From ca7142a6794feb4a5fad36288ce780ce5f7790d5 Mon Sep 17 00:00:00 2001
From: ekkelenk <rudie.ekkelenkamp@deltares.nl>
Date: Mon, 25 Mar 2024 15:37:59 +0100
Subject: [PATCH] Added headers to nginx example, updated docs and use false
 positives list in zap2junit.xml conversion.

---
 tests/docker/zap/README.md      |  17 +++++-
 tests/docker/zap/nginx.conf     |   3 +-
 tests/docker/zap/weboc-zap.conf |   6 +-
 tests/docker/zap/zap2junit.xsl  | 103 ++++++++++++++++++--------------
 4 files changed, 79 insertions(+), 50 deletions(-)

diff --git a/tests/docker/zap/README.md b/tests/docker/zap/README.md
index 728ade978..3831538fb 100644
--- a/tests/docker/zap/README.md
+++ b/tests/docker/zap/README.md
@@ -1,14 +1,25 @@
+# ZAP
+The ZAP tool is used to detect any security vulnerabilities in the Web OC.
+It is important to configure the http servers with the correct security headers to comply with the OWASP rules.
+In this directory the configuration files for NGINX and the ZAP tool are stored.  
+
 # nginx.conf
 
 The zap scanner run using NGINX. Specific security headers are added to the config to make the Web OC mostly compliant.
 In some cases the ZAP tool will report a warning that cannot be prevented.
-In the weboc-zap.conf file these warnings are excluded with an explanation why.
+
+# weboc-zap.conf
+In the weboc-zap.conf file warnings are excluded with an explanation why.
+
 Among them are:
 
 - CSP: style-src unsafe-inline: The web framework used by the Web OC (Vue JS) is using inline css.
 - Sub Resource Integrity Attribute Missing: Not supported by the googles fonts css: <link rel="stylesheet" href="https://fonts.googleapis.com/css. See also: https://github.com/google/fonts/issues/473
 - Timestamp Disclosure - Unix. False positive on: /js/chunk-vendors.ce1436d0.js
 
-# After zap has generated the report.xml the zap2junit.xsl transformation can be used to create a junit compliant version from it.
+After zap has generated the report.xml the zap2junit.xsl transformation can be used to create a junit compliant version from it.
+Since the generated report files (report.html, report.json and report.xml) do not respect the configured weboc-zap.conf (it is only used to report to stdout) the zap2junit.xsl transformation is used to create a junit compliant version from it and respecting the ignore list.
+New entries to the ignore list, should be added to the zap2junit.xsl file as well.
 
-# This can be used by teamcity to generate a test report.
+# zap2junit.xsl
+This can be used by teamcity to generate a test report and report to github all checks have passed.
diff --git a/tests/docker/zap/nginx.conf b/tests/docker/zap/nginx.conf
index 5242ebf4a..0fba29508 100644
--- a/tests/docker/zap/nginx.conf
+++ b/tests/docker/zap/nginx.conf
@@ -23,7 +23,8 @@ http {
             add_header Permissions-Policy "fullscreen=(self)";
             add_header X-Content-Type-Options nosniff;
             add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
-
+            add_header frame-ancestors 'none'; # See: https://content-security-policy.com/frame-ancestors/
+            add_header form-action 'self'; # See: https://content-security-policy.com/form-action/
 #           unsafe-inline cannot be avoided for Vuejs applications.
 #           Sub Resource Integrity Attribute Missing. Google fonts doesn't support this: https://github.com/google/fonts/issues/473
             add_header Content-Security-Policy "default-src 'self' blob: https://api.mapbox.com https://events.mapbox.com https://basemaps.cartocdn.com https://tiles-a.basemaps.cartocdn.com https://tiles-b.basemaps.cartocdn.com https://tiles-c.basemaps.cartocdn.com https://tiles-d.basemaps.cartocdn.com https://rwsos-dataservices-ont.avi.deltares.nl https://tiles.basemaps.cartocdn.com; font-src 'self' https://fonts.googleapis.com https://fonts.gstatic.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' data:;";
diff --git a/tests/docker/zap/weboc-zap.conf b/tests/docker/zap/weboc-zap.conf
index b8f31ab34..a29c2c7c7 100644
--- a/tests/docker/zap/weboc-zap.conf
+++ b/tests/docker/zap/weboc-zap.conf
@@ -1,2 +1,6 @@
 10106	IGNORE	(HTTP Only Site - Active/beta)
-10055   INFO	(CSP - Passive/release)
+10055	IGNORE	(CSP - Passive/release)
+10055	IGNORE	(CSP: Wildcard Directive)
+10055	IGNORE	(CSP: style-src unsafe-inline)
+40035	IGNORE	(Hidden File Finder - Active/release)
+10096	IGNORE	(Timestamp Disclosure - Passive/release)
\ No newline at end of file
diff --git a/tests/docker/zap/zap2junit.xsl b/tests/docker/zap/zap2junit.xsl
index b626a0e3d..2373bf4f6 100644
--- a/tests/docker/zap/zap2junit.xsl
+++ b/tests/docker/zap/zap2junit.xsl
@@ -1,51 +1,64 @@
 <?xml version="1.0" encoding="utf-8"?>
 <xsl:stylesheet version="2.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
-	<xsl:output method="xml" indent="yes"/>
+    <xsl:output method="xml" indent="yes"/>
 
