-
Notifications
You must be signed in to change notification settings - Fork 5
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Added headers to nginx example, updated docs and use false positives …
…list in zap2junit.xml conversion.
- Loading branch information
1 parent
78c7b2a
commit ca7142a
Showing
4 changed files
with
79 additions
and
50 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,14 +1,25 @@ | ||
| # ZAP | ||
| The ZAP tool is used to detect any security vulnerabilities in the Web OC. | ||
| It is important to configure the http servers with the correct security headers to comply with the OWASP rules. | ||
| In this directory the configuration files for NGINX and the ZAP tool are stored. | ||
|
|
||
| # nginx.conf | ||
|
|
||
| The zap scanner run using NGINX. Specific security headers are added to the config to make the Web OC mostly compliant. | ||
| In some cases the ZAP tool will report a warning that cannot be prevented. | ||
| In the weboc-zap.conf file these warnings are excluded with an explanation why. | ||
|
|
||
| # weboc-zap.conf | ||
| In the weboc-zap.conf file warnings are excluded with an explanation why. | ||
|
|
||
| Among them are: | ||
|
|
||
| - CSP: style-src unsafe-inline: The web framework used by the Web OC (Vue JS) is using inline css. | ||
| - Sub Resource Integrity Attribute Missing: Not supported by the googles fonts css: <link rel="stylesheet" href="https://fonts.googleapis.com/css. See also: https://github.com/google/fonts/issues/473 | ||
| - Timestamp Disclosure - Unix. False positive on: /js/chunk-vendors.ce1436d0.js | ||
|
|
||
| # After zap has generated the report.xml the zap2junit.xsl transformation can be used to create a junit compliant version from it. | ||
| After zap has generated the report.xml the zap2junit.xsl transformation can be used to create a junit compliant version from it. | ||
| Since the generated report files (report.html, report.json and report.xml) do not respect the configured weboc-zap.conf (it is only used to report to stdout) the zap2junit.xsl transformation is used to create a junit compliant version from it and respecting the ignore list. | ||
| New entries to the ignore list, should be added to the zap2junit.xsl file as well. | ||
|
|
||
| # This can be used by teamcity to generate a test report. | ||
| # zap2junit.xsl | ||
| This can be used by teamcity to generate a test report and report to github all checks have passed. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,2 +1,6 @@ | ||
| 10106 IGNORE (HTTP Only Site - Active/beta) | ||
| 10055 INFO (CSP - Passive/release) | ||
| 10055 IGNORE (CSP - Passive/release) | ||
| 10055 IGNORE (CSP: Wildcard Directive) | ||
| 10055 IGNORE (CSP: style-src unsafe-inline) | ||
| 40035 IGNORE (Hidden File Finder - Active/release) | ||
| 10096 IGNORE (Timestamp Disclosure - Passive/release) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,51 +1,64 @@ | ||
| <?xml version="1.0" encoding="utf-8"?> | ||
| <xsl:stylesheet version="2.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"> | ||
| <xsl:output method="xml" indent="yes"/> | ||
| <xsl:output method="xml" indent="yes"/> | ||
|
|
||
| <!-- When set to 1, minor risks are skipped.--> | ||
| <xsl:variable name="riskCodeLimit" select="1"/> | ||
| <xsl:param name="falsePositives" select="' (HTTP Only Site - Active/beta) (CSP - Passive/release) (CSP: Wildcard Directive) (CSP: style-src unsafe-inline) (Hidden File Finder - Active/release) (Timestamp Disclosure - Passive/release) (Hidden File Found) '"/> | ||
| <!-- When set to 1, minor risks are skipped.--> | ||
| <xsl:variable name="riskCodeLimit" select="1"/> | ||
| <xsl:param name="sourceFolder"/> | ||
| <xsl:variable name="NumberOfItems" select="count(OWASPZAPReport/site/alerts/alertitem/riskcode)"/> | ||
| <xsl:variable name="generatedDateTime" select="OWASPZAPReport/@generated"/> | ||
| <xsl:variable name="host" select="OWASPZAPReport/site/@host"/> | ||
| <xsl:template match="/"> | ||
| <testsuites> | ||
