAGE_PREFIX = "ascanrules.pathtraversal."; private static final Map ALERT_TAGS = @@ -608,7 +606,7 @@ private boolean sendAndCheckPayload( return false; } - private String getContentsToMatch(HttpMessage message) { + private static String getContentsToMatch(HttpMessage message) { return message.getResponseHeader().isHtml() ? StringEscapeUtils.unescapeHtml4(message.getResponseBody().toString()) : message.getResponseHeader().toString() + message.getResponseBody().toString(); 
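Review bot: `getContentsToMatch` in the PathTraversalScanRule hunk matches against the HTML-unescaped body only when `isHtml()` is true, but against `getResponseHeader().toString()` concatenated with the body for every other content type, and nothing in the hunk records why headers are included in one branch and not the other. Now that it is a static helper, a one-line comment stating the reason would stop the next maintainer from "fixing" the asymmetry, e.g. `// HTML: match the unescaped body only; other content types: headers and body — <reason>`. If the header inclusion is accidental, the two branches should be made consistent instead; the callers are outside the hunk, so I cannot tell which behaviour they rely on.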
@@ -700,7 +698,7 @@ public String match(String contents) { return matchWinDirectories(contents); } - private String matchNixDirectories(String contents) { + private static String matchNixDirectories(String contents) { Pattern procPattern = Pattern.compile("(?:^|\\W)proc(?:\\W|$)", Pattern.CASE_INSENSITIVE); Pattern etcPattern = Pattern.compile("(?:^|\\W)etc(?:\\W|$)", Pattern.CASE_INSENSITIVE); @@ -727,7 +725,7 @@ private String matchNixDirectories(String contents) { return null; } - private String matchWinDirectories(String contents) { + private static String matchWinDirectories(String contents) { if (contents.contains("Windows") && Pattern.compile("Program\\sFiles").matcher(contents).find()) { return "Windows"; diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/RemoteCodeExecutionCve20121823ScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/RemoteCodeExecutionCve20121823ScanRule.java index 3fa1fc6c51b..05991eea12b 100644 --- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/RemoteCodeExecutionCve20121823ScanRule.java +++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/RemoteCodeExecutionCve20121823ScanRule.java @@ -54,7 +54,6 @@ public class RemoteCodeExecutionCve20121823ScanRule extends AbstractAppPlugin */ private static final Vulnerability VULN = Vulnerabilities.getDefault().get("wasc_20"); - /** the logger object */ private static final Logger LOGGER = LogManager.getLogger(RemoteCodeExecutionCve20121823ScanRule.class); diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/RemoteFileIncludeScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/RemoteFileIncludeScanRule.java index cb70228d851..5bde2286d5d 100644 --- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/RemoteFileIncludeScanRule.java 
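Review bot: `matchNixDirectories` still calls `Pattern.compile` for `procPattern` and `etcPattern` on every invocation, and `matchWinDirectories` in the next hunk does the same for `Program\sFiles`; these run once per response during an active scan, and making the methods static is the natural moment to hoist the patterns. Declare them once at class level: `private static final Pattern PROC_PATTERN = Pattern.compile("(?:^|\\W)proc(?:\\W|$)", Pattern.CASE_INSENSITIVE);`, `private static final Pattern ETC_PATTERN = Pattern.compile("(?:^|\\W)etc(?:\\W|$)", Pattern.CASE_INSENSITIVE);` and `private static final Pattern PROGRAM_FILES_PATTERN = Pattern.compile("Program\\sFiles");`, then use them in both methods. The remainder of both method bodies lies outside the hunks.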
+++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/RemoteFileIncludeScanRule.java @@ -37,7 +37,7 @@ import org.zaproxy.addon.commonlib.vulnerabilities.Vulnerabilities; import org.zaproxy.addon.commonlib.vulnerabilities.Vulnerability; -/** a scanner that looks for Remote File Include vulnerabilities */ +/** a scan rule that looks for Remote File Include vulnerabilities */ public class RemoteFileIncludeScanRule extends AbstractAppParamPlugin implements CommonActiveScanRuleInfo { diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SourceCodeDisclosureWebInfScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SourceCodeDisclosureWebInfScanRule.java index a4405761998..3bac0c6f97a 100644 --- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SourceCodeDisclosureWebInfScanRule.java +++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SourceCodeDisclosureWebInfScanRule.java @@ -46,8 +46,8 @@ import org.zaproxy.addon.commonlib.vulnerabilities.Vulnerability; /** - * a scanner that looks for Java classes disclosed via the WEB-INF folder and that decompiles them - * to give the Java source code. The scanner also looks for easy pickings in the form of properties + * a scan rule that looks for Java classes disclosed via the WEB-INF folder and that decompiles them + * to give the Java source code. The rule also looks for easy pickings in the form of properties * files loaded by the Java class. * * @author 70pointer 
@@ -270,14 +270,8 @@ private HttpMessage createHttpMessage(URI uri) throws HttpMalformedHeaderExcepti return msg; } - /** - * gets a candidate URI for a given class path. - * - * @param classname - * @return - * @throws URIException - */ - private URI getClassURI(URI hostURI, String classname) throws URIException { + /** gets a candidate URI for a given class path. */ + private static URI getClassURI(URI hostURI, String classname) throws URIException { return new URI( hostURI.getScheme() + "://" @@ -288,7 +282,7 @@ private URI getClassURI(URI hostURI, String classname) throws URIException { false); } - private URI getPropsFileURI(URI hostURI, String propsfilename) throws URIException { + private static URI getPropsFileURI(URI hostURI, String propsfilename) throws URIException { return new URI( hostURI.getScheme() + "://" diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/Spring4ShellScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/Spring4ShellScanRule.java index e93dad2bf66..8999dd7130f 100644 --- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/Spring4ShellScanRule.java +++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/Spring4ShellScanRule.java @@ -76,11 +76,11 @@ public String getDescription() { return Constant.messages.getString("ascanrules.spring4shell.desc"); } - private boolean is400Response(HttpMessage msg) { + private static boolean is400Response(HttpMessage msg) { return !msg.getResponseHeader().isEmpty() && msg.getResponseHeader().getStatusCode() == 400; } - private void setGetPayload(HttpMessage msg, String payload) throws URIException { + private static void setGetPayload(HttpMessage msg, String payload) throws URIException { msg.getRequestHeader().setMethod("GET"); URI uri = msg.getRequestHeader().getURI(); String query = uri.getEscapedQuery(); 
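Review bot: The shortened Javadoc on `getClassURI` now mentions only the class path, while the visible body also derives the scheme from `hostURI` (`hostURI.getScheme() + "://"`), and `getPropsFileURI` in the next hunk has no Javadoc at all. Dropping the previous empty tags was right, but filled-in ones are better than none: `@param hostURI the scanned host whose scheme (and presumably authority) forms the base of the result`, `@param classname the class whose compiled file is being looked for`, `@return the candidate URI`, `@throws URIException if the assembled string is not a valid URI`. Both method bodies continue past the hunks, so the authority handling is not confirmed here.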
@@ -92,7 +92,7 @@ private void setGetPayload(HttpMessage msg, String payload) throws URIException uri.setEscapedQuery(query); } - private void setPostPayload(HttpMessage msg, String payload) { + private static void setPostPayload(HttpMessage msg, String payload) { msg.getRequestHeader().setMethod("POST"); String body = msg.getRequestBody().toString(); if (body.isEmpty() diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionHypersonicScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionHypersonicScanRule.java index c688e1d7c71..a55892dd7f0 100644 --- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionHypersonicScanRule.java +++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionHypersonicScanRule.java @@ -194,7 +194,6 @@ public class SqlInjectionHypersonicScanRule extends AbstractAppParamPlugin CommonAlertTag.OWASP_2017_A01_INJECTION, CommonAlertTag.WSTG_V42_INPV_05_SQLI); - /** for logging. */ private static final Logger LOGGER = LogManager.getLogger(SqlInjectionHypersonicScanRule.class); /** The number of seconds used in time-based attacks (i.e. sleep commands). */ diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionMsSqlScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionMsSqlScanRule.java index 55e404a1ae1..112c9c402a1 100644 --- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionMsSqlScanRule.java +++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionMsSqlScanRule.java 
@@ -130,7 +130,6 @@ public class SqlInjectionMsSqlScanRule extends AbstractAppParamPlugin private static final double TIME_CORRELATION_ERROR_RANGE = 0.15; private static final double TIME_SLOPE_ERROR_RANGE = 0.30; - /** for logging. */ private static final Logger LOGGER = LogManager.getLogger(SqlInjectionMsSqlScanRule.class); private static final Map ALERT_TAGS = diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionMySqlScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionMySqlScanRule.java index 300aa5bba42..2fd52ade362 100644 --- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionMySqlScanRule.java +++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionMySqlScanRule.java @@ -213,7 +213,6 @@ public class SqlInjectionMySqlScanRule extends AbstractAppParamPlugin CommonAlertTag.OWASP_2017_A01_INJECTION, CommonAlertTag.WSTG_V42_INPV_05_SQLI); - /** for logging. */ private static final Logger LOGGER = LogManager.getLogger(SqlInjectionMySqlScanRule.class); private int timeSleepSeconds = DEFAULT_SLEEP_TIME; diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionOracleScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionOracleScanRule.java index d5d229c44f0..f17113fae0c 100644 --- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionOracleScanRule.java +++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionOracleScanRule.java @@ -149,7 +149,6 @@ public class SqlInjectionOracleScanRule extends AbstractAppParamPlugin CommonAlertTag.OWASP_2017_A01_INJECTION, CommonAlertTag.WSTG_V42_INPV_05_SQLI); - /** for logging. */ private static final Logger LOGGER = LogManager.getLogger(SqlInjectionOracleScanRule.class); @Override 
diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionPostgreScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionPostgreScanRule.java index 41177f4d952..a769ed318fb 100644 --- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionPostgreScanRule.java +++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionPostgreScanRule.java @@ -191,7 +191,6 @@ public class SqlInjectionPostgreScanRule extends AbstractAppParamPlugin CommonAlertTag.OWASP_2017_A01_INJECTION, CommonAlertTag.WSTG_V42_INPV_05_SQLI); - /** for logging. */ private static final Logger LOGGER = LogManager.getLogger(SqlInjectionPostgreScanRule.class); @Override diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionScanRule.java index 6cfa31a8e43..557533897bb 100644 --- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionScanRule.java +++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionScanRule.java @@ -138,7 +138,7 @@ private enum RDBMS { // TODO: add other specific UNION based error messages for Union here: PostgreSQL, Sybase, // DB2, Informix, etc - // DONE: we have implemented a MySQL specific scanner. See SQLInjectionMySQL + // DONE: we have implemented a MySQL specific rule. See SQLInjectionMySQL MySQL( "MySQL", Tech.MySQL, @@ -259,7 +259,7 @@ private enum RDBMS { // vulnerabilities Interbase("Interbase", Tech.Db, "\\Qinterbase.interclient\\E"), - // DONE: we have implemented a Hypersonic specific scanner. See SQLInjectionHypersonic + // DONE: we have implemented a Hypersonic specific rule. See SQLInjectionHypersonic HypersonicSQL( "Hypersonic SQL", Tech.HypersonicSQL, 
@@ -540,9 +540,6 @@ public String getReference() { return Constant.messages.getString(MESSAGE_PREFIX + "refs"); } - /* initialise - * Note that this method gets called each time the scanner is called. - */ @Override public void init() { LOGGER.debug("Initialising"); @@ -680,7 +677,7 @@ public void scan(HttpMessage msg, String param, String origParamValue) { // work through the attack using each of the following strings as a prefix: the // empty string, and the original value - // Note: this doubles the amount of work done by the scanner, but is necessary in + // Note: this doubles the amount of work done by the rule, but is necessary in // some cases String[] prefixStrings; if (origParamValue != null) { @@ -903,7 +900,7 @@ && matchBodyPattern(msg1, errorPattern, sb)) { } catch (Exception e) { LOGGER.debug("The parameter value [{}] is NOT of type Integer", origParamValue); // TODO: implement a similar check for string types? This probably needs to be - // RDBMS specific (ie, it should not live in this scanner) + // RDBMS specific (ie, it should not live in this rule) } } @@ -1995,12 +1992,7 @@ protected String stripOffOriginalAndAttackParam( return result; } - /** - * decode method that is aware of %, and will decode it as simply %, if it occurs - * - * @param msg - * @return - */ + /** decode method that is aware of %, and will decode it as simply %, if it occurs */ public static String getURLDecode(String msg) { String result = ""; try { diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionSqLiteScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionSqLiteScanRule.java index 04d334d3ca3..7246af3575a 100644 --- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionSqLiteScanRule.java +++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionSqLiteScanRule.java 
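Review bot: The block comment removed above `init()` in SqlInjectionScanRule stated that the method runs each time the rule is invoked, which is a contract statement rather than "scanner" wording, and nothing in the hunk replaces it. If it still holds, keep it in the new terminology: `// Called at the start of every scan; per-scan state must be reset here.` If it was removed because it is no longer true, that is a behaviour note worth more than the "Maintenance changes" changelog line. The method body continues outside the hunk.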
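Review bot: The collapsed Javadoc on `getURLDecode` ("aware of %, and will decode it as simply %") is a fragment that does not say what the method returns or what happens on a decode failure, and the `String result = "";` initialisation hints that the failure case returns the empty string. Presumably a `%` that does not start a valid escape is kept as a literal `%`; if so, state it: `@param msg the possibly URL-encoded text` / `@return the decoded text, with a bare {@code %} left as-is; empty if decoding fails`. The `try` body that would confirm the failure path is outside the hunk.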
@@ -216,7 +216,6 @@ public class SqlInjectionSqLiteScanRule extends AbstractAppParamPlugin CommonAlertTag.OWASP_2017_A01_INJECTION, CommonAlertTag.WSTG_V42_INPV_05_SQLI); - /** for logging. */ private static final Logger LOGGER = LogManager.getLogger(SqlInjectionSqLiteScanRule.class); @Override diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SstiBlindScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SstiBlindScanRule.java index 253907c298b..012b0fa64e3 100644 --- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SstiBlindScanRule.java +++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SstiBlindScanRule.java @@ -294,7 +294,7 @@ private boolean checkIfCausesTimeDelay(String paramName, String payloadFormat) { private void sendPayloadsToMakeCallBack(String paramName, String[] commandExecPayloads) { int allowedNumberCommands = 0; - // whe should only run this scanner when the level is High, util then + // whe should only run this rule when the level is High, util then // just time based attacks should be used because of the limitations // in requests numbers if (this.getAttackStrength() == Plugin.AttackStrength.HIGH) { diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SstiScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SstiScanRule.java index de624609cc8..226cbf33363 100644 --- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SstiScanRule.java +++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SstiScanRule.java 
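Review bot: The rewritten comment in `sendPayloadsToMakeCallBack` (SstiBlindScanRule hunk) still carries the two typos it had before, "whe" and "util", and "level" does not match the code, which tests `getAttackStrength()`. Since the line was touched anyway: `// we should only run this rule when the attack strength is High; until then` / `// only time based attacks should be used because of the limitations` / `// in request numbers`. The method continues past the hunk.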
@@ -169,7 +169,7 @@ public void scan(HttpMessage msg, String paramName, String value) { || AttackStrength.HIGH.equals(this.getAttackStrength())) { reliableScan(msg, paramName, value, false); } - // When the scanner can do more requests it tries less common cases. + // When the rule can do more requests it tries less common cases. else { reliableScan(msg, paramName, value, true); } @@ -185,7 +185,7 @@ public void scan(HttpMessage msg, String paramName, String value) { */ private void efficientScan(HttpMessage msg, String paramName, String value) { - // The efficient scanner detects the existence of vulnerabilities by causing + // The efficient scan detects the existence of vulnerabilities by causing // and detecting errors. To detect errors we start by looking to how the // responses change when we send different inputs. Later, with this information // we can detect which changes caused by our inputs are not normal and which diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/XpathInjectionScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/XpathInjectionScanRule.java index 4d6516373ff..54672a52112 100644 --- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/XpathInjectionScanRule.java +++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/XpathInjectionScanRule.java @@ -93,7 +93,6 @@ public class XpathInjectionScanRule extends AbstractAppParamPlugin // Get WASC Vulnerability description private static final Vulnerability VULN = Vulnerabilities.getDefault().get("wasc_39"); - // Logger instance private static final Logger LOGGER = LogManager.getLogger(XpathInjectionScanRule.class); @Override diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/XxeScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/XxeScanRule.java index 2f4fa757924..8be92784ef8 100644 
--- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/XxeScanRule.java +++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/XxeScanRule.java @@ -103,7 +103,6 @@ public class XxeScanRule extends AbstractAppPlugin implements CommonActiveScanRu private static final Pattern xmlHeaderPattern = Pattern.compile(xmlHeaderRegex, Pattern.CASE_INSENSITIVE); - // Logger instance private static final Logger LOGGER = LogManager.getLogger(XxeScanRule.class); @Override diff --git a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/ExternalRedirectScanRuleUnitTest.java b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/ExternalRedirectScanRuleUnitTest.java index bff7b0fbede..24daf07ef57 100644 --- a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/ExternalRedirectScanRuleUnitTest.java +++ b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/ExternalRedirectScanRuleUnitTest.java @@ -80,11 +80,11 @@ private enum PayloadHandling { CONCAT_PATH }; - private NanoServerHandler createHttpRedirectHandler(String path, String header) { + private static NanoServerHandler createHttpRedirectHandler(String path, String header) { return createHttpRedirectHandler(path, header, PayloadHandling.NEITHER); } - private NanoServerHandler createHttpRedirectHandler( + private static NanoServerHandler createHttpRedirectHandler( String path, String header, PayloadHandling payloadHandling) { return new NanoServerHandler(path) { @Override diff --git a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/HiddenFilesScanRuleUnitTest.java b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/HiddenFilesScanRuleUnitTest.java index 7757fc3ade8..861c1a3021e 100644 --- a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/HiddenFilesScanRuleUnitTest.java 
+++ b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/HiddenFilesScanRuleUnitTest.java @@ -110,7 +110,7 @@ void checkNoPathsHaveLeadingSlash() { } } - private void assertNoLeadingSlash(String message, String path) { + private static void assertNoLeadingSlash(String message, String path) { assertThat(message.replace(REPLACE_TOKEN, path), !path.startsWith("/"), is(true)); } diff --git a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/XxeScanRuleUnitTest.java b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/XxeScanRuleUnitTest.java index f11016f177b..4f42a45b56f 100644 --- a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/XxeScanRuleUnitTest.java +++ b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/XxeScanRuleUnitTest.java @@ -314,7 +314,7 @@ void shouldAlertOnlyIfCertainTagValuesArePresent() assertThat(alert.getConfidence(), equalTo(Alert.CONFIDENCE_MEDIUM)); } - private NanoServerHandler createNanoHandler( + private static NanoServerHandler createNanoHandler( String path, NanoHTTPD.Response.IStatus status, String responseBody) { return new NanoServerHandler(path) { @Override diff --git a/addOns/ascanrulesAlpha/CHANGELOG.md b/addOns/ascanrulesAlpha/CHANGELOG.md index a8ddcfd2d01..6e4ef83d731 100644 --- a/addOns/ascanrulesAlpha/CHANGELOG.md +++ b/addOns/ascanrulesAlpha/CHANGELOG.md @@ -6,6 +6,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). ## Unreleased ### Changed - Update minimum ZAP version to 2.15.0. +- Maintenance changes. ### Fixed - Alert text for various rules has been updated to more consistently use periods and spaces in a uniform manner. diff --git a/addOns/ascanrulesAlpha/src/main/java/org/zaproxy/zap/extension/ascanrulesAlpha/ExampleFileActiveScanRule.java b/addOns/ascanrulesAlpha/src/main/java/org/zaproxy/zap/extension/ascanrulesAlpha/ExampleFileActiveScanRule.java index c15d6bc3a5a..2875338bb65 100644 
--- a/addOns/ascanrulesAlpha/src/main/java/org/zaproxy/zap/extension/ascanrulesAlpha/ExampleFileActiveScanRule.java +++ b/addOns/ascanrulesAlpha/src/main/java/org/zaproxy/zap/extension/ascanrulesAlpha/ExampleFileActiveScanRule.java @@ -69,9 +69,8 @@ public String getName() { @Override public boolean targets( TechSet technologies) { // This method allows the programmer or user to restrict when a - // scanner is run based on the technologies selected. For example, to restrict the scanner - // to run just when - // C language is selected + // scan rule is run based on the technologies selected. For example, to restrict the rule + // to run just when C language is selected return technologies.includes(Tech.C); } @@ -80,7 +79,7 @@ public String getDescription() { return Constant.messages.getString(MESSAGE_PREFIX + "desc"); } - private String getOtherInfo() { + private static String getOtherInfo() { return Constant.messages.getString(MESSAGE_PREFIX + "other"); } @@ -194,7 +193,7 @@ private String doesResponseContainString(HttpBody body, String str) { return null; } - private List loadFile(String file) { + private static List loadFile(String file) { /* * ZAP will have already extracted the file from the add-on and put it underneath the 'ZAP home' directory */ diff --git a/addOns/ascanrulesAlpha/src/main/java/org/zaproxy/zap/extension/ascanrulesAlpha/ExampleSimpleActiveScanRule.java b/addOns/ascanrulesAlpha/src/main/java/org/zaproxy/zap/extension/ascanrulesAlpha/ExampleSimpleActiveScanRule.java index f70b477f1b5..ab715920906 100644 --- a/addOns/ascanrulesAlpha/src/main/java/org/zaproxy/zap/extension/ascanrulesAlpha/ExampleSimpleActiveScanRule.java +++ b/addOns/ascanrulesAlpha/src/main/java/org/zaproxy/zap/extension/ascanrulesAlpha/ExampleSimpleActiveScanRule.java 
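Review bot: The explanatory comment in `targets` is still wedged between the parameter list and the body (`TechSet technologies) { // This method allows ...`), which is what forced the awkward line breaks this hunk is tidying; moving it above the method as Javadoc reads better and shows up in generated docs, e.g. `/** Restricts when this scan rule runs based on the selected technologies; this example only runs when C is selected. */`. The same layout is in the ExampleSimpleActiveScanRule hunk that follows, which should get the same treatment.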
@@ -66,9 +66,8 @@ public String getName() { @Override public boolean targets( TechSet technologies) { // This method allows the programmer or user to restrict when a - // scanner is run based on the technologies selected. For example, to restrict the scanner - // to run just when - // C language is selected + // scan rule is run based on the technologies selected. For example, to restrict the rule + // to run just when C language is selected return technologies.includes(Tech.C); } diff --git a/addOns/ascanrulesAlpha/src/main/java/org/zaproxy/zap/extension/ascanrulesAlpha/LdapInjectionScanRule.java b/addOns/ascanrulesAlpha/src/main/java/org/zaproxy/zap/extension/ascanrulesAlpha/LdapInjectionScanRule.java index f483f70cb71..6ba21e3fb9d 100644 --- a/addOns/ascanrulesAlpha/src/main/java/org/zaproxy/zap/extension/ascanrulesAlpha/LdapInjectionScanRule.java +++ b/addOns/ascanrulesAlpha/src/main/java/org/zaproxy/zap/extension/ascanrulesAlpha/LdapInjectionScanRule.java @@ -50,7 +50,6 @@ public class LdapInjectionScanRule extends AbstractAppParamPlugin implements CommonActiveScanRuleInfo { - /** for logging. */ private static final Logger LOGGER = LogManager.getLogger(LdapInjectionScanRule.class); private static final String I18N_PREFIX = "ascanalpha."; @@ -196,7 +195,7 @@ public void init() { public void scan(HttpMessage msg, NameValuePair originalParam) { /* * Scan everything _except_ URL path parameters. - * URL Path parameters are problematic for the matching based scanners, because changing the URL path + * URL Path parameters are problematic for the matching based rules, because changing the URL path * "parameter" generates output that is wildly different from the unmodified URL path "parameter" */ if (originalParam.getType() != NameValuePair.TYPE_URL_PATH) { 
@@ -647,25 +646,16 @@ private boolean checkResultsForLDAPAlert( return false; // did not throw an alert } - /** - * @return - */ @Override public int getRisk() { return Alert.RISK_HIGH; } - /** - * @return - */ @Override public int getCweId() { return 90; } - /** - * @return - */ @Override public int getWascId() { return 29; diff --git a/addOns/ascanrulesAlpha/src/main/java/org/zaproxy/zap/extension/ascanrulesAlpha/MongoDbInjectionScanRule.java b/addOns/ascanrulesAlpha/src/main/java/org/zaproxy/zap/extension/ascanrulesAlpha/MongoDbInjectionScanRule.java index 5856650a755..104b9b072ad 100644 --- a/addOns/ascanrulesAlpha/src/main/java/org/zaproxy/zap/extension/ascanrulesAlpha/MongoDbInjectionScanRule.java +++ b/addOns/ascanrulesAlpha/src/main/java/org/zaproxy/zap/extension/ascanrulesAlpha/MongoDbInjectionScanRule.java @@ -83,7 +83,6 @@ public class MongoDbInjectionScanRule extends AbstractAppParamPlugin Pattern.CASE_INSENSITIVE), Pattern.compile("MongoResultException", Pattern.CASE_INSENSITIVE) }; - // Variables private boolean isJsonPayload; private boolean doAllDataScan; private boolean doCrashScan; diff --git a/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/BackupFileDisclosureScanRule.java b/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/BackupFileDisclosureScanRule.java index bd38f756cae..db8d6ff8cbd 100644 --- a/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/BackupFileDisclosureScanRule.java +++ b/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/BackupFileDisclosureScanRule.java @@ -426,7 +426,7 @@ public List getExampleAlerts() { .build()); } - private boolean isEmptyResponse(byte[] response) { + private static boolean isEmptyResponse(byte[] response) { return response.length == 0; } 
diff --git a/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/CrossDomainScanRule.java b/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/CrossDomainScanRule.java index 7c587a348b9..63f5f0d9345 100644 --- a/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/CrossDomainScanRule.java +++ b/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/CrossDomainScanRule.java @@ -136,7 +136,6 @@ public void scan() { } try { - // get the network details for the attack URI originalURI = this.getBaseMsg().getRequestHeader().getURI(); scanAdobeCrossdomainPolicyFile(originalURI); @@ -200,8 +199,7 @@ private void scanAdobeCrossdomainPolicyFile(URI originalURI) XPathExpression exprRequestHeadersFromDomain = xpath.compile( "/cross-domain-policy/allow-http-request-headers-from/@domain"); // gets - // the - // domain attributes + // the domain attributes NodeList exprRequestHeadersFromDomainNodes = (NodeList) exprRequestHeadersFromDomain.evaluate( diff --git a/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/GitIndexEntryCache.java b/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/GitIndexEntryCache.java index 09af8a4f54e..0b50c6017f5 100644 --- a/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/GitIndexEntryCache.java +++ b/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/GitIndexEntryCache.java 
@@ -56,22 +56,12 @@ private static synchronized void createSingleton() { } } - /** - * is a Git index cached for the given Git index URI? - * - * @param uri - * @return - */ + /** is a Git index cached for the given Git index URI? */ public synchronized boolean isIndexCached(URI gitIndexUri) { return gitIndexMap.containsKey(gitIndexUri); } - /** - * is a Git index entry cached for the given Git index URI, and Git Index entry URI? - * - * @param uri - * @return - */ + /** is a Git index entry cached for the given Git index URI, and Git Index entry URI? */ public synchronized boolean isIndexEntryCached(URI gitIndexUri, URI gitIndexEntryUri) { if (!gitIndexMap.containsKey(gitIndexUri)) { return false; @@ -79,12 +69,7 @@ public synchronized boolean isIndexEntryCached(URI gitIndexUri, URI gitIndexEntr return gitIndexMap.get(gitIndexUri).containsKey(gitIndexEntryUri); } - /** - * puts the Git Index and Git Index Entry in a map - * - * @param gitIndexUri - * @param gitIndexEntryUri - */ + /** puts the Git Index and Git Index Entry in a map */ @SuppressWarnings("unchecked") public synchronized void putIndexEntry(URI gitIndexUri, URI gitIndexEntryUri, String gitSHA1) { Map indexEntryMap; @@ -99,13 +84,7 @@ public synchronized void putIndexEntry(URI gitIndexUri, URI gitIndexEntryUri, St gitIndexMap.put(gitIndexUri, indexEntryMap); } - /** - * gets the SHA1 for a Git Index and Git Index Entry - * - * @param gitIndexUri - * @param gitIndexEntryUri - * @return - */ + /** gets the SHA1 for a Git Index and Git Index Entry */ public synchronized String getIndexEntry(URI gitIndexUri, URI gitIndexEntryUri) { if (gitIndexMap.containsKey(gitIndexUri)) { return gitIndexMap.get(gitIndexUri).get(gitIndexEntryUri); diff --git a/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/GitMetadata.java b/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/GitMetadata.java index 5cf1c5f3a18..a2d78d73f40 100644 
--- a/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/GitMetadata.java +++ b/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/GitMetadata.java @@ -44,7 +44,6 @@ */ public class GitMetadata { - /** the logger object */ private static final Logger LOGGER = LogManager.getLogger(GitMetadata.class); /** @@ -81,11 +80,7 @@ public class GitMetadata { private int tempbytesread; - /** - * gets the Git URIs that were successfully queried to get the Source Code Disclosure - * - * @return - */ + /** gets the Git URIs that were successfully queried to get the Source Code Disclosure */ public String getGitURIs() { return urisUsed; } diff --git a/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/HttpParameterPollutionScanRule.java b/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/HttpParameterPollutionScanRule.java index 80e72d88054..54ad4477d8d 100644 --- a/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/HttpParameterPollutionScanRule.java +++ b/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/HttpParameterPollutionScanRule.java @@ -83,10 +83,6 @@ public String getReference() { return Constant.messages.getString("ascanbeta.HTTPParamPoll.extrainfo"); } - /** - * Main method of the class. It is executed for each page. Determined whether the page in - * vulnerable to HPP or not. - */ @Override public void scan() { @@ -242,7 +238,7 @@ public TreeSet getParams(Source s, List inputTags) { * @param url found in the body of the targeted page * @return a hashmap of the query string */ - private Map> getUrlParameters(String url) { + private static Map> getUrlParameters(String url) { Map> params = new HashMap<>(); if (url != null) { 
diff --git a/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/InsecureHttpMethodScanRule.java b/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/InsecureHttpMethodScanRule.java index cdb3e6a3fb3..c97b65ce92a 100644 --- a/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/InsecureHttpMethodScanRule.java +++ b/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/InsecureHttpMethodScanRule.java @@ -81,7 +81,6 @@ public class InsecureHttpMethodScanRule extends AbstractAppPlugin /** details of the vulnerability which we are attempting to find 45 = "Fingerprinting" */ private static final Vulnerability VULN = Vulnerabilities.getDefault().get("wasc_45"); - /** the logger object */ private static final Logger LOGGER = LogManager.getLogger(InsecureHttpMethodScanRule.class); /** diff --git a/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/IntegerOverflowScanRule.java b/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/IntegerOverflowScanRule.java index 1df32cea8c7..6d17f9c0546 100644 --- a/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/IntegerOverflowScanRule.java +++ b/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/IntegerOverflowScanRule.java @@ -18,7 +18,7 @@ /* * Integer Overflow an active scan rule * Copyright (C) 2015 Institute for Defense Analyses - * @author Mark Rader based upon the example active scanner by psiinon + * @author Mark Rader based upon the example active scan rule by psiinon */ package org.zaproxy.zap.extension.ascanrulesBeta; 
@@ -85,14 +85,10 @@ public String getReference() { return Constant.messages.getString(MESSAGE_PREFIX + "refs"); } - private String getError(char c) { + private static String getError(char c) { return Constant.messages.getString(MESSAGE_PREFIX + "error" + c); } - /* - * This method is called by the active scanner for each GET and POST parameter for every page - * @see org.parosproxy.paros.core.scanner.AbstractAppParamPlugin#scan(org.parosproxy.paros.network.HttpMessage, java.lang.String, java.lang.String) - */ @Override public void scan(HttpMessage msg, String param, String value) { @@ -145,7 +141,7 @@ public Map getAlertTags() { return ALERT_TAGS; } - private String randomIntegerString(int length) { + private static String randomIntegerString(int length) { int numbercounter = 0; int character = 0; @@ -169,7 +165,7 @@ private String randomIntegerString(int length) { return sb1.toString(); } - private String singleString(int length, char c) // Single Character String + private static String singleString(int length, char c) // Single Character String { int numbercounter = 0; @@ -241,7 +237,7 @@ private AlertBuilder buildAlert( .setUri(url) .setParam(param) .setAttack(attack) - .setOtherInfo(this.getError(type)) + .setOtherInfo(IntegerOverflowScanRule.getError(type)) .setEvidence(evidence); } } diff --git a/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/MessageCache.java b/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/MessageCache.java index 6bd73472f5e..c3756f4a9db 100644 --- a/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/MessageCache.java +++ b/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/MessageCache.java 
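Review bot: The class qualifier in `.setOtherInfo(IntegerOverflowScanRule.getError(type))` is redundant inside the class's own body; `.setOtherInfo(getError(type))` is the usual form for a private static helper and reads the same as the other builder calls around it. Qualifying by class name also means a later rename of the class touches this call site for no reason. buildAlert's signature and the start of its body lie outside the hunk.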
@@ -61,12 +61,7 @@ private static synchronized void createSingleton(HostProcess hostprocess) { } } - /** - * is a message cached for the given URI? - * - * @param uri - * @return - */ + /** is a message cached for the given URI? */ public synchronized boolean isMessageCached(URI uri) { return messagecache.containsKey(uri); } diff --git a/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/NotV1GitPackIndexFileException.java b/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/NotV1GitPackIndexFileException.java index b339dd5255d..931c3a8ec47 100644 --- a/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/NotV1GitPackIndexFileException.java +++ b/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/NotV1GitPackIndexFileException.java @@ -26,6 +26,5 @@ */ public class NotV1GitPackIndexFileException extends Exception { - /** */ private static final long serialVersionUID = 664525398598253409L; } diff --git a/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/ProxyDisclosureScanRule.java b/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/ProxyDisclosureScanRule.java index 22806d92d88..bab61b4326b 100644 --- a/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/ProxyDisclosureScanRule.java +++ b/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/ProxyDisclosureScanRule.java @@ -135,7 +135,6 @@ public class ProxyDisclosureScanRule extends AbstractAppPlugin implements Common CommonAlertTag.OWASP_2021_A05_SEC_MISCONFIG, CommonAlertTag.OWASP_2017_A06_SEC_MISCONFIG); - /** for logging. */ private static final Logger LOGGER = LogManager.getLogger(ProxyDisclosureScanRule.class); @Override 
@@ -151,8 +150,6 @@ public String getName() { @Override public String getDescription() { return null; - // needs a parameter! - // return Constant.messages.getString(MESSAGE_PREFIX+"desc"); } @Override @@ -765,7 +762,7 @@ public void scan() { } } - private String getPath(URI uri) { + private static String getPath(URI uri) { String path = uri.getEscapedPath(); if (path != null) { return path; @@ -773,7 +770,7 @@ private String getPath(URI uri) { return "/"; } - private String getAttack() { + private static String getAttack() { return Constant.messages.getString(MESSAGE_PREFIX + "attack"); } diff --git a/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/RelativePathConfusionScanRule.java b/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/RelativePathConfusionScanRule.java index 025ed92afe8..d779dab1030 100644 --- a/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/RelativePathConfusionScanRule.java +++ b/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/RelativePathConfusionScanRule.java @@ -55,7 +55,6 @@ public class RelativePathConfusionScanRule extends AbstractAppPlugin implements CommonActiveScanRuleInfo { - /** the logger object */ private static final Logger LOGGER = LogManager.getLogger(RelativePathConfusionScanRule.class); /** Prefix for internationalized messages used by this rule */ @@ -205,7 +204,6 @@ public String getReference() { @Override public void scan() { - // get the base message. What else did you think this line of code might do?? HttpMessage originalMsg = getBaseMsg(); LOGGER.debug("Attacking at Attack Strength: {}", this.getAttackStrength()); 
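Review bot: Deleting the two comment lines under `return null;` in getDescription leaves a bare null return with nothing indicating it is deliberate; the removed `// needs a parameter!` was the only record that the `MESSAGE_PREFIX + "desc"` message cannot be resolved without an argument. Keep a one-line reason instead of the commented-out code, e.g. `return null; // intentionally null: the "desc" message takes a parameter and cannot be resolved here`. If the description is supplied per alert elsewhere in the rule, a `@see` pointing there would help; that cannot be confirmed from this hunk.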
@@ -645,7 +643,7 @@ private AlertBuilder buildAlert(String attack, String otherInfo, String evidence .setEvidence(evidence); } - private Matcher matchStyles(String body) { + private static Matcher matchStyles(String body) { // remove all " and ' for proper matching url('somefile.png') String styleBody = body.replaceAll("['\"]", ""); return STYLE_URL_LOAD.matcher(styleBody); diff --git a/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/SessionFixationScanRule.java b/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/SessionFixationScanRule.java index 921f492f022..c9a2fdbc7f7 100644 --- a/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/SessionFixationScanRule.java +++ b/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/SessionFixationScanRule.java @@ -72,7 +72,6 @@ public class SessionFixationScanRule extends AbstractAppPlugin implements Common CommonAlertTag.OWASP_2017_A05_BROKEN_AC, CommonAlertTag.WSTG_V42_SESS_03_SESS_FIXATION); - /** for logging. */ private static final Logger LOGGER = LogManager.getLogger(SessionFixationScanRule.class); @Override @@ -1313,11 +1312,11 @@ private static void logSessionFixation( /** * finds and returns the cookie matching the specified cookie name from the message response. * - * @param message - * @param cookieName + * @param message the message to check + * @param cookieName the cookie to look for * @return the HtmlParameter representing the cookie, or null if no matching cookie was found */ - private HtmlParameter getResponseCookie(HttpMessage message, String cookieName) { + private static HtmlParameter getResponseCookie(HttpMessage message, String cookieName) { TreeSet cookieBackParams = message.getResponseHeader().getCookieParams(); if (cookieBackParams.isEmpty()) { // no cookies 
diff --git a/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/ShellShockScanRule.java b/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/ShellShockScanRule.java index 1594bc92296..15291e07ad7 100644 --- a/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/ShellShockScanRule.java +++ b/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/ShellShockScanRule.java @@ -47,7 +47,6 @@ public class ShellShockScanRule extends AbstractAppParamPlugin implements Common CommonAlertTag.OWASP_2017_A09_VULN_COMP, CommonAlertTag.WSTG_V42_INPV_12_COMMAND_INJ); - /** the logger object */ private static final Logger LOGGER = LogManager.getLogger(ShellShockScanRule.class); /** diff --git a/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/SlackerCookieScanRule.java b/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/SlackerCookieScanRule.java index 4b207286d91..b2d0a5af833 100644 --- a/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/SlackerCookieScanRule.java +++ b/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/SlackerCookieScanRule.java @@ -150,13 +150,7 @@ private boolean repeatRequestWithoutOneCookie( return thereAreSlackCookies; } - /** - * Looks as if one needs to manually add cookies to each synthetic GET - * - * @param cookies - * @param oneCookie - * @param baseResponseLength - */ + /** Looks as if one needs to manually add cookies to each synthetic GET */ private boolean sendOneRequest( Set cookies, HtmlParameter oneCookie, int baseResponseLength) { 
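Review bot: The retained summary `/** Looks as if one needs to manually add cookies to each synthetic GET */` on sendOneRequest is a working note rather than a description of the method's contract, and the collapse dropped the @param tags without adding a @return for the boolean result. A summary stating what the method does and what its boolean means would serve a reader better; the body continues outside the hunk, so the meaning of the return value has to be filled in by someone who can see it. The same collapse-to-one-line edit in GitIndexEntryCache and MessageCache only loses @param tags that already disagreed with the parameter names, so no action is needed there.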
@@ -251,27 +245,28 @@ private int calculateRisk( return riskLevel; } - private String getSessionDestroyedText(String cookie) { + private static String getSessionDestroyedText(String cookie) { return Constant.messages.getString("ascanbeta.cookieslack.session.destroyed", cookie); } - private String getAffectResponseYes() { + private static String getAffectResponseYes() { return Constant.messages.getString("ascanbeta.cookieslack.affect.response.yes"); } - private String getAffectResponseNo() { + private static String getAffectResponseNo() { return Constant.messages.getString("ascanbeta.cookieslack.affect.response.no"); } - private String getSeparator() { + private static String getSeparator() { return Constant.messages.getString("ascanbeta.cookieslack.separator"); } - private String getEOL() { + private static String getEOL() { return Constant.messages.getString("ascanbeta.cookieslack.endline"); } - private void formatCookiesList(StringBuilder otherInfoBuff, Iterator cookieIterator) { + private static void formatCookiesList( + StringBuilder otherInfoBuff, Iterator cookieIterator) { otherInfoBuff.append(cookieIterator.next()); if (cookieIterator.hasNext()) { @@ -279,7 +274,7 @@ private void formatCookiesList(StringBuilder otherInfoBuff, Iterator coo } } - private String getSessionCookieWarning(String cookie) { + private static String getSessionCookieWarning(String cookie) { return Constant.messages.getString("ascanbeta.cookieslack.session.warning", cookie); } diff --git a/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/SourceCodeDisclosureFileInclusionScanRule.java b/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/SourceCodeDisclosureFileInclusionScanRule.java index eff4e7f98fd..6f4486f4cdf 100644 --- a/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/SourceCodeDisclosureFileInclusionScanRule.java 
+++ b/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/SourceCodeDisclosureFileInclusionScanRule.java @@ -109,7 +109,6 @@ public class SourceCodeDisclosureFileInclusionScanRule extends AbstractAppParamP /** details of the vulnerability which we are attempting to find 33 = "Path Traversal" */ private static final Vulnerability VULN = Vulnerabilities.getDefault().get("wasc_33"); - /** the logger object */ private static final Logger LOGGER = LogManager.getLogger(SourceCodeDisclosureFileInclusionScanRule.class); @@ -140,13 +139,11 @@ public class SourceCodeDisclosureFileInclusionScanRule extends AbstractAppParamP CommonAlertTag.OWASP_2021_A05_SEC_MISCONFIG, CommonAlertTag.OWASP_2017_A06_SEC_MISCONFIG); - /** returns the plugin id */ @Override public int getId() { return 43; } - /** returns the name of the plugin */ @Override public String getName() { return Constant.messages.getString("ascanbeta.sourcecodedisclosure.lfibased.name"); @@ -434,14 +431,8 @@ public void scan(HttpMessage originalmsg, String paramname, String paramvalue) { } } - /** - * returns whether the message response content matches the specified extension - * - * @param data - * @param fileExtension - * @return - */ - private boolean dataMatchesExtension(byte[] data, String fileExtension) { + /** returns whether the message response content matches the specified extension */ + private static boolean dataMatchesExtension(byte[] data, String fileExtension) { if (fileExtension != null) { if (fileExtension.equals("JSP")) { if (PATTERN_JSP.matcher(new String(data)).find()) return true; 
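Review bot: The collapsed Javadoc `/** returns whether the message response content matches the specified extension */` on dataMatchesExtension drops the @param tags rather than filling them; `@param data the response body bytes` and `@param fileExtension the extension to test, may be null` (the null case is visible in the first line of the body) would cost two lines. The identical method and Javadoc change in SourceCodeDisclosureGitScanRule has the same gap. Unrelated to this change but visible in the same hunk, the unchanged `new String(data)` decodes with the platform default charset; worth a follow-up with an explicit `StandardCharsets` argument.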
@@ -488,14 +479,8 @@ public Map getAlertTags() { return ALERT_TAGS; } - /** - * calculate the percentage length between the 2 strings. - * - * @param a - * @param b - * @return - */ - private int calcLengthMatchPercentage(int a, int b) { + /** calculate the percentage length between the 2 strings. */ + private static int calcLengthMatchPercentage(int a, int b) { if (a == 0 && b == 0) return 100; if (a == 0 || b == 0) return 0; diff --git a/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/SourceCodeDisclosureGitScanRule.java b/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/SourceCodeDisclosureGitScanRule.java index 3d09aa0fd62..2527a0acf42 100644 --- a/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/SourceCodeDisclosureGitScanRule.java +++ b/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/SourceCodeDisclosureGitScanRule.java @@ -53,7 +53,6 @@ public class SourceCodeDisclosureGitScanRule extends AbstractAppPlugin */ private static final Vulnerability VULN = Vulnerabilities.getDefault().get("wasc_34"); - /** the logger object */ private static final Logger LOGGER = LogManager.getLogger(SourceCodeDisclosureGitScanRule.class); @@ -107,7 +106,7 @@ public String getReference() { return VULN.getReferencesAsString(); } - private String getEvidence(String filename, String gitURIs) { + private static String getEvidence(String filename, String gitURIs) { return Constant.messages.getString( "ascanbeta.sourcecodedisclosure.gitbased.evidence", filename, gitURIs); } 
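Review bot: The rewritten Javadoc `/** calculate the percentage length between the 2 strings. */` on calcLengthMatchPercentage still talks about strings, but the method takes two `int` lengths `a` and `b`, and the two visible early returns fix edge behaviour that is worth recording. Suggest `/** Returns how closely two lengths match as a percentage: 100 when both are 0, 0 when exactly one is 0. */` with `@param a`/`@param b` naming them as the lengths being compared. The remainder of the computation is outside the hunk.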
@@ -151,14 +150,8 @@ public void scan() { } } - /** - * returns whether the message response content matches the specified extension - * - * @param data - * @param fileExtension - * @return - */ - private boolean dataMatchesExtension(byte[] data, String fileExtension) { + /** returns whether the message response content matches the specified extension */ + private static boolean dataMatchesExtension(byte[] data, String fileExtension) { if (fileExtension != null) { if (fileExtension.equals("JSP")) { if (PATTERN_JSP.matcher(new String(data)).find()) return true; diff --git a/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/SourceCodeDisclosureSvnScanRule.java b/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/SourceCodeDisclosureSvnScanRule.java index 2fd24384354..ee980103f33 100644 --- a/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/SourceCodeDisclosureSvnScanRule.java +++ b/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/SourceCodeDisclosureSvnScanRule.java @@ -72,7 +72,6 @@ public class SourceCodeDisclosureSvnScanRule extends AbstractAppPlugin */ private static final Vulnerability VULN = Vulnerabilities.getDefault().get("wasc_34"); - /** the logger object */ private static final Logger LOGGER = LogManager.getLogger(SourceCodeDisclosureSvnScanRule.class); @@ -96,13 +95,11 @@ public class SourceCodeDisclosureSvnScanRule extends AbstractAppPlugin CommonAlertTag.OWASP_2021_A05_SEC_MISCONFIG, CommonAlertTag.OWASP_2017_A06_SEC_MISCONFIG); - /** returns the plugin id */ @Override public int getId() { return 42; } - /** returns the name of the plugin */ @Override public String getName() { return Constant.messages.getString(MESSAGE_PREFIX + "name"); 
@@ -171,13 +168,7 @@ public void scan() { } } - /** - * returns whether the message response content matches the specified extension - * - * @param data - * @param fileExtension - * @return - */ + /** returns whether the message response content matches the specified extension */ private String findEvidenceForExtension(byte[] data, String fileExtension) { if (fileExtension != null) { Matcher matcher; @@ -497,7 +488,7 @@ private boolean findSourceCodeSVN(HttpMessage originalMessage) throws Exception rsSVNWCFormat = pragmaStatement.executeQuery("pragma USER_VERSION"); // get the precise internal version of SVN in use - // this will inform how the scanner should proceed in an efficient + // this will inform how the rule should proceed in an efficient // manner. int svnFormat = 0; while (rsSVNWCFormat.next()) { diff --git a/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/UsernameEnumerationScanRule.java b/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/UsernameEnumerationScanRule.java index c02435aaf7f..db041d35f3d 100644 --- a/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/UsernameEnumerationScanRule.java +++ b/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/UsernameEnumerationScanRule.java @@ -730,7 +730,7 @@ public String longestCommonSubsequence(String a, String b) { return hirshberg.getLCS(a, b); } - private boolean shouldContinue(List contextList) { + private static boolean shouldContinue(List contextList) { boolean hasAuth = false; for (Context context : contextList) { if (context.getAuthenticationMethod() instanceof FormBasedAuthenticationMethod) { diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/AntiClickjackingScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/AntiClickjackingScanRule.java index 371cbb2bebb..5dee57c4402 100644 
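Review bot: The new one-line Javadoc `/** returns whether the message response content matches the specified extension */` on findEvidenceForExtension describes a boolean, but the method returns a `String`; the wording appears to have been carried over from dataMatchesExtension in the sibling Git and file-inclusion rules, where it fits. Suggest `/** Returns the evidence matched in the response content for the specified extension. */` and document the no-match return value once confirmed, since the body continues outside the hunk.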
--- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/AntiClickjackingScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/AntiClickjackingScanRule.java @@ -172,7 +172,7 @@ public int getWascId() { return 15; // WASC-15: Application Misconfiguration } - private String getAlertElement(VulnType currentVT, String element) { + private static String getAlertElement(VulnType currentVT, String element) { switch (currentVT) { case XFO_MISSING: return Constant.messages.getString(MESSAGE_PREFIX + "missing." + element); @@ -197,7 +197,7 @@ private String getAlertElement(VulnType currentVT, String element) { * {@code null}. * @see RFC 7034 Section 4 */ - private String getMetaXFOEvidence(Source source) { + private static String getMetaXFOEvidence(Source source) { List metaElements = source.getAllElements(HTMLElementName.META); String httpEquiv; diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/ApplicationErrorScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/ApplicationErrorScanRule.java index a76ba54f8ef..a5b46d12dc7 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/ApplicationErrorScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/ApplicationErrorScanRule.java @@ -100,21 +100,11 @@ private ContentMatcher getContentMatcher() { return matcher; } - /** - * Get this plugin id - * - * @return the ZAP id - */ @Override public int getPluginId() { return 90022; } - /** - * Get the plugin name - * - * @return the plugin name - */ @Override public String getName() { return Constant.messages.getString(MESSAGE_PREFIX + "name"); 
@@ -198,7 +188,6 @@ public void scanHttpResponseReceive(HttpMessage msg, int id, Source source) { } } - // Internal service method for alert management private void raiseAlert(HttpMessage msg, int id, String evidence, int risk) { buildAlert(msg, id, evidence, risk).raise(); } diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/BigRedirectsScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/BigRedirectsScanRule.java index 6b8bf77ee8d..d5fa421a02a 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/BigRedirectsScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/BigRedirectsScanRule.java @@ -100,7 +100,7 @@ public void scanHttpResponseReceive(HttpMessage msg, int id, Source source) { * @param redirectURILength the length of the URI in the redirect response Location header * @return predictedResponseSize */ - private int getPredictedResponseSize(int redirectURILength) { + private static int getPredictedResponseSize(int redirectURILength) { int predictedResponseSize = redirectURILength + 300; LOGGER.debug("Original Response Location Header URI Length: {}", redirectURILength); LOGGER.debug("Predicted Response Size: {}", predictedResponseSize); @@ -155,7 +155,7 @@ public String getName() { return Constant.messages.getString(MESSAGE_PREFIX + "name"); } - private String getSolution() { + private static String getSolution() { return Constant.messages.getString(MESSAGE_PREFIX + "soln"); } diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/CharsetMismatchScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/CharsetMismatchScanRule.java index 065bc3d9d39..967db6a940e 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/CharsetMismatchScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/CharsetMismatchScanRule.java 
@@ -213,7 +213,7 @@ public void scanHttpResponseReceive(HttpMessage msg, int id, Source source) { // FIX: This will match Atom and RSS feeds now, which set text/html but // use <?xml> in content - private boolean isResponseHTML(HttpMessage message, Source source) { + private static boolean isResponseHTML(HttpMessage message, Source source) { String contentType = message.getResponseHeader().getHeader(HttpHeader.CONTENT_TYPE); if (contentType == null) { return false; @@ -224,12 +224,12 @@ private boolean isResponseHTML(HttpMessage message, Source source) { || contentType.indexOf("application/xhtml") != -1; } - private boolean isResponseXML(HttpMessage message, Source source) { + private static boolean isResponseXML(HttpMessage message, Source source) { // Return true if source or response is identified as XML return source.isXML() || message.getResponseHeader().isXml(); } - private String getBodyContentCharset(String bodyContentType) { + private static String getBodyContentCharset(String bodyContentType) { // preconditions assert bodyContentType != null; @@ -275,10 +275,6 @@ public int getPluginId() { return 90011; } - /* - * Rule-associated messages - */ - public String getDescription() { return Constant.messages.getString(MESSAGE_PREFIX + "desc"); } @@ -303,7 +299,7 @@ public int getWascId() { return 15; // WASC-15: Application Misconfiguration } - private String getExtraInfo( + private static String getExtraInfo( String firstCharset, String secondCharset, MismatchType mismatchType) { String extraInfo = ""; diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/ContentSecurityPolicyMissingScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/ContentSecurityPolicyMissingScanRule.java index c1d17f2c8cc..7a701544eae 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/ContentSecurityPolicyMissingScanRule.java 
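Review bot: `getBodyContentCharset` enforces its precondition with `assert bodyContentType != null;`, which is a no-op unless the JVM runs with `-ea`, so a null content type reaches whatever follows in the body outside the hunk. Now that the method is static with no instance context, an explicit check is the better fit: `Objects.requireNonNull(bodyContentType, "bodyContentType");` (java.util.Objects). The same assert-as-precondition pattern appears in `isLooselyScopedCookie` in CookieLooselyScopedScanRule (`assert cookie != null; assert host != null;`) later in this commit.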
+++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/ContentSecurityPolicyMissingScanRule.java @@ -87,7 +87,7 @@ public String getName() { return getAlertAttribute("name"); } - private String getAlertAttribute(String key) { + private static String getAlertAttribute(String key) { return Constant.messages.getString(MESSAGE_PREFIX + key); } diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/ContentSecurityPolicyScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/ContentSecurityPolicyScanRule.java index 679f6c89aec..b942ee339f6 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/ContentSecurityPolicyScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/ContentSecurityPolicyScanRule.java @@ -376,7 +376,7 @@ private static boolean allowsUnsafeEval(Policy policy, FetchDirectiveKind source return false; } - private String getCspNoticesString(List notices) { + private static String getCspNoticesString(List notices) { if (notices.isEmpty()) { return ""; } @@ -431,7 +431,7 @@ private static List getNotices( * @param header The header field(s) to be found * @return list of the matched headers */ - private List getHeaderField(HttpMessage msg, String header) { + private static List getHeaderField(HttpMessage msg, String header) { List matchedHeaders = new ArrayList<>(); String headers = msg.getResponseHeader().toString(); String[] headerElements = headers.split("\\r\\n"); @@ -446,7 +446,7 @@ private List getHeaderField(HttpMessage msg, String header) { return matchedHeaders; } - private List getAllowedWildcardSources(String policyText) { + private static List getAllowedWildcardSources(String policyText) { List allowedSources = new ArrayList<>(); Policy pol = Policy.parseSerializedCSP(policyText, PolicyErrorConsumer.ignored); 
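Review bot: `getHeaderField` rebuilds the header list by serialising the whole response header with `toString()` and splitting on `"\\r\\n"`, then presumably matching `header` against each element in the part of the body past the hunk. That re-parses text the `HttpHeader` object already holds in structured form; if the header API's per-name lookup (`getHeaders(header)`) fits the callers, it removes the split and any case or folding concerns. If the raw string scan is deliberate, for instance to keep the original header text as alert evidence, a one-line comment saying so would stop the next reader from "simplifying" it.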
diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/CookieLooselyScopedScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/CookieLooselyScopedScanRule.java index 27c4fbdf7a1..0f289532046 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/CookieLooselyScopedScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/CookieLooselyScopedScanRule.java @@ -86,7 +86,7 @@ public void scanHttpResponseReceive(HttpMessage msg, int id, Source source) { * Determines whether the specified cookie is loosely scoped by * checking it's Domain attribute value against the host */ - private boolean isLooselyScopedCookie(HttpCookie cookie, String host) { + private static boolean isLooselyScopedCookie(HttpCookie cookie, String host) { // preconditions assert cookie != null; assert host != null; @@ -138,7 +138,8 @@ private boolean isLooselyScopedCookie(HttpCookie cookie, String host) { return true; } - private boolean isCookieAndHostHaveTheSameDomain(String[] cookieDomains, String[] hostDomains) { + private static boolean isCookieAndHostHaveTheSameDomain( + String[] cookieDomains, String[] hostDomains) { if (cookieDomains == null || hostDomains == null || cookieDomains[0].equalsIgnoreCase("null") diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/CrossDomainMisconfigurationScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/CrossDomainMisconfigurationScanRule.java index ef6a7ed81a4..34cc58320bf 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/CrossDomainMisconfigurationScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/CrossDomainMisconfigurationScanRule.java 
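Review bot: `cookieDomains[0].equalsIgnoreCase("null")` in `isCookieAndHostHaveTheSameDomain` compares against the literal text "null", which appears to guard a case where a missing Domain attribute was stringified before being split; that origin is not visible in the hunk and is easy to misread as a bug. A comment such as `// a cookie without a Domain attribute arrives here as the literal "null"` would document it, or better, the caller could null-check the attribute before splitting so the sentinel is unnecessary. The method body continues past the hunk.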
@@ -43,7 +43,6 @@ public class CrossDomainMisconfigurationScanRule extends PluginPassiveScanner implements CommonPassiveScanRuleInfo { - /** the logger. it logs stuff. */ private static final Logger LOGGER = LogManager.getLogger(CrossDomainMisconfigurationScanRule.class); @@ -55,23 +54,11 @@ public class CrossDomainMisconfigurationScanRule extends PluginPassiveScanner CommonAlertTag.OWASP_2021_A01_BROKEN_AC, CommonAlertTag.OWASP_2017_A05_BROKEN_AC); - /** - * gets the name of the scanner - * - * @return - */ @Override public String getName() { return Constant.messages.getString(MESSAGE_PREFIX + "name"); } - /** - * scans the HTTP response for cross-domain mis-configurations - * - * @param msg - * @param id - * @param source unused - */ @Override public void scanHttpResponseReceive(HttpMessage msg, int id, Source source) { @@ -179,22 +166,12 @@ public int getWascId() { return 14; // WASC-14: Server Misconfiguration } - /** - * get the id of the scanner - * - * @return - */ @Override public int getPluginId() { return 10098; } - /** - * get the description of the alert - * - * @return - */ - private String getDescription() { + private static String getDescription() { return Constant.messages.getString(MESSAGE_PREFIX + "desc"); } diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/CsrfCountermeasuresScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/CsrfCountermeasuresScanRule.java index 4e89306f279..8010f542a01 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/CsrfCountermeasuresScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/CsrfCountermeasuresScanRule.java 
@@ -67,14 +67,8 @@ public class CsrfCountermeasuresScanRule extends PluginPassiveScanner private String csrfAttIgnoreList; private String csrfValIgnoreList; - /** the logger */ private static final Logger LOGGER = LogManager.getLogger(CsrfCountermeasuresScanRule.class); - /** - * gets the plugin id for this extension - * - * @return the plugin id for this extension - */ @Override public int getPluginId() { return 10202; @@ -208,12 +202,12 @@ public void scanHttpResponseReceive(HttpMessage msg, int id, Source source) { LOGGER.debug("\tScan of record {} took {} ms", id, System.currentTimeMillis() - start); } - private String getExtraInfo(String tokenNamesFlattened, String formDetails) { + private static String getExtraInfo(String tokenNamesFlattened, String formDetails) { return Constant.messages.getString( "pscanrules.noanticsrftokens.alert.extrainfo", tokenNamesFlattened, formDetails); } - private boolean formOnIgnoreList(Element formElement, List ignoreList) { + private static boolean formOnIgnoreList(Element formElement, List ignoreList) { String id = formElement.getAttributeValue("id"); String name = formElement.getAttributeValue("name"); for (String ignore : ignoreList) { diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/DirectoryBrowsingScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/DirectoryBrowsingScanRule.java index aa3b6b703e3..fb0f3027bda 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/DirectoryBrowsingScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/DirectoryBrowsingScanRule.java 
@@ -70,23 +70,11 @@ public class DirectoryBrowsingScanRule extends PluginPassiveScanner CommonAlertTag.OWASP_2021_A05_SEC_MISCONFIG, CommonAlertTag.OWASP_2017_A06_SEC_MISCONFIG); - /** - * gets the name of the scanner - * - * @return - */ @Override public String getName() { return Constant.messages.getString(MESSAGE_PREFIX + "name"); } - /** - * scans the HTTP response for signatures that might indicate Directory Browsing - * - * @param msg - * @param id - * @param source unused - */ @Override public void scanHttpResponseReceive(HttpMessage msg, int id, Source source) { // get the body contents as a String, so we can match against it @@ -130,40 +118,20 @@ public List getExampleAlerts() { return List.of(buildAlert("Apache 2", "Index of /htdocs").build()); } - /** - * get the id of the scanner - * - * @return - */ @Override public int getPluginId() { return 10033; } - /** - * get the description of the alert - * - * @return - */ - private String getDescription() { + private static String getDescription() { return Constant.messages.getString(MESSAGE_PREFIX + "desc"); } - /** - * get the solution for the alert - * - * @return - */ - private String getSolution() { + private static String getSolution() { return Constant.messages.getString(MESSAGE_PREFIX + "soln"); } - /** - * gets references for the alert - * - * @return - */ - private String getReference() { + private static String getReference() { return Constant.messages.getString(MESSAGE_PREFIX + "refs"); } diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/HashDisclosureScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/HashDisclosureScanRule.java index 6e22ba06f25..4e6ee64053a 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/HashDisclosureScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/HashDisclosureScanRule.java 
@@ -173,12 +173,6 @@ public String getName() { return Constant.messages.getString(MESSAGE_PREFIX + "name"); } - /** - * scans the HTTP request for Hash signatures - * - * @param msg - * @param id - */ @Override public void scanHttpRequestSend(HttpMessage msg, int id) { @@ -192,13 +186,6 @@ public void scanHttpRequestSend(HttpMessage msg, int id) { checkForHashes(requestparts); } - /** - * scans the HTTP response for Hash signatures - * - * @param msg - * @param id - * @param source unused - */ @Override public void scanHttpResponseReceive(HttpMessage msg, int id, Source source) { if (ResourceIdentificationUtils.isJavaScript(msg) @@ -275,15 +262,15 @@ public int getPluginId() { return 10097; } - private String getDescription() { + private static String getDescription() { return Constant.messages.getString(MESSAGE_PREFIX + "desc"); } - private String getSolution() { + private static String getSolution() { return Constant.messages.getString(MESSAGE_PREFIX + "soln"); } - private String getReference() { + private static String getReference() { return Constant.messages.getString(MESSAGE_PREFIX + "refs"); } diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/HeartBleedScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/HeartBleedScanRule.java index 73b09ea89b7..cdff9f64bd8 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/HeartBleedScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/HeartBleedScanRule.java @@ -85,10 +85,6 @@ public String getName() { /** * scans the HTTP response for signatures that might indicate the Heartbleed OpenSSL * vulnerability - * - * @param msg - * @param id - * @param source unused */ @Override public void scanHttpResponseReceive(HttpMessage msg, int id, Source source) { 
@@ -131,19 +127,19 @@ public int getPluginId() { return 10034; } - private String getDescription() { + private static String getDescription() { return Constant.messages.getString(MESSAGE_PREFIX + "desc"); } - private String getSolution() { + private static String getSolution() { return Constant.messages.getString(MESSAGE_PREFIX + "soln"); } - private String getReference() { + private static String getReference() { return Constant.messages.getString(MESSAGE_PREFIX + "refs"); } - private String getExtraInfo(String opensslVersion) { + private static String getExtraInfo(String opensslVersion) { return Constant.messages.getString(MESSAGE_PREFIX + "extrainfo", opensslVersion); } diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InfoPrivateAddressDisclosureScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InfoPrivateAddressDisclosureScanRule.java index caaefa8c61d..ed94af91c3b 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InfoPrivateAddressDisclosureScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InfoPrivateAddressDisclosureScanRule.java @@ -134,15 +134,15 @@ public String getName() { return Constant.messages.getString(MESSAGE_PREFIX + "name"); } - public String getDescription() { + private static String getDescription() { return Constant.messages.getString(MESSAGE_PREFIX + "desc"); } - public String getSolution() { + private static String getSolution() { return Constant.messages.getString(MESSAGE_PREFIX + "soln"); } - public String getReference() { + private static String getReference() { return Constant.messages.getString(MESSAGE_PREFIX + "refs"); } diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InfoSessionIdUrlScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InfoSessionIdUrlScanRule.java index 07098091a80..b6e8d152d00 100644 
--- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InfoSessionIdUrlScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InfoSessionIdUrlScanRule.java @@ -85,21 +85,11 @@ public class InfoSessionIdUrlScanRule extends PluginPassiveScanner * http://www.portent.com/blog/random/session-id-parameters-list.htm */ - /** - * Get this plugin id - * - * @return the ZAP id - */ @Override public int getPluginId() { return 00003; } - /** - * Get the plugin name - * - * @return the plugin name - */ @Override public String getName() { return Constant.messages.getString(MESSAGE_PREFIX + "name"); @@ -247,18 +237,15 @@ public void scanHttpResponseReceive(HttpMessage msg, int id, Source source) { Pattern.compile("[=\\(]\\s*[\"']" + EXT_LINK, Pattern.CASE_INSENSITIVE) }; - // The name of this sub-alert - private String getRefererAlert() { + private static String getRefererAlert() { return Constant.messages.getString(MESSAGE_PREFIX + "referrer.alert"); } - // The description of this sub-alert - private String getRefererDescription() { + private static String getRefererDescription() { return Constant.messages.getString(MESSAGE_PREFIX + "referrer.desc"); } - // The solution of this sub-alert - private String getRefererSolution() { + private static String getRefererSolution() { return Constant.messages.getString(MESSAGE_PREFIX + "referrer.soln"); } diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InformationDisclosureDebugErrorsScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InformationDisclosureDebugErrorsScanRule.java index 5afec2b02b8..0c147406d47 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InformationDisclosureDebugErrorsScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InformationDisclosureDebugErrorsScanRule.java 
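Review bot: `return 00003;` in `getPluginId` is an octal literal (a leading zero makes Java parse the number in base 8); it evaluates to 3 here, but it reads as a typo and the form silently changes meaning for other values (`00010` is 8, `00008` does not compile). Since the hunk already touches this method by dropping its Javadoc, it is a good moment to write it as `return 3;`.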
@@ -99,7 +99,7 @@ private String doesResponseContainsDebugErrorMessage(HttpBody body) { return null; } - private List loadFile(Path path) { + private static List loadFile(Path path) { List strings = new ArrayList<>(); BufferedReader reader = null; File f = path.toFile(); @@ -133,7 +133,7 @@ public void setDebugErrorFile(Path path) { this.errors = loadFile(path); } - public int getRisk() { + private static int getRisk() { return Alert.RISK_LOW; } @@ -142,11 +142,11 @@ public String getName() { return Constant.messages.getString(MESSAGE_PREFIX + "name"); } - public String getDescription() { + private static String getDescription() { return Constant.messages.getString(MESSAGE_PREFIX + "desc"); } - public String getSolution() { + private static String getSolution() { return Constant.messages.getString(MESSAGE_PREFIX + "soln"); } @@ -155,11 +155,11 @@ public Map getAlertTags() { return ALERT_TAGS; } - public int getCweId() { + static int getCweId() { return 200; // CWE Id 200 - Information Exposure } - public int getWascId() { + static int getWascId() { return 13; // WASC Id - Info leakage } diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InformationDisclosureInUrlScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InformationDisclosureInUrlScanRule.java index 3c05616ae10..a6425df642d 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InformationDisclosureInUrlScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InformationDisclosureInUrlScanRule.java @@ -99,7 +99,7 @@ public void scanHttpRequestSend(HttpMessage msg, int id) { } } - private String getSsnOtherInfo() { + private static String getSsnOtherInfo() { return Constant.messages.getString(MESSAGE_PREFIX + "otherinfo.ssn"); } 
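Review bot: `getCweId` and `getWascId` become package-private `static int` while every other accessor in this commit, including `getRisk`, `getDescription` and `getSolution` in the hunks above and the same pair in InformationDisclosureReferrerScanRule, InsecureAuthenticationScanRule and MixedContentScanRule, becomes `private static`. Unless a same-package test relies on them, `private static int getCweId()` and `private static int getWascId()` keeps the accessibility consistent; if the package scope is intentional, a short comment saying why would prevent a later "fix".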
@@ -190,17 +190,17 @@ public int getPluginId() { return PLUGIN_ID; } - private boolean isEmailAddress(String emailAddress) { + private static boolean isEmailAddress(String emailAddress) { Matcher matcher = emailAddressPattern.matcher(emailAddress); return matcher.find(); } - private boolean isCreditCard(String creditCard) { + private static boolean isCreditCard(String creditCard) { Matcher matcher = creditCardPattern.matcher(creditCard); return matcher.find(); } - private boolean isUsSSN(String usSSN) { + private static boolean isUsSSN(String usSSN) { Matcher matcher = usSSNPattern.matcher(usSSN); return matcher.find(); } diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InformationDisclosureReferrerScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InformationDisclosureReferrerScanRule.java index 9da73283517..1ec18c9528c 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InformationDisclosureReferrerScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InformationDisclosureReferrerScanRule.java @@ -102,11 +102,11 @@ public void scanHttpRequestSend(HttpMessage msg, int id) { } } - private String getSsnOtherInfo() { + private static String getSsnOtherInfo() { return Constant.messages.getString(MESSAGE_PREFIX + "otherinfo.ssn"); } - private boolean isRequestedURLSameDomainAsHTTPReferrer(String host, String referrerURL) { + private static boolean isRequestedURLSameDomainAsHTTPReferrer(String host, String referrerURL) { boolean result = false; if (referrerURL.startsWith("/")) { result = true; 
@@ -151,7 +151,7 @@ private AlertBuilder buildCcAlert(String evidence, String other, BinRecord binRe .setWascId(getWascId()); } - private String getBinRecString(BinRecord binRec) { + private static String getBinRecString(BinRecord binRec) { StringBuilder recString = new StringBuilder(75); recString .append(Constant.messages.getString(MESSAGE_PREFIX + "bin.field")) @@ -175,7 +175,7 @@ private String getBinRecString(BinRecord binRec) { return recString.toString(); } - private List loadFile(String file) { + private static List loadFile(String file) { List strings = new ArrayList<>(); File f = new File(Constant.getZapHome() + File.separator + file); if (!f.exists()) { @@ -221,7 +221,7 @@ public int getPluginId() { return PLUGIN_ID; } - public int getRisk() { + private static int getRisk() { return Alert.RISK_INFO; } @@ -230,11 +230,11 @@ public String getName() { return Constant.messages.getString(MESSAGE_PREFIX + "name"); } - public String getDescription() { + private static String getDescription() { return Constant.messages.getString(MESSAGE_PREFIX + "desc"); } - public String getSolution() { + private static String getSolution() { return Constant.messages.getString(MESSAGE_PREFIX + "soln"); } @@ -243,15 +243,15 @@ public Map getAlertTags() { return ALERT_TAGS; } - public int getCweId() { + private static int getCweId() { return 200; // CWE Id 200 - Information Exposure } - public int getWascId() { + private static int getWascId() { return 13; // WASC Id - Info leakage } - private String doesContainEmailAddress(String emailAddress) { + private static String doesContainEmailAddress(String emailAddress) { Matcher matcher = emailAddressPattern.matcher(emailAddress); if (matcher.find()) { return matcher.group(); 
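Review bot: `loadFile(String file)` builds its path with `new File(Constant.getZapHome() + File.separator + file)`, while the `loadFile(Path path)` helper in InformationDisclosureDebugErrorsScanRule earlier in this commit takes a `Path` and calls `path.toFile()`. Now that both are static they look like candidates for one shared helper; at minimum, `File f = Paths.get(Constant.getZapHome(), file).toFile();` matches the sibling and drops the manual separator handling. The body continues past the hunk, so the reading side of the helper is not visible here.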
@@ -259,7 +259,7 @@ private String doesContainEmailAddress(String emailAddress) { return null; } - private String doesContainCreditCard(String creditCard) { + private static String doesContainCreditCard(String creditCard) { Matcher matcher = creditCardPattern.matcher(creditCard); if (matcher.find()) { String candidate = matcher.group(); @@ -270,7 +270,7 @@ private String doesContainCreditCard(String creditCard) { return null; } - private String doesContainUsSSN(String usSSN) { + private static String doesContainUsSSN(String usSSN) { Matcher matcher = usSSNPattern.matcher(usSSN); if (matcher.find()) { return matcher.group(); diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InformationDisclosureSuspiciousCommentsScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InformationDisclosureSuspiciousCommentsScanRule.java index a512ac12823..0747cf18817 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InformationDisclosureSuspiciousCommentsScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InformationDisclosureSuspiciousCommentsScanRule.java @@ -179,7 +179,7 @@ private static void recordAlertSummary( alertMap.computeIfAbsent(summary.getPattern(), k -> new ArrayList<>()).add(summary); } - private String truncateString(String str) { + private static String truncateString(String str) { if (str.length() > MAX_ELEMENT_CHRS_TO_REPORT) { return str.substring(0, MAX_ELEMENT_CHRS_TO_REPORT); } @@ -205,7 +205,7 @@ private List getPatterns() { return patterns; } - private List initPatterns() { + private static List initPatterns() { List targetPatterns = new ArrayList<>(); for (String payload : payloadProvider.get()) { targetPatterns.add(compilePayload(payload)); 
@@ -213,7 +213,7 @@ private List initPatterns() { return targetPatterns; } - private Pattern compilePayload(String payload) { + private static Pattern compilePayload(String payload) { return Pattern.compile("\\b" + payload + "\\b", Pattern.CASE_INSENSITIVE); } @@ -221,7 +221,7 @@ public static void setPayloadProvider(Supplier> provider) { payloadProvider = provider == null ? DEFAULT_PAYLOAD_PROVIDER : provider; } - public int getRisk() { + private static int getRisk() { return Alert.RISK_INFO; } @@ -230,11 +230,11 @@ public String getName() { return Constant.messages.getString(MESSAGE_PREFIX + "name"); } - public String getSolution() { + private static String getSolution() { return Constant.messages.getString(MESSAGE_PREFIX + "soln"); } - public String getDescription() { + private static String getDescription() { return Constant.messages.getString(MESSAGE_PREFIX + "desc"); } diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InsecureAuthenticationScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InsecureAuthenticationScanRule.java index 03f6f7e44ad..36f781202b5 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InsecureAuthenticationScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InsecureAuthenticationScanRule.java 
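Review bot: `compilePayload` concatenates `payload` directly into the regex `"\\b" + payload + "\\b"`, so a payload containing regex metacharacters changes the pattern's meaning or makes `initPatterns` throw `PatternSyntaxException`; the payloads come from `payloadProvider`, which `setPayloadProvider` lets callers replace, so this is reachable with a custom list. If payloads are meant as literal words, `return Pattern.compile("\\b" + Pattern.quote(payload) + "\\b", Pattern.CASE_INSENSITIVE);` keeps the word-boundary behaviour without that risk. If they are intentionally regex fragments, a Javadoc line on `setPayloadProvider` should state that contract.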
@@ -198,31 +198,25 @@ public void scanHttpRequestSend(HttpMessage msg, int id) { } // end of headers null check } // end of method - /** - * gets the plugin id - * - * @return - */ @Override public int getPluginId() { return 10105; } - /** gets the plugin name */ @Override public String getName() { return Constant.messages.getString("pscanrules.insecureauthentication.name"); } - public String getDescription() { + private static String getDescription() { return Constant.messages.getString("pscanrules.insecureauthentication.desc"); } - public String getSolution() { + private static String getSolution() { return Constant.messages.getString("pscanrules.insecureauthentication.soln"); } - public String getReference() { + private static String getReference() { return Constant.messages.getString("pscanrules.insecureauthentication.refs"); } @@ -231,11 +225,11 @@ public Map getAlertTags() { return ALERT_TAGS; } - public int getCweId() { + private static int getCweId() { return 326; // CWE Id - Inadequate Encryption Strength } - public int getWascId() { + private static int getWascId() { return 4; // WASC Id - Insufficient Transport Layer Protection } diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InsecureFormLoadScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InsecureFormLoadScanRule.java index 7140919f5c5..ae744c1a721 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InsecureFormLoadScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InsecureFormLoadScanRule.java @@ -71,7 +71,7 @@ public void scanHttpResponseReceive(HttpMessage msg, int id, Source source) { } } - private boolean isHttps(HttpMessage msg) { + private static boolean isHttps(HttpMessage msg) { return HttpHeader.HTTPS.equals(msg.getRequestHeader().getURI().getScheme()); } 
@@ -81,7 +81,7 @@ private boolean isHttps(HttpMessage msg) { // TODO: these methods have been extracted from CharsetMismatchScanner // I think we should create helper methods for them - private boolean isResponseHTML(HttpMessage message, Source source) { + private static boolean isResponseHTML(HttpMessage message, Source source) { String contentType = message.getResponseHeader().getHeader(HttpHeader.CONTENT_TYPE); if (contentType == null) { return false; @@ -109,11 +109,11 @@ public int getPluginId() { return 10041; } - private String getDescriptionMessage() { + private static String getDescriptionMessage() { return Constant.messages.getString(MESSAGE_PREFIX + "desc"); } - private String getSolutionMessage() { + private static String getSolutionMessage() { return Constant.messages.getString(MESSAGE_PREFIX + "soln"); } diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InsecureFormPostScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InsecureFormPostScanRule.java index 995ebe573bf..2d217934bc7 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InsecureFormPostScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InsecureFormPostScanRule.java @@ -71,7 +71,7 @@ public void scanHttpResponseReceive(HttpMessage msg, int id, Source source) { } } - private boolean isHttps(HttpMessage msg) { + private static boolean isHttps(HttpMessage msg) { String scheme = msg.getRequestHeader().getURI().getScheme(); if ("https".equals(scheme)) { return true; 
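Review bot: The `TODO` directly above `isResponseHTML` says the method was copied from CharsetMismatchScanRule and should become a shared helper; this commit makes all three copies (`CharsetMismatchScanRule`, `InsecureFormLoadScanRule`, `InsecureFormPostScanRule`) `private static`, which is exactly the shape a shared utility would take, yet leaves the duplication in place. Either fold them into one helper now or reword the TODO so it does not read as stale after this change. The method body continues past the hunk.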
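Review bot: `isHttps` in InsecureFormPostScanRule compares the scheme against the literal `"https"`, whereas the same-named method in InsecureFormLoadScanRule (the previous file in this commit) uses `HttpHeader.HTTPS.equals(msg.getRequestHeader().getURI().getScheme())`; the two should agree on the constant. The multi-line form here (`String scheme = …; if ("https".equals(scheme)) { return true;`, remainder outside the hunk) can likely collapse to `return HttpHeader.HTTPS.equals(msg.getRequestHeader().getURI().getScheme());`, unless the part past the hunk does more than return false.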
@@ -86,7 +86,7 @@ private boolean isHttps(HttpMessage msg) { // TODO: these methods have been extracted from CharsetMismatchScanner // I think we should create helper methods for them - private boolean isResponseHTML(HttpMessage message, Source source) { + private static boolean isResponseHTML(HttpMessage message, Source source) { String contentType = message.getResponseHeader().getHeader(HttpHeader.CONTENT_TYPE); if (contentType == null) { return false; @@ -114,11 +114,11 @@ public int getPluginId() { return 10042; } - private String getDescriptionMessage() { + private static String getDescriptionMessage() { return Constant.messages.getString(MESSAGE_PREFIX + "desc"); } - private String getSolutionMessage() { + private static String getSolutionMessage() { return Constant.messages.getString(MESSAGE_PREFIX + "soln"); } diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InsecureJsfViewStatePassiveScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InsecureJsfViewStatePassiveScanRule.java index f80181c3283..6c259686b1f 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InsecureJsfViewStatePassiveScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InsecureJsfViewStatePassiveScanRule.java @@ -137,7 +137,6 @@ private boolean isViewStateSecure(String viewState, String charset) { return true; } - // ///////////////////////////// // Base64 decode the ViewState and decompress ViewState from gzip format (the default), // or handle it as uncompressed (which is possible). // @@ -185,7 +184,7 @@ private static byte[] decompress(byte[] value) throws IOException { return output.toByteArray(); } - private boolean isRawViewStateSecure(String viewState) { + private static boolean isRawViewStateSecure(String viewState) { if (viewState == null || viewState.equals("")) { return true; } 
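Review bot: `viewState.equals("")` in `isRawViewStateSecure` is the long form of `isEmpty()`; `if (viewState == null || viewState.isEmpty()) {` reads more directly. The branch also reports a null or empty ViewState as secure, which is a deliberate-looking choice that deserves a one-line comment such as `// nothing to inspect, so nothing to flag`. The method body continues past the hunk.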
@@ -217,7 +216,7 @@ private void raiseAlert(HttpMessage msg, int id, String viewState) { // jsf server side implementation in com.sun.faces.renderkit.ServerSideStateHelper // two id's separated by : - private boolean isViewStateStoredOnServer(String val) { + private static boolean isViewStateStoredOnServer(String val) { return val != null && val.contains(":"); } diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/LinkTargetScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/LinkTargetScanRule.java index a0749f64730..e8988b2db18 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/LinkTargetScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/LinkTargetScanRule.java @@ -27,8 +27,6 @@ import net.htmlparser.jericho.Source; import org.apache.commons.httpclient.URI; import org.apache.commons.httpclient.URIException; -import org.apache.logging.log4j.LogManager; -import org.apache.logging.log4j.Logger; import org.parosproxy.paros.Constant; import org.parosproxy.paros.core.scanner.Alert; import org.parosproxy.paros.core.scanner.Plugin; @@ -60,8 +58,6 @@ public class LinkTargetScanRule extends PluginPassiveScanner implements CommonPa private Model model = null; - private static final Logger LOGGER = LogManager.getLogger(LinkTargetScanRule.class); - @Override public int getPluginId() { return 10108; @@ -177,15 +173,15 @@ public String getName() { return Constant.messages.getString(MESSAGE_PREFIX + "name"); } - private String getDescription() { + private static String getDescription() { return Constant.messages.getString(MESSAGE_PREFIX + "desc"); } - private String getSolution() { + private static String getSolution() { return Constant.messages.getString(MESSAGE_PREFIX + "soln"); } - private String getReference() { + private static String getReference() { return Constant.messages.getString(MESSAGE_PREFIX + "refs"); } 
diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/MixedContentScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/MixedContentScanRule.java index 9c5987f3ebf..b3d3973a92d 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/MixedContentScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/MixedContentScanRule.java @@ -143,15 +143,15 @@ public String getName() { return Constant.messages.getString(MESSAGE_PREFIX + "name"); } - public String getDescription() { + private static String getDescription() { return Constant.messages.getString(MESSAGE_PREFIX + "desc"); } - public String getSolution() { + private static String getSolution() { return Constant.messages.getString(MESSAGE_PREFIX + "soln"); } - public String getReference() { + private static String getReference() { return Constant.messages.getString(MESSAGE_PREFIX + "refs"); } @@ -160,11 +160,11 @@ public Map getAlertTags() { return ALERT_TAGS; } - public int getCweId() { + private static int getCweId() { return 311; // CWE Id 311 - Missing Encryption of Sensitive Data } - public int getWascId() { + private static int getWascId() { return 4; // WASC Id 4 - Insufficient Transport Layer Protection } diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/ModernAppDetectionScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/ModernAppDetectionScanRule.java index d027328f1c8..bf87924522f 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/ModernAppDetectionScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/ModernAppDetectionScanRule.java 
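Review bot: `getDescription`, `getSolution`, `getReference`, `getCweId` and `getWascId` in MixedContentScanRule are narrowed from `public` to `private static`, which is a source- and binary-incompatible change for any caller outside the class (a script, another add-on, or a test that read the rule's metadata), not just a tidy-up. The same narrowing is applied to the equivalent accessors in TimestampDisclosureScanRule, UsernameIdorScanRule, XAspNetVersionScanRule, XContentTypeOptionsScanRule, XDebugTokenScanRule and XPoweredByHeaderInfoLeakScanRule further down. If these were never meant to be API the change is reasonable, but it deserves a changelog line naming the rules whose public accessors went private rather than a generic maintenance entry, so a downstream consumer is not surprised at compile time.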
@@ -104,11 +104,11 @@ public int getPluginId() { return 10109; } - private String getDescription() { + private static String getDescription() { return Constant.messages.getString(MESSAGE_PREFIX + "desc"); } - private String getSolution() { + private static String getSolution() { return Constant.messages.getString(MESSAGE_PREFIX + "soln"); } diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/PiiScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/PiiScanRule.java index 6e1140cedc1..fcb096cf5d3 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/PiiScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/PiiScanRule.java @@ -180,7 +180,7 @@ private AlertBuilder createAlert(String evidence, String cardType, BinRecord bin .setWascId(13); // WASC-13: Information Leakage } - private String getBinRecString(BinRecord binRec) { + private static String getBinRecString(BinRecord binRec) { StringBuilder recString = new StringBuilder(75); recString .append(Constant.messages.getString(MESSAGE_PREFIX + "bin.field")) diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/RetrievedFromCacheScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/RetrievedFromCacheScanRule.java index 91eb6de5a4b..b51a7d32d25 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/RetrievedFromCacheScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/RetrievedFromCacheScanRule.java 
@@ -160,15 +160,15 @@ public String getName() { return Constant.messages.getString(MESSAGE_PREFIX + "name"); } - private String getDescription() { + private static String getDescription() { return Constant.messages.getString(MESSAGE_PREFIX + "desc"); } - private String getSolution() { + private static String getSolution() { return Constant.messages.getString(MESSAGE_PREFIX + "soln"); } - private String getReference() { + private static String getReference() { return Constant.messages.getString(MESSAGE_PREFIX + "refs"); } diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/StrictTransportSecurityScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/StrictTransportSecurityScanRule.java index f9e8029e65b..932403e6929 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/StrictTransportSecurityScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/StrictTransportSecurityScanRule.java @@ -193,7 +193,7 @@ public Map getAlertTags() { return ALERT_TAGS; } - private String getAlertElement(VulnType currentVT, String element) { + private static String getAlertElement(VulnType currentVT, String element) { String elementValue = ""; switch (currentVT) { case HSTS_MISSING: @@ -234,7 +234,7 @@ private String getAlertElement(VulnType currentVT, String element) { return elementValue; } - private int getRisk(VulnType currentVT) { + private static int getRisk(VulnType currentVT) { switch (currentVT) { case HSTS_MISSING: case HSTS_MAX_AGE_DISABLED: @@ -259,7 +259,7 @@ private int getRisk(VulnType currentVT) { * return {@code null}. * @see RFC 6797 Section 8.5 */ - private String getMetaHSTSEvidence(Source source) { + private static String getMetaHSTSEvidence(Source source) { List metaElements = source.getAllElements(HTMLElementName.META); String httpEquiv; 
diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/TimestampDisclosureScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/TimestampDisclosureScanRule.java index b328c3bc09a..45466df45f4 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/TimestampDisclosureScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/TimestampDisclosureScanRule.java @@ -204,19 +204,19 @@ public int getPluginId() { return 10096; } - public int getRisk() { + private static int getRisk() { return Alert.RISK_LOW; } - public String getDescription() { + private static String getDescription() { return Constant.messages.getString(MESSAGE_PREFIX + "desc"); } - public String getSolution() { + private static String getSolution() { return Constant.messages.getString(MESSAGE_PREFIX + "soln"); } - public String getReference() { + private static String getReference() { return Constant.messages.getString(MESSAGE_PREFIX + "refs"); } @@ -230,11 +230,11 @@ public Map getAlertTags() { return ALERT_TAGS; } - public int getCweId() { + private static int getCweId() { return 200; // CWE Id 200 - Information Exposure } - public int getWascId() { + private static int getWascId() { return 13; // WASC Id - Info leakage } diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/UserControlledCharsetScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/UserControlledCharsetScanRule.java index 51e8531a6d8..e4a5974765b 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/UserControlledCharsetScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/UserControlledCharsetScanRule.java 
@@ -119,7 +119,7 @@ private void checkMetaContentCharset( } // TODO: taken from CharsetMismatchScanner. Extract into helper method - private String getBodyContentCharset(String bodyContentType) { + private static String getBodyContentCharset(String bodyContentType) { // preconditions assert bodyContentType != null; @@ -176,7 +176,7 @@ private void checkContentTypeCharset(HttpMessage msg, int id, Set // TODO: these methods have been extracted from CharsetMismatchScanner // I think we should create helper methods for them - private boolean isResponseHTML(HttpMessage message, Source source) { + private static boolean isResponseHTML(HttpMessage message, Source source) { String contentType = message.getResponseHeader().getHeader(HttpHeader.CONTENT_TYPE); if (contentType == null) { return false; @@ -187,7 +187,7 @@ private boolean isResponseHTML(HttpMessage message, Source source) { || contentType.indexOf("application/xhtml") != -1; } - private boolean isResponseXML(Source source) { + private static boolean isResponseXML(Source source) { return source.isXML(); } @@ -213,15 +213,11 @@ public Map getAlertTags() { return ALERT_TAGS; } - /* - * Rule-associated messages - */ - - private String getDescriptionMessage() { + private static String getDescriptionMessage() { return Constant.messages.getString(MESSAGE_PREFIX + "desc"); } - private String getSolutionMessage() { + private static String getSolutionMessage() { return Constant.messages.getString(MESSAGE_PREFIX + "soln"); } diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/UserControlledCookieScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/UserControlledCookieScanRule.java index f351d641c23..f4cc2be8c5d 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/UserControlledCookieScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/UserControlledCookieScanRule.java 
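Review bot: The precondition `assert bodyContentType != null;` in `getBodyContentCharset` only executes when the JVM is started with `-ea`, so in a normal ZAP run a null argument passes the check silently and fails later, if at all, with a less useful stack trace. Now that the method is static with no instance context, an always-on guard costs nothing: `Objects.requireNonNull(bodyContentType, "bodyContentType");` (needs `import java.util.Objects;` if the file does not already have it), or an explicit `if (bodyContentType == null) { return null; }` if callers are expected to tolerate a lenient result. The body continues past the end of the hunk, so I cannot see how a null would actually be handled downstream.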
@@ -99,7 +99,7 @@ public void scanHttpResponseReceive(HttpMessage msg, int id, Source source) { // Cookies are commonly URL encoded, maybe other encodings. // TODO: apply other decodings? htmlDecode, etc. - private String decodeCookie(String cookie, String charset) { + private static String decodeCookie(String cookie, String charset) { if (charset != null) { try { return URLDecoder.decode(cookie, charset); @@ -178,23 +178,19 @@ public Map getAlertTags() { return ALERT_TAGS; } - /* - * Rule-associated messages - */ - - private String getDescriptionMessage() { + private static String getDescriptionMessage() { return Constant.messages.getString(MESSAGE_PREFIX + "desc"); } - private String getSolutionMessage() { + private static String getSolutionMessage() { return Constant.messages.getString(MESSAGE_PREFIX + "soln"); } - private String getReferenceMessage() { + private static String getReferenceMessage() { return Constant.messages.getString(MESSAGE_PREFIX + "refs"); } - private String getExtraInfoMessage(HttpMessage msg, HtmlParameter param, String cookie) { + private static String getExtraInfoMessage(HttpMessage msg, HtmlParameter param, String cookie) { String introMessage = ""; if ("GET".equalsIgnoreCase(msg.getRequestHeader().getMethod())) { introMessage = Constant.messages.getString(MESSAGE_PREFIX + "extrainfo.get"); diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/UserControlledHTMLAttributesScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/UserControlledHTMLAttributesScanRule.java index e9d9a2c52f5..0c58c75c1f9 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/UserControlledHTMLAttributesScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/UserControlledHTMLAttributesScanRule.java 
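Review bot: `decodeCookie` hands a cookie value taken from the scanned response to `URLDecoder.decode`, which throws `IllegalArgumentException` on a malformed escape such as a bare `%` or `%zz`, and which implements form encoding, so it also turns `+` into a space. The catch clause is outside the hunk; if it only handles `UnsupportedEncodingException`, a cookie containing a stray `%` aborts the rule for that message, so it should also cover the runtime failure and fall back to the raw value, e.g. `} catch (UnsupportedEncodingException | IllegalArgumentException e) { return cookie; }`. The `+`-to-space mapping can make the decoded cookie mis-match a request parameter that legitimately contains `+`; the `// TODO: apply other decodings?` comment above the method is the right place to record that caveat.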
@@ -232,7 +232,7 @@ private void checkHtmlAttribute( // TODO: these methods have been extracted from CharsetMismatchScanner // I think we should create helper methods for them - private boolean isResponseHTML(HttpMessage message, Source source) { + private static boolean isResponseHTML(HttpMessage message, Source source) { String contentType = message.getResponseHeader().getHeader(HttpHeader.CONTENT_TYPE); if (contentType == null) { return false; @@ -273,23 +273,19 @@ public Map getAlertTags() { return ALERT_TAGS; } - /* - * Rule-associated messages - */ - - private String getDescriptionMessage() { + private static String getDescriptionMessage() { return Constant.messages.getString(MESSAGE_PREFIX + "desc"); } - private String getSolutionMessage() { + private static String getSolutionMessage() { return Constant.messages.getString(MESSAGE_PREFIX + "soln"); } - private String getReferenceMessage() { + private static String getReferenceMessage() { return Constant.messages.getString(MESSAGE_PREFIX + "refs"); } - private String getExtraInfoMessage( + private static String getExtraInfoMessage( String url, String tag, String attr, HtmlParameter param, String userControlledValue) { return Constant.messages.getString( MESSAGE_PREFIX + "extrainfo", diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/UserControlledJavascriptEventScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/UserControlledJavascriptEventScanRule.java index 957e0da14d5..ef4eda94d9a 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/UserControlledJavascriptEventScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/UserControlledJavascriptEventScanRule.java 
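Review bot: `isResponseHTML` in UserControlledHTMLAttributesScanRule is made `static` but remains a private copy, while the same method, carrying the same `// TODO: these methods have been extracted from CharsetMismatchScanner` note, is duplicated in UserControlledCharsetScanRule, UserControlledJavascriptEventScanRule (there without the `Source` parameter) and both insecure-form-post rules touched by this diff. Making every copy static removes the last reason to keep them per class; a single package-private helper, e.g. `static boolean isResponseHtml(HttpMessage message)` in a small pscanrules utility class, would let the content-type matching be corrected in one place if it ever needs, say, case-insensitive handling. The `Source` parameter appears unused in the visible lines, but the method body continues outside the hunk, so that is only an impression.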
@@ -161,7 +161,7 @@ private void checkJavascriptEvent( // TODO: these methods have been extracted from CharsetMismatchScanner // I think we should create helper methods for them - private boolean isResponseHTML(HttpMessage message) { + private static boolean isResponseHTML(HttpMessage message) { String contentType = message.getResponseHeader().getHeader(HttpHeader.CONTENT_TYPE); if (contentType == null) { return false; @@ -196,23 +196,19 @@ public Map getAlertTags() { return ALERT_TAGS; } - /* - * Rule-associated messages - */ - - private String getDescriptionMessage() { + private static String getDescriptionMessage() { return Constant.messages.getString(MESSAGE_PREFIX + "desc"); } - private String getSolutionMessage() { + private static String getSolutionMessage() { return Constant.messages.getString(MESSAGE_PREFIX + "soln"); } - private String getReferenceMessage() { + private static String getReferenceMessage() { return Constant.messages.getString(MESSAGE_PREFIX + "refs"); } - private String getExtraInfoMessage( + private static String getExtraInfoMessage( String url, String attribute, String attributeValue, HtmlParameter param) { return Constant.messages.getString( MESSAGE_PREFIX + "extrainfo", url, attribute, attributeValue, param.getValue()); diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/UserControlledOpenRedirectScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/UserControlledOpenRedirectScanRule.java index 188c6d2f617..1d0e40fa2eb 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/UserControlledOpenRedirectScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/UserControlledOpenRedirectScanRule.java 
@@ -157,23 +157,19 @@ public Map getAlertTags() { return ALERT_TAGS; } - /* - * Rule-associated messages - */ - - private String getDescriptionMessage() { + private static String getDescriptionMessage() { return Constant.messages.getString(MESSAGE_PREFIX + "desc"); } - private String getSolutionMessage() { + private static String getSolutionMessage() { return Constant.messages.getString(MESSAGE_PREFIX + "soln"); } - private String getReferenceMessage() { + private static String getReferenceMessage() { return Constant.messages.getString(MESSAGE_PREFIX + "refs"); } - private String getExtraInfoMessage( + private static String getExtraInfoMessage( HttpMessage msg, String paramName, String paramValue, String responseLocation) { StringBuilder extraInfoSB = new StringBuilder(); if ("GET".equalsIgnoreCase(msg.getRequestHeader().getMethod())) { diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/UsernameIdorScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/UsernameIdorScanRule.java index 98994e35363..d660353804d 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/UsernameIdorScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/UsernameIdorScanRule.java @@ -144,7 +144,7 @@ public int getPluginId() { return PLUGIN_ID; } - public int getRisk() { + private static int getRisk() { return Alert.RISK_INFO; } 
@@ -153,19 +153,19 @@ public String getName() { return Constant.messages.getString(MESSAGE_PREFIX + "name"); } - public String getDescription(String username) { + private static String getDescription(String username) { return Constant.messages.getString(MESSAGE_PREFIX + "desc", username); } - public String getSolution() { + private static String getSolution() { return Constant.messages.getString(MESSAGE_PREFIX + "soln"); } - public String getReference() { + private static String getReference() { return Constant.messages.getString(MESSAGE_PREFIX + "refs"); } - private String getOtherinfo(String hashType, String hashValue) { + private static String getOtherinfo(String hashType, String hashValue) { return Constant.messages.getString(MESSAGE_PREFIX + "otherinfo", hashType, hashValue); } @@ -174,11 +174,11 @@ public Map getAlertTags() { return ALERT_TAGS; } - public int getCweId() { + private static int getCweId() { return 284; // CWE-284: Improper Access Control } - public int getWascId() { + private static int getWascId() { return 2; // WASC-02: Insufficient Authorization } diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/ViewstateScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/ViewstateScanRule.java index 2815457d6a4..e7784acd08a 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/ViewstateScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/ViewstateScanRule.java @@ -185,7 +185,7 @@ public String getName() { return Constant.messages.getString(MESSAGE_PREFIX + "name"); } - private String getSolution() { + private static String getSolution() { return Constant.messages.getString(MESSAGE_PREFIX + "soln"); } 
@@ -202,7 +202,7 @@ public int getWascId() { return 14; // WASC-14 - Server Misconfiguration } - private Map getHiddenFields(Source source) { + private static Map getHiddenFields(Source source) { List result = source.getAllStartTags("input"); // Searching for name only tags only makes sense for Asp.Net 1.1 websites diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/XAspNetVersionScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/XAspNetVersionScanRule.java index edd68463023..fe9ca470169 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/XAspNetVersionScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/XAspNetVersionScanRule.java @@ -81,7 +81,7 @@ public int getPluginId() { return 10061; } - public int getRisk() { + private static int getRisk() { return Alert.RISK_LOW; } @@ -95,11 +95,11 @@ public Map getAlertTags() { return ALERT_TAGS; } - public int getCweId() { + private static int getCweId() { return 933; // CWE-933: OWASP Top Ten 2013 Category A5 - Security Misconfiguration } - public int getWascId() { + private static int getWascId() { return 14; // WASC-14: Server Misconfiguration } diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/XBackendServerInformationLeakScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/XBackendServerInformationLeakScanRule.java index be9a905b5b2..003e16df8a3 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/XBackendServerInformationLeakScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/XBackendServerInformationLeakScanRule.java 
@@ -84,11 +84,11 @@ public String getName() { return Constant.messages.getString(MESSAGE_PREFIX + "name"); } - private String getDescription() { + private static String getDescription() { return Constant.messages.getString(MESSAGE_PREFIX + "desc"); } - private String getSolution() { + private static String getSolution() { return Constant.messages.getString(MESSAGE_PREFIX + "soln"); } diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/XChromeLoggerDataInfoLeakScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/XChromeLoggerDataInfoLeakScanRule.java index fd4711a7bc5..c3bdd3d060f 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/XChromeLoggerDataInfoLeakScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/XChromeLoggerDataInfoLeakScanRule.java @@ -51,9 +51,7 @@ public class XChromeLoggerDataInfoLeakScanRule extends PluginPassiveScanner public void scanHttpResponseReceive(HttpMessage msg, int id, Source source) { long start = System.currentTimeMillis(); - // Get the header(s) List xcldHeader = msg.getResponseHeader().getHeaderValues("X-ChromeLogger-Data"); - // Add any header(s) using the alternate name List xcpdHeader = msg.getResponseHeader().getHeaderValues("X-ChromePhp-Data"); List loggerHeaders = new ArrayList<>(2); 
@@ -83,19 +81,19 @@ public String getName() { return Constant.messages.getString(MESSAGE_PREFIX + "name"); } - private String getDescription() { + private static String getDescription() { return Constant.messages.getString(MESSAGE_PREFIX + "desc"); } - private String getSolution() { + private static String getSolution() { return Constant.messages.getString(MESSAGE_PREFIX + "soln"); } - private String getReference() { + private static String getReference() { return Constant.messages.getString(MESSAGE_PREFIX + "refs"); } - private String getOtherInfo(String headerValue) { + private static String getOtherInfo(String headerValue) { try { byte[] decodedByteArray = Base64.getDecoder().decode(headerValue); return Constant.messages.getString(MESSAGE_PREFIX + "otherinfo.msg") diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/XContentTypeOptionsScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/XContentTypeOptionsScanRule.java index 64a231b19a7..d7c4edc69da 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/XContentTypeOptionsScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/XContentTypeOptionsScanRule.java @@ -106,23 +106,23 @@ public int getPluginId() { return PLUGIN_ID; } - public int getRisk() { + private static int getRisk() { return Alert.RISK_LOW; } - public String getDescription() { + private static String getDescription() { return Constant.messages.getString(MESSAGE_PREFIX + "desc"); } - public String getOtherInfo() { + private static String getOtherInfo() { return Constant.messages.getString(MESSAGE_PREFIX + "otherinfo"); } - public String getSolution() { + private static String getSolution() { return Constant.messages.getString(MESSAGE_PREFIX + "soln"); } - public String getReference() { + private static String getReference() { return Constant.messages.getString(MESSAGE_PREFIX + "refs"); } 
@@ -131,11 +131,11 @@ public Map getAlertTags() { return ALERT_TAGS; } - public int getCweId() { + private static int getCweId() { return 693; // CWE-693: Protection Mechanism Failure } - public int getWascId() { + private static int getWascId() { return 15; // WASC-15: Application Misconfiguration } diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/XDebugTokenScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/XDebugTokenScanRule.java index b09b7dbc543..566909f2a69 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/XDebugTokenScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/XDebugTokenScanRule.java @@ -88,7 +88,7 @@ private AlertBuilder buildAlert(String evidence) { * @param header the name of the header field being looked for * @return boolean status of existence */ - private boolean responseHasHeader(HttpMessage msg, String header) { + private static boolean responseHasHeader(HttpMessage msg, String header) { return !msg.getResponseHeader().getHeaderValues(header).isEmpty(); } @@ -99,7 +99,7 @@ private boolean responseHasHeader(HttpMessage msg, String header) { * @param header the name of the header field(s) to be collected * @return list of the matched headers */ - private List getHeaders(HttpMessage msg, String header) { + private static List getHeaders(HttpMessage msg, String header) { List matchedHeaders = new ArrayList<>(); String headers = msg.getResponseHeader().toString(); String[] headerElements = headers.split("\\r\\n"); @@ -119,7 +119,7 @@ public int getPluginId() { return PLUGIN_ID; } - public int getRisk() { + private static int getRisk() { return Alert.RISK_LOW; } 
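Review bot: `getHeaders` in XDebugTokenScanRule re-parses the entire serialized response header via `msg.getResponseHeader().toString()` and `split("\\r\\n")`, while `responseHasHeader` a few lines above already answers the same question through `getHeaderValues(header)`, which presumably does the header-name matching for it. The split approach depends on the serialized form using CRLF and, as far as I can tell, on some per-line prefix match that lies past the end of the hunk; building the result from `msg.getResponseHeader().getHeaderValues(header)` would drop both the duplicate parsing and that dependence. `getXPoweredByHeaders` in XPoweredByHeaderInfoLeakScanRule, the next file in the diff, has the same shape and would benefit from the same change.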
@@ -128,19 +128,19 @@ public String getName() { return Constant.messages.getString(MESSAGE_PREFIX + "name"); } - public String getOtherInfo() { + private static String getOtherInfo() { return Constant.messages.getString(MESSAGE_PREFIX + "otherinfo"); } - public String getDescription() { + private static String getDescription() { return Constant.messages.getString(MESSAGE_PREFIX + "desc"); } - public String getSolution() { + private static String getSolution() { return Constant.messages.getString(MESSAGE_PREFIX + "soln"); } - public String getReference() { + private static String getReference() { return Constant.messages.getString(MESSAGE_PREFIX + "refs"); } @@ -149,11 +149,11 @@ public Map getAlertTags() { return ALERT_TAGS; } - public int getCweId() { + private static int getCweId() { return 200; // CWE Id 200 - Information Exposure } - public int getWascId() { + private static int getWascId() { return 13; // WASC Id - Info leakage } diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/XPoweredByHeaderInfoLeakScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/XPoweredByHeaderInfoLeakScanRule.java index 983d2454934..73e54441077 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/XPoweredByHeaderInfoLeakScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/XPoweredByHeaderInfoLeakScanRule.java @@ -69,7 +69,7 @@ public void scanHttpResponseReceive(HttpMessage msg, int id, Source source) { * @param msg Response Http message * @return boolean status of existence */ - private boolean isXPoweredByHeaderExist(HttpMessage msg) { + private static boolean isXPoweredByHeaderExist(HttpMessage msg) { return !msg.getResponseHeader().getHeaderValues(HEADER_NAME).isEmpty(); } 
@@ -79,7 +79,7 @@ private boolean isXPoweredByHeaderExist(HttpMessage msg) { * @param msg Response Http message * @return list of the matched headers */ - private List getXPoweredByHeaders(HttpMessage msg) { + private static List getXPoweredByHeaders(HttpMessage msg) { List matchedHeaders = new ArrayList<>(); String headers = msg.getResponseHeader().toString(); String[] headerElements = headers.split("\\r\\n"); @@ -123,7 +123,7 @@ public int getPluginId() { return PLUGIN_ID; } - public int getRisk() { + private static int getRisk() { return Alert.RISK_LOW; } @@ -132,15 +132,15 @@ public String getName() { return Constant.messages.getString(MESSAGE_PREFIX + "name"); } - public String getDescription() { + private static String getDescription() { return Constant.messages.getString(MESSAGE_PREFIX + "desc"); } - public String getSolution() { + private static String getSolution() { return Constant.messages.getString(MESSAGE_PREFIX + "soln"); } - public String getReference() { + private static String getReference() { return Constant.messages.getString(MESSAGE_PREFIX + "refs"); } @@ -149,11 +149,11 @@ public Map getAlertTags() { return ALERT_TAGS; } - public int getCweId() { + private static int getCweId() { return 200; // CWE Id 200 - Information Exposure } - public int getWascId() { + private static int getWascId() { return 13; // WASC Id - Info leakage } diff --git a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/ContentSecurityPolicyScanRuleUnitTest.java b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/ContentSecurityPolicyScanRuleUnitTest.java index e7dd549c311..b3e1f1fd107 100644 --- a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/ContentSecurityPolicyScanRuleUnitTest.java +++ b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/ContentSecurityPolicyScanRuleUnitTest.java 
@@ -653,15 +653,15 @@ void shouldAlertOnReasonableCspWhichIncludesPrefetchsrc() { is(equalTo("Warnings:\nThe prefetch-src directive has been deprecated\n"))); } - private HttpMessage createHttpMessageWithReasonableCsp(String cspHeaderName) { + private static HttpMessage createHttpMessageWithReasonableCsp(String cspHeaderName) { return createHttpMessage(cspHeaderName, REASONABLE_POLICY); } - private HttpMessage createHttpMessage(String cspPolicy) { + private static HttpMessage createHttpMessage(String cspPolicy) { return createHttpMessage(HttpFieldsNames.CONTENT_SECURITY_POLICY, cspPolicy); } - private HttpMessage createHttpMessage(String cspHeaderName, String cspPolicy) { + private static HttpMessage createHttpMessage(String cspHeaderName, String cspPolicy) { HttpMessage msg = new HttpMessage(); String header = @@ -689,7 +689,7 @@ private HttpMessage createHttpMessage(String cspHeaderName, String cspPolicy) { return msg; } - private HttpMessage createHttpMessage() { + private static HttpMessage createHttpMessage() { HttpMessage msg = new HttpMessage(); try { msg.setRequestHeader("GET https://www.example.com/test/ HTTP/1.1"); diff --git a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/ContentTypeMissingScanRuleUnitTest.java b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/ContentTypeMissingScanRuleUnitTest.java index 48fb837d3d1..0d5036b5517 100644 --- a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/ContentTypeMissingScanRuleUnitTest.java +++ b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/ContentTypeMissingScanRuleUnitTest.java 
@@ -40,7 +40,7 @@ protected ContentTypeMissingScanRule createScanner() { return new ContentTypeMissingScanRule(); } - private HttpMessage createMessage() throws HttpMalformedHeaderException { + private static HttpMessage createMessage() throws HttpMalformedHeaderException { HttpMessage msg = new HttpMessage(); msg.setRequestHeader("GET https://www.example.com/test/ HTTP/1.1"); diff --git a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/CookieLooselyScopedScanRuleUnitTest.java b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/CookieLooselyScopedScanRuleUnitTest.java index d982fcd9d06..6aeb3efcee8 100644 --- a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/CookieLooselyScopedScanRuleUnitTest.java +++ b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/CookieLooselyScopedScanRuleUnitTest.java @@ -62,7 +62,7 @@ protected CookieLooselyScopedScanRule createScanner() { return rule; } - private HttpMessage createBasicMessage() throws HttpMalformedHeaderException { + private static HttpMessage createBasicMessage() throws HttpMalformedHeaderException { HttpMessage msg = new HttpMessage(); msg.setResponseHeader("HTTP/1.1 200 OK\r\n" + "Server: Apache-Coyote/1.1\r\n"); diff --git a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/CsrfCountermeasuresScanRuleUnitTest.java b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/CsrfCountermeasuresScanRuleUnitTest.java index 90e9e5462c7..b5e3482f203 100644 --- a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/CsrfCountermeasuresScanRuleUnitTest.java +++ b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/CsrfCountermeasuresScanRuleUnitTest.java @@ -461,7 +461,7 @@ void formWithoutAntiCsrfToken() { "
"); } - private HttpMessage createScopedMessage(boolean isInScope) throws URIException { + private static HttpMessage createScopedMessage(boolean isInScope) throws URIException { HttpMessage newMsg = new HttpMessage() { @Override diff --git a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/DirectoryBrowsingScanRuleUnitTest.java b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/DirectoryBrowsingScanRuleUnitTest.java index 3666a88d064..51af0ccd859 100644 --- a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/DirectoryBrowsingScanRuleUnitTest.java +++ b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/DirectoryBrowsingScanRuleUnitTest.java @@ -37,7 +37,7 @@ class DirectoryBrowsingScanRuleUnitTest extends PassiveScannerTest { - private HttpMessage createMessage() throws URIException { + private static HttpMessage createMessage() throws URIException { HttpRequestHeader requestHeader = new HttpRequestHeader(); requestHeader.setURI(new URI("http://example.com", false)); diff --git a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/HashDisclosureScanRuleUnitTest.java b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/HashDisclosureScanRuleUnitTest.java index 278c10fca07..b32a67dcca3 100644 --- a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/HashDisclosureScanRuleUnitTest.java +++ b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/HashDisclosureScanRuleUnitTest.java 
@@ -177,7 +177,7 @@ public void shouldHaveValidReferences() { super.shouldHaveValidReferences(); } - private HttpMessage createMsg(String hashVal) throws HttpMalformedHeaderException { + private static HttpMessage createMsg(String hashVal) throws HttpMalformedHeaderException { HttpMessage msg = new HttpMessage(); msg.setRequestHeader("GET https://www.example.com/test/ HTTP/1.1"); msg.setResponseHeader("HTTP/1.1 200 OK\r\n" + "Server: Apache-Coyote/1.1\r\n"); diff --git a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/InfoPrivateAddressDisclosureScanRuleUnitTest.java b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/InfoPrivateAddressDisclosureScanRuleUnitTest.java index a336b10c23d..9e7373a71fb 100644 --- a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/InfoPrivateAddressDisclosureScanRuleUnitTest.java +++ b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/InfoPrivateAddressDisclosureScanRuleUnitTest.java @@ -408,11 +408,11 @@ private static void validateAlert(String requestUri, Alert alert) { assertThat(alert.getUri(), equalTo(requestUri)); } - private HttpMessage createHttpMessage(String body) throws HttpMalformedHeaderException { + private static HttpMessage createHttpMessage(String body) throws HttpMalformedHeaderException { return createHttpMessage(URI, body); } - private HttpMessage createHttpMessage(String requestUri, String body) + private static HttpMessage createHttpMessage(String requestUri, String body) throws HttpMalformedHeaderException { HttpMessage msg = new HttpMessage(); requestUri = requestUri.startsWith("http") ? requestUri : "http://" + requestUri; diff --git a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/InfoSessionIdUrlScanRuleUnitTest.java b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/InfoSessionIdUrlScanRuleUnitTest.java index f7bf99d6a24..732469852ba 100644 
--- a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/InfoSessionIdUrlScanRuleUnitTest.java +++ b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/InfoSessionIdUrlScanRuleUnitTest.java @@ -483,7 +483,7 @@ void ignoreExposureToBookmark() throws HttpMalformedHeaderException, URIExceptio assertEquals(1, alertsRaised.size()); } - private void setUpHttpSessionsParam() { + private static void setUpHttpSessionsParam() { OptionsParam options = Model.getSingleton().getOptionsParam(); options.load(new ZapXmlConfiguration()); HttpSessionsParam httpSessions = new HttpSessionsParam(); diff --git a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/InformationDisclosureDebugErrorsScanRuleUnitTest.java b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/InformationDisclosureDebugErrorsScanRuleUnitTest.java index 9cf5e394bb3..102901275df 100644 --- a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/InformationDisclosureDebugErrorsScanRuleUnitTest.java +++ b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/InformationDisclosureDebugErrorsScanRuleUnitTest.java @@ -92,12 +92,8 @@ protected HttpMessage createHttpMessageWithRespBody(String responseBody) @Test void shouldReturnExpectedMappings() { // Given / When - int cwe = rule.getCweId(); - int wasc = rule.getWascId(); Map tags = rule.getAlertTags(); // Then - assertThat(cwe, is(equalTo(200))); - assertThat(wasc, is(equalTo(13))); assertThat(tags.size(), is(equalTo(3))); assertThat( tags.containsKey(CommonAlertTag.OWASP_2021_A01_BROKEN_AC.getTag()), @@ -127,6 +123,8 @@ void shouldHaveExpectedExampleAlert() { Alert alert = alerts.get(0); assertThat(alert.getRisk(), is(equalTo(Alert.RISK_LOW))); assertThat(alert.getConfidence(), is(equalTo(Alert.CONFIDENCE_MEDIUM))); + assertThat(alert.getCweId(), is(equalTo(200))); + assertThat(alert.getWascId(), is(equalTo(13))); } @Test 
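Review bot: `shouldReturnExpectedMappings` in InformationDisclosureDebugErrorsScanRuleUnitTest now verifies only the alert-tag map, so its name and the `// Given / When` comment promise more than the test checks; the CWE/WASC mapping moved into `shouldHaveExpectedExampleAlert`. Consider renaming it to `shouldReturnExpectedAlertTags`, or adding `// CWE/WASC ids are asserted per alert in shouldHaveExpectedExampleAlert` so the split is visibly deliberate. The same restructuring appears in the InformationDisclosureReferrer, InsecureAuthentication, MixedContent, UsernameIdor, XAspNetVersion, XContentTypeOption, XDebugToken and XPoweredByHeaderInfoLeak unit tests, and in the test asserting the "Timestamp Disclosure - Unix" alert whose file header is lost in the rendering. InsecureAuthentication shows why per-alert assertions are the right level: its two example alerts carry different ids (287/1 and 326/4), which a single rule-level getter could never express.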
diff --git a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/InformationDisclosureReferrerScanRuleUnitTest.java b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/InformationDisclosureReferrerScanRuleUnitTest.java index acdabe8ec1e..dfccf1ebea0 100644 --- a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/InformationDisclosureReferrerScanRuleUnitTest.java +++ b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/InformationDisclosureReferrerScanRuleUnitTest.java @@ -90,12 +90,8 @@ public void setUpZap() throws Exception { @Test void shouldReturnExpectedMappings() { // Given / When - int cwe = rule.getCweId(); - int wasc = rule.getWascId(); Map tags = rule.getAlertTags(); // Then - assertThat(cwe, is(equalTo(200))); - assertThat(wasc, is(equalTo(13))); assertThat(tags.size(), is(equalTo(2))); assertThat( tags.containsKey(CommonAlertTag.OWASP_2021_A01_BROKEN_AC.getTag()), @@ -120,6 +116,8 @@ void shouldHaveExpectedExampleAlert() { Alert alert = alerts.get(0); assertThat(alert.getRisk(), is(equalTo(Alert.RISK_INFO))); assertThat(alert.getConfidence(), is(equalTo(Alert.CONFIDENCE_MEDIUM))); + assertThat(alert.getCweId(), is(equalTo(200))); + assertThat(alert.getWascId(), is(equalTo(13))); } @Test diff --git a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/InsecureAuthenticationScanRuleUnitTest.java b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/InsecureAuthenticationScanRuleUnitTest.java index 66377f1efa7..a9800598ae8 100644 --- a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/InsecureAuthenticationScanRuleUnitTest.java +++ b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/InsecureAuthenticationScanRuleUnitTest.java 
@@ -59,12 +59,8 @@ protected InsecureAuthenticationScanRule createScanner() { @Test void shouldReturnExpectedMappings() { // Given / When - int cwe = rule.getCweId(); - int wasc = rule.getWascId(); Map tags = rule.getAlertTags(); // Then - assertThat(cwe, is(equalTo(326))); - assertThat(wasc, is(equalTo(4))); assertThat(tags.size(), is(equalTo(5))); assertThat( tags.containsKey(CommonAlertTag.OWASP_2021_A01_BROKEN_AC.getTag()), @@ -106,8 +102,12 @@ void shouldHaveExpectedExampleAlerts() { assertThat(alerts.size(), is(equalTo(2))); Alert capturedAlert = alerts.get(0); assertThat(capturedAlert.getAlertRef(), is(equalTo("10105-1"))); + assertThat(capturedAlert.getCweId(), is(equalTo(287))); + assertThat(capturedAlert.getWascId(), is(equalTo(1))); Alert weakAlert = alerts.get(1); assertThat(weakAlert.getAlertRef(), is(equalTo("10105-2"))); + assertThat(weakAlert.getCweId(), is(equalTo(326))); + assertThat(weakAlert.getWascId(), is(equalTo(4))); } @Test diff --git a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/InsecureFormLoadScanRuleUnitTest.java b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/InsecureFormLoadScanRuleUnitTest.java index b01a4d3ee6a..74ee4f81b6a 100644 --- a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/InsecureFormLoadScanRuleUnitTest.java +++ b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/InsecureFormLoadScanRuleUnitTest.java @@ -40,7 +40,7 @@ class InsecureFormLoadScanRuleUnitTest extends PassiveScannerTest { - private HttpMessage createMessage() throws URIException { + private static HttpMessage createMessage() throws URIException { HttpRequestHeader requestHeader = new HttpRequestHeader(); requestHeader.setURI(new URI("http://example.com", false)); 
diff --git a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/InsecureFormPostScanRuleUnitTest.java b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/InsecureFormPostScanRuleUnitTest.java index 2015f5b042c..e161e9be743 100644 --- a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/InsecureFormPostScanRuleUnitTest.java +++ b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/InsecureFormPostScanRuleUnitTest.java @@ -40,7 +40,7 @@ class InsecureFormPostScanRuleUnitTest extends PassiveScannerTest { - private HttpMessage createMessage() throws URIException { + private static HttpMessage createMessage() throws URIException { HttpRequestHeader requestHeader = new HttpRequestHeader(); requestHeader.setURI(new URI("https://example.com", false)); diff --git a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/InsecureJsfViewStatePassiveScanRuleUnitTest.java b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/InsecureJsfViewStatePassiveScanRuleUnitTest.java index ae86dd38ee2..ef0894c5bf1 100644 --- a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/InsecureJsfViewStatePassiveScanRuleUnitTest.java +++ b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/InsecureJsfViewStatePassiveScanRuleUnitTest.java @@ -264,7 +264,8 @@ private static byte[] gzipCompress(byte[] value) throws IOException { return output.toByteArray(); } - private void setTextHtmlResponseHeader(HttpMessage msg) throws HttpMalformedHeaderException { + private static void setTextHtmlResponseHeader(HttpMessage msg) + throws HttpMalformedHeaderException { msg.setResponseHeader( "HTTP/1.1 200 OK\r\n" + "Server: Apache-Coyote/1.1\r\n" 
diff --git a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/LinkTargetScanRuleUnitTest.java b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/LinkTargetScanRuleUnitTest.java index ae99a55752b..046b3afabb4 100644 --- a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/LinkTargetScanRuleUnitTest.java +++ b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/LinkTargetScanRuleUnitTest.java @@ -71,7 +71,7 @@ protected LinkTargetScanRule createScanner() { return rule; } - private String getHeader(String contentType, int bodyLength) { + private static String getHeader(String contentType, int bodyLength) { return "HTTP/1.1 200 OK\r\n" + "Content-Type: " + contentType diff --git a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/MixedContentScanRuleUnitTest.java b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/MixedContentScanRuleUnitTest.java index 07b11643e61..42b85c2aabf 100644 --- a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/MixedContentScanRuleUnitTest.java +++ b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/MixedContentScanRuleUnitTest.java @@ -46,12 +46,8 @@ protected MixedContentScanRule createScanner() { @Test void shouldReturnExpectedMappings() { // Given / When - int cwe = rule.getCweId(); - int wasc = rule.getWascId(); Map tags = rule.getAlertTags(); // Then - assertThat(cwe, is(equalTo(311))); - assertThat(wasc, is(equalTo(4))); assertThat(tags.size(), is(equalTo(3))); assertThat( tags.containsKey(CommonAlertTag.OWASP_2021_A05_SEC_MISCONFIG.getTag()), @@ -79,6 +75,9 @@ void shouldHaveExpectedExampleAlert() { List alerts = rule.getExampleAlerts(); // THen assertThat(alerts.size(), is(equalTo(1))); + Alert alert = alerts.get(0); + assertThat(alert.getCweId(), is(equalTo(311))); + assertThat(alert.getWascId(), is(equalTo(4))); } @Test 
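Review bot: The new `Alert alert = alerts.get(0);` and CWE/WASC assertions in MixedContentScanRuleUnitTest sit directly under a `// THen` comment that should read `// Then`; the same typo precedes the equivalent added lines in XDebugTokenScanRuleUnitTest. Since the commit already edits both methods, fixing the comment is a cheap drive-by that keeps the Given/When/Then markers greppable.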
diff --git a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/PiiScanRuleUnitTest.java b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/PiiScanRuleUnitTest.java index d6f6b523f97..d7fa17312a5 100644 --- a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/PiiScanRuleUnitTest.java +++ b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/PiiScanRuleUnitTest.java @@ -484,7 +484,7 @@ public void shouldHaveValidReferences() { super.shouldHaveValidReferences(); } - private HttpMessage createMsg(String cardNumber) throws HttpMalformedHeaderException { + private static HttpMessage createMsg(String cardNumber) throws HttpMalformedHeaderException { HttpMessage msg = new HttpMessage(); msg.setRequestHeader("GET https://www.example.com/test/ HTTP/1.1"); msg.setResponseHeader( diff --git a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/RetrievedFromCacheScanRuleUnitTest.java b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/RetrievedFromCacheScanRuleUnitTest.java index b49f01c1192..918609b785b 100644 --- a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/RetrievedFromCacheScanRuleUnitTest.java +++ b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/RetrievedFromCacheScanRuleUnitTest.java @@ -38,7 +38,7 @@ class RetrievedFromCacheScanRuleUnitTest extends PassiveScannerTest tags = rule.getAlertTags(); // Then - assertThat(cwe, is(equalTo(200))); - assertThat(wasc, is(equalTo(13))); assertThat(tags.size(), is(equalTo(2))); assertThat( tags.containsKey(CommonAlertTag.OWASP_2021_A01_BROKEN_AC.getTag()), @@ -85,6 +81,8 @@ void shouldHaveExpectedExampleAlert() { Alert alert = alerts.get(0); assertThat(alert.getName(), is(equalTo("Timestamp Disclosure - Unix"))); assertThat(alert.getParam(), is(equalTo("registeredAt"))); + assertThat(alert.getCweId(), is(equalTo(200))); + assertThat(alert.getWascId(), is(equalTo(13))); } @Test 
diff --git a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/UsernameIdorScanRuleUnitTest.java b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/UsernameIdorScanRuleUnitTest.java index feb04c92351..217cddf1645 100644 --- a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/UsernameIdorScanRuleUnitTest.java +++ b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/UsernameIdorScanRuleUnitTest.java @@ -73,12 +73,8 @@ protected UsernameIdorScanRule createScanner() { @Test void shouldReturnExpectedMappings() { // Given / When - int cwe = rule.getCweId(); - int wasc = rule.getWascId(); Map tags = rule.getAlertTags(); // Then - assertThat(cwe, is(equalTo(284))); - assertThat(wasc, is(equalTo(2))); assertThat(tags.size(), is(equalTo(3))); assertThat( tags.containsKey(CommonAlertTag.OWASP_2021_A01_BROKEN_AC.getTag()), @@ -114,6 +110,8 @@ void shouldReturnExpectedExampleAlert() { assertThat(tags, hasKey(CommonAlertTag.CUSTOM_PAYLOADS.getTag())); assertThat(alert.getRisk(), is(equalTo(Alert.RISK_INFO))); assertThat(alert.getConfidence(), is(equalTo(Alert.CONFIDENCE_HIGH))); + assertThat(alert.getCweId(), is(equalTo(284))); + assertThat(alert.getWascId(), is(equalTo(2))); } @Test diff --git a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/ViewStateScanRuleUnitTest.java b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/ViewStateScanRuleUnitTest.java index 942d16a666d..590bba306f6 100644 --- a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/ViewStateScanRuleUnitTest.java +++ b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/ViewStateScanRuleUnitTest.java 
@@ -253,7 +253,7 @@ void shouldRaiseAlertAsViewstateIsSplit() { * @param inject the string to inject * @return a base64 encoded string with the inject value injected at byte 40. */ - private String getViewstateWithText(String inject) { + private static String getViewstateWithText(String inject) { String base = "/wEPDwUJODczNjQ5OTk0D2QWAgIDD2QWAgIFDw8WAh4EVGV4dAUWSSBMb3ZlIERvdG5ldEN1cnJ5LmNvbWRkZMHbBY9JqBTvB5/6kXnY15AUSAwa"; byte[] decoded; diff --git a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/XAspNetVersionScanRuleUnitTest.java b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/XAspNetVersionScanRuleUnitTest.java index 34fe89993a0..e439e4eb162 100644 --- a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/XAspNetVersionScanRuleUnitTest.java +++ b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/XAspNetVersionScanRuleUnitTest.java @@ -42,12 +42,8 @@ protected XAspNetVersionScanRule createScanner() { @Test void shouldReturnExpectedMappings() { // Given / When - int cwe = rule.getCweId(); - int wasc = rule.getWascId(); Map tags = rule.getAlertTags(); // Then - assertThat(cwe, is(equalTo(933))); - assertThat(wasc, is(equalTo(14))); assertThat(tags.size(), is(equalTo(3))); assertThat( tags.containsKey(CommonAlertTag.OWASP_2021_A05_SEC_MISCONFIG.getTag()), @@ -119,6 +115,8 @@ void shouldReturnExpectedExampleAlert() { assertThat( alert.getDescription(), equalTo(Constant.messages.getString(MESSAGE_PREFIX + "desc"))); + assertThat(alert.getCweId(), is(equalTo(933))); + assertThat(alert.getWascId(), is(equalTo(14))); } @Test 
@@ -127,7 +125,7 @@ public void shouldHaveValidReferences() { super.shouldHaveValidReferences(); } - private HttpMessage createMessage(String header) throws HttpMalformedHeaderException { + private static HttpMessage createMessage(String header) throws HttpMalformedHeaderException { HttpMessage msg = new HttpMessage(); msg.setRequestHeader("GET http://www.example.com/test/ HTTP/1.1"); diff --git a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/XBackendServerInformationLeakScanRuleUnitTest.java b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/XBackendServerInformationLeakScanRuleUnitTest.java index b1333447b2a..a681a4e0567 100644 --- a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/XBackendServerInformationLeakScanRuleUnitTest.java +++ b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/XBackendServerInformationLeakScanRuleUnitTest.java @@ -40,7 +40,7 @@ class XBackendServerInformationLeakScanRuleUnitTest private static final String XBS_HEADER = "X-Backend-Server"; private static final String HEADER_VALUE = "developer1.webapp.scl3.mozilla.com"; - private HttpMessage createMessage() throws URIException { + private static HttpMessage createMessage() throws URIException { HttpRequestHeader requestHeader = new HttpRequestHeader(); requestHeader.setURI(new URI("http://example.com", false)); diff --git a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/XChromeLoggerDataInfoLeakScanRuleUnitTest.java b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/XChromeLoggerDataInfoLeakScanRuleUnitTest.java index ed80098e9ec..c9e9d370a33 100644 --- a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/XChromeLoggerDataInfoLeakScanRuleUnitTest.java +++ b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/XChromeLoggerDataInfoLeakScanRuleUnitTest.java 
@@ -53,7 +53,7 @@ class XChromeLoggerDataInfoLeakScanRuleUnitTest + "ZWN1cml0eUNvbnRleHQgd2l0aCBhbiBhbm9ueW1vdXMgVG9rZW4iLCJ1bmtub" + "3duIiwiaW5mbyJdXSwicmVxdWVzdF91cmkiOiJcL2xvZ2luIn0="; - private HttpMessage createMessage() throws URIException { + private static HttpMessage createMessage() throws URIException { HttpRequestHeader requestHeader = new HttpRequestHeader(); requestHeader.setURI(new URI("http://example.com", false)); diff --git a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/XContentTypeOptionScanRuleUnitTest.java b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/XContentTypeOptionScanRuleUnitTest.java index 6d92916fef3..fe1baa5d6fe 100644 --- a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/XContentTypeOptionScanRuleUnitTest.java +++ b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/XContentTypeOptionScanRuleUnitTest.java @@ -48,12 +48,8 @@ protected XContentTypeOptionsScanRule createScanner() { @Test void shouldReturnExpectedMappings() { // Given / When - int cwe = rule.getCweId(); - int wasc = rule.getWascId(); Map tags = rule.getAlertTags(); // Then - assertThat(cwe, is(equalTo(693))); - assertThat(wasc, is(equalTo(15))); assertThat(tags.size(), is(equalTo(2))); assertThat( tags.containsKey(CommonAlertTag.OWASP_2021_A05_SEC_MISCONFIG.getTag()), @@ -80,6 +76,8 @@ void shouldHaveExpectedExampleAlert() { assertTrue(StringUtils.isNotBlank(alert.getSolution())); assertTrue(StringUtils.isNotBlank(alert.getOtherInfo())); assertTrue(StringUtils.isNotBlank(alert.getReference())); + assertThat(alert.getCweId(), is(equalTo(693))); + assertThat(alert.getWascId(), is(equalTo(15))); } @Test diff --git a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/XDebugTokenScanRuleUnitTest.java b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/XDebugTokenScanRuleUnitTest.java index 61754af785b..92da305a4d2 100644 
--- a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/XDebugTokenScanRuleUnitTest.java +++ b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/XDebugTokenScanRuleUnitTest.java @@ -41,7 +41,7 @@ protected XDebugTokenScanRule createScanner() { return new XDebugTokenScanRule(); } - private HttpMessage createMessage() throws HttpMalformedHeaderException { + private static HttpMessage createMessage() throws HttpMalformedHeaderException { HttpMessage msg = new HttpMessage(); msg.setRequestHeader("GET https://www.example.com/test/ HTTP/1.1"); msg.setResponseHeader("HTTP/1.1 200 OK\r\n" + "Server: Apache-Coyote/1.1\r\n"); @@ -52,12 +52,8 @@ private HttpMessage createMessage() throws HttpMalformedHeaderException { @Test void shouldReturnExpectedMappings() { // Given / When - int cwe = rule.getCweId(); - int wasc = rule.getWascId(); Map tags = rule.getAlertTags(); // Then - assertThat(cwe, is(equalTo(200))); - assertThat(wasc, is(equalTo(13))); assertThat(tags.size(), is(equalTo(3))); assertThat( tags.containsKey(CommonAlertTag.OWASP_2021_A01_BROKEN_AC.getTag()), @@ -84,6 +80,9 @@ void shouldHaveExpectedExampleAlert() { List alerts = rule.getExampleAlerts(); // THen assertThat(alerts.size(), is(equalTo(1))); + Alert alert = alerts.get(0); + assertThat(alert.getCweId(), is(equalTo(200))); + assertThat(alert.getWascId(), is(equalTo(13))); } @Test diff --git a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/XPoweredByHeaderInfoLeakScanRuleUnitTest.java b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/XPoweredByHeaderInfoLeakScanRuleUnitTest.java index 096d12ec80b..eda0876b446 100644 --- a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/XPoweredByHeaderInfoLeakScanRuleUnitTest.java +++ b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/XPoweredByHeaderInfoLeakScanRuleUnitTest.java 
@@ -46,12 +46,8 @@ protected XPoweredByHeaderInfoLeakScanRule createScanner() { @Test void shouldReturnExpectedMappings() { // Given / When - int cwe = rule.getCweId(); - int wasc = rule.getWascId(); Map tags = rule.getAlertTags(); // Then - assertThat(cwe, is(equalTo(200))); - assertThat(wasc, is(equalTo(13))); assertThat(tags.size(), is(equalTo(3))); assertThat( tags.containsKey(CommonAlertTag.OWASP_2021_A01_BROKEN_AC.getTag()), @@ -83,6 +79,8 @@ void shouldHaveExpectedExampleAlert() { Alert alert = alerts.get(0); assertThat(alert.getRisk(), is(equalTo(Alert.RISK_LOW))); assertThat(alert.getConfidence(), is(equalTo(Alert.CONFIDENCE_MEDIUM))); + assertThat(alert.getCweId(), is(equalTo(200))); + assertThat(alert.getWascId(), is(equalTo(13))); } @Test diff --git a/addOns/pscanrulesAlpha/CHANGELOG.md b/addOns/pscanrulesAlpha/CHANGELOG.md index ba823773dc8..6d2b22c1e4e 100644 --- a/addOns/pscanrulesAlpha/CHANGELOG.md +++ b/addOns/pscanrulesAlpha/CHANGELOG.md @@ -6,6 +6,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). ## Unreleased ### Changed - Update minimum ZAP version to 2.15.0. +- Maintenance changes. ### Fixed - Alert text for various rules has been updated to more consistently use periods and spaces in a uniform manner. diff --git a/addOns/pscanrulesAlpha/src/main/java/org/zaproxy/zap/extension/pscanrulesAlpha/Base64Disclosure.java b/addOns/pscanrulesAlpha/src/main/java/org/zaproxy/zap/extension/pscanrulesAlpha/Base64Disclosure.java index 89708443850..3528a2d1437 100644 --- a/addOns/pscanrulesAlpha/src/main/java/org/zaproxy/zap/extension/pscanrulesAlpha/Base64Disclosure.java +++ b/addOns/pscanrulesAlpha/src/main/java/org/zaproxy/zap/extension/pscanrulesAlpha/Base64Disclosure.java 
@@ -96,13 +96,6 @@ public String getName() { return Constant.messages.getString(MESSAGE_PREFIX + "name"); } - /** - * scans the HTTP response for base64 signatures - * - * @param msg - * @param id - * @param source unused - */ @Override public void scanHttpResponseReceive(HttpMessage msg, int id, Source source) { diff --git a/addOns/pscanrulesAlpha/src/main/java/org/zaproxy/zap/extension/pscanrulesAlpha/ExampleFilePassiveScanRule.java b/addOns/pscanrulesAlpha/src/main/java/org/zaproxy/zap/extension/pscanrulesAlpha/ExampleFilePassiveScanRule.java index 2156fb8090b..9e264eee1fc 100644 --- a/addOns/pscanrulesAlpha/src/main/java/org/zaproxy/zap/extension/pscanrulesAlpha/ExampleFilePassiveScanRule.java +++ b/addOns/pscanrulesAlpha/src/main/java/org/zaproxy/zap/extension/pscanrulesAlpha/ExampleFilePassiveScanRule.java @@ -114,7 +114,7 @@ private String doesResponseContainString(HttpBody body) { return null; } - private List loadFile(String file) { + private static List loadFile(String file) { /* * ZAP will have already extracted the file from the add-on and put it underneath the 'ZAP home' directory */ @@ -162,19 +162,19 @@ public String getName() { return Constant.messages.getString(MESSAGE_PREFIX + "name"); } - private String getDescription() { + private static String getDescription() { return Constant.messages.getString(MESSAGE_PREFIX + "desc"); } - private String getOtherInfo() { + private static String getOtherInfo() { return Constant.messages.getString(MESSAGE_PREFIX + "other"); } - private String getSolution() { + private static String getSolution() { return Constant.messages.getString(MESSAGE_PREFIX + "soln"); } - private String getReference() { + private static String getReference() { return Constant.messages.getString(MESSAGE_PREFIX + "refs"); } } 
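Review bot: The removed Javadoc was the only place stating what Base64Disclosure's `scanHttpResponseReceive` actually does; with it gone the override inherits only the generic interface description. Dropping the empty `@param msg`/`@param id` tags is reasonable, but a one-line summary such as `/** Scans the HTTP response for base64 signatures. */` (or a plain `//` comment if the project avoids Javadoc on overrides) should stay. The method body is outside the hunk, so I cannot tell whether the "source unused" remark was still accurate.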
diff --git a/addOns/pscanrulesAlpha/src/main/java/org/zaproxy/zap/extension/pscanrulesAlpha/FullPathDisclosureScanRule.java b/addOns/pscanrulesAlpha/src/main/java/org/zaproxy/zap/extension/pscanrulesAlpha/FullPathDisclosureScanRule.java index eb84d994601..7d5329dc530 100644 --- a/addOns/pscanrulesAlpha/src/main/java/org/zaproxy/zap/extension/pscanrulesAlpha/FullPathDisclosureScanRule.java +++ b/addOns/pscanrulesAlpha/src/main/java/org/zaproxy/zap/extension/pscanrulesAlpha/FullPathDisclosureScanRule.java @@ -82,15 +82,15 @@ public Map getAlertTags() { return ALERT_TAGS; } - private String getDescription() { + private static String getDescription() { return Constant.messages.getString(MESSAGE_PREFIX + "desc"); } - private String getSolution() { + private static String getSolution() { return Constant.messages.getString(MESSAGE_PREFIX + "soln"); } - private String getReference() { + private static String getReference() { return Constant.messages.getString(MESSAGE_PREFIX + "refs"); } diff --git a/addOns/pscanrulesAlpha/src/test/java/org/zaproxy/zap/extension/pscanrulesAlpha/FetchMetadataRequestHeadersScanRuleTest.java b/addOns/pscanrulesAlpha/src/test/java/org/zaproxy/zap/extension/pscanrulesAlpha/FetchMetadataRequestHeadersScanRuleTest.java index aca648a79ec..1d28a8d70f5 100644 --- a/addOns/pscanrulesAlpha/src/test/java/org/zaproxy/zap/extension/pscanrulesAlpha/FetchMetadataRequestHeadersScanRuleTest.java +++ b/addOns/pscanrulesAlpha/src/test/java/org/zaproxy/zap/extension/pscanrulesAlpha/FetchMetadataRequestHeadersScanRuleTest.java @@ -229,7 +229,7 @@ protected FetchMetadataRequestHeadersScanRule createScanner() { return new FetchMetadataRequestHeadersScanRule(); } - private String generateRequestForMissingCase(String missingHeader) { + private static String generateRequestForMissingCase(String missingHeader) { switch (missingHeader) { case "Sec-Fetch-Site": return HTTP_METHOD + SFM_VALID_HEADER + SFD_VALID_HEADER + SFU_VALID_HEADER; 
@@ -248,7 +248,7 @@ private String generateRequestForMissingCase(String missingHeader) {
 }
 }
- private String generateRequestForInvalidCase(String invalidHeader) {
+ private static String generateRequestForInvalidCase(String invalidHeader) {
 switch (invalidHeader) {
 case "Sec-Fetch-Site":
 return HTTP_METHOD
diff --git a/addOns/pscanrulesAlpha/src/test/java/org/zaproxy/zap/extension/pscanrulesAlpha/FullPathDisclosureScanRuleUnitTest.java b/addOns/pscanrulesAlpha/src/test/java/org/zaproxy/zap/extension/pscanrulesAlpha/FullPathDisclosureScanRuleUnitTest.java
index 6e356ccfc02..bbd244f6899 100644
--- a/addOns/pscanrulesAlpha/src/test/java/org/zaproxy/zap/extension/pscanrulesAlpha/FullPathDisclosureScanRuleUnitTest.java
+++ b/addOns/pscanrulesAlpha/src/test/java/org/zaproxy/zap/extension/pscanrulesAlpha/FullPathDisclosureScanRuleUnitTest.java
@@ -156,7 +156,7 @@ protected FullPathDisclosureScanRule createScanner() {
 return new FullPathDisclosureScanRule();
 }
- private HttpMessage createMessage(String body, Integer status) throws URIException {
+ private static HttpMessage createMessage(String body, Integer status) throws URIException {
 HttpRequestHeader requestHeader = new HttpRequestHeader();
 requestHeader.setURI(new URI("http://example.com", false));
diff --git a/addOns/pscanrulesBeta/CHANGELOG.md b/addOns/pscanrulesBeta/CHANGELOG.md
index 9b32e4a3d95..25f43b11f7f 100644
--- a/addOns/pscanrulesBeta/CHANGELOG.md
+++ b/addOns/pscanrulesBeta/CHANGELOG.md
@@ -4,7 +4,8 @@ All notable changes to this add-on will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 ## Unreleased
-
+### Changed
+- Maintenance changes.
 ## [38] - 2024-06-27
 ### Added
diff --git a/addOns/pscanrulesBeta/src/main/java/org/zaproxy/zap/extension/pscanrulesBeta/CacheableScanRule.java b/addOns/pscanrulesBeta/src/main/java/org/zaproxy/zap/extension/pscanrulesBeta/CacheableScanRule.java
index dc357fb94df..10855532a8b 100644
--- a/addOns/pscanrulesBeta/src/main/java/org/zaproxy/zap/extension/pscanrulesBeta/CacheableScanRule.java
+++ b/addOns/pscanrulesBeta/src/main/java/org/zaproxy/zap/extension/pscanrulesBeta/CacheableScanRule.java
@@ -692,7 +692,7 @@ public void scanHttpResponseReceive(HttpMessage msg, int id, Source source) {
 }
 }
- private Long extractAgeValue(String directiveToken, int tokenLength) {
+ private static Long extractAgeValue(String directiveToken, int tokenLength) {
 int commaLocation = directiveToken.indexOf(",", tokenLength);
 return Long.parseLong(
 directiveToken.substring(
diff --git a/addOns/pscanrulesBeta/src/main/java/org/zaproxy/zap/extension/pscanrulesBeta/JsFunctionScanRule.java b/addOns/pscanrulesBeta/src/main/java/org/zaproxy/zap/extension/pscanrulesBeta/JsFunctionScanRule.java
index 1ee3c7d916d..fa60bcef7b9 100644
--- a/addOns/pscanrulesBeta/src/main/java/org/zaproxy/zap/extension/pscanrulesBeta/JsFunctionScanRule.java
+++ b/addOns/pscanrulesBeta/src/main/java/org/zaproxy/zap/extension/pscanrulesBeta/JsFunctionScanRule.java
@@ -192,15 +192,15 @@ public String getName() {
 return Constant.messages.getString(MESSAGE_PREFIX + "name");
 }
- private String getDescription() {
+ private static String getDescription() {
 return Constant.messages.getString(MESSAGE_PREFIX + "desc");
 }
- private String getSolution() {
+ private static String getSolution() {
 return Constant.messages.getString(MESSAGE_PREFIX + "soln");
 }
- private String getReference() {
+ private static String getReference() {
 return Constant.messages.getString(MESSAGE_PREFIX + "refs");
 }
diff --git a/addOns/pscanrulesBeta/src/main/java/org/zaproxy/zap/extension/pscanrulesBeta/JsoScanRule.java b/addOns/pscanrulesBeta/src/main/java/org/zaproxy/zap/extension/pscanrulesBeta/JsoScanRule.java
index f37f0c45498..b819007d69e 100644
--- a/addOns/pscanrulesBeta/src/main/java/org/zaproxy/zap/extension/pscanrulesBeta/JsoScanRule.java
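Review bot: `extractAgeValue` still passes the directive value straight to `Long.parseLong`, so a non-numeric or out-of-range value in what is presumably a Cache-Control directive throws `NumberFormatException`; the hunk does not show whether the caller catches it, and if it does not, one malformed header aborts the rule for that response. Since the method is being reworked anyway, state that contract on it, e.g. a Javadoc line `@throws NumberFormatException if the directive value is not a valid long`, or guard the parse and return `null` (the return type is already the boxed `Long`) for unparsable values. The substring arguments and the rest of the method body lie outside the hunk.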
+++ b/addOns/pscanrulesBeta/src/main/java/org/zaproxy/zap/extension/pscanrulesBeta/JsoScanRule.java
@@ -125,7 +125,7 @@ private AlertBuilder createAlert(String evidence) {
 .setCweId(502); // CWE-502: Deserialization of Untrusted Data
 }
- private boolean hasJsoMagicSequence(String value) {
+ private static boolean hasJsoMagicSequence(String value) {
 return hasJsoBase64MagicSequence(value) || hasUriEncodedMagicSequence(value);
 }
diff --git a/addOns/pscanrulesBeta/src/main/java/org/zaproxy/zap/extension/pscanrulesBeta/ServletParameterPollutionScanRule.java b/addOns/pscanrulesBeta/src/main/java/org/zaproxy/zap/extension/pscanrulesBeta/ServletParameterPollutionScanRule.java
index 04af1435b37..71de6c47335 100644
--- a/addOns/pscanrulesBeta/src/main/java/org/zaproxy/zap/extension/pscanrulesBeta/ServletParameterPollutionScanRule.java
+++ b/addOns/pscanrulesBeta/src/main/java/org/zaproxy/zap/extension/pscanrulesBeta/ServletParameterPollutionScanRule.java
@@ -104,15 +104,15 @@ public String getName() {
 return Constant.messages.getString(MESSAGE_PREFIX + "name");
 }
- public String getDescription() {
+ private static String getDescription() {
 return Constant.messages.getString(MESSAGE_PREFIX + "desc");
 }
- public String getSolution() {
+ private static String getSolution() {
 return Constant.messages.getString(MESSAGE_PREFIX + "soln");
 }
- public String getReference() {
+ private static String getReference() {
 return Constant.messages.getString(MESSAGE_PREFIX + "refs");
 }
diff --git a/addOns/pscanrulesBeta/src/main/java/org/zaproxy/zap/extension/pscanrulesBeta/SourceCodeDisclosureScanRule.java b/addOns/pscanrulesBeta/src/main/java/org/zaproxy/zap/extension/pscanrulesBeta/SourceCodeDisclosureScanRule.java
index b35040a49f5..78af6f21ac7 100644
--- a/addOns/pscanrulesBeta/src/main/java/org/zaproxy/zap/extension/pscanrulesBeta/SourceCodeDisclosureScanRule.java
+++ b/addOns/pscanrulesBeta/src/main/java/org/zaproxy/zap/extension/pscanrulesBeta/SourceCodeDisclosureScanRule.java
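Review bot: Narrowing `getDescription`, `getSolution` and `getReference` in ServletParameterPollutionScanRule from `public` to `private static` is a visibility reduction, not just the `static` conversion applied in the other files of this patch, so any caller outside the class (a test, or another add-on that resolved them reflectively) would stop compiling or resolving. The ServletParameterPollutionScanRuleUnitTest hunk later in this patch touches no such call, which suggests there are no in-tree users, but that is inferred rather than visible here. `private static` is the right end state for plain message lookups; it would just be worth confirming no external user exists, and mentioning the narrowing in the changelog entry rather than folding it into `- Maintenance changes.`.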
@@ -643,13 +643,6 @@ public String getName() {
 return Constant.messages.getString(MESSAGE_PREFIX + "name");
 }
- /**
- * scans the HTTP response for Source Code signatures
- *
- * @param msg
- * @param id
- * @param source unused
- */
 @Override
 public void scanHttpResponseReceive(HttpMessage msg, int id, Source source) {
 if (ResourceIdentificationUtils.isCss(msg)
@@ -715,15 +708,15 @@ public Map getAlertTags() {
 return ALERT_TAGS;
 }
- private String getDescription() {
+ private static String getDescription() {
 return Constant.messages.getString(MESSAGE_PREFIX + "desc");
 }
- private String getSolution() {
+ private static String getSolution() {
 return Constant.messages.getString(MESSAGE_PREFIX + "soln");
 }
- private String getReference() {
+ private static String getReference() {
 return Constant.messages.getString(MESSAGE_PREFIX + "refs");
 }
 }
diff --git a/addOns/pscanrulesBeta/src/main/java/org/zaproxy/zap/extension/pscanrulesBeta/SubResourceIntegrityAttributeScanRule.java b/addOns/pscanrulesBeta/src/main/java/org/zaproxy/zap/extension/pscanrulesBeta/SubResourceIntegrityAttributeScanRule.java
index a38e200b832..b7faaf92ae0 100644
--- a/addOns/pscanrulesBeta/src/main/java/org/zaproxy/zap/extension/pscanrulesBeta/SubResourceIntegrityAttributeScanRule.java
+++ b/addOns/pscanrulesBeta/src/main/java/org/zaproxy/zap/extension/pscanrulesBeta/SubResourceIntegrityAttributeScanRule.java
@@ -128,7 +128,7 @@ public void scanHttpResponseReceive(HttpMessage msg, int id, Source source) {
 }
 }
- private String calculateIntegrityHash(HttpMessage msg, Element element, SiteMap tree) {
+ private static String calculateIntegrityHash(HttpMessage msg, Element element, SiteMap tree) {
 String src = element.getAttributeValue("src");
 if (src == null) {
 return "";
@@ -155,7 +155,7 @@ private String calculateIntegrityHash(HttpMessage msg, Element element, SiteMap
 return integrityHash;
 }
- private String getOtherInfo(HttpMessage msg, Element element, SiteMap tree) {
+ private static String getOtherInfo(HttpMessage msg, Element element, SiteMap tree) {
 String integrityHash = calculateIntegrityHash(msg, element, tree);
 if (integrityHash.isEmpty()) {
 return "";
diff --git a/addOns/pscanrulesBeta/src/test/java/org/zaproxy/zap/extension/pscanrulesBeta/CacheableScanRuleUnitTest.java b/addOns/pscanrulesBeta/src/test/java/org/zaproxy/zap/extension/pscanrulesBeta/CacheableScanRuleUnitTest.java
index d17a37c8d39..870c7b2b969 100644
--- a/addOns/pscanrulesBeta/src/test/java/org/zaproxy/zap/extension/pscanrulesBeta/CacheableScanRuleUnitTest.java
+++ b/addOns/pscanrulesBeta/src/test/java/org/zaproxy/zap/extension/pscanrulesBeta/CacheableScanRuleUnitTest.java
@@ -45,7 +45,7 @@
 */
 class CacheableScanRuleUnitTest extends PassiveScannerTest {
- private HttpMessage createMessage() throws URIException {
+ private static HttpMessage createMessage() throws URIException {
 HttpRequestHeader requestHeader = new HttpRequestHeader();
 requestHeader.setMethod("GET");
 requestHeader.setURI(new URI("https://example.com/fred/", false));
@@ -55,7 +55,7 @@ private HttpMessage createMessage() throws URIException {
 return msg;
 }
- private HttpMessage createMessageBasicAuthorization() throws URIException {
+ private static HttpMessage createMessageBasicAuthorization() throws URIException {
 HttpRequestHeader requestHeader = new HttpRequestHeader();
 requestHeader.setMethod("GET");
 requestHeader.setURI(new URI("https://example.com/fred/", false));
diff --git a/addOns/pscanrulesBeta/src/test/java/org/zaproxy/zap/extension/pscanrulesBeta/InPageBannerInfoLeakScanRuleUnitTest.java b/addOns/pscanrulesBeta/src/test/java/org/zaproxy/zap/extension/pscanrulesBeta/InPageBannerInfoLeakScanRuleUnitTest.java
index ef0daceea43..10de1d47bbc 100644
--- a/addOns/pscanrulesBeta/src/test/java/org/zaproxy/zap/extension/pscanrulesBeta/InPageBannerInfoLeakScanRuleUnitTest.java
+++ b/addOns/pscanrulesBeta/src/test/java/org/zaproxy/zap/extension/pscanrulesBeta/InPageBannerInfoLeakScanRuleUnitTest.java
@@ -40,7 +40,7 @@ class InPageBannerInfoLeakScanRuleUnitTest extends PassiveScannerTest {
- private HttpMessage createMessage(String banner) throws URIException {
+ private static HttpMessage createMessage(String banner) throws URIException {
 HttpRequestHeader requestHeader = new HttpRequestHeader();
 requestHeader.setURI(new URI("http://example.com", false));
diff --git a/addOns/pscanrulesBeta/src/test/java/org/zaproxy/zap/extension/pscanrulesBeta/JsFunctionScanRuleUnitTest.java b/addOns/pscanrulesBeta/src/test/java/org/zaproxy/zap/extension/pscanrulesBeta/JsFunctionScanRuleUnitTest.java
index 225dbc15bff..a22dca52cdf 100644
--- a/addOns/pscanrulesBeta/src/test/java/org/zaproxy/zap/extension/pscanrulesBeta/JsFunctionScanRuleUnitTest.java
+++ b/addOns/pscanrulesBeta/src/test/java/org/zaproxy/zap/extension/pscanrulesBeta/JsFunctionScanRuleUnitTest.java
@@ -254,7 +254,8 @@ void shouldReturnExpectedExampleAlert() {
 assertThat(alert.getConfidence(), is(equalTo(Alert.CONFIDENCE_LOW)));
 }
- private HttpMessage createHttpMessageWithRespBody(String responseBody, String contentType)
+ private static HttpMessage createHttpMessageWithRespBody(
+ String responseBody, String contentType)
 throws HttpMalformedHeaderException, URIException {
 HttpRequestHeader requestHeader = new HttpRequestHeader();
diff --git a/addOns/pscanrulesBeta/src/test/java/org/zaproxy/zap/extension/pscanrulesBeta/JsoScanRuleUnitTest.java b/addOns/pscanrulesBeta/src/test/java/org/zaproxy/zap/extension/pscanrulesBeta/JsoScanRuleUnitTest.java
index d5b01217812..b962c979fbc 100644
--- a/addOns/pscanrulesBeta/src/test/java/org/zaproxy/zap/extension/pscanrulesBeta/JsoScanRuleUnitTest.java
+++ b/addOns/pscanrulesBeta/src/test/java/org/zaproxy/zap/extension/pscanrulesBeta/JsoScanRuleUnitTest.java
@@ -323,14 +323,5 @@ protected JsoScanRule createScanner() {
 private static class AnObject implements Serializable {
 private static final long serialVersionUID = 1L;
- private static String value;
-
- public static String getValue() {
- return value;
- }
-
- public static void setValue(String value) {
- AnObject.value = value;
- }
 }
 }
diff --git a/addOns/pscanrulesBeta/src/test/java/org/zaproxy/zap/extension/pscanrulesBeta/ServletParameterPollutionScanRuleUnitTest.java b/addOns/pscanrulesBeta/src/test/java/org/zaproxy/zap/extension/pscanrulesBeta/ServletParameterPollutionScanRuleUnitTest.java
index 673bb59a749..29a17cc7c55 100644
--- a/addOns/pscanrulesBeta/src/test/java/org/zaproxy/zap/extension/pscanrulesBeta/ServletParameterPollutionScanRuleUnitTest.java
+++ b/addOns/pscanrulesBeta/src/test/java/org/zaproxy/zap/extension/pscanrulesBeta/ServletParameterPollutionScanRuleUnitTest.java
@@ -222,7 +222,8 @@ private void assertNumberOfAlertsRaised(int expected) {
 assertEquals(expected, alertsRaised.size());
 }
- private HttpMessage createHttpMessageFromHtml(String html) throws HttpMalformedHeaderException {
+ private static HttpMessage createHttpMessageFromHtml(String html)
+ throws HttpMalformedHeaderException {
 HttpMessage msg = new HttpMessage();
 msg.setRequestHeader("GET " + URI + " HTTP/1.1");
 msg.setResponseHeader("HTTP/1.1 200\r\n");
diff --git a/addOns/pscanrulesBeta/src/test/java/org/zaproxy/zap/extension/pscanrulesBeta/SourceCodeDisclosureScanRuleUnitTest.java b/addOns/pscanrulesBeta/src/test/java/org/zaproxy/zap/extension/pscanrulesBeta/SourceCodeDisclosureScanRuleUnitTest.java
index abd47568f53..4f56dd483d5 100644
--- a/addOns/pscanrulesBeta/src/test/java/org/zaproxy/zap/extension/pscanrulesBeta/SourceCodeDisclosureScanRuleUnitTest.java
+++ b/addOns/pscanrulesBeta/src/test/java/org/zaproxy/zap/extension/pscanrulesBeta/SourceCodeDisclosureScanRuleUnitTest.java
@@ -243,11 +243,11 @@ void shouldHaveExpectedExamples() {
 assertThat(example.getName(), is(equalTo("Source Code Disclosure - PHP")));
 }
- private String wrapWithHTML(String code) {
+ private static String wrapWithHTML(String code) {
 return CODE_HTML + code + CODE_HTML;
 }
- private void assertAlertAttributes(Alert alert, String evidence, final String language) {
+ private static void assertAlertAttributes(Alert alert, String evidence, final String language) {
 assertThat(alert.getRisk(), is(Alert.RISK_MEDIUM));
 assertThat(alert.getConfidence(), is(Alert.CONFIDENCE_MEDIUM));
 assertThat(alert.getName(), is(getLocalisedString("name") + " - " + language));
@@ -261,7 +261,7 @@ private void assertAlertAttributes(Alert alert, String evidence, final String la
 assertThat(alert.getWascId(), is(13));
 }
- private String getLocalisedString(String key, Object... params) {
+ private static String getLocalisedString(String key, Object... params) {
 return Constant.messages.getString("pscanbeta.sourcecodedisclosure." + key, params);
 }
 }
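Review bot: In the rewritten `assertAlertAttributes` signature, `final String language` is the only parameter marked `final` while `Alert alert` and `String evidence` are not, which reads as an accident now that the line is being touched anyway. Either drop the stray modifier, `private static void assertAlertAttributes(Alert alert, String evidence, String language) {`, or apply it to all three parameters so the list is consistent. The body of the method continues past the end of the hunk.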