-	<!-- When set to 1, minor risks are skipped.-->
-	<xsl:variable name="riskCodeLimit" select="1"/>
+    <xsl:param name="falsePositives" select="' (HTTP Only Site - Active/beta) (CSP - Passive/release) (CSP: Wildcard Directive) (CSP: style-src unsafe-inline) (Hidden File Finder - Active/release) (Timestamp Disclosure - Passive/release) (Hidden File Found) '"/>
+    <!-- When set to 1, minor risks are skipped.-->
+    <xsl:variable name="riskCodeLimit" select="1"/>
+    <xsl:param name="sourceFolder"/>
+    <xsl:variable name="NumberOfItems" select="count(OWASPZAPReport/site/alerts/alertitem/riskcode)"/>
+    <xsl:variable name="generatedDateTime" select="OWASPZAPReport/@generated"/>
+    <xsl:variable name="host" select="OWASPZAPReport/site/@host"/>
+    <xsl:template match="/">
+        <testsuites>
+            <testsuite id="1" name="zap" package="owasp" hostname="{$host}" timestamp="{$generatedDateTime}"
+                       tests="{$NumberOfItems}" failures="{$NumberOfItems}" errors="0" time="{$generatedDateTime}">
+                <properties/>
+                <xsl:for-each select="OWASPZAPReport/site/alerts/alertitem">
+                    <!-- riscode 0 = informational, 1 = Low, 2 = Medium, 3 = High -->
+                    <!-- confidence 1 = low, 2 = medium, 3 = high -->
+                    <xsl:variable name="riskcode" select="riskcode"/>
+                    <xsl:variable name="confidence" select="confidence"/>
+                    <xsl:variable name="riskdesc" select="riskdesc"/>
+                    <xsl:variable name="name" select="name"/>
 
-	<xsl:param name="sourceFolder"/>
+                    <!-- Only report for risks with a riskcode > limit -->
+                    <xsl:if test="$riskcode &gt; $riskCodeLimit">
+                        <xsl:choose>
+                            <!-- should not be in the ignore list. Name is withouth (), -->
+                            <xsl:when test="not(contains($falsePositives, concat('(', $name, ')')))">
+                                <xsl:variable name="stacktrace">
+                                    <xsl:value-of select="solution"/>:
+                                    <xsl:for-each select="instances/instance">
+                                        <xsl:value-of select="uri"/>, <xsl:value-of select="method"/>, <xsl:value-of
+                                            select="param"/>,
+                                    </xsl:for-each>
+                                </xsl:variable>
+                                <testcase name="{name}" classname="{riskdesc}" time="{$generatedDateTime}">
+                                    <failure message="{$stacktrace}" type="{$riskdesc}">
+                                    </failure>
+                                </testcase>
+                            </xsl:when>
+                            <xsl:otherwise>
+                                <testcase name="{name}" classname="{riskdesc}" time="{$generatedDateTime}">
+                                    <skipped>On ignore list</skipped>
+                                </testcase>
+                            </xsl:otherwise>
+                        </xsl:choose>
+                    </xsl:if>
+                    <xsl:if test="$riskcode &lt;= $riskCodeLimit">
+                        <testcase name="{name}" classname="{riskdesc}" time="{$generatedDateTime}">
+                            <skipped>
+                            </skipped>
+                        </testcase>
+                    </xsl:if>
 
-	<xsl:variable name="NumberOfItems" select="count(OWASPZAPReport/site/alerts/alertitem/riskcode)"/>
-	<xsl:variable name="generatedDateTime" select="OWASPZAPReport/@generated"/>
-	<xsl:variable name="host" select="OWASPZAPReport/site/@host"/>
-	<xsl:template match="/">
-		<testsuites>
-		<testsuite id="1" name="zap" package="owasp" hostname="{$host}" timestamp="{$generatedDateTime}" tests="{$NumberOfItems}" failures="{$NumberOfItems}" errors="0" time="{$generatedDateTime}">
-			<properties/>
-			<xsl:for-each select="OWASPZAPReport/site/alerts/alertitem">
-				<!-- riscode 0 = informational, 1 = Low, 2 = Medium, 3 = High -->
-				<!-- confidence 1 = low, 2 = medium, 3 = high -->
-				<xsl:variable name="riskcode" select="riskcode"/>
-				<xsl:variable name="confidence" select="confidence"/>
-				<xsl:variable name="riskdesc" select="riskdesc"/>
-				<!-- Only report for risks with a riskcode > limit -->
-				<xsl:if test="$riskcode &gt; $riskCodeLimit">
-					<xsl:variable name="stacktrace">
-						<xsl:value-of select="solution"/>:
-						<xsl:for-each select="instances/instance">
-							<xsl:value-of select="uri"/>, <xsl:value-of select="method"/>, <xsl:value-of select="param"/>,
-						</xsl:for-each>
-					</xsl:variable>
-				<testcase name="{name}" classname="{riskdesc}" time="{$generatedDateTime}">
-					<failure message="{$stacktrace}" type="{$riskdesc}">
-					</failure>
-				</testcase>
-				</xsl:if>
-				<xsl:if test="$riskcode &lt;= $riskCodeLimit">
-					<testcase name="{name}" classname="{riskdesc}" time="{$generatedDateTime}">
-						<skipped>
-						</skipped>
-					</testcase>
-				</xsl:if>
-
-			</xsl:for-each>
-			<!-- required for JUnit xsd -->
-			<system-out></system-out>
-			<!-- required for JUnit xsd -->
-			<system-err></system-err>
-		</testsuite>
-		</testsuites>
-	</xsl:template>
+                </xsl:for-each>
+                <!-- required for JUnit xsd -->
+                <system-out></system-out>
+                <!-- required for JUnit xsd -->
+                <system-err></system-err>
+            </testsuite>
+        </testsuites>
+    </xsl:template>
 </xsl:stylesheet>