| <testsuite id="1" name="zap" package="owasp" hostname="{$host}" timestamp="{$generatedDateTime}" | ||
| tests="{$NumberOfItems}" failures="{$NumberOfItems}" errors="0" time="{$generatedDateTime}"> | ||
| <properties/> | ||
| <xsl:for-each select="OWASPZAPReport/site/alerts/alertitem"> | ||
| <!-- riscode 0 = informational, 1 = Low, 2 = Medium, 3 = High --> | ||
| <!-- confidence 1 = low, 2 = medium, 3 = high --> | ||
| <xsl:variable name="riskcode" select="riskcode"/> | ||
| <xsl:variable name="confidence" select="confidence"/> | ||
| <xsl:variable name="riskdesc" select="riskdesc"/> | ||
| <xsl:variable name="name" select="name"/> | ||
|
|
||
| <xsl:param name="sourceFolder"/> | ||
| <!-- Only report for risks with a riskcode > limit --> | ||
| <xsl:if test="$riskcode > $riskCodeLimit"> | ||
| <xsl:choose> | ||
| <!-- should not be in the ignore list. Name is withouth (), --> | ||
| <xsl:when test="not(contains($falsePositives, concat('(', $name, ')')))"> | ||
| <xsl:variable name="stacktrace"> | ||
| <xsl:value-of select="solution"/>: | ||
| <xsl:for-each select="instances/instance"> | ||
| <xsl:value-of select="uri"/>, <xsl:value-of select="method"/>, <xsl:value-of | ||
| select="param"/>, | ||
| </xsl:for-each> | ||
| </xsl:variable> | ||
| <testcase name="{name}" classname="{riskdesc}" time="{$generatedDateTime}"> | ||
| <failure message="{$stacktrace}" type="{$riskdesc}"> | ||
| </failure> | ||
| </testcase> | ||
| </xsl:when> | ||
| <xsl:otherwise> | ||
| <testcase name="{name}" classname="{riskdesc}" time="{$generatedDateTime}"> | ||
| <skipped>On ignore list</skipped> | ||
| </testcase> | ||
| </xsl:otherwise> | ||
| </xsl:choose> | ||
| </xsl:if> | ||
| <xsl:if test="$riskcode <= $riskCodeLimit"> | ||
| <testcase name="{name}" classname="{riskdesc}" time="{$generatedDateTime}"> | ||
| <skipped> | ||
| </skipped> | ||
| </testcase> | ||
| </xsl:if> | ||
|
|
||
| <xsl:variable name="NumberOfItems" select="count(OWASPZAPReport/site/alerts/alertitem/riskcode)"/> | ||
| <xsl:variable name="generatedDateTime" select="OWASPZAPReport/@generated"/> | ||
| <xsl:variable name="host" select="OWASPZAPReport/site/@host"/> | ||
| <xsl:template match="/"> | ||
| <testsuites> | ||
| <testsuite id="1" name="zap" package="owasp" hostname="{$host}" timestamp="{$generatedDateTime}" tests="{$NumberOfItems}" failures="{$NumberOfItems}" errors="0" time="{$generatedDateTime}"> | ||
| <properties/> | ||
| <xsl:for-each select="OWASPZAPReport/site/alerts/alertitem"> | ||
| <!-- riscode 0 = informational, 1 = Low, 2 = Medium, 3 = High --> | ||
| <!-- confidence 1 = low, 2 = medium, 3 = high --> | ||
| <xsl:variable name="riskcode" select="riskcode"/> | ||
| <xsl:variable name="confidence" select="confidence"/> | ||
| <xsl:variable name="riskdesc" select="riskdesc"/> | ||
| <!-- Only report for risks with a riskcode > limit --> | ||
| <xsl:if test="$riskcode > $riskCodeLimit"> | ||
| <xsl:variable name="stacktrace"> | ||
| <xsl:value-of select="solution"/>: | ||
| <xsl:for-each select="instances/instance"> | ||
| <xsl:value-of select="uri"/>, <xsl:value-of select="method"/>, <xsl:value-of select="param"/>, | ||
| </xsl:for-each> | ||
| </xsl:variable> | ||
| <testcase name="{name}" classname="{riskdesc}" time="{$generatedDateTime}"> | ||
| <failure message="{$stacktrace}" type="{$riskdesc}"> | ||
| </failure> | ||
| </testcase> | ||
| </xsl:if> | ||
| <xsl:if test="$riskcode <= $riskCodeLimit"> | ||
| <testcase name="{name}" classname="{riskdesc}" time="{$generatedDateTime}"> | ||
| <skipped> | ||
| </skipped> | ||
| </testcase> | ||
| </xsl:if> | ||
|
|
||
| </xsl:for-each> | ||
| <!-- required for JUnit xsd --> | ||
| <system-out></system-out> | ||
| <!-- required for JUnit xsd --> | ||
| <system-err></system-err> | ||
| </testsuite> | ||
| </testsuites> | ||
| </xsl:template> | ||
| </xsl:for-each> | ||
| <!-- required for JUnit xsd --> | ||
| <system-out></system-out> | ||
| <!-- required for JUnit xsd --> | ||
| <system-err></system-err> | ||
| </testsuite> | ||
| </testsuites> | ||
| </xsl:template> | ||
| </xsl:stylesheet> |