created an exclusion list for zap.

tests/docker/zap/README.md

@@ -1,7 +1,9 @@
 # nginx.conf
 
 The zap scanner run using NGINX. Specific security headers are added to the config to make the Web OC mostly compliant.
-In some cases the ZAP tool will report a warning that cannot be prevented. The following is a list of warnings and the reason they cannot be prevented:
+In some cases the ZAP tool will report a warning that cannot be prevented.
+In the weboc-zap.conf file these warnings are excluded with an explanation why.
+Among them are:
 
 - CSP: style-src unsafe-inline: The web framework used by the Web OC (Vue JS) is using inline css.
 - Sub Resource Integrity Attribute Missing: Not supported by the googles fonts css: <link rel="stylesheet" href="https://fonts.googleapis.com/css. See also: https://github.com/google/fonts/issues/473

tests/docker/zap/docker-compose.yaml

@@ -15,9 +15,11 @@ services:
       - '80:80'
 
   # The report ./folder is mounted to generate the zap report.
+  # The web-zap.conf contains the exclusions that are marked as false positives.
   zap:
     container_name: zap
     image: owasp/zap2docker-stable
-    command: 'zap-full-scan.py -t http://nginx-weboc -j -g gen.conf -r report.html -x report.xml -J report.json'
+    command: 'zap-full-scan.py -t http://nginx-weboc -j -g gen.conf -j -c /weboc-zap.conf  -r report.html -x report.xml -J report.json'
     volumes:
+      - ./weboc-zap.conf:/weboc-zap.conf:ro
       - ./report:/zap/wrk/:rw

tests/docker/zap/weboc-zap.conf

@@ -0,0 +1,2 @@
+10106	IGNORE	(HTTP Only Site - Active/beta)
+10055   INFO	(CSP - Passive/release)