From bdd11421c983c09fd54745fd72c3d82f78a4d272 Mon Sep 17 00:00:00 2001 
From: Jan Winz
Date: Mon, 10 Jul 2023 07:44:03 +0200
Subject: [PATCH 01/11] Refactor OWASP ZAP wrapper #2371
- Introduce ClientApiFacade to make usage of ClientApi easier to use and test
- added javadoc to ClientApiFacade
- merge multiple OwaspZapScan implementations into OwaspZapScanner
- add test cases into OwaspZapScannerTest
---
 .../cli/OwaspZapScanExecutor.java | 12 +-
 .../cli/OwaspZapScanResolver.java | 40 -
 .../config/OwaspZapClientApiFactory.java | 5 +-
 .../config/OwaspZapScanContext.java | 24 +-
 .../config/ProxyInformation.java | 2 +-
 .../helper/OwaspZapApiResponseHelper.java | 20 -
 .../helper/OwaspZapProductMessageHelper.java | 11 +
 .../owaspzapwrapper/scan/AbstractScan.java | 594 --------------
 .../owaspzapwrapper/scan/ClientApiFacade.java | 535 ++++++++++++
 .../owaspzapwrapper/scan/OwaspZapScanner.java | 756 +++++++++++++++++
 .../scan/UnauthenticatedScan.java | 87 --
 .../scan/auth/AbstractAuthScan.java | 143 ----
 .../owaspzapwrapper/scan/auth/AuthScan.java | 10 -
 .../scan/auth/HTTPBasicAuthScan.java | 77 --
 .../owaspzapwrapper/util/SystemUtil.java | 17 +
 .../util/TargetConnectionChecker.java | 2 +-
 .../cli/OwaspZapScanExecutorTest.java | 114 ---
 .../cli/OwaspZapScanResolverTest.java | 79 --
 .../config/OwaspZapClientApiFactoryTest.java | 6 +-
 .../OwaspZapScanContextFactoryTest.java | 4 +-
 .../helper/OwaspZapApiResponseHelperTest.java | 43 -
 .../scan/OwaspZapScannerTest.java | 767 ++++++++++++++++++
 .../form-based-auth.json | 41 +
 23 files changed, 2154 insertions(+), 1235 deletions(-)
 delete mode 100644 sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/cli/OwaspZapScanResolver.java
 delete mode 100644 sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/helper/OwaspZapApiResponseHelper.java
 delete mode 100644 sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/scan/AbstractScan.java
 create mode 100644 sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/scan/ClientApiFacade.java
 create mode 100644 sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/scan/OwaspZapScanner.java
 delete mode 100644 sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/scan/UnauthenticatedScan.java
 delete mode 100644 sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/scan/auth/AbstractAuthScan.java
 delete mode 100644 sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/scan/auth/AuthScan.java
 delete mode 100644 sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/scan/auth/HTTPBasicAuthScan.java
 create mode 100644 sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/util/SystemUtil.java
 delete mode 100644 sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/owaspzapwrapper/cli/OwaspZapScanExecutorTest.java
 delete mode 100644 sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/owaspzapwrapper/cli/OwaspZapScanResolverTest.java
 delete mode 100644 sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/owaspzapwrapper/helper/OwaspZapApiResponseHelperTest.java
 create mode 100644 sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/owaspzapwrapper/scan/OwaspZapScannerTest.java
 create mode 100644 sechub-wrapper-owasp-zap/src/test/resources/sechub-config-examples/form-based-auth.json
diff --git a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/cli/OwaspZapScanExecutor.java b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/cli/OwaspZapScanExecutor.java
index 27260b2657..b38ae441b1 100644
--- a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/cli/OwaspZapScanExecutor.java
+++ b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/cli/OwaspZapScanExecutor.java
@@ -3,24 +3,22 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; -import org.zaproxy.clientapi.core.ClientApi; import com.mercedesbenz.sechub.owaspzapwrapper.config.OwaspZapClientApiFactory; import com.mercedesbenz.sechub.owaspzapwrapper.config.OwaspZapScanContext; -import com.mercedesbenz.sechub.owaspzapwrapper.scan.OwaspZapScan; +import com.mercedesbenz.sechub.owaspzapwrapper.scan.ClientApiFacade; +import com.mercedesbenz.sechub.owaspzapwrapper.scan.OwaspZapScanner; import com.mercedesbenz.sechub.owaspzapwrapper.util.TargetConnectionChecker; public class OwaspZapScanExecutor { private static final Logger LOG = LoggerFactory.getLogger(OwaspZapScanExecutor.class); - OwaspZapScanResolver resolver; OwaspZapClientApiFactory clientApiFactory; TargetConnectionChecker connectionChecker; public OwaspZapScanExecutor() { clientApiFactory = new OwaspZapClientApiFactory(); - resolver = new OwaspZapScanResolver(); connectionChecker = new TargetConnectionChecker(); } @@ -29,10 +27,10 @@ public void execute(OwaspZapScanContext scanContext) throws ZapWrapperRuntimeExc connectionChecker.assertApplicationIsReachable(scanContext); } - ClientApi clientApi = clientApiFactory.create(scanContext.getServerConfig()); + ClientApiFacade clientApiFacade = clientApiFactory.create(scanContext.getServerConfig()); - OwaspZapScan owaspZapScan = resolver.resolveScanImplementation(scanContext, clientApi); + OwaspZapScanner owaspZapScanner = new OwaspZapScanner(clientApiFacade, scanContext); LOG.info("Starting Owasp Zap scan."); - owaspZapScan.scan(); + owaspZapScanner.scan(); } } diff --git a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/cli/OwaspZapScanResolver.java b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/cli/OwaspZapScanResolver.java deleted file mode 100644 index f5937eedc2..0000000000 --- a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/cli/OwaspZapScanResolver.java +++ /dev/null 
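Review bot: In the second hunk `execute()` now builds the scanner inline with `new OwaspZapScanner(clientApiFacade, scanContext)`, whereas the two remaining collaborators, `clientApiFactory` and `connectionChecker`, stay package-visible fields that a test can swap out; the removed `resolver` field was the seam the deleted `OwaspZapScanExecutorTest` relied on, and the diffstat shows no replacement test for the executor. A small factory method such as `OwaspZapScanner createScanner(ClientApiFacade facade, OwaspZapScanContext context)` would keep the scan stubbable without widening the public API. The deleted `OwaspZapScanResolver` also rejected a null or unsupported `AuthenticationType` with `ZapWrapperExitCode.UNSUPPORTED_CONFIGURATION`; `OwaspZapScanner` is not in this chunk, so please verify that check survived the merge rather than the scanner silently running unauthenticated for an unknown type.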
@@ -1,40 +0,0 @@ -// SPDX-License-Identifier: MIT -package com.mercedesbenz.sechub.owaspzapwrapper.cli; - -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; -import org.zaproxy.clientapi.core.ClientApi; - -import com.mercedesbenz.sechub.owaspzapwrapper.config.OwaspZapScanContext; -import com.mercedesbenz.sechub.owaspzapwrapper.config.auth.AuthenticationType; -import com.mercedesbenz.sechub.owaspzapwrapper.scan.OwaspZapScan; -import com.mercedesbenz.sechub.owaspzapwrapper.scan.UnauthenticatedScan; -import com.mercedesbenz.sechub.owaspzapwrapper.scan.auth.HTTPBasicAuthScan; - -public class OwaspZapScanResolver { - private static final Logger LOG = LoggerFactory.getLogger(OwaspZapScanResolver.class); - - public OwaspZapScan resolveScanImplementation(OwaspZapScanContext scanContext, ClientApi clientApi) { - LOG.info("Resolve scan implementation."); - OwaspZapScan scan; - AuthenticationType authenticationType = scanContext.getAuthenticationType(); - if (authenticationType == null) { - throw new ZapWrapperRuntimeException("No matching scan type could be found.", ZapWrapperExitCode.UNSUPPORTED_CONFIGURATION); - } - - switch (authenticationType) { - case UNAUTHENTICATED: - scan = new UnauthenticatedScan(clientApi, scanContext); - LOG.info("Using unauthenticated scan"); - break; - case HTTP_BASIC_AUTHENTICATION: - scan = new HTTPBasicAuthScan(clientApi, scanContext); - LOG.info("Using http basic authentication scan"); - break; - default: - throw new ZapWrapperRuntimeException("No matching scan type could be found.", ZapWrapperExitCode.UNSUPPORTED_CONFIGURATION); - } - return scan; - } - -} diff --git a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/config/OwaspZapClientApiFactory.java b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/config/OwaspZapClientApiFactory.java index fc234a080a..643ff94642 100644 
--- a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/config/OwaspZapClientApiFactory.java +++ b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/config/OwaspZapClientApiFactory.java @@ -7,11 +7,12 @@ import com.mercedesbenz.sechub.owaspzapwrapper.cli.ZapWrapperExitCode; import com.mercedesbenz.sechub.owaspzapwrapper.cli.ZapWrapperRuntimeException; +import com.mercedesbenz.sechub.owaspzapwrapper.scan.ClientApiFacade; public class OwaspZapClientApiFactory { private static final Logger LOG = LoggerFactory.getLogger(OwaspZapClientApiFactory.class); - public ClientApi create(OwaspZapServerConfiguration serverConfig) { + public ClientApiFacade create(OwaspZapServerConfiguration serverConfig) { LOG.info("Creating Owasp Zap ClientApi."); assertValidServerConfig(serverConfig); String zaproxyHost = serverConfig.getZaproxyHost(); @@ -20,7 +21,7 @@ public ClientApi create(OwaspZapServerConfiguration serverConfig) { ClientApi clientApi = new ClientApi(zaproxyHost, zaproxyPort, zaproxyApiKey); - return clientApi; + return new ClientApiFacade(clientApi); } private void assertValidServerConfig(OwaspZapServerConfiguration serverConfig) { diff --git a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/config/OwaspZapScanContext.java b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/config/OwaspZapScanContext.java index 3de09dbfc9..331cbbaca3 100644 --- a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/config/OwaspZapScanContext.java +++ b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/config/OwaspZapScanContext.java 
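Review bot: `create` now returns a `ClientApiFacade`, but the log line directly below the signature still says `Creating Owasp Zap ClientApi.` and the method has no Javadoc stating that the raw `ClientApi` is wrapped and no longer handed out. Suggest `LOG.info("Creating Owasp Zap ClientApiFacade.");` plus a one-line Javadoc on `create` noting it returns a facade over a `ClientApi` built from `serverConfig` and, presumably via `assertValidServerConfig` (outside the hunk), throws `ZapWrapperRuntimeException` for an invalid configuration. With the class name still `OwaspZapClientApiFactory`, the Javadoc is the cheapest way to keep the intent clear.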
@@ -40,8 +40,8 @@ public class OwaspZapScanContext { private Path apiDefinitionFile; // Using Set here to avoid duplicates - private Set owaspZapURLsIncludeList = new HashSet<>(); - private Set owaspZapURLsExcludeList = new HashSet<>(); + private Set owaspZapURLsIncludeSet = new HashSet<>(); + private Set owaspZapURLsExcludeSet = new HashSet<>(); private boolean connectionCheckEnabled; @@ -123,12 +123,12 @@ public Path getApiDefinitionFile() { return apiDefinitionFile; } - public Set getOwaspZapURLsIncludeList() { - return owaspZapURLsIncludeList; + public Set getOwaspZapURLsIncludeSet() { + return owaspZapURLsIncludeSet; } - public Set getOwaspZapURLsExcludeList() { - return owaspZapURLsExcludeList; + public Set getOwaspZapURLsExcludeSet() { + return owaspZapURLsExcludeSet; } public boolean connectionCheckEnabled() { @@ -180,8 +180,8 @@ public static class OwaspZapBasicScanContextBuilder { private Path apiDefinitionFile; // Using Set here to avoid duplicates - private Set owaspZapURLsIncludeList = new HashSet<>(); - private Set owaspZapURLsExcludeList = new HashSet<>(); + private Set owaspZapURLsIncludeSet = new HashSet<>(); + private Set owaspZapURLsExcludeSet = new HashSet<>(); private boolean connectionCheckEnabled; @@ -261,12 +261,12 @@ public OwaspZapBasicScanContextBuilder setApiDefinitionFile(Path apiDefinitionFi } public OwaspZapBasicScanContextBuilder setOwaspZapURLsIncludeSet(Set owaspZapURLsIncludeList) { - this.owaspZapURLsIncludeList.addAll(owaspZapURLsIncludeList); + this.owaspZapURLsIncludeSet.addAll(owaspZapURLsIncludeList); return this; } public OwaspZapBasicScanContextBuilder setOwaspZapURLsExcludeSet(Set owaspZapURLsExcludeList) { - this.owaspZapURLsExcludeList.addAll(owaspZapURLsExcludeList); + this.owaspZapURLsExcludeSet.addAll(owaspZapURLsExcludeList); return this; } 
@@ -312,8 +312,8 @@ public OwaspZapScanContext build() { owaspZapBasicScanConfiguration.apiDefinitionFile = this.apiDefinitionFile; - owaspZapBasicScanConfiguration.owaspZapURLsIncludeList.addAll(this.owaspZapURLsIncludeList); - owaspZapBasicScanConfiguration.owaspZapURLsExcludeList.addAll(this.owaspZapURLsExcludeList); + owaspZapBasicScanConfiguration.owaspZapURLsIncludeSet.addAll(this.owaspZapURLsIncludeSet); + owaspZapBasicScanConfiguration.owaspZapURLsExcludeSet.addAll(this.owaspZapURLsExcludeSet); owaspZapBasicScanConfiguration.connectionCheckEnabled = this.connectionCheckEnabled; diff --git a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/config/ProxyInformation.java b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/config/ProxyInformation.java index b5f8acb88f..6f13ef8d19 100644 --- a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/config/ProxyInformation.java +++ b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/config/ProxyInformation.java @@ -5,7 +5,7 @@ public class ProxyInformation { private String host; private int port; - ProxyInformation(String host, int port) { + public ProxyInformation(String host, int port) { this.host = host; this.port = port; } diff --git a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/helper/OwaspZapApiResponseHelper.java b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/helper/OwaspZapApiResponseHelper.java deleted file mode 100644 index 361e469c75..0000000000 --- a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/helper/OwaspZapApiResponseHelper.java +++ /dev/null 
@@ -1,20 +0,0 @@ -// SPDX-License-Identifier: MIT -package com.mercedesbenz.sechub.owaspzapwrapper.helper; - -import org.zaproxy.clientapi.core.ApiResponse; -import org.zaproxy.clientapi.core.ApiResponseElement; - -import com.mercedesbenz.sechub.owaspzapwrapper.cli.ZapWrapperExitCode; -import com.mercedesbenz.sechub.owaspzapwrapper.cli.ZapWrapperRuntimeException; - -public class OwaspZapApiResponseHelper { - - public String getIdOfApiRepsonse(ApiResponse response) { - if (response instanceof ApiResponseElement) { - return ((ApiResponseElement) response).getValue(); - } else { - throw new ZapWrapperRuntimeException("Parameter \"response\" is not an instance of ApiResponseElement.", - ZapWrapperExitCode.PRODUCT_EXECUTION_ERROR); - } - } -} diff --git a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/helper/OwaspZapProductMessageHelper.java b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/helper/OwaspZapProductMessageHelper.java index f43d7c1e7d..d94451d970 100644 --- a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/helper/OwaspZapProductMessageHelper.java +++ b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/helper/OwaspZapProductMessageHelper.java @@ -58,6 +58,17 @@ public void writeProductError(ZapWrapperRuntimeException zapWrapperRuntimeExcept } } + public void writeUserMessagesWithScannedURLs(List urls) { + for (String url : urls) { + // robots.txt and sitemap.xml always appear inside the sites tree even if they + // are not available. Because of this it is skipped here. + if (url.contains("robots.txt") || url.contains("sitemap.xml")) { + continue; + } + writeSingleProductMessage(new SecHubMessage(SecHubMessageType.INFO, "Detect url to scan: " + url)); + } + } + private void writeProductErrorForExitCode(ZapWrapperExitCode exitCode) throws IOException { if (exitCode == null) { return; 
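Review bot: The skip test in the new `writeUserMessagesWithScannedURLs` uses `url.contains("robots.txt") || url.contains("sitemap.xml")`, which drops any detected URL whose path or query merely contains that text, not only the two well-known root files the comment describes; `url.endsWith("/robots.txt") || url.endsWith("/sitemap.xml")` matches the stated intent more closely, or document that the broader match is deliberate. The enhanced `for` throws a NullPointerException if a caller passes `null`; if an absent spider result is possible, an early `if (urls == null) { return; }` is cheap. Minor: the user-facing text `"Detect url to scan: "` reads better as `"Detected URL to scan: "`.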
diff --git a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/scan/AbstractScan.java b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/scan/AbstractScan.java deleted file mode 100644 index 9a7ca8de22..0000000000 --- a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/scan/AbstractScan.java +++ /dev/null 
@@ -1,594 +0,0 @@ -// SPDX-License-Identifier: MIT -package com.mercedesbenz.sechub.owaspzapwrapper.scan; - -import java.io.File; -import java.io.IOException; -import java.net.URL; -import java.nio.file.Files; -import java.nio.file.Path; -import java.nio.file.Paths; -import java.nio.file.StandardCopyOption; -import java.util.List; -import java.util.Optional; - -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; -import org.zaproxy.clientapi.core.ApiResponse; -import org.zaproxy.clientapi.core.ApiResponseElement; -import org.zaproxy.clientapi.core.ApiResponseList; -import org.zaproxy.clientapi.core.ClientApi; -import org.zaproxy.clientapi.core.ClientApiException; - -import com.mercedesbenz.sechub.commons.model.HTTPHeaderConfiguration; -import com.mercedesbenz.sechub.commons.model.SecHubMessage; -import com.mercedesbenz.sechub.commons.model.SecHubMessageType; -import com.mercedesbenz.sechub.commons.model.SecHubWebScanApiConfiguration; -import com.mercedesbenz.sechub.owaspzapwrapper.cli.ZapWrapperExitCode; -import com.mercedesbenz.sechub.owaspzapwrapper.cli.ZapWrapperRuntimeException; -import com.mercedesbenz.sechub.owaspzapwrapper.config.OwaspZapScanContext; -import com.mercedesbenz.sechub.owaspzapwrapper.config.ProxyInformation; -import com.mercedesbenz.sechub.owaspzapwrapper.config.data.DeactivatedRuleReferences; -import com.mercedesbenz.sechub.owaspzapwrapper.config.data.OwaspZapFullRuleset; -import com.mercedesbenz.sechub.owaspzapwrapper.config.data.Rule; -import com.mercedesbenz.sechub.owaspzapwrapper.config.data.RuleReference; -import com.mercedesbenz.sechub.owaspzapwrapper.helper.OwaspZapApiResponseHelper; -import com.mercedesbenz.sechub.owaspzapwrapper.helper.OwaspZapEventHandler; -import com.mercedesbenz.sechub.owaspzapwrapper.helper.ScanDurationHelper; -import com.mercedesbenz.sechub.owaspzapwrapper.util.UrlUtil; - -public abstract class AbstractScan implements OwaspZapScan { - private static final Logger LOG = 
LoggerFactory.getLogger(AbstractScan.class); - - private static final int CHECK_SCAN_STATUS_TIME_IN_MILLISECONDS = 3000; - - protected ClientApi clientApi; - protected OwaspZapScanContext scanContext; - - protected String contextId; - protected OwaspZapApiResponseHelper apiResponseHelper; - - private ScanDurationHelper scanDurationHelper; - private long remainingScanTime; - - private OwaspZapEventHandler owaspZapEventHandler; - - private UrlUtil urlUtil; - - public AbstractScan(ClientApi clientApi, OwaspZapScanContext scanContext) { - this.clientApi = clientApi; - this.scanContext = scanContext; - this.scanDurationHelper = new ScanDurationHelper(); - this.remainingScanTime = scanContext.getMaxScanDurationInMillis(); - this.apiResponseHelper = new OwaspZapApiResponseHelper(); - this.owaspZapEventHandler = new OwaspZapEventHandler(); - this.urlUtil = new UrlUtil(); - } - - @Override - public void scan() { - try { - scanUnsafe(); - } catch (ClientApiException e) { - cleanUp(); - throw new ZapWrapperRuntimeException("For scan: " + scanContext.getContextName() + ". An error occured while scanning!", e, - ZapWrapperExitCode.PRODUCT_EXECUTION_ERROR); - } - } - - /** - * Creates a new scan context. - * - * @throws ClientApiException - */ - protected void createContext() throws ClientApiException { - LOG.info("Creating context: {}", scanContext.getContextName()); - ApiResponse createContextRepsonse = clientApi.context.newContext(scanContext.getContextName()); - this.contextId = apiResponseHelper.getIdOfApiRepsonse(createContextRepsonse); - } - - /** - * Adds all included and excluded URL into scan context. - * - * @throws ClientApiException - */ - protected void addIncludedAndExcludedUrlsToContext() throws ClientApiException { - LOG.info("For scan {}: Adding include and exclude parts.", scanContext.getContextName()); - registerUrlsIncludedInContext(); - registerUrlsExcludedFromContext(); - } - - /** - * Wait for the results of the spider. 
Periodically checks the progress of the - * spider. - * - * @param response - * @throws ClientApiException - */ - protected void waitForSpiderResults(ApiResponse response) throws ClientApiException { - String scanId = ((ApiResponseElement) response).getValue(); - int progressSpider = 0; - - long startTime = System.currentTimeMillis(); - long maxDuration = scanDurationHelper.computeSpiderMaxScanDuration(scanContext.isActiveScanEnabled(), scanContext.isAjaxSpiderEnabled(), - remainingScanTime); - - boolean timeOut = false; - - while (progressSpider < 100 && !timeOut) { - if (owaspZapEventHandler.isScanCancelled()) { - List spiderResults = ((ApiResponseList) clientApi.spider.allUrls()).getItems(); - writeUserMessagesWithScannedURLs(spiderResults); - clientApi.spider.stop(scanId); - owaspZapEventHandler.cancelScan(scanContext.getContextName()); - } - waitForNextCheck(); - progressSpider = Integer.parseInt(((ApiResponseElement) clientApi.spider.status(scanId)).getValue()); - LOG.info("For scan {}: Spider progress {}%", scanContext.getContextName(), progressSpider); - timeOut = System.currentTimeMillis() - startTime > maxDuration; - } - /* stop spider - otherwise running in background */ - clientApi.spider.stop(scanId); - - List spiderResults = ((ApiResponseList) clientApi.spider.allUrls()).getItems(); - writeUserMessagesWithScannedURLs(spiderResults); - LOG.info("For scan {}: Spider completed.", scanContext.getContextName()); - remainingScanTime = remainingScanTime - (System.currentTimeMillis() - startTime); - } - - /** - * Wait for the results of the ajax spider. Periodically checks the progress of - * the ajax spider. 
- * - * @throws ClientApiException - */ - protected void waitForAjaxSpiderResults() throws ClientApiException { - String ajaxSpiderStatus = null; - - long startTime = System.currentTimeMillis(); - long maxDuration = scanDurationHelper.computeAjaxSpiderMaxScanDuration(scanContext.isActiveScanEnabled(), remainingScanTime); - - boolean timeOut = false; - - while (!isAjaxSpiderStopped(ajaxSpiderStatus) && !timeOut) { - if (owaspZapEventHandler.isScanCancelled()) { - clientApi.ajaxSpider.stop(); - owaspZapEventHandler.cancelScan(scanContext.getContextName()); - } - waitForNextCheck(); - ajaxSpiderStatus = ((ApiResponseElement) clientApi.ajaxSpider.status()).getValue(); - LOG.info("For scan {}: AjaxSpider status {}", scanContext.getContextName(), ajaxSpiderStatus); - timeOut = (System.currentTimeMillis() - startTime) > maxDuration; - } - /* stop spider - otherwise running in background */ - clientApi.ajaxSpider.stop(); - LOG.info("For scan {}: AjaxSpider completed.", scanContext.getContextName()); - remainingScanTime = remainingScanTime - (System.currentTimeMillis() - startTime); - } - - /** - * Wait for the results of the passive scan. Periodically checks the progress of - * the passive scan. 
- * - * @throws ClientApiException - */ - protected void passiveScan() throws ClientApiException { - LOG.info("For scan {}: Starting passive scan.", scanContext.getContextName()); - long startTime = System.currentTimeMillis(); - long maxDuration = scanDurationHelper.computePassiveScanMaxScanDuration(scanContext.isActiveScanEnabled(), scanContext.isAjaxSpiderEnabled(), - remainingScanTime); - - int numberOfRecords = Integer.parseInt(((ApiResponseElement) clientApi.pscan.recordsToScan()).getValue()); - - while (numberOfRecords > 0 || (System.currentTimeMillis() - startTime) > maxDuration) { - if (owaspZapEventHandler.isScanCancelled()) { - owaspZapEventHandler.cancelScan(scanContext.getContextName()); - } - waitForNextCheck(); - numberOfRecords = Integer.parseInt(((ApiResponseElement) clientApi.pscan.recordsToScan()).getValue()); - LOG.info("For scan {}: Passive scan number of records left for scanning: {}", scanContext.getContextName(), numberOfRecords); - } - LOG.info("For scan {}: Passive scan completed.", scanContext.getContextName()); - remainingScanTime = remainingScanTime - (System.currentTimeMillis() - startTime); - } - - /** - * Wait for the results of the active scan. Periodically checks the progress of - * the active scan. 
- * - * @param response - * @throws ClientApiException - */ - protected void waitForActiveScanResults(ApiResponse response) throws ClientApiException { - String scanId = ((ApiResponseElement) response).getValue(); - int progressActive = 0; - - long startTime = System.currentTimeMillis(); - long maxDuration = remainingScanTime; - boolean timeOut = false; - while (progressActive < 100 && !timeOut) { - if (owaspZapEventHandler.isScanCancelled()) { - clientApi.ascan.stop(scanId); - owaspZapEventHandler.cancelScan(scanContext.getContextName()); - } - waitForNextCheck(); - progressActive = Integer.parseInt(((ApiResponseElement) clientApi.ascan.status(scanId)).getValue()); - LOG.info("For scan {}: Active scan progress {}%", scanContext.getContextName(), progressActive); - - timeOut = (System.currentTimeMillis() - startTime) > maxDuration; - } - clientApi.ascan.stop(scanId); - LOG.info("For scan {}: Active scan completed.", scanContext.getContextName()); - } - - /** - * Generates the SARIF report for the current scan, identified using the context - * name. 
- * - * @throws ClientApiException - */ - protected void generateOwaspZapReport() throws ClientApiException { - LOG.info("For scan {}: Writing results to report...", scanContext.getContextName()); - Path reportFile = scanContext.getReportFile(); - - String title = scanContext.getContextName(); - String template = "sarif-json"; - String theme = null; - String description = null; - String contexts = scanContext.getContextName(); - String sites = null; - String sections = null; - String includedconfidences = null; - String includedrisks = null; - String reportfilename = reportFile.getFileName().toString(); - String reportfilenamepattern = null; - String reportdir = resolveParentDirectoryPath(reportFile); - String display = null; - /* @formatter:off */ - // we use the context name as report title - clientApi.reports.generate( - title, - template, - theme, - description, - contexts, - sites, - sections, - includedconfidences, - includedrisks, - reportfilename, - reportfilenamepattern, - reportdir, - display); - /* @formatter:on */ - - // rename is necessary if the file extension is not .json, because Owasp Zap - // adds the file extension .json since we create a json report. Might not be - // necessary anymore if we have the sarif support - renameReportFileIfFileExtensionIsNotJSON(); - - LOG.info("For scan {}: Report can be found at {}", scanContext.getContextName(), reportFile.toFile().getAbsolutePath()); - - } - - protected void cleanUp() { - // to ensure parts from previous scan are deleted - try { - LOG.info("Cleaning up by starting new and empty session...", scanContext.getContextName()); - clientApi.core.newSession("Cleaned after scan", "true"); - LOG.info("New and empty session inside Owasp Zap created."); - - // Replacer rules are persistent even after restarting OWASP ZAP - // This means we need to cleanUp after every scan. 
- LOG.info("Start cleaning up replacer rules."); - cleanUpReplacerRules(); - LOG.info("Cleanup successful."); - } catch (ClientApiException e) { - LOG.error("For scan: {}. An error occurred during the clean up, because: {}", scanContext.getContextName(), e.getMessage()); - } - } - - protected void setupBasicConfiguration() throws ClientApiException { - LOG.info("Creating new session inside the Owasp Zap"); - // to ensure parts from previous scan are deleted - clientApi.core.newSession(scanContext.getContextName(), "true"); - LOG.info("Setting default of how many alerts of the same rule will be inside the report to unlimited."); - // setting this value to zero means unlimited - clientApi.core.setOptionMaximumAlertInstances("0"); - - // enable all passive scanner rules by default - clientApi.pscan.enableAllScanners(); - // enable all passive scanner rules by default - // null specifies the default scan policy - clientApi.ascan.enableAllScanners(null); - - // use firefox in headless mode by default - clientApi.ajaxSpider.setOptionBrowserId("firefox-headless"); - } - - protected void setupAdditonalProxyConfiguration() throws ClientApiException { - ProxyInformation proxyInformation = scanContext.getProxyInformation(); - if (proxyInformation != null) { - String proxyHost = proxyInformation.getHost(); - int proxyPort = proxyInformation.getPort(); - LOG.info("Using proxy {}:{} to reach target.", proxyHost, proxyPort); - clientApi.network.setHttpProxy(proxyHost, "" + proxyPort, null, null, null); - clientApi.network.setHttpProxyEnabled("true"); - clientApi.network.setHttpProxyAuthEnabled("false"); - } else { - LOG.info("No proxy was set, continuing without proxy."); - clientApi.network.setHttpProxyEnabled("false"); - } - } - - protected void deactivateRules() throws ClientApiException { - OwaspZapFullRuleset fullRuleset = scanContext.getFullRuleset(); - DeactivatedRuleReferences deactivatedRuleReferences = scanContext.getDeactivatedRuleReferences(); - if (fullRuleset == 
null && deactivatedRuleReferences == null) { - return; - } - List rulesReferences = deactivatedRuleReferences.getDeactivatedRuleReferences(); - if (rulesReferences == null) { - return; - } - - for (RuleReference ruleRef : rulesReferences) { - Rule ruleToDeactivate = fullRuleset.findRuleByReference(ruleRef.getReference()); - if (isPassiveRule(ruleToDeactivate.getType())) { - clientApi.pscan.disableScanners(ruleToDeactivate.getId()); - } else if (isActiveRule(ruleToDeactivate.getType())) { - // null specifies the default scan policy - clientApi.ascan.disableScanners(ruleToDeactivate.getId(), null); - } - } - } - - protected void loadApiDefinitions() throws ClientApiException { - if (scanContext.getApiDefinitionFile() == null) { - LOG.info("For scan {}: No file with API definition found!", scanContext.getContextName()); - return; - } - Optional apiConfig = scanContext.getSecHubWebScanConfiguration().getApi(); - if (!apiConfig.isPresent()) { - throw new ZapWrapperRuntimeException("For scan :" + scanContext.getContextName() + " No API type was definied!", - ZapWrapperExitCode.API_DEFINITION_CONFIG_INVALID); - } - - switch (apiConfig.get().getType()) { - case OPEN_API: - clientApi.openapi.importFile(scanContext.getApiDefinitionFile().toString(), scanContext.getTargetUrlAsString(), contextId); - break; - default: - // should never happen since API type is an Enum - // Failure should happen before getting here - throw new ZapWrapperRuntimeException("For scan :" + scanContext.getContextName() + " Unknown API type was definied!", - ZapWrapperExitCode.API_DEFINITION_CONFIG_INVALID); - } - } - - /** - * This method checks if the sites tree is empty. The OWASP ZAP creates this - * sites tree while crawling and detecting pages. The method is necessary since - * the active scanner exits with an exception if the sites tree is empty, when - * starting an active scan. 
- * - * This can only happen in very few cases, but then we want to be able to inform - * the user and write a report which is empty or contains at least the passively - * detected results. - * - * @return - * @throws ClientApiException - */ - protected boolean atLeastOneURLDetected() throws ClientApiException { - ApiResponseList sitesList = (ApiResponseList) clientApi.core.sites(); - return sitesList.getItems().size() > 0; - } - - protected void addReplacerRulesForHeaders() throws ClientApiException { - if (scanContext.getSecHubWebScanConfiguration().getHeaders().isEmpty()) { - LOG.info("No headers were configured inside the sechub webscan configuration."); - return; - } - - // description specifies the rule name, which will be set later in this method - String description = null; - - String enabled = "true"; - // "REQ_HEADER" means the header entry will be added to the requests if not - // existing or replaced if already existing - String matchtype = "REQ_HEADER"; - String matchregex = "false"; - - // matchstring and replacement will be set to the header name and header value - String matchstring = null; - String replacement = null; - - // setting initiators to null means all initiators (ZAP components), - // this means spider, active scan, etc will send this rule for their requests. 
- String initiators = null; - // default URL is null which means the header would be send on any request to - // any URL - String url = null; - List httpHeaders = scanContext.getSecHubWebScanConfiguration().getHeaders().get(); - LOG.info("For scan {}: Applying header configuration.", scanContext.getContextName()); - for (HTTPHeaderConfiguration httpHeader : httpHeaders) { - matchstring = httpHeader.getName(); - replacement = httpHeader.getValue(); - - if (httpHeader.getOnlyForUrls().isEmpty()) { - // if there are no onlyForUrl patterns, there is only one rule for each header - description = httpHeader.getName(); - clientApi.replacer.addRule(description, enabled, matchtype, matchregex, matchstring, replacement, initiators, url); - } else { - for (String onlyForUrl : httpHeader.getOnlyForUrls().get()) { - // we need to create a rule for each onlyForUrl pattern on each header - description = onlyForUrl; - url = urlUtil.replaceWildCardsWithRegexInUrl(onlyForUrl); - clientApi.replacer.addRule(description, enabled, matchtype, matchregex, matchstring, replacement, initiators, url); - } - } - } - } - - private void writeUserMessagesWithScannedURLs(List spiderResults) { - for (ApiResponse result : spiderResults) { - String url = result.toString(); - if (url.contains("robots.txt") || url.contains("sitemap.xml")) { - continue; - } - scanContext.getOwaspZapProductMessageHelper().writeSingleProductMessage(new SecHubMessage(SecHubMessageType.INFO, "Detect url to scan: " + url)); - } - } - - private boolean isPassiveRule(String type) { - return "passive".equals(type.toLowerCase()); - } - - private boolean isActiveRule(String type) { - return "active".equals(type.toLowerCase()); - } - - private void scanUnsafe() throws ClientApiException { - /* OWASP ZAP setup on local machine */ - setupBasicConfiguration(); - deactivateRules(); - setupAdditonalProxyConfiguration(); - createContext(); - addReplacerRulesForHeaders(); - - /* OWASP ZAP setup with access to target */ - 
addIncludedAndExcludedUrlsToContext(); - loadApiDefinitions(); - - /* OWASP ZAP scan */ - if (scanContext.isAjaxSpiderEnabled()) { - runAjaxSpider(); - } - runSpider(); - passiveScan(); - if (scanContext.isActiveScanEnabled()) { - runActiveScan(); - } - - /* After scan */ - generateOwaspZapReport(); - cleanUp(); - } - - private void waitForNextCheck() { - try { - Thread.sleep(CHECK_SCAN_STATUS_TIME_IN_MILLISECONDS); - } catch (InterruptedException e) { - Thread.currentThread().interrupt(); - } - } - - private boolean isAjaxSpiderStopped(String status) { - return "stopped".equals(status); - } - - private String resolveParentDirectoryPath(Path reportFile) { - if (reportFile == null) { - throw new ZapWrapperRuntimeException("For scan: " + scanContext.getContextName() + ". Report file not set.", - ZapWrapperExitCode.PDS_CONFIGURATION_ERROR); - } - if (Files.isDirectory(reportFile)) { - throw new ZapWrapperRuntimeException("For scan: " + scanContext.getContextName() + ". Report file must not be a directory!", - ZapWrapperExitCode.PDS_CONFIGURATION_ERROR); - } - - Path parent = reportFile.getParent(); - Path absolutePath = parent.toAbsolutePath(); - - return absolutePath.toString(); - } - - /** - * This method is used to rename the file back to the specified name in case the - * file did not end with .json. - * - * The reason for this method is that the Owasp Zap appends ".json" to the - * result file if we generate a report in json format. The PDS result.txt will - * then be called result.txt.json. Because of this behaviour the file will be - * renamed. 
- */ - private void renameReportFileIfFileExtensionIsNotJSON() { - String specifiedReportFile = scanContext.getReportFile().toAbsolutePath().toFile().getAbsolutePath(); - // If the Owasp Zap creates the file below, it will be renamed to the originally - // specified name - File owaspZapCreatedFile = new File(specifiedReportFile + ".json"); - if (owaspZapCreatedFile.exists()) { - try { - Path owaspzapReport = Paths.get(specifiedReportFile + ".json"); - Files.move(owaspzapReport, owaspzapReport.resolveSibling(scanContext.getReportFile().toAbsolutePath()), StandardCopyOption.REPLACE_EXISTING); - } catch (IOException e) { - throw new ZapWrapperRuntimeException("For scan: " + scanContext.getContextName() + ". An error occurred renaming the report file", e, - ZapWrapperExitCode.IO_ERROR); - } - } - } - - private void visitInclude(String url) { - try { - String followRedirects = "false"; - clientApi.core.accessUrl(url, followRedirects); - } catch (ClientApiException e) { - LOG.error("While trying to access URL {} got the error: {}", url, e.getMessage()); - } - } - - private void registerUrlsIncludedInContext() throws ClientApiException { - for (URL url : scanContext.getOwaspZapURLsIncludeList()) { - clientApi.context.includeInContext(scanContext.getContextName(), url + ".*"); - visitInclude(url.toString()); - } - } - - private void registerUrlsExcludedFromContext() throws ClientApiException { - for (URL url : scanContext.getOwaspZapURLsExcludeList()) { - clientApi.context.excludeFromContext(scanContext.getContextName(), url + ".*"); - } - } - - private void cleanUpReplacerRules() throws ClientApiException { - if (scanContext.getSecHubWebScanConfiguration().getHeaders().isEmpty()) { - return; - } - - List httpHeaders = scanContext.getSecHubWebScanConfiguration().getHeaders().get(); - for (HTTPHeaderConfiguration httpHeader : httpHeaders) { - if (httpHeader.getOnlyForUrls().isEmpty()) { - String description = httpHeader.getName(); - 
clientApi.replacer.removeRule(description); - } else { - for (String onlyForUrl : httpHeader.getOnlyForUrls().get()) { - String description = onlyForUrl; - clientApi.replacer.removeRule(description); - } - } - } - } - - /** - * Runs classical spider (suitable for web applications) - just parsing.... - * creates tree - * - * @throws ClientApiException - */ - protected abstract void runSpider() throws ClientApiException; - - /** - * Runs web driver oriented spider (suitable for single page applications)- just - * clicking.... creates tree - * - * @throws ClientApiException - */ - protected abstract void runAjaxSpider() throws ClientApiException; - - /** - * Attacks the target - * - * @throws ClientApiException - */ - protected abstract void runActiveScan() throws ClientApiException; - -} diff --git a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/scan/ClientApiFacade.java b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/scan/ClientApiFacade.java new file mode 100644 index 0000000000..34645135c6 --- /dev/null +++ b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/scan/ClientApiFacade.java 
@@ -0,0 +1,535 @@ +// SPDX-License-Identifier: MIT +package com.mercedesbenz.sechub.owaspzapwrapper.scan; + +import java.util.ArrayList; +import java.util.List; + +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.zaproxy.clientapi.core.ApiResponse; +import org.zaproxy.clientapi.core.ApiResponseElement; +import org.zaproxy.clientapi.core.ApiResponseList; +import org.zaproxy.clientapi.core.ClientApi; +import org.zaproxy.clientapi.core.ClientApiException; + +public class ClientApiFacade { + + private static final Logger LOG = LoggerFactory.getLogger(ClientApiFacade.class); + + private ClientApi clientApi; + + public ClientApiFacade(ClientApi clientApi) { + this.clientApi = clientApi; + } + + /** + * Create new context inside the OWASP ZAP. + * + * @param contextName + * @return contextId returned by OWASP ZAP + * @throws ClientApiException + */ + public String createNewContext(String contextName) throws ClientApiException { + ApiResponseElement createContextResponse = ((ApiResponseElement) clientApi.context.newContext(contextName)); + return getIdOfApiResponseElement(createContextResponse); + } + + /** + * + * @param contextName + * @param overwrite + * @return + * @throws ClientApiException + */ + public ApiResponse createNewSession(String contextName, String overwrite) throws ClientApiException { + return clientApi.core.newSession(contextName, overwrite); + } + + /** + * + * @param maximum + * @return + * @throws ClientApiException + */ + public ApiResponse configureMaximumAlertsForEachRule(String maximum) throws ClientApiException { + return clientApi.core.setOptionMaximumAlertInstances(maximum); + } + + /** + * + * @return + * @throws ClientApiException + */ + public ApiResponse enableAllPassiveScannerRules() throws ClientApiException { + return clientApi.pscan.enableAllScanners(); + } + + /** + * + * @param policy + * @return + * @throws ClientApiException + */ + public ApiResponse enableAllActiveScannerRulesForPolicy(String policy) throws 
ClientApiException { + return clientApi.ascan.enableAllScanners(null); + } + + /** + * + * @param browserId + * @return + * @throws ClientApiException + */ + public ApiResponse configureAjaxSpiderBrowserId(String browserId) throws ClientApiException { + return clientApi.ajaxSpider.setOptionBrowserId(browserId); + } + + /** + * + * @param ruleId + * @return + * @throws ClientApiException + */ + public ApiResponse disablePassiveScannerRule(String ruleId) throws ClientApiException { + return clientApi.pscan.disableScanners(ruleId); + } + + /** + * + * @param ruleId + * @param policy + * @return + * @throws ClientApiException + */ + public ApiResponse disableActiveScannerRuleForPolicy(String ruleId, String policy) throws ClientApiException { + return clientApi.ascan.disableScanners(ruleId, null); + } + + /** + * + * @param host + * @param port + * @param realm + * @param username + * @param password + * @return + * @throws ClientApiException + */ + public ApiResponse configureHttpProxy(String host, String port, String realm, String username, String password) throws ClientApiException { + return clientApi.network.setHttpProxy(host, port, realm, username, password); + } + + /** + * + * @param enabled + * @return + * @throws ClientApiException + */ + public ApiResponse setHttpProxyEnabled(String enabled) throws ClientApiException { + return clientApi.network.setHttpProxyEnabled(enabled); + } + + /** + * + * @param enabled + * @return + * @throws ClientApiException + */ + public ApiResponse setHttpProxyAuthEnabled(String enabled) throws ClientApiException { + return clientApi.network.setHttpProxyAuthEnabled(enabled); + } + + /** + * + * @param description + * @param enabled + * @param matchtype + * @param matchregex + * @param matchstring + * @param replacement + * @param initiators + * @param url + * @return + * @throws ClientApiException + */ + public ApiResponse addReplacerRule(String description, String enabled, String matchtype, String matchregex, String matchstring, 
String replacement, + String initiators, String url) throws ClientApiException { + return clientApi.replacer.addRule(description, enabled, matchtype, matchregex, matchstring, replacement, initiators, url); + } + + /** + * + * @param contextName + * @param urlPattern + * @return + * @throws ClientApiException + */ + public ApiResponse addIncludeUrlPatternToContext(String contextName, String urlPattern) throws ClientApiException { + return clientApi.context.includeInContext(contextName, urlPattern); + } + + /** + * + * @param contextName + * @param urlPattern + * @return + * @throws ClientApiException + */ + public ApiResponse addExcludeUrlPatternToContext(String contextName, String urlPattern) throws ClientApiException { + return clientApi.context.excludeFromContext(contextName, urlPattern); + } + + /** + * + * @param url + * @param followRedirects + * @return ApiResponse of OWASP ZAP or null when URL was not + * accessible. + */ + public ApiResponse accessUrlViaOwaspZap(String url, String followRedirects) { + ApiResponse response = null; + try { + response = clientApi.core.accessUrl(url, followRedirects); + } catch (ClientApiException e) { + LOG.error("While trying to access URL {} got the error: {}", url, e.getMessage()); + } + return response; + } + + /** + * + * @param openApiFile + * @param url + * @param contextId + * @return + * @throws ClientApiException + */ + public ApiResponse importOpenApiFile(String openApiFile, String url, String contextId) throws ClientApiException { + return clientApi.openapi.importFile(openApiFile, url, contextId); + } + + /** + * This method checks if the sites tree is empty. The OWASP ZAP creates this + * sites tree while crawling and detecting pages. The method is necessary since + * the active scanner exits with an exception if the sites tree is empty, when + * starting an active scan. 
+ * + * This can only happen in very few cases, but then we want to be able to inform + * the user and write a report which is empty or contains at least the passively + * detected results. + * + * @return + * @throws ClientApiException + */ + public boolean atLeastOneURLDetected() throws ClientApiException { + ApiResponseList sitesList = (ApiResponseList) clientApi.core.sites(); + return sitesList.getItems().size() > 0; + } + + /** + * + * @param description + * @return + * @throws ClientApiException + */ + public ApiResponse removeReplacerRule(String description) throws ClientApiException { + return clientApi.replacer.removeRule(description); + } + + /** + * + * @param title + * @param template + * @param theme + * @param description + * @param contexts + * @param sites + * @param sections + * @param includedconfidences + * @param includedrisks + * @param reportfilename + * @param reportfilenamepattern + * @param reportdir + * @param display + * @return + * @throws ClientApiException + */ + public ApiResponse generateReport(String title, String template, String theme, String description, String contexts, String sites, String sections, + String includedconfidences, String includedrisks, String reportfilename, String reportfilenamepattern, String reportdir, String display) + throws ClientApiException { + return clientApi.reports.generate(title, template, theme, description, contexts, sites, sections, includedconfidences, includedrisks, reportfilename, + reportfilenamepattern, reportdir, display); + } + + /** + * Check the status of the ajax spider scan. + * + * @return The status as string after the ajax spider scan is started it is + * either "running" or "stopped". 
+ * @throws ClientApiException + */ + public String getAjaxSpiderStatus() throws ClientApiException { + return ((ApiResponseElement) clientApi.ajaxSpider.status()).getValue(); + } + + /** + * + * @return + * @throws ClientApiException + */ + public ApiResponse stopAjaxSpider() throws ClientApiException { + return clientApi.ajaxSpider.stop(); + } + + /** + * + * @param scanId + * @return + * @throws ClientApiException + */ + public ApiResponse stopSpiderScan(String scanId) throws ClientApiException { + return clientApi.spider.stop(scanId); + } + + /** + * Get a list of all URLs detected by the spider scan. + * + * @return + * @throws ClientApiException + */ + public List getAllSpiderUrls() throws ClientApiException { + List results = ((ApiResponseList) clientApi.spider.allUrls()).getItems(); + List urls = new ArrayList<>(); + for (ApiResponse response : results) { + urls.add(response.toString()); + } + return urls; + } + + /** + * Get the status of the spider scan with a specific scan ID. + * + * @param scanId + * @return The status as a number between 0 and 100. (percentage of scan + * completion) + * @throws ClientApiException + */ + public int getSpiderStatusForScan(String scanId) throws ClientApiException { + ApiResponseElement status = (ApiResponseElement) clientApi.spider.status(scanId); + return Integer.parseInt(status.getValue()); + } + + /** + * Get the number of records left to scan for the passive scan. 
+ * + * @param scanId + * @return + * @throws ClientApiException + */ + public int getNumberOfPassiveScannerRecordsToScan() throws ClientApiException { + ApiResponseElement recordsToScan = (ApiResponseElement) clientApi.pscan.recordsToScan(); + return Integer.parseInt(recordsToScan.getValue()); + } + + /** + * + * @param scanId + * @return + * @throws ClientApiException + */ + public ApiResponse stopActiveScan(String scanId) throws ClientApiException { + return clientApi.ascan.stop(scanId); + } + + /** + * Get the status of the active scan with a specific scan ID. + * + * @param scanId + * @return The status as a number between 0 and 100. (percentage of scan + * completion) + * @throws ClientApiException + */ + public int getActiveScannerStatusForScan(String scanId) throws ClientApiException { + ApiResponseElement status = (ApiResponseElement) clientApi.ascan.status(scanId); + return Integer.parseInt(status.getValue()); + } + + /** + * + * @param targetUrlAsString + * @param maxChildren + * @param recurse + * @param contextName + * @param subTreeOnly + * @return the ID of the started spider scan + * @throws ClientApiException + */ + public String startSpiderScan(String targetUrlAsString, String maxChildren, String recurse, String contextName, String subTreeOnly) + throws ClientApiException { + ApiResponse response = clientApi.spider.scan(targetUrlAsString, maxChildren, recurse, contextName, subTreeOnly); + return getIdOfApiResponseElement((ApiResponseElement) response); + } + + /** + * + * @param targetUrlAsString + * @param inScope + * @param contextName + * @param subTreeOnly + * @return the response of the OWASP ZAP API call + * @throws ClientApiException + */ + public ApiResponse startAjaxSpiderScan(String targetUrlAsString, String inScope, String contextName, String subTreeOnly) throws ClientApiException { + return clientApi.ajaxSpider.scan(targetUrlAsString, inScope, contextName, subTreeOnly); + } + + /** + * + * @param targetUrlAsString + * @param recurse + 
* @param inScopeOnly + * @param scanPolicyName + * @param method + * @param postData + * @return the ID of the started active scan + * @throws ClientApiException + */ + public String startActiveScan(String targetUrlAsString, String recurse, String inScopeOnly, String scanPolicyName, String method, String postData) + throws ClientApiException { + ApiResponse response = clientApi.ascan.scan(targetUrlAsString, recurse, inScopeOnly, scanPolicyName, method, postData); + return getIdOfApiResponseElement((ApiResponseElement) response); + } + + /** + * + * @param contextId + * @param userId + * @param url + * @param maxchildren + * @param recurse + * @param subtreeonly + * @return the ID of the started spider scan + * @throws ClientApiException + */ + public String startSpiderScanAsUser(String contextId, String userId, String url, String maxchildren, String recurse, String subtreeonly) + throws ClientApiException { + ApiResponse response = clientApi.spider.scanAsUser(contextId, userId, url, maxchildren, recurse, subtreeonly); + return getIdOfApiResponseElement((ApiResponseElement) response); + } + + /** + * + * @param contextname + * @param username + * @param url + * @param subtreeonly + * @return the response of the OWASP ZAP API call + * @throws ClientApiException + */ + public ApiResponse startAjaxSpiderScanAsUser(String contextname, String username, String url, String subtreeonly) throws ClientApiException { + return clientApi.ajaxSpider.scanAsUser(contextname, username, url, subtreeonly); + } + + /** + * + * @param url + * @param contextId + * @param userId + * @param recurse + * @param scanpolicyname + * @param method + * @param postdata + * @return the ID of the started active scan + * @throws ClientApiException + */ + public String startActiveScanAsUser(String url, String contextId, String userId, String recurse, String scanpolicyname, String method, String postdata) + throws ClientApiException { + ApiResponse response = clientApi.ascan.scanAsUser(url, contextId, 
userId, recurse, scanpolicyname, method, postdata); + return getIdOfApiResponseElement((ApiResponseElement) response); + } + + /** + * + * @param contextId + * @param authMethodName + * @param authMethodConfigParams + * @return + * @throws ClientApiException + */ + public ApiResponse configureAuthenticationMethod(String contextId, String authMethodName, String authMethodConfigParams) throws ClientApiException { + return clientApi.authentication.setAuthenticationMethod(contextId, authMethodName, authMethodConfigParams); + } + + /** + * + * @param contextId + * @param methodName + * @param methodconfigparams + * @return + * @throws ClientApiException + */ + public ApiResponse sessionManagementMethod(String contextId, String methodName, String methodconfigparams) throws ClientApiException { + return clientApi.sessionManagement.setSessionManagementMethod(contextId, methodName, methodconfigparams); + } + + /** + * + * @param contextId + * @param username + * @return + * @throws ClientApiException + */ + public String createNewUser(String contextId, String username) throws ClientApiException { + ApiResponseElement creatUserResponse = ((ApiResponseElement) clientApi.users.newUser(contextId, username)); + return getIdOfApiResponseElement(creatUserResponse); + } + + /** + * + * @param contextId + * @param userId + * @param authCredentialsConfigParams + * @return + * @throws ClientApiException + */ + public ApiResponse configureAuthenticationCredentials(String contextId, String userId, String authCredentialsConfigParams) throws ClientApiException { + return clientApi.users.setAuthenticationCredentials(contextId, userId, authCredentialsConfigParams); + } + + /** + * + * @param contextId + * @param userId + * @param enabled + * @return + * @throws ClientApiException + */ + public ApiResponse setUserEnabled(String contextId, String userId, String enabled) throws ClientApiException { + return clientApi.users.setUserEnabled(contextId, userId, enabled); + } + + /** + * + * @param 
contextId + * @param userId + * @return + * @throws ClientApiException + */ + public ApiResponse setForcedUser(String contextId, String userId) throws ClientApiException { + return clientApi.forcedUser.setForcedUser(contextId, userId); + } + + /** + * + * @param enabled + * @return + * @throws ClientApiException + */ + public ApiResponse setForcedUserModeEnabled(boolean enabled) throws ClientApiException { + return clientApi.forcedUser.setForcedUserModeEnabled(enabled); + } + + private String getIdOfApiResponseElement(ApiResponseElement apiResponseElement) { + return apiResponseElement.getValue(); + } +} diff --git a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/scan/OwaspZapScanner.java b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/scan/OwaspZapScanner.java new file mode 100644 index 0000000000..6d5d124281 --- /dev/null +++ b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/scan/OwaspZapScanner.java 
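Review bot: enableAllActiveScannerRulesForPolicy and disableActiveScannerRuleForPolicy both ignore their `policy` parameter and hard-code `null` into the ZAP call, so a caller passing a named scan policy silently gets the default policy instead. The forwarding should read `return clientApi.ascan.enableAllScanners(policy);` and `return clientApi.ascan.disableScanners(ruleId, policy);` — the only caller visible in this patch passes null, so behaviour today is unchanged, but the facade's contract is misleading. The Javadoc on getNumberOfPassiveScannerRecordsToScan lists `@param scanId` although the method takes no argument; that tag should be dropped. Most of the other Javadoc blocks carry empty `@return`/`@param` tags; either describe them (e.g. `@return the raw ZAP API response`) or remove the empty tags so the generated docs do not look complete when they are not. In accessUrlViaOwaspZap the catch logs only `e.getMessage()`; passing `e` as the last argument of `LOG.error` keeps the stack trace, which helps when diagnosing why an include URL was not reachable.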
@@ -0,0 +1,756 @@ +// SPDX-License-Identifier: MIT +package com.mercedesbenz.sechub.owaspzapwrapper.scan; + +import java.io.File; +import java.io.IOException; +import java.io.UnsupportedEncodingException; +import java.net.URL; +import java.net.URLEncoder; +import java.nio.charset.StandardCharsets; +import java.nio.file.Files; +import java.nio.file.Path; +import java.nio.file.Paths; +import java.nio.file.StandardCopyOption; +import java.util.List; +import java.util.Optional; + +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.zaproxy.clientapi.core.ClientApiException; + +import com.mercedesbenz.sechub.commons.model.HTTPHeaderConfiguration; +import com.mercedesbenz.sechub.commons.model.SecHubMessage; +import com.mercedesbenz.sechub.commons.model.SecHubMessageType; +import com.mercedesbenz.sechub.commons.model.SecHubWebScanApiConfiguration; +import com.mercedesbenz.sechub.commons.model.login.BasicLoginConfiguration; +import com.mercedesbenz.sechub.commons.model.login.WebLoginConfiguration; +import com.mercedesbenz.sechub.owaspzapwrapper.cli.ZapWrapperExitCode; +import com.mercedesbenz.sechub.owaspzapwrapper.cli.ZapWrapperRuntimeException; +import com.mercedesbenz.sechub.owaspzapwrapper.config.OwaspZapScanContext; +import com.mercedesbenz.sechub.owaspzapwrapper.config.ProxyInformation; +import com.mercedesbenz.sechub.owaspzapwrapper.config.auth.SessionManagementType; +import com.mercedesbenz.sechub.owaspzapwrapper.config.data.DeactivatedRuleReferences; +import com.mercedesbenz.sechub.owaspzapwrapper.config.data.OwaspZapFullRuleset; +import com.mercedesbenz.sechub.owaspzapwrapper.config.data.Rule; +import com.mercedesbenz.sechub.owaspzapwrapper.config.data.RuleReference; +import com.mercedesbenz.sechub.owaspzapwrapper.helper.OwaspZapEventHandler; +import com.mercedesbenz.sechub.owaspzapwrapper.helper.ScanDurationHelper; +import com.mercedesbenz.sechub.owaspzapwrapper.util.SystemUtil; +import com.mercedesbenz.sechub.owaspzapwrapper.util.UrlUtil; + 
+public class OwaspZapScanner implements OwaspZapScan { + private static final Logger LOG = LoggerFactory.getLogger(OwaspZapScanner.class); + static final int CHECK_SCAN_STATUS_TIME_IN_MILLISECONDS = 5000; + + ClientApiFacade clientApiFacade; + OwaspZapScanContext scanContext; + + ScanDurationHelper scanDurationHelper; + OwaspZapEventHandler owaspZapEventHandler; + UrlUtil urlUtil; + SystemUtil systemUtil; + + long remainingScanTime; + + public OwaspZapScanner(ClientApiFacade clientApiFacade, OwaspZapScanContext scanContext) { + this.clientApiFacade = clientApiFacade; + this.scanContext = scanContext; + + this.scanDurationHelper = new ScanDurationHelper(); + this.owaspZapEventHandler = new OwaspZapEventHandler(); + this.urlUtil = new UrlUtil(); + this.systemUtil = new SystemUtil(); + + this.remainingScanTime = scanContext.getMaxScanDurationInMillis(); + } + + @Override + public void scan() { + try { + /* OWASP ZAP setup on local machine */ + setupStandardConfiguration(); + deactivateRules(scanContext.getFullRuleset(), scanContext.getDeactivatedRuleReferences()); + setupAdditonalProxyConfiguration(scanContext.getProxyInformation()); + String owaspZapContextId = createContext(); + addReplacerRulesForHeaders(); + + /* OWASP ZAP setup with access to target */ + addIncludedAndExcludedUrlsToContext(); + loadApiDefinitions(owaspZapContextId); + + /* OWASP ZAP scan */ + executeScan(owaspZapContextId); + + /* After scan */ + generateOwaspZapReport(); + cleanUp(); + } catch (ClientApiException e) { + cleanUp(); + throw new ZapWrapperRuntimeException("For scan: " + scanContext.getContextName() + ". 
An error occured while scanning!", e, + ZapWrapperExitCode.PRODUCT_EXECUTION_ERROR); + } + } + + void setupStandardConfiguration() throws ClientApiException { + LOG.info("Creating new session inside the Owasp Zap"); + // to ensure parts from previous scan are deleted + clientApiFacade.createNewSession(scanContext.getContextName(), "true"); + + LOG.info("Setting default of how many alerts of the same rule will be inside the report to unlimited."); + // setting this value to zero means unlimited + clientApiFacade.configureMaximumAlertsForEachRule("0"); + + LOG.info("Enable all passive scan rules before configuration begins."); + // enable all passive scanner rules by default + clientApiFacade.enableAllPassiveScannerRules(); + + LOG.info("Enable all active scan rules before configuration begins."); + // enable all passive scanner rules by default + // null specifies the default scan policy + clientApiFacade.enableAllActiveScannerRulesForPolicy(null); + + LOG.info("Set browser for ajaxSpider."); + // use firefox in headless mode by default + clientApiFacade.configureAjaxSpiderBrowserId("firefox-headless"); + } + + void deactivateRules(OwaspZapFullRuleset fullRuleset, DeactivatedRuleReferences deactivatedRuleReferences) throws ClientApiException { + if (fullRuleset == null || deactivatedRuleReferences == null) { + return; + } + List rulesReferences = deactivatedRuleReferences.getDeactivatedRuleReferences(); + if (rulesReferences == null) { + return; + } + + for (RuleReference ruleRef : rulesReferences) { + Rule ruleToDeactivate = fullRuleset.findRuleByReference(ruleRef.getReference()); + if (isPassiveRule(ruleToDeactivate.getType())) { + LOG.info("Deactivate passive scanner rule: {} ", ruleRef.getReference()); + clientApiFacade.disablePassiveScannerRule(ruleToDeactivate.getId()); + } else if (isActiveRule(ruleToDeactivate.getType())) { + LOG.info("Deactivate active scanner rule: {} ", ruleRef.getReference()); + // null specifies the default scan policy + 
clientApiFacade.disableActiveScannerRuleForPolicy(ruleToDeactivate.getId(), null); + } + } + } + + void setupAdditonalProxyConfiguration(ProxyInformation proxyInformation) throws ClientApiException { + if (proxyInformation != null) { + String proxyHost = proxyInformation.getHost(); + int proxyPort = proxyInformation.getPort(); + LOG.info("Using proxy {}:{} to reach target.", proxyHost, proxyPort); + clientApiFacade.configureHttpProxy(proxyHost, "" + proxyPort, null, null, null); + clientApiFacade.setHttpProxyEnabled("true"); + clientApiFacade.setHttpProxyAuthEnabled("false"); + } else { + LOG.info("No proxy was set, continuing without proxy."); + clientApiFacade.setHttpProxyEnabled("false"); + } + } + + /** + * Creates new context in the current OWASP ZAP session. + * + * @return the context id returned by the OWASP ZAP API + * @throws ClientApiException + */ + String createContext() throws ClientApiException { + LOG.info("Creating context: {}", scanContext.getContextName()); + return clientApiFacade.createNewContext(scanContext.getContextName()); + } + + void addReplacerRulesForHeaders() throws ClientApiException { + if (scanContext.getSecHubWebScanConfiguration().getHeaders().isEmpty()) { + LOG.info("No headers were configured inside the sechub webscan configuration."); + return; + } + + // description specifies the rule name, which will be set later in this method + String description = null; + + String enabled = "true"; + // "REQ_HEADER" means the header entry will be added to the requests if not + // existing or replaced if already existing + String matchtype = "REQ_HEADER"; + String matchregex = "false"; + + // matchstring and replacement will be set to the header name and header value + String matchstring = null; + String replacement = null; + + // setting initiators to null means all initiators (ZAP components), + // this means spider, active scan, etc will send this rule for their requests. 
+ String initiators = null; + // default URL is null which means the header would be send on any request to + // any URL + String url = null; + List httpHeaders = scanContext.getSecHubWebScanConfiguration().getHeaders().get(); + LOG.info("For scan {}: Applying header configuration.", scanContext.getContextName()); + for (HTTPHeaderConfiguration httpHeader : httpHeaders) { + matchstring = httpHeader.getName(); + replacement = httpHeader.getValue(); + + if (httpHeader.getOnlyForUrls().isEmpty()) { + // if there are no onlyForUrl patterns, there is only one rule for each header + description = httpHeader.getName(); + clientApiFacade.addReplacerRule(description, enabled, matchtype, matchregex, matchstring, replacement, initiators, url); + } else { + for (String onlyForUrl : httpHeader.getOnlyForUrls().get()) { + // we need to create a rule for each onlyForUrl pattern on each header + description = onlyForUrl; + url = urlUtil.replaceWildCardsWithRegexInUrl(onlyForUrl); + clientApiFacade.addReplacerRule(description, enabled, matchtype, matchregex, matchstring, replacement, initiators, url); + } + } + } + } + + /** + * Adds all included and excluded URL into scan context. 
+ * + * @throws ClientApiException + */ + void addIncludedAndExcludedUrlsToContext() throws ClientApiException { + LOG.info("For scan {}: Adding include parts.", scanContext.getContextName()); + for (URL url : scanContext.getOwaspZapURLsIncludeSet()) { + clientApiFacade.addIncludeUrlPatternToContext(scanContext.getContextName(), url + ".*"); + String followRedirects = "false"; + clientApiFacade.accessUrlViaOwaspZap(url.toString(), followRedirects); + } + + LOG.info("For scan {}: Adding exclude parts.", scanContext.getContextName()); + for (URL url : scanContext.getOwaspZapURLsExcludeSet()) { + clientApiFacade.addExcludeUrlPatternToContext(scanContext.getContextName(), url + ".*"); + } + } + + void loadApiDefinitions(String owaspZapContextId) throws ClientApiException { + if (scanContext.getApiDefinitionFile() == null) { + LOG.info("For scan {}: No file with API definition found!", scanContext.getContextName()); + return; + } + Optional apiConfig = scanContext.getSecHubWebScanConfiguration().getApi(); + if (!apiConfig.isPresent()) { + throw new ZapWrapperRuntimeException("For scan :" + scanContext.getContextName() + " No API type was definied!", + ZapWrapperExitCode.API_DEFINITION_CONFIG_INVALID); + } + + switch (apiConfig.get().getType()) { + case OPEN_API: + clientApiFacade.importOpenApiFile(scanContext.getApiDefinitionFile().toString(), scanContext.getTargetUrlAsString(), owaspZapContextId); + break; + default: + // should never happen since API type is an Enum + // Failure should happen before getting here + throw new ZapWrapperRuntimeException("For scan :" + scanContext.getContextName() + " Unknown API type was definied!", + ZapWrapperExitCode.API_DEFINITION_CONFIG_INVALID); + } + } + + void executeScan(String owaspZapContextId) throws ClientApiException { + UserInformation userInfo = configureLoginInsideOwaspZapContext(owaspZapContextId); + if (userInfo != null) { + if (scanContext.isAjaxSpiderEnabled()) { + runAjaxSpiderAsUser(userInfo.userName); + } + 
runSpiderAsUser(owaspZapContextId, userInfo.owaspZapuserId); + passiveScan(); + if (scanContext.isActiveScanEnabled()) { + runActiveScanAsUser(owaspZapContextId, userInfo.owaspZapuserId); + } + } else { + if (scanContext.isAjaxSpiderEnabled()) { + runAjaxSpider(); + } + runSpider(); + passiveScan(); + if (scanContext.isActiveScanEnabled()) { + runActiveScan(); + } + } + } + + /** + * Configure login according to the sechub webscan config. + * + * @param owaspZapContextId + * @return UserInformation containing userName and owaspZapUserId or + * null if nothing could be configured. + * @throws ClientApiException + */ + UserInformation configureLoginInsideOwaspZapContext(String owaspZapContextId) throws ClientApiException { + if (scanContext.getSecHubWebScanConfiguration().getLogin().isEmpty()) { + LOG.info("For scan {}: No login section detected.", scanContext.getContextName()); + return null; + } + + WebLoginConfiguration webLoginConfiguration = scanContext.getSecHubWebScanConfiguration().getLogin().get(); + if (webLoginConfiguration.getBasic().isPresent()) { + LOG.info("For scan {}: Applying basic authentication config.", scanContext.getContextName()); + return initBasicAuthentication(owaspZapContextId, webLoginConfiguration.getBasic().get()); + } + + return null; + } + + /** + * Generates the SARIF report for the current scan, identified using the context + * name. 
+ * + * @throws ClientApiException + */ + void generateOwaspZapReport() throws ClientApiException { + LOG.info("For scan {}: Writing results to report...", scanContext.getContextName()); + Path reportFile = scanContext.getReportFile(); + + String title = scanContext.getContextName(); + String template = "sarif-json"; + String theme = null; + String description = null; + String contexts = scanContext.getContextName(); + String sites = null; + String sections = null; + String includedconfidences = null; + String includedrisks = null; + String reportfilename = reportFile.getFileName().toString(); + String reportfilenamepattern = null; + String reportdir = resolveParentDirectoryPath(reportFile); + String display = null; + /* @formatter:off */ + // we use the context name as report title + clientApiFacade.generateReport( + title, + template, + theme, + description, + contexts, + sites, + sections, + includedconfidences, + includedrisks, + reportfilename, + reportfilenamepattern, + reportdir, + display + ); + /* @formatter:on */ + + // rename is necessary if the file extension is not .json, because Owasp Zap + // adds the file extension .json since we create a json report. Might not be + // necessary anymore if we have the sarif support + renameReportFileToOriginalNameIfNecessary(); + + LOG.info("For scan {}: Report can be found at {}", scanContext.getContextName(), reportFile.toFile().getAbsolutePath()); + } + + void cleanUp() { + // to ensure parts from previous scan are deleted + try { + LOG.info("Cleaning up by starting new and empty session...", scanContext.getContextName()); + clientApiFacade.createNewSession("Cleaned after scan", "true"); + LOG.info("New and empty session inside Owasp Zap created."); + + // Replacer rules are persistent even after restarting OWASP ZAP + // This means we need to cleanUp after every scan. 
+ LOG.info("Start cleaning up replacer rules."); + cleanUpReplacerRules(); + LOG.info("Cleanup successful."); + } catch (ClientApiException e) { + LOG.error("For scan: {}. An error occurred during the clean up, because: {}", scanContext.getContextName(), e.getMessage()); + } + } + + void runSpider() throws ClientApiException { + String contextName = scanContext.getContextName(); + String subTreeOnly = "true"; + String recurse = "true"; + String maxChildren = null; + String targetUrlAsString = scanContext.getTargetUrlAsString(); + LOG.info("For scan {}: Starting Spider.", contextName); + /* @formatter:off */ + String scanId = clientApiFacade.startSpiderScan( + targetUrlAsString, + maxChildren, + recurse, + contextName, + subTreeOnly); + /* @formatter:on */ + waitForSpiderResults(scanId); + } + + void runAjaxSpider() throws ClientApiException { + String inScope = "true"; + String subTreeOnly = "true"; + String contextName = scanContext.getContextName(); + String targetUrlAsString = scanContext.getTargetUrlAsString(); + LOG.info("For scan {}: Starting AjaxSpider.", scanContext.getContextName()); + /* @formatter:off */ + clientApiFacade.startAjaxSpiderScan( + targetUrlAsString, + inScope, + contextName, + subTreeOnly); + /* @formatter:on */ + waitForAjaxSpiderResults(); + } + + void runActiveScan() throws ClientApiException { + // Necessary otherwise the active scanner exits with an exception, + // if no URLs to scan where detected by the spider/ajaxSpider before + if (!clientApiFacade.atLeastOneURLDetected()) { + LOG.warn("For {} skipping active scan, since no URLs where detected by spider or ajaxSpider!", scanContext.getContextName()); + scanContext.getOwaspZapProductMessageHelper().writeSingleProductMessage( + new SecHubMessage(SecHubMessageType.WARNING, "Skipped the active scan, because no URLs were detected by the crawler! 
" + + "Please check if the URL you specified or any of the includes are accessible.")); + return; + } + String targetUrlAsString = scanContext.getTargetUrlAsString(); + String inScopeOnly = "true"; + String recurse = "true"; + String scanPolicyName = null; + String method = null; + String postData = null; + LOG.info("For scan {}: Starting ActiveScan.", scanContext.getContextName()); + /* @formatter:off */ + String scanId = clientApiFacade.startActiveScan( + targetUrlAsString, + recurse, + inScopeOnly, + scanPolicyName, + method, + postData); + /* @formatter:on */ + waitForActiveScanResults(scanId); + } + + void runSpiderAsUser(String contextId, String userId) throws ClientApiException { + String url = scanContext.getTargetUrlAsString(); + String maxchildren = null; + String recurse = "true"; + String subtreeonly = "true"; + LOG.info("For scan {}: Starting authenticated Spider.", scanContext.getContextName()); + /* @formatter:off */ + String scanId = clientApiFacade.startSpiderScanAsUser( + contextId, + userId, + url, + maxchildren, + recurse, + subtreeonly); + /* @formatter:on */ + waitForSpiderResults(scanId); + } + + void runAjaxSpiderAsUser(String username) throws ClientApiException { + String contextname = scanContext.getContextName(); + String url = scanContext.getTargetUrlAsString(); + String subtreeonly = "true"; + LOG.info("For scan {}: Starting authenticated Ajax Spider.", scanContext.getContextName()); + /* @formatter:off */ + clientApiFacade.startAjaxSpiderScanAsUser( + contextname, + username, + url, + subtreeonly); + /* @formatter:on */ + waitForAjaxSpiderResults(); + } + + void runActiveScanAsUser(String contextId, String userId) throws ClientApiException { + // Necessary otherwise the active scanner exits with an exception, + // if no URLs to scan where detected by the spider/ajaxSpider before + if (!clientApiFacade.atLeastOneURLDetected()) { + LOG.warn("For {} skipping active scan, since no URLs where detected by spider or ajaxSpider!", 
scanContext.getContextName()); + scanContext.getOwaspZapProductMessageHelper().writeSingleProductMessage( + new SecHubMessage(SecHubMessageType.WARNING, "Skipped the active scan, because no URLs were detected by the crawler! " + + "Please check if the URL you specified or any of the includes are accessible.")); + return; + } + String url = scanContext.getTargetUrlAsString(); + String recurse = "true"; + String scanpolicyname = null; + String method = null; + String postdata = null; + LOG.info("For scan {}: Starting authenticated ActiveScan.", scanContext.getContextName()); + /* @formatter:off */ + String scanId = clientApiFacade.startActiveScanAsUser( + url, + contextId, + userId, + recurse, + scanpolicyname, + method, + postdata); + /* @formatter:on */ + waitForActiveScanResults(scanId); + } + + /** + * Wait for the results of the ajax spider. Periodically checks the progress of + * the ajax spider. + * + * @throws ClientApiException + */ + void waitForAjaxSpiderResults() throws ClientApiException { + String ajaxSpiderStatus = null; + + long startTime = systemUtil.getCurrentTimeInMilliseconds(); + long maxDuration = scanDurationHelper.computeAjaxSpiderMaxScanDuration(scanContext.isActiveScanEnabled(), remainingScanTime); + + boolean timeOut = false; + + while (!isAjaxSpiderStopped(ajaxSpiderStatus) && !timeOut) { + if (owaspZapEventHandler.isScanCancelled()) { + clientApiFacade.stopAjaxSpider(); + owaspZapEventHandler.cancelScan(scanContext.getContextName()); + } + systemUtil.waitForMilliseconds(CHECK_SCAN_STATUS_TIME_IN_MILLISECONDS); + ajaxSpiderStatus = clientApiFacade.getAjaxSpiderStatus(); + LOG.info("For scan {}: AjaxSpider status {}", scanContext.getContextName(), ajaxSpiderStatus); + timeOut = (systemUtil.getCurrentTimeInMilliseconds() - startTime) > maxDuration; + } + /* stop spider - otherwise running in background */ + clientApiFacade.stopAjaxSpider(); + LOG.info("For scan {}: AjaxSpider completed.", scanContext.getContextName()); + remainingScanTime = 
remainingScanTime - (systemUtil.getCurrentTimeInMilliseconds() - startTime); + } + + /** + * Wait for the results of the spider. Periodically checks the progress of the + * spider. + * + * @param response + * @throws ClientApiException + */ + void waitForSpiderResults(String scanId) throws ClientApiException { + int progressSpider = 0; + + long startTime = systemUtil.getCurrentTimeInMilliseconds(); + long maxDuration = scanDurationHelper.computeSpiderMaxScanDuration(scanContext.isActiveScanEnabled(), scanContext.isAjaxSpiderEnabled(), + remainingScanTime); + + boolean timeOut = false; + + while (progressSpider < 100 && !timeOut) { + if (owaspZapEventHandler.isScanCancelled()) { + clientApiFacade.stopSpiderScan(scanId); + owaspZapEventHandler.cancelScan(scanContext.getContextName()); + } + systemUtil.waitForMilliseconds(CHECK_SCAN_STATUS_TIME_IN_MILLISECONDS); + progressSpider = clientApiFacade.getSpiderStatusForScan(scanId); + LOG.info("For scan {}: Spider progress {}%", scanContext.getContextName(), progressSpider); + timeOut = systemUtil.getCurrentTimeInMilliseconds() - startTime > maxDuration; + } + /* stop spider - otherwise running in background */ + clientApiFacade.stopSpiderScan(scanId); + + scanContext.getOwaspZapProductMessageHelper().writeUserMessagesWithScannedURLs(clientApiFacade.getAllSpiderUrls()); + LOG.info("For scan {}: Spider completed.", scanContext.getContextName()); + remainingScanTime = remainingScanTime - (systemUtil.getCurrentTimeInMilliseconds() - startTime); + } + + /** + * Wait for the results of the passive scan. Periodically checks the progress of + * the passive scan. 
+ * + * @throws ClientApiException + */ + void passiveScan() throws ClientApiException { + LOG.info("For scan {}: Starting passive scan.", scanContext.getContextName()); + long startTime = systemUtil.getCurrentTimeInMilliseconds(); + long maxDuration = scanDurationHelper.computePassiveScanMaxScanDuration(scanContext.isActiveScanEnabled(), scanContext.isAjaxSpiderEnabled(), + remainingScanTime); + + int numberOfRecords = clientApiFacade.getNumberOfPassiveScannerRecordsToScan(); + boolean timeOut = false; + + while (numberOfRecords > 0 && !timeOut) { + if (owaspZapEventHandler.isScanCancelled()) { + owaspZapEventHandler.cancelScan(scanContext.getContextName()); + } + systemUtil.waitForMilliseconds(CHECK_SCAN_STATUS_TIME_IN_MILLISECONDS); + numberOfRecords = clientApiFacade.getNumberOfPassiveScannerRecordsToScan(); + LOG.info("For scan {}: Passive scan number of records left for scanning: {}", scanContext.getContextName(), numberOfRecords); + timeOut = systemUtil.getCurrentTimeInMilliseconds() - startTime > maxDuration; + } + LOG.info("For scan {}: Passive scan completed.", scanContext.getContextName()); + remainingScanTime = remainingScanTime - (systemUtil.getCurrentTimeInMilliseconds() - startTime); + } + + /** + * Wait for the results of the active scan. Periodically checks the progress of + * the active scan. 
+ * + * @param response + * @throws ClientApiException + */ + void waitForActiveScanResults(String scanId) throws ClientApiException { + int progressActive = 0; + + long startTime = systemUtil.getCurrentTimeInMilliseconds(); + long maxDuration = remainingScanTime; + boolean timeOut = false; + while (progressActive < 100 && !timeOut) { + if (owaspZapEventHandler.isScanCancelled()) { + clientApiFacade.stopActiveScan(scanId); + owaspZapEventHandler.cancelScan(scanContext.getContextName()); + } + systemUtil.waitForMilliseconds(CHECK_SCAN_STATUS_TIME_IN_MILLISECONDS); + progressActive = clientApiFacade.getActiveScannerStatusForScan(scanId); + LOG.info("For scan {}: Active scan progress {}%", scanContext.getContextName(), progressActive); + + timeOut = (systemUtil.getCurrentTimeInMilliseconds() - startTime) > maxDuration; + } + clientApiFacade.stopActiveScan(scanId); + LOG.info("For scan {}: Active scan completed.", scanContext.getContextName()); + } + + private boolean isPassiveRule(String type) { + return "passive".equals(type.toLowerCase()); + } + + private boolean isActiveRule(String type) { + return "active".equals(type.toLowerCase()); + } + + private UserInformation initBasicAuthentication(String owaspZapContextId, BasicLoginConfiguration basicLoginConfiguration) throws ClientApiException { + String realm = ""; + if (basicLoginConfiguration.getRealm().isPresent()) { + realm = basicLoginConfiguration.getRealm().get(); + } + String port = "" + scanContext.getTargetUrl().getPort(); + /* @formatter:off */ + StringBuilder authMethodConfigParams = new StringBuilder(); + authMethodConfigParams.append("hostname=").append(urlEncodeUTF8(scanContext.getTargetUrl().getHost())) + .append("&realm=").append(urlEncodeUTF8(realm)) + .append("&port=").append(urlEncodeUTF8(port)); + /* @formatter:on */ + LOG.info("For scan {}: Setting basic authentication.", scanContext.getContextName()); + String authMethodName = scanContext.getAuthenticationType().getOwaspZapAuthenticationMethod(); 
+ clientApiFacade.configureAuthenticationMethod(owaspZapContextId, authMethodName, authMethodConfigParams.toString()); + + String methodName = SessionManagementType.HTTP_AUTH_SESSION_MANAGEMENT.getOwaspZapSessionManagementMethod(); + + // methodconfigparams in case of http basic auth is null, because it is + // configured automatically + String methodconfigparams = null; + clientApiFacade.sessionManagementMethod(owaspZapContextId, methodName, methodconfigparams); + + return initBasicAuthScanUser(owaspZapContextId, basicLoginConfiguration); + } + + private UserInformation initBasicAuthScanUser(String owaspZapContextId, BasicLoginConfiguration basicLoginConfiguration) throws ClientApiException { + String username = new String(basicLoginConfiguration.getUser()); + String password = new String(basicLoginConfiguration.getPassword()); + + String userId = clientApiFacade.createNewUser(owaspZapContextId, username); + + /* @formatter:off */ + StringBuilder authCredentialsConfigParams = new StringBuilder(); + authCredentialsConfigParams.append("username=").append(urlEncodeUTF8(username)) + .append("&password=").append(urlEncodeUTF8(password)); + /* @formatter:on */ + + LOG.info("For scan {}: Setting up user.", scanContext.getContextName()); + clientApiFacade.configureAuthenticationCredentials(owaspZapContextId, userId, authCredentialsConfigParams.toString()); + String enabled = "true"; + clientApiFacade.setUserEnabled(owaspZapContextId, userId, enabled); + + clientApiFacade.setForcedUser(owaspZapContextId, userId); + clientApiFacade.setForcedUserModeEnabled(true); + + UserInformation userInfo = new UserInformation(); + userInfo.owaspZapuserId = userId; + userInfo.userName = username; + return userInfo; + } + + private boolean isAjaxSpiderStopped(String status) { + return "stopped".equals(status); + } + + private String resolveParentDirectoryPath(Path reportFile) { + if (reportFile == null) { + throw new ZapWrapperRuntimeException("For scan: " + scanContext.getContextName() + 
". Report file not set.", + ZapWrapperExitCode.PDS_CONFIGURATION_ERROR); + } + if (Files.isDirectory(reportFile)) { + throw new ZapWrapperRuntimeException("For scan: " + scanContext.getContextName() + ". Report file must not be a directory!", + ZapWrapperExitCode.PDS_CONFIGURATION_ERROR); + } + + Path parent = reportFile.getParent(); + Path absolutePath = parent.toAbsolutePath(); + + return absolutePath.toString(); + } + + /** + * This method is used to rename the file back to the specified name in case the + * file did not end with .json. + * + * The reason for this method is that the Owasp Zap appends ".json" to the + * result file if we generate a report in json format. The PDS result.txt will + * then be called result.txt.json. Because of this behaviour the file will be + * renamed. + */ + private void renameReportFileToOriginalNameIfNecessary() { + String specifiedReportFile = scanContext.getReportFile().toAbsolutePath().toFile().getAbsolutePath(); + // If the Owasp Zap creates the file below, it will be renamed to the originally + // specified name + File owaspZapCreatedFile = new File(specifiedReportFile + ".json"); + if (owaspZapCreatedFile.exists()) { + try { + Path owaspzapReport = Paths.get(specifiedReportFile + ".json"); + Files.move(owaspzapReport, owaspzapReport.resolveSibling(scanContext.getReportFile().toAbsolutePath()), StandardCopyOption.REPLACE_EXISTING); + } catch (IOException e) { + throw new ZapWrapperRuntimeException("For scan: " + scanContext.getContextName() + ". 
An error occurred renaming the report file", e, + ZapWrapperExitCode.IO_ERROR); + } + } + } + + private void cleanUpReplacerRules() throws ClientApiException { + if (scanContext.getSecHubWebScanConfiguration().getHeaders().isEmpty()) { + return; + } + + List httpHeaders = scanContext.getSecHubWebScanConfiguration().getHeaders().get(); + for (HTTPHeaderConfiguration httpHeader : httpHeaders) { + if (httpHeader.getOnlyForUrls().isEmpty()) { + String description = httpHeader.getName(); + clientApiFacade.removeReplacerRule(description); + } else { + for (String onlyForUrl : httpHeader.getOnlyForUrls().get()) { + String description = onlyForUrl; + clientApiFacade.removeReplacerRule(description); + } + } + } + } + + private String urlEncodeUTF8(String stringToEncode) { + try { + return URLEncoder.encode(stringToEncode, StandardCharsets.UTF_8.toString()); + } catch (UnsupportedEncodingException e) { + throw new IllegalStateException("This should not happen because we always use UTF-8: " + e); + } + } + + class UserInformation { + private String userName; + private String owaspZapuserId; + + // for testing + String getUserName() { + return userName; + } + + // for testing + String getOwaspZapuserId() { + return owaspZapuserId; + } + } +} diff --git a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/scan/UnauthenticatedScan.java b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/scan/UnauthenticatedScan.java deleted file mode 100644 index e609185654..0000000000 --- a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/scan/UnauthenticatedScan.java +++ /dev/null 
@@ -1,87 +0,0 @@ -// SPDX-License-Identifier: MIT -package com.mercedesbenz.sechub.owaspzapwrapper.scan; - -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; -import org.zaproxy.clientapi.core.ApiResponse; -import org.zaproxy.clientapi.core.ClientApi; -import org.zaproxy.clientapi.core.ClientApiException; - -import com.mercedesbenz.sechub.commons.model.SecHubMessage; -import com.mercedesbenz.sechub.commons.model.SecHubMessageType; -import com.mercedesbenz.sechub.owaspzapwrapper.config.OwaspZapScanContext; - -public class UnauthenticatedScan extends AbstractScan { - - private static final Logger LOG = LoggerFactory.getLogger(UnauthenticatedScan.class); - - public UnauthenticatedScan(ClientApi clientApi, OwaspZapScanContext scanContext) { - super(clientApi, scanContext); - } - - @Override - protected void runSpider() throws ClientApiException { - String contextName = scanContext.getContextName(); - String subTreeOnly = "true"; - String recurse = "true"; - String maxChildren = null; - String targetUrlAsString = scanContext.getTargetUrlAsString(); - LOG.info("For scan {}: Starting Spider.", contextName); - /* @formatter:off */ - ApiResponse responseSpider = clientApi.spider.scan( - targetUrlAsString, - maxChildren, - recurse, - contextName, - subTreeOnly); - /* @formatter:on */ - waitForSpiderResults(responseSpider); - } - - @Override - protected void runAjaxSpider() throws ClientApiException { - String inScope = "true"; - String subTreeOnly = "true"; - String contextName = scanContext.getContextName(); - String targetUrlAsString = scanContext.getTargetUrlAsString(); - LOG.info("For scan {}: Starting AjaxSpider.", scanContext.getContextName()); - /* @formatter:off */ - clientApi.ajaxSpider.scan( - targetUrlAsString, - inScope, - contextName, - subTreeOnly); - /* @formatter:on */ - waitForAjaxSpiderResults(); - } - - @Override - protected void runActiveScan() throws ClientApiException { - // Necessary otherwise the active scanner exits with an exception, - // if 
no URLs to scan where detected by the spider/ajaxSpider before - if (!atLeastOneURLDetected()) { - LOG.warn("For {} skipping active scan, since no URLs where detected by spider or ajaxSpider!", scanContext.getContextName()); - scanContext.getOwaspZapProductMessageHelper().writeSingleProductMessage( - new SecHubMessage(SecHubMessageType.WARNING, "Skipped the active scan, because no URLs were detected by the crawler! " - + "Please check if the URL you specified or any of the includes are accessible.")); - return; - } - String targetUrlAsString = scanContext.getTargetUrlAsString(); - String inScopeOnly = "true"; - String recurse = "true"; - String scanPolicyName = null; - String method = null; - String postData = null; - LOG.info("For scan {}: Starting ActiveScan.", scanContext.getContextName()); - /* @formatter:off */ - ApiResponse responseActive = clientApi.ascan.scan( - targetUrlAsString, - recurse, - inScopeOnly, - scanPolicyName, - method, - postData); - /* @formatter:on */ - waitForActiveScanResults(responseActive); - } -} \ No newline at end of file diff --git a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/scan/auth/AbstractAuthScan.java b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/scan/auth/AbstractAuthScan.java deleted file mode 100644 index b23cd16ea2..0000000000 --- a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/scan/auth/AbstractAuthScan.java +++ /dev/null 
@@ -1,143 +0,0 @@ -// SPDX-License-Identifier: MIT -package com.mercedesbenz.sechub.owaspzapwrapper.scan.auth; - -import java.io.UnsupportedEncodingException; -import java.net.URLEncoder; -import java.nio.charset.StandardCharsets; - -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; -import org.zaproxy.clientapi.core.ApiResponse; -import org.zaproxy.clientapi.core.ClientApi; -import org.zaproxy.clientapi.core.ClientApiException; - -import com.mercedesbenz.sechub.commons.model.SecHubMessage; -import com.mercedesbenz.sechub.commons.model.SecHubMessageType; -import com.mercedesbenz.sechub.owaspzapwrapper.cli.ZapWrapperExitCode; -import com.mercedesbenz.sechub.owaspzapwrapper.cli.ZapWrapperRuntimeException; -import com.mercedesbenz.sechub.owaspzapwrapper.config.OwaspZapScanContext; -import com.mercedesbenz.sechub.owaspzapwrapper.scan.AbstractScan; - -public abstract class AbstractAuthScan extends AbstractScan implements AuthScan { - private static final Logger LOG = LoggerFactory.getLogger(AbstractAuthScan.class); - - protected String userId; - protected String username; - - public AbstractAuthScan(ClientApi clientApi, OwaspZapScanContext scanContext) { - super(clientApi, scanContext); - } - - @Override - public void scan() { - try { - scanUnsafe(); - } catch (ClientApiException e) { - LOG.error("For scan {}: An error occured while scanning! 
Reason: {}", scanContext.getContextName(), e.getMessage(), e); - throw new ZapWrapperRuntimeException("An error occurred during the scan execution", e, ZapWrapperExitCode.PRODUCT_EXECUTION_ERROR); - } - } - - @Override - protected void runSpider() throws ClientApiException { - String url = scanContext.getTargetUrlAsString(); - String maxchildren = null; - String recurse = "true"; - String subtreeonly = "true"; - LOG.info("For scan {}: Starting authenticated Spider.", scanContext.getContextName()); - /* @formatter:off */ - ApiResponse responseSpider = clientApi.spider.scanAsUser( - contextId, - userId, - url, - maxchildren, - recurse, - subtreeonly); - /* @formatter:on */ - waitForSpiderResults(responseSpider); - } - - @Override - protected void runAjaxSpider() throws ClientApiException { - String contextname = scanContext.getContextName(); - String url = scanContext.getTargetUrlAsString(); - String subtreeonly = "true"; - LOG.info("For scan {}: Starting authenticated Ajax Spider.", scanContext.getContextName()); - /* @formatter:off */ - clientApi.ajaxSpider.scanAsUser( - contextname, - username, - url, - subtreeonly); - /* @formatter:on */ - - waitForAjaxSpiderResults(); - } - - @Override - protected void runActiveScan() throws ClientApiException { - // Necessary otherwise the active scanner exits with an exception, - // if no URLs to scan where detected by the spider/ajaxSpider before - if (!atLeastOneURLDetected()) { - LOG.warn("For {} skipping active scan, since no URLs where detected by spider or ajaxSpider!", scanContext.getContextName()); - scanContext.getOwaspZapProductMessageHelper().writeSingleProductMessage( - new SecHubMessage(SecHubMessageType.WARNING, "Skipped the active scan, because no URLs were detected by the crawler! 
" - + "Please check if the URL you specified or any of the includes are accessible.")); - return; - } - String url = scanContext.getTargetUrlAsString(); - String recurse = "true"; - String scanpolicyname = null; - String method = null; - String postdata = null; - LOG.info("For scan {}: Starting authenticated ActiveScan.", scanContext.getContextName()); - /* @formatter:off */ - ApiResponse responseActive = clientApi.ascan.scanAsUser( - url, - contextId, - userId, - recurse, - scanpolicyname, - method, - postdata); - /* @formatter:on */ - waitForActiveScanResults(responseActive); - } - - protected String urlEncodeUTF8(String stringToEncode) { - try { - return URLEncoder.encode(stringToEncode, StandardCharsets.UTF_8.toString()); - } catch (UnsupportedEncodingException e) { - throw new IllegalStateException("This should not happen because we always use UTF-8: " + e); - } - } - - private void scanUnsafe() throws ClientApiException { - /* OWASP ZAP setup on local machine */ - setupBasicConfiguration(); - deactivateRules(); - setupAdditonalProxyConfiguration(); - createContext(); - addReplacerRulesForHeaders(); - - /* OWASP ZAP setup with access to target */ - addIncludedAndExcludedUrlsToContext(); - init(); - loadApiDefinitions(); - - /* OWASP ZAP scan */ - if (scanContext.isAjaxSpiderEnabled()) { - runAjaxSpider(); - } - runSpider(); - passiveScan(); - if (scanContext.isActiveScanEnabled()) { - runActiveScan(); - } - - /* After scan */ - generateOwaspZapReport(); - cleanUp(); - } - -} diff --git a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/scan/auth/AuthScan.java b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/scan/auth/AuthScan.java deleted file mode 100644 index 1474c93d49..0000000000 --- a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/scan/auth/AuthScan.java +++ /dev/null 
@@ -1,10 +0,0 @@
-// SPDX-License-Identifier: MIT
-package com.mercedesbenz.sechub.owaspzapwrapper.scan.auth;
-
-import org.zaproxy.clientapi.core.ClientApiException;
-
-public interface AuthScan {
-
- public void init() throws ClientApiException;
-
-}
diff --git a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/scan/auth/HTTPBasicAuthScan.java b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/scan/auth/HTTPBasicAuthScan.java
deleted file mode 100644
index 98b3d21015..0000000000
--- a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/scan/auth/HTTPBasicAuthScan.java
+++ /dev/null
@@ -1,77 +0,0 @@ -// SPDX-License-Identifier: MIT -package com.mercedesbenz.sechub.owaspzapwrapper.scan.auth; - -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; -import org.zaproxy.clientapi.core.ApiResponse; -import org.zaproxy.clientapi.core.ClientApi; -import org.zaproxy.clientapi.core.ClientApiException; - -import com.mercedesbenz.sechub.commons.model.login.BasicLoginConfiguration; -import com.mercedesbenz.sechub.owaspzapwrapper.config.OwaspZapScanContext; -import com.mercedesbenz.sechub.owaspzapwrapper.config.auth.SessionManagementType; - -public class HTTPBasicAuthScan extends AbstractAuthScan { - - private BasicLoginConfiguration basicLoginConfiguration; - - private static final Logger LOG = LoggerFactory.getLogger(HTTPBasicAuthScan.class); - - public HTTPBasicAuthScan(ClientApi clientApi, OwaspZapScanContext scanContext) { - super(clientApi, scanContext); - } - - @Override - public void init() throws ClientApiException { - this.basicLoginConfiguration = this.scanContext.getSecHubWebScanConfiguration().getLogin().get().getBasic().get(); - initAuthenticationMethod(); - initScanUser(); - - } - - private void initAuthenticationMethod() throws ClientApiException { - String realm = ""; - if (basicLoginConfiguration.getRealm().isPresent()) { - realm = basicLoginConfiguration.getRealm().get(); - } - String port = Integer.toString(scanContext.getTargetUrl().getPort()); - /* @formatter:off */ - StringBuilder authMethodConfigParams = new StringBuilder(); - authMethodConfigParams.append("hostname=").append(urlEncodeUTF8(scanContext.getTargetUrl().getHost())) - .append("&realm=").append(urlEncodeUTF8(realm)) - .append("&port=").append(urlEncodeUTF8(port)); - /* @formatter:on */ - LOG.info("For scan {}: Setting authentication.", scanContext.getContextName()); - String authMethodName = scanContext.getAuthenticationType().getOwaspZapAuthenticationMethod(); - clientApi.authentication.setAuthenticationMethod(contextId, authMethodName, 
authMethodConfigParams.toString()); - - String methodName = SessionManagementType.HTTP_AUTH_SESSION_MANAGEMENT.getOwaspZapSessionManagementMethod(); - - // methodconfigparams in case of http basic auth is null, because it is - // configured automatically - String methodconfigparams = null; - clientApi.sessionManagement.setSessionManagementMethod(contextId, methodName, methodconfigparams); - } - - private void initScanUser() throws ClientApiException { - username = new String(basicLoginConfiguration.getUser()); - String password = new String(basicLoginConfiguration.getPassword()); - - ApiResponse creatUserResponse = clientApi.users.newUser(contextId, username); - userId = apiResponseHelper.getIdOfApiRepsonse(creatUserResponse); - - /* @formatter:off */ - StringBuilder authCredentialsConfigParams = new StringBuilder(); - authCredentialsConfigParams.append("username=").append(urlEncodeUTF8(username)) - .append("&password=").append(urlEncodeUTF8(password)); - /* @formatter:on */ - - LOG.info("For scan {}: Setting up user.", scanContext.getContextName()); - clientApi.users.setAuthenticationCredentials(contextId, userId, authCredentialsConfigParams.toString()); - String enabled = "true"; - clientApi.users.setUserEnabled(contextId, userId, enabled); - - clientApi.forcedUser.setForcedUser(contextId, userId); - clientApi.forcedUser.setForcedUserModeEnabled(true); - } -} diff --git a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/util/SystemUtil.java b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/util/SystemUtil.java new file mode 100644 index 0000000000..a1e3819e4f --- /dev/null +++ b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/util/SystemUtil.java 
@@ -0,0 +1,17 @@
+// SPDX-License-Identifier: MIT
+package com.mercedesbenz.sechub.owaspzapwrapper.util;
+
+public class SystemUtil {
+
+ public void waitForMilliseconds(int milliseconds) {
+ try {
+ Thread.sleep(milliseconds);
+ } catch (InterruptedException e) {
+ Thread.currentThread().interrupt();
+ }
+ }
+
+ public long getCurrentTimeInMilliseconds() {
+ return System.currentTimeMillis();
+ }
+}
diff --git a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/util/TargetConnectionChecker.java b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/util/TargetConnectionChecker.java
index af8611de29..3c817f2c0a 100644
--- a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/util/TargetConnectionChecker.java
+++ b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/util/TargetConnectionChecker.java
@@ -40,7 +40,7 @@ public class TargetConnectionChecker {
 public void assertApplicationIsReachable(OwaspZapScanContext scanContext) {
 boolean isReachable = false;
- Iterator iterator = scanContext.getOwaspZapURLsIncludeList().iterator();
+ Iterator iterator = scanContext.getOwaspZapURLsIncludeSet().iterator();
 while (iterator.hasNext() && isReachable == false) {
 // trying to reach the target URL and all includes until the first reachable
 // URL is found.
diff --git a/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/owaspzapwrapper/cli/OwaspZapScanExecutorTest.java b/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/owaspzapwrapper/cli/OwaspZapScanExecutorTest.java
deleted file mode 100644
index e2b50d1c78..0000000000
--- a/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/owaspzapwrapper/cli/OwaspZapScanExecutorTest.java
+++ /dev/null
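Review bot: `waitForMilliseconds` restores the interrupt flag and returns immediately, so once the thread has been interrupted every later call also returns at once (`Thread.sleep` throws as soon as the flag is set), and the status-polling loops in OwaspZapScanner that call it — waitForAjaxSpiderResults, waitForSpiderResults, passiveScan and waitForActiveScanResults in the earlier hunk — would then spin without pausing, querying the ZAP API in a tight loop until their maxDuration expires. The new class also carries no Javadoc. A method docstring such as `/** Sleeps for the given number of milliseconds; if interrupted, re-sets the interrupt flag and returns early, so callers polling in a loop should check Thread.currentThread().isInterrupted(). */` makes that contract visible, and those loops could add `|| Thread.currentThread().isInterrupted()` to their exit conditions (or the method could return a boolean telling whether the full sleep completed).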
@@ -1,114 +0,0 @@ -// SPDX-License-Identifier: MIT -package com.mercedesbenz.sechub.owaspzapwrapper.cli; - -import static org.junit.jupiter.api.Assertions.assertThrows; -import static org.mockito.ArgumentMatchers.any; -import static org.mockito.ArgumentMatchers.eq; -import static org.mockito.Mockito.doNothing; -import static org.mockito.Mockito.doThrow; -import static org.mockito.Mockito.mock; -import static org.mockito.Mockito.never; -import static org.mockito.Mockito.verify; -import static org.mockito.Mockito.when; - -import java.net.URL; -import java.util.HashSet; -import java.util.Set; - -import org.junit.jupiter.api.BeforeEach; -import org.junit.jupiter.api.Test; -import org.zaproxy.clientapi.core.ClientApi; - -import com.mercedesbenz.sechub.owaspzapwrapper.config.OwaspZapClientApiFactory; -import com.mercedesbenz.sechub.owaspzapwrapper.config.OwaspZapScanContext; -import com.mercedesbenz.sechub.owaspzapwrapper.helper.OwaspZapProductMessageHelper; -import com.mercedesbenz.sechub.owaspzapwrapper.scan.OwaspZapScan; -import com.mercedesbenz.sechub.owaspzapwrapper.util.TargetConnectionChecker; - -class OwaspZapScanExecutorTest { - - private OwaspZapScanExecutor executorToTest; - - private OwaspZapClientApiFactory clientApiFactory; - private OwaspZapScanResolver resolver; - private TargetConnectionChecker connectionChecker; - - @BeforeEach - void beforeEach() { - executorToTest = new OwaspZapScanExecutor(); - - clientApiFactory = mock(OwaspZapClientApiFactory.class); - resolver = mock(OwaspZapScanResolver.class); - connectionChecker = mock(TargetConnectionChecker.class); - - executorToTest.clientApiFactory = clientApiFactory; - executorToTest.resolver = resolver; - executorToTest.connectionChecker = connectionChecker; - } - - @Test - void the_result_from_resolver_returned_is_executed() throws Exception { - /* prepare */ - OwaspZapScanContext scanContext = mock(OwaspZapScanContext.class); - ClientApi clientApi = mock(ClientApi.class); - - URL targetUrl = new 
URL("http://www.example.com"); - Set includeList = new HashSet<>(); - includeList.add(targetUrl); - - when(scanContext.getTargetUrl()).thenReturn(targetUrl); - when(scanContext.getOwaspZapURLsIncludeList()).thenReturn(includeList); - when(scanContext.getMaxNumberOfConnectionRetries()).thenReturn(1); - when(scanContext.getRetryWaittimeInMilliseconds()).thenReturn(0); - when(scanContext.connectionCheckEnabled()).thenReturn(false); - - OwaspZapScan scan = mock(OwaspZapScan.class); - when(resolver.resolveScanImplementation(eq(scanContext), any())).thenReturn(scan); - when(clientApiFactory.create(scanContext.getServerConfig())).thenReturn(clientApi); - doNothing().when(connectionChecker).assertApplicationIsReachable(scanContext); - - /* execute */ - executorToTest.execute(scanContext); - - /* test */ - verify(connectionChecker, never()).assertApplicationIsReachable(scanContext); - verify(clientApiFactory).create(scanContext.getServerConfig()); - verify(resolver).resolveScanImplementation(scanContext, clientApi); - verify(scan).scan(); - - } - - @Test - void target_is_not_reachable_throws_mustexitruntimeexception() throws Exception { - /* prepare */ - OwaspZapScanContext scanContext = mock(OwaspZapScanContext.class); - OwaspZapProductMessageHelper productMessageHelper = mock(OwaspZapProductMessageHelper.class); - - ClientApi clientApi = mock(ClientApi.class); - - URL targetUrl = new URL("http://www.my-url.com"); - - Set includeList = new HashSet<>(); - includeList.add(targetUrl); - when(scanContext.getOwaspZapURLsIncludeList()).thenReturn(includeList); - when(scanContext.getMaxNumberOfConnectionRetries()).thenReturn(1); - when(scanContext.getRetryWaittimeInMilliseconds()).thenReturn(0); - when(scanContext.getOwaspZapProductMessageHelper()).thenReturn(productMessageHelper); - when(scanContext.connectionCheckEnabled()).thenReturn(true); - doNothing().when(productMessageHelper).writeSingleProductMessage(any()); - - OwaspZapScan scan = mock(OwaspZapScan.class); - 
when(resolver.resolveScanImplementation(eq(scanContext), any())).thenReturn(scan); - when(clientApiFactory.create(scanContext.getServerConfig())).thenReturn(clientApi); - doThrow(new ZapWrapperRuntimeException(null, null)).when(connectionChecker).assertApplicationIsReachable(eq(scanContext)); - - /* execute + test */ - assertThrows(ZapWrapperRuntimeException.class, () -> executorToTest.execute(scanContext)); - - verify(connectionChecker).assertApplicationIsReachable(scanContext); - verify(scan, never()).scan(); - verify(clientApiFactory, never()).create(scanContext.getServerConfig()); - verify(resolver, never()).resolveScanImplementation(scanContext, clientApi); - - } -} diff --git a/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/owaspzapwrapper/cli/OwaspZapScanResolverTest.java b/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/owaspzapwrapper/cli/OwaspZapScanResolverTest.java deleted file mode 100644 index 6fe977a2cc..0000000000 --- a/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/owaspzapwrapper/cli/OwaspZapScanResolverTest.java +++ /dev/null 
@@ -1,79 +0,0 @@ -// SPDX-License-Identifier: MIT -package com.mercedesbenz.sechub.owaspzapwrapper.cli; - -import static org.junit.jupiter.api.Assertions.*; -import static org.mockito.Mockito.*; - -import org.junit.jupiter.api.BeforeEach; -import org.junit.jupiter.api.Test; -import org.junit.jupiter.params.ParameterizedTest; -import org.junit.jupiter.params.provider.EnumSource; -import org.zaproxy.clientapi.core.ClientApi; - -import com.mercedesbenz.sechub.owaspzapwrapper.config.OwaspZapScanContext; -import com.mercedesbenz.sechub.owaspzapwrapper.config.auth.AuthenticationType; -import com.mercedesbenz.sechub.owaspzapwrapper.scan.OwaspZapScan; -import com.mercedesbenz.sechub.owaspzapwrapper.scan.UnauthenticatedScan; -import com.mercedesbenz.sechub.owaspzapwrapper.scan.auth.HTTPBasicAuthScan; - -class OwaspZapScanResolverTest { - - private OwaspZapScanResolver resolverToTest; - - @BeforeEach - void beforeEach() { - resolverToTest = new OwaspZapScanResolver(); - } - - @Test - void unauthenticated_scan_is_resolved_correctly() { - /* prepare */ - OwaspZapScanContext scanContext = mock(OwaspZapScanContext.class); - when(scanContext.getAuthenticationType()).thenReturn(AuthenticationType.UNAUTHENTICATED); - ClientApi clientApi = mock(ClientApi.class); - - /* execute */ - OwaspZapScan scan = resolverToTest.resolveScanImplementation(scanContext, clientApi); - - /* test */ - assertTrue(scan instanceof UnauthenticatedScan); - } - - @Test - void http_basic_authentication_scan_is_resolved_correctly() { - /* prepare */ - OwaspZapScanContext scanContext = mock(OwaspZapScanContext.class); - when(scanContext.getAuthenticationType()).thenReturn(AuthenticationType.HTTP_BASIC_AUTHENTICATION); - ClientApi clientApi = mock(ClientApi.class); - - /* execute */ - OwaspZapScan scan = resolverToTest.resolveScanImplementation(scanContext, clientApi); - - /* test */ - assertTrue(scan instanceof HTTPBasicAuthScan); - } - - @Test - void 
authenticationtype_null_is_throwing_mustexitruntimeexception() { - /* prepare */ - OwaspZapScanContext scanContext = mock(OwaspZapScanContext.class); - when(scanContext.getAuthenticationType()).thenReturn(null); - ClientApi clientApi = mock(ClientApi.class); - - /* execute + test */ - assertThrows(ZapWrapperRuntimeException.class, () -> resolverToTest.resolveScanImplementation(scanContext, clientApi)); - } - - @ParameterizedTest - @EnumSource(value = AuthenticationType.class, names = { "FORM_BASED_AUTHENTICATION", "SCRIPT_BASED_AUTHENTICATION", "JSON_BASED_AUTHENTICATION" }) - void not_yet_supported_authenticationtype_is_throwing_mustexitruntimeexception(AuthenticationType authType) { - /* prepare */ - OwaspZapScanContext scanContext = mock(OwaspZapScanContext.class); - when(scanContext.getAuthenticationType()).thenReturn(authType); - ClientApi clientApi = mock(ClientApi.class); - - /* execute + test */ - assertThrows(ZapWrapperRuntimeException.class, () -> resolverToTest.resolveScanImplementation(scanContext, clientApi)); - } - -} diff --git a/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/owaspzapwrapper/config/OwaspZapClientApiFactoryTest.java b/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/owaspzapwrapper/config/OwaspZapClientApiFactoryTest.java index 022a494699..516183ed61 100644 --- a/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/owaspzapwrapper/config/OwaspZapClientApiFactoryTest.java +++ b/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/owaspzapwrapper/config/OwaspZapClientApiFactoryTest.java 
@@ -7,10 +7,10 @@ import org.junit.jupiter.api.Test; import org.junit.jupiter.params.ParameterizedTest; import org.junit.jupiter.params.provider.CsvSource; -import org.zaproxy.clientapi.core.ClientApi; import org.zaproxy.clientapi.core.ClientApiException; import com.mercedesbenz.sechub.owaspzapwrapper.cli.ZapWrapperRuntimeException; +import com.mercedesbenz.sechub.owaspzapwrapper.scan.ClientApiFacade; class OwaspZapClientApiFactoryTest { @@ -33,10 +33,10 @@ void valid_configuration_returns_clientapi_object() throws ClientApiException { OwaspZapServerConfiguration serverConfig = new OwaspZapServerConfiguration("127.0.0.1", 8080, "secret-key"); /* execute */ - ClientApi clientApi = factoryToTest.create(serverConfig); + ClientApiFacade clientApiFacade = factoryToTest.create(serverConfig); /* test */ - assertNotNull(clientApi); + assertNotNull(clientApiFacade); } /* @formatter:off */ diff --git a/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/owaspzapwrapper/config/OwaspZapScanContextFactoryTest.java b/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/owaspzapwrapper/config/OwaspZapScanContextFactoryTest.java index c94bd36da7..8bdd8c280c 100644 --- a/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/owaspzapwrapper/config/OwaspZapScanContextFactoryTest.java +++ b/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/owaspzapwrapper/config/OwaspZapScanContextFactoryTest.java @@ -487,8 +487,8 @@ void includes_and_excludes_from_sechub_json_are_inside_result() { OwaspZapScanContext result = factoryToTest.create(settings); /* test */ - assertEquals(3, result.getOwaspZapURLsIncludeList().size()); - assertEquals(2, result.getOwaspZapURLsExcludeList().size()); + assertEquals(3, result.getOwaspZapURLsIncludeSet().size()); + assertEquals(2, result.getOwaspZapURLsExcludeSet().size()); } @ParameterizedTest 
diff --git a/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/owaspzapwrapper/helper/OwaspZapApiResponseHelperTest.java b/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/owaspzapwrapper/helper/OwaspZapApiResponseHelperTest.java deleted file mode 100644 index e999dbfd0d..0000000000 --- a/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/owaspzapwrapper/helper/OwaspZapApiResponseHelperTest.java +++ /dev/null @@ -1,43 +0,0 @@ -// SPDX-License-Identifier: MIT -package com.mercedesbenz.sechub.owaspzapwrapper.helper; - -import static org.junit.jupiter.api.Assertions.*; - -import org.junit.jupiter.api.BeforeEach; -import org.junit.jupiter.api.Test; -import org.zaproxy.clientapi.core.ApiResponse; -import org.zaproxy.clientapi.core.ApiResponseElement; -import org.zaproxy.clientapi.core.ApiResponseList; - -import com.mercedesbenz.sechub.owaspzapwrapper.cli.ZapWrapperRuntimeException; - -class OwaspZapApiResponseHelperTest { - - private OwaspZapApiResponseHelper helperToTest; - - @BeforeEach - void beforeEach() { - helperToTest = new OwaspZapApiResponseHelper(); - } - - @Test - void invalid_type_helper_throws_mustexitruntimeexception() { - /* prepare */ - ApiResponse response = new ApiResponseList("example"); - - /* execute + test */ - assertThrows(ZapWrapperRuntimeException.class, () -> helperToTest.getIdOfApiRepsonse(response)); - } - - @Test - void valid_type_results_in_correct_id() { - /* prepare */ - ApiResponse response = new ApiResponseElement("example", "10"); - - /* execute */ - String id = helperToTest.getIdOfApiRepsonse(response); - - /* test */ - assertEquals("10", id); - } -} diff --git a/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/owaspzapwrapper/scan/OwaspZapScannerTest.java b/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/owaspzapwrapper/scan/OwaspZapScannerTest.java new file mode 100644 index 0000000000..15b60fe432 --- /dev/null 
+++ b/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/owaspzapwrapper/scan/OwaspZapScannerTest.java 
@@ -0,0 +1,767 @@ +// SPDX-License-Identifier: MIT +package com.mercedesbenz.sechub.owaspzapwrapper.scan; + +import static org.junit.jupiter.api.Assertions.*; +import static org.mockito.ArgumentMatchers.*; +import static org.mockito.Mockito.*; + +import java.net.MalformedURLException; +import java.net.URI; +import java.net.URL; +import java.nio.file.Paths; +import java.util.ArrayList; +import java.util.HashSet; +import java.util.List; +import java.util.Set; +import java.util.stream.Stream; + +import org.junit.jupiter.api.BeforeEach; +import org.junit.jupiter.api.Named; +import org.junit.jupiter.api.Test; +import org.junit.jupiter.params.ParameterizedTest; +import org.junit.jupiter.params.provider.Arguments; +import org.junit.jupiter.params.provider.MethodSource; +import org.junit.jupiter.params.provider.ValueSource; +import org.zaproxy.clientapi.core.ApiResponse; +import org.zaproxy.clientapi.core.ClientApiException; + +import com.mercedesbenz.sechub.commons.model.HTTPHeaderConfiguration; +import com.mercedesbenz.sechub.commons.model.SecHubScanConfiguration; +import com.mercedesbenz.sechub.commons.model.SecHubWebScanConfiguration; +import com.mercedesbenz.sechub.commons.model.login.BasicLoginConfiguration; +import com.mercedesbenz.sechub.owaspzapwrapper.cli.ZapWrapperExitCode; +import com.mercedesbenz.sechub.owaspzapwrapper.cli.ZapWrapperRuntimeException; +import com.mercedesbenz.sechub.owaspzapwrapper.config.OwaspZapScanContext; +import com.mercedesbenz.sechub.owaspzapwrapper.config.ProxyInformation; +import com.mercedesbenz.sechub.owaspzapwrapper.config.auth.AuthenticationType; +import com.mercedesbenz.sechub.owaspzapwrapper.config.auth.SessionManagementType; +import com.mercedesbenz.sechub.owaspzapwrapper.config.data.DeactivatedRuleReferences; +import com.mercedesbenz.sechub.owaspzapwrapper.config.data.OwaspZapFullRuleset; +import com.mercedesbenz.sechub.owaspzapwrapper.config.data.RuleReference; +import 
com.mercedesbenz.sechub.owaspzapwrapper.helper.IncludeExcludeToOwaspZapURLHelper; +import com.mercedesbenz.sechub.owaspzapwrapper.helper.OwaspZapEventHandler; +import com.mercedesbenz.sechub.owaspzapwrapper.helper.OwaspZapProductMessageHelper; +import com.mercedesbenz.sechub.owaspzapwrapper.helper.OwaspZapURLType; +import com.mercedesbenz.sechub.owaspzapwrapper.scan.OwaspZapScanner.UserInformation; +import com.mercedesbenz.sechub.owaspzapwrapper.util.SystemUtil; +import com.mercedesbenz.sechub.test.TestFileReader; + +class OwaspZapScannerTest { + + private OwaspZapScanner scannerToTest; + + private ClientApiFacade clientApiFacade; + private OwaspZapScanContext scanContext; + private OwaspZapEventHandler owaspZapEventHandler; + private SystemUtil systemUtil; + + private OwaspZapProductMessageHelper helper; + private String contextName = "context-name"; + + @BeforeEach + void beforeEach() { + // create mocks + clientApiFacade = mock(ClientApiFacade.class); + scanContext = mock(OwaspZapScanContext.class); + systemUtil = mock(SystemUtil.class); + helper = mock(OwaspZapProductMessageHelper.class); + + owaspZapEventHandler = mock(OwaspZapEventHandler.class); + + // assign mocks + scannerToTest = new OwaspZapScanner(clientApiFacade, scanContext); + scannerToTest.systemUtil = systemUtil; + scannerToTest.owaspZapEventHandler = owaspZapEventHandler; + + // set global behavior + when(scanContext.getContextName()).thenReturn(contextName); + when(scanContext.getOwaspZapProductMessageHelper()).thenReturn(helper); + + doNothing().when(helper).writeProductError(any()); + doNothing().when(helper).writeProductMessages(any()); + doNothing().when(helper).writeSingleProductMessage(any()); + doNothing().when(helper).writeUserMessagesWithScannedURLs(any()); + + doNothing().when(systemUtil).waitForMilliseconds(OwaspZapScanner.CHECK_SCAN_STATUS_TIME_IN_MILLISECONDS); + when(systemUtil.getCurrentTimeInMilliseconds()).thenCallRealMethod(); + } + + @Test + void 
setup_standard_configuration_results_in_expected_calls() throws ClientApiException { + /* prepare */ + when(clientApiFacade.createNewSession(scanContext.getContextName(), "true")).thenReturn(null); + when(clientApiFacade.configureMaximumAlertsForEachRule("0")).thenReturn(null); + when(clientApiFacade.enableAllPassiveScannerRules()).thenReturn(null); + when(clientApiFacade.enableAllActiveScannerRulesForPolicy(null)).thenReturn(null); + when(clientApiFacade.configureAjaxSpiderBrowserId("firefox-headless")).thenReturn(null); + + /* execute */ + scannerToTest.setupStandardConfiguration(); + + /* test */ + verify(clientApiFacade, times(1)).createNewSession(scanContext.getContextName(), "true"); + verify(clientApiFacade, times(1)).configureMaximumAlertsForEachRule("0"); + verify(clientApiFacade, times(1)).enableAllPassiveScannerRules(); + verify(clientApiFacade, times(1)).enableAllActiveScannerRulesForPolicy(null); + verify(clientApiFacade, times(1)).configureAjaxSpiderBrowserId("firefox-headless"); + } + + @Test + void deactivate_rules_ruleset_or_rules_to_deactivate_null_results_in_nothing_is_configured() throws ClientApiException { + /* prepare */ + DeactivatedRuleReferences deactivatedReferences = mock(DeactivatedRuleReferences.class); + when(deactivatedReferences.getDeactivatedRuleReferences()).thenReturn(null); + + /* execute */ + scannerToTest.deactivateRules(null, null); + scannerToTest.deactivateRules(new OwaspZapFullRuleset(), null); + scannerToTest.deactivateRules(null, new DeactivatedRuleReferences()); + scannerToTest.deactivateRules(new OwaspZapFullRuleset(), deactivatedReferences); + + /* test */ + verify(clientApiFacade, never()).disablePassiveScannerRule(any()); + verify(clientApiFacade, never()).disableActiveScannerRuleForPolicy(any(), any()); + } + + @Test + void deactivate_rules_results_in_rules_are_deactivated() throws ClientApiException { + /* prepare */ + DeactivatedRuleReferences deactivatedReferences = new DeactivatedRuleReferences(); + // passive 
rules to deactivate + deactivatedReferences.addRuleReference(new RuleReference("Timestamp-Disclosure-10096", "first-info")); + // active rules to deactivate + deactivatedReferences.addRuleReference(new RuleReference("Cross-Site-Scripting-(Reflected)-40012", "second-info")); + deactivatedReferences.addRuleReference(new RuleReference("Path-Traversal-6", "third-info")); + + String json = TestFileReader.loadTextFile("src/test/resources/zap-available-rules/owaspzap-full-ruleset.json"); + OwaspZapFullRuleset ruleSet = new OwaspZapFullRuleset().fromJSON(json); + + when(clientApiFacade.disablePassiveScannerRule(any())).thenReturn(null); + when(clientApiFacade.disableActiveScannerRuleForPolicy(any(), any())).thenReturn(null); + + /* execute */ + scannerToTest.deactivateRules(ruleSet, deactivatedReferences); + + /* test */ + verify(clientApiFacade, times(1)).disablePassiveScannerRule(any()); + verify(clientApiFacade, times(2)).disableActiveScannerRuleForPolicy(any(), any()); + } + + @Test + void setup_addtional_proxy_information_with_proxy_information_null_results_in_proxy_disabled() + throws ClientApiException { + /* prepare */ + when(clientApiFacade.setHttpProxyEnabled("false")).thenReturn(null); + + /* execute */ + scannerToTest.setupAdditonalProxyConfiguration(null); + + /* test */ + verify(clientApiFacade, times(1)).setHttpProxyEnabled("false"); + } + + @Test + void setup_addtional_proxy_information_results_in_proxy_enabled() throws ClientApiException { + /* prepare */ + String host = "127.0.0.1"; + int port = 8000; + ProxyInformation proxyInformation = new ProxyInformation(host, port); + + when(clientApiFacade.configureHttpProxy(host, "" + port, null, null, null)).thenReturn(null); + when(clientApiFacade.setHttpProxyEnabled("true")).thenReturn(null); + when(clientApiFacade.setHttpProxyAuthEnabled("false")).thenReturn(null); + + /* execute */ + scannerToTest.setupAdditonalProxyConfiguration(proxyInformation); + + /* test */ + verify(clientApiFacade, 
times(1)).configureHttpProxy(host, "" + port, null, null, null); + verify(clientApiFacade, times(1)).setHttpProxyEnabled("true"); + verify(clientApiFacade, times(1)).setHttpProxyAuthEnabled("false"); + } + + @Test + void create_context_results_in_expected_calls() throws ClientApiException { + /* prepare */ + String expectedContextId = "random-id"; + when(clientApiFacade.createNewContext(contextName)).thenReturn(expectedContextId); + + /* execute */ + String contextId = scannerToTest.createContext(); + + /* test */ + assertEquals(expectedContextId, contextId); + verify(scanContext, times(2)).getContextName(); + verify(clientApiFacade, times(1)).createNewContext(contextName); + } + + @Test + void add_replacer_rules_for_headers_with_no_headers_results_add_replacer_rule_is_never_called() throws ClientApiException { + /* prepare */ + SecHubWebScanConfiguration sechubwebScanConfig = new SecHubWebScanConfiguration(); + when(scanContext.getSecHubWebScanConfiguration()).thenReturn(sechubwebScanConfig); + + ApiResponse response = mock(ApiResponse.class); + when(clientApiFacade.addReplacerRule(any(), any(), any(), any(), any(), any(), any(), any())).thenReturn(response); + + /* execute */ + scannerToTest.addReplacerRulesForHeaders(); + + /* test */ + verify(clientApiFacade, never()).addReplacerRule(any(), any(), any(), any(), any(), any(), any(), any()); + } + + @ParameterizedTest + @MethodSource("headerPartWithoutOnlyForUrlsTestNamedArguments") + void add_replacer_rules_for_headers_with_no_onlyForUrls_results_add_replacer_rule_is_called_once_for_each_header(String sechubScanConfigJSON) + throws ClientApiException { + /* prepare */ + SecHubWebScanConfiguration sechubWebScanConfig = SecHubScanConfiguration.createFromJSON(sechubScanConfigJSON).getWebScan().get(); + when(scanContext.getSecHubWebScanConfiguration()).thenReturn(sechubWebScanConfig); + + ApiResponse response = mock(ApiResponse.class); + when(clientApiFacade.addReplacerRule(any(), any(), any(), any(), any(), any(), 
any(), any())).thenReturn(response); + + /* execute */ + scannerToTest.addReplacerRulesForHeaders(); + + /* test */ + int times = sechubWebScanConfig.getHeaders().get().size(); + verify(clientApiFacade, times(times)).addReplacerRule(any(), any(), any(), any(), any(), any(), any(), any()); + } + + @ParameterizedTest + @MethodSource("headerPartWithOnlyForUrlsTestNamedArguments") + void add_replacer_rules_for_headers_with_onlyForUrls_results_add_replacer_rule_is_called_once_for_each_onylForUrl(String sechubScanConfigJSON) + throws ClientApiException { + /* prepare */ + SecHubWebScanConfiguration sechubWebScanConfig = SecHubScanConfiguration.createFromJSON(sechubScanConfigJSON).getWebScan().get(); + when(scanContext.getSecHubWebScanConfiguration()).thenReturn(sechubWebScanConfig); + + ApiResponse response = mock(ApiResponse.class); + when(clientApiFacade.addReplacerRule(any(), any(), any(), any(), any(), any(), any(), any())).thenReturn(response); + + /* execute */ + scannerToTest.addReplacerRulesForHeaders(); + + /* test */ + int times = sechubWebScanConfig.getHeaders().get().size(); + for (HTTPHeaderConfiguration header : sechubWebScanConfig.getHeaders().get()) { + if (header.getOnlyForUrls().isPresent()) { + // minus 1 because the method will called for any header at least once + times += header.getOnlyForUrls().get().size() - 1; + } + } + verify(clientApiFacade, times(times)).addReplacerRule(any(), any(), any(), any(), any(), any(), any(), any()); + } + + @ParameterizedTest + @ValueSource(strings = { "src/test/resources/sechub-config-examples/no-auth-include-exclude.json" }) + void set_includes_and_excludes_api_facade_is_called_once_for_each_include_and_once_for_exclude(String sechubConfigFile) + throws ClientApiException, MalformedURLException { + /* prepare */ + String json = TestFileReader.loadTextFile(sechubConfigFile); + + SecHubWebScanConfiguration sechubWebScanConfig = SecHubScanConfiguration.createFromJSON(json).getWebScan().get(); + 
IncludeExcludeToOwaspZapURLHelper helper = new IncludeExcludeToOwaspZapURLHelper(); + + URL targetUrl = sechubWebScanConfig.getUrl().toURL(); + List includesList = sechubWebScanConfig.getIncludes().get(); + Set includes = new HashSet<>(helper.createListOfUrls(OwaspZapURLType.INCLUDE, targetUrl, includesList, new ArrayList<>())); + when(scanContext.getOwaspZapURLsIncludeSet()).thenReturn(includes); + + List excludesList = sechubWebScanConfig.getExcludes().get(); + Set excludes = new HashSet<>(helper.createListOfUrls(OwaspZapURLType.EXCLUDE, targetUrl, excludesList, new ArrayList<>())); + when(scanContext.getOwaspZapURLsExcludeSet()).thenReturn(excludes); + + ApiResponse response = mock(ApiResponse.class); + when(clientApiFacade.addIncludeUrlPatternToContext(any(), any())).thenReturn(response); + when(clientApiFacade.accessUrlViaOwaspZap(any(), any())).thenReturn(response); + when(clientApiFacade.addExcludeUrlPatternToContext(any(), any())).thenReturn(response); + + /* execute */ + scannerToTest.addIncludedAndExcludedUrlsToContext(); + + /* test */ + verify(clientApiFacade, times(includes.size())).addIncludeUrlPatternToContext(any(), any()); + verify(clientApiFacade, times(includes.size())).accessUrlViaOwaspZap(any(), any()); + verify(clientApiFacade, times(excludes.size())).addExcludeUrlPatternToContext(any(), any()); + } + + @Test + void import_openapi_file_but_api_file_is_null_api_facade_is_never_called() throws ClientApiException { + /* prepare */ + String contextId = "context-id"; + when(scanContext.getApiDefinitionFile()).thenReturn(null); + + ApiResponse response = mock(ApiResponse.class); + when(clientApiFacade.importOpenApiFile(any(), any(), any())).thenReturn(response); + + /* execute */ + scannerToTest.loadApiDefinitions(contextId); + + /* test */ + verify(clientApiFacade, never()).importOpenApiFile(any(), any(), any()); + } + + @ParameterizedTest + @ValueSource(strings = { "src/test/resources/sechub-config-examples/no-auth-with-openapi-file.json" }) + 
void import_openapi_file_api_facade_is_called_once(String sechubConfigFile) throws ClientApiException { + /* prepare */ + String contextId = "context-id"; + String json = TestFileReader.loadTextFile(sechubConfigFile); + SecHubWebScanConfiguration sechubWebScanConfig = SecHubScanConfiguration.createFromJSON(json).getWebScan().get(); + + when(scanContext.getApiDefinitionFile()).thenReturn(Paths.get(sechubConfigFile)); + when(scanContext.getSecHubWebScanConfiguration()).thenReturn(sechubWebScanConfig); + + ApiResponse response = mock(ApiResponse.class); + when(clientApiFacade.importOpenApiFile(any(), any(), any())).thenReturn(response); + + /* execute */ + scannerToTest.loadApiDefinitions(contextId); + + /* test */ + verify(clientApiFacade, times(1)).importOpenApiFile(any(), any(), any()); + } + + @ParameterizedTest + @ValueSource(strings = { "src/test/resources/sechub-config-examples/no-auth-with-openapi-file.json", + "src/test/resources/sechub-config-examples/form-based-auth.json" }) + void configure_login_inside_owasp_zap_using_no_auth_and_unsupported_auth_return_null(String sechubConfigFile) throws ClientApiException { + /* prepare */ + String contextId = "context-id"; + String json = TestFileReader.loadTextFile(sechubConfigFile); + SecHubWebScanConfiguration sechubWebScanConfig = SecHubScanConfiguration.createFromJSON(json).getWebScan().get(); + + when(scanContext.getSecHubWebScanConfiguration()).thenReturn(sechubWebScanConfig); + + /* execute */ + UserInformation userInformation = scannerToTest.configureLoginInsideOwaspZapContext(contextId); + + /* test */ + assertEquals(null, userInformation); + } + + @Test + void configure_login_inside_owasp_zap_using_basic_auth_results_in_expected_calls() throws ClientApiException, MalformedURLException { + /* prepare */ + String contextId = "context-id"; + String userId = "user-id"; + URL targetUrl = URI.create("https:127.0.0.1:8000").toURL(); + String json = 
TestFileReader.loadTextFile("src/test/resources/sechub-config-examples/basic-auth.json"); + SecHubWebScanConfiguration sechubWebScanConfig = SecHubScanConfiguration.createFromJSON(json).getWebScan().get(); + BasicLoginConfiguration basicLoginConfiguration = sechubWebScanConfig.getLogin().get().getBasic().get(); + String userName = new String(basicLoginConfiguration.getUser()); + + ApiResponse response = mock(ApiResponse.class); + + when(scanContext.getTargetUrl()).thenReturn(targetUrl); + when(scanContext.getAuthenticationType()).thenReturn(AuthenticationType.HTTP_BASIC_AUTHENTICATION); + when(scanContext.getSecHubWebScanConfiguration()).thenReturn(sechubWebScanConfig); + + when(clientApiFacade.configureAuthenticationMethod(eq(contextId), eq(AuthenticationType.HTTP_BASIC_AUTHENTICATION.getOwaspZapAuthenticationMethod()), + any())).thenReturn(response); + when(clientApiFacade.sessionManagementMethod(eq(contextId), eq(SessionManagementType.HTTP_AUTH_SESSION_MANAGEMENT.getOwaspZapSessionManagementMethod()), + any())).thenReturn(response); + when(clientApiFacade.createNewUser(contextId, userName)).thenReturn(userId); + when(clientApiFacade.configureAuthenticationCredentials(eq(contextId), eq(userId), any())).thenReturn(response); + when(clientApiFacade.setForcedUser(contextId, userId)).thenReturn(response); + when(clientApiFacade.setForcedUserModeEnabled(true)).thenReturn(response); + + /* execute */ + UserInformation userInformation = scannerToTest.configureLoginInsideOwaspZapContext(contextId); + + /* test */ + assertEquals(userName, userInformation.getUserName()); + assertEquals(userId, userInformation.getOwaspZapuserId()); + + verify(scanContext, times(2)).getTargetUrl(); + verify(scanContext, times(1)).getAuthenticationType(); + + verify(clientApiFacade, times(1)).configureAuthenticationMethod(eq(contextId), + eq(AuthenticationType.HTTP_BASIC_AUTHENTICATION.getOwaspZapAuthenticationMethod()), any()); + verify(clientApiFacade, 
times(1)).sessionManagementMethod(eq(contextId), + eq(SessionManagementType.HTTP_AUTH_SESSION_MANAGEMENT.getOwaspZapSessionManagementMethod()), any()); + verify(clientApiFacade, times(1)).createNewUser(contextId, userName); + verify(clientApiFacade, times(1)).configureAuthenticationCredentials(eq(contextId), eq(userId), any()); + verify(clientApiFacade, times(1)).setForcedUser(contextId, userId); + verify(clientApiFacade, times(1)).setForcedUserModeEnabled(true); + } + + @Test + void generate_report_calls_api_facade_once() throws ClientApiException { + /* prepare */ + when(scanContext.getReportFile()) + .thenReturn(Paths.get("src/test/resources/sechub-config-examples/no-auth-with-openapi-file.json")); + ApiResponse response = mock(ApiResponse.class); + when(clientApiFacade.generateReport(any(), any(), any(), any(), any(), any(), any(), any(), any(), any(), any(), + any(), any())).thenReturn(response); + + /* execute */ + scannerToTest.generateOwaspZapReport(); + + /* test */ + verify(clientApiFacade, times(1)).generateReport(any(), any(), any(), any(), any(), any(), any(), any(), any(), + any(), any(), any(), any()); + } + + @Test + void cleanup_after_scan() throws ClientApiException { + /* prepare */ + SecHubWebScanConfiguration sechubwebScanConfig = new SecHubWebScanConfiguration(); + when(scanContext.getSecHubWebScanConfiguration()).thenReturn(sechubwebScanConfig); + + ApiResponse response = mock(ApiResponse.class); + when(clientApiFacade.removeReplacerRule(any())).thenReturn(response); + + /* execute */ + scannerToTest.cleanUp(); + + /* test */ + verify(clientApiFacade, never()).removeReplacerRule(any()); + } + + @ParameterizedTest + @MethodSource("headerPartWithoutOnlyForUrlsTestNamedArguments") + void cleanup_after_scan_without_onylForUrls_headers_set_cleans_up_all_replacer_rules(String sechubScanConfigJSON) throws ClientApiException { + /* prepare */ + SecHubWebScanConfiguration sechubWebScanConfig = 
SecHubScanConfiguration.createFromJSON(sechubScanConfigJSON).getWebScan().get(); + when(scanContext.getSecHubWebScanConfiguration()).thenReturn(sechubWebScanConfig); + + ApiResponse response = mock(ApiResponse.class); + when(clientApiFacade.removeReplacerRule(any())).thenReturn(response); + + /* execute */ + scannerToTest.cleanUp(); + + /* test */ + int times = sechubWebScanConfig.getHeaders().get().size(); + verify(clientApiFacade, times(times)).removeReplacerRule(any()); + } + + @ParameterizedTest + @MethodSource("headerPartWithOnlyForUrlsTestNamedArguments") + void cleanup_after_scan_with_onylForUrls_headers_set_cleans_up_all_replacer_rules(String sechubScanConfigJSON) throws ClientApiException { + /* prepare */ + SecHubWebScanConfiguration sechubWebScanConfig = SecHubScanConfiguration.createFromJSON(sechubScanConfigJSON).getWebScan().get(); + when(scanContext.getSecHubWebScanConfiguration()).thenReturn(sechubWebScanConfig); + + ApiResponse response = mock(ApiResponse.class); + when(clientApiFacade.removeReplacerRule(any())).thenReturn(response); + + /* execute */ + scannerToTest.cleanUp(); + + /* test */ + int times = sechubWebScanConfig.getHeaders().get().size(); + for (HTTPHeaderConfiguration header : sechubWebScanConfig.getHeaders().get()) { + if (header.getOnlyForUrls().isPresent()) { + // minus 1 because the method will called for any header at least once + times += header.getOnlyForUrls().get().size() - 1; + } + } + verify(clientApiFacade, times(times)).removeReplacerRule(any()); + } + + @Test + void wait_for_ajaxSpider_scan_is_cancelled_results_in_exception_with_dedicated_exit_code() throws ClientApiException { + /* prepare */ + scannerToTest.owaspZapEventHandler = owaspZapEventHandler; + when(owaspZapEventHandler.isScanCancelled()).thenReturn(true); + doCallRealMethod().when(owaspZapEventHandler).cancelScan(contextName); + + when(scanContext.getMaxScanDurationInMillis()).thenReturn(20000L); + when(scanContext.isActiveScanEnabled()).thenReturn(true); + + 
when(clientApiFacade.stopAjaxSpider()).thenReturn(null); + + /* execute */ + ZapWrapperRuntimeException exception = assertThrows(ZapWrapperRuntimeException.class, () -> { + scannerToTest.waitForAjaxSpiderResults(); + }); + + /* test */ + assertEquals(ZapWrapperExitCode.SCAN_JOB_CANCELLED, exception.getExitCode()); + verify(owaspZapEventHandler, times(2)).isScanCancelled(); + verify(scanContext, times(1)).getMaxScanDurationInMillis(); + verify(scanContext, times(1)).isActiveScanEnabled(); + verify(clientApiFacade, times(1)).stopAjaxSpider(); + } + + @Test + void wait_for_ajaxSpider_scan_ended_results_in_expected_calls() throws ClientApiException { + /* prepare */ + scannerToTest.owaspZapEventHandler = owaspZapEventHandler; + when(owaspZapEventHandler.isScanCancelled()).thenReturn(false); + + when(scanContext.getMaxScanDurationInMillis()).thenReturn(1000L); + when(scanContext.isActiveScanEnabled()).thenReturn(true); + + when(clientApiFacade.stopAjaxSpider()).thenReturn(null); + when(clientApiFacade.getAjaxSpiderStatus()).thenReturn("stopped"); + + /* execute */ + scannerToTest.waitForAjaxSpiderResults(); + + /* test */ + verify(scanContext, times(1)).getMaxScanDurationInMillis(); + verify(scanContext, times(1)).isActiveScanEnabled(); + verify(clientApiFacade, atLeast(1)).getAjaxSpiderStatus(); + verify(clientApiFacade, times(1)).stopAjaxSpider(); + } + + @Test + void wait_for_spider_scan_is_cancelled_results_in_exception_with_dedicated_exit_code() throws ClientApiException { + /* prepare */ + String scanId = "12345"; + + scannerToTest.owaspZapEventHandler = owaspZapEventHandler; + when(owaspZapEventHandler.isScanCancelled()).thenReturn(true); + doCallRealMethod().when(owaspZapEventHandler).cancelScan(contextName); + + when(scanContext.getMaxScanDurationInMillis()).thenReturn(20000L); + when(scanContext.isActiveScanEnabled()).thenReturn(true); + + when(clientApiFacade.stopSpiderScan(scanId)).thenReturn(null); + + /* execute */ + ZapWrapperRuntimeException exception = 
assertThrows(ZapWrapperRuntimeException.class, () -> { + scannerToTest.waitForSpiderResults(scanId); + }); + + /* test */ + assertEquals(ZapWrapperExitCode.SCAN_JOB_CANCELLED, exception.getExitCode()); + verify(owaspZapEventHandler, times(2)).isScanCancelled(); + verify(scanContext, times(1)).getMaxScanDurationInMillis(); + verify(scanContext, times(1)).isActiveScanEnabled(); + verify(clientApiFacade, times(1)).stopSpiderScan(scanId); + } + + @Test + void wait_for_spider_scan_ended_results_in_expected_calls() throws ClientApiException { + /* prepare */ + String scanId = "12345"; + + scannerToTest.owaspZapEventHandler = owaspZapEventHandler; + when(owaspZapEventHandler.isScanCancelled()).thenReturn(false); + + when(scanContext.getMaxScanDurationInMillis()).thenReturn(1000L); + when(scanContext.isActiveScanEnabled()).thenReturn(true); + OwaspZapProductMessageHelper messageHelper = mock(OwaspZapProductMessageHelper.class); + when(scanContext.getOwaspZapProductMessageHelper()).thenReturn(messageHelper); + doNothing().when(messageHelper).writeUserMessagesWithScannedURLs(any()); + + when(clientApiFacade.stopSpiderScan(scanId)).thenReturn(null); + when(clientApiFacade.getSpiderStatusForScan(scanId)).thenReturn(42); + when(clientApiFacade.getAllSpiderUrls()).thenReturn(null); + + /* execute */ + scannerToTest.waitForSpiderResults(scanId); + + /* test */ + verify(scanContext, times(1)).getMaxScanDurationInMillis(); + verify(scanContext, times(1)).isActiveScanEnabled(); + verify(scanContext, times(1)).getOwaspZapProductMessageHelper(); + verify(messageHelper, times(1)).writeUserMessagesWithScannedURLs(any()); + verify(clientApiFacade, atLeast(1)).getSpiderStatusForScan(scanId); + verify(clientApiFacade, times(1)).stopSpiderScan(scanId); + verify(clientApiFacade, times(1)).getAllSpiderUrls(); + } + + @Test + void wait_for_passiveScan_scan_is_cancelled_results_in_exception_with_dedicated_exit_code() throws ClientApiException { + /* prepare */ + 
scannerToTest.owaspZapEventHandler = owaspZapEventHandler; + when(owaspZapEventHandler.isScanCancelled()).thenReturn(true); + doCallRealMethod().when(owaspZapEventHandler).cancelScan(contextName); + + when(scanContext.getMaxScanDurationInMillis()).thenReturn(20000L); + when(scanContext.isActiveScanEnabled()).thenReturn(false); + when(scanContext.isAjaxSpiderEnabled()).thenReturn(false); + + when(clientApiFacade.getNumberOfPassiveScannerRecordsToScan()).thenReturn(12); + + /* execute */ + ZapWrapperRuntimeException exception = assertThrows(ZapWrapperRuntimeException.class, () -> { + scannerToTest.passiveScan(); + }); + + /* test */ + assertEquals(ZapWrapperExitCode.SCAN_JOB_CANCELLED, exception.getExitCode()); + verify(owaspZapEventHandler, times(2)).isScanCancelled(); + verify(scanContext, times(1)).getMaxScanDurationInMillis(); + verify(scanContext, times(1)).isActiveScanEnabled(); + verify(scanContext, times(1)).isAjaxSpiderEnabled(); + verify(clientApiFacade, atLeast(1)).getNumberOfPassiveScannerRecordsToScan(); + } + + @Test + void wait_for_passiveScan_scan_is_ended_results_in_expected_calls() throws ClientApiException { + /* prepare */ + scannerToTest.owaspZapEventHandler = owaspZapEventHandler; + when(owaspZapEventHandler.isScanCancelled()).thenReturn(false); + + when(scanContext.getMaxScanDurationInMillis()).thenReturn(20000L); + when(scanContext.isActiveScanEnabled()).thenReturn(false); + when(scanContext.isAjaxSpiderEnabled()).thenReturn(false); + + when(clientApiFacade.getNumberOfPassiveScannerRecordsToScan()).thenReturn(0); + + /* execute */ + scannerToTest.passiveScan(); + + /* test */ + verify(scanContext, times(1)).getMaxScanDurationInMillis(); + verify(scanContext, times(1)).isActiveScanEnabled(); + verify(scanContext, times(1)).isAjaxSpiderEnabled(); + verify(clientApiFacade, times(1)).getNumberOfPassiveScannerRecordsToScan(); + } + + @Test + void wait_for_activeScan_scan_is_cancelled_results_in_exception_with_dedicated_exit_code() throws 
ClientApiException { + /* prepare */ + String scanId = "12345"; + + scannerToTest.owaspZapEventHandler = owaspZapEventHandler; + when(owaspZapEventHandler.isScanCancelled()).thenReturn(true); + doCallRealMethod().when(owaspZapEventHandler).cancelScan(contextName); + + when(clientApiFacade.getActiveScannerStatusForScan(scanId)).thenReturn(42); + when(clientApiFacade.stopActiveScan(scanId)).thenReturn(null); + + /* execute */ + ZapWrapperRuntimeException exception = assertThrows(ZapWrapperRuntimeException.class, () -> { + scannerToTest.waitForActiveScanResults(scanId); + }); + + /* test */ + assertEquals(ZapWrapperExitCode.SCAN_JOB_CANCELLED, exception.getExitCode()); + verify(owaspZapEventHandler, times(2)).isScanCancelled(); + verify(clientApiFacade, never()).getActiveScannerStatusForScan(scanId); + verify(clientApiFacade, times(1)).stopActiveScan(scanId); + } + + @Test + void wait_for_activeScan_scan_is_ended_results_in_expected_calls() throws ClientApiException { + /* prepare */ + String scanId = "12345"; + + scannerToTest.owaspZapEventHandler = owaspZapEventHandler; + when(owaspZapEventHandler.isScanCancelled()).thenReturn(false); + + when(clientApiFacade.getActiveScannerStatusForScan(scanId)).thenReturn(100); + when(clientApiFacade.stopActiveScan(scanId)).thenReturn(null); + + /* execute */ + scannerToTest.waitForActiveScanResults(scanId); + + /* test */ + verify(clientApiFacade, atLeast(1)).getActiveScannerStatusForScan(scanId); + verify(clientApiFacade, times(1)).stopActiveScan(scanId); + } + + @Test + void run_ajaxSpider_scan_ended_results_in_expected_calls() throws ClientApiException { + /* prepare */ + scannerToTest.owaspZapEventHandler = owaspZapEventHandler; + when(owaspZapEventHandler.isScanCancelled()).thenReturn(false); + + when(scanContext.getMaxScanDurationInMillis()).thenReturn(1000L); + when(scanContext.isActiveScanEnabled()).thenReturn(true); + + when(clientApiFacade.stopAjaxSpider()).thenReturn(null); + 
when(clientApiFacade.getAjaxSpiderStatus()).thenReturn("stopped"); + + /* execute */ + scannerToTest.runAjaxSpider(); + + /* test */ + verify(scanContext, times(1)).getMaxScanDurationInMillis(); + verify(scanContext, times(1)).isActiveScanEnabled(); + verify(clientApiFacade, atLeast(1)).getAjaxSpiderStatus(); + verify(clientApiFacade, times(1)).stopAjaxSpider(); + } + + @Test + void run_spider_scan_ended_results_in_expected_calls() throws ClientApiException { + /* prepare */ + String scanId = "12345"; + + scannerToTest.owaspZapEventHandler = owaspZapEventHandler; + when(owaspZapEventHandler.isScanCancelled()).thenReturn(false); + + when(scanContext.getMaxScanDurationInMillis()).thenReturn(1000L); + when(scanContext.isActiveScanEnabled()).thenReturn(true); + OwaspZapProductMessageHelper messageHelper = mock(OwaspZapProductMessageHelper.class); + when(scanContext.getOwaspZapProductMessageHelper()).thenReturn(messageHelper); + doNothing().when(messageHelper).writeUserMessagesWithScannedURLs(any()); + + when(clientApiFacade.stopSpiderScan(scanId)).thenReturn(null); + when(clientApiFacade.getSpiderStatusForScan(scanId)).thenReturn(42); + when(clientApiFacade.getAllSpiderUrls()).thenReturn(null); + when(clientApiFacade.startSpiderScan(any(), any(), any(), any(), any())).thenReturn(scanId); + + /* execute */ + scannerToTest.runSpider(); + + /* test */ + verify(scanContext, times(1)).getMaxScanDurationInMillis(); + verify(scanContext, times(1)).isActiveScanEnabled(); + verify(scanContext, times(1)).getOwaspZapProductMessageHelper(); + verify(messageHelper, times(1)).writeUserMessagesWithScannedURLs(any()); + verify(clientApiFacade, atLeast(1)).getSpiderStatusForScan(scanId); + verify(clientApiFacade, times(1)).stopSpiderScan(scanId); + verify(clientApiFacade, times(1)).getAllSpiderUrls(); + verify(clientApiFacade, times(1)).startSpiderScan(any(), any(), any(), any(), any()); + } + + @Test + void run_activeScan_scan_is_ended_results_in_expected_calls() throws 
ClientApiException { + /* prepare */ + String scanId = "12345"; + + scannerToTest.owaspZapEventHandler = owaspZapEventHandler; + when(owaspZapEventHandler.isScanCancelled()).thenReturn(false); + + scannerToTest.remainingScanTime = 100L; + + when(clientApiFacade.getActiveScannerStatusForScan(scanId)).thenReturn(100); + when(clientApiFacade.stopActiveScan(scanId)).thenReturn(null); + when(clientApiFacade.startActiveScan(any(), any(), any(), any(), any(), any())).thenReturn(scanId); + when(clientApiFacade.atLeastOneURLDetected()).thenReturn(true); + + /* execute */ + scannerToTest.runActiveScan(); + + /* test */ + verify(clientApiFacade, atLeast(1)).getActiveScannerStatusForScan(scanId); + verify(clientApiFacade, times(1)).stopActiveScan(scanId); + verify(clientApiFacade, times(1)).startActiveScan(any(), any(), any(), any(), any(), any()); + } + + static Stream headerPartWithoutOnlyForUrlsTestNamedArguments() { + /* @formatter:off */ + return Stream.of( + Arguments.of( + Named.of("3 Headers without onlyForUrls", + "{\"apiVersion\":\"1.0\",\"webScan\":{\"url\":\"https://productfailure.demo.example.org\",\"headers\":[{\"name\":\"Authorization\",\"value\":\"{{.HEADER_VALUE}}\"},{\"name\":\"x-file-size\",\"value\":\"123456\"},{\"name\":\"custom-header\",\"value\":\"test-value\"}]}}")), + Arguments.of( + Named.of("2 Headers without onlyForUrls", + "{\"apiVersion\":\"1.0\",\"webScan\":{\"url\":\"https://productfailure.demo.example.org\",\"headers\":[{\"name\":\"x-file-size\",\"value\":\"123456\"},{\"name\":\"custom-header\",\"value\":\"test-value\"}]}}"))); + /* @formatter:on */ + } + + static Stream headerPartWithOnlyForUrlsTestNamedArguments() { + /* @formatter:off */ + return Stream.of( + Arguments.of( + Named.of("2 Headers 2nd with onlyForUrls", + 
"{\"apiVersion\":\"1.0\",\"webScan\":{\"url\":\"https://productfailure.demo.example.org\",\"headers\":[{\"name\":\"Authorization\",\"value\":\"{{.HEADER_VALUE}}\"},{\"name\":\"x-file-size\",\"value\":\"123456\",\"onlyForUrls\":[\"https://productfailure.demo.example.org/admin\",\"https://productfailure.demo.example.org/upload/<*>\",\"https://productfailure.demo.example.org/<*>/special/\"]}]}}")), + Arguments.of( + Named.of("3 Headers 2nd and 3rd with onlyForUrls", + "{\"apiVersion\":\"1.0\",\"webScan\":{\"url\":\"https://productfailure.demo.example.org\",\"headers\":[{\"name\":\"Authorization\",\"value\":\"{{.HEADER_VALUE}}\"},{\"name\":\"x-file-size\",\"value\":\"123456\",\"onlyForUrls\":[\"https://productfailure.demo.example.org/admin\",\"https://productfailure.demo.example.org/upload/<*>\",\"https://productfailure.demo.example.org/<*>/special/\"]},{\"name\":\"test-name\",\"value\":\"test-value\",\"onlyForUrls\":[\"https://productfailure.demo.example.org/profile\",\"https://productfailure.demo.example.org/upload\"]}]}}"))); + /* @formatter:on */ + } + +} diff --git a/sechub-wrapper-owasp-zap/src/test/resources/sechub-config-examples/form-based-auth.json b/sechub-wrapper-owasp-zap/src/test/resources/sechub-config-examples/form-based-auth.json new file mode 100644 index 0000000000..c58ee26e91 --- /dev/null +++ b/sechub-wrapper-owasp-zap/src/test/resources/sechub-config-examples/form-based-auth.json 
@@ -0,0 +1,41 @@
+{
+ "apiVersion" : "1.0",
+ "webScan" : {
+ "url" : "https://productfailure.demo.example.org",
+ "login" : {
+ "url" : "https://productfailure.demo.example.org/login",
+ "form" : {
+ "script" : {
+ "pages" : [ {
+ "actions" : [ {
+ "type" : "username",
+ "selector" : "#example_login_userid",
+ "value" : "{{ .LOGIN_USER }}"
+ }, {
+ "type" : "password",
+ "selector" : "#example_login_pwd",
+ "value" : "{{ .LOGIN_PWD }}"
+ }, {
+ "type" : "click",
+ "selector" : "#next",
+ "description" : "Click to go to next page"
+ } ]
+ }, {
+ "actions" : [ {
+ "type" : "input",
+ "selector" : "#example_other_inputfield",
+ "value" : "{{ .OTHER_VALUE }}"
+ }, {
+ "type" : "wait",
+ "value" : "1",
+ "unit" : "second"
+ }, {
+ "type" : "click",
+ "selector" : "#doLogin"
+ } ]
+ } ]
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
From a3ae1304912f435425236e34b39a310c1fae2a8c Mon Sep 17 00:00:00 2001
From: Jan Winz
Date: Fri, 4 Aug 2023 15:29:33 +0200
Subject: [PATCH 02/11] Add JsonIgnoreProperties to HTTPHeaderConfiguration #2454
---
.../sechub/commons/model/HTTPHeaderConfiguration.java | 3 +++
1 file changed, 3 insertions(+)
diff --git a/sechub-commons-model/src/main/java/com/mercedesbenz/sechub/commons/model/HTTPHeaderConfiguration.java b/sechub-commons-model/src/main/java/com/mercedesbenz/sechub/commons/model/HTTPHeaderConfiguration.java
index 32374163f3..da4ebcd98c 100644
--- a/sechub-commons-model/src/main/java/com/mercedesbenz/sechub/commons/model/HTTPHeaderConfiguration.java
+++ b/sechub-commons-model/src/main/java/com/mercedesbenz/sechub/commons/model/HTTPHeaderConfiguration.java
@@ -4,6 +4,9 @@
 import java.util.List;
 import java.util.Optional;
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+
+@JsonIgnoreProperties(ignoreUnknown = true)
 public class HTTPHeaderConfiguration {
 public static final String PROPERTY_NAME = "name";
 public static final String PROPERTY_VALUE = "value";
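Review bot: `@JsonIgnoreProperties(ignoreUnknown = true)` on HTTPHeaderConfiguration makes a misspelled key on a header entry — `onlyForUrl` instead of `onlyForUrls`, say — disappear without any error, and judging by the scanner tests in the previous patch a header with no `onlyForUrls` is registered as a single unscoped replacer rule, so a mistyped restriction would presumably send that header (often an Authorization value, as in the test fixtures) to every URL the scan touches. The forward-compatibility motive is reasonable, but the trade-off should be stated next to the annotation so it is not lost: `// Unknown keys are ignored for forward compatibility; a mistyped onlyForUrls is dropped silently and the header then applies to all URLs.` If the model layer has a hook for reporting unknown properties, logging them at WARN would keep the lenient parsing without hiding the typo from the user.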
From db3e277b00352a1b677141d25bfae10ce58a108f Mon Sep 17 00:00:00 2001 From: Jan Winz Date: Mon, 14 Aug 2023 14:32:54 +0200 Subject: [PATCH 03/11] Update zaproxy java client api version #2371 --- gradle/libraries.gradle | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/gradle/libraries.gradle b/gradle/libraries.gradle index 4e057b3241..3cb870124e 100644 --- a/gradle/libraries.gradle +++ b/gradle/libraries.gradle @@ -68,7 +68,7 @@ ext { restDocsApiSpec: "0.16.4", // newest version compatible with Spring Boot 2.x /* Owasp Zap wrapper */ - owaspzap_client_api: "1.11.0", + owaspzap_client_api: "1.12.0", jcommander: "1.82", thymeleaf_extras_springsecurity5: "3.1.1.RELEASE", From c1b414908234ea9937241213e3cc0024582471bc Mon Sep 17 00:00:00 2001 
From: Jan Winz Date: Thu, 24 Aug 2023 17:16:17 +0200 Subject: [PATCH 04/11] Rename Owasp Zap into Zap #2436 --- .../cli/OwaspZapScanExecutor.java | 36 -- .../config/OwaspZapClientApiFactory.java | 41 --- .../config/OwaspZapScanContext.java | 329 ------------------ .../config/auth/SessionManagementType.java | 28 -- .../owaspzapwrapper/scan/OwaspZapScan.java | 8 - .../cli/CommandLineSettings.java | 26 +- .../zapwrapper/cli/ZapScanExecutor.java | 36 ++ .../cli/ZapWrapperCLI.java} | 26 +- .../cli/ZapWrapperCommandLineParser.java} | 24 +- .../cli/ZapWrapperExitCode.java | 2 +- .../cli/ZapWrapperRuntimeException.java | 2 +- .../config/ApiDefinitionFileProvider.java | 6 +- .../config/ProxyInformation.java | 2 +- .../config/RuleProvider.java | 18 +- .../config/SecHubScanConfigProvider.java | 6 +- .../config/ZapClientApiFactory.java | 41 +++ .../zapwrapper/config/ZapScanContext.java | 329 ++++++++++++++++++ .../config/ZapScanContextFactory.java} | 80 +++-- .../config/ZapServerConfiguration.java} | 6 +- .../config/auth/AuthenticationType.java | 14 +- .../config/auth/SessionManagementType.java | 28 ++ .../data/DeactivatedRuleReferences.java | 2 +- .../config/data/Rule.java | 2 +- .../config/data/RuleReference.java | 2 +- .../config/data/ZapFullRuleset.java} | 14 +- .../helper/BaseTargetUriFactory.java | 6 +- .../helper/IncludeExcludeToZapURLHelper.java} | 6 +- .../helper/ScanDurationHelper.java | 16 +- .../helper/ScanPercentageConstants.java | 2 +- .../SecHubWebScanConfigurationHelper.java | 4 +- .../helper/ZapEventHandler.java} | 14 +- .../helper/ZapProductMessageHelper.java} | 15 +- .../helper/ZapURLType.java} | 6 +- .../scan/ClientApiFacade.java | 21 +- .../sechub/zapwrapper/scan/ZapScan.java | 8 + .../scan/ZapScanner.java} | 289 ++++++++------- .../util/EnvironmentVariableConstants.java | 2 +- .../util/EnvironmentVariableReader.java | 2 +- .../util/FileUtilities.java | 6 +- .../util/SystemUtil.java | 8 +- .../util/TargetConnectionChecker.java | 20 +- .../util/UrlUtil.java 
| 2 +- ... zap-full-ruleset-all-release-status.json} | 0 .../requirements.txt | 0 .../zap_ruleset_helper.py} | 0 .../config/ApiDefinitionFileProviderTest.java | 6 +- .../config/RuleProviderTest.java | 18 +- .../config/SecHubScanConfigProviderTest.java | 4 +- .../config/ZapClientApiFactoryTest.java} | 19 +- .../config/ZapScanContextFactoryTest.java} | 96 ++--- .../data/DeactivatedRuleReferencesTest.java | 2 +- .../helper/BaseTargetUriFactoryTest.java | 4 +- .../IncludeExcludeToZapURIHelperTest.java} | 16 +- .../helper/ScanDurationHelperTest.java | 4 +- .../SecHubWebScanConfigurationHelperTest.java | 6 +- .../helper/ZapEventHandlerTest.java} | 20 +- .../helper/ZapProductMessageHelperTest.java} | 14 +- .../scan/ZapScannerTest.java} | 282 +++++++-------- .../util/FileUtilitiesTest.java | 8 +- .../util/TargetConnectionCheckerTest.java | 5 +- .../util/UrlUtilTest.java | 4 +- ...vate.json => zap-rules-to-deactivate.json} | 0 ...ull-ruleset.json => zap-full-ruleset.json} | 0 63 files changed, 1024 insertions(+), 1019 deletions(-) delete mode 100644 sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/cli/OwaspZapScanExecutor.java delete mode 100644 sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/config/OwaspZapClientApiFactory.java delete mode 100644 sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/config/OwaspZapScanContext.java delete mode 100644 sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/config/auth/SessionManagementType.java delete mode 100644 sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/scan/OwaspZapScan.java rename sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/{owaspzapwrapper => zapwrapper}/cli/CommandLineSettings.java (84%) create mode 100644 sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/cli/ZapScanExecutor.java rename 
sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/{owaspzapwrapper/cli/OwaspZapWrapperCLI.java => zapwrapper/cli/ZapWrapperCLI.java} (54%) rename sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/{owaspzapwrapper/cli/OwaspZapWrapperCommandLineParser.java => zapwrapper/cli/ZapWrapperCommandLineParser.java} (57%) rename sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/{owaspzapwrapper => zapwrapper}/cli/ZapWrapperExitCode.java (92%) rename sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/{owaspzapwrapper => zapwrapper}/cli/ZapWrapperRuntimeException.java (91%) rename sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/{owaspzapwrapper => zapwrapper}/config/ApiDefinitionFileProvider.java (92%) rename sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/{owaspzapwrapper => zapwrapper}/config/ProxyInformation.java (85%) rename sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/{owaspzapwrapper => zapwrapper}/config/RuleProvider.java (70%) rename sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/{owaspzapwrapper => zapwrapper}/config/SecHubScanConfigProvider.java (82%) create mode 100644 sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/config/ZapClientApiFactory.java create mode 100644 sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/config/ZapScanContext.java rename sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/{owaspzapwrapper/config/OwaspZapScanContextFactory.java => zapwrapper/config/ZapScanContextFactory.java} (74%) rename sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/{owaspzapwrapper/config/OwaspZapServerConfiguration.java => zapwrapper/config/ZapServerConfiguration.java} (71%) rename sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/{owaspzapwrapper => zapwrapper}/config/auth/AuthenticationType.java (65%) create mode 100644 
sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/config/auth/SessionManagementType.java rename sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/{owaspzapwrapper => zapwrapper}/config/data/DeactivatedRuleReferences.java (94%) rename sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/{owaspzapwrapper => zapwrapper}/config/data/Rule.java (91%) rename sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/{owaspzapwrapper => zapwrapper}/config/data/RuleReference.java (90%) rename sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/{owaspzapwrapper/config/data/OwaspZapFullRuleset.java => zapwrapper/config/data/ZapFullRuleset.java} (84%) rename sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/{owaspzapwrapper => zapwrapper}/helper/BaseTargetUriFactory.java (92%) rename sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/{owaspzapwrapper/helper/IncludeExcludeToOwaspZapURLHelper.java => zapwrapper/helper/IncludeExcludeToZapURLHelper.java} (84%) rename sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/{owaspzapwrapper => zapwrapper}/helper/ScanDurationHelper.java (79%) rename sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/{owaspzapwrapper => zapwrapper}/helper/ScanPercentageConstants.java (96%) rename sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/{owaspzapwrapper => zapwrapper}/helper/SecHubWebScanConfigurationHelper.java (94%) rename sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/{owaspzapwrapper/helper/OwaspZapEventHandler.java => zapwrapper/helper/ZapEventHandler.java} (57%) rename sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/{owaspzapwrapper/helper/OwaspZapProductMessageHelper.java => zapwrapper/helper/ZapProductMessageHelper.java} (87%) rename sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/{owaspzapwrapper/helper/OwaspZapURLType.java => zapwrapper/helper/ZapURLType.java} (60%) 
rename sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/{owaspzapwrapper => zapwrapper}/scan/ClientApiFacade.java (95%) create mode 100644 sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/scan/ZapScan.java rename sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/{owaspzapwrapper/scan/OwaspZapScanner.java => zapwrapper/scan/ZapScanner.java} (75%) rename sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/{owaspzapwrapper => zapwrapper}/util/EnvironmentVariableConstants.java (93%) rename sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/{owaspzapwrapper => zapwrapper}/util/EnvironmentVariableReader.java (96%) rename sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/{owaspzapwrapper => zapwrapper}/util/FileUtilities.java (71%) rename sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/{owaspzapwrapper => zapwrapper}/util/SystemUtil.java (66%) rename sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/{owaspzapwrapper => zapwrapper}/util/TargetConnectionChecker.java (88%) rename sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/{owaspzapwrapper => zapwrapper}/util/UrlUtil.java (94%) rename sechub-wrapper-owasp-zap/src/main/resources/full-rulesets/{owasp-zap-full-ruleset-all-release-status.json => zap-full-ruleset-all-release-status.json} (100%) rename sechub-wrapper-owasp-zap/src/main/resources/{owaspzap-ruleset-helper => zap-ruleset-helper}/requirements.txt (100%) rename sechub-wrapper-owasp-zap/src/main/resources/{owaspzap-ruleset-helper/owaspzap_ruleset_helper.py => zap-ruleset-helper/zap_ruleset_helper.py} (100%) rename sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/{owaspzapwrapper => zapwrapper}/config/ApiDefinitionFileProviderTest.java (97%) rename sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/{owaspzapwrapper => zapwrapper}/config/RuleProviderTest.java (79%) rename 
sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/{owaspzapwrapper => zapwrapper}/config/SecHubScanConfigProviderTest.java (94%) rename sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/{owaspzapwrapper/config/OwaspZapClientApiFactoryTest.java => zapwrapper/config/ZapClientApiFactoryTest.java} (67%) rename sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/{owaspzapwrapper/config/OwaspZapScanContextFactoryTest.java => zapwrapper/config/ZapScanContextFactoryTest.java} (85%) rename sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/{owaspzapwrapper => zapwrapper}/config/data/DeactivatedRuleReferencesTest.java (95%) rename sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/{owaspzapwrapper => zapwrapper}/helper/BaseTargetUriFactoryTest.java (95%) rename sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/{owaspzapwrapper/helper/IncludeExcludeToOwaspZapURIHelperTest.java => zapwrapper/helper/IncludeExcludeToZapURIHelperTest.java} (76%) rename sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/{owaspzapwrapper => zapwrapper}/helper/ScanDurationHelperTest.java (97%) rename sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/{owaspzapwrapper => zapwrapper}/helper/SecHubWebScanConfigurationHelperTest.java (90%) rename sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/{owaspzapwrapper/helper/OwaspZapEventHandlerTest.java => zapwrapper/helper/ZapEventHandlerTest.java} (59%) rename sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/{owaspzapwrapper/helper/OwaspZapProductMessageHelperTest.java => zapwrapper/helper/ZapProductMessageHelperTest.java} (90%) rename sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/{owaspzapwrapper/scan/OwaspZapScannerTest.java => zapwrapper/scan/ZapScannerTest.java} (76%) rename sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/{owaspzapwrapper => zapwrapper}/util/FileUtilitiesTest.java (68%) rename 
sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/{owaspzapwrapper => zapwrapper}/util/TargetConnectionCheckerTest.java (83%) rename sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/{owaspzapwrapper => zapwrapper}/util/UrlUtilTest.java (93%) rename sechub-wrapper-owasp-zap/src/test/resources/wrapper-deactivated-rule-examples/{owaspzap-rules-to-deactivate.json => zap-rules-to-deactivate.json} (100%) rename sechub-wrapper-owasp-zap/src/test/resources/zap-available-rules/{owaspzap-full-ruleset.json => zap-full-ruleset.json} (100%) diff --git a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/cli/OwaspZapScanExecutor.java b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/cli/OwaspZapScanExecutor.java deleted file mode 100644 index b38ae441b1..0000000000 --- a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/cli/OwaspZapScanExecutor.java +++ /dev/null 
@@ -1,36 +0,0 @@
-// SPDX-License-Identifier: MIT
-package com.mercedesbenz.sechub.owaspzapwrapper.cli;
-
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import com.mercedesbenz.sechub.owaspzapwrapper.config.OwaspZapClientApiFactory;
-import com.mercedesbenz.sechub.owaspzapwrapper.config.OwaspZapScanContext;
-import com.mercedesbenz.sechub.owaspzapwrapper.scan.ClientApiFacade;
-import com.mercedesbenz.sechub.owaspzapwrapper.scan.OwaspZapScanner;
-import com.mercedesbenz.sechub.owaspzapwrapper.util.TargetConnectionChecker;
-
-public class OwaspZapScanExecutor {
- private static final Logger LOG = LoggerFactory.getLogger(OwaspZapScanExecutor.class);
-
- OwaspZapClientApiFactory clientApiFactory;
-
- TargetConnectionChecker connectionChecker;
-
- public OwaspZapScanExecutor() {
- clientApiFactory = new OwaspZapClientApiFactory();
- connectionChecker = new TargetConnectionChecker();
- }
-
- public void execute(OwaspZapScanContext scanContext) throws ZapWrapperRuntimeException {
- if (scanContext.connectionCheckEnabled()) {
- connectionChecker.assertApplicationIsReachable(scanContext);
- }
-
- ClientApiFacade clientApiFacade = clientApiFactory.create(scanContext.getServerConfig());
-
- OwaspZapScanner owaspZapScanner = new OwaspZapScanner(clientApiFacade, scanContext);
- LOG.info("Starting Owasp Zap scan.");
- owaspZapScanner.scan();
- }
-}
diff --git a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/config/OwaspZapClientApiFactory.java b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/config/OwaspZapClientApiFactory.java
deleted file mode 100644
index 643ff94642..0000000000
--- a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/config/OwaspZapClientApiFactory.java
+++ /dev/null
@@ -1,41 +0,0 @@
-// SPDX-License-Identifier: MIT
-package com.mercedesbenz.sechub.owaspzapwrapper.config;
-
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import org.zaproxy.clientapi.core.ClientApi;
-
-import com.mercedesbenz.sechub.owaspzapwrapper.cli.ZapWrapperExitCode;
-import com.mercedesbenz.sechub.owaspzapwrapper.cli.ZapWrapperRuntimeException;
-import com.mercedesbenz.sechub.owaspzapwrapper.scan.ClientApiFacade;
-
-public class OwaspZapClientApiFactory {
- private static final Logger LOG = LoggerFactory.getLogger(OwaspZapClientApiFactory.class);
-
- public ClientApiFacade create(OwaspZapServerConfiguration serverConfig) {
- LOG.info("Creating Owasp Zap ClientApi.");
- assertValidServerConfig(serverConfig);
- String zaproxyHost = serverConfig.getZaproxyHost();
- int zaproxyPort = serverConfig.getZaproxyPort();
- String zaproxyApiKey = serverConfig.getZaproxyApiKey();
-
- ClientApi clientApi = new ClientApi(zaproxyHost, zaproxyPort, zaproxyApiKey);
-
- return new ClientApiFacade(clientApi);
- }
-
- private void assertValidServerConfig(OwaspZapServerConfiguration serverConfig) {
- if (serverConfig == null) {
- throw new ZapWrapperRuntimeException("Owasp Zap server configuration may not be null!", ZapWrapperExitCode.PDS_CONFIGURATION_ERROR);
- }
- if (serverConfig.getZaproxyHost() == null) {
- throw new ZapWrapperRuntimeException("Owasp Zap host configuration may not be null!", ZapWrapperExitCode.PDS_CONFIGURATION_ERROR);
- }
- if (serverConfig.getZaproxyPort() <= 0) {
- throw new ZapWrapperRuntimeException("Owasp Zap host configuration ahs to be a valid port number!", ZapWrapperExitCode.PDS_CONFIGURATION_ERROR);
- }
- if (serverConfig.getZaproxyApiKey() == null) {
- throw new ZapWrapperRuntimeException("Owasp Zap api-key configuration may not be null!", ZapWrapperExitCode.PDS_CONFIGURATION_ERROR);
- }
- }
-}
diff --git a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/config/OwaspZapScanContext.java b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/config/OwaspZapScanContext.java deleted file mode 100644 index 331cbbaca3..0000000000 --- a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/config/OwaspZapScanContext.java +++ /dev/null 
@@ -1,329 +0,0 @@ -// SPDX-License-Identifier: MIT -package com.mercedesbenz.sechub.owaspzapwrapper.config; - -import java.net.URL; -import java.nio.file.Path; -import java.util.HashSet; -import java.util.Set; - -import com.mercedesbenz.sechub.commons.model.SecHubWebScanConfiguration; -import com.mercedesbenz.sechub.owaspzapwrapper.config.auth.AuthenticationType; -import com.mercedesbenz.sechub.owaspzapwrapper.config.data.DeactivatedRuleReferences; -import com.mercedesbenz.sechub.owaspzapwrapper.config.data.OwaspZapFullRuleset; -import com.mercedesbenz.sechub.owaspzapwrapper.helper.OwaspZapProductMessageHelper; - -public class OwaspZapScanContext { - private OwaspZapServerConfiguration serverConfig; - private boolean verboseOutput = false; - - private boolean ajaxSpiderEnabled; - private boolean activeScanEnabled; - - private Path reportFile; - - private String contextName; - - private URL targetUrl; - - private AuthenticationType authenticationType; - - private long maxScanDurationInMillis; - - private SecHubWebScanConfiguration secHubWebScanConfiguration; - - private ProxyInformation proxyInformation; - - private OwaspZapFullRuleset fullRuleset; - - private DeactivatedRuleReferences deactivatedRuleReferences; - - private Path apiDefinitionFile; - - // Using Set here to avoid duplicates - private Set owaspZapURLsIncludeSet = new HashSet<>(); - private Set owaspZapURLsExcludeSet = new HashSet<>(); - - private boolean connectionCheckEnabled; - - private int maxNumberOfConnectionRetries; - private int retryWaittimeInMilliseconds; - - private OwaspZapProductMessageHelper owaspZapProductMessageHelper; - - private OwaspZapScanContext() { - } - - public OwaspZapServerConfiguration getServerConfig() { - return serverConfig; - } - - public boolean isVerboseOutput() { - return verboseOutput; - } - - public boolean isAjaxSpiderEnabled() { - return ajaxSpiderEnabled; - } - - public boolean isActiveScanEnabled() { - return activeScanEnabled; - } - - public Path getReportFile() 
{ - return reportFile; - } - - public String getContextName() { - return contextName; - } - - public String getTargetUrlAsString() { - return getTargetUrl().toString(); - } - - public URL getTargetUrl() { - return targetUrl; - } - - public AuthenticationType getAuthenticationType() { - return authenticationType; - } - - public long getMaxScanDurationInMillis() { - return maxScanDurationInMillis; - } - - public SecHubWebScanConfiguration getSecHubWebScanConfiguration() { - return secHubWebScanConfiguration; - } - - /** - * Resolves proxy information if available - * - * @return proxy information or null when no proxy information - * available - */ - public ProxyInformation getProxyInformation() { - return proxyInformation; - } - - public OwaspZapFullRuleset getFullRuleset() { - return fullRuleset; - } - - public DeactivatedRuleReferences getDeactivatedRuleReferences() { - return deactivatedRuleReferences; - } - - /** - * - * @return api defintion file or null if not available - */ - public Path getApiDefinitionFile() { - return apiDefinitionFile; - } - - public Set getOwaspZapURLsIncludeSet() { - return owaspZapURLsIncludeSet; - } - - public Set getOwaspZapURLsExcludeSet() { - return owaspZapURLsExcludeSet; - } - - public boolean connectionCheckEnabled() { - return connectionCheckEnabled; - } - - public int getMaxNumberOfConnectionRetries() { - return maxNumberOfConnectionRetries; - } - - public int getRetryWaittimeInMilliseconds() { - return retryWaittimeInMilliseconds; - } - - public OwaspZapProductMessageHelper getOwaspZapProductMessageHelper() { - return owaspZapProductMessageHelper; - } - - public static OwaspZapBasicScanContextBuilder builder() { - return new OwaspZapBasicScanContextBuilder(); - } - - public static class OwaspZapBasicScanContextBuilder { - private OwaspZapServerConfiguration serverConfig; - - private boolean verboseOutput = false; - - private boolean ajaxSpiderEnabled; - private boolean activeScanEnabled; - - private Path reportFile; - - 
private String contextName; - - private URL targetUrl; - - private AuthenticationType authenticationType; - - private long maxScanDurationInMillis; - - private SecHubWebScanConfiguration secHubWebScanConfiguration; - - private ProxyInformation proxyInformation; - - private OwaspZapFullRuleset fullRuleset; - - private DeactivatedRuleReferences deactivatedRuleReferences; - - private Path apiDefinitionFile; - - // Using Set here to avoid duplicates - private Set owaspZapURLsIncludeSet = new HashSet<>(); - private Set owaspZapURLsExcludeSet = new HashSet<>(); - - private boolean connectionCheckEnabled; - - private int maxNumberOfConnectionRetries; - private int setRetryWaittimeInMilliseconds; - - private OwaspZapProductMessageHelper owaspZapProductMessageHelper; - - public OwaspZapBasicScanContextBuilder setServerConfig(OwaspZapServerConfiguration serverConfig) { - this.serverConfig = serverConfig; - return this; - } - - public OwaspZapBasicScanContextBuilder setVerboseOutput(boolean verboseOutput) { - this.verboseOutput = verboseOutput; - return this; - } - - public OwaspZapBasicScanContextBuilder setAjaxSpiderEnabled(boolean ajaxSpiderEnabled) { - this.ajaxSpiderEnabled = ajaxSpiderEnabled; - return this; - } - - public OwaspZapBasicScanContextBuilder setActiveScanEnabled(boolean activeScanEnabled) { - this.activeScanEnabled = activeScanEnabled; - return this; - } - - public OwaspZapBasicScanContextBuilder setReportFile(Path reportFile) { - this.reportFile = reportFile; - return this; - } - - public OwaspZapBasicScanContextBuilder setContextName(String contextName) { - this.contextName = contextName; - return this; - } - - public OwaspZapBasicScanContextBuilder setTargetUrl(URL targetUrl) { - this.targetUrl = targetUrl; - return this; - } - - public OwaspZapBasicScanContextBuilder setAuthenticationType(AuthenticationType authenticationType) { - this.authenticationType = authenticationType; - return this; - } - - public OwaspZapBasicScanContextBuilder 
setMaxScanDurationInMillis(long maxScanDurationInMillis) { - this.maxScanDurationInMillis = maxScanDurationInMillis; - return this; - } - - public OwaspZapBasicScanContextBuilder setSecHubWebScanConfiguration(SecHubWebScanConfiguration secHubWebScanConfiguration) { - this.secHubWebScanConfiguration = secHubWebScanConfiguration; - return this; - } - - public OwaspZapBasicScanContextBuilder setProxyInformation(ProxyInformation proxyInformation) { - this.proxyInformation = proxyInformation; - return this; - } - - public OwaspZapBasicScanContextBuilder setFullRuleset(OwaspZapFullRuleset fullRuleset) { - this.fullRuleset = fullRuleset; - return this; - } - - public OwaspZapBasicScanContextBuilder setDeactivatedRuleReferences(DeactivatedRuleReferences deactivatedRuleReferences) { - this.deactivatedRuleReferences = deactivatedRuleReferences; - return this; - } - - public OwaspZapBasicScanContextBuilder setApiDefinitionFile(Path apiDefinitionFile) { - this.apiDefinitionFile = apiDefinitionFile; - return this; - } - - public OwaspZapBasicScanContextBuilder setOwaspZapURLsIncludeSet(Set owaspZapURLsIncludeList) { - this.owaspZapURLsIncludeSet.addAll(owaspZapURLsIncludeList); - return this; - } - - public OwaspZapBasicScanContextBuilder setOwaspZapURLsExcludeSet(Set owaspZapURLsExcludeList) { - this.owaspZapURLsExcludeSet.addAll(owaspZapURLsExcludeList); - return this; - } - - public OwaspZapBasicScanContextBuilder setConnectionCheckEnabled(boolean connectionCheckEnabled) { - this.connectionCheckEnabled = connectionCheckEnabled; - return this; - } - - public OwaspZapBasicScanContextBuilder setMaxNumberOfConnectionRetries(int maxNumberOfConnectionRetries) { - this.maxNumberOfConnectionRetries = maxNumberOfConnectionRetries; - return this; - } - - public OwaspZapBasicScanContextBuilder setRetryWaittimeInMilliseconds(int retryWaittimeInMilliseconds) { - this.setRetryWaittimeInMilliseconds = retryWaittimeInMilliseconds; - return this; - } - - public 
OwaspZapBasicScanContextBuilder setOwaspZapProductMessageHelper(OwaspZapProductMessageHelper owaspZapProductMessageHelper) { - this.owaspZapProductMessageHelper = owaspZapProductMessageHelper; - return this; - } - - public OwaspZapScanContext build() { - OwaspZapScanContext owaspZapBasicScanConfiguration = new OwaspZapScanContext(); - owaspZapBasicScanConfiguration.serverConfig = this.serverConfig; - owaspZapBasicScanConfiguration.verboseOutput = this.verboseOutput; - owaspZapBasicScanConfiguration.ajaxSpiderEnabled = this.ajaxSpiderEnabled; - owaspZapBasicScanConfiguration.activeScanEnabled = this.activeScanEnabled; - owaspZapBasicScanConfiguration.reportFile = this.reportFile; - owaspZapBasicScanConfiguration.contextName = this.contextName; - owaspZapBasicScanConfiguration.targetUrl = this.targetUrl; - owaspZapBasicScanConfiguration.authenticationType = this.authenticationType; - - owaspZapBasicScanConfiguration.maxScanDurationInMillis = this.maxScanDurationInMillis; - - owaspZapBasicScanConfiguration.secHubWebScanConfiguration = this.secHubWebScanConfiguration; - - owaspZapBasicScanConfiguration.proxyInformation = this.proxyInformation; - - owaspZapBasicScanConfiguration.fullRuleset = this.fullRuleset; - owaspZapBasicScanConfiguration.deactivatedRuleReferences = this.deactivatedRuleReferences; - - owaspZapBasicScanConfiguration.apiDefinitionFile = this.apiDefinitionFile; - - owaspZapBasicScanConfiguration.owaspZapURLsIncludeSet.addAll(this.owaspZapURLsIncludeSet); - owaspZapBasicScanConfiguration.owaspZapURLsExcludeSet.addAll(this.owaspZapURLsExcludeSet); - - owaspZapBasicScanConfiguration.connectionCheckEnabled = this.connectionCheckEnabled; - - owaspZapBasicScanConfiguration.maxNumberOfConnectionRetries = this.maxNumberOfConnectionRetries; - owaspZapBasicScanConfiguration.retryWaittimeInMilliseconds = this.setRetryWaittimeInMilliseconds; - - owaspZapBasicScanConfiguration.owaspZapProductMessageHelper = this.owaspZapProductMessageHelper; - - return 
owaspZapBasicScanConfiguration; - } - - } -} diff --git a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/config/auth/SessionManagementType.java b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/config/auth/SessionManagementType.java deleted file mode 100644 index 46afb67042..0000000000 --- a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/config/auth/SessionManagementType.java +++ /dev/null @@ -1,28 +0,0 @@ -// SPDX-License-Identifier: MIT -package com.mercedesbenz.sechub.owaspzapwrapper.config.auth; - -/** - * Representing the different session management types available to Owasp Zap. - * Makes the OWASP ZAP API easier to use. - * - */ -public enum SessionManagementType { - - HTTP_AUTH_SESSION_MANAGEMENT("httpAuthSessionManagement"), - - COOKIE_BASED_SESSION_MANAGEMENT("cookieBasedSessionManagement"), - - SCRIPT_BASED_SESSION_MANAGEMENT("scriptBasedSessionManagement"), - - ; - - private String owaspZapSessionManagementMethod; - - private SessionManagementType(String owaspZapSessionManagementMethod) { - this.owaspZapSessionManagementMethod = owaspZapSessionManagementMethod; - } - - public String getOwaspZapSessionManagementMethod() { - return owaspZapSessionManagementMethod; - } -} diff --git a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/scan/OwaspZapScan.java b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/scan/OwaspZapScan.java deleted file mode 100644 index fe2a668467..0000000000 --- a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/scan/OwaspZapScan.java +++ /dev/null @@ -1,8 +0,0 @@ -// SPDX-License-Identifier: MIT -package com.mercedesbenz.sechub.owaspzapwrapper.scan; - -public interface OwaspZapScan { - - void scan(); - -} \ No newline at end of file 
diff --git a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/cli/CommandLineSettings.java b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/cli/CommandLineSettings.java
similarity index 84%
rename from sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/cli/CommandLineSettings.java
rename to sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/cli/CommandLineSettings.java
index 05522a922b..3bf94d8db1 100644
--- a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/cli/CommandLineSettings.java
+++ b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/cli/CommandLineSettings.java
@@ -1,13 +1,13 @@
 // SPDX-License-Identifier: MIT
-package com.mercedesbenz.sechub.owaspzapwrapper.cli;
+package com.mercedesbenz.sechub.zapwrapper.cli;
 import java.io.File;
 import java.nio.file.Path;
 import java.nio.file.Paths;
 import com.beust.jcommander.Parameter;
-import com.mercedesbenz.sechub.owaspzapwrapper.util.EnvironmentVariableConstants;
-import com.mercedesbenz.sechub.owaspzapwrapper.util.FileUtilities;
+import com.mercedesbenz.sechub.zapwrapper.util.EnvironmentVariableConstants;
+import com.mercedesbenz.sechub.zapwrapper.util.FileUtilities;
 public class CommandLineSettings {
 @Parameter(names = { "--help" }, description = "Shows help and provides information on how to use the wrapper.", help = true)
@@ -32,8 +32,7 @@ public Path getReportFile() {
 return reportFileAsPath.toAbsolutePath();
 }
- @Parameter(names = {
- "--jobUUID" }, description = "The Job-UUID, which will be used as internal identifier for the Owasp Zap scan context.", required = false)
+ @Parameter(names = { "--jobUUID" }, description = "The Job-UUID, which will be used as internal identifier for the Zap scan context.", required = false)
 private String jobUUID;
 public String getJobUUID() {
@@ -47,21 +46,21 @@ public File getSecHubConfigFile() {
 return FileUtilities.stringToFile(sechubConfigFile);
 }
- @Parameter(names = { "--ajaxSpider" }, description = "Set this option to enable Owasp Zap ajaxSpider.", required = false)
+ @Parameter(names = { "--ajaxSpider" }, description = "Set this option to enable Zap ajaxSpider.", required = false)
 private boolean ajaxSpiderEnabled;
 public boolean isAjaxSpiderEnabled() {
 return ajaxSpiderEnabled;
 }
- @Parameter(names = { "--activeScan" }, description = "Set this option to enable Owasp Zap active scan.", required = false)
+ @Parameter(names = { "--activeScan" }, description = "Set this option to enable Zap active scan.", required = false)
 private boolean activeScanEnabled;
 public boolean isActiveScanEnabled() {
 return activeScanEnabled;
 }
- @Parameter(names = { "--zapHost" }, description = "Specifies the Owasp Zap host address. You can also set the environment variable "
+ @Parameter(names = { "--zapHost" }, description = "Specifies the Zap host address. You can also set the environment variable "
 + EnvironmentVariableConstants.ZAP_HOST_ENV_VARIABLE_NAME + ", instead of using this parameter.", required = false)
 private String zapHost;
@@ -69,7 +68,7 @@ public String getZapHost() {
 return zapHost;
 }
- @Parameter(names = { "--zapPort" }, description = "Specifies the Owasp Zap host port. You can also set the environment variable "
+ @Parameter(names = { "--zapPort" }, description = "Specifies the Zap host port. You can also set the environment variable "
 + EnvironmentVariableConstants.ZAP_PORT_ENV_VARIABLE_NAME + ", instead of using this parameter.", required = false)
 private int zapPort;
@@ -77,7 +76,7 @@ public int getZapPort() {
 return zapPort;
 }
- @Parameter(names = { "--zapApiKey" }, description = "Specifies the Owasp Zap host api key. You can also set the environment variable "
+ @Parameter(names = { "--zapApiKey" }, description = "Specifies the Zap host api key. You can also set the environment variable "
 + EnvironmentVariableConstants.ZAP_API_KEY_ENV_VARIABLE_NAME + ", instead of using this parameter.", required = false)
 private String zapApiKey;
@@ -108,22 +107,21 @@ public int getProxyPort() {
 return proxyPort;
 }
- @Parameter(names = { "--fullRulesetfile" }, description = "Specify a file with all rules installed for the Owasp Zap.", required = true)
+ @Parameter(names = { "--fullRulesetfile" }, description = "Specify a file with all rules installed for the Zap.", required = true)
 private String fullRulesetFile;
 public File getFullRulesetFile() {
 return FileUtilities.stringToFile(fullRulesetFile);
 }
- @Parameter(names = {
- "--rulesDeactivationfile" }, description = "Specify a file with rules to deactivate during the scan inside the Owasp Zap.", required = false)
+ @Parameter(names = { "--rulesDeactivationfile" }, description = "Specify a file with rules to deactivate during the scan inside the Zap.", required = false)
 private String rulesDeactvationFile;
 public File getRulesDeactvationFile() {
 return FileUtilities.stringToFile(rulesDeactvationFile);
 }
- @Parameter(names = { "--deactivateRules" }, description = "Specify references of rules you want to deactivate during the scan inside the Owasp Zap. "
+ @Parameter(names = { "--deactivateRules" }, description = "Specify references of rules you want to deactivate during the scan inside the Zap. "
 + "If you specifiy multiple rules use comma separated values like: rule1,rule,rule3", required = false)
 private String deactivatedRuleReferences;
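Review bot: The `--deactivateRules` description rewritten in the last hunk (`@@ -108,22 +107,21 @@`) is only half of one string literal; its continuation, the context line `+ "If you specifiy multiple rules use comma separated values like: rule1,rule,rule3"`, is printed verbatim as help output and still carries the typo `specifiy` and an example that presumably was meant to read `rule1,rule2,rule3`. Since this literal is being touched anyway, changing the continuation to `+ "If you specify multiple rules use comma separated values like: rule1,rule2,rule3", required = false)` would finish the cleanup in the same commit. The enclosing `CommandLineSettings` class starts and ends outside these hunks.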
diff --git a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/cli/ZapScanExecutor.java b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/cli/ZapScanExecutor.java
new file mode 100644
index 0000000000..0877dedd96
--- /dev/null
+++ b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/cli/ZapScanExecutor.java
@@ -0,0 +1,36 @@
+// SPDX-License-Identifier: MIT
+package com.mercedesbenz.sechub.zapwrapper.cli;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import com.mercedesbenz.sechub.zapwrapper.config.ZapClientApiFactory;
+import com.mercedesbenz.sechub.zapwrapper.config.ZapScanContext;
+import com.mercedesbenz.sechub.zapwrapper.scan.ClientApiFacade;
+import com.mercedesbenz.sechub.zapwrapper.scan.ZapScanner;
+import com.mercedesbenz.sechub.zapwrapper.util.TargetConnectionChecker;
+
+public class ZapScanExecutor {
+ private static final Logger LOG = LoggerFactory.getLogger(ZapScanExecutor.class);
+
+ ZapClientApiFactory clientApiFactory;
+
+ TargetConnectionChecker connectionChecker;
+
+ public ZapScanExecutor() {
+ clientApiFactory = new ZapClientApiFactory();
+ connectionChecker = new TargetConnectionChecker();
+ }
+
+ public void execute(ZapScanContext scanContext) throws ZapWrapperRuntimeException {
+ if (scanContext.connectionCheckEnabled()) {
+ connectionChecker.assertApplicationIsReachable(scanContext);
+ }
+
+ ClientApiFacade clientApiFacade = clientApiFactory.create(scanContext.getServerConfig());
+
+ ZapScanner zapScanner = new ZapScanner(clientApiFacade, scanContext);
+ LOG.info("Starting Zap scan.");
+ zapScanner.scan();
+ }
+}
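Review bot: `execute` declares `throws ZapWrapperRuntimeException` although that type extends `RuntimeException` (visible in the ZapWrapperRuntimeException hunk further down), so the clause is not enforced by the compiler and reads like a checked contract; the information belongs in Javadoc instead, e.g. `@throws ZapWrapperRuntimeException when the target is unreachable or the scan fails`. The collaborator fields `clientApiFactory` and `connectionChecker` are package-private and mutable, presumably so tests can swap them; a package-private constructor `ZapScanExecutor(ZapClientApiFactory clientApiFactory, TargetConnectionChecker connectionChecker)` that the public no-arg constructor delegates to would let both become `private final` while keeping test injection. The public class itself has no Javadoc; a one-liner such as `/** Runs the optional target connection check, creates the ZAP client facade and starts the scan for the given context. */` would cover it.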
diff --git a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/cli/OwaspZapWrapperCLI.java b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/cli/ZapWrapperCLI.java
similarity index 54%
rename from sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/cli/OwaspZapWrapperCLI.java
rename to sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/cli/ZapWrapperCLI.java
index 6e680b4554..40cdd9804c 100644
--- a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/cli/OwaspZapWrapperCLI.java
+++ b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/cli/ZapWrapperCLI.java
@@ -1,23 +1,23 @@
 // SPDX-License-Identifier: MIT
-package com.mercedesbenz.sechub.owaspzapwrapper.cli;
+package com.mercedesbenz.sechub.zapwrapper.cli;
 import java.io.IOException;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
-import com.mercedesbenz.sechub.owaspzapwrapper.cli.OwaspZapWrapperCommandLineParser.OwaspZapWrapperCommandLineParserException;
-import com.mercedesbenz.sechub.owaspzapwrapper.config.OwaspZapScanContext;
+import com.mercedesbenz.sechub.zapwrapper.cli.ZapWrapperCommandLineParser.ZapWrapperCommandLineParserException;
+import com.mercedesbenz.sechub.zapwrapper.config.ZapScanContext;
-public class OwaspZapWrapperCLI {
- private static final Logger LOG = LoggerFactory.getLogger(OwaspZapWrapperCLI.class);
+public class ZapWrapperCLI {
+ private static final Logger LOG = LoggerFactory.getLogger(ZapWrapperCLI.class);
 public static void main(String[] args) throws IOException {
- new OwaspZapWrapperCLI().start(args);
+ new ZapWrapperCLI().start(args);
 }
 private void start(String[] args) throws IOException {
- OwaspZapScanContext scanContext = null;
+ ZapScanContext scanContext = null;
 try {
 LOG.info("Building the scan configuration.");
 scanContext = resolveScanContext(args);
@@ -30,22 +30,22 @@ private void start(String[] args) throws IOException {
 } catch (ZapWrapperRuntimeException e) {
 LOG.error("An error occurred during the scan: {}.", e.getMessage(), e);
- scanContext.getOwaspZapProductMessageHelper().writeProductError(e);
+ scanContext.getZapProductMessageHelper().writeProductError(e);
 System.exit(e.getExitCode().getExitCode());
- } catch (OwaspZapWrapperCommandLineParserException e) {
+ } catch (ZapWrapperCommandLineParserException e) {
 LOG.error("An error occurred while parsing the command line arguments: {}", e.getMessage(), e);
 System.exit(ZapWrapperExitCode.UNSUPPORTED_CONFIGURATION.getExitCode());
 }
 }
- private OwaspZapScanContext resolveScanContext(String[] args) throws OwaspZapWrapperCommandLineParserException {
- OwaspZapWrapperCommandLineParser parser = new OwaspZapWrapperCommandLineParser();
+ private ZapScanContext resolveScanContext(String[] args) throws ZapWrapperCommandLineParserException {
+ ZapWrapperCommandLineParser parser = new ZapWrapperCommandLineParser();
 return parser.parse(args);
 }
- private void startExecution(OwaspZapScanContext scanContext) {
- OwaspZapScanExecutor scanExecutor = new OwaspZapScanExecutor();
+ private void startExecution(ZapScanContext scanContext) {
+ ZapScanExecutor scanExecutor = new ZapScanExecutor();
 scanExecutor.execute(scanContext);
 }
 }
\ No newline at end of file
diff --git a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/cli/OwaspZapWrapperCommandLineParser.java b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/cli/ZapWrapperCommandLineParser.java
similarity index 57%
rename from sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/cli/OwaspZapWrapperCommandLineParser.java
rename to sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/cli/ZapWrapperCommandLineParser.java
index 3449bdf87c..11682fb983 100644
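Review bot: In the `catch (ZapWrapperRuntimeException e)` block, `scanContext.getZapProductMessageHelper().writeProductError(e)` dereferences `scanContext`, which the first hunk of this file initialises to `null` and assigns only after `resolveScanContext(args)` returns inside the same `try`. If context resolution itself throws a `ZapWrapperRuntimeException` (elsewhere in this patch that type is used for configuration errors, so this seems possible), the catch block fails with a `NullPointerException`, the product error is never written and the intended `System.exit(e.getExitCode().getExitCode())` is skipped, so the wrapper exits with a generic failure code instead. A guard such as `if (scanContext != null) { scanContext.getZapProductMessageHelper().writeProductError(e); }` before the exit keeps the exit-code path intact in both cases. The lines of `start` between the two hunks, including how a `null` result of `parse` for `--help` is handled, are outside this hunk.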
--- a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/cli/OwaspZapWrapperCommandLineParser.java
+++ b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/cli/ZapWrapperCommandLineParser.java
@@ -1,19 +1,19 @@
 // SPDX-License-Identifier: MIT
-package com.mercedesbenz.sechub.owaspzapwrapper.cli;
+package com.mercedesbenz.sechub.zapwrapper.cli;
 import com.beust.jcommander.JCommander;
 import com.beust.jcommander.ParameterException;
-import com.mercedesbenz.sechub.owaspzapwrapper.config.OwaspZapScanContext;
-import com.mercedesbenz.sechub.owaspzapwrapper.config.OwaspZapScanContextFactory;
+import com.mercedesbenz.sechub.zapwrapper.config.ZapScanContext;
+import com.mercedesbenz.sechub.zapwrapper.config.ZapScanContextFactory;
-public class OwaspZapWrapperCommandLineParser {
+public class ZapWrapperCommandLineParser {
 private JCommander commander;
- public class OwaspZapWrapperCommandLineParserException extends Exception {
+ public class ZapWrapperCommandLineParserException extends Exception {
 private static final long serialVersionUID = 1L;
- public OwaspZapWrapperCommandLineParserException(String message, Exception e) {
+ public ZapWrapperCommandLineParserException(String message, Exception e) {
 super(message, e);
 }
 }
@@ -23,9 +23,9 @@ public OwaspZapWrapperCommandLineParserException(String message, Exception e) {
 *
 * @param args
 * @return configuration or null when only help wanted
- * @throws OwaspZapWrapperCommandLineParserException
+ * @throws ZapWrapperCommandLineParserException
 */
- public OwaspZapScanContext parse(String... args) throws OwaspZapWrapperCommandLineParserException {
+ public ZapScanContext parse(String... args) throws ZapWrapperCommandLineParserException {
 CommandLineSettings settings = parseCommandLineParameters(args);
 if (settings.isHelpRequired()) {
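Review bot: `ZapWrapperCommandLineParserException` is declared as a non-static inner class of `ZapWrapperCommandLineParser` in the first hunk, so every exception instance carries a hidden reference to the parser and its `JCommander` field; as the class is `Serializable` through `Exception` and even declares a `serialVersionUID`, that reference would be dragged into any serialization of the exception. Declaring it `public static class ZapWrapperCommandLineParserException extends Exception {` removes the implicit link without affecting callers: the only visible construction is inside the parser (`@@ -51,7 +51,7 @@`), and `ZapWrapperCLI` imports and catches it by its nested name, which works unchanged for a static nested class.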
@@ -33,16 +33,16 @@ public OwaspZapScanContext parse(String... args) throws OwaspZapWrapperCommandLi
 return null;
 }
- OwaspZapScanContextFactory configFactory = new OwaspZapScanContextFactory();
+ ZapScanContextFactory configFactory = new ZapScanContextFactory();
 return configFactory.create(settings);
 }
- private CommandLineSettings parseCommandLineParameters(String... args) throws OwaspZapWrapperCommandLineParserException {
+ private CommandLineSettings parseCommandLineParameters(String... args) throws ZapWrapperCommandLineParserException {
 CommandLineSettings settings = new CommandLineSettings();
 /* @formatter:off */
 commander = JCommander.newBuilder()
- .programName("OwaspZapWrapper")
+ .programName("ZapWrapper")
 .addObject(settings)
 .acceptUnknownOptions(false)
 .build();
@@ -51,7 +51,7 @@ private CommandLineSettings parseCommandLineParameters(String... args) throws Ow
 commander.parse(args);
 return settings;
 } catch (ParameterException e) {
- throw new OwaspZapWrapperCommandLineParserException("Parsing command line parameters failed!", e);
+ throw new ZapWrapperCommandLineParserException("Parsing command line parameters failed!", e);
 }
 }
diff --git a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/cli/ZapWrapperExitCode.java b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/cli/ZapWrapperExitCode.java
similarity index 92%
rename from sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/cli/ZapWrapperExitCode.java
rename to sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/cli/ZapWrapperExitCode.java
index 36c339819e..029130e14d 100644
--- a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/cli/ZapWrapperExitCode.java
+++ b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/cli/ZapWrapperExitCode.java
@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-package com.mercedesbenz.sechub.owaspzapwrapper.cli;
+package com.mercedesbenz.sechub.zapwrapper.cli;
 /**
 *
diff --git a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/cli/ZapWrapperRuntimeException.java b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/cli/ZapWrapperRuntimeException.java
similarity index 91%
rename from sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/cli/ZapWrapperRuntimeException.java
rename to sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/cli/ZapWrapperRuntimeException.java
index 276c57ed40..1dea710e81 100644
--- a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/cli/ZapWrapperRuntimeException.java
+++ b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/cli/ZapWrapperRuntimeException.java
@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-package com.mercedesbenz.sechub.owaspzapwrapper.cli;
+package com.mercedesbenz.sechub.zapwrapper.cli;
 public class ZapWrapperRuntimeException extends RuntimeException {
diff --git a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/config/ApiDefinitionFileProvider.java b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/config/ApiDefinitionFileProvider.java
similarity index 92%
rename from sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/config/ApiDefinitionFileProvider.java
rename to sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/config/ApiDefinitionFileProvider.java
index f82c3e49d4..a845c51b0c 100644
--- a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/config/ApiDefinitionFileProvider.java
+++ b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/config/ApiDefinitionFileProvider.java
@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-package com.mercedesbenz.sechub.owaspzapwrapper.config;
+package com.mercedesbenz.sechub.zapwrapper.config;
 import java.io.File;
 import java.nio.file.Path;
@@ -10,8 +10,8 @@
 import com.mercedesbenz.sechub.commons.model.SecHubScanConfiguration;
 import com.mercedesbenz.sechub.commons.model.SecHubSourceDataConfiguration;
-import com.mercedesbenz.sechub.owaspzapwrapper.cli.ZapWrapperExitCode;
-import com.mercedesbenz.sechub.owaspzapwrapper.cli.ZapWrapperRuntimeException;
+import com.mercedesbenz.sechub.zapwrapper.cli.ZapWrapperExitCode;
+import com.mercedesbenz.sechub.zapwrapper.cli.ZapWrapperRuntimeException;
 public class ApiDefinitionFileProvider {
 private static final Logger LOG = LoggerFactory.getLogger(ApiDefinitionFileProvider.class);
diff --git a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/config/ProxyInformation.java b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/config/ProxyInformation.java
similarity index 85%
rename from sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/config/ProxyInformation.java
rename to sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/config/ProxyInformation.java
index 6f13ef8d19..3bb5385675 100644
--- a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/config/ProxyInformation.java
+++ b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/config/ProxyInformation.java
@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-package com.mercedesbenz.sechub.owaspzapwrapper.config;
+package com.mercedesbenz.sechub.zapwrapper.config;
 public class ProxyInformation {
 private String host;
diff --git a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/config/RuleProvider.java b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/config/RuleProvider.java
similarity index 70%
rename from sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/config/RuleProvider.java
rename to sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/config/RuleProvider.java
index 8d67a8c482..4dc48c8b3f 100644
--- a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/config/RuleProvider.java
+++ b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/config/RuleProvider.java
@@ -1,14 +1,14 @@
 // SPDX-License-Identifier: MIT
-package com.mercedesbenz.sechub.owaspzapwrapper.config;
+package com.mercedesbenz.sechub.zapwrapper.config;
 import java.io.File;
 import java.io.IOException;
 import com.mercedesbenz.sechub.commons.TextFileReader;
-import com.mercedesbenz.sechub.owaspzapwrapper.cli.ZapWrapperExitCode;
-import com.mercedesbenz.sechub.owaspzapwrapper.cli.ZapWrapperRuntimeException;
-import com.mercedesbenz.sechub.owaspzapwrapper.config.data.DeactivatedRuleReferences;
-import com.mercedesbenz.sechub.owaspzapwrapper.config.data.OwaspZapFullRuleset;
+import com.mercedesbenz.sechub.zapwrapper.cli.ZapWrapperExitCode;
+import com.mercedesbenz.sechub.zapwrapper.cli.ZapWrapperRuntimeException;
+import com.mercedesbenz.sechub.zapwrapper.config.data.DeactivatedRuleReferences;
+import com.mercedesbenz.sechub.zapwrapper.config.data.ZapFullRuleset;
 public class RuleProvider {
@@ -17,11 +17,11 @@ public class RuleProvider {
 /**
 *
 * @param fullRulesetFile
- * @return OwaspZapFullRuleset specified by file or new empty
- * OwaspZapFullRuleset if file is null or does not exist
+ * @return ZapFullRuleset specified by file or new empty ZapFullRuleset if file
+ * is null or does not exist
 */
- public OwaspZapFullRuleset fetchFullRuleset(File fullRulesetFile) {
- OwaspZapFullRuleset fullRuleset = new OwaspZapFullRuleset();
+ public ZapFullRuleset fetchFullRuleset(File fullRulesetFile) {
+ ZapFullRuleset fullRuleset = new ZapFullRuleset();
 if (fullRulesetFile == null) {
 return fullRuleset;
 }
diff --git a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/config/SecHubScanConfigProvider.java b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/config/SecHubScanConfigProvider.java
similarity index 82%
rename from sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/config/SecHubScanConfigProvider.java
rename to sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/config/SecHubScanConfigProvider.java
index 1aae1b9ed1..9c483f3959 100644
--- a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/config/SecHubScanConfigProvider.java
+++ b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/config/SecHubScanConfigProvider.java
@@ -1,13 +1,13 @@
 // SPDX-License-Identifier: MIT
-package com.mercedesbenz.sechub.owaspzapwrapper.config;
+package com.mercedesbenz.sechub.zapwrapper.config;
 import java.io.File;
 import java.io.IOException;
 import com.mercedesbenz.sechub.commons.TextFileReader;
 import com.mercedesbenz.sechub.commons.model.SecHubScanConfiguration;
-import com.mercedesbenz.sechub.owaspzapwrapper.cli.ZapWrapperExitCode;
-import com.mercedesbenz.sechub.owaspzapwrapper.cli.ZapWrapperRuntimeException;
+import com.mercedesbenz.sechub.zapwrapper.cli.ZapWrapperExitCode;
+import com.mercedesbenz.sechub.zapwrapper.cli.ZapWrapperRuntimeException;
 public class SecHubScanConfigProvider {
 public SecHubScanConfiguration getSecHubWebConfiguration(File secHubConfigFile) {
diff --git a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/config/ZapClientApiFactory.java b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/config/ZapClientApiFactory.java
new file mode 100644
index 0000000000..b2f507829e
--- /dev/null
+++ b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/config/ZapClientApiFactory.java
@@ -0,0 +1,41 @@
+// SPDX-License-Identifier: MIT
+package com.mercedesbenz.sechub.zapwrapper.config;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.zaproxy.clientapi.core.ClientApi;
+
+import com.mercedesbenz.sechub.zapwrapper.cli.ZapWrapperExitCode;
+import com.mercedesbenz.sechub.zapwrapper.cli.ZapWrapperRuntimeException;
+import com.mercedesbenz.sechub.zapwrapper.scan.ClientApiFacade;
+
+public class ZapClientApiFactory {
+ private static final Logger LOG = LoggerFactory.getLogger(ZapClientApiFactory.class);
+
+ public ClientApiFacade create(ZapServerConfiguration serverConfig) {
+ LOG.info("Creating Zap ClientApi.");
+ assertValidServerConfig(serverConfig);
+ String zaproxyHost = serverConfig.getZaproxyHost();
+ int zaproxyPort = serverConfig.getZaproxyPort();
+ String zaproxyApiKey = serverConfig.getZaproxyApiKey();
+
+ ClientApi clientApi = new ClientApi(zaproxyHost, zaproxyPort, zaproxyApiKey);
+
+ return new ClientApiFacade(clientApi);
+ }
+
+ private void assertValidServerConfig(ZapServerConfiguration serverConfig) {
+ if (serverConfig == null) {
+ throw new ZapWrapperRuntimeException("Zap server configuration may not be null!", ZapWrapperExitCode.PDS_CONFIGURATION_ERROR);
+ }
+ if (serverConfig.getZaproxyHost() == null) {
+ throw new ZapWrapperRuntimeException("Zap host configuration may not be null!", ZapWrapperExitCode.PDS_CONFIGURATION_ERROR);
+ }
+ if (serverConfig.getZaproxyPort() <= 0) {
+ throw new ZapWrapperRuntimeException("Zap host configuration ahs to be a valid port number!", ZapWrapperExitCode.PDS_CONFIGURATION_ERROR);
+ }
+ if (serverConfig.getZaproxyApiKey() == null) {
+ throw new ZapWrapperRuntimeException("Zap api-key configuration may not be null!", ZapWrapperExitCode.PDS_CONFIGURATION_ERROR);
+ }
+ }
+}
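Review bot: The port check in `assertValidServerConfig` reports the wrong field and has a typo: it tests `getZaproxyPort() <= 0` but the message reads "Zap host configuration ahs to be a valid port number!", which will send an operator looking at the host setting; `throw new ZapWrapperRuntimeException("Zap port configuration has to be a valid port number!", ZapWrapperExitCode.PDS_CONFIGURATION_ERROR);` says what was actually rejected. The host and api-key checks only reject `null`, so an empty or blank value from the environment passes here and only fails later inside the ZAP client with a less clear error; `serverConfig.getZaproxyHost() == null || serverConfig.getZaproxyHost().isBlank()` (and the same for the api key) would fail fast with the configuration exit code. `create` is the only public entry point of the new class and has no Javadoc; a short `@throws ZapWrapperRuntimeException when the server configuration is null or incomplete` would document the contract callers rely on.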
diff --git a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/config/ZapScanContext.java b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/config/ZapScanContext.java
new file mode 100644
index 0000000000..b7137e6724
--- /dev/null
+++ b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/config/ZapScanContext.java
@@ -0,0 +1,329 @@ +// SPDX-License-Identifier: MIT +package com.mercedesbenz.sechub.zapwrapper.config; + +import java.net.URL; +import java.nio.file.Path; +import java.util.HashSet; +import java.util.Set; + +import com.mercedesbenz.sechub.commons.model.SecHubWebScanConfiguration; +import com.mercedesbenz.sechub.zapwrapper.config.auth.AuthenticationType; +import com.mercedesbenz.sechub.zapwrapper.config.data.DeactivatedRuleReferences; +import com.mercedesbenz.sechub.zapwrapper.config.data.ZapFullRuleset; +import com.mercedesbenz.sechub.zapwrapper.helper.ZapProductMessageHelper; + +public class ZapScanContext { + private ZapServerConfiguration serverConfig; + private boolean verboseOutput = false; + + private boolean ajaxSpiderEnabled; + private boolean activeScanEnabled; + + private Path reportFile; + + private String contextName; + + private URL targetUrl; + + private AuthenticationType authenticationType; + + private long maxScanDurationInMillis; + + private SecHubWebScanConfiguration secHubWebScanConfiguration; + + private ProxyInformation proxyInformation; + + private ZapFullRuleset fullRuleset; + + private DeactivatedRuleReferences deactivatedRuleReferences; + + private Path apiDefinitionFile; + + // Using Set here to avoid duplicates + private Set zapURLsIncludeSet = new HashSet<>(); + private Set zapURLsExcludeSet = new HashSet<>(); + + private boolean connectionCheckEnabled; + + private int maxNumberOfConnectionRetries; + private int retryWaittimeInMilliseconds; + + private ZapProductMessageHelper zapProductMessageHelper; + + private ZapScanContext() { + } + + public ZapServerConfiguration getServerConfig() { + return serverConfig; + } + + public boolean isVerboseOutput() { + return verboseOutput; + } + + public boolean isAjaxSpiderEnabled() { + return ajaxSpiderEnabled; + } + + public boolean isActiveScanEnabled() { + return activeScanEnabled; + } + + public Path getReportFile() { + return reportFile; + } + + public String getContextName() { + return 
contextName; + } + + public String getTargetUrlAsString() { + return getTargetUrl().toString(); + } + + public URL getTargetUrl() { + return targetUrl; + } + + public AuthenticationType getAuthenticationType() { + return authenticationType; + } + + public long getMaxScanDurationInMillis() { + return maxScanDurationInMillis; + } + + public SecHubWebScanConfiguration getSecHubWebScanConfiguration() { + return secHubWebScanConfiguration; + } + + /** + * Resolves proxy information if available + * + * @return proxy information or null when no proxy information + * available + */ + public ProxyInformation getProxyInformation() { + return proxyInformation; + } + + public ZapFullRuleset getFullRuleset() { + return fullRuleset; + } + + public DeactivatedRuleReferences getDeactivatedRuleReferences() { + return deactivatedRuleReferences; + } + + /** + * + * @return api defintion file or null if not available + */ + public Path getApiDefinitionFile() { + return apiDefinitionFile; + } + + public Set getZapURLsIncludeSet() { + return zapURLsIncludeSet; + } + + public Set getZapURLsExcludeSet() { + return zapURLsExcludeSet; + } + + public boolean connectionCheckEnabled() { + return connectionCheckEnabled; + } + + public int getMaxNumberOfConnectionRetries() { + return maxNumberOfConnectionRetries; + } + + public int getRetryWaittimeInMilliseconds() { + return retryWaittimeInMilliseconds; + } + + public ZapProductMessageHelper getZapProductMessageHelper() { + return zapProductMessageHelper; + } + + public static ZapBasicScanContextBuilder builder() { + return new ZapBasicScanContextBuilder(); + } + + public static class ZapBasicScanContextBuilder { + private ZapServerConfiguration serverConfig; + + private boolean verboseOutput = false; + + private boolean ajaxSpiderEnabled; + private boolean activeScanEnabled; + + private Path reportFile; + + private String contextName; + + private URL targetUrl; + + private AuthenticationType authenticationType; + + private long 
maxScanDurationInMillis; + + private SecHubWebScanConfiguration secHubWebScanConfiguration; + + private ProxyInformation proxyInformation; + + private ZapFullRuleset fullRuleset; + + private DeactivatedRuleReferences deactivatedRuleReferences; + + private Path apiDefinitionFile; + + // Using Set here to avoid duplicates + private Set zapURLsIncludeSet = new HashSet<>(); + private Set zapURLsExcludeSet = new HashSet<>(); + + private boolean connectionCheckEnabled; + + private int maxNumberOfConnectionRetries; + private int setRetryWaittimeInMilliseconds; + + private ZapProductMessageHelper zapProductMessageHelper; + + public ZapBasicScanContextBuilder setServerConfig(ZapServerConfiguration serverConfig) { + this.serverConfig = serverConfig; + return this; + } + + public ZapBasicScanContextBuilder setVerboseOutput(boolean verboseOutput) { + this.verboseOutput = verboseOutput; + return this; + } + + public ZapBasicScanContextBuilder setAjaxSpiderEnabled(boolean ajaxSpiderEnabled) { + this.ajaxSpiderEnabled = ajaxSpiderEnabled; + return this; + } + + public ZapBasicScanContextBuilder setActiveScanEnabled(boolean activeScanEnabled) { + this.activeScanEnabled = activeScanEnabled; + return this; + } + + public ZapBasicScanContextBuilder setReportFile(Path reportFile) { + this.reportFile = reportFile; + return this; + } + + public ZapBasicScanContextBuilder setContextName(String contextName) { + this.contextName = contextName; + return this; + } + + public ZapBasicScanContextBuilder setTargetUrl(URL targetUrl) { + this.targetUrl = targetUrl; + return this; + } + + public ZapBasicScanContextBuilder setAuthenticationType(AuthenticationType authenticationType) { + this.authenticationType = authenticationType; + return this; + } + + public ZapBasicScanContextBuilder setMaxScanDurationInMillis(long maxScanDurationInMillis) { + this.maxScanDurationInMillis = maxScanDurationInMillis; + return this; + } + + public ZapBasicScanContextBuilder 
setSecHubWebScanConfiguration(SecHubWebScanConfiguration secHubWebScanConfiguration) { + this.secHubWebScanConfiguration = secHubWebScanConfiguration; + return this; + } + + public ZapBasicScanContextBuilder setProxyInformation(ProxyInformation proxyInformation) { + this.proxyInformation = proxyInformation; + return this; + } + + public ZapBasicScanContextBuilder setFullRuleset(ZapFullRuleset fullRuleset) { + this.fullRuleset = fullRuleset; + return this; + } + + public ZapBasicScanContextBuilder setDeactivatedRuleReferences(DeactivatedRuleReferences deactivatedRuleReferences) { + this.deactivatedRuleReferences = deactivatedRuleReferences; + return this; + } + + public ZapBasicScanContextBuilder setApiDefinitionFile(Path apiDefinitionFile) { + this.apiDefinitionFile = apiDefinitionFile; + return this; + } + + public ZapBasicScanContextBuilder setZapURLsIncludeSet(Set zapURLsIncludeList) { + this.zapURLsIncludeSet.addAll(zapURLsIncludeList); + return this; + } + + public ZapBasicScanContextBuilder setZapURLsExcludeSet(Set zapURLsExcludeList) { + this.zapURLsExcludeSet.addAll(zapURLsExcludeList); + return this; + } + + public ZapBasicScanContextBuilder setConnectionCheckEnabled(boolean connectionCheckEnabled) { + this.connectionCheckEnabled = connectionCheckEnabled; + return this; + } + + public ZapBasicScanContextBuilder setMaxNumberOfConnectionRetries(int maxNumberOfConnectionRetries) { + this.maxNumberOfConnectionRetries = maxNumberOfConnectionRetries; + return this; + } + + public ZapBasicScanContextBuilder setRetryWaittimeInMilliseconds(int retryWaittimeInMilliseconds) { + this.setRetryWaittimeInMilliseconds = retryWaittimeInMilliseconds; + return this; + } + + public ZapBasicScanContextBuilder setZapProductMessageHelper(ZapProductMessageHelper zapProductMessageHelper) { + this.zapProductMessageHelper = zapProductMessageHelper; + return this; + } + + public ZapScanContext build() { + ZapScanContext zapBasicScanConfiguration = new ZapScanContext(); + 
zapBasicScanConfiguration.serverConfig = this.serverConfig; + zapBasicScanConfiguration.verboseOutput = this.verboseOutput; + zapBasicScanConfiguration.ajaxSpiderEnabled = this.ajaxSpiderEnabled; + zapBasicScanConfiguration.activeScanEnabled = this.activeScanEnabled; + zapBasicScanConfiguration.reportFile = this.reportFile; + zapBasicScanConfiguration.contextName = this.contextName; + zapBasicScanConfiguration.targetUrl = this.targetUrl; + zapBasicScanConfiguration.authenticationType = this.authenticationType; + + zapBasicScanConfiguration.maxScanDurationInMillis = this.maxScanDurationInMillis; + + zapBasicScanConfiguration.secHubWebScanConfiguration = this.secHubWebScanConfiguration; + + zapBasicScanConfiguration.proxyInformation = this.proxyInformation; + + zapBasicScanConfiguration.fullRuleset = this.fullRuleset; + zapBasicScanConfiguration.deactivatedRuleReferences = this.deactivatedRuleReferences; + + zapBasicScanConfiguration.apiDefinitionFile = this.apiDefinitionFile; + + zapBasicScanConfiguration.zapURLsIncludeSet.addAll(this.zapURLsIncludeSet); + zapBasicScanConfiguration.zapURLsExcludeSet.addAll(this.zapURLsExcludeSet); + + zapBasicScanConfiguration.connectionCheckEnabled = this.connectionCheckEnabled; + + zapBasicScanConfiguration.maxNumberOfConnectionRetries = this.maxNumberOfConnectionRetries; + zapBasicScanConfiguration.retryWaittimeInMilliseconds = this.setRetryWaittimeInMilliseconds; + + zapBasicScanConfiguration.zapProductMessageHelper = this.zapProductMessageHelper; + + return zapBasicScanConfiguration; + } + + } +} 
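Review bot: `getZapURLsIncludeSet()` and `getZapURLsExcludeSet()` return the context's internal mutable sets, so any holder of the context can change the scan scope (which URLs ZAP is allowed to touch) after `build()` has run, while every other field of the class is read-only; returning `Collections.unmodifiableSet(zapURLsIncludeSet)` (and the same for the exclude set, with `import java.util.Collections;`) keeps the scope fixed at build time. The builder field `private int setRetryWaittimeInMilliseconds;` is named like a setter and differs from every other builder field and from the context field it is copied into in `build()`; `private int retryWaittimeInMilliseconds;` would be consistent. The Javadoc of `getProxyInformation()` says it "Resolves proxy information if available", but the method is a plain getter; `@return proxy information set via the builder, or null when none is available` describes the code as written.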
diff --git a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/config/OwaspZapScanContextFactory.java b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/config/ZapScanContextFactory.java
similarity index 74%
rename from sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/config/OwaspZapScanContextFactory.java
rename to sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/config/ZapScanContextFactory.java
index 4f15c0ef45..931d7486d3 100644
--- a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/config/OwaspZapScanContextFactory.java
+++ b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/config/ZapScanContextFactory.java
@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-package com.mercedesbenz.sechub.owaspzapwrapper.config;
+package com.mercedesbenz.sechub.zapwrapper.config;
 import java.net.URL;
 import java.nio.file.Path;
@@ -15,23 +15,23 @@ import com.mercedesbenz.sechub.commons.model.SecHubMessage; import com.mercedesbenz.sechub.commons.model.SecHubScanConfiguration; import com.mercedesbenz.sechub.commons.model.SecHubWebScanConfiguration; -import com.mercedesbenz.sechub.owaspzapwrapper.cli.CommandLineSettings; -import com.mercedesbenz.sechub.owaspzapwrapper.cli.ZapWrapperExitCode; -import com.mercedesbenz.sechub.owaspzapwrapper.cli.ZapWrapperRuntimeException; -import com.mercedesbenz.sechub.owaspzapwrapper.config.auth.AuthenticationType; -import com.mercedesbenz.sechub.owaspzapwrapper.config.data.DeactivatedRuleReferences; -import com.mercedesbenz.sechub.owaspzapwrapper.config.data.OwaspZapFullRuleset; -import com.mercedesbenz.sechub.owaspzapwrapper.config.data.RuleReference; -import com.mercedesbenz.sechub.owaspzapwrapper.helper.BaseTargetUriFactory; -import com.mercedesbenz.sechub.owaspzapwrapper.helper.IncludeExcludeToOwaspZapURLHelper; -import com.mercedesbenz.sechub.owaspzapwrapper.helper.OwaspZapProductMessageHelper; -import com.mercedesbenz.sechub.owaspzapwrapper.helper.OwaspZapURLType; -import com.mercedesbenz.sechub.owaspzapwrapper.helper.SecHubWebScanConfigurationHelper; -import com.mercedesbenz.sechub.owaspzapwrapper.util.EnvironmentVariableConstants; -import com.mercedesbenz.sechub.owaspzapwrapper.util.EnvironmentVariableReader; - -public class OwaspZapScanContextFactory { - private static final Logger LOG = LoggerFactory.getLogger(OwaspZapScanContextFactory.class); +import com.mercedesbenz.sechub.zapwrapper.cli.CommandLineSettings; +import com.mercedesbenz.sechub.zapwrapper.cli.ZapWrapperExitCode; +import com.mercedesbenz.sechub.zapwrapper.cli.ZapWrapperRuntimeException; +import com.mercedesbenz.sechub.zapwrapper.config.auth.AuthenticationType; +import com.mercedesbenz.sechub.zapwrapper.config.data.DeactivatedRuleReferences; +import com.mercedesbenz.sechub.zapwrapper.config.data.RuleReference; +import com.mercedesbenz.sechub.zapwrapper.config.data.ZapFullRuleset; 
+import com.mercedesbenz.sechub.zapwrapper.helper.BaseTargetUriFactory; +import com.mercedesbenz.sechub.zapwrapper.helper.IncludeExcludeToZapURLHelper; +import com.mercedesbenz.sechub.zapwrapper.helper.SecHubWebScanConfigurationHelper; +import com.mercedesbenz.sechub.zapwrapper.helper.ZapProductMessageHelper; +import com.mercedesbenz.sechub.zapwrapper.helper.ZapURLType; +import com.mercedesbenz.sechub.zapwrapper.util.EnvironmentVariableConstants; +import com.mercedesbenz.sechub.zapwrapper.util.EnvironmentVariableReader; + +public class ZapScanContextFactory { + private static final Logger LOG = LoggerFactory.getLogger(ZapScanContextFactory.class); SecHubWebScanConfigurationHelper sechubWebConfigHelper; EnvironmentVariableReader environmentVariableReader; 
@@ -39,24 +39,24 @@ public class OwaspZapScanContextFactory { RuleProvider ruleProvider; ApiDefinitionFileProvider apiDefinitionFileProvider; SecHubScanConfigProvider secHubScanConfigProvider; - IncludeExcludeToOwaspZapURLHelper includeExcludeToOwaspZapURLHelper; + IncludeExcludeToZapURLHelper includeExcludeToZapURLHelper; - public OwaspZapScanContextFactory() { + public ZapScanContextFactory() { sechubWebConfigHelper = new SecHubWebScanConfigurationHelper(); environmentVariableReader = new EnvironmentVariableReader(); targetUriFactory = new BaseTargetUriFactory(); ruleProvider = new RuleProvider(); apiDefinitionFileProvider = new ApiDefinitionFileProvider(); secHubScanConfigProvider = new SecHubScanConfigProvider(); - includeExcludeToOwaspZapURLHelper = new IncludeExcludeToOwaspZapURLHelper(); + includeExcludeToZapURLHelper = new IncludeExcludeToZapURLHelper(); } - public OwaspZapScanContext create(CommandLineSettings settings) { + public ZapScanContext create(CommandLineSettings settings) { if (settings == null) { throw new ZapWrapperRuntimeException("Command line settings must not be null!", ZapWrapperExitCode.UNSUPPORTED_CONFIGURATION); } - /* Owasp Zap rule setup */ - OwaspZapFullRuleset fullRuleset = ruleProvider.fetchFullRuleset(settings.getFullRulesetFile()); + /* Zap rule setup */ + ZapFullRuleset fullRuleset = ruleProvider.fetchFullRuleset(settings.getFullRulesetFile()); DeactivatedRuleReferences deactivatedRuleReferences = createDeactivatedRuleReferencesFromSettingsOrEnv(settings); DeactivatedRuleReferences ruleReferencesFromFile = ruleProvider.fetchDeactivatedRuleReferences(settings.getRulesDeactvationFile()); 
@@ -65,7 +65,7 @@ public OwaspZapScanContext create(CommandLineSettings settings) { } /* Wrapper settings */ - OwaspZapServerConfiguration serverConfig = createOwaspZapServerConfig(settings); + ZapServerConfiguration serverConfig = createZapServerConfig(settings); ProxyInformation proxyInformation = createProxyInformation(settings); /* SecHub settings */ @@ -79,7 +79,7 @@ public OwaspZapScanContext create(CommandLineSettings settings) { Path apiDefinitionFile = createPathToApiDefinitionFileOrNull(sechubScanConfig); - /* we always use the SecHub job UUID as OWASP Zap context name */ + /* we always use the SecHub job UUID as Zap context name */ String contextName = settings.getJobUUID(); if (contextName == null) { contextName = UUID.randomUUID().toString(); @@ -95,11 +95,11 @@ public OwaspZapScanContext create(CommandLineSettings settings) { throw new IllegalStateException( "PDS configuration invalid. Cannot send user messages, because environment variable PDS_JOB_USER_MESSAGES_FOLDER is not set."); } - OwaspZapProductMessageHelper productMessagehelper = new OwaspZapProductMessageHelper(userMessagesFolder); + ZapProductMessageHelper productMessagehelper = new ZapProductMessageHelper(userMessagesFolder); checkForIncludeExcludeErrors(userMessages, productMessagehelper); /* @formatter:off */ - OwaspZapScanContext scanContext = OwaspZapScanContext.builder() + ZapScanContext scanContext = ZapScanContext.builder() .setTargetUrl(targetUrl) .setVerboseOutput(settings.isVerboseEnabled()) .setReportFile(settings.getReportFile()) 
@@ -114,12 +114,12 @@ public OwaspZapScanContext create(CommandLineSettings settings) { .setFullRuleset(fullRuleset) .setDeactivatedRuleReferences(deactivatedRuleReferences) .setApiDefinitionFile(apiDefinitionFile) - .setOwaspZapURLsIncludeSet(includeSet) - .setOwaspZapURLsExcludeSet(excludeSet) + .setZapURLsIncludeSet(includeSet) + .setZapURLsExcludeSet(excludeSet) .setConnectionCheckEnabled(settings.isConnectionCheckEnabled()) .setMaxNumberOfConnectionRetries(settings.getMaxNumberOfConnectionRetries()) .setRetryWaittimeInMilliseconds(settings.getRetryWaittimeInMilliseconds()) - .setOwaspZapProductMessageHelper(productMessagehelper) + .setZapProductMessageHelper(productMessagehelper) .build(); /* @formatter:on */ return scanContext; @@ -155,7 +155,7 @@ private DeactivatedRuleReferences createDeactivatedRuleReferencesFromSettingsOrE return deactivatedRuleReferences; } - private OwaspZapServerConfiguration createOwaspZapServerConfig(CommandLineSettings settings) { + private ZapServerConfiguration createZapServerConfig(CommandLineSettings settings) { String zapHost = settings.getZapHost(); int zapPort = settings.getZapPort(); String zapApiKey = settings.getZapApiKey(); 
@@ -171,19 +171,19 @@ private OwaspZapServerConfiguration createOwaspZapServerConfig(CommandLineSettin } if (zapHost == null) { - throw new ZapWrapperRuntimeException("Owasp Zap host is null. Please set the Owasp Zap host to the host use by the Owasp Zap.", + throw new ZapWrapperRuntimeException("Zap host is null. Please set the Zap host to the host use by the Zap.", ZapWrapperExitCode.PDS_CONFIGURATION_ERROR); } if (zapPort <= 0) { - throw new ZapWrapperRuntimeException("Owasp Zap Port was set to " + zapPort + ". Please set the Owasp Zap port to the port used by the Owasp Zap.", + throw new ZapWrapperRuntimeException("Zap Port was set to " + zapPort + ". Please set the Zap port to the port used by the Zap.", ZapWrapperExitCode.PDS_CONFIGURATION_ERROR); } if (zapApiKey == null) { - throw new ZapWrapperRuntimeException("Owasp Zap API-Key is null. Please set the Owasp Zap API-key to the same value set inside your Owasp Zap.", + throw new ZapWrapperRuntimeException("Zap API-Key is null. Please set the Zap API-key to the same value set inside your Zap.", ZapWrapperExitCode.PDS_CONFIGURATION_ERROR); } - return new OwaspZapServerConfiguration(zapHost, zapPort, zapApiKey); + return new ZapServerConfiguration(zapHost, zapPort, zapApiKey); } private ProxyInformation createProxyInformation(CommandLineSettings settings) { @@ -222,8 +222,7 @@ private Set createUrlsIncludedInContext(URL targetUrl, SecHubWebScanConfigu Set includeSet = new HashSet<>(); includeSet.add(targetUrl); if (sechubWebConfig.getIncludes().isPresent()) { - includeSet.addAll( - includeExcludeToOwaspZapURLHelper.createListOfUrls(OwaspZapURLType.INCLUDE, targetUrl, sechubWebConfig.getIncludes().get(), userMessages)); + includeSet.addAll(includeExcludeToZapURLHelper.createListOfUrls(ZapURLType.INCLUDE, targetUrl, sechubWebConfig.getIncludes().get(), userMessages)); } return includeSet; } 
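Review bot: The reworded error messages in `createZapServerConfig` keep the grammar error of the old text: "Please set the Zap host to the host use by the Zap." should be `"Zap host is null. Please set the Zap host to the host used by the Zap."`, and since this hunk rewrites all three messages it is the natural place to fix it. The null/port/api-key checks here are the same validation that `assertValidServerConfig` in the new `ZapClientApiFactory` of this patch performs with different wording, so the two are likely to drift apart; doing the check in one place (the constructor of `ZapServerConfiguration` would cover both callers) avoids that. `createZapServerConfig` starts before this hunk.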
@@ -231,13 +230,12 @@ private Set createUrlsIncludedInContext(URL targetUrl, SecHubWebScanConfigu private Set createUrlsExcludedFromContext(URL targetUrl, SecHubWebScanConfiguration sechubWebConfig, List userMessages) { Set excludeSet = new HashSet<>(); if (sechubWebConfig.getExcludes().isPresent()) { - excludeSet.addAll( - includeExcludeToOwaspZapURLHelper.createListOfUrls(OwaspZapURLType.EXCLUDE, targetUrl, sechubWebConfig.getExcludes().get(), userMessages)); + excludeSet.addAll(includeExcludeToZapURLHelper.createListOfUrls(ZapURLType.EXCLUDE, targetUrl, sechubWebConfig.getExcludes().get(), userMessages)); } return excludeSet; } - private void checkForIncludeExcludeErrors(List userMessages, OwaspZapProductMessageHelper productMessageHelper) { + private void checkForIncludeExcludeErrors(List userMessages, ZapProductMessageHelper productMessageHelper) { if (userMessages == null) { return; } diff --git a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/config/OwaspZapServerConfiguration.java b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/config/ZapServerConfiguration.java similarity index 71% rename from sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/config/OwaspZapServerConfiguration.java rename to sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/config/ZapServerConfiguration.java index ea8539c2b7..fd4d27bf23 100644 --- a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/config/OwaspZapServerConfiguration.java +++ b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/config/ZapServerConfiguration.java 
@@ -1,13 +1,13 @@
 // SPDX-License-Identifier: MIT
-package com.mercedesbenz.sechub.owaspzapwrapper.config;
+package com.mercedesbenz.sechub.zapwrapper.config;
-public class OwaspZapServerConfiguration {
+public class ZapServerConfiguration {
 private String zaproxyAddress;
 private int zaproxyPort;
 private String zaproxyApiKey;
- OwaspZapServerConfiguration(String zaproxyAddress, int zaproxyPort, String zaproxyApiKey) {
+ ZapServerConfiguration(String zaproxyAddress, int zaproxyPort, String zaproxyApiKey) {
 this.zaproxyAddress = zaproxyAddress;
 this.zaproxyPort = zaproxyPort;
 this.zaproxyApiKey = zaproxyApiKey;
diff --git a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/config/auth/AuthenticationType.java b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/config/auth/AuthenticationType.java
similarity index 65%
rename from sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/config/auth/AuthenticationType.java
rename to sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/config/auth/AuthenticationType.java
index 1180836b9f..1cede08ea5 100644
--- a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/config/auth/AuthenticationType.java
+++ b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/config/auth/AuthenticationType.java
@@ -1,9 +1,9 @@
 // SPDX-License-Identifier: MIT
-package com.mercedesbenz.sechub.owaspzapwrapper.config.auth;
+package com.mercedesbenz.sechub.zapwrapper.config.auth;
 /**
- * Representing the different authentication types available to Owasp Zap. Makes
- * the Owasp Zap API easier to use.
+ * Representing the different authentication types available to Zap. Makes the
+ * Zap API easier to use.
 *
 */
 public enum AuthenticationType {
@@ -20,10 +20,10 @@ public enum AuthenticationType {
 
 ;
 
- private String owaspZapAuthenticationMethod;
+ private String zapAuthenticationMethod;
 
 private AuthenticationType(String methodName) {
- this.owaspZapAuthenticationMethod = methodName;
+ this.zapAuthenticationMethod = methodName;
 }
 
 /**
@@ -31,7 +31,7 @@ private AuthenticationType(String methodName) {
 * @return authentication method name or null in case of
 * {@link #UNAUTHENTICATED}
 */
- public String getOwaspZapAuthenticationMethod() {
- return owaspZapAuthenticationMethod;
+ public String getZapAuthenticationMethod() {
+ return zapAuthenticationMethod;
 }
 }
diff --git a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/config/auth/SessionManagementType.java b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/config/auth/SessionManagementType.java
new file mode 100644
index 0000000000..e5f11ae28e
--- /dev/null
+++ b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/config/auth/SessionManagementType.java
@@ -0,0 +1,28 @@
+// SPDX-License-Identifier: MIT
+package com.mercedesbenz.sechub.zapwrapper.config.auth;
+
+/**
+ * Representing the different session management types available to Zap. Makes
+ * the ZAP API easier to use.
+ *
+ */
+public enum SessionManagementType {
+
+ HTTP_AUTH_SESSION_MANAGEMENT("httpAuthSessionManagement"),
+
+ COOKIE_BASED_SESSION_MANAGEMENT("cookieBasedSessionManagement"),
+
+ SCRIPT_BASED_SESSION_MANAGEMENT("scriptBasedSessionManagement"),
+
+ ;
+
+ private String zapSessionManagementMethod;
+
+ private SessionManagementType(String zapSessionManagementMethod) {
+ this.zapSessionManagementMethod = zapSessionManagementMethod;
+ }
+
+ public String getZapSessionManagementMethod() {
+ return zapSessionManagementMethod;
+ }
+}
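Review bot: In the new SessionManagementType enum the field `private String zapSessionManagementMethod;` is only ever assigned in the constructor, so `private final String zapSessionManagementMethod;` would make the constants immutable, as enum state is expected to be. The getter `getZapSessionManagementMethod()` also carries no Javadoc, unlike its sibling `AuthenticationType.getZapAuthenticationMethod()` in the hunk above; a one-line `/** @return the session management method name as expected by the ZAP API */` would keep the two enums documented alike. The class comment switches between "Zap" and "ZAP" on consecutive lines; one spelling should be used.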
diff --git a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/config/data/DeactivatedRuleReferences.java b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/config/data/DeactivatedRuleReferences.java
similarity index 94%
rename from sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/config/data/DeactivatedRuleReferences.java
rename to sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/config/data/DeactivatedRuleReferences.java
index 75ab40b209..27fbaea855 100644
--- a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/config/data/DeactivatedRuleReferences.java
+++ b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/config/data/DeactivatedRuleReferences.java
@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-package com.mercedesbenz.sechub.owaspzapwrapper.config.data;
+package com.mercedesbenz.sechub.zapwrapper.config.data;
 
 import java.util.Collections;
 import java.util.LinkedList;
diff --git a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/config/data/Rule.java b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/config/data/Rule.java
similarity index 91%
rename from sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/config/data/Rule.java
rename to sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/config/data/Rule.java
index b6a57958ed..6c35739639 100644
--- a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/config/data/Rule.java
+++ b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/config/data/Rule.java
@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-package com.mercedesbenz.sechub.owaspzapwrapper.config.data;
+package com.mercedesbenz.sechub.zapwrapper.config.data;
 
 public class Rule {
 
diff --git a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/config/data/RuleReference.java b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/config/data/RuleReference.java
similarity index 90%
rename from sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/config/data/RuleReference.java
rename to sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/config/data/RuleReference.java
index 4719dbd661..8aeccb5531 100644
--- a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/config/data/RuleReference.java
+++ b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/config/data/RuleReference.java
@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-package com.mercedesbenz.sechub.owaspzapwrapper.config.data;
+package com.mercedesbenz.sechub.zapwrapper.config.data;
 
 public class RuleReference {
 
diff --git a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/config/data/OwaspZapFullRuleset.java b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/config/data/ZapFullRuleset.java
similarity index 84%
rename from sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/config/data/OwaspZapFullRuleset.java
rename to sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/config/data/ZapFullRuleset.java
index 1c1791b415..6920f5c2d4 100644
--- a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/config/data/OwaspZapFullRuleset.java
+++ b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/config/data/ZapFullRuleset.java
@@ -1,21 +1,21 @@ // SPDX-License-Identifier: MIT -package com.mercedesbenz.sechub.owaspzapwrapper.config.data; +package com.mercedesbenz.sechub.zapwrapper.config.data; import java.util.Collections; import java.util.HashMap; import java.util.Map; import com.mercedesbenz.sechub.commons.model.JSONable; -import com.mercedesbenz.sechub.owaspzapwrapper.cli.ZapWrapperExitCode; -import com.mercedesbenz.sechub.owaspzapwrapper.cli.ZapWrapperRuntimeException; +import com.mercedesbenz.sechub.zapwrapper.cli.ZapWrapperExitCode; +import com.mercedesbenz.sechub.zapwrapper.cli.ZapWrapperRuntimeException; -public class OwaspZapFullRuleset implements JSONable { +public class ZapFullRuleset implements JSONable { private String timestamp; private String origin; private Map rules; - public OwaspZapFullRuleset() { + public ZapFullRuleset() { this.rules = new HashMap<>(); } @@ -73,8 +73,8 @@ public Rule findRuleByReference(String reference) { } @Override - public Class getJSONTargetClass() { - return OwaspZapFullRuleset.class; + public Class getJSONTargetClass() { + return ZapFullRuleset.class; } } diff --git a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/helper/BaseTargetUriFactory.java b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/helper/BaseTargetUriFactory.java similarity index 92% rename from sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/helper/BaseTargetUriFactory.java rename to sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/helper/BaseTargetUriFactory.java index bd8f69917e..be0b9151ff 100644 --- a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/helper/BaseTargetUriFactory.java +++ b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/helper/BaseTargetUriFactory.java 
@@ -1,13 +1,13 @@
 // SPDX-License-Identifier: MIT
-package com.mercedesbenz.sechub.owaspzapwrapper.helper;
+package com.mercedesbenz.sechub.zapwrapper.helper;
 
 import java.net.MalformedURLException;
 import java.net.URI;
 import java.net.URISyntaxException;
 import java.net.URL;
 
-import com.mercedesbenz.sechub.owaspzapwrapper.cli.ZapWrapperExitCode;
-import com.mercedesbenz.sechub.owaspzapwrapper.cli.ZapWrapperRuntimeException;
+import com.mercedesbenz.sechub.zapwrapper.cli.ZapWrapperExitCode;
+import com.mercedesbenz.sechub.zapwrapper.cli.ZapWrapperRuntimeException;
 
 public class BaseTargetUriFactory {
 
diff --git a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/helper/IncludeExcludeToOwaspZapURLHelper.java b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/helper/IncludeExcludeToZapURLHelper.java
similarity index 84%
rename from sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/helper/IncludeExcludeToOwaspZapURLHelper.java
rename to sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/helper/IncludeExcludeToZapURLHelper.java
index 9b3435eef8..e75ee4570e 100644
--- a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/helper/IncludeExcludeToOwaspZapURLHelper.java
+++ b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/helper/IncludeExcludeToZapURLHelper.java
@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-package com.mercedesbenz.sechub.owaspzapwrapper.helper;
+package com.mercedesbenz.sechub.zapwrapper.helper;
 
 import java.net.MalformedURLException;
 import java.net.URL;
@@ -9,9 +9,9 @@ import com.mercedesbenz.sechub.commons.model.SecHubMessage; import com.mercedesbenz.sechub.commons.model.SecHubMessageType; -public class IncludeExcludeToOwaspZapURLHelper { +public class IncludeExcludeToZapURLHelper { - public List createListOfUrls(OwaspZapURLType urlType, URL targetUrl, List subSites, List userMessages) { + public List createListOfUrls(ZapURLType urlType, URL targetUrl, List subSites, List userMessages) { if (subSites == null) { return new LinkedList(); } diff --git a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/helper/ScanDurationHelper.java b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/helper/ScanDurationHelper.java similarity index 79% rename from sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/helper/ScanDurationHelper.java rename to sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/helper/ScanDurationHelper.java index f22dc5cedd..0c9c7dbe8a 100644 --- a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/helper/ScanDurationHelper.java +++ b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/helper/ScanDurationHelper.java @@ -1,14 +1,14 @@ // SPDX-License-Identifier: MIT -package com.mercedesbenz.sechub.owaspzapwrapper.helper; +package com.mercedesbenz.sechub.zapwrapper.helper; -import static com.mercedesbenz.sechub.owaspzapwrapper.helper.ScanPercentageConstants.*; +import static com.mercedesbenz.sechub.zapwrapper.helper.ScanPercentageConstants.*; public class ScanDurationHelper { /** * - * Computes the max duration for the Owasp Zap spider. The computed time depends - * on how many of the other modules are enabled. + * Computes the max duration for the Zap spider. The computed time depends on + * how many of the other modules are enabled. * * @param isActiveScanEnabled * @param isAjaxSpiderEnabled 
@@ -29,8 +29,8 @@ public long computeSpiderMaxScanDuration(boolean isActiveScanEnabled, boolean is } /** - * Computes the max duration for the Owasp Zap spider. The computed time depends - * on how many of the other modules are enabled. + * Computes the max duration for the Zap spider. The computed time depends on + * how many of the other modules are enabled. * * @param isActiveScanEnabled * @param maxScanDurationInMinutes @@ -48,8 +48,8 @@ public long computeAjaxSpiderMaxScanDuration(boolean isActiveScanEnabled, long m } /** - * Computes the max duration for the Owasp Zap spider. The computed time depends - * on how many of the other modules are enabled. + * Computes the max duration for the Zap spider. The computed time depends on + * how many of the other modules are enabled. * * @param isActiveScanEnabled * @param isAjaxSpiderEnabled diff --git a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/helper/ScanPercentageConstants.java b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/helper/ScanPercentageConstants.java similarity index 96% rename from sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/helper/ScanPercentageConstants.java rename to sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/helper/ScanPercentageConstants.java index 21be5ed46c..9f24480662 100644 --- a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/helper/ScanPercentageConstants.java +++ b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/helper/ScanPercentageConstants.java @@ -1,5 +1,5 @@ // SPDX-License-Identifier: MIT -package com.mercedesbenz.sechub.owaspzapwrapper.helper; +package com.mercedesbenz.sechub.zapwrapper.helper; public class ScanPercentageConstants { 
diff --git a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/helper/SecHubWebScanConfigurationHelper.java b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/helper/SecHubWebScanConfigurationHelper.java
similarity index 94%
rename from sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/helper/SecHubWebScanConfigurationHelper.java
rename to sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/helper/SecHubWebScanConfigurationHelper.java
index bad4e48bbe..b976c6d4ec 100644
--- a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/helper/SecHubWebScanConfigurationHelper.java
+++ b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/helper/SecHubWebScanConfigurationHelper.java
@@ -1,10 +1,10 @@
 // SPDX-License-Identifier: MIT
-package com.mercedesbenz.sechub.owaspzapwrapper.helper;
+package com.mercedesbenz.sechub.zapwrapper.helper;
 
 import com.mercedesbenz.sechub.commons.model.SecHubTimeUnit;
 import com.mercedesbenz.sechub.commons.model.SecHubWebScanConfiguration;
 import com.mercedesbenz.sechub.commons.model.login.WebLoginConfiguration;
-import com.mercedesbenz.sechub.owaspzapwrapper.config.auth.AuthenticationType;
+import com.mercedesbenz.sechub.zapwrapper.config.auth.AuthenticationType;
 
 public class SecHubWebScanConfigurationHelper {
 private static final int SECONDS_IN_MS = 1000;
diff --git a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/helper/OwaspZapEventHandler.java b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/helper/ZapEventHandler.java
similarity index 57%
rename from sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/helper/OwaspZapEventHandler.java
rename to sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/helper/ZapEventHandler.java
index 5b4dba2217..6fccce041d 100644
--- a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/helper/OwaspZapEventHandler.java +++ b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/helper/ZapEventHandler.java @@ -1,18 +1,18 @@ // SPDX-License-Identifier: MIT -package com.mercedesbenz.sechub.owaspzapwrapper.helper; +package com.mercedesbenz.sechub.zapwrapper.helper; import java.io.File; -import com.mercedesbenz.sechub.owaspzapwrapper.cli.ZapWrapperExitCode; -import com.mercedesbenz.sechub.owaspzapwrapper.cli.ZapWrapperRuntimeException; -import com.mercedesbenz.sechub.owaspzapwrapper.util.EnvironmentVariableConstants; -import com.mercedesbenz.sechub.owaspzapwrapper.util.EnvironmentVariableReader; +import com.mercedesbenz.sechub.zapwrapper.cli.ZapWrapperExitCode; +import com.mercedesbenz.sechub.zapwrapper.cli.ZapWrapperRuntimeException; +import com.mercedesbenz.sechub.zapwrapper.util.EnvironmentVariableConstants; +import com.mercedesbenz.sechub.zapwrapper.util.EnvironmentVariableReader; -public class OwaspZapEventHandler { +public class ZapEventHandler { File cancelEventFile; - public OwaspZapEventHandler() { + public ZapEventHandler() { this.cancelEventFile = new File(new EnvironmentVariableReader().readAsString(EnvironmentVariableConstants.PDS_JOB_EVENTS_FOLDER), "cancel_requested.json"); } diff --git a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/helper/OwaspZapProductMessageHelper.java b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/helper/ZapProductMessageHelper.java similarity index 87% rename from sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/helper/OwaspZapProductMessageHelper.java rename to sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/helper/ZapProductMessageHelper.java index d94451d970..00d6da2d4f 100644 
--- a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/helper/OwaspZapProductMessageHelper.java +++ b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/helper/ZapProductMessageHelper.java @@ -1,5 +1,5 @@ // SPDX-License-Identifier: MIT -package com.mercedesbenz.sechub.owaspzapwrapper.helper; +package com.mercedesbenz.sechub.zapwrapper.helper; import java.io.IOException; import java.util.List; @@ -11,15 +11,15 @@ import com.mercedesbenz.sechub.commons.model.SecHubMessage; import com.mercedesbenz.sechub.commons.model.SecHubMessageType; import com.mercedesbenz.sechub.commons.pds.PDSUserMessageSupport; -import com.mercedesbenz.sechub.owaspzapwrapper.cli.ZapWrapperExitCode; -import com.mercedesbenz.sechub.owaspzapwrapper.cli.ZapWrapperRuntimeException; +import com.mercedesbenz.sechub.zapwrapper.cli.ZapWrapperExitCode; +import com.mercedesbenz.sechub.zapwrapper.cli.ZapWrapperRuntimeException; -public class OwaspZapProductMessageHelper { - private static final Logger LOG = LoggerFactory.getLogger(OwaspZapProductMessageHelper.class); +public class ZapProductMessageHelper { + private static final Logger LOG = LoggerFactory.getLogger(ZapProductMessageHelper.class); private PDSUserMessageSupport productMessageSupport; - public OwaspZapProductMessageHelper(String userMessagesFolder) { + public ZapProductMessageHelper(String userMessagesFolder) { productMessageSupport = new PDSUserMessageSupport(userMessagesFolder, new TextFileWriter()); } 
@@ -88,8 +88,7 @@ private void writeProductErrorForExitCode(ZapWrapperExitCode exitCode) throws IO "Target URL invalid. The target URL, specified inside SecHub configuration, is not a valid URL.")); break; case PRODUCT_EXECUTION_ERROR: - productMessageSupport - .writeMessage(new SecHubMessage(SecHubMessageType.ERROR, "Product error. The DAST scanner OWASP ZAP ended with a product error.")); + productMessageSupport.writeMessage(new SecHubMessage(SecHubMessageType.ERROR, "Product error. The DAST scanner ZAP ended with a product error.")); break; case INVALID_INCLUDE_OR_EXCLUDE_URLS: productMessageSupport.writeMessage(new SecHubMessage(SecHubMessageType.ERROR, diff --git a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/helper/OwaspZapURLType.java b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/helper/ZapURLType.java similarity index 60% rename from sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/helper/OwaspZapURLType.java rename to sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/helper/ZapURLType.java index 7f8def6b9c..c083eb21f9 100644 --- a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/helper/OwaspZapURLType.java +++ b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/helper/ZapURLType.java @@ -1,7 +1,7 @@ // SPDX-License-Identifier: MIT -package com.mercedesbenz.sechub.owaspzapwrapper.helper; +package com.mercedesbenz.sechub.zapwrapper.helper; -public enum OwaspZapURLType { +public enum ZapURLType { INCLUDE("include"), EXCLUDE("exclude"), @@ -10,7 +10,7 @@ public enum OwaspZapURLType { private String id; - private OwaspZapURLType(String id) { + private ZapURLType(String id) { this.id = id; } 
diff --git a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/scan/ClientApiFacade.java b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/scan/ClientApiFacade.java similarity index 95% rename from sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/scan/ClientApiFacade.java rename to sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/scan/ClientApiFacade.java index 34645135c6..f0cda11559 100644 --- a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/scan/ClientApiFacade.java +++ b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/scan/ClientApiFacade.java @@ -1,5 +1,5 @@ // SPDX-License-Identifier: MIT -package com.mercedesbenz.sechub.owaspzapwrapper.scan; +package com.mercedesbenz.sechub.zapwrapper.scan; import java.util.ArrayList; import java.util.List; @@ -23,10 +23,10 @@ public ClientApiFacade(ClientApi clientApi) { } /** - * Create new context inside the OWASP ZAP. + * Create new context inside the ZAP. * * @param contextName - * @return contextId returned by OWASP ZAP + * @return contextId returned by ZAP * @throws ClientApiException */ public String createNewContext(String contextName) throws ClientApiException { @@ -183,10 +183,9 @@ public ApiResponse addExcludeUrlPatternToContext(String contextName, String urlP * * @param url * @param followRedirects - * @return ApiResponse of OWASP ZAP or null when URL was not - * accessible. + * @return ApiResponse of ZAP or null when URL was not accessible. */ - public ApiResponse accessUrlViaOwaspZap(String url, String followRedirects) { + public ApiResponse accessUrlViaZap(String url, String followRedirects) { ApiResponse response = null; try { response = clientApi.core.accessUrl(url, followRedirects); 
@@ -209,9 +208,9 @@ public ApiResponse importOpenApiFile(String openApiFile, String url, String cont } /** - * This method checks if the sites tree is empty. The OWASP ZAP creates this - * sites tree while crawling and detecting pages. The method is necessary since - * the active scanner exits with an exception if the sites tree is empty, when + * This method checks if the sites tree is empty. The ZAP creates this sites + * tree while crawling and detecting pages. The method is necessary since the + * active scanner exits with an exception if the sites tree is empty, when * starting an active scan. * * This can only happen in very few cases, but then we want to be able to inform @@ -376,7 +375,7 @@ public String startSpiderScan(String targetUrlAsString, String maxChildren, Stri * @param inScope * @param contextName * @param subTreeOnly - * @return the response of the OWASP ZAP API call + * @return the response of the ZAP API call * @throws ClientApiException */ public ApiResponse startAjaxSpiderScan(String targetUrlAsString, String inScope, String contextName, String subTreeOnly) throws ClientApiException { @@ -423,7 +422,7 @@ public String startSpiderScanAsUser(String contextId, String userId, String url, * @param username * @param url * @param subtreeonly - * @return the response of the OWASP ZAP API call + * @return the response of the ZAP API call * @throws ClientApiException */ public ApiResponse startAjaxSpiderScanAsUser(String contextname, String username, String url, String subtreeonly) throws ClientApiException { diff --git a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/scan/ZapScan.java b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/scan/ZapScan.java new file mode 100644 index 0000000000..90c9228a6c --- /dev/null +++ b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/scan/ZapScan.java 
@@ -0,0 +1,8 @@
+// SPDX-License-Identifier: MIT
+package com.mercedesbenz.sechub.zapwrapper.scan;
+
+public interface ZapScan {
+
+ void scan();
+
+}
\ No newline at end of file
diff --git a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/scan/OwaspZapScanner.java b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/scan/ZapScanner.java
similarity index 75%
rename from sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/scan/OwaspZapScanner.java
rename to sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/scan/ZapScanner.java
index 6d5d124281..0271689e0b 100644
--- a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/scan/OwaspZapScanner.java
+++ b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/scan/ZapScanner.java
@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-package com.mercedesbenz.sechub.owaspzapwrapper.scan;
+package com.mercedesbenz.sechub.zapwrapper.scan;
 
 import java.io.File;
 import java.io.IOException;
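Review bot: The new ZapScan interface has no Javadoc, so a reader of the type cannot tell what `scan()` is expected to do or how failures are reported; a short `/** Runs the complete ZAP scan for the configured context: setup, crawling, scanning and report generation. Errors are reported as ZapWrapperRuntimeException. */` above the method would state the contract that the ZapScanner implementation in the following file section appears to fulfil (the exception part should be confirmed against scan()'s catch block, which is only partly visible). The file also ends without a trailing newline (`\ No newline at end of file`), unlike every other file in this diff.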
@@ -24,40 +24,40 @@ import com.mercedesbenz.sechub.commons.model.SecHubWebScanApiConfiguration; import com.mercedesbenz.sechub.commons.model.login.BasicLoginConfiguration; import com.mercedesbenz.sechub.commons.model.login.WebLoginConfiguration; -import com.mercedesbenz.sechub.owaspzapwrapper.cli.ZapWrapperExitCode; -import com.mercedesbenz.sechub.owaspzapwrapper.cli.ZapWrapperRuntimeException; -import com.mercedesbenz.sechub.owaspzapwrapper.config.OwaspZapScanContext; -import com.mercedesbenz.sechub.owaspzapwrapper.config.ProxyInformation; -import com.mercedesbenz.sechub.owaspzapwrapper.config.auth.SessionManagementType; -import com.mercedesbenz.sechub.owaspzapwrapper.config.data.DeactivatedRuleReferences; -import com.mercedesbenz.sechub.owaspzapwrapper.config.data.OwaspZapFullRuleset; -import com.mercedesbenz.sechub.owaspzapwrapper.config.data.Rule; -import com.mercedesbenz.sechub.owaspzapwrapper.config.data.RuleReference; -import com.mercedesbenz.sechub.owaspzapwrapper.helper.OwaspZapEventHandler; -import com.mercedesbenz.sechub.owaspzapwrapper.helper.ScanDurationHelper; -import com.mercedesbenz.sechub.owaspzapwrapper.util.SystemUtil; -import com.mercedesbenz.sechub.owaspzapwrapper.util.UrlUtil; - -public class OwaspZapScanner implements OwaspZapScan { - private static final Logger LOG = LoggerFactory.getLogger(OwaspZapScanner.class); +import com.mercedesbenz.sechub.zapwrapper.cli.ZapWrapperExitCode; +import com.mercedesbenz.sechub.zapwrapper.cli.ZapWrapperRuntimeException; +import com.mercedesbenz.sechub.zapwrapper.config.ProxyInformation; +import com.mercedesbenz.sechub.zapwrapper.config.ZapScanContext; +import com.mercedesbenz.sechub.zapwrapper.config.auth.SessionManagementType; +import com.mercedesbenz.sechub.zapwrapper.config.data.DeactivatedRuleReferences; +import com.mercedesbenz.sechub.zapwrapper.config.data.Rule; +import com.mercedesbenz.sechub.zapwrapper.config.data.RuleReference; +import com.mercedesbenz.sechub.zapwrapper.config.data.ZapFullRuleset; 
+import com.mercedesbenz.sechub.zapwrapper.helper.ScanDurationHelper; +import com.mercedesbenz.sechub.zapwrapper.helper.ZapEventHandler; +import com.mercedesbenz.sechub.zapwrapper.util.SystemUtil; +import com.mercedesbenz.sechub.zapwrapper.util.UrlUtil; + +public class ZapScanner implements ZapScan { + private static final Logger LOG = LoggerFactory.getLogger(ZapScanner.class); static final int CHECK_SCAN_STATUS_TIME_IN_MILLISECONDS = 5000; ClientApiFacade clientApiFacade; - OwaspZapScanContext scanContext; + ZapScanContext scanContext; ScanDurationHelper scanDurationHelper; - OwaspZapEventHandler owaspZapEventHandler; + ZapEventHandler zapEventHandler; UrlUtil urlUtil; SystemUtil systemUtil; long remainingScanTime; - public OwaspZapScanner(ClientApiFacade clientApiFacade, OwaspZapScanContext scanContext) { + public ZapScanner(ClientApiFacade clientApiFacade, ZapScanContext scanContext) { this.clientApiFacade = clientApiFacade; this.scanContext = scanContext; this.scanDurationHelper = new ScanDurationHelper(); - this.owaspZapEventHandler = new OwaspZapEventHandler(); + this.zapEventHandler = new ZapEventHandler(); this.urlUtil = new UrlUtil(); this.systemUtil = new SystemUtil(); 
@@ -67,22 +67,22 @@ public OwaspZapScanner(ClientApiFacade clientApiFacade, OwaspZapScanContext scan @Override public void scan() { try { - /* OWASP ZAP setup on local machine */ + /* ZAP setup on local machine */ setupStandardConfiguration(); deactivateRules(scanContext.getFullRuleset(), scanContext.getDeactivatedRuleReferences()); setupAdditonalProxyConfiguration(scanContext.getProxyInformation()); - String owaspZapContextId = createContext(); + String zapContextId = createContext(); addReplacerRulesForHeaders(); - /* OWASP ZAP setup with access to target */ + /* ZAP setup with access to target */ addIncludedAndExcludedUrlsToContext(); - loadApiDefinitions(owaspZapContextId); + loadApiDefinitions(zapContextId); - /* OWASP ZAP scan */ - executeScan(owaspZapContextId); + /* ZAP scan */ + executeScan(zapContextId); /* After scan */ - generateOwaspZapReport(); + generateZapReport(); cleanUp(); } catch (ClientApiException e) { cleanUp(); @@ -92,11 +92,11 @@ public void scan() { } void setupStandardConfiguration() throws ClientApiException { - LOG.info("Creating new session inside the Owasp Zap"); + LOG.info("Creating new session inside the Zap"); // to ensure parts from previous scan are deleted clientApiFacade.createNewSession(scanContext.getContextName(), "true"); - LOG.info("Setting default of how many alerts of the same rule will be inside the report to unlimited."); + LOG.info("Setting default maximum number of alerts for each rule."); // setting this value to zero means unlimited clientApiFacade.configureMaximumAlertsForEachRule("0"); 
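Review bot: The reworded log line `LOG.info("Setting default maximum number of alerts for each rule.");` in setupStandardConfiguration no longer says what the maximum is set to, while the value passed on the next line is `"0"` and only the code comment explains that zero means unlimited; `LOG.info("Setting maximum number of alerts for each rule to unlimited (0).");` keeps the operator-facing log as informative as it was before the rename. In the same hunk `LOG.info("Creating new session inside the Zap");` reads oddly with the article; `"Creating new session inside ZAP"` matches the wording used elsewhere in this diff. setupStandardConfiguration continues past the end of the hunk, and scan() in the hunk above ends inside its catch block.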
@@ -114,7 +114,7 @@ void setupStandardConfiguration() throws ClientApiException { clientApiFacade.configureAjaxSpiderBrowserId("firefox-headless"); } - void deactivateRules(OwaspZapFullRuleset fullRuleset, DeactivatedRuleReferences deactivatedRuleReferences) throws ClientApiException { + void deactivateRules(ZapFullRuleset fullRuleset, DeactivatedRuleReferences deactivatedRuleReferences) throws ClientApiException { if (fullRuleset == null || deactivatedRuleReferences == null) { return; } @@ -151,9 +151,9 @@ void setupAdditonalProxyConfiguration(ProxyInformation proxyInformation) throws } /** - * Creates new context in the current OWASP ZAP session. + * Creates new context in the current ZAP session. * - * @return the context id returned by the OWASP ZAP API + * @return the context id returned by the ZAP API * @throws ClientApiException */ String createContext() throws ClientApiException { 
@@ -208,25 +208,25 @@ void addReplacerRulesForHeaders() throws ClientApiException { } /** - * Adds all included and excluded URL into scan context. + * Adds all included and excluded URLs into scan context. * * @throws ClientApiException */ void addIncludedAndExcludedUrlsToContext() throws ClientApiException { LOG.info("For scan {}: Adding include parts.", scanContext.getContextName()); - for (URL url : scanContext.getOwaspZapURLsIncludeSet()) { + for (URL url : scanContext.getZapURLsIncludeSet()) { clientApiFacade.addIncludeUrlPatternToContext(scanContext.getContextName(), url + ".*"); String followRedirects = "false"; - clientApiFacade.accessUrlViaOwaspZap(url.toString(), followRedirects); + clientApiFacade.accessUrlViaZap(url.toString(), followRedirects); } LOG.info("For scan {}: Adding exclude parts.", scanContext.getContextName()); - for (URL url : scanContext.getOwaspZapURLsExcludeSet()) { + for (URL url : scanContext.getZapURLsExcludeSet()) { clientApiFacade.addExcludeUrlPatternToContext(scanContext.getContextName(), url + ".*"); } } - void loadApiDefinitions(String owaspZapContextId) throws ClientApiException { + void loadApiDefinitions(String zapContextId) throws ClientApiException { if (scanContext.getApiDefinitionFile() == null) { LOG.info("For scan {}: No file with API definition found!", scanContext.getContextName()); return; @@ -239,7 +239,7 @@ void loadApiDefinitions(String owaspZapContextId) throws ClientApiException { switch (apiConfig.get().getType()) { case OPEN_API: - clientApiFacade.importOpenApiFile(scanContext.getApiDefinitionFile().toString(), scanContext.getTargetUrlAsString(), owaspZapContextId); + clientApiFacade.importOpenApiFile(scanContext.getApiDefinitionFile().toString(), scanContext.getTargetUrlAsString(), zapContextId); break; default: // should never happen since API type is an Enum 
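Review bot: In addIncludedAndExcludedUrlsToContext the include and exclude patterns are built as `url + ".*"`, so characters of the configured URL such as `.`, `+`, `?` and parentheses act as regex metacharacters rather than literals; an include for a constructed example like `https://example.com/a.b` also matches `https://example.com/axb/...`, and a URL containing an unbalanced `(` would not compile at all, so the scan scope can silently differ from what the SecHub configuration named. Quoting the literal part — `Pattern.quote(url.toString()) + ".*"` on both the `addIncludeUrlPatternToContext` and the `addExcludeUrlPatternToContext` line — keeps the scope exact, assuming ZAP evaluates these patterns with java.util.regex as its context include/exclude API suggests; `java.util.regex.Pattern` is not among the imports visible in the import hunk of this file and would need to be added. loadApiDefinitions in the second part of this hunk continues into the next hunk.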
@@ -249,16 +249,16 @@ void loadApiDefinitions(String owaspZapContextId) throws ClientApiException { } } - void executeScan(String owaspZapContextId) throws ClientApiException { - UserInformation userInfo = configureLoginInsideOwaspZapContext(owaspZapContextId); + void executeScan(String zapContextId) throws ClientApiException { + UserInformation userInfo = configureLoginInsideZapContext(zapContextId); if (userInfo != null) { if (scanContext.isAjaxSpiderEnabled()) { runAjaxSpiderAsUser(userInfo.userName); } - runSpiderAsUser(owaspZapContextId, userInfo.owaspZapuserId); + runSpiderAsUser(zapContextId, userInfo.zapuserId); passiveScan(); if (scanContext.isActiveScanEnabled()) { - runActiveScanAsUser(owaspZapContextId, userInfo.owaspZapuserId); + runActiveScanAsUser(zapContextId, userInfo.zapuserId); } } else { if (scanContext.isAjaxSpiderEnabled()) { @@ -275,12 +275,12 @@ void executeScan(String owaspZapContextId) throws ClientApiException { /** * Configure login according to the sechub webscan config. * - * @param owaspZapContextId - * @return UserInformation containing userName and owaspZapUserId or + * @param zapContextId + * @return UserInformation containing userName and zapUserId or * null if nothing could be configured. * @throws ClientApiException */ - UserInformation configureLoginInsideOwaspZapContext(String owaspZapContextId) throws ClientApiException { + UserInformation configureLoginInsideZapContext(String zapContextId) throws ClientApiException { if (scanContext.getSecHubWebScanConfiguration().getLogin().isEmpty()) { LOG.info("For scan {}: No login section detected.", scanContext.getContextName()); return null; 
@@ -289,7 +289,7 @@ UserInformation configureLoginInsideOwaspZapContext(String owaspZapContextId) th WebLoginConfiguration webLoginConfiguration = scanContext.getSecHubWebScanConfiguration().getLogin().get(); if (webLoginConfiguration.getBasic().isPresent()) { LOG.info("For scan {}: Applying basic authentication config.", scanContext.getContextName()); - return initBasicAuthentication(owaspZapContextId, webLoginConfiguration.getBasic().get()); + return initBasicAuthentication(zapContextId, webLoginConfiguration.getBasic().get()); } return null; @@ -301,7 +301,7 @@ UserInformation configureLoginInsideOwaspZapContext(String owaspZapContextId) th * * @throws ClientApiException */ - void generateOwaspZapReport() throws ClientApiException { + void generateZapReport() throws ClientApiException { LOG.info("For scan {}: Writing results to report...", scanContext.getContextName()); Path reportFile = scanContext.getReportFile(); @@ -319,25 +319,25 @@ void generateOwaspZapReport() throws ClientApiException { String reportdir = resolveParentDirectoryPath(reportFile); String display = null; /* @formatter:off */ - // we use the context name as report title + // we use the context name as report title clientApiFacade.generateReport( - title, - template, - theme, - description, - contexts, - sites, - sections, - includedconfidences, - includedrisks, - reportfilename, - reportfilenamepattern, - reportdir, - display - ); + title, + template, + theme, + description, + contexts, + sites, + sections, + includedconfidences, + includedrisks, + reportfilename, + reportfilenamepattern, + reportdir, + display + ); /* @formatter:on */ - // rename is necessary if the file extension is not .json, because Owasp Zap + // rename is necessary if the file extension is not .json, because Zap // adds the file extension .json since we create a json report. Might not be // necessary anymore if we have the sarif support renameReportFileToOriginalNameIfNecessary(); 
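Review bot: configureLoginInsideZapContext falls through to the final `return null;` whenever the login section exists but is not basic auth, and the caller then runs the whole scan unauthenticated without any signal to the user; the commit adds a `form-based-auth.json` test resource, so this path is reachable. Before that `return null;` write a product message, e.g. `scanContext.getZapProductMessageHelper().writeSingleProductMessage(new SecHubMessage(SecHubMessageType.WARNING, "The configured login type is not supported by the ZAP wrapper, the scan was executed without authentication."));` together with a `LOG.warn`. The Javadoc of this method (previous hunk) should also state that only basic authentication is currently configured.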
@@ -350,9 +350,9 @@ void cleanUp() { try { LOG.info("Cleaning up by starting new and empty session...", scanContext.getContextName()); clientApiFacade.createNewSession("Cleaned after scan", "true"); - LOG.info("New and empty session inside Owasp Zap created."); + LOG.info("New and empty session inside Zap created."); - // Replacer rules are persistent even after restarting OWASP ZAP + // Replacer rules are persistent even after restarting ZAP // This means we need to cleanUp after every scan. LOG.info("Start cleaning up replacer rules."); cleanUpReplacerRules(); @@ -370,12 +370,13 @@ void runSpider() throws ClientApiException { String targetUrlAsString = scanContext.getTargetUrlAsString(); LOG.info("For scan {}: Starting Spider.", contextName); /* @formatter:off */ - String scanId = clientApiFacade.startSpiderScan( - targetUrlAsString, - maxChildren, - recurse, - contextName, - subTreeOnly); + String scanId = + clientApiFacade.startSpiderScan( + targetUrlAsString, + maxChildren, + recurse, + contextName, + subTreeOnly); /* @formatter:on */ waitForSpiderResults(scanId); } @@ -388,10 +389,10 @@ void runAjaxSpider() throws ClientApiException { LOG.info("For scan {}: Starting AjaxSpider.", scanContext.getContextName()); /* @formatter:off */ clientApiFacade.startAjaxSpiderScan( - targetUrlAsString, - inScope, - contextName, - subTreeOnly); + targetUrlAsString, + inScope, + contextName, + subTreeOnly); /* @formatter:on */ waitForAjaxSpiderResults(); } 
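Review bot: `LOG.info("Cleaning up by starting new and empty session...", scanContext.getContextName());` in cleanUp passes an argument but the message has no `{}` placeholder, so SLF4J silently drops the context name and the line cannot be correlated with the scan it belongs to. Use the wording of the other messages in this class, `LOG.info("For scan {}: Cleaning up by starting new and empty session...", scanContext.getContextName());`, or remove the argument. The surrounding try/catch starts before this hunk, so what happens when createNewSession fails is not visible here.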
@@ -401,7 +402,7 @@ void runActiveScan() throws ClientApiException { // if no URLs to scan where detected by the spider/ajaxSpider before if (!clientApiFacade.atLeastOneURLDetected()) { LOG.warn("For {} skipping active scan, since no URLs where detected by spider or ajaxSpider!", scanContext.getContextName()); - scanContext.getOwaspZapProductMessageHelper().writeSingleProductMessage( + scanContext.getZapProductMessageHelper().writeSingleProductMessage( new SecHubMessage(SecHubMessageType.WARNING, "Skipped the active scan, because no URLs were detected by the crawler! " + "Please check if the URL you specified or any of the includes are accessible.")); return; @@ -414,13 +415,14 @@ void runActiveScan() throws ClientApiException { String postData = null; LOG.info("For scan {}: Starting ActiveScan.", scanContext.getContextName()); /* @formatter:off */ - String scanId = clientApiFacade.startActiveScan( - targetUrlAsString, - recurse, - inScopeOnly, - scanPolicyName, - method, - postData); + String scanId = + clientApiFacade.startActiveScan( + targetUrlAsString, + recurse, + inScopeOnly, + scanPolicyName, + method, + postData); /* @formatter:on */ waitForActiveScanResults(scanId); } @@ -432,13 +434,14 @@ void runSpiderAsUser(String contextId, String userId) throws ClientApiException String subtreeonly = "true"; LOG.info("For scan {}: Starting authenticated Spider.", scanContext.getContextName()); /* @formatter:off */ - String scanId = clientApiFacade.startSpiderScanAsUser( - contextId, - userId, - url, - maxchildren, - recurse, - subtreeonly); + String scanId = + clientApiFacade.startSpiderScanAsUser( + contextId, + userId, + url, + maxchildren, + recurse, + subtreeonly); /* @formatter:on */ waitForSpiderResults(scanId); } 
@@ -450,10 +453,10 @@ void runAjaxSpiderAsUser(String username) throws ClientApiException { LOG.info("For scan {}: Starting authenticated Ajax Spider.", scanContext.getContextName()); /* @formatter:off */ clientApiFacade.startAjaxSpiderScanAsUser( - contextname, - username, - url, - subtreeonly); + contextname, + username, + url, + subtreeonly); /* @formatter:on */ waitForAjaxSpiderResults(); } @@ -463,7 +466,7 @@ void runActiveScanAsUser(String contextId, String userId) throws ClientApiExcept // if no URLs to scan where detected by the spider/ajaxSpider before if (!clientApiFacade.atLeastOneURLDetected()) { LOG.warn("For {} skipping active scan, since no URLs where detected by spider or ajaxSpider!", scanContext.getContextName()); - scanContext.getOwaspZapProductMessageHelper().writeSingleProductMessage( + scanContext.getZapProductMessageHelper().writeSingleProductMessage( new SecHubMessage(SecHubMessageType.WARNING, "Skipped the active scan, because no URLs were detected by the crawler! " + "Please check if the URL you specified or any of the includes are accessible.")); return; @@ -475,14 +478,15 @@ void runActiveScanAsUser(String contextId, String userId) throws ClientApiExcept String postdata = null; LOG.info("For scan {}: Starting authenticated ActiveScan.", scanContext.getContextName()); /* @formatter:off */ - String scanId = clientApiFacade.startActiveScanAsUser( - url, - contextId, - userId, - recurse, - scanpolicyname, - method, - postdata); + String scanId = + clientApiFacade.startActiveScanAsUser( + url, + contextId, + userId, + recurse, + scanpolicyname, + method, + postdata); /* @formatter:on */ waitForActiveScanResults(scanId); } 
@@ -502,9 +506,9 @@ void waitForAjaxSpiderResults() throws ClientApiException { boolean timeOut = false; while (!isAjaxSpiderStopped(ajaxSpiderStatus) && !timeOut) { - if (owaspZapEventHandler.isScanCancelled()) { + if (zapEventHandler.isScanCancelled()) { clientApiFacade.stopAjaxSpider(); - owaspZapEventHandler.cancelScan(scanContext.getContextName()); + zapEventHandler.cancelScan(scanContext.getContextName()); } systemUtil.waitForMilliseconds(CHECK_SCAN_STATUS_TIME_IN_MILLISECONDS); ajaxSpiderStatus = clientApiFacade.getAjaxSpiderStatus(); @@ -534,9 +538,9 @@ void waitForSpiderResults(String scanId) throws ClientApiException { boolean timeOut = false; while (progressSpider < 100 && !timeOut) { - if (owaspZapEventHandler.isScanCancelled()) { + if (zapEventHandler.isScanCancelled()) { clientApiFacade.stopSpiderScan(scanId); - owaspZapEventHandler.cancelScan(scanContext.getContextName()); + zapEventHandler.cancelScan(scanContext.getContextName()); } systemUtil.waitForMilliseconds(CHECK_SCAN_STATUS_TIME_IN_MILLISECONDS); progressSpider = clientApiFacade.getSpiderStatusForScan(scanId); @@ -546,7 +550,7 @@ void waitForSpiderResults(String scanId) throws ClientApiException { /* stop spider - otherwise running in background */ clientApiFacade.stopSpiderScan(scanId); - scanContext.getOwaspZapProductMessageHelper().writeUserMessagesWithScannedURLs(clientApiFacade.getAllSpiderUrls()); + scanContext.getZapProductMessageHelper().writeUserMessagesWithScannedURLs(clientApiFacade.getAllSpiderUrls()); LOG.info("For scan {}: Spider completed.", scanContext.getContextName()); remainingScanTime = remainingScanTime - (systemUtil.getCurrentTimeInMilliseconds() - startTime); } 
@@ -567,8 +571,8 @@ void passiveScan() throws ClientApiException { boolean timeOut = false; while (numberOfRecords > 0 && !timeOut) { - if (owaspZapEventHandler.isScanCancelled()) { - owaspZapEventHandler.cancelScan(scanContext.getContextName()); + if (zapEventHandler.isScanCancelled()) { + zapEventHandler.cancelScan(scanContext.getContextName()); } systemUtil.waitForMilliseconds(CHECK_SCAN_STATUS_TIME_IN_MILLISECONDS); numberOfRecords = clientApiFacade.getNumberOfPassiveScannerRecordsToScan(); @@ -593,9 +597,9 @@ void waitForActiveScanResults(String scanId) throws ClientApiException { long maxDuration = remainingScanTime; boolean timeOut = false; while (progressActive < 100 && !timeOut) { - if (owaspZapEventHandler.isScanCancelled()) { + if (zapEventHandler.isScanCancelled()) { clientApiFacade.stopActiveScan(scanId); - owaspZapEventHandler.cancelScan(scanContext.getContextName()); + zapEventHandler.cancelScan(scanContext.getContextName()); } systemUtil.waitForMilliseconds(CHECK_SCAN_STATUS_TIME_IN_MILLISECONDS); progressActive = clientApiFacade.getActiveScannerStatusForScan(scanId); @@ -615,7 +619,7 @@ private boolean isActiveRule(String type) { return "active".equals(type.toLowerCase()); } - private UserInformation initBasicAuthentication(String owaspZapContextId, BasicLoginConfiguration basicLoginConfiguration) throws ClientApiException { + private UserInformation initBasicAuthentication(String zapContextId, BasicLoginConfiguration basicLoginConfiguration) throws ClientApiException { String realm = ""; if (basicLoginConfiguration.getRealm().isPresent()) { realm = basicLoginConfiguration.getRealm().get(); 
@@ -628,24 +632,24 @@ private UserInformation initBasicAuthentication(String owaspZapContextId, BasicL .append("&port=").append(urlEncodeUTF8(port)); /* @formatter:on */ LOG.info("For scan {}: Setting basic authentication.", scanContext.getContextName()); - String authMethodName = scanContext.getAuthenticationType().getOwaspZapAuthenticationMethod(); - clientApiFacade.configureAuthenticationMethod(owaspZapContextId, authMethodName, authMethodConfigParams.toString()); + String authMethodName = scanContext.getAuthenticationType().getZapAuthenticationMethod(); + clientApiFacade.configureAuthenticationMethod(zapContextId, authMethodName, authMethodConfigParams.toString()); - String methodName = SessionManagementType.HTTP_AUTH_SESSION_MANAGEMENT.getOwaspZapSessionManagementMethod(); + String methodName = SessionManagementType.HTTP_AUTH_SESSION_MANAGEMENT.getZapSessionManagementMethod(); // methodconfigparams in case of http basic auth is null, because it is // configured automatically String methodconfigparams = null; - clientApiFacade.sessionManagementMethod(owaspZapContextId, methodName, methodconfigparams); + clientApiFacade.sessionManagementMethod(zapContextId, methodName, methodconfigparams); - return initBasicAuthScanUser(owaspZapContextId, basicLoginConfiguration); + return initBasicAuthScanUser(zapContextId, basicLoginConfiguration); } - private UserInformation initBasicAuthScanUser(String owaspZapContextId, BasicLoginConfiguration basicLoginConfiguration) throws ClientApiException { + private UserInformation initBasicAuthScanUser(String zapContextId, BasicLoginConfiguration basicLoginConfiguration) throws ClientApiException { String username = new String(basicLoginConfiguration.getUser()); String password = new String(basicLoginConfiguration.getPassword()); - String userId = clientApiFacade.createNewUser(owaspZapContextId, username); + String userId = clientApiFacade.createNewUser(zapContextId, username); /* @formatter:off */ StringBuilder 
authCredentialsConfigParams = new StringBuilder(); @@ -654,16 +658,14 @@ private UserInformation initBasicAuthScanUser(String owaspZapContextId, BasicLog /* @formatter:on */ LOG.info("For scan {}: Setting up user.", scanContext.getContextName()); - clientApiFacade.configureAuthenticationCredentials(owaspZapContextId, userId, authCredentialsConfigParams.toString()); + clientApiFacade.configureAuthenticationCredentials(zapContextId, userId, authCredentialsConfigParams.toString()); String enabled = "true"; - clientApiFacade.setUserEnabled(owaspZapContextId, userId, enabled); + clientApiFacade.setUserEnabled(zapContextId, userId, enabled); - clientApiFacade.setForcedUser(owaspZapContextId, userId); + clientApiFacade.setForcedUser(zapContextId, userId); clientApiFacade.setForcedUserModeEnabled(true); - UserInformation userInfo = new UserInformation(); - userInfo.owaspZapuserId = userId; - userInfo.userName = username; + UserInformation userInfo = new UserInformation(username, userId); return userInfo; } @@ -677,7 +679,7 @@ private String resolveParentDirectoryPath(Path reportFile) { ZapWrapperExitCode.PDS_CONFIGURATION_ERROR); } if (Files.isDirectory(reportFile)) { - throw new ZapWrapperRuntimeException("For scan: " + scanContext.getContextName() + ". Report file must not be a directory!", + throw new ZapWrapperRuntimeException("For scan: " + scanContext.getContextName() + ". Report file cannot be a directory!", ZapWrapperExitCode.PDS_CONFIGURATION_ERROR); } 
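Review bot: The basic-auth password is materialised as an immutable `String` (`new String(basicLoginConfiguration.getPassword())` at the end of the previous hunk) and then, presumably URL-encoded, appended to `authCredentialsConfigParams` before `configureAuthenticationCredentials` is called; neither copy can be wiped after use and the builder content must never reach a log line, while the adjacent `LOG.info("For scan {}: Setting up user.")` makes that an easy future mistake. The ZAP client API takes a `String` anyway, so the practical step is to document the constraint directly above the call, `// contains the plain password (URL-encoded): never log or persist this value`, and keep `password` and the builder confined to this method. How the builder is populated lies in lines cut from this view, so the URL-encoding is an assumption.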
@@ -691,20 +693,19 @@ private String resolveParentDirectoryPath(Path reportFile) { * This method is used to rename the file back to the specified name in case the * file did not end with .json. * - * The reason for this method is that the Owasp Zap appends ".json" to the - * result file if we generate a report in json format. The PDS result.txt will - * then be called result.txt.json. Because of this behaviour the file will be - * renamed. + * The reason for this method is that the Zap appends ".json" to the result file + * if we generate a report in json format. The PDS result.txt will then be + * called result.txt.json. Because of this behaviour the file will be renamed. */ private void renameReportFileToOriginalNameIfNecessary() { String specifiedReportFile = scanContext.getReportFile().toAbsolutePath().toFile().getAbsolutePath(); - // If the Owasp Zap creates the file below, it will be renamed to the originally + // If the Zap creates the file below, it will be renamed to the originally // specified name - File owaspZapCreatedFile = new File(specifiedReportFile + ".json"); - if (owaspZapCreatedFile.exists()) { + File zapCreatedFile = new File(specifiedReportFile + ".json"); + if (zapCreatedFile.exists()) { try { - Path owaspzapReport = Paths.get(specifiedReportFile + ".json"); - Files.move(owaspzapReport, owaspzapReport.resolveSibling(scanContext.getReportFile().toAbsolutePath()), StandardCopyOption.REPLACE_EXISTING); + Path zapReport = Paths.get(specifiedReportFile + ".json"); + Files.move(zapReport, zapReport.resolveSibling(scanContext.getReportFile().toAbsolutePath()), StandardCopyOption.REPLACE_EXISTING); } catch (IOException e) { throw new ZapWrapperRuntimeException("For scan: " + scanContext.getContextName() + ". An error occurred renaming the report file", e, ZapWrapperExitCode.IO_ERROR); 
@@ -739,18 +740,6 @@ private String urlEncodeUTF8(String stringToEncode) { } } - class UserInformation { - private String userName; - private String owaspZapuserId; - - // for testing - String getUserName() { - return userName; - } - - // for testing - String getOwaspZapuserId() { - return owaspZapuserId; - } + record UserInformation(String userName, String zapuserId) { } } diff --git a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/util/EnvironmentVariableConstants.java b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/util/EnvironmentVariableConstants.java similarity index 93% rename from sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/util/EnvironmentVariableConstants.java rename to sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/util/EnvironmentVariableConstants.java index f7dd50462e..3db406a115 100644 --- a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/util/EnvironmentVariableConstants.java +++ b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/util/EnvironmentVariableConstants.java @@ -1,5 +1,5 @@ // SPDX-License-Identifier: MIT -package com.mercedesbenz.sechub.owaspzapwrapper.util; +package com.mercedesbenz.sechub.zapwrapper.util; public class EnvironmentVariableConstants { diff --git a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/util/EnvironmentVariableReader.java b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/util/EnvironmentVariableReader.java similarity index 96% rename from sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/util/EnvironmentVariableReader.java rename to sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/util/EnvironmentVariableReader.java index a9ceec1a8c..dfac1d2beb 100644 
--- a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/util/EnvironmentVariableReader.java +++ b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/util/EnvironmentVariableReader.java @@ -1,5 +1,5 @@ // SPDX-License-Identifier: MIT -package com.mercedesbenz.sechub.owaspzapwrapper.util; +package com.mercedesbenz.sechub.zapwrapper.util; public class EnvironmentVariableReader { diff --git a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/util/FileUtilities.java b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/util/FileUtilities.java similarity index 71% rename from sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/util/FileUtilities.java rename to sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/util/FileUtilities.java index a56f9e75c5..08684b940f 100644 --- a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/util/FileUtilities.java +++ b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/util/FileUtilities.java @@ -1,11 +1,11 @@ // SPDX-License-Identifier: MIT -package com.mercedesbenz.sechub.owaspzapwrapper.util; +package com.mercedesbenz.sechub.zapwrapper.util; import java.io.File; import java.io.IOException; -import com.mercedesbenz.sechub.owaspzapwrapper.cli.ZapWrapperExitCode; -import com.mercedesbenz.sechub.owaspzapwrapper.cli.ZapWrapperRuntimeException; +import com.mercedesbenz.sechub.zapwrapper.cli.ZapWrapperExitCode; +import com.mercedesbenz.sechub.zapwrapper.cli.ZapWrapperRuntimeException; public class FileUtilities { 
diff --git a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/util/SystemUtil.java b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/util/SystemUtil.java similarity index 66% rename from sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/util/SystemUtil.java rename to sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/util/SystemUtil.java index a1e3819e4f..480335657d 100644 --- a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/util/SystemUtil.java +++ b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/util/SystemUtil.java @@ -1,8 +1,14 @@ // SPDX-License-Identifier: MIT -package com.mercedesbenz.sechub.owaspzapwrapper.util; +package com.mercedesbenz.sechub.zapwrapper.util; public class SystemUtil { + /** + * Use Thread.sleep(milliseconds) to wait for the specified amount of + * milliseconds. + * + * @param milliseconds + */ public void waitForMilliseconds(int milliseconds) { try { Thread.sleep(milliseconds); diff --git a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/util/TargetConnectionChecker.java b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/util/TargetConnectionChecker.java similarity index 88% rename from sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/util/TargetConnectionChecker.java rename to sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/util/TargetConnectionChecker.java index 3c817f2c0a..6bc270a096 100644 --- a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/util/TargetConnectionChecker.java +++ b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/util/TargetConnectionChecker.java 
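Review bot: The new Javadoc on waitForMilliseconds leaves `@param milliseconds` without a description and restates the implementation instead of the contract; `@param milliseconds the time to wait, in milliseconds` plus a sentence on what the method does when the thread is interrupted would be more useful, because every polling loop in OwaspZapScanner goes through this call. The catch block is outside this hunk, so I cannot see whether the interrupt status is restored; if it is swallowed, `Thread.currentThread().interrupt();` should be re-asserted so a cancelled scan does not keep polling.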
@@ -1,5 +1,5 @@ // SPDX-License-Identifier: MIT -package com.mercedesbenz.sechub.owaspzapwrapper.util; +package com.mercedesbenz.sechub.zapwrapper.util; import java.io.IOException; import java.net.HttpURLConnection; @@ -24,10 +24,10 @@ import com.mercedesbenz.sechub.commons.model.SecHubMessage; import com.mercedesbenz.sechub.commons.model.SecHubMessageType; -import com.mercedesbenz.sechub.owaspzapwrapper.cli.ZapWrapperExitCode; -import com.mercedesbenz.sechub.owaspzapwrapper.cli.ZapWrapperRuntimeException; -import com.mercedesbenz.sechub.owaspzapwrapper.config.OwaspZapScanContext; -import com.mercedesbenz.sechub.owaspzapwrapper.config.ProxyInformation; +import com.mercedesbenz.sechub.zapwrapper.cli.ZapWrapperExitCode; +import com.mercedesbenz.sechub.zapwrapper.cli.ZapWrapperRuntimeException; +import com.mercedesbenz.sechub.zapwrapper.config.ProxyInformation; +import com.mercedesbenz.sechub.zapwrapper.config.ZapScanContext; /** * This class is used to test if a target URI is reachable. This way we can stop @@ -38,9 +38,9 @@ public class TargetConnectionChecker { private static final Logger LOG = LoggerFactory.getLogger(TargetConnectionChecker.class); private static final String TLS = "TLS"; - public void assertApplicationIsReachable(OwaspZapScanContext scanContext) { + public void assertApplicationIsReachable(ZapScanContext scanContext) { boolean isReachable = false; - Iterator iterator = scanContext.getOwaspZapURLsIncludeSet().iterator(); + Iterator iterator = scanContext.getZapURLsIncludeSet().iterator(); while (iterator.hasNext() && isReachable == false) { // trying to reach the target URL and all includes until the first reachable // URL is found. 
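Review bot: `Iterator iterator = scanContext.getZapURLsIncludeSet().iterator();` in assertApplicationIsReachable uses a raw `Iterator`, which forces an unchecked cast to `URL` in the loop body (outside this hunk) although the set is typed; declare it as `Iterator<URL> iterator = ...` and write the condition as `while (iterator.hasNext() && !isReachable)` instead of `isReachable == false`. A plain `for (URL url : scanContext.getZapURLsIncludeSet())` with a `break` on the first reachable URL would read more directly, but that is a matter of taste. The method body continues past the end of this hunk.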
@@ -58,7 +58,7 @@ boolean isReponseCodeValid(int responseCode) { return responseCode < 500 && responseCode != 404; } - private boolean isSiteCurrentlyReachable(OwaspZapScanContext scanContext, URL url, int maxNumberOfConnectionRetries, int retryWaittimeInMilliseconds) { + private boolean isSiteCurrentlyReachable(ZapScanContext scanContext, URL url, int maxNumberOfConnectionRetries, int retryWaittimeInMilliseconds) { if (isTargetReachable(url, scanContext.getProxyInformation())) { return true; } @@ -70,7 +70,7 @@ private boolean isSiteCurrentlyReachable(OwaspZapScanContext scanContext, URL ur } } // write message to the user for each URL that was not reachable - scanContext.getOwaspZapProductMessageHelper().writeSingleProductMessage(new SecHubMessage(SecHubMessageType.WARNING, + scanContext.getZapProductMessageHelper().writeSingleProductMessage(new SecHubMessage(SecHubMessageType.WARNING, "The URL " + url + " was not reachable after trying " + maxNumberOfConnectionRetries + 1 + " times. It might cannot be scanned.")); return false; } @@ -123,7 +123,7 @@ private void wait(int waittimeInMilliseconds) { } } - private String createErrorMessage(OwaspZapScanContext scanContext) { + private String createErrorMessage(ZapScanContext scanContext) { ProxyInformation proxyInformation = scanContext.getProxyInformation(); String errorMessage = "Target url: " + scanContext.getTargetUrl() + " is not reachable"; diff --git a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/util/UrlUtil.java b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/util/UrlUtil.java similarity index 94% rename from sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/util/UrlUtil.java rename to sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/util/UrlUtil.java index 187ab84f5e..683ce8f43a 100644 --- a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/owaspzapwrapper/util/UrlUtil.java 
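Review bot: The retry count in the user-facing warning is wrong, because `maxNumberOfConnectionRetries + 1` sits inside a string concatenation that is evaluated left to right, so a retry value of 3 prints as "31 times" instead of 4; parenthesise it and fix the grammar: `"The URL " + url + " was not reachable after trying " + (maxNumberOfConnectionRetries + 1) + " times. It might not be scannable."`. This message ends up in the SecHub report and is the only hint the user gets about an unreachable include, so a misleading number undermines it. The retry loop of isSiteCurrentlyReachable starts before this hunk, so whether `maxNumberOfConnectionRetries + 1` really is the number of attempts is an assumption from the wording.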
+++ b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/util/UrlUtil.java @@ -1,5 +1,5 @@ // SPDX-License-Identifier: MIT -package com.mercedesbenz.sechub.owaspzapwrapper.util; +package com.mercedesbenz.sechub.zapwrapper.util; import java.util.regex.Pattern; diff --git a/sechub-wrapper-owasp-zap/src/main/resources/full-rulesets/owasp-zap-full-ruleset-all-release-status.json b/sechub-wrapper-owasp-zap/src/main/resources/full-rulesets/zap-full-ruleset-all-release-status.json similarity index 100% rename from sechub-wrapper-owasp-zap/src/main/resources/full-rulesets/owasp-zap-full-ruleset-all-release-status.json rename to sechub-wrapper-owasp-zap/src/main/resources/full-rulesets/zap-full-ruleset-all-release-status.json diff --git a/sechub-wrapper-owasp-zap/src/main/resources/owaspzap-ruleset-helper/requirements.txt b/sechub-wrapper-owasp-zap/src/main/resources/zap-ruleset-helper/requirements.txt similarity index 100% rename from sechub-wrapper-owasp-zap/src/main/resources/owaspzap-ruleset-helper/requirements.txt rename to sechub-wrapper-owasp-zap/src/main/resources/zap-ruleset-helper/requirements.txt diff --git a/sechub-wrapper-owasp-zap/src/main/resources/owaspzap-ruleset-helper/owaspzap_ruleset_helper.py b/sechub-wrapper-owasp-zap/src/main/resources/zap-ruleset-helper/zap_ruleset_helper.py similarity index 100% rename from sechub-wrapper-owasp-zap/src/main/resources/owaspzap-ruleset-helper/owaspzap_ruleset_helper.py rename to sechub-wrapper-owasp-zap/src/main/resources/zap-ruleset-helper/zap_ruleset_helper.py 
diff --git a/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/owaspzapwrapper/config/ApiDefinitionFileProviderTest.java b/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/zapwrapper/config/ApiDefinitionFileProviderTest.java similarity index 97% rename from sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/owaspzapwrapper/config/ApiDefinitionFileProviderTest.java rename to sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/zapwrapper/config/ApiDefinitionFileProviderTest.java index 3b431c8b8a..0628a29ff6 100644 --- a/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/owaspzapwrapper/config/ApiDefinitionFileProviderTest.java +++ b/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/zapwrapper/config/ApiDefinitionFileProviderTest.java @@ -1,5 +1,5 @@ // SPDX-License-Identifier: MIT -package com.mercedesbenz.sechub.owaspzapwrapper.config; +package com.mercedesbenz.sechub.zapwrapper.config; import static org.junit.jupiter.api.Assertions.assertEquals; import static org.junit.jupiter.api.Assertions.assertThrows; @@ -14,8 +14,8 @@ import org.junit.jupiter.params.provider.MethodSource; import com.mercedesbenz.sechub.commons.model.SecHubScanConfiguration; -import com.mercedesbenz.sechub.owaspzapwrapper.cli.ZapWrapperExitCode; -import com.mercedesbenz.sechub.owaspzapwrapper.cli.ZapWrapperRuntimeException; +import com.mercedesbenz.sechub.zapwrapper.cli.ZapWrapperExitCode; +import com.mercedesbenz.sechub.zapwrapper.cli.ZapWrapperRuntimeException; class ApiDefinitionFileProviderTest { 
diff --git a/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/owaspzapwrapper/config/RuleProviderTest.java b/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/zapwrapper/config/RuleProviderTest.java similarity index 79% rename from sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/owaspzapwrapper/config/RuleProviderTest.java rename to sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/zapwrapper/config/RuleProviderTest.java index 6c2fa3fec3..9bb12204d3 100644 --- a/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/owaspzapwrapper/config/RuleProviderTest.java +++ b/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/zapwrapper/config/RuleProviderTest.java @@ -1,7 +1,9 @@ // SPDX-License-Identifier: MIT -package com.mercedesbenz.sechub.owaspzapwrapper.config; +package com.mercedesbenz.sechub.zapwrapper.config; -import static org.junit.jupiter.api.Assertions.*; +import static org.junit.jupiter.api.Assertions.assertEquals; +import static org.junit.jupiter.api.Assertions.assertNotNull; +import static org.junit.jupiter.api.Assertions.assertTrue; import java.io.File; import java.util.stream.Stream; @@ -11,8 +13,8 @@ import org.junit.jupiter.params.ParameterizedTest; import org.junit.jupiter.params.provider.MethodSource; -import com.mercedesbenz.sechub.owaspzapwrapper.config.data.DeactivatedRuleReferences; -import com.mercedesbenz.sechub.owaspzapwrapper.config.data.OwaspZapFullRuleset; +import com.mercedesbenz.sechub.zapwrapper.config.data.DeactivatedRuleReferences; +import com.mercedesbenz.sechub.zapwrapper.config.data.ZapFullRuleset; class RuleProviderTest { 
@@ -27,7 +29,7 @@ void beforeEach() { @MethodSource("invalidParams") void null_as_files_returns_new_empty_objects(File file) { /* execute */ - OwaspZapFullRuleset fullRuleset = rulesProvider.fetchFullRuleset(file); + ZapFullRuleset fullRuleset = rulesProvider.fetchFullRuleset(file); DeactivatedRuleReferences deactivatedRuleReferences = rulesProvider.fetchDeactivatedRuleReferences(file); /* test */ @@ -45,10 +47,10 @@ void null_as_files_returns_new_empty_objects(File file) { @Test void valid_fullruleset_file_returns_valid_object() { /* prepare */ - File testFile = new File("src/test/resources/zap-available-rules/owaspzap-full-ruleset.json"); + File testFile = new File("src/test/resources/zap-available-rules/zap-full-ruleset.json"); /* execute */ - OwaspZapFullRuleset fullRuleset = rulesProvider.fetchFullRuleset(testFile); + ZapFullRuleset fullRuleset = rulesProvider.fetchFullRuleset(testFile); /* test */ assertNotNull(fullRuleset); @@ -61,7 +63,7 @@ void valid_fullruleset_file_returns_valid_object() { @Test void valid_deactivatedrulereferences_file_returns_valid_object() { /* prepare */ - File testFile = new File("src/test/resources/wrapper-deactivated-rule-examples/owaspzap-rules-to-deactivate.json"); + File testFile = new File("src/test/resources/wrapper-deactivated-rule-examples/zap-rules-to-deactivate.json"); /* execute */ DeactivatedRuleReferences deactivatedRuleReferences = rulesProvider.fetchDeactivatedRuleReferences(testFile); 
diff --git a/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/owaspzapwrapper/config/SecHubScanConfigProviderTest.java b/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/zapwrapper/config/SecHubScanConfigProviderTest.java similarity index 94% rename from sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/owaspzapwrapper/config/SecHubScanConfigProviderTest.java rename to sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/zapwrapper/config/SecHubScanConfigProviderTest.java index c0fbee0ecc..d3fea5ff4f 100644 --- a/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/owaspzapwrapper/config/SecHubScanConfigProviderTest.java +++ b/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/zapwrapper/config/SecHubScanConfigProviderTest.java @@ -1,5 +1,5 @@ // SPDX-License-Identifier: MIT -package com.mercedesbenz.sechub.owaspzapwrapper.config; +package com.mercedesbenz.sechub.zapwrapper.config; import static org.junit.jupiter.api.Assertions.assertEquals; import static org.junit.jupiter.api.Assertions.assertThrows; @@ -13,7 +13,7 @@ import com.mercedesbenz.sechub.commons.model.SecHubWebScanConfiguration; import com.mercedesbenz.sechub.commons.model.login.BasicLoginConfiguration; import com.mercedesbenz.sechub.commons.model.login.WebLoginConfiguration; -import com.mercedesbenz.sechub.owaspzapwrapper.cli.ZapWrapperRuntimeException; +import com.mercedesbenz.sechub.zapwrapper.cli.ZapWrapperRuntimeException; class SecHubScanConfigProviderTest { 
diff --git a/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/owaspzapwrapper/config/OwaspZapClientApiFactoryTest.java b/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/zapwrapper/config/ZapClientApiFactoryTest.java similarity index 67% rename from sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/owaspzapwrapper/config/OwaspZapClientApiFactoryTest.java rename to sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/zapwrapper/config/ZapClientApiFactoryTest.java index 516183ed61..a7de1f3ee7 100644 --- a/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/owaspzapwrapper/config/OwaspZapClientApiFactoryTest.java +++ b/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/zapwrapper/config/ZapClientApiFactoryTest.java @@ -1,7 +1,8 @@ // SPDX-License-Identifier: MIT -package com.mercedesbenz.sechub.owaspzapwrapper.config; +package com.mercedesbenz.sechub.zapwrapper.config; -import static org.junit.Assert.*; +import static org.junit.Assert.assertNotNull; +import static org.junit.Assert.assertThrows; import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.api.Test; @@ -9,16 +10,16 @@ import org.junit.jupiter.params.provider.CsvSource; import org.zaproxy.clientapi.core.ClientApiException; -import com.mercedesbenz.sechub.owaspzapwrapper.cli.ZapWrapperRuntimeException; -import com.mercedesbenz.sechub.owaspzapwrapper.scan.ClientApiFacade; +import com.mercedesbenz.sechub.zapwrapper.cli.ZapWrapperRuntimeException; +import com.mercedesbenz.sechub.zapwrapper.scan.ClientApiFacade; -class OwaspZapClientApiFactoryTest { +class ZapClientApiFactoryTest { - private OwaspZapClientApiFactory factoryToTest; + private ZapClientApiFactory factoryToTest; @BeforeEach void beforeEach() { - factoryToTest = new OwaspZapClientApiFactory(); + factoryToTest = new ZapClientApiFactory(); } @Test 
@@ -30,7 +31,7 @@ void server_config_is_null_throws_mustexcitruntimeexception() throws ClientApiEx @Test void valid_configuration_returns_clientapi_object() throws ClientApiException { /* prepare */ - OwaspZapServerConfiguration serverConfig = new OwaspZapServerConfiguration("127.0.0.1", 8080, "secret-key"); + ZapServerConfiguration serverConfig = new ZapServerConfiguration("127.0.0.1", 8080, "secret-key"); /* execute */ ClientApiFacade clientApiFacade = factoryToTest.create(serverConfig); @@ -49,7 +50,7 @@ void valid_configuration_returns_clientapi_object() throws ClientApiException { /* @formatter:on */ void configuration_where_one_field_is_null_or_invalid_throws_mustexitruntimeexception(String host, int port, String apiKey) throws ClientApiException { /* prepare */ - OwaspZapServerConfiguration serverConfig = new OwaspZapServerConfiguration(host, port, apiKey); + ZapServerConfiguration serverConfig = new ZapServerConfiguration(host, port, apiKey); /* execute + test */ assertThrows(ZapWrapperRuntimeException.class, () -> factoryToTest.create(serverConfig)); diff --git a/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/owaspzapwrapper/config/OwaspZapScanContextFactoryTest.java b/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/zapwrapper/config/ZapScanContextFactoryTest.java similarity index 85% rename from sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/owaspzapwrapper/config/OwaspZapScanContextFactoryTest.java rename to sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/zapwrapper/config/ZapScanContextFactoryTest.java index 8bdd8c280c..786e051ba9 100644 --- a/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/owaspzapwrapper/config/OwaspZapScanContextFactoryTest.java +++ b/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/zapwrapper/config/ZapScanContextFactoryTest.java 
@@ -1,14 +1,14 @@ // SPDX-License-Identifier: MIT -package com.mercedesbenz.sechub.owaspzapwrapper.config; - -import static com.mercedesbenz.sechub.owaspzapwrapper.util.EnvironmentVariableConstants.PDS_JOB_EXTRACTED_SOURCES_FOLDER; -import static com.mercedesbenz.sechub.owaspzapwrapper.util.EnvironmentVariableConstants.PDS_JOB_USER_MESSAGES_FOLDER; -import static com.mercedesbenz.sechub.owaspzapwrapper.util.EnvironmentVariableConstants.PROXY_HOST_ENV_VARIABLE_NAME; -import static com.mercedesbenz.sechub.owaspzapwrapper.util.EnvironmentVariableConstants.PROXY_PORT_ENV_VARIABLE_NAME; -import static com.mercedesbenz.sechub.owaspzapwrapper.util.EnvironmentVariableConstants.ZAP_API_KEY_ENV_VARIABLE_NAME; -import static com.mercedesbenz.sechub.owaspzapwrapper.util.EnvironmentVariableConstants.ZAP_DEACTIVATED_RULE_REFERENCES; -import static com.mercedesbenz.sechub.owaspzapwrapper.util.EnvironmentVariableConstants.ZAP_HOST_ENV_VARIABLE_NAME; -import static com.mercedesbenz.sechub.owaspzapwrapper.util.EnvironmentVariableConstants.ZAP_PORT_ENV_VARIABLE_NAME; +package com.mercedesbenz.sechub.zapwrapper.config; + +import static com.mercedesbenz.sechub.zapwrapper.util.EnvironmentVariableConstants.PDS_JOB_EXTRACTED_SOURCES_FOLDER; +import static com.mercedesbenz.sechub.zapwrapper.util.EnvironmentVariableConstants.PDS_JOB_USER_MESSAGES_FOLDER; +import static com.mercedesbenz.sechub.zapwrapper.util.EnvironmentVariableConstants.PROXY_HOST_ENV_VARIABLE_NAME; +import static com.mercedesbenz.sechub.zapwrapper.util.EnvironmentVariableConstants.PROXY_PORT_ENV_VARIABLE_NAME; +import static com.mercedesbenz.sechub.zapwrapper.util.EnvironmentVariableConstants.ZAP_API_KEY_ENV_VARIABLE_NAME; +import static com.mercedesbenz.sechub.zapwrapper.util.EnvironmentVariableConstants.ZAP_DEACTIVATED_RULE_REFERENCES; +import static com.mercedesbenz.sechub.zapwrapper.util.EnvironmentVariableConstants.ZAP_HOST_ENV_VARIABLE_NAME; +import static 
com.mercedesbenz.sechub.zapwrapper.util.EnvironmentVariableConstants.ZAP_PORT_ENV_VARIABLE_NAME; import static org.junit.jupiter.api.Assertions.assertEquals; import static org.junit.jupiter.api.Assertions.assertNotNull; import static org.junit.jupiter.api.Assertions.assertNull; @@ -33,17 +33,17 @@ import org.junit.jupiter.params.provider.NullSource; import org.junit.jupiter.params.provider.ValueSource; -import com.mercedesbenz.sechub.owaspzapwrapper.cli.CommandLineSettings; -import com.mercedesbenz.sechub.owaspzapwrapper.cli.ZapWrapperRuntimeException; -import com.mercedesbenz.sechub.owaspzapwrapper.config.auth.AuthenticationType; -import com.mercedesbenz.sechub.owaspzapwrapper.config.data.DeactivatedRuleReferences; -import com.mercedesbenz.sechub.owaspzapwrapper.config.data.OwaspZapFullRuleset; -import com.mercedesbenz.sechub.owaspzapwrapper.helper.SecHubWebScanConfigurationHelper; -import com.mercedesbenz.sechub.owaspzapwrapper.util.EnvironmentVariableReader; +import com.mercedesbenz.sechub.zapwrapper.cli.CommandLineSettings; +import com.mercedesbenz.sechub.zapwrapper.cli.ZapWrapperRuntimeException; +import com.mercedesbenz.sechub.zapwrapper.config.auth.AuthenticationType; +import com.mercedesbenz.sechub.zapwrapper.config.data.DeactivatedRuleReferences; +import com.mercedesbenz.sechub.zapwrapper.config.data.ZapFullRuleset; +import com.mercedesbenz.sechub.zapwrapper.helper.SecHubWebScanConfigurationHelper; +import com.mercedesbenz.sechub.zapwrapper.util.EnvironmentVariableReader; -class OwaspZapScanContextFactoryTest { +class ZapScanContextFactoryTest { - private OwaspZapScanContextFactory factoryToTest; + private ZapScanContextFactory factoryToTest; private SecHubWebScanConfigurationHelper sechubWebConfigHelper; private EnvironmentVariableReader environmentVariableReader; 
@@ -60,7 +60,7 @@ class OwaspZapScanContextFactoryTest { void beforeEach() { // create object to test - factoryToTest = new OwaspZapScanContextFactory(); + factoryToTest = new ZapScanContextFactory(); // create mocks sechubWebConfigHelper = mock(SecHubWebScanConfigurationHelper.class); @@ -73,8 +73,8 @@ void beforeEach() { factoryToTest.ruleProvider = ruleProvider; // create test data - fullRulesetFile = new File("src/test/resources/zap-available-rules/owaspzap-full-ruleset.json"); - deactivationFile = new File("src/test/resources/wrapper-deactivated-rule-examples/owaspzap-rules-to-deactivate.json"); + fullRulesetFile = new File("src/test/resources/zap-available-rules/zap-full-ruleset.json"); + deactivationFile = new File("src/test/resources/wrapper-deactivated-rule-examples/zap-rules-to-deactivate.json"); when(environmentVariableReader.readAsString(PDS_JOB_USER_MESSAGES_FOLDER)).thenReturn(tempDir.getAbsolutePath()); } @@ -94,7 +94,7 @@ void created_configuration_has_max_scan_duration_from_sechub_webconfig() { when(ruleProvider.fetchDeactivatedRuleReferences(any())).thenReturn(new DeactivatedRuleReferences()); /* execute */ - OwaspZapScanContext result = factoryToTest.create(settings); + ZapScanContext result = factoryToTest.create(settings); /* test */ assertEquals(result.getMaxScanDurationInMillis(), maxScanDuration); @@ -111,7 +111,7 @@ void context_name_is_used_from_settings_when_defined() { when(ruleProvider.fetchDeactivatedRuleReferences(any())).thenReturn(new DeactivatedRuleReferences()); /* execute */ - OwaspZapScanContext result = factoryToTest.create(settings); + ZapScanContext result = factoryToTest.create(settings); /* test */ assertEquals(result.getContextName(), jobUUID); 
@@ -126,7 +126,7 @@ void context_name_is_created_as_UUID_when_not_defined() { when(ruleProvider.fetchDeactivatedRuleReferences(any())).thenReturn(new DeactivatedRuleReferences()); /* execute */ - OwaspZapScanContext result = factoryToTest.create(settings); + ZapScanContext result = factoryToTest.create(settings); /* test */ String contextName = result.getContextName(); @@ -148,10 +148,10 @@ void result_contains_server_config_with_arguments_from_command_line_settings_no_ when(ruleProvider.fetchDeactivatedRuleReferences(any())).thenReturn(new DeactivatedRuleReferences()); /* execute */ - OwaspZapScanContext result = factoryToTest.create(settings); + ZapScanContext result = factoryToTest.create(settings); /* test */ - OwaspZapServerConfiguration serverConfig = result.getServerConfig(); + ZapServerConfiguration serverConfig = result.getServerConfig(); assertNotNull(serverConfig); assertEquals(host, serverConfig.getZaproxyHost()); assertEquals(port, serverConfig.getZaproxyPort()); @@ -184,10 +184,10 @@ void result_contains_server_config_with_arguments_from_environment_when_command_ when(environmentVariableReader.readAsInt(PROXY_PORT_ENV_VARIABLE_NAME)).thenReturn(proxyPort); /* execute */ - OwaspZapScanContext result = factoryToTest.create(settings); + ZapScanContext result = factoryToTest.create(settings); /* test */ - OwaspZapServerConfiguration serverConfig = result.getServerConfig(); + ZapServerConfiguration serverConfig = result.getServerConfig(); assertNotNull(serverConfig); assertEquals(host, serverConfig.getZaproxyHost()); assertEquals(port, serverConfig.getZaproxyPort()); @@ -208,7 +208,7 @@ void proxy_set_or_not_is_valid_result_returned_contains_null_as_proxyinformation when(environmentVariableReader.readAsInt(PROXY_PORT_ENV_VARIABLE_NAME)).thenReturn(0); /* execute */ - OwaspZapScanContext result = factoryToTest.create(settings); + ZapScanContext result = factoryToTest.create(settings); /* test */ assertNotNull(result); 
@@ -249,7 +249,7 @@ void authentication_type_from_config_is_in_result() { when(ruleProvider.fetchDeactivatedRuleReferences(any())).thenReturn(new DeactivatedRuleReferences()); /* execute */ - OwaspZapScanContext result = factoryToTest.create(settings); + ZapScanContext result = factoryToTest.create(settings); /* test */ assertEquals(result.getAuthenticationType(), type); @@ -271,7 +271,7 @@ void targetURI_calculated_by_factory_is_in_result() { when(ruleProvider.fetchDeactivatedRuleReferences(any())).thenReturn(new DeactivatedRuleReferences()); /* execute */ - OwaspZapScanContext result = factoryToTest.create(settings); + ZapScanContext result = factoryToTest.create(settings); /* test */ assertEquals(result.getTargetUrl().toString(), createdUri.toString()); @@ -287,7 +287,7 @@ void verbose_from_settings_is_in_result(boolean verboseEnabled) { when(ruleProvider.fetchDeactivatedRuleReferences(any())).thenReturn(new DeactivatedRuleReferences()); /* execute */ - OwaspZapScanContext result = factoryToTest.create(settings); + ZapScanContext result = factoryToTest.create(settings); /* test */ assertEquals(result.isVerboseOutput(), verboseEnabled); @@ -303,7 +303,7 @@ void ajaxspider_enabled_from_settings_is_in_result(boolean enabled) { when(ruleProvider.fetchDeactivatedRuleReferences(any())).thenReturn(new DeactivatedRuleReferences()); /* execute */ - OwaspZapScanContext result = factoryToTest.create(settings); + ZapScanContext result = factoryToTest.create(settings); /* test */ assertEquals(result.isAjaxSpiderEnabled(), enabled); @@ -319,7 +319,7 @@ void active_scan_enabled_from_settings_is_in_result(boolean enabled) { when(ruleProvider.fetchDeactivatedRuleReferences(any())).thenReturn(new DeactivatedRuleReferences()); /* execute */ - OwaspZapScanContext result = factoryToTest.create(settings); + ZapScanContext result = factoryToTest.create(settings); /* test */ assertEquals(result.isActiveScanEnabled(), enabled); 
@@ -335,7 +335,7 @@ void report_file_from_setting_is_used_in_result() { when(ruleProvider.fetchDeactivatedRuleReferences(any())).thenReturn(new DeactivatedRuleReferences()); /* execute */ - OwaspZapScanContext result = factoryToTest.create(settings); + ZapScanContext result = factoryToTest.create(settings); /* test */ assertEquals(result.getReportFile(), path); @@ -352,13 +352,13 @@ void commandline_settings_null_throws_zap_wrapper_runtime_exception() { void fullruleset_returned_by_provider_is_in_result() { /* prepare */ CommandLineSettings settings = createSettingsMockWithNecessaryParts(); - when(ruleProvider.fetchFullRuleset(fullRulesetFile)).thenReturn(createOwaspZapFullRuleset()); + when(ruleProvider.fetchFullRuleset(fullRulesetFile)).thenReturn(createZapFullRuleset()); when(ruleProvider.fetchDeactivatedRuleReferences(any())).thenReturn(new DeactivatedRuleReferences()); /* execute */ - OwaspZapScanContext result = factoryToTest.create(settings); + ZapScanContext result = factoryToTest.create(settings); - OwaspZapFullRuleset fullRuleset = result.getFullRuleset(); + ZapFullRuleset fullRuleset = result.getFullRuleset(); /* test */ verify(ruleProvider, times(1)).fetchFullRuleset(any()); @@ -376,7 +376,7 @@ void rules_to_deactivate_returned_by_provider_is_inside_result() { when(ruleProvider.fetchDeactivatedRuleReferences(deactivationFile)).thenReturn(createDeactivatedRuleReferences()); /* execute */ - OwaspZapScanContext result = factoryToTest.create(settings); + ZapScanContext result = factoryToTest.create(settings); DeactivatedRuleReferences deactivatedRuleReferences = result.getDeactivatedRuleReferences(); /* test */ @@ -403,7 +403,7 @@ void rules_to_deactivate_returned_by_env_variable_is_inside_result(String value) } /* execute */ - OwaspZapScanContext result = factoryToTest.create(settings); + ZapScanContext result = factoryToTest.create(settings); DeactivatedRuleReferences deactivatedRuleReferences = result.getDeactivatedRuleReferences(); /* test */ 
@@ -427,7 +427,7 @@ void rules_to_deactivate_returned_by_command_line_parameter_is_inside_result(Str } /* execute */ - OwaspZapScanContext result = factoryToTest.create(settings); + ZapScanContext result = factoryToTest.create(settings); DeactivatedRuleReferences deactivatedRuleReferences = result.getDeactivatedRuleReferences(); /* test */ @@ -467,7 +467,7 @@ void api_definition_file_from_sechub_scan_config_is_inside_result() { Path expectedPathToApiDefinitionFile = new File(extractedSourcesPath, "openapi3.json").toPath(); /* execute */ - OwaspZapScanContext result = factoryToTest.create(settings); + ZapScanContext result = factoryToTest.create(settings); /* test */ verify(environmentVariableReader, times(1)).readAsString(PDS_JOB_EXTRACTED_SOURCES_FOLDER); @@ -484,11 +484,11 @@ void includes_and_excludes_from_sechub_json_are_inside_result() { when(settings.getSecHubConfigFile()).thenReturn(sechubScanConfigFile); /* execute */ - OwaspZapScanContext result = factoryToTest.create(settings); + ZapScanContext result = factoryToTest.create(settings); /* test */ - assertEquals(3, result.getOwaspZapURLsIncludeSet().size()); - assertEquals(2, result.getOwaspZapURLsExcludeSet().size()); + assertEquals(3, result.getZapURLsIncludeSet().size()); + assertEquals(2, result.getZapURLsExcludeSet().size()); } @ParameterizedTest @@ -500,7 +500,7 @@ void connection_check_from_settings_is_in_result(boolean enabled) { when(ruleProvider.fetchDeactivatedRuleReferences(any())).thenReturn(new DeactivatedRuleReferences()); /* execute */ - OwaspZapScanContext result = factoryToTest.create(settings); + ZapScanContext result = factoryToTest.create(settings); /* test */ assertEquals(result.connectionCheckEnabled(), enabled); 
@@ -533,7 +533,7 @@ private CommandLineSettings createSettingsMockWithNecessaryPartsWithoutRuleFiles return settings; } - private OwaspZapFullRuleset createOwaspZapFullRuleset() { + private ZapFullRuleset createZapFullRuleset() { RuleProvider provider = new RuleProvider(); return provider.fetchFullRuleset(fullRulesetFile); } diff --git a/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/owaspzapwrapper/config/data/DeactivatedRuleReferencesTest.java b/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/zapwrapper/config/data/DeactivatedRuleReferencesTest.java similarity index 95% rename from sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/owaspzapwrapper/config/data/DeactivatedRuleReferencesTest.java rename to sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/zapwrapper/config/data/DeactivatedRuleReferencesTest.java index 1e959087b4..760c5cf265 100644 --- a/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/owaspzapwrapper/config/data/DeactivatedRuleReferencesTest.java +++ b/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/zapwrapper/config/data/DeactivatedRuleReferencesTest.java @@ -1,5 +1,5 @@ // SPDX-License-Identifier: MIT -package com.mercedesbenz.sechub.owaspzapwrapper.config.data; +package com.mercedesbenz.sechub.zapwrapper.config.data; import static org.junit.Assert.assertTrue; import static org.junit.jupiter.api.Assertions.assertEquals; diff --git a/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/owaspzapwrapper/helper/BaseTargetUriFactoryTest.java b/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/zapwrapper/helper/BaseTargetUriFactoryTest.java similarity index 95% rename from sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/owaspzapwrapper/helper/BaseTargetUriFactoryTest.java rename to sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/zapwrapper/helper/BaseTargetUriFactoryTest.java index 1206ae8c7d..6371247c32 100644 
--- a/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/owaspzapwrapper/helper/BaseTargetUriFactoryTest.java +++ b/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/zapwrapper/helper/BaseTargetUriFactoryTest.java @@ -1,5 +1,5 @@ // SPDX-License-Identifier: MIT -package com.mercedesbenz.sechub.owaspzapwrapper.helper; +package com.mercedesbenz.sechub.zapwrapper.helper; import static org.junit.jupiter.api.Assertions.assertThrows; import static org.junit.jupiter.api.Assertions.assertTrue; @@ -12,7 +12,7 @@ import org.junit.jupiter.params.provider.CsvSource; import org.junit.jupiter.params.provider.NullSource; -import com.mercedesbenz.sechub.owaspzapwrapper.cli.ZapWrapperRuntimeException; +import com.mercedesbenz.sechub.zapwrapper.cli.ZapWrapperRuntimeException; class BaseTargetUriFactoryTest { diff --git a/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/owaspzapwrapper/helper/IncludeExcludeToOwaspZapURIHelperTest.java b/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/zapwrapper/helper/IncludeExcludeToZapURIHelperTest.java similarity index 76% rename from sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/owaspzapwrapper/helper/IncludeExcludeToOwaspZapURIHelperTest.java rename to sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/zapwrapper/helper/IncludeExcludeToZapURIHelperTest.java index d43ff3a664..450189a0c3 100644 --- a/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/owaspzapwrapper/helper/IncludeExcludeToOwaspZapURIHelperTest.java +++ b/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/zapwrapper/helper/IncludeExcludeToZapURIHelperTest.java @@ -1,5 +1,5 @@ // SPDX-License-Identifier: MIT -package com.mercedesbenz.sechub.owaspzapwrapper.helper; +package com.mercedesbenz.sechub.zapwrapper.helper; import static org.junit.jupiter.api.Assertions.assertTrue; 
@@ -14,15 +14,15 @@ import com.mercedesbenz.sechub.commons.model.SecHubMessage; -class IncludeExcludeToOwaspZapURIHelperTest { +class IncludeExcludeToZapURIHelperTest { - private IncludeExcludeToOwaspZapURLHelper helperToTest; + private IncludeExcludeToZapURLHelper helperToTest; private List userMessages; @BeforeEach void beforeEach() { - helperToTest = new IncludeExcludeToOwaspZapURLHelper(); + helperToTest = new IncludeExcludeToZapURLHelper(); userMessages = new LinkedList<>(); } @@ -33,7 +33,7 @@ void returns_empty_list_if_list_of_subSites_is_null() throws MalformedURLExcepti List sites = null; /* execute */ - List urls = helperToTest.createListOfUrls(OwaspZapURLType.INCLUDE, targetUrl, sites, userMessages); + List urls = helperToTest.createListOfUrls(ZapURLType.INCLUDE, targetUrl, sites, userMessages); /* test */ assertTrue(urls.isEmpty()); @@ -47,7 +47,7 @@ void returns_empty_list_if_list_of_subSites_is_empty() throws MalformedURLExcept List sites = new ArrayList<>(); /* execute */ - List urls = helperToTest.createListOfUrls(OwaspZapURLType.INCLUDE, targetUrl, sites, userMessages); + List urls = helperToTest.createListOfUrls(ZapURLType.INCLUDE, targetUrl, sites, userMessages); /* test */ assertTrue(urls.isEmpty()); @@ -55,13 +55,13 @@ void returns_empty_list_if_list_of_subSites_is_empty() throws MalformedURLExcept } @Test - void returns_list_of_url_conform_for_owasp_zap_includes_or_excludes() throws MalformedURLException { + void returns_list_of_url_conform_for_zap_includes_or_excludes() throws MalformedURLException { /* prepare */ URL targetUrl = new URL("https://127.0.0.1:8080"); List sites = createExampleListOfSites(); /* execute */ - List urls = helperToTest.createListOfUrls(OwaspZapURLType.EXCLUDE, targetUrl, sites, userMessages); + List urls = helperToTest.createListOfUrls(ZapURLType.EXCLUDE, targetUrl, sites, userMessages); /* test */ assertTrue(urls.contains(new URL("https://127.0.0.1:8080/sub"))); 
diff --git a/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/owaspzapwrapper/helper/ScanDurationHelperTest.java b/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/zapwrapper/helper/ScanDurationHelperTest.java similarity index 97% rename from sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/owaspzapwrapper/helper/ScanDurationHelperTest.java rename to sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/zapwrapper/helper/ScanDurationHelperTest.java index 95ec1462aa..d00297004f 100644 --- a/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/owaspzapwrapper/helper/ScanDurationHelperTest.java +++ b/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/zapwrapper/helper/ScanDurationHelperTest.java @@ -1,7 +1,7 @@ // SPDX-License-Identifier: MIT -package com.mercedesbenz.sechub.owaspzapwrapper.helper; +package com.mercedesbenz.sechub.zapwrapper.helper; -import static org.junit.jupiter.api.Assertions.*; +import static org.junit.jupiter.api.Assertions.assertEquals; import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.api.Test; diff --git a/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/owaspzapwrapper/helper/SecHubWebScanConfigurationHelperTest.java b/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/zapwrapper/helper/SecHubWebScanConfigurationHelperTest.java similarity index 90% rename from sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/owaspzapwrapper/helper/SecHubWebScanConfigurationHelperTest.java rename to sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/zapwrapper/helper/SecHubWebScanConfigurationHelperTest.java index 599e65087e..2a95c6c398 100644 --- a/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/owaspzapwrapper/helper/SecHubWebScanConfigurationHelperTest.java +++ b/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/zapwrapper/helper/SecHubWebScanConfigurationHelperTest.java 
@@ -1,7 +1,7 @@ // SPDX-License-Identifier: MIT -package com.mercedesbenz.sechub.owaspzapwrapper.helper; +package com.mercedesbenz.sechub.zapwrapper.helper; -import static org.junit.jupiter.api.Assertions.*; +import static org.junit.jupiter.api.Assertions.assertEquals; import java.io.File; @@ -9,8 +9,8 @@ import com.mercedesbenz.sechub.commons.model.SecHubScanConfiguration; import com.mercedesbenz.sechub.commons.model.SecHubWebScanConfiguration; -import com.mercedesbenz.sechub.owaspzapwrapper.config.auth.AuthenticationType; import com.mercedesbenz.sechub.test.TestFileReader; +import com.mercedesbenz.sechub.zapwrapper.config.auth.AuthenticationType; class SecHubWebScanConfigurationHelperTest { diff --git a/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/owaspzapwrapper/helper/OwaspZapEventHandlerTest.java b/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/zapwrapper/helper/ZapEventHandlerTest.java similarity index 59% rename from sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/owaspzapwrapper/helper/OwaspZapEventHandlerTest.java rename to sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/zapwrapper/helper/ZapEventHandlerTest.java index ee6adcd0c2..b8f88b6e59 100644 --- a/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/owaspzapwrapper/helper/OwaspZapEventHandlerTest.java +++ b/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/zapwrapper/helper/ZapEventHandlerTest.java @@ -1,5 +1,5 @@ // SPDX-License-Identifier: MIT -package com.mercedesbenz.sechub.owaspzapwrapper.helper; +package com.mercedesbenz.sechub.zapwrapper.helper; import static org.junit.jupiter.api.Assertions.assertDoesNotThrow; import static org.junit.jupiter.api.Assertions.assertFalse; 
@@ -14,15 +14,15 @@ import org.junit.jupiter.api.Test; import org.junit.jupiter.api.io.TempDir; -import com.mercedesbenz.sechub.owaspzapwrapper.cli.ZapWrapperRuntimeException; +import com.mercedesbenz.sechub.zapwrapper.cli.ZapWrapperRuntimeException; -class OwaspZapEventHandlerTest { +class ZapEventHandlerTest { - private OwaspZapEventHandler owaspZapEventHandler; + private ZapEventHandler zapEventHandler; @BeforeEach void beforeEach() { - owaspZapEventHandler = new OwaspZapEventHandler(); + zapEventHandler = new ZapEventHandler(); } @Test @@ -31,19 +31,19 @@ void file_does_not_exist_and_so_no_scan_is_cancelled() throws IOException { String scanContextName = UUID.randomUUID().toString(); /* execute + test */ - assertFalse(owaspZapEventHandler.isScanCancelled()); - assertDoesNotThrow(() -> owaspZapEventHandler.cancelScan(scanContextName)); + assertFalse(zapEventHandler.isScanCancelled()); + assertDoesNotThrow(() -> zapEventHandler.cancelScan(scanContextName)); } @Test void file_does_exist_and_so_scan_is_cancelled(@TempDir File tempDir) throws IOException { /* prepare */ - owaspZapEventHandler.cancelEventFile = tempDir; + zapEventHandler.cancelEventFile = tempDir; String scanContextName = UUID.randomUUID().toString(); /* execute + test */ - assertTrue(owaspZapEventHandler.isScanCancelled()); - assertThrows(ZapWrapperRuntimeException.class, () -> owaspZapEventHandler.cancelScan(scanContextName)); + assertTrue(zapEventHandler.isScanCancelled()); + assertThrows(ZapWrapperRuntimeException.class, () -> zapEventHandler.cancelScan(scanContextName)); } } 
diff --git a/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/owaspzapwrapper/helper/OwaspZapProductMessageHelperTest.java b/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/zapwrapper/helper/ZapProductMessageHelperTest.java similarity index 90% rename from sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/owaspzapwrapper/helper/OwaspZapProductMessageHelperTest.java rename to sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/zapwrapper/helper/ZapProductMessageHelperTest.java index 2e0b3e2bab..bc7a9e5387 100644 --- a/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/owaspzapwrapper/helper/OwaspZapProductMessageHelperTest.java +++ b/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/zapwrapper/helper/ZapProductMessageHelperTest.java @@ -1,5 +1,5 @@ // SPDX-License-Identifier: MIT -package com.mercedesbenz.sechub.owaspzapwrapper.helper; +package com.mercedesbenz.sechub.zapwrapper.helper; import static org.junit.jupiter.api.Assertions.assertEquals; import static org.junit.jupiter.api.Assertions.fail; 
@@ -21,19 +21,19 @@ import com.mercedesbenz.sechub.commons.model.SecHubMessage; import com.mercedesbenz.sechub.commons.model.SecHubMessageType; -import com.mercedesbenz.sechub.owaspzapwrapper.cli.ZapWrapperExitCode; -import com.mercedesbenz.sechub.owaspzapwrapper.cli.ZapWrapperRuntimeException; +import com.mercedesbenz.sechub.zapwrapper.cli.ZapWrapperExitCode; +import com.mercedesbenz.sechub.zapwrapper.cli.ZapWrapperRuntimeException; -class OwaspZapProductMessageHelperTest { +class ZapProductMessageHelperTest { private TemporaryFolder testFolder; - private OwaspZapProductMessageHelper helperToTest; + private ZapProductMessageHelper helperToTest; @BeforeEach void beforeEach() throws IOException { testFolder = new TemporaryFolder(); testFolder.create(); - helperToTest = new OwaspZapProductMessageHelper(testFolder.getRoot().getAbsolutePath()); + helperToTest = new ZapProductMessageHelper(testFolder.getRoot().getAbsolutePath()); } @AfterEach
@@ -123,7 +123,7 @@ private void verifyMessageFileContent(File file, ZapWrapperExitCode exitCode) th assertEquals("Target URL invalid. The target URL, specified inside SecHub configuration, is not a valid URL.", messageContent, errorMessage); break; case PRODUCT_EXECUTION_ERROR: - assertEquals("Product error. The DAST scanner OWASP ZAP ended with a product error.", messageContent, errorMessage); + assertEquals("Product error. The DAST scanner ZAP ended with a product error.", messageContent, errorMessage); break; default: fail("Unsupported ZapWrapperExitCode, this should never occur!");
diff --git a/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/owaspzapwrapper/scan/OwaspZapScannerTest.java b/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/zapwrapper/scan/ZapScannerTest.java
similarity index 76%
rename from sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/owaspzapwrapper/scan/OwaspZapScannerTest.java
rename to sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/zapwrapper/scan/ZapScannerTest.java
index 15b60fe432..b5e47c6090 100644
--- a/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/owaspzapwrapper/scan/OwaspZapScannerTest.java
+++ b/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/zapwrapper/scan/ZapScannerTest.java
@@ -1,9 +1,18 @@ // SPDX-License-Identifier: MIT -package com.mercedesbenz.sechub.owaspzapwrapper.scan; - -import static org.junit.jupiter.api.Assertions.*; -import static org.mockito.ArgumentMatchers.*; -import static org.mockito.Mockito.*; +package com.mercedesbenz.sechub.zapwrapper.scan; + +import static org.junit.jupiter.api.Assertions.assertEquals; +import static org.junit.jupiter.api.Assertions.assertThrows; +import static org.mockito.ArgumentMatchers.any; +import static org.mockito.ArgumentMatchers.eq; +import static org.mockito.Mockito.atLeast; +import static org.mockito.Mockito.doCallRealMethod; +import static org.mockito.Mockito.doNothing; +import static org.mockito.Mockito.mock; +import static org.mockito.Mockito.never; +import static org.mockito.Mockito.times; +import static org.mockito.Mockito.verify; +import static org.mockito.Mockito.when; import java.net.MalformedURLException; import java.net.URI;
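Review bot: The explicit static-import list added here brings in only `assertEquals` and `assertThrows`, while the class still expresses a null check as `assertEquals(null, userInformation)` in the no-auth login test further down (unchanged by this commit). Since the wildcard import is being replaced anyway, adding `import static org.junit.jupiter.api.Assertions.assertNull;` and writing `assertNull(userInformation);` there states the intent directly and gives a clearer failure message.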
@@ -29,82 +38,82 @@ import com.mercedesbenz.sechub.commons.model.SecHubScanConfiguration; import com.mercedesbenz.sechub.commons.model.SecHubWebScanConfiguration; import com.mercedesbenz.sechub.commons.model.login.BasicLoginConfiguration; -import com.mercedesbenz.sechub.owaspzapwrapper.cli.ZapWrapperExitCode; -import com.mercedesbenz.sechub.owaspzapwrapper.cli.ZapWrapperRuntimeException; -import com.mercedesbenz.sechub.owaspzapwrapper.config.OwaspZapScanContext; -import com.mercedesbenz.sechub.owaspzapwrapper.config.ProxyInformation; -import com.mercedesbenz.sechub.owaspzapwrapper.config.auth.AuthenticationType; -import com.mercedesbenz.sechub.owaspzapwrapper.config.auth.SessionManagementType; -import com.mercedesbenz.sechub.owaspzapwrapper.config.data.DeactivatedRuleReferences; -import com.mercedesbenz.sechub.owaspzapwrapper.config.data.OwaspZapFullRuleset; -import com.mercedesbenz.sechub.owaspzapwrapper.config.data.RuleReference; -import com.mercedesbenz.sechub.owaspzapwrapper.helper.IncludeExcludeToOwaspZapURLHelper; -import com.mercedesbenz.sechub.owaspzapwrapper.helper.OwaspZapEventHandler; -import com.mercedesbenz.sechub.owaspzapwrapper.helper.OwaspZapProductMessageHelper; -import com.mercedesbenz.sechub.owaspzapwrapper.helper.OwaspZapURLType; -import com.mercedesbenz.sechub.owaspzapwrapper.scan.OwaspZapScanner.UserInformation; -import com.mercedesbenz.sechub.owaspzapwrapper.util.SystemUtil; import com.mercedesbenz.sechub.test.TestFileReader; - -class OwaspZapScannerTest { - - private OwaspZapScanner scannerToTest; +import com.mercedesbenz.sechub.zapwrapper.cli.ZapWrapperExitCode; +import com.mercedesbenz.sechub.zapwrapper.cli.ZapWrapperRuntimeException; +import com.mercedesbenz.sechub.zapwrapper.config.ProxyInformation; +import com.mercedesbenz.sechub.zapwrapper.config.ZapScanContext; +import com.mercedesbenz.sechub.zapwrapper.config.auth.AuthenticationType; +import com.mercedesbenz.sechub.zapwrapper.config.auth.SessionManagementType; +import 
com.mercedesbenz.sechub.zapwrapper.config.data.DeactivatedRuleReferences; +import com.mercedesbenz.sechub.zapwrapper.config.data.RuleReference; +import com.mercedesbenz.sechub.zapwrapper.config.data.ZapFullRuleset; +import com.mercedesbenz.sechub.zapwrapper.helper.IncludeExcludeToZapURLHelper; +import com.mercedesbenz.sechub.zapwrapper.helper.ZapEventHandler; +import com.mercedesbenz.sechub.zapwrapper.helper.ZapProductMessageHelper; +import com.mercedesbenz.sechub.zapwrapper.helper.ZapURLType; +import com.mercedesbenz.sechub.zapwrapper.scan.ZapScanner.UserInformation; +import com.mercedesbenz.sechub.zapwrapper.util.SystemUtil; + +class ZapScannerTest { + + private ZapScanner scannerToTest; private ClientApiFacade clientApiFacade; - private OwaspZapScanContext scanContext; - private OwaspZapEventHandler owaspZapEventHandler; + private ZapScanContext scanContext; + private ZapEventHandler zapEventHandler; private SystemUtil systemUtil; - private OwaspZapProductMessageHelper helper; + private ZapProductMessageHelper helper; private String contextName = "context-name"; @BeforeEach void beforeEach() { // create mocks clientApiFacade = mock(ClientApiFacade.class); - scanContext = mock(OwaspZapScanContext.class); + scanContext = mock(ZapScanContext.class); systemUtil = mock(SystemUtil.class); - helper = mock(OwaspZapProductMessageHelper.class); + helper = mock(ZapProductMessageHelper.class); - owaspZapEventHandler = mock(OwaspZapEventHandler.class); + zapEventHandler = mock(ZapEventHandler.class); // assign mocks - scannerToTest = new OwaspZapScanner(clientApiFacade, scanContext); + scannerToTest = new ZapScanner(clientApiFacade, scanContext); scannerToTest.systemUtil = systemUtil; - scannerToTest.owaspZapEventHandler = owaspZapEventHandler; + scannerToTest.zapEventHandler = zapEventHandler; // set global behavior when(scanContext.getContextName()).thenReturn(contextName); - when(scanContext.getOwaspZapProductMessageHelper()).thenReturn(helper); + 
when(scanContext.getZapProductMessageHelper()).thenReturn(helper); doNothing().when(helper).writeProductError(any()); doNothing().when(helper).writeProductMessages(any()); doNothing().when(helper).writeSingleProductMessage(any()); doNothing().when(helper).writeUserMessagesWithScannedURLs(any()); - doNothing().when(systemUtil).waitForMilliseconds(OwaspZapScanner.CHECK_SCAN_STATUS_TIME_IN_MILLISECONDS); + doNothing().when(systemUtil).waitForMilliseconds(ZapScanner.CHECK_SCAN_STATUS_TIME_IN_MILLISECONDS); when(systemUtil.getCurrentTimeInMilliseconds()).thenCallRealMethod(); } @Test - void setup_standard_configuration_results_in_expected_calls() throws ClientApiException { - /* prepare */ - when(clientApiFacade.createNewSession(scanContext.getContextName(), "true")).thenReturn(null); - when(clientApiFacade.configureMaximumAlertsForEachRule("0")).thenReturn(null); - when(clientApiFacade.enableAllPassiveScannerRules()).thenReturn(null); - when(clientApiFacade.enableAllActiveScannerRulesForPolicy(null)).thenReturn(null); - when(clientApiFacade.configureAjaxSpiderBrowserId("firefox-headless")).thenReturn(null); - - /* execute */ - scannerToTest.setupStandardConfiguration(); - - /* test */ - verify(clientApiFacade, times(1)).createNewSession(scanContext.getContextName(), "true"); - verify(clientApiFacade, times(1)).configureMaximumAlertsForEachRule("0"); - verify(clientApiFacade, times(1)).enableAllPassiveScannerRules(); - verify(clientApiFacade, times(1)).enableAllActiveScannerRulesForPolicy(null); - verify(clientApiFacade, times(1)).configureAjaxSpiderBrowserId("firefox-headless"); - } + void setup_standard_configuration_results_in_expected_calls() throws ClientApiException { + /* prepare */ + when(clientApiFacade.createNewSession(scanContext.getContextName(), "true")).thenReturn(null); + when(clientApiFacade.configureMaximumAlertsForEachRule("0")).thenReturn(null); + when(clientApiFacade.enableAllPassiveScannerRules()).thenReturn(null); + 
when(clientApiFacade.enableAllActiveScannerRulesForPolicy(null)).thenReturn(null); + when(clientApiFacade.configureAjaxSpiderBrowserId("firefox-headless")).thenReturn(null); + + /* execute */ + scannerToTest.setupStandardConfiguration(); + + /* test */ + verify(clientApiFacade, times(1)).createNewSession(scanContext.getContextName(), "true"); + verify(clientApiFacade, times(1)).configureMaximumAlertsForEachRule("0"); + verify(clientApiFacade, times(1)).enableAllPassiveScannerRules(); + verify(clientApiFacade, times(1)).enableAllActiveScannerRulesForPolicy(null); + verify(clientApiFacade, times(1)).configureAjaxSpiderBrowserId("firefox-headless"); + } @Test void deactivate_rules_ruleset_or_rules_to_deactivate_null_results_in_nothing_is_configured() throws ClientApiException {
@@ -114,9 +123,9 @@ void deactivate_rules_ruleset_or_rules_to_deactivate_null_results_in_nothing_is_ /* execute */ scannerToTest.deactivateRules(null, null); - scannerToTest.deactivateRules(new OwaspZapFullRuleset(), null); + scannerToTest.deactivateRules(new ZapFullRuleset(), null); scannerToTest.deactivateRules(null, new DeactivatedRuleReferences()); - scannerToTest.deactivateRules(new OwaspZapFullRuleset(), deactivatedReferences); + scannerToTest.deactivateRules(new ZapFullRuleset(), deactivatedReferences); /* test */ verify(clientApiFacade, never()).disablePassiveScannerRule(any());
@@ -133,8 +142,8 @@ void deactivate_rules_results_in_rules_are_deactivated() throws ClientApiExcepti deactivatedReferences.addRuleReference(new RuleReference("Cross-Site-Scripting-(Reflected)-40012", "second-info")); deactivatedReferences.addRuleReference(new RuleReference("Path-Traversal-6", "third-info")); - String json = TestFileReader.loadTextFile("src/test/resources/zap-available-rules/owaspzap-full-ruleset.json"); - OwaspZapFullRuleset ruleSet = new OwaspZapFullRuleset().fromJSON(json); + String json = TestFileReader.loadTextFile("src/test/resources/zap-available-rules/zap-full-ruleset.json"); + ZapFullRuleset ruleSet = new ZapFullRuleset().fromJSON(json); when(clientApiFacade.disablePassiveScannerRule(any())).thenReturn(null); when(clientApiFacade.disableActiveScannerRuleForPolicy(any(), any())).thenReturn(null); 
@@ -148,26 +157,27 @@ void deactivate_rules_results_in_rules_are_deactivated() throws ClientApiExcepti } @Test - void setup_addtional_proxy_information_with_proxy_information_null_results_in_proxy_disabled() - throws ClientApiException { - /* prepare */ - when(clientApiFacade.setHttpProxyEnabled("false")).thenReturn(null); + void setup_addtional_proxy_information_with_proxy_information_null_results_in_proxy_disabled() + throws ClientApiException { + /* prepare */ + when(clientApiFacade.setHttpProxyEnabled("false")).thenReturn(null); - /* execute */ - scannerToTest.setupAdditonalProxyConfiguration(null); + /* execute */ + scannerToTest.setupAdditonalProxyConfiguration(null); - /* test */ - verify(clientApiFacade, times(1)).setHttpProxyEnabled("false"); - } + /* test */ + verify(clientApiFacade, times(1)).setHttpProxyEnabled("false"); + } @Test void setup_addtional_proxy_information_results_in_proxy_enabled() throws ClientApiException { /* prepare */ String host = "127.0.0.1"; int port = 8000; + var portAsString = String.valueOf(port); ProxyInformation proxyInformation = new ProxyInformation(host, port); - when(clientApiFacade.configureHttpProxy(host, "" + port, null, null, null)).thenReturn(null); + when(clientApiFacade.configureHttpProxy(host, portAsString, null, null, null)).thenReturn(null); when(clientApiFacade.setHttpProxyEnabled("true")).thenReturn(null); when(clientApiFacade.setHttpProxyAuthEnabled("false")).thenReturn(null);
@@ -175,7 +185,7 @@ void setup_addtional_proxy_information_results_in_proxy_enabled() throws ClientA scannerToTest.setupAdditonalProxyConfiguration(proxyInformation); /* test */ - verify(clientApiFacade, times(1)).configureHttpProxy(host, "" + port, null, null, null); + verify(clientApiFacade, times(1)).configureHttpProxy(host, portAsString, null, null, null); verify(clientApiFacade, times(1)).setHttpProxyEnabled("true"); verify(clientApiFacade, times(1)).setHttpProxyAuthEnabled("false"); }
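Review bot: The re-added test method keeps the typo in its name, `setup_addtional_proxy_information_with_proxy_information_null_results_in_proxy_disabled` (its sibling `setup_addtional_proxy_information_results_in_proxy_enabled` in the context lines has the same one); since the whole method is rewritten in this hunk, renaming it to `setup_additional_proxy_information_with_proxy_information_null_results_in_proxy_disabled` costs nothing now. The production method both tests call, `setupAdditonalProxyConfiguration`, carries the same misspelling, but fixing that needs a matching rename in ZapScanner, which is outside this hunk.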
@@ -263,20 +273,20 @@ void set_includes_and_excludes_api_facade_is_called_once_for_each_include_and_on String json = TestFileReader.loadTextFile(sechubConfigFile); SecHubWebScanConfiguration sechubWebScanConfig = SecHubScanConfiguration.createFromJSON(json).getWebScan().get(); - IncludeExcludeToOwaspZapURLHelper helper = new IncludeExcludeToOwaspZapURLHelper(); + IncludeExcludeToZapURLHelper helper = new IncludeExcludeToZapURLHelper(); URL targetUrl = sechubWebScanConfig.getUrl().toURL(); List includesList = sechubWebScanConfig.getIncludes().get(); - Set includes = new HashSet<>(helper.createListOfUrls(OwaspZapURLType.INCLUDE, targetUrl, includesList, new ArrayList<>())); - when(scanContext.getOwaspZapURLsIncludeSet()).thenReturn(includes); + Set includes = new HashSet<>(helper.createListOfUrls(ZapURLType.INCLUDE, targetUrl, includesList, new ArrayList<>())); + when(scanContext.getZapURLsIncludeSet()).thenReturn(includes); List excludesList = sechubWebScanConfig.getExcludes().get(); - Set excludes = new HashSet<>(helper.createListOfUrls(OwaspZapURLType.EXCLUDE, targetUrl, excludesList, new ArrayList<>())); - when(scanContext.getOwaspZapURLsExcludeSet()).thenReturn(excludes); + Set excludes = new HashSet<>(helper.createListOfUrls(ZapURLType.EXCLUDE, targetUrl, excludesList, new ArrayList<>())); + when(scanContext.getZapURLsExcludeSet()).thenReturn(excludes); ApiResponse response = mock(ApiResponse.class); when(clientApiFacade.addIncludeUrlPatternToContext(any(), any())).thenReturn(response); - when(clientApiFacade.accessUrlViaOwaspZap(any(), any())).thenReturn(response); + when(clientApiFacade.accessUrlViaZap(any(), any())).thenReturn(response); when(clientApiFacade.addExcludeUrlPatternToContext(any(), any())).thenReturn(response); /* execute */ 
@@ -284,7 +294,7 @@ void set_includes_and_excludes_api_facade_is_called_once_for_each_include_and_on /* test */ verify(clientApiFacade, times(includes.size())).addIncludeUrlPatternToContext(any(), any()); - verify(clientApiFacade, times(includes.size())).accessUrlViaOwaspZap(any(), any()); + verify(clientApiFacade, times(includes.size())).accessUrlViaZap(any(), any()); verify(clientApiFacade, times(excludes.size())).addExcludeUrlPatternToContext(any(), any()); }
@@ -328,7 +338,7 @@ void import_openapi_file_api_facade_is_called_once(String sechubConfigFile) thro @ParameterizedTest @ValueSource(strings = { "src/test/resources/sechub-config-examples/no-auth-with-openapi-file.json", "src/test/resources/sechub-config-examples/form-based-auth.json" }) - void configure_login_inside_owasp_zap_using_no_auth_and_unsupported_auth_return_null(String sechubConfigFile) throws ClientApiException { + void configure_login_inside_zap_using_no_auth_and_unsupported_auth_return_null(String sechubConfigFile) throws ClientApiException { /* prepare */ String contextId = "context-id"; String json = TestFileReader.loadTextFile(sechubConfigFile);
@@ -337,14 +347,14 @@ void configure_login_inside_owasp_zap_using_no_auth_and_unsupported_auth_return_ when(scanContext.getSecHubWebScanConfiguration()).thenReturn(sechubWebScanConfig); /* execute */ - UserInformation userInformation = scannerToTest.configureLoginInsideOwaspZapContext(contextId); + UserInformation userInformation = scannerToTest.configureLoginInsideZapContext(contextId); /* test */ assertEquals(null, userInformation); } @Test - void configure_login_inside_owasp_zap_using_basic_auth_results_in_expected_calls() throws ClientApiException, MalformedURLException { + void configure_login_inside_zap_using_basic_auth_results_in_expected_calls() throws ClientApiException, MalformedURLException { /* prepare */ String contextId = "context-id"; String userId = "user-id";
@@ -360,9 +370,9 @@ void configure_login_inside_owasp_zap_using_basic_auth_results_in_expected_calls when(scanContext.getAuthenticationType()).thenReturn(AuthenticationType.HTTP_BASIC_AUTHENTICATION); when(scanContext.getSecHubWebScanConfiguration()).thenReturn(sechubWebScanConfig); - when(clientApiFacade.configureAuthenticationMethod(eq(contextId), eq(AuthenticationType.HTTP_BASIC_AUTHENTICATION.getOwaspZapAuthenticationMethod()), - any())).thenReturn(response); - when(clientApiFacade.sessionManagementMethod(eq(contextId), eq(SessionManagementType.HTTP_AUTH_SESSION_MANAGEMENT.getOwaspZapSessionManagementMethod()), + when(clientApiFacade.configureAuthenticationMethod(eq(contextId), eq(AuthenticationType.HTTP_BASIC_AUTHENTICATION.getZapAuthenticationMethod()), any())) + .thenReturn(response); + when(clientApiFacade.sessionManagementMethod(eq(contextId), eq(SessionManagementType.HTTP_AUTH_SESSION_MANAGEMENT.getZapSessionManagementMethod()), any())).thenReturn(response); when(clientApiFacade.createNewUser(contextId, userName)).thenReturn(userId); when(clientApiFacade.configureAuthenticationCredentials(eq(contextId), eq(userId), any())).thenReturn(response); 
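Review bot: The reflowed basic-auth stub `when(clientApiFacade.configureAuthenticationMethod(eq(contextId), eq(AuthenticationType.HTTP_BASIC_AUTHENTICATION.getZapAuthenticationMethod()), any()))` matches the third argument with `any()`, and the corresponding `verify` in the next hunk does the same, so the test pins the authentication method name but never the configuration payload ZapScanner hands to ZAP for HTTP basic auth. Capturing that argument with an `ArgumentCaptor<String>` and asserting on its content (presumably derived from `scanContext.getTargetUrl()`, which the next hunk verifies is read twice — confirm against ZapScanner) would make a regression in the auth configuration visible in this unit test instead of only in a live ZAP run. The enclosing test method starts before this hunk and continues past it.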
@@ -370,19 +380,19 @@ void configure_login_inside_owasp_zap_using_basic_auth_results_in_expected_calls when(clientApiFacade.setForcedUserModeEnabled(true)).thenReturn(response); /* execute */ - UserInformation userInformation = scannerToTest.configureLoginInsideOwaspZapContext(contextId); + UserInformation userInformation = scannerToTest.configureLoginInsideZapContext(contextId); /* test */ - assertEquals(userName, userInformation.getUserName()); - assertEquals(userId, userInformation.getOwaspZapuserId()); + assertEquals(userName, userInformation.userName()); + assertEquals(userId, userInformation.zapuserId()); verify(scanContext, times(2)).getTargetUrl(); verify(scanContext, times(1)).getAuthenticationType(); verify(clientApiFacade, times(1)).configureAuthenticationMethod(eq(contextId), - eq(AuthenticationType.HTTP_BASIC_AUTHENTICATION.getOwaspZapAuthenticationMethod()), any()); + eq(AuthenticationType.HTTP_BASIC_AUTHENTICATION.getZapAuthenticationMethod()), any()); verify(clientApiFacade, times(1)).sessionManagementMethod(eq(contextId), - eq(SessionManagementType.HTTP_AUTH_SESSION_MANAGEMENT.getOwaspZapSessionManagementMethod()), any()); + eq(SessionManagementType.HTTP_AUTH_SESSION_MANAGEMENT.getZapSessionManagementMethod()), any()); verify(clientApiFacade, times(1)).createNewUser(contextId, userName); verify(clientApiFacade, times(1)).configureAuthenticationCredentials(eq(contextId), eq(userId), any()); verify(clientApiFacade, times(1)).setForcedUser(contextId, userId); 
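Review bot: The new accessor call `userInformation.zapuserId()` breaks lowerCamelCase (the old `getOwaspZapuserId()` had the same flaw), and since `UserInformation` appears to have become a record here (the sibling accessor is `userName()`), this rename is the moment to fix it so the assertion reads `assertEquals(userId, userInformation.zapUserId());`. The component itself is declared in ZapScanner.UserInformation, outside this hunk, and every other caller of the accessor would need the same change.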
@@ -390,21 +400,21 @@ void configure_login_inside_owasp_zap_using_basic_auth_results_in_expected_calls } @Test - void generate_report_calls_api_facade_once() throws ClientApiException { - /* prepare */ - when(scanContext.getReportFile()) - .thenReturn(Paths.get("src/test/resources/sechub-config-examples/no-auth-with-openapi-file.json")); - ApiResponse response = mock(ApiResponse.class); - when(clientApiFacade.generateReport(any(), any(), any(), any(), any(), any(), any(), any(), any(), any(), any(), - any(), any())).thenReturn(response); - - /* execute */ - scannerToTest.generateOwaspZapReport(); - - /* test */ - verify(clientApiFacade, times(1)).generateReport(any(), any(), any(), any(), any(), any(), any(), any(), any(), - any(), any(), any(), any()); - } + void generate_report_calls_api_facade_once() throws ClientApiException { + /* prepare */ + when(scanContext.getReportFile()) + .thenReturn(Paths.get("src/test/resources/sechub-config-examples/no-auth-with-openapi-file.json")); + ApiResponse response = mock(ApiResponse.class); + when(clientApiFacade.generateReport(any(), any(), any(), any(), any(), any(), any(), any(), any(), any(), any(), + any(), any())).thenReturn(response); + + /* execute */ + scannerToTest.generateZapReport(); + + /* test */ + verify(clientApiFacade, times(1)).generateReport(any(), any(), any(), any(), any(), any(), any(), any(), any(), + any(), any(), any(), any()); + } @Test void cleanup_after_scan() throws ClientApiException { 
@@ -467,9 +477,9 @@ void cleanup_after_scan_with_onylForUrls_headers_set_cleans_up_all_replacer_rule @Test void wait_for_ajaxSpider_scan_is_cancelled_results_in_exception_with_dedicated_exit_code() throws ClientApiException { /* prepare */ - scannerToTest.owaspZapEventHandler = owaspZapEventHandler; - when(owaspZapEventHandler.isScanCancelled()).thenReturn(true); - doCallRealMethod().when(owaspZapEventHandler).cancelScan(contextName); + scannerToTest.zapEventHandler = zapEventHandler; + when(zapEventHandler.isScanCancelled()).thenReturn(true); + doCallRealMethod().when(zapEventHandler).cancelScan(contextName); when(scanContext.getMaxScanDurationInMillis()).thenReturn(20000L); when(scanContext.isActiveScanEnabled()).thenReturn(true);
@@ -483,7 +493,7 @@ void wait_for_ajaxSpider_scan_is_cancelled_results_in_exception_with_dedicated_e /* test */ assertEquals(ZapWrapperExitCode.SCAN_JOB_CANCELLED, exception.getExitCode()); - verify(owaspZapEventHandler, times(2)).isScanCancelled(); + verify(zapEventHandler, times(2)).isScanCancelled(); verify(scanContext, times(1)).getMaxScanDurationInMillis(); verify(scanContext, times(1)).isActiveScanEnabled(); verify(clientApiFacade, times(1)).stopAjaxSpider();
@@ -492,8 +502,8 @@ void wait_for_ajaxSpider_scan_is_cancelled_results_in_exception_with_dedicated_e @Test void wait_for_ajaxSpider_scan_ended_results_in_expected_calls() throws ClientApiException { /* prepare */ - scannerToTest.owaspZapEventHandler = owaspZapEventHandler; - when(owaspZapEventHandler.isScanCancelled()).thenReturn(false); + scannerToTest.zapEventHandler = zapEventHandler; + when(zapEventHandler.isScanCancelled()).thenReturn(false); when(scanContext.getMaxScanDurationInMillis()).thenReturn(1000L); when(scanContext.isActiveScanEnabled()).thenReturn(true);
@@ -516,9 +526,9 @@ void wait_for_spider_scan_is_cancelled_results_in_exception_with_dedicated_exit_ /* prepare */ String scanId = "12345"; - scannerToTest.owaspZapEventHandler = owaspZapEventHandler; - when(owaspZapEventHandler.isScanCancelled()).thenReturn(true); - doCallRealMethod().when(owaspZapEventHandler).cancelScan(contextName); + scannerToTest.zapEventHandler = zapEventHandler; + when(zapEventHandler.isScanCancelled()).thenReturn(true); + doCallRealMethod().when(zapEventHandler).cancelScan(contextName); when(scanContext.getMaxScanDurationInMillis()).thenReturn(20000L); when(scanContext.isActiveScanEnabled()).thenReturn(true);
@@ -532,7 +542,7 @@ void wait_for_spider_scan_is_cancelled_results_in_exception_with_dedicated_exit_ /* test */ assertEquals(ZapWrapperExitCode.SCAN_JOB_CANCELLED, exception.getExitCode()); - verify(owaspZapEventHandler, times(2)).isScanCancelled(); + verify(zapEventHandler, times(2)).isScanCancelled(); verify(scanContext, times(1)).getMaxScanDurationInMillis(); verify(scanContext, times(1)).isActiveScanEnabled(); verify(clientApiFacade, times(1)).stopSpiderScan(scanId);
@@ -543,13 +553,13 @@ void wait_for_spider_scan_ended_results_in_expected_calls() throws ClientApiExce /* prepare */ String scanId = "12345"; - scannerToTest.owaspZapEventHandler = owaspZapEventHandler; - when(owaspZapEventHandler.isScanCancelled()).thenReturn(false); + scannerToTest.zapEventHandler = zapEventHandler; + when(zapEventHandler.isScanCancelled()).thenReturn(false); when(scanContext.getMaxScanDurationInMillis()).thenReturn(1000L); when(scanContext.isActiveScanEnabled()).thenReturn(true); - OwaspZapProductMessageHelper messageHelper = mock(OwaspZapProductMessageHelper.class); - when(scanContext.getOwaspZapProductMessageHelper()).thenReturn(messageHelper); + ZapProductMessageHelper messageHelper = mock(ZapProductMessageHelper.class); + when(scanContext.getZapProductMessageHelper()).thenReturn(messageHelper); doNothing().when(messageHelper).writeUserMessagesWithScannedURLs(any()); when(clientApiFacade.stopSpiderScan(scanId)).thenReturn(null);
@@ -562,7 +572,7 @@ void wait_for_spider_scan_ended_results_in_expected_calls() throws ClientApiExce /* test */ verify(scanContext, times(1)).getMaxScanDurationInMillis(); verify(scanContext, times(1)).isActiveScanEnabled(); - verify(scanContext, times(1)).getOwaspZapProductMessageHelper(); + verify(scanContext, times(1)).getZapProductMessageHelper(); verify(messageHelper, times(1)).writeUserMessagesWithScannedURLs(any()); verify(clientApiFacade, atLeast(1)).getSpiderStatusForScan(scanId); verify(clientApiFacade, times(1)).stopSpiderScan(scanId);
@@ -572,9 +582,9 @@ void wait_for_spider_scan_ended_results_in_expected_calls() throws ClientApiExce @Test void wait_for_passiveScan_scan_is_cancelled_results_in_exception_with_dedicated_exit_code() throws ClientApiException { /* prepare */ - scannerToTest.owaspZapEventHandler = owaspZapEventHandler; - when(owaspZapEventHandler.isScanCancelled()).thenReturn(true); - doCallRealMethod().when(owaspZapEventHandler).cancelScan(contextName); + scannerToTest.zapEventHandler = zapEventHandler; + when(zapEventHandler.isScanCancelled()).thenReturn(true); + doCallRealMethod().when(zapEventHandler).cancelScan(contextName); when(scanContext.getMaxScanDurationInMillis()).thenReturn(20000L); when(scanContext.isActiveScanEnabled()).thenReturn(false);
@@ -589,7 +599,7 @@ void wait_for_passiveScan_scan_is_cancelled_results_in_exception_with_dedicated_ /* test */ assertEquals(ZapWrapperExitCode.SCAN_JOB_CANCELLED, exception.getExitCode()); - verify(owaspZapEventHandler, times(2)).isScanCancelled(); + verify(zapEventHandler, times(2)).isScanCancelled(); verify(scanContext, times(1)).getMaxScanDurationInMillis(); verify(scanContext, times(1)).isActiveScanEnabled(); verify(scanContext, times(1)).isAjaxSpiderEnabled();
@@ -599,8 +609,8 @@ void wait_for_passiveScan_scan_is_cancelled_results_in_exception_with_dedicated_ @Test void wait_for_passiveScan_scan_is_ended_results_in_expected_calls() throws ClientApiException { /* prepare */ - scannerToTest.owaspZapEventHandler = owaspZapEventHandler; - when(owaspZapEventHandler.isScanCancelled()).thenReturn(false); + scannerToTest.zapEventHandler = zapEventHandler; + when(zapEventHandler.isScanCancelled()).thenReturn(false); when(scanContext.getMaxScanDurationInMillis()).thenReturn(20000L); when(scanContext.isActiveScanEnabled()).thenReturn(false);
@@ -623,9 +633,9 @@ void wait_for_activeScan_scan_is_cancelled_results_in_exception_with_dedicated_e /* prepare */ String scanId = "12345"; - scannerToTest.owaspZapEventHandler = owaspZapEventHandler; - when(owaspZapEventHandler.isScanCancelled()).thenReturn(true); - doCallRealMethod().when(owaspZapEventHandler).cancelScan(contextName); + scannerToTest.zapEventHandler = zapEventHandler; + when(zapEventHandler.isScanCancelled()).thenReturn(true); + doCallRealMethod().when(zapEventHandler).cancelScan(contextName); when(clientApiFacade.getActiveScannerStatusForScan(scanId)).thenReturn(42); when(clientApiFacade.stopActiveScan(scanId)).thenReturn(null);
@@ -637,7 +647,7 @@ void wait_for_activeScan_scan_is_cancelled_results_in_exception_with_dedicated_e /* test */ assertEquals(ZapWrapperExitCode.SCAN_JOB_CANCELLED, exception.getExitCode()); - verify(owaspZapEventHandler, times(2)).isScanCancelled(); + verify(zapEventHandler, times(2)).isScanCancelled(); verify(clientApiFacade, never()).getActiveScannerStatusForScan(scanId); verify(clientApiFacade, times(1)).stopActiveScan(scanId); }
@@ -647,8 +657,8 @@ void wait_for_activeScan_scan_is_ended_results_in_expected_calls() throws Client /* prepare */ String scanId = "12345"; - scannerToTest.owaspZapEventHandler = owaspZapEventHandler; - when(owaspZapEventHandler.isScanCancelled()).thenReturn(false); + scannerToTest.zapEventHandler = zapEventHandler; + when(zapEventHandler.isScanCancelled()).thenReturn(false); when(clientApiFacade.getActiveScannerStatusForScan(scanId)).thenReturn(100); when(clientApiFacade.stopActiveScan(scanId)).thenReturn(null);
@@ -664,8 +674,8 @@ void wait_for_activeScan_scan_is_ended_results_in_expected_calls() throws Client @Test void run_ajaxSpider_scan_ended_results_in_expected_calls() throws ClientApiException { /* prepare */ - scannerToTest.owaspZapEventHandler = owaspZapEventHandler; - when(owaspZapEventHandler.isScanCancelled()).thenReturn(false); + scannerToTest.zapEventHandler = zapEventHandler; + when(zapEventHandler.isScanCancelled()).thenReturn(false); when(scanContext.getMaxScanDurationInMillis()).thenReturn(1000L); when(scanContext.isActiveScanEnabled()).thenReturn(true);
@@ -688,13 +698,13 @@ void run_spider_scan_ended_results_in_expected_calls() throws ClientApiException /* prepare */ String scanId = "12345"; - scannerToTest.owaspZapEventHandler = owaspZapEventHandler; - when(owaspZapEventHandler.isScanCancelled()).thenReturn(false); + scannerToTest.zapEventHandler = zapEventHandler; + when(zapEventHandler.isScanCancelled()).thenReturn(false); when(scanContext.getMaxScanDurationInMillis()).thenReturn(1000L); when(scanContext.isActiveScanEnabled()).thenReturn(true); - OwaspZapProductMessageHelper messageHelper = mock(OwaspZapProductMessageHelper.class); - when(scanContext.getOwaspZapProductMessageHelper()).thenReturn(messageHelper); + ZapProductMessageHelper messageHelper = mock(ZapProductMessageHelper.class); + when(scanContext.getZapProductMessageHelper()).thenReturn(messageHelper); doNothing().when(messageHelper).writeUserMessagesWithScannedURLs(any()); when(clientApiFacade.stopSpiderScan(scanId)).thenReturn(null);
@@ -708,7 +718,7 @@ void run_spider_scan_ended_results_in_expected_calls() throws ClientApiException /* test */ verify(scanContext, times(1)).getMaxScanDurationInMillis(); verify(scanContext, times(1)).isActiveScanEnabled(); - verify(scanContext, times(1)).getOwaspZapProductMessageHelper(); + verify(scanContext, times(1)).getZapProductMessageHelper(); verify(messageHelper, times(1)).writeUserMessagesWithScannedURLs(any()); verify(clientApiFacade, atLeast(1)).getSpiderStatusForScan(scanId); verify(clientApiFacade, times(1)).stopSpiderScan(scanId);
@@ -721,8 +731,8 @@ void run_activeScan_scan_is_ended_results_in_expected_calls() throws ClientApiEx /* prepare */ String scanId = "12345"; - scannerToTest.owaspZapEventHandler = owaspZapEventHandler; - when(owaspZapEventHandler.isScanCancelled()).thenReturn(false); + scannerToTest.zapEventHandler = zapEventHandler; + when(zapEventHandler.isScanCancelled()).thenReturn(false); scannerToTest.remainingScanTime = 100L;
diff --git a/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/owaspzapwrapper/util/FileUtilitiesTest.java b/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/zapwrapper/util/FileUtilitiesTest.java
similarity index 68%
rename from sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/owaspzapwrapper/util/FileUtilitiesTest.java
rename to sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/zapwrapper/util/FileUtilitiesTest.java
index 18d3cc8d06..d56274df02 100644
--- a/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/owaspzapwrapper/util/FileUtilitiesTest.java
+++ b/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/zapwrapper/util/FileUtilitiesTest.java
@@ -1,13 +1,15 @@ // SPDX-License-Identifier: MIT -package com.mercedesbenz.sechub.owaspzapwrapper.util; +package com.mercedesbenz.sechub.zapwrapper.util; -import static org.junit.jupiter.api.Assertions.*; +import static org.junit.jupiter.api.Assertions.assertEquals; +import static org.junit.jupiter.api.Assertions.assertThrows; +import static org.junit.jupiter.api.Assertions.assertTrue; import java.io.File; import org.junit.jupiter.api.Test; -import com.mercedesbenz.sechub.owaspzapwrapper.cli.ZapWrapperRuntimeException; +import com.mercedesbenz.sechub.zapwrapper.cli.ZapWrapperRuntimeException; class FileUtilitiesTest { diff --git a/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/owaspzapwrapper/util/TargetConnectionCheckerTest.java b/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/zapwrapper/util/TargetConnectionCheckerTest.java similarity index 83% rename from sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/owaspzapwrapper/util/TargetConnectionCheckerTest.java rename to sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/zapwrapper/util/TargetConnectionCheckerTest.java index 0df27c89a0..cb05f10038 100644 --- a/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/owaspzapwrapper/util/TargetConnectionCheckerTest.java +++ b/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/zapwrapper/util/TargetConnectionCheckerTest.java @@ -1,7 +1,8 @@ // SPDX-License-Identifier: MIT -package com.mercedesbenz.sechub.owaspzapwrapper.util; +package com.mercedesbenz.sechub.zapwrapper.util; -import static org.junit.jupiter.api.Assertions.*; +import static org.junit.jupiter.api.Assertions.assertFalse; +import static org.junit.jupiter.api.Assertions.assertTrue; import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.params.ParameterizedTest; 
diff --git a/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/owaspzapwrapper/util/UrlUtilTest.java b/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/zapwrapper/util/UrlUtilTest.java similarity index 93% rename from sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/owaspzapwrapper/util/UrlUtilTest.java rename to sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/zapwrapper/util/UrlUtilTest.java index 29ab684f34..b258d37fc1 100644 --- a/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/owaspzapwrapper/util/UrlUtilTest.java +++ b/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/zapwrapper/util/UrlUtilTest.java @@ -1,7 +1,7 @@ // SPDX-License-Identifier: MIT -package com.mercedesbenz.sechub.owaspzapwrapper.util; +package com.mercedesbenz.sechub.zapwrapper.util; -import static org.junit.jupiter.api.Assertions.*; +import static org.junit.jupiter.api.Assertions.assertEquals; import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.api.Test; diff --git a/sechub-wrapper-owasp-zap/src/test/resources/wrapper-deactivated-rule-examples/owaspzap-rules-to-deactivate.json b/sechub-wrapper-owasp-zap/src/test/resources/wrapper-deactivated-rule-examples/zap-rules-to-deactivate.json similarity index 100% rename from sechub-wrapper-owasp-zap/src/test/resources/wrapper-deactivated-rule-examples/owaspzap-rules-to-deactivate.json rename to sechub-wrapper-owasp-zap/src/test/resources/wrapper-deactivated-rule-examples/zap-rules-to-deactivate.json diff --git a/sechub-wrapper-owasp-zap/src/test/resources/zap-available-rules/owaspzap-full-ruleset.json b/sechub-wrapper-owasp-zap/src/test/resources/zap-available-rules/zap-full-ruleset.json similarity index 100% rename from sechub-wrapper-owasp-zap/src/test/resources/zap-available-rules/owaspzap-full-ruleset.json rename to sechub-wrapper-owasp-zap/src/test/resources/zap-available-rules/zap-full-ruleset.json 
From b3d4feeefaa699a3f155d23554c20ea36ef9d617 Mon Sep 17 00:00:00 2001 From: Jan Winz Date: Fri, 25 Aug 2023 13:18:33 +0200 Subject: [PATCH 05/11] PR review changes #2436 - refactor and format classes - add static from method to ZapScanner - improve error handling --- .../zapwrapper/cli/ZapScanExecutor.java | 10 +++--- .../config/ZapScanContextFactory.java | 5 +-- ...ApiFactory.java => ZapScannerFactory.java} | 17 +++++++--- .../zapwrapper/helper/ZapEventHandler.java | 9 +++-- .../{ => internal}/scan/ClientApiFacade.java | 2 +- .../sechub/zapwrapper/scan/ZapScanner.java | 33 ++++++++++++++++--- ...ryTest.java => ZapScannerFactoryTest.java} | 22 +++++++++---- .../zapwrapper/scan/ZapScannerTest.java | 3 +- 8 files changed, 72 insertions(+), 29 deletions(-) rename sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/config/{ZapClientApiFactory.java => ZapScannerFactory.java} (71%) rename sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/{ => internal}/scan/ClientApiFacade.java (99%) rename sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/zapwrapper/config/{ZapClientApiFactoryTest.java => ZapScannerFactoryTest.java} (69%) diff --git a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/cli/ZapScanExecutor.java b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/cli/ZapScanExecutor.java index 0877dedd96..076eac6fe0 100644 --- a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/cli/ZapScanExecutor.java +++ b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/cli/ZapScanExecutor.java 
@@ -4,21 +4,20 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; -import com.mercedesbenz.sechub.zapwrapper.config.ZapClientApiFactory; import com.mercedesbenz.sechub.zapwrapper.config.ZapScanContext; -import com.mercedesbenz.sechub.zapwrapper.scan.ClientApiFacade; +import com.mercedesbenz.sechub.zapwrapper.config.ZapScannerFactory; import com.mercedesbenz.sechub.zapwrapper.scan.ZapScanner; import com.mercedesbenz.sechub.zapwrapper.util.TargetConnectionChecker; public class ZapScanExecutor { private static final Logger LOG = LoggerFactory.getLogger(ZapScanExecutor.class); - ZapClientApiFactory clientApiFactory; + ZapScannerFactory zapScannerFactory; TargetConnectionChecker connectionChecker; public ZapScanExecutor() { - clientApiFactory = new ZapClientApiFactory(); + zapScannerFactory = new ZapScannerFactory(); connectionChecker = new TargetConnectionChecker(); } @@ -27,9 +26,8 @@ public void execute(ZapScanContext scanContext) throws ZapWrapperRuntimeExceptio connectionChecker.assertApplicationIsReachable(scanContext); } - ClientApiFacade clientApiFacade = clientApiFactory.create(scanContext.getServerConfig()); + ZapScanner zapScanner = zapScannerFactory.create(scanContext); - ZapScanner zapScanner = new ZapScanner(clientApiFacade, scanContext); LOG.info("Starting Zap scan."); zapScanner.scan(); } diff --git a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/config/ZapScanContextFactory.java b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/config/ZapScanContextFactory.java index 931d7486d3..64f3e3a62b 100644 --- a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/config/ZapScanContextFactory.java +++ b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/config/ZapScanContextFactory.java 
@@ -92,8 +92,9 @@ public ZapScanContext create(CommandLineSettings settings) { String userMessagesFolder = environmentVariableReader.readAsString(EnvironmentVariableConstants.PDS_JOB_USER_MESSAGES_FOLDER); if (userMessagesFolder == null) { - throw new IllegalStateException( - "PDS configuration invalid. Cannot send user messages, because environment variable PDS_JOB_USER_MESSAGES_FOLDER is not set."); + throw new ZapWrapperRuntimeException( + "PDS configuration invalid. Cannot send user messages, because environment variable PDS_JOB_USER_MESSAGES_FOLDER is not set.", + ZapWrapperExitCode.PDS_CONFIGURATION_ERROR); } ZapProductMessageHelper productMessagehelper = new ZapProductMessageHelper(userMessagesFolder); checkForIncludeExcludeErrors(userMessages, productMessagehelper); diff --git a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/config/ZapClientApiFactory.java b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/config/ZapScannerFactory.java similarity index 71% rename from sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/config/ZapClientApiFactory.java rename to sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/config/ZapScannerFactory.java index b2f507829e..568f0ac176 100644 --- a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/config/ZapClientApiFactory.java +++ b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/config/ZapScannerFactory.java 
@@ -7,21 +7,28 @@ import com.mercedesbenz.sechub.zapwrapper.cli.ZapWrapperExitCode; import com.mercedesbenz.sechub.zapwrapper.cli.ZapWrapperRuntimeException; -import com.mercedesbenz.sechub.zapwrapper.scan.ClientApiFacade; +import com.mercedesbenz.sechub.zapwrapper.internal.scan.ClientApiFacade; +import com.mercedesbenz.sechub.zapwrapper.scan.ZapScanner; -public class ZapClientApiFactory { - private static final Logger LOG = LoggerFactory.getLogger(ZapClientApiFactory.class); +public class ZapScannerFactory { + private static final Logger LOG = LoggerFactory.getLogger(ZapScannerFactory.class); + + public ZapScanner create(ZapScanContext scanContext) { + if (scanContext == null) { + throw new ZapWrapperRuntimeException("Zap scan configuration may not be null!", ZapWrapperExitCode.UNSUPPORTED_CONFIGURATION); + } - public ClientApiFacade create(ZapServerConfiguration serverConfig) { LOG.info("Creating Zap ClientApi."); + ZapServerConfiguration serverConfig = scanContext.getServerConfig(); assertValidServerConfig(serverConfig); String zaproxyHost = serverConfig.getZaproxyHost(); int zaproxyPort = serverConfig.getZaproxyPort(); String zaproxyApiKey = serverConfig.getZaproxyApiKey(); ClientApi clientApi = new ClientApi(zaproxyHost, zaproxyPort, zaproxyApiKey); + ClientApiFacade clientApiFacade = new ClientApiFacade(clientApi); - return new ClientApiFacade(clientApi); + return ZapScanner.from(clientApiFacade, scanContext); } private void assertValidServerConfig(ZapServerConfiguration serverConfig) { diff --git a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/helper/ZapEventHandler.java b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/helper/ZapEventHandler.java index 6fccce041d..3ebedbd793 100644 --- a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/helper/ZapEventHandler.java +++ b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/helper/ZapEventHandler.java 
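Review bot: The new public entry point `create(ZapScanContext)` has no Javadoc even though `ZapScanExecutor` now depends on it exclusively; a short doc comment should state that it validates the server configuration taken from the context, builds the ZAP `ClientApi` from host, port and API key, and throws `ZapWrapperRuntimeException` with `UNSUPPORTED_CONFIGURATION` when the context is null (the exit code used by `assertValidServerConfig` belongs to that method, whose body lies outside this hunk). The log line `LOG.info("Creating Zap ClientApi.");` could also name the endpoint so connection problems are diagnosable without ever printing the key, e.g. `LOG.info("Creating Zap ClientApi for {}:{}", zaproxyHost, zaproxyPort);`.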
@@ -11,10 +11,15 @@ public class ZapEventHandler { File cancelEventFile; + EnvironmentVariableReader environmentVariableReader = new EnvironmentVariableReader(); public ZapEventHandler() { - this.cancelEventFile = new File(new EnvironmentVariableReader().readAsString(EnvironmentVariableConstants.PDS_JOB_EVENTS_FOLDER), - "cancel_requested.json"); + String pdsJobEventsFolder = environmentVariableReader.readAsString(EnvironmentVariableConstants.PDS_JOB_EVENTS_FOLDER); + if (pdsJobEventsFolder == null) { + throw new ZapWrapperRuntimeException("PDS configuration invalid. Cannot send user messages, because environment variable " + + EnvironmentVariableConstants.PDS_JOB_EVENTS_FOLDER + " is not set.", ZapWrapperExitCode.PDS_CONFIGURATION_ERROR); + } + this.cancelEventFile = new File(pdsJobEventsFolder, "cancel_requested.json"); } public boolean isScanCancelled() { diff --git a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/scan/ClientApiFacade.java b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/internal/scan/ClientApiFacade.java similarity index 99% rename from sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/scan/ClientApiFacade.java rename to sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/internal/scan/ClientApiFacade.java index f0cda11559..39099254ba 100644 --- a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/scan/ClientApiFacade.java +++ b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/internal/scan/ClientApiFacade.java @@ -1,5 +1,5 @@ // SPDX-License-Identifier: MIT -package com.mercedesbenz.sechub.zapwrapper.scan; +package com.mercedesbenz.sechub.zapwrapper.internal.scan; import java.util.ArrayList; import java.util.List; 
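Review bot: The new null check throws with the text `Cannot send user messages` although the missing variable is `PDS_JOB_EVENTS_FOLDER`, which this handler uses only to locate `cancel_requested.json`; the wording looks copied from `ZapScanContextFactory` and would point an operator at the wrong setting. Change it to `"PDS configuration invalid. Cannot check for job events, because environment variable " + EnvironmentVariableConstants.PDS_JOB_EVENTS_FOLDER + " is not set."`. Because `environmentVariableReader` is a field initialiser it is already evaluated when the constructor runs, so a test cannot substitute a mock before the read happens; passing the folder (or the reader) as a constructor argument would make the class testable.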
diff --git a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/scan/ZapScanner.java b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/scan/ZapScanner.java index 0271689e0b..bc65a858a7 100644 --- a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/scan/ZapScanner.java +++ b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/scan/ZapScanner.java @@ -35,6 +35,7 @@ import com.mercedesbenz.sechub.zapwrapper.config.data.ZapFullRuleset; import com.mercedesbenz.sechub.zapwrapper.helper.ScanDurationHelper; import com.mercedesbenz.sechub.zapwrapper.helper.ZapEventHandler; +import com.mercedesbenz.sechub.zapwrapper.internal.scan.ClientApiFacade; import com.mercedesbenz.sechub.zapwrapper.util.SystemUtil; import com.mercedesbenz.sechub.zapwrapper.util.UrlUtil; 
@@ -52,14 +53,36 @@ public class ZapScanner implements ZapScan { long remainingScanTime; - public ZapScanner(ClientApiFacade clientApiFacade, ZapScanContext scanContext) { + public static ZapScanner from(ClientApiFacade clientApiFacade, ZapScanContext scanContext) { + if (clientApiFacade == null) { + throw new ZapWrapperRuntimeException("Cannot create Zap Scanner because ClientApiFacade is null!", ZapWrapperExitCode.UNSUPPORTED_CONFIGURATION); + } + + if (scanContext == null) { + throw new ZapWrapperRuntimeException("Cannot create Zap Scanner because ClientApiFacade is null!", ZapWrapperExitCode.UNSUPPORTED_CONFIGURATION); + } + + if (scanContext.getMaxScanDurationInMillis() == 0) { + throw new ZapWrapperRuntimeException("Cannot create Zap Scanner because ClientApiFacade is null!", ZapWrapperExitCode.UNSUPPORTED_CONFIGURATION); + } + + ScanDurationHelper scanDurationHelper = new ScanDurationHelper(); + ZapEventHandler zapEventHandler = new ZapEventHandler(); + UrlUtil urlUtil = new UrlUtil(); + SystemUtil systemUtil = new SystemUtil(); + + return new ZapScanner(clientApiFacade, scanContext, scanDurationHelper, zapEventHandler, urlUtil, systemUtil); + } + + private ZapScanner(ClientApiFacade clientApiFacade, ZapScanContext scanContext, ScanDurationHelper scanDurationHelper, ZapEventHandler zapEventHandler, + UrlUtil urlUtil, SystemUtil systemUtil) { this.clientApiFacade = clientApiFacade; this.scanContext = scanContext; - this.scanDurationHelper = new ScanDurationHelper(); - this.zapEventHandler = new ZapEventHandler(); - this.urlUtil = new UrlUtil(); - this.systemUtil = new SystemUtil(); + this.scanDurationHelper = scanDurationHelper; + this.zapEventHandler = zapEventHandler; + this.urlUtil = urlUtil; + this.systemUtil = systemUtil; this.remainingScanTime = scanContext.getMaxScanDurationInMillis(); } 
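Review bot: All three guards in `from` throw the same text `Cannot create Zap Scanner because ClientApiFacade is null!`, so a null context or a zero `maxScanDurationInMillis` is reported as a null facade. Give each condition its own message: `"Cannot create Zap Scanner because ZapScanContext is null!"` for the second guard and `"Cannot create Zap Scanner because max scan duration is 0!"` for the third. The third guard also rejects only exactly zero; a negative duration passes and is copied into `remainingScanTime`, so `<= 0` presumably matches the intent, although what a negative value should mean is not visible here.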
diff --git a/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/zapwrapper/config/ZapClientApiFactoryTest.java b/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/zapwrapper/config/ZapScannerFactoryTest.java similarity index 69% rename from sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/zapwrapper/config/ZapClientApiFactoryTest.java rename to sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/zapwrapper/config/ZapScannerFactoryTest.java index a7de1f3ee7..3cbfc889c4 100644 --- a/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/zapwrapper/config/ZapClientApiFactoryTest.java +++ b/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/zapwrapper/config/ZapScannerFactoryTest.java @@ -3,6 +3,8 @@ import static org.junit.Assert.assertNotNull; import static org.junit.Assert.assertThrows; +import static org.mockito.Mockito.mock; +import static org.mockito.Mockito.when; import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.api.Test; @@ -11,15 +13,15 @@ import org.zaproxy.clientapi.core.ClientApiException; import com.mercedesbenz.sechub.zapwrapper.cli.ZapWrapperRuntimeException; -import com.mercedesbenz.sechub.zapwrapper.scan.ClientApiFacade; +import com.mercedesbenz.sechub.zapwrapper.scan.ZapScanner; -class ZapClientApiFactoryTest { +class ZapScannerFactoryTest { - private ZapClientApiFactory factoryToTest; + private ZapScannerFactory factoryToTest; @BeforeEach void beforeEach() { - factoryToTest = new ZapClientApiFactory(); + factoryToTest = new ZapScannerFactory(); } @Test 
@@ -33,11 +35,14 @@ void valid_configuration_returns_clientapi_object() throws ClientApiException { /* prepare */ ZapServerConfiguration serverConfig = new ZapServerConfiguration("127.0.0.1", 8080, "secret-key"); + ZapScanContext scanContext = mock(ZapScanContext.class); + when(scanContext.getServerConfig()).thenReturn(serverConfig); + /* execute */ - ClientApiFacade clientApiFacade = factoryToTest.create(serverConfig); + ZapScanner zapScanner = factoryToTest.create(scanContext); /* test */ - assertNotNull(clientApiFacade); + assertNotNull(zapScanner); } /* @formatter:off */ @@ -52,8 +57,11 @@ void configuration_where_one_field_is_null_or_invalid_throws_mustexitruntimeexce /* prepare */ ZapServerConfiguration serverConfig = new ZapServerConfiguration(host, port, apiKey); + ZapScanContext scanContext = mock(ZapScanContext.class); + when(scanContext.getServerConfig()).thenReturn(serverConfig); + /* execute + test */ - assertThrows(ZapWrapperRuntimeException.class, () -> factoryToTest.create(serverConfig)); + assertThrows(ZapWrapperRuntimeException.class, () -> factoryToTest.create(scanContext)); } } diff --git a/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/zapwrapper/scan/ZapScannerTest.java b/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/zapwrapper/scan/ZapScannerTest.java index b5e47c6090..8a64ed40e3 100644 --- a/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/zapwrapper/scan/ZapScannerTest.java +++ b/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/zapwrapper/scan/ZapScannerTest.java 
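Review bot: `valid_configuration_returns_clientapi_object` stubs only `getServerConfig()` on the mocked `ZapScanContext`, so `getMaxScanDurationInMillis()` returns Mockito's default `0L` and `ZapScanner.from(...)` as written in this series throws `ZapWrapperRuntimeException` for it, which would fail the test at this commit; stub it, e.g. `when(scanContext.getMaxScanDurationInMillis()).thenReturn(1000L);`. The test name still says "clientapi object" although the factory now returns a `ZapScanner`; `valid_configuration_returns_zapscanner_object` would describe what is asserted.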
@@ -52,6 +52,7 @@ import com.mercedesbenz.sechub.zapwrapper.helper.ZapEventHandler; import com.mercedesbenz.sechub.zapwrapper.helper.ZapProductMessageHelper; import com.mercedesbenz.sechub.zapwrapper.helper.ZapURLType; +import com.mercedesbenz.sechub.zapwrapper.internal.scan.ClientApiFacade; import com.mercedesbenz.sechub.zapwrapper.scan.ZapScanner.UserInformation; import com.mercedesbenz.sechub.zapwrapper.util.SystemUtil; @@ -78,7 +79,7 @@ void beforeEach() { zapEventHandler = mock(ZapEventHandler.class); // assign mocks - scannerToTest = new ZapScanner(clientApiFacade, scanContext); + scannerToTest = ZapScanner.from(clientApiFacade, scanContext); scannerToTest.systemUtil = systemUtil; scannerToTest.zapEventHandler = zapEventHandler; From 53678996c9e81679401623dd2fa9fbab1f083995 Mon Sep 17 00:00:00 2001 From: Jan Winz Date: Fri, 25 Aug 2023 15:09:31 +0200 Subject: [PATCH 06/11] Add command line parameters for PDS env variable data #2371 --- .../zapwrapper/cli/CommandLineSettings.java | 20 ++++++++++ .../zapwrapper/config/ZapScanContext.java | 15 ++++++++ .../config/ZapScanContextFactory.java | 37 +++++++++++++++---- .../zapwrapper/helper/ZapEventHandler.java | 11 +----- .../sechub/zapwrapper/scan/ZapScanner.java | 22 +++++------ .../config/ZapScanContextFactoryTest.java | 23 +++--------- .../helper/ZapEventHandlerTest.java | 2 +- .../zapwrapper/scan/ZapScannerTest.java | 13 +------ 8 files changed, 85 insertions(+), 58 deletions(-) diff --git a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/cli/CommandLineSettings.java b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/cli/CommandLineSettings.java index 3bf94d8db1..99624d951c 100644 --- a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/cli/CommandLineSettings.java +++ b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/cli/CommandLineSettings.java 
@@ -155,4 +155,24 @@ public int getRetryWaittimeInMilliseconds() { } return retryWaittimeInMilliseconds; } + + @Parameter(names = { + "--pdsUserMessageFolder" }, description = "Folder where the user messages are written to. When using with SecHub+PDS solution this is not needed since the PDS provides the env variable: " + + EnvironmentVariableConstants.PDS_JOB_USER_MESSAGES_FOLDER + + ". This env variable is automatically used if this command line parameter is not set.", required = false) + private String pdsUserMessageFolder; + + public String getPDSUserMessageFolder() { + return pdsUserMessageFolder; + } + + @Parameter(names = { + "--pdsEventFolder" }, description = "Folder where the ZAP wrapper listens for events of the PDS, like cancel requests for the current job. When using with SecHub+PDS solution this is not needed since the PDS provides the env variable: " + + EnvironmentVariableConstants.PDS_JOB_EVENTS_FOLDER + + ". This env variable is automatically used if this command line parameter is not set.", required = false) + private String pdsEventFolder; + + public String getPDSEventFolder() { + return pdsEventFolder; + } } diff --git a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/config/ZapScanContext.java b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/config/ZapScanContext.java index b7137e6724..64c2108e69 100644 --- a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/config/ZapScanContext.java +++ b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/config/ZapScanContext.java 
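Review bot: The new accessors `getPDSUserMessageFolder()` and `getPDSEventFolder()` capitalise the acronym, unlike the neighbouring getters such as `getRetryWaittimeInMilliseconds()`; Java convention treats acronyms as words, so `getPdsUserMessageFolder()` and `getPdsEventFolder()` would be consistent, and the fields already use that form. Both descriptions say the environment variable is used when the parameter is absent but not that an explicit parameter wins when both are present, which is what `ZapScanContextFactory` implements; appending `If both are set, the command line parameter takes precedence.` to each description would document that.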
@@ -10,6 +10,7 @@ import com.mercedesbenz.sechub.zapwrapper.config.auth.AuthenticationType; import com.mercedesbenz.sechub.zapwrapper.config.data.DeactivatedRuleReferences; import com.mercedesbenz.sechub.zapwrapper.config.data.ZapFullRuleset; +import com.mercedesbenz.sechub.zapwrapper.helper.ZapEventHandler; import com.mercedesbenz.sechub.zapwrapper.helper.ZapProductMessageHelper; public class ZapScanContext { @@ -49,6 +50,7 @@ public class ZapScanContext { private int retryWaittimeInMilliseconds; private ZapProductMessageHelper zapProductMessageHelper; + private ZapEventHandler zapEventHandler; private ZapScanContext() { } @@ -147,6 +149,10 @@ public ZapProductMessageHelper getZapProductMessageHelper() { return zapProductMessageHelper; } + public ZapEventHandler getZapEventHandler() { + return zapEventHandler; + } + public static ZapBasicScanContextBuilder builder() { return new ZapBasicScanContextBuilder(); } @@ -190,6 +196,8 @@ public static class ZapBasicScanContextBuilder { private ZapProductMessageHelper zapProductMessageHelper; + private ZapEventHandler zapEventHandler; + public ZapBasicScanContextBuilder setServerConfig(ZapServerConfiguration serverConfig) { this.serverConfig = serverConfig; return this; @@ -290,6 +298,11 @@ public ZapBasicScanContextBuilder setZapProductMessageHelper(ZapProductMessageHe return this; } + public ZapBasicScanContextBuilder setZapEventHandler(ZapEventHandler zapEventHandler) { + this.zapEventHandler = zapEventHandler; + return this; + } + public ZapScanContext build() { ZapScanContext zapBasicScanConfiguration = new ZapScanContext(); zapBasicScanConfiguration.serverConfig = this.serverConfig; @@ -322,6 +335,8 @@ public ZapScanContext build() { zapBasicScanConfiguration.zapProductMessageHelper = this.zapProductMessageHelper; + zapBasicScanConfiguration.zapEventHandler = this.zapEventHandler; + return zapBasicScanConfiguration; } 
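Review bot: `build()`, whose start lies outside this hunk, copies `zapEventHandler` into the context without checking it, and the scanner dereferences `getZapEventHandler()` inside its polling loops, so a context built without `setZapEventHandler(...)` fails later with a NullPointerException instead of a configuration error. If the handler is mandatory, fail at construction time, e.g. `zapBasicScanConfiguration.zapEventHandler = Objects.requireNonNull(this.zapEventHandler, "zapEventHandler must be set");` (requires `java.util.Objects`); if partially built contexts are deliberately allowed for tests, say so in a Javadoc on `getZapEventHandler()`.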
diff --git a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/config/ZapScanContextFactory.java b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/config/ZapScanContextFactory.java index 64f3e3a62b..7b15f865a3 100644 --- a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/config/ZapScanContextFactory.java +++ b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/config/ZapScanContextFactory.java @@ -25,6 +25,7 @@ import com.mercedesbenz.sechub.zapwrapper.helper.BaseTargetUriFactory; import com.mercedesbenz.sechub.zapwrapper.helper.IncludeExcludeToZapURLHelper; import com.mercedesbenz.sechub.zapwrapper.helper.SecHubWebScanConfigurationHelper; +import com.mercedesbenz.sechub.zapwrapper.helper.ZapEventHandler; import com.mercedesbenz.sechub.zapwrapper.helper.ZapProductMessageHelper; import com.mercedesbenz.sechub.zapwrapper.helper.ZapURLType; import com.mercedesbenz.sechub.zapwrapper.util.EnvironmentVariableConstants; 
@@ -90,13 +91,9 @@ public ZapScanContext create(CommandLineSettings settings) { Set includeSet = createUrlsIncludedInContext(targetUrl, sechubWebConfig, userMessages); Set excludeSet = createUrlsExcludedFromContext(targetUrl, sechubWebConfig, userMessages); - String userMessagesFolder = environmentVariableReader.readAsString(EnvironmentVariableConstants.PDS_JOB_USER_MESSAGES_FOLDER); - if (userMessagesFolder == null) { - throw new ZapWrapperRuntimeException( - "PDS configuration invalid. Cannot send user messages, because environment variable PDS_JOB_USER_MESSAGES_FOLDER is not set.", - ZapWrapperExitCode.PDS_CONFIGURATION_ERROR); - } - ZapProductMessageHelper productMessagehelper = new ZapProductMessageHelper(userMessagesFolder); + ZapProductMessageHelper productMessagehelper = createZapProductMessageHelper(settings); + ZapEventHandler zapEventHandler = createZapEventhandler(settings); + checkForIncludeExcludeErrors(userMessages, productMessagehelper); /* @formatter:off */ @@ -121,6 +118,7 @@ public ZapScanContext create(CommandLineSettings settings) { .setMaxNumberOfConnectionRetries(settings.getMaxNumberOfConnectionRetries()) .setRetryWaittimeInMilliseconds(settings.getRetryWaittimeInMilliseconds()) .setZapProductMessageHelper(productMessagehelper) + .setZapEventHandler(zapEventHandler) .build(); /* @formatter:on */ return scanContext; 
@@ -236,6 +234,31 @@ private Set createUrlsExcludedFromContext(URL targetUrl, SecHubWebScanConfi return excludeSet; } + private ZapProductMessageHelper createZapProductMessageHelper(CommandLineSettings settings) { + String userMessagesFolder = settings.getPDSUserMessageFolder(); + if (userMessagesFolder == null) { + userMessagesFolder = environmentVariableReader.readAsString(EnvironmentVariableConstants.PDS_JOB_USER_MESSAGES_FOLDER); + } + if (userMessagesFolder == null) { + throw new ZapWrapperRuntimeException("PDS configuration invalid. Cannot send user messages, because environment variable " + + EnvironmentVariableConstants.PDS_JOB_USER_MESSAGES_FOLDER + " is not set.", ZapWrapperExitCode.PDS_CONFIGURATION_ERROR); + } + return new ZapProductMessageHelper(userMessagesFolder); + } + + private ZapEventHandler createZapEventhandler(CommandLineSettings settings) { + String pdsJobEventsFolder = settings.getPDSEventFolder(); + if (pdsJobEventsFolder == null) { + pdsJobEventsFolder = environmentVariableReader.readAsString(EnvironmentVariableConstants.PDS_JOB_EVENTS_FOLDER); + } + + if (pdsJobEventsFolder == null) { + throw new ZapWrapperRuntimeException("PDS configuration invalid. Cannot send check for job events, because environment variable " + + EnvironmentVariableConstants.PDS_JOB_EVENTS_FOLDER + " is not set.", ZapWrapperExitCode.PDS_CONFIGURATION_ERROR); + } + return new ZapEventHandler(pdsJobEventsFolder); + } + private void checkForIncludeExcludeErrors(List userMessages, ZapProductMessageHelper productMessageHelper) { if (userMessages == null) { return; diff --git a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/helper/ZapEventHandler.java b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/helper/ZapEventHandler.java index 3ebedbd793..c2a84a7285 100644 --- a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/helper/ZapEventHandler.java 
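Review bot: `createZapProductMessageHelper` and `createZapEventhandler` fall back to the environment variable only when the setting is `null`, so an empty command line value such as the `""` that `ZapScanContextFactoryTest` now stubs is accepted as a folder and the PDS-provided path is silently ignored; treat blank as unset in both helpers, e.g. `if (userMessagesFolder == null || userMessagesFolder.trim().isEmpty()) {`. The error messages still name only the environment variable although the command line parameter is now the preferred source; mention both, e.g. `"PDS configuration invalid. Cannot check for job events, because neither --pdsEventFolder nor environment variable " + EnvironmentVariableConstants.PDS_JOB_EVENTS_FOLDER + " is set."`, which also replaces the garbled `Cannot send check for job events`.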
+++ b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/helper/ZapEventHandler.java @@ -5,20 +5,11 @@ import com.mercedesbenz.sechub.zapwrapper.cli.ZapWrapperExitCode; import com.mercedesbenz.sechub.zapwrapper.cli.ZapWrapperRuntimeException; -import com.mercedesbenz.sechub.zapwrapper.util.EnvironmentVariableConstants; -import com.mercedesbenz.sechub.zapwrapper.util.EnvironmentVariableReader; public class ZapEventHandler { - File cancelEventFile; - EnvironmentVariableReader environmentVariableReader = new EnvironmentVariableReader(); - public ZapEventHandler() { - String pdsJobEventsFolder = environmentVariableReader.readAsString(EnvironmentVariableConstants.PDS_JOB_EVENTS_FOLDER); - if (pdsJobEventsFolder == null) { - throw new ZapWrapperRuntimeException("PDS configuration invalid. Cannot send user messages, because environment variable " - + EnvironmentVariableConstants.PDS_JOB_EVENTS_FOLDER + " is not set.", ZapWrapperExitCode.PDS_CONFIGURATION_ERROR); - } + public ZapEventHandler(String pdsJobEventsFolder) { this.cancelEventFile = new File(pdsJobEventsFolder, "cancel_requested.json"); } diff --git a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/scan/ZapScanner.java b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/scan/ZapScanner.java index bc65a858a7..0ce9802f67 100644 --- a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/scan/ZapScanner.java +++ b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/scan/ZapScanner.java @@ -47,7 +47,6 @@ public class ZapScanner implements ZapScan { ZapScanContext scanContext; ScanDurationHelper scanDurationHelper; - ZapEventHandler zapEventHandler; UrlUtil urlUtil; SystemUtil systemUtil; 
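Review bot: The constructor now accepts any `pdsJobEventsFolder` including `null`, and `new File((String) null, "cancel_requested.json")` does not fail but resolves the child on its own, so a misconfigured caller would poll for the cancel file relative to the working directory; add `Objects.requireNonNull(pdsJobEventsFolder, "pdsJobEventsFolder");` as the first statement, or keep throwing `ZapWrapperRuntimeException` with `PDS_CONFIGURATION_ERROR` as the factory does. With the throw removed, the retained imports of `ZapWrapperExitCode` and `ZapWrapperRuntimeException` appear unused unless `isScanCancelled()`, which lies outside this hunk, needs them. A one-line Javadoc stating that the argument is the PDS job events directory checked for `cancel_requested.json` would document the new contract.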
@@ -59,28 +58,22 @@ public static ZapScanner from(ClientApiFacade clientApiFacade, ZapScanContext sc } if (scanContext == null) { - throw new ZapWrapperRuntimeException("Cannot create Zap Scanner because ClientApiFacade is null!", ZapWrapperExitCode.UNSUPPORTED_CONFIGURATION); - } - - if (scanContext.getMaxScanDurationInMillis() == 0) { - throw new ZapWrapperRuntimeException("Cannot create Zap Scanner because ClientApiFacade is null!", ZapWrapperExitCode.UNSUPPORTED_CONFIGURATION); + throw new ZapWrapperRuntimeException("Cannot create Zap Scanner because ZapScanContext is null!", ZapWrapperExitCode.UNSUPPORTED_CONFIGURATION); } ScanDurationHelper scanDurationHelper = new ScanDurationHelper(); - ZapEventHandler zapEventHandler = new ZapEventHandler(); UrlUtil urlUtil = new UrlUtil(); SystemUtil systemUtil = new SystemUtil(); - return new ZapScanner(clientApiFacade, scanContext, scanDurationHelper, zapEventHandler, urlUtil, systemUtil); + return new ZapScanner(clientApiFacade, scanContext, scanDurationHelper, urlUtil, systemUtil); } - private ZapScanner(ClientApiFacade clientApiFacade, ZapScanContext scanContext, ScanDurationHelper scanDurationHelper, ZapEventHandler zapEventHandler, - UrlUtil urlUtil, SystemUtil systemUtil) { + private ZapScanner(ClientApiFacade clientApiFacade, ZapScanContext scanContext, ScanDurationHelper scanDurationHelper, UrlUtil urlUtil, + SystemUtil systemUtil) { this.clientApiFacade = clientApiFacade; this.scanContext = scanContext; this.scanDurationHelper = scanDurationHelper; - this.zapEventHandler = zapEventHandler; this.urlUtil = urlUtil; this.systemUtil = systemUtil; @@ -528,6 +521,8 @@ void waitForAjaxSpiderResults() throws ClientApiException { boolean timeOut = false; + ZapEventHandler zapEventHandler = scanContext.getZapEventHandler(); + while (!isAjaxSpiderStopped(ajaxSpiderStatus) && !timeOut) { if (zapEventHandler.isScanCancelled()) { clientApiFacade.stopAjaxSpider(); 
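Review bot: `from` validates the facade and the context but not `scanContext.getZapEventHandler()`, which the wait loops below now dereference on every iteration, so a context without a handler surfaces as a NullPointerException in the middle of a scan rather than as an `UNSUPPORTED_CONFIGURATION` failure before it starts. Add a third guard next to the existing two: `if (scanContext.getZapEventHandler() == null) { throw new ZapWrapperRuntimeException("Cannot create Zap Scanner because ZapEventHandler is null!", ZapWrapperExitCode.UNSUPPORTED_CONFIGURATION); }`. `ZapScannerTest` builds its context as a Mockito mock, so that test will need `when(scanContext.getZapEventHandler()).thenReturn(zapEventHandler);` if the guard is added, presumably in `beforeEach`, which is not visible here.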
@@ -559,6 +554,7 @@ void waitForSpiderResults(String scanId) throws ClientApiException { remainingScanTime); boolean timeOut = false; + ZapEventHandler zapEventHandler = scanContext.getZapEventHandler(); while (progressSpider < 100 && !timeOut) { if (zapEventHandler.isScanCancelled()) { @@ -592,6 +588,7 @@ void passiveScan() throws ClientApiException { int numberOfRecords = clientApiFacade.getNumberOfPassiveScannerRecordsToScan(); boolean timeOut = false; + ZapEventHandler zapEventHandler = scanContext.getZapEventHandler(); while (numberOfRecords > 0 && !timeOut) { if (zapEventHandler.isScanCancelled()) { @@ -619,6 +616,9 @@ void waitForActiveScanResults(String scanId) throws ClientApiException { long startTime = systemUtil.getCurrentTimeInMilliseconds(); long maxDuration = remainingScanTime; boolean timeOut = false; + + ZapEventHandler zapEventHandler = scanContext.getZapEventHandler(); + while (progressActive < 100 && !timeOut) { if (zapEventHandler.isScanCancelled()) { clientApiFacade.stopActiveScan(scanId); diff --git a/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/zapwrapper/config/ZapScanContextFactoryTest.java b/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/zapwrapper/config/ZapScanContextFactoryTest.java index 786e051ba9..3cc894ff9d 100644 --- a/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/zapwrapper/config/ZapScanContextFactoryTest.java +++ b/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/zapwrapper/config/ZapScanContextFactoryTest.java 
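Review bot: The lookup `ZapEventHandler zapEventHandler = scanContext.getZapEventHandler();` is now repeated before each of the four polling loops (`waitForAjaxSpiderResults`, `waitForSpiderResults`, `passiveScan`, `waitForActiveScanResults`), whose bodies extend beyond these hunks; a single private accessor keeps the cancel check uniform and gives one place for a null guard: `private boolean isScanCancelled() { return scanContext.getZapEventHandler().isScanCancelled(); }` with `if (isScanCancelled()) {` in each loop.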
@@ -1,24 +1,10 @@ // SPDX-License-Identifier: MIT package com.mercedesbenz.sechub.zapwrapper.config; -import static com.mercedesbenz.sechub.zapwrapper.util.EnvironmentVariableConstants.PDS_JOB_EXTRACTED_SOURCES_FOLDER; -import static com.mercedesbenz.sechub.zapwrapper.util.EnvironmentVariableConstants.PDS_JOB_USER_MESSAGES_FOLDER; -import static com.mercedesbenz.sechub.zapwrapper.util.EnvironmentVariableConstants.PROXY_HOST_ENV_VARIABLE_NAME; -import static com.mercedesbenz.sechub.zapwrapper.util.EnvironmentVariableConstants.PROXY_PORT_ENV_VARIABLE_NAME; -import static com.mercedesbenz.sechub.zapwrapper.util.EnvironmentVariableConstants.ZAP_API_KEY_ENV_VARIABLE_NAME; -import static com.mercedesbenz.sechub.zapwrapper.util.EnvironmentVariableConstants.ZAP_DEACTIVATED_RULE_REFERENCES; -import static com.mercedesbenz.sechub.zapwrapper.util.EnvironmentVariableConstants.ZAP_HOST_ENV_VARIABLE_NAME; -import static com.mercedesbenz.sechub.zapwrapper.util.EnvironmentVariableConstants.ZAP_PORT_ENV_VARIABLE_NAME; -import static org.junit.jupiter.api.Assertions.assertEquals; -import static org.junit.jupiter.api.Assertions.assertNotNull; -import static org.junit.jupiter.api.Assertions.assertNull; -import static org.junit.jupiter.api.Assertions.assertThrows; +import static com.mercedesbenz.sechub.zapwrapper.util.EnvironmentVariableConstants.*; +import static org.junit.jupiter.api.Assertions.*; import static org.mockito.ArgumentMatchers.any; -import static org.mockito.Mockito.mock; -import static org.mockito.Mockito.never; -import static org.mockito.Mockito.times; -import static org.mockito.Mockito.verify; -import static org.mockito.Mockito.when; +import static org.mockito.Mockito.*; import java.io.File; import java.net.URI; 
@@ -77,6 +63,7 @@ void beforeEach() { deactivationFile = new File("src/test/resources/wrapper-deactivated-rule-examples/zap-rules-to-deactivate.json"); when(environmentVariableReader.readAsString(PDS_JOB_USER_MESSAGES_FOLDER)).thenReturn(tempDir.getAbsolutePath()); + when(environmentVariableReader.readAsString(PDS_JOB_EVENTS_FOLDER)).thenReturn(""); } @Test @@ -529,6 +516,8 @@ private CommandLineSettings createSettingsMockWithNecessaryPartsWithoutRuleFiles when(settings.getFullRulesetFile()).thenReturn(null); when(settings.getRulesDeactvationFile()).thenReturn(null); + when(settings.getPDSUserMessageFolder()).thenReturn(""); + when(settings.getPDSEventFolder()).thenReturn(""); return settings; } diff --git a/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/zapwrapper/helper/ZapEventHandlerTest.java b/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/zapwrapper/helper/ZapEventHandlerTest.java index b8f88b6e59..c71af454ac 100644 --- a/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/zapwrapper/helper/ZapEventHandlerTest.java +++ b/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/zapwrapper/helper/ZapEventHandlerTest.java @@ -22,7 +22,7 @@ class ZapEventHandlerTest { @BeforeEach void beforeEach() { - zapEventHandler = new ZapEventHandler(); + zapEventHandler = new ZapEventHandler(""); } @Test diff --git a/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/zapwrapper/scan/ZapScannerTest.java b/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/zapwrapper/scan/ZapScannerTest.java index 8a64ed40e3..ecb051ba36 100644 --- a/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/zapwrapper/scan/ZapScannerTest.java +++ b/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/zapwrapper/scan/ZapScannerTest.java 
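Review bot: Stubbing `PDS_JOB_EVENTS_FOLDER` with `""` in `beforeEach` makes the event handler construct `new File("", "cancel_requested.json")`, which per the `File(String, String)` contract resolves the child against the system default parent (`/` on Unix), so the test's cancel-file lookup silently depends on whether `/cancel_requested.json` exists on the host. The same setup already points the user-messages folder at `tempDir` one line above; reuse it: `when(environmentVariableReader.readAsString(PDS_JOB_EVENTS_FOLDER)).thenReturn(tempDir.getAbsolutePath());`. The `""` returned from `getPDSEventFolder()` in `createSettingsMockWithNecessaryPartsWithoutRuleFiles` and the `new ZapEventHandler("")` in ZapEventHandlerTest have the same property and would benefit from a temp folder as well.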
@@ -81,11 +81,11 @@ void beforeEach() { // assign mocks scannerToTest = ZapScanner.from(clientApiFacade, scanContext); scannerToTest.systemUtil = systemUtil; - scannerToTest.zapEventHandler = zapEventHandler; // set global behavior when(scanContext.getContextName()).thenReturn(contextName); when(scanContext.getZapProductMessageHelper()).thenReturn(helper); + when(scanContext.getZapEventHandler()).thenReturn(zapEventHandler); doNothing().when(helper).writeProductError(any()); doNothing().when(helper).writeProductMessages(any()); @@ -478,7 +478,6 @@ void cleanup_after_scan_with_onylForUrls_headers_set_cleans_up_all_replacer_rule @Test void wait_for_ajaxSpider_scan_is_cancelled_results_in_exception_with_dedicated_exit_code() throws ClientApiException { /* prepare */ - scannerToTest.zapEventHandler = zapEventHandler; when(zapEventHandler.isScanCancelled()).thenReturn(true); doCallRealMethod().when(zapEventHandler).cancelScan(contextName); @@ -503,7 +502,6 @@ void wait_for_ajaxSpider_scan_is_cancelled_results_in_exception_with_dedicated_e @Test void wait_for_ajaxSpider_scan_ended_results_in_expected_calls() throws ClientApiException { /* prepare */ - scannerToTest.zapEventHandler = zapEventHandler; when(zapEventHandler.isScanCancelled()).thenReturn(false); when(scanContext.getMaxScanDurationInMillis()).thenReturn(1000L); @@ -527,7 +525,6 @@ void wait_for_spider_scan_is_cancelled_results_in_exception_with_dedicated_exit_ /* prepare */ String scanId = "12345"; - scannerToTest.zapEventHandler = zapEventHandler; when(zapEventHandler.isScanCancelled()).thenReturn(true); doCallRealMethod().when(zapEventHandler).cancelScan(contextName); @@ -554,7 +551,6 @@ void wait_for_spider_scan_ended_results_in_expected_calls() throws ClientApiExce /* prepare */ String scanId = "12345"; - scannerToTest.zapEventHandler = zapEventHandler; when(zapEventHandler.isScanCancelled()).thenReturn(false); when(scanContext.getMaxScanDurationInMillis()).thenReturn(1000L); 
@@ -583,7 +579,6 @@ void wait_for_spider_scan_ended_results_in_expected_calls() throws ClientApiExce @Test void wait_for_passiveScan_scan_is_cancelled_results_in_exception_with_dedicated_exit_code() throws ClientApiException { /* prepare */ - scannerToTest.zapEventHandler = zapEventHandler; when(zapEventHandler.isScanCancelled()).thenReturn(true); doCallRealMethod().when(zapEventHandler).cancelScan(contextName); @@ -610,7 +605,6 @@ void wait_for_passiveScan_scan_is_cancelled_results_in_exception_with_dedicated_ @Test void wait_for_passiveScan_scan_is_ended_results_in_expected_calls() throws ClientApiException { /* prepare */ - scannerToTest.zapEventHandler = zapEventHandler; when(zapEventHandler.isScanCancelled()).thenReturn(false); when(scanContext.getMaxScanDurationInMillis()).thenReturn(20000L); @@ -634,7 +628,6 @@ void wait_for_activeScan_scan_is_cancelled_results_in_exception_with_dedicated_e /* prepare */ String scanId = "12345"; - scannerToTest.zapEventHandler = zapEventHandler; when(zapEventHandler.isScanCancelled()).thenReturn(true); doCallRealMethod().when(zapEventHandler).cancelScan(contextName); @@ -658,7 +651,6 @@ void wait_for_activeScan_scan_is_ended_results_in_expected_calls() throws Client /* prepare */ String scanId = "12345"; - scannerToTest.zapEventHandler = zapEventHandler; when(zapEventHandler.isScanCancelled()).thenReturn(false); when(clientApiFacade.getActiveScannerStatusForScan(scanId)).thenReturn(100); @@ -675,7 +667,6 @@ void wait_for_activeScan_scan_is_ended_results_in_expected_calls() throws Client @Test void run_ajaxSpider_scan_ended_results_in_expected_calls() throws ClientApiException { /* prepare */ - scannerToTest.zapEventHandler = zapEventHandler; when(zapEventHandler.isScanCancelled()).thenReturn(false); when(scanContext.getMaxScanDurationInMillis()).thenReturn(1000L); 
@@ -699,7 +690,6 @@ void run_spider_scan_ended_results_in_expected_calls() throws ClientApiException /* prepare */ String scanId = "12345"; - scannerToTest.zapEventHandler = zapEventHandler; when(zapEventHandler.isScanCancelled()).thenReturn(false); when(scanContext.getMaxScanDurationInMillis()).thenReturn(1000L); @@ -732,7 +722,6 @@ void run_activeScan_scan_is_ended_results_in_expected_calls() throws ClientApiEx /* prepare */ String scanId = "12345"; - scannerToTest.zapEventHandler = zapEventHandler; when(zapEventHandler.isScanCancelled()).thenReturn(false); scannerToTest.remainingScanTime = 100L; From de87f7ec23a12bcafa8d7236ccf7c88d6731782d Mon Sep 17 00:00:00 2001 From: Sven Dolderer Date: Tue, 29 Aug 2023 15:01:56 +0200 Subject: [PATCH 07/11] make sure the Helm chart is built #1337 --- .../workflows/release-client-server-pds.yml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/.github/workflows/release-client-server-pds.yml b/.github/workflows/release-client-server-pds.yml index 6668cf370e..f70d4d340a 100644 --- a/.github/workflows/release-client-server-pds.yml +++ b/.github/workflows/release-client-server-pds.yml @@ -304,6 +304,15 @@ jobs: echo "Pull Request Number - ${{ steps.pr_release_documentation.outputs.pull-request-number }}" echo "Pull Request URL - ${{ steps.pr_release_documentation.outputs.pull-request-url }}" + - name: Build Server Helm chart + push to ghcr + if: inputs.server-version != '' + shell: bash + run: | + cd "sechub-solution/helm" + echo "# Building Helm chart for sechub-server" + helm package sechub-server + helm push sechub-server-*.tgz $ACTIONS_HELM_REGISTRY + # ----------------------------------------- # Assert releaseable, so no dirty flags on releases # even when all artifact creation parts are done! 
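Review bot: The relocated `Build Server Helm chart + push to ghcr` step now publishes the chart before the `Assert releaseable` gate whose comment block immediately follows it, so a release that fails the assertion has already pushed a chart version to the registry that cannot be retracted; keep the push after the gate, or split into `helm package` before and `helm push` after. The step also feeds the glob `sechub-server-*.tgz` and an unquoted `$ACTIONS_HELM_REGISTRY` to `helm push`, so a stale package left from an earlier step in the same checkout would match too; `rm -f sechub-server-*.tgz` before `helm package sechub-server` and `helm push sechub-server-*.tgz "$ACTIONS_HELM_REGISTRY"` close both gaps. Where `ACTIONS_HELM_REGISTRY` is defined, and whether `helm package` is pinned to `inputs.server-version`, is not visible in this hunk.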
@@ -475,15 +484,6 @@ jobs: echo "# Pushing image $DOCKER_REGISTRY:$VERSION_TAG (latest)" ./20-push-image.sh $DOCKER_REGISTRY $VERSION_TAG yes - - name: Build Server Helm chart + push to ghcr - if: inputs.server-version != '' - shell: bash - run: | - cd "sechub-solution/helm" - echo "# Building Helm chart for sechub-server" - helm package sechub-server - helm push sechub-server-*.tgz $ACTIONS_HELM_REGISTRY - # ****************************************** # C l i e n t release From a17e61c37bb9b8dfd4cb1e2f5e81e077aa4f5f70 Mon Sep 17 00:00:00 2001 From: Sven Dolderer Date: Tue, 29 Aug 2023 15:31:09 +0200 Subject: [PATCH 08/11] make sure the Helm chart is built #1337 --- .../workflows/release-client-server-pds.yml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/.github/workflows/release-client-server-pds.yml b/.github/workflows/release-client-server-pds.yml index f70d4d340a..f2da69c0e6 100644 --- a/.github/workflows/release-client-server-pds.yml +++ b/.github/workflows/release-client-server-pds.yml @@ -238,6 +238,15 @@ jobs: path: sechub-cli/build/go retention-days: 14 + - name: Build Server Helm chart + push to ghcr + if: inputs.server-version != '' + shell: bash + run: | + cd "sechub-solution/helm" + echo "# Building Helm chart for sechub-server" + helm package sechub-server + helm push sechub-server-*.tgz $ACTIONS_HELM_REGISTRY + - name: Install graphviz (asciidoc diagrams) run: sudo apt-get -qq --assume-yes install graphviz 
@@ -304,15 +313,6 @@ jobs: echo "Pull Request Number - ${{ steps.pr_release_documentation.outputs.pull-request-number }}" echo "Pull Request URL - ${{ steps.pr_release_documentation.outputs.pull-request-url }}" - - name: Build Server Helm chart + push to ghcr - if: inputs.server-version != '' - shell: bash - run: | - cd "sechub-solution/helm" - echo "# Building Helm chart for sechub-server" - helm package sechub-server - helm push sechub-server-*.tgz $ACTIONS_HELM_REGISTRY - # ----------------------------------------- # Assert releaseable, so no dirty flags on releases # even when all artifact creation parts are done! From a93cc2126242bf26b8bc38269946da03543b308b Mon Sep 17 00:00:00 2001 From: Sven Dolderer Date: Tue, 29 Aug 2023 15:57:18 +0200 Subject: [PATCH 09/11] revert Helm chart build position #1337 unintentionally pushed to `develop` instead of feature branch --- .../workflows/release-client-server-pds.yml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/.github/workflows/release-client-server-pds.yml b/.github/workflows/release-client-server-pds.yml index f2da69c0e6..6668cf370e 100644 --- a/.github/workflows/release-client-server-pds.yml +++ b/.github/workflows/release-client-server-pds.yml @@ -238,15 +238,6 @@ jobs: path: sechub-cli/build/go retention-days: 14 - - name: Build Server Helm chart + push to ghcr - if: inputs.server-version != '' - shell: bash - run: | - cd "sechub-solution/helm" - echo "# Building Helm chart for sechub-server" - helm package sechub-server - helm push sechub-server-*.tgz $ACTIONS_HELM_REGISTRY - - name: Install graphviz (asciidoc diagrams) run: sudo apt-get -qq --assume-yes install graphviz 
@@ -484,6 +475,15 @@ jobs: echo "# Pushing image $DOCKER_REGISTRY:$VERSION_TAG (latest)" ./20-push-image.sh $DOCKER_REGISTRY $VERSION_TAG yes + - name: Build Server Helm chart + push to ghcr + if: inputs.server-version != '' + shell: bash + run: | + cd "sechub-solution/helm" + echo "# Building Helm chart for sechub-server" + helm package sechub-server + helm push sechub-server-*.tgz $ACTIONS_HELM_REGISTRY + # ****************************************** # C l i e n t release From 0b86454ad3f6f78bedcc3195430df80b384b0934 Mon Sep 17 00:00:00 2001 From: Jan Winz Date: Thu, 31 Aug 2023 13:00:38 +0200 Subject: [PATCH 10/11] PR Review Changes #2436 - update javadoc - rename event handler - add throws declaration --- .../sechub/zapwrapper/config/BrowserId.java | 20 +++++ .../zapwrapper/config/ZapScanContext.java | 30 +++---- .../config/ZapScanContextFactory.java | 12 +-- ...ntHandler.java => ZapPDSEventHandler.java} | 4 +- .../internal/scan/ClientApiFacade.java | 60 ++++++++++++-- .../sechub/zapwrapper/scan/ZapScan.java | 4 +- .../sechub/zapwrapper/scan/ZapScanner.java | 35 ++++---- .../config/ZapScanContextFactoryTest.java | 2 +- ...rTest.java => ZapPDSEventHandlerTest.java} | 16 ++-- .../zapwrapper/scan/ZapScannerTest.java | 82 +++++++++---------- 10 files changed, 167 insertions(+), 98 deletions(-) create mode 100644 sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/config/BrowserId.java rename sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/helper/{ZapEventHandler.java => ZapPDSEventHandler.java} (88%) rename sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/zapwrapper/helper/{ZapEventHandlerTest.java => ZapPDSEventHandlerTest.java} (72%) diff --git a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/config/BrowserId.java b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/config/BrowserId.java new file mode 100644 index 0000000000..4df1ff7439 --- /dev/null 
+++ b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/config/BrowserId.java @@ -0,0 +1,20 @@ +// SPDX-License-Identifier: MIT +package com.mercedesbenz.sechub.zapwrapper.config; + +public enum BrowserId { + + FIREFOX_HEADLESS("firefox-headless"), + + ; + + private String browserId; + + private BrowserId(String browserId) { + this.browserId = browserId; + } + + public String getBrowserId() { + return browserId; + } + +} diff --git a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/config/ZapScanContext.java b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/config/ZapScanContext.java index 64c2108e69..1a27376ba7 100644 --- a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/config/ZapScanContext.java +++ b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/config/ZapScanContext.java @@ -10,7 +10,7 @@ import com.mercedesbenz.sechub.zapwrapper.config.auth.AuthenticationType; import com.mercedesbenz.sechub.zapwrapper.config.data.DeactivatedRuleReferences; import com.mercedesbenz.sechub.zapwrapper.config.data.ZapFullRuleset; -import com.mercedesbenz.sechub.zapwrapper.helper.ZapEventHandler; +import com.mercedesbenz.sechub.zapwrapper.helper.ZapPDSEventHandler; import com.mercedesbenz.sechub.zapwrapper.helper.ZapProductMessageHelper; public class ZapScanContext { @@ -28,7 +28,7 @@ public class ZapScanContext { private AuthenticationType authenticationType; - private long maxScanDurationInMillis; + private long maxScanDurationInMilliSeconds; private SecHubWebScanConfiguration secHubWebScanConfiguration; @@ -50,7 +50,7 @@ public class ZapScanContext { private int retryWaittimeInMilliseconds; private ZapProductMessageHelper zapProductMessageHelper; - private ZapEventHandler zapEventHandler; + private ZapPDSEventHandler zapPDSEventHandler; private ZapScanContext() { } 
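Review bot: `private String browserId;` in the new `BrowserId` enum should be `private final String browserId;` — enum constants are shared singletons and nothing in the class reassigns the field, so `final` both documents and enforces that. The type and its accessor carry no Javadoc; a one-liner such as `/** Browser identifiers passed to ZAP's ajax spider browserId option. */` would tell a reader where the string values come from, since the only visible use is `configureAjaxSpiderBrowserId(BrowserId.FIREFOX_HEADLESS.getBrowserId())`. The detached `;` line after `FIREFOX_HEADLESS("firefox-headless"),` can be folded into the constant (`FIREFOX_HEADLESS("firefox-headless");`) unless further browsers are about to be added.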
@@ -91,8 +91,8 @@ public AuthenticationType getAuthenticationType() { return authenticationType; } - public long getMaxScanDurationInMillis() { - return maxScanDurationInMillis; + public long getMaxScanDurationInMilliSeconds() { + return maxScanDurationInMilliSeconds; } public SecHubWebScanConfiguration getSecHubWebScanConfiguration() { @@ -149,8 +149,8 @@ public ZapProductMessageHelper getZapProductMessageHelper() { return zapProductMessageHelper; } - public ZapEventHandler getZapEventHandler() { - return zapEventHandler; + public ZapPDSEventHandler getZapPDSEventHandler() { + return zapPDSEventHandler; } public static ZapBasicScanContextBuilder builder() { @@ -173,7 +173,7 @@ public static class ZapBasicScanContextBuilder { private AuthenticationType authenticationType; - private long maxScanDurationInMillis; + private long maxScanDurationInMilliSeconds; private SecHubWebScanConfiguration secHubWebScanConfiguration; @@ -196,7 +196,7 @@ public static class ZapBasicScanContextBuilder { private ZapProductMessageHelper zapProductMessageHelper; - private ZapEventHandler zapEventHandler; + private ZapPDSEventHandler zapPDSEventHandler; public ZapBasicScanContextBuilder setServerConfig(ZapServerConfiguration serverConfig) { this.serverConfig = serverConfig; @@ -238,8 +238,8 @@ public ZapBasicScanContextBuilder setAuthenticationType(AuthenticationType authe return this; } - public ZapBasicScanContextBuilder setMaxScanDurationInMillis(long maxScanDurationInMillis) { - this.maxScanDurationInMillis = maxScanDurationInMillis; + public ZapBasicScanContextBuilder setMaxScanDurationInMilliSeconds(long maxScanDurationInMilliSeconds) { + this.maxScanDurationInMilliSeconds = maxScanDurationInMilliSeconds; return this; } 
@@ -298,8 +298,8 @@ public ZapBasicScanContextBuilder setZapProductMessageHelper(ZapProductMessageHe return this; } - public ZapBasicScanContextBuilder setZapEventHandler(ZapEventHandler zapEventHandler) { - this.zapEventHandler = zapEventHandler; + public ZapBasicScanContextBuilder setZapPDSEventHandler(ZapPDSEventHandler zapPDSEventHandler) { + this.zapPDSEventHandler = zapPDSEventHandler; return this; } @@ -314,7 +314,7 @@ public ZapScanContext build() { zapBasicScanConfiguration.targetUrl = this.targetUrl; zapBasicScanConfiguration.authenticationType = this.authenticationType; - zapBasicScanConfiguration.maxScanDurationInMillis = this.maxScanDurationInMillis; + zapBasicScanConfiguration.maxScanDurationInMilliSeconds = this.maxScanDurationInMilliSeconds; zapBasicScanConfiguration.secHubWebScanConfiguration = this.secHubWebScanConfiguration; @@ -335,7 +335,7 @@ public ZapScanContext build() { zapBasicScanConfiguration.zapProductMessageHelper = this.zapProductMessageHelper; - zapBasicScanConfiguration.zapEventHandler = this.zapEventHandler; + zapBasicScanConfiguration.zapPDSEventHandler = this.zapPDSEventHandler; return zapBasicScanConfiguration; } diff --git a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/config/ZapScanContextFactory.java b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/config/ZapScanContextFactory.java index 7b15f865a3..9aabb6da90 100644 --- a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/config/ZapScanContextFactory.java +++ b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/config/ZapScanContextFactory.java 
@@ -25,7 +25,7 @@ import com.mercedesbenz.sechub.zapwrapper.helper.BaseTargetUriFactory; import com.mercedesbenz.sechub.zapwrapper.helper.IncludeExcludeToZapURLHelper; import com.mercedesbenz.sechub.zapwrapper.helper.SecHubWebScanConfigurationHelper; -import com.mercedesbenz.sechub.zapwrapper.helper.ZapEventHandler; +import com.mercedesbenz.sechub.zapwrapper.helper.ZapPDSEventHandler; import com.mercedesbenz.sechub.zapwrapper.helper.ZapProductMessageHelper; import com.mercedesbenz.sechub.zapwrapper.helper.ZapURLType; import com.mercedesbenz.sechub.zapwrapper.util.EnvironmentVariableConstants; @@ -92,7 +92,7 @@ public ZapScanContext create(CommandLineSettings settings) { Set excludeSet = createUrlsExcludedFromContext(targetUrl, sechubWebConfig, userMessages); ZapProductMessageHelper productMessagehelper = createZapProductMessageHelper(settings); - ZapEventHandler zapEventHandler = createZapEventhandler(settings); + ZapPDSEventHandler zapEventHandler = createZapEventhandler(settings); checkForIncludeExcludeErrors(userMessages, productMessagehelper); @@ -106,7 +106,7 @@ public ZapScanContext create(CommandLineSettings settings) { .setActiveScanEnabled(settings.isActiveScanEnabled()) .setServerConfig(serverConfig) .setAuthenticationType(authType) - .setMaxScanDurationInMillis(maxScanDurationInMillis) + .setMaxScanDurationInMilliSeconds(maxScanDurationInMillis) .setSecHubWebScanConfiguration(sechubWebConfig) .setProxyInformation(proxyInformation) .setFullRuleset(fullRuleset) @@ -118,7 +118,7 @@ public ZapScanContext create(CommandLineSettings settings) { .setMaxNumberOfConnectionRetries(settings.getMaxNumberOfConnectionRetries()) .setRetryWaittimeInMilliseconds(settings.getRetryWaittimeInMilliseconds()) .setZapProductMessageHelper(productMessagehelper) - .setZapEventHandler(zapEventHandler) + .setZapPDSEventHandler(zapEventHandler) .build(); /* @formatter:on */ return scanContext; 
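Review bot: The new builder call `.setMaxScanDurationInMilliSeconds(maxScanDurationInMillis)` sits in the same chain as `.setRetryWaittimeInMilliseconds(settings.getRetryWaittimeInMilliseconds())`, so the rename introduces two spellings of the unit (`MilliSeconds` vs `Milliseconds`) in one method; `setMaxScanDurationInMilliseconds` would match the existing neighbour and the usual one-word form. The rename is also incomplete locally: `ZapPDSEventHandler zapEventHandler = createZapEventhandler(settings);` keeps the old variable and helper names next to the new type, and `maxScanDurationInMillis` keeps the old suffix. Renaming to `ZapPDSEventHandler zapPDSEventHandler = createZapPDSEventHandler(settings);` and `.setZapPDSEventHandler(zapPDSEventHandler)` keeps `create` readable; the helper's definition is in a later hunk of this file.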
@@ -246,7 +246,7 @@ private ZapProductMessageHelper createZapProductMessageHelper(CommandLineSetting return new ZapProductMessageHelper(userMessagesFolder); } - private ZapEventHandler createZapEventhandler(CommandLineSettings settings) { + private ZapPDSEventHandler createZapEventhandler(CommandLineSettings settings) { String pdsJobEventsFolder = settings.getPDSEventFolder(); if (pdsJobEventsFolder == null) { pdsJobEventsFolder = environmentVariableReader.readAsString(EnvironmentVariableConstants.PDS_JOB_EVENTS_FOLDER); @@ -256,7 +256,7 @@ private ZapEventHandler createZapEventhandler(CommandLineSettings settings) { throw new ZapWrapperRuntimeException("PDS configuration invalid. Cannot send check for job events, because environment variable " + EnvironmentVariableConstants.PDS_JOB_EVENTS_FOLDER + " is not set.", ZapWrapperExitCode.PDS_CONFIGURATION_ERROR); } - return new ZapEventHandler(pdsJobEventsFolder); + return new ZapPDSEventHandler(pdsJobEventsFolder); } private void checkForIncludeExcludeErrors(List userMessages, ZapProductMessageHelper productMessageHelper) { diff --git a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/helper/ZapEventHandler.java b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/helper/ZapPDSEventHandler.java similarity index 88% rename from sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/helper/ZapEventHandler.java rename to sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/helper/ZapPDSEventHandler.java index c2a84a7285..f772ffebe5 100644 --- a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/helper/ZapEventHandler.java +++ b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/helper/ZapPDSEventHandler.java 
@@ -6,10 +6,10 @@ import com.mercedesbenz.sechub.zapwrapper.cli.ZapWrapperExitCode; import com.mercedesbenz.sechub.zapwrapper.cli.ZapWrapperRuntimeException; -public class ZapEventHandler { +public class ZapPDSEventHandler { File cancelEventFile; - public ZapEventHandler(String pdsJobEventsFolder) { + public ZapPDSEventHandler(String pdsJobEventsFolder) { this.cancelEventFile = new File(pdsJobEventsFolder, "cancel_requested.json"); } diff --git a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/internal/scan/ClientApiFacade.java b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/internal/scan/ClientApiFacade.java index 39099254ba..4208482aa0 100644 --- a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/internal/scan/ClientApiFacade.java +++ b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/internal/scan/ClientApiFacade.java @@ -23,7 +23,7 @@ public ClientApiFacade(ClientApi clientApi) { } /** - * Create new context inside the ZAP. + * Create new context inside the ZAP with the given name. * * @param contextName * @return contextId returned by ZAP @@ -35,6 +35,8 @@ public String createNewContext(String contextName) throws ClientApiException { } /** + * Create a new session inside the ZAP. Overwriting files if the parameter is + * set. * * @param contextName * @param overwrite @@ -46,6 +48,7 @@ public ApiResponse createNewSession(String contextName, String overwrite) throws } /** + * Set maximum alerts for rule. * * @param maximum * @return @@ -56,6 +59,7 @@ public ApiResponse configureMaximumAlertsForEachRule(String maximum) throws Clie } /** + * Enables all passive rules. * * @return * @throws ClientApiException @@ -65,6 +69,7 @@ public ApiResponse enableAllPassiveScannerRules() throws ClientApiException { } /** + * Enable all active rules for the given policy. * * @param policy * @return 
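Review bot: The renamed `ZapPDSEventHandler` constructor still accepts any `pdsJobEventsFolder` unchecked: `new File(null, "cancel_requested.json")` yields a bare relative path and `new File("", ...)` resolves against the system default parent (`/` on Unix), so a misconfigured folder makes the cancel check watch the wrong location instead of failing fast. The class already imports `ZapWrapperRuntimeException` and `ZapWrapperExitCode`, so a guard at the top of the constructor costs nothing: `if (pdsJobEventsFolder == null || pdsJobEventsFolder.trim().isEmpty()) { throw new ZapWrapperRuntimeException("PDS job events folder must not be empty!", ZapWrapperExitCode.PDS_CONFIGURATION_ERROR); }`. `File cancelEventFile;` can also become `private final` unless ZapPDSEventHandlerTest relies on package access. The method that reads the file and reports cancellation lies outside this hunk.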
@@ -75,6 +80,7 @@ public ApiResponse enableAllActiveScannerRulesForPolicy(String policy) throws Cl } /** + * Set the Browser used by the AjaxSpider. * * @param browserId * @return @@ -95,6 +101,7 @@ public ApiResponse disablePassiveScannerRule(String ruleId) throws ClientApiExce } /** + * Disable the given rule by ID inside the given policy. * * @param ruleId * @param policy @@ -106,6 +113,7 @@ public ApiResponse disableActiveScannerRuleForPolicy(String ruleId, String polic } /** + * Set HTTP proxy with the given parameters. * * @param host * @param port @@ -120,6 +128,7 @@ public ApiResponse configureHttpProxy(String host, String port, String realm, St } /** + * Set usage of a HTTP proxy. * * @param enabled * @return @@ -130,6 +139,7 @@ public ApiResponse setHttpProxyEnabled(String enabled) throws ClientApiException } /** + * Set usage of HTTP proxy authentication. * * @param enabled * @return @@ -140,6 +150,8 @@ public ApiResponse setHttpProxyAuthEnabled(String enabled) throws ClientApiExcep } /** + * Add replacer rule. If a entry already exists from the last scan it is + * replaced. * * @param description * @param enabled 
@@ -154,10 +166,19 @@ public ApiResponse setHttpProxyAuthEnabled(String enabled) throws ClientApiExcep */ public ApiResponse addReplacerRule(String description, String enabled, String matchtype, String matchregex, String matchstring, String replacement, String initiators, String url) throws ClientApiException { - return clientApi.replacer.addRule(description, enabled, matchtype, matchregex, matchstring, replacement, initiators, url); + try { + return clientApi.replacer.addRule(description, enabled, matchtype, matchregex, matchstring, replacement, initiators, url); + } catch (ClientApiException e) { + String message = e.getMessage(); + if ("already exists".equalsIgnoreCase(message)) { + clientApi.replacer.removeRule(description); + } + return clientApi.replacer.addRule(description, enabled, matchtype, matchregex, matchstring, replacement, initiators, url); + } } /** + * Include URL pattern to the given context. * * @param contextName * @param urlPattern @@ -169,6 +190,7 @@ public ApiResponse addIncludeUrlPatternToContext(String contextName, String urlP } /** + * Exclude URL pattern from the given context. * * @param contextName * @param urlPattern @@ -180,6 +202,8 @@ public ApiResponse addExcludeUrlPatternToContext(String contextName, String urlP } /** + * Access an URL through the ZAP. Successfully accessing the site will add it to + * the site tree. * * @param url * @param followRedirects @@ -196,6 +220,9 @@ public ApiResponse accessUrlViaZap(String url, String followRedirects) { } /** + * Import the given openApi file in the context with the given ID. While + * importing the file the ZAP tries to access all API endpoints via the given + * URL and adds them to the sites tree if they could be accessed. * * @param openApiFile * @param url 
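Review bot: In the new `catch` block of `addReplacerRule`, the second `clientApi.replacer.addRule(...)` runs whether or not the message matched `"already exists"`, so an unrelated `ClientApiException` (API key rejected, ZAP unreachable) is retried once and the original exception is discarded in favour of the retry's. The exact-match `equalsIgnoreCase` is also fragile: if ZAP's message is longer than the bare phrase — its wording is not visible here — the duplicate rule is never removed and the retry fails identically. Rethrow when the message does not indicate a duplicate and only then remove and re-add; a `contains` check would be more forgiving once ZAP's wording is confirmed. The Javadoc line `If a entry already exists` should read `an entry`.

```java
try {
    return clientApi.replacer.addRule(description, enabled, matchtype, matchregex, matchstring, replacement, initiators, url);
} catch (ClientApiException e) {
    String message = e.getMessage();
    if (!"already exists".equalsIgnoreCase(message)) {
        throw e; // unrelated failure: do not mask it with a blind retry
    }
    // a rule with this description survived from a previous scan: replace it
    clientApi.replacer.removeRule(description);
    return clientApi.replacer.addRule(description, enabled, matchtype, matchregex, matchstring, replacement, initiators, url);
}
```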
@@ -208,10 +235,10 @@ public ApiResponse importOpenApiFile(String openApiFile, String url, String cont } /** - * This method checks if the sites tree is empty. The ZAP creates this sites - * tree while crawling and detecting pages. The method is necessary since the - * active scanner exits with an exception if the sites tree is empty, when - * starting an active scan. + * This method checks if the site tree is empty. The ZAP creates the site tree + * while crawling and detecting pages. The method is necessary since the active + * scanner exits with an exception if the site tree is empty, when starting an + * active scan. * * This can only happen in very few cases, but then we want to be able to inform * the user and write a report which is empty or contains at least the passively @@ -226,6 +253,8 @@ public boolean atLeastOneURLDetected() throws ClientApiException { } /** + * Removes a replacer rule by the given description. (Description is the ID for + * the replacer rule) * * @param description * @return @@ -236,6 +265,7 @@ public ApiResponse removeReplacerRule(String description) throws ClientApiExcept } /** + * Generate a report for the given parameters. * * @param title * @param template @@ -272,6 +302,7 @@ public String getAjaxSpiderStatus() throws ClientApiException { } /** + * Stop the ajax spider. * * @return * @throws ClientApiException @@ -281,6 +312,7 @@ public ApiResponse stopAjaxSpider() throws ClientApiException { } /** + * Stop the spider for the given scan ID. * * @param scanId * @return @@ -331,6 +363,7 @@ public int getNumberOfPassiveScannerRecordsToScan() throws ClientApiException { } /** + * Stop the active scanner for the given scan ID. * * @param scanId * @return @@ -354,6 +387,7 @@ public int getActiveScannerStatusForScan(String scanId) throws ClientApiExceptio } /** + * Start the spider with the given parameters. * * @param targetUrlAsString * @param maxChildren 
@@ -370,6 +404,7 @@ public String startSpiderScan(String targetUrlAsString, String maxChildren, Stri } /** + * Start the ajax spider with the given parameters. * * @param targetUrlAsString * @param inScope @@ -383,6 +418,7 @@ public ApiResponse startAjaxSpiderScan(String targetUrlAsString, String inScope, } /** + * Start the active scanner with the given parameters. * * @param targetUrlAsString * @param recurse @@ -400,6 +436,7 @@ public String startActiveScan(String targetUrlAsString, String recurse, String i } /** + * Start the spider with the given parameters as the given user. * * @param contextId * @param userId @@ -417,6 +454,7 @@ public String startSpiderScanAsUser(String contextId, String userId, String url, } /** + * Start the ajax spider with the given parameters as the given user. * * @param contextname * @param username @@ -430,6 +468,7 @@ public ApiResponse startAjaxSpiderScanAsUser(String contextname, String username } /** + * Start the active scanner with the given parameters as the given user. * * @param url * @param contextId @@ -448,6 +487,7 @@ public String startActiveScanAsUser(String url, String contextId, String userId, } /** + * Configure the given authentication method for the given context. * * @param contextId * @param authMethodName @@ -460,6 +500,7 @@ public ApiResponse configureAuthenticationMethod(String contextId, String authMe } /** + * Set session management method for the given context. * * @param contextId * @param methodName 
@@ -467,11 +508,12 @@ public ApiResponse configureAuthenticationMethod(String contextId, String authMe * @return * @throws ClientApiException */ - public ApiResponse sessionManagementMethod(String contextId, String methodName, String methodconfigparams) throws ClientApiException { + public ApiResponse setSessionManagementMethod(String contextId, String methodName, String methodconfigparams) throws ClientApiException { return clientApi.sessionManagement.setSessionManagementMethod(contextId, methodName, methodconfigparams); } /** + * Create a new user inside the given context. * * @param contextId * @param username @@ -484,6 +526,7 @@ public String createNewUser(String contextId, String username) throws ClientApiE } /** + * Set authentication credentials for the given user inside the given context. * * @param contextId * @param userId @@ -496,6 +539,7 @@ public ApiResponse configureAuthenticationCredentials(String contextId, String u } /** + * Sets whether or not the user, should be enabled inside the given context. * * @param contextId * @param userId @@ -508,6 +552,7 @@ public ApiResponse setUserEnabled(String contextId, String userId, String enable } /** + * Set the user that will be used in forced user mode for the given context. * * @param contextId * @param userId @@ -519,6 +564,7 @@ public ApiResponse setForcedUser(String contextId, String userId) throws ClientA } /** + * Set if the forced user mode should be enabled or not. * * @param enabled * @return diff --git a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/scan/ZapScan.java b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/scan/ZapScan.java index 90c9228a6c..9e774f4599 100644 --- a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/scan/ZapScan.java +++ b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/scan/ZapScan.java 
@@ -1,8 +1,10 @@
 // SPDX-License-Identifier: MIT
 package com.mercedesbenz.sechub.zapwrapper.scan;
+import com.mercedesbenz.sechub.zapwrapper.cli.ZapWrapperRuntimeException;
+
 public interface ZapScan {
-void scan();
+void scan() throws ZapWrapperRuntimeException;
 }
\ No newline at end of file
diff --git a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/scan/ZapScanner.java b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/scan/ZapScanner.java
index 0ce9802f67..4988a01e3c 100644
--- a/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/scan/ZapScanner.java
+++ b/sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/scan/ZapScanner.java
@@ -26,6 +26,7 @@
 import com.mercedesbenz.sechub.commons.model.login.WebLoginConfiguration;
 import com.mercedesbenz.sechub.zapwrapper.cli.ZapWrapperExitCode;
 import com.mercedesbenz.sechub.zapwrapper.cli.ZapWrapperRuntimeException;
+import com.mercedesbenz.sechub.zapwrapper.config.BrowserId;
 import com.mercedesbenz.sechub.zapwrapper.config.ProxyInformation;
 import com.mercedesbenz.sechub.zapwrapper.config.ZapScanContext;
 import com.mercedesbenz.sechub.zapwrapper.config.auth.SessionManagementType;
@@ -34,7 +35,7 @@
 import com.mercedesbenz.sechub.zapwrapper.config.data.RuleReference;
 import com.mercedesbenz.sechub.zapwrapper.config.data.ZapFullRuleset;
 import com.mercedesbenz.sechub.zapwrapper.helper.ScanDurationHelper;
-import com.mercedesbenz.sechub.zapwrapper.helper.ZapEventHandler;
+import com.mercedesbenz.sechub.zapwrapper.helper.ZapPDSEventHandler;
 import com.mercedesbenz.sechub.zapwrapper.internal.scan.ClientApiFacade;
 import com.mercedesbenz.sechub.zapwrapper.util.SystemUtil;
 import com.mercedesbenz.sechub.zapwrapper.util.UrlUtil;
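Review bot: `void scan() throws ZapWrapperRuntimeException;` in the `ZapScan` hunk adds a throws clause to the interface without any Javadoc saying when the exception is raised or what the caller should do with it; if the exception is unchecked, as its name suggests, the clause is purely documentary and the contract belongs in a Javadoc tag. I would put a short Javadoc above the method, `/** Runs the configured ZAP scan. @throws ZapWrapperRuntimeException if the scan could not be completed; judging by the `getExitCode()` calls in the scanner tests further down, the exception carries the exit code the wrapper terminates with. */`. The file also still ends without a trailing newline, as the `\ No newline at end of file` marker shows, which this edit could have fixed.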
@@ -77,11 +78,11 @@ private ZapScanner(ClientApiFacade clientApiFacade, ZapScanContext scanContext,
 this.urlUtil = urlUtil;
 this.systemUtil = systemUtil;
-this.remainingScanTime = scanContext.getMaxScanDurationInMillis();
+this.remainingScanTime = scanContext.getMaxScanDurationInMilliSeconds();
 }
 @Override
-public void scan() {
+public void scan() throws ZapWrapperRuntimeException {
 try {
 /* ZAP setup on local machine */
 setupStandardConfiguration();
@@ -127,7 +128,7 @@ void setupStandardConfiguration() throws ClientApiException {
 LOG.info("Set browser for ajaxSpider.");
 // use firefox in headless mode by default
-clientApiFacade.configureAjaxSpiderBrowserId("firefox-headless");
+clientApiFacade.configureAjaxSpiderBrowserId(BrowserId.FIREFOX_HEADLESS.getBrowserId());
 }
 void deactivateRules(ZapFullRuleset fullRuleset, DeactivatedRuleReferences deactivatedRuleReferences) throws ClientApiException {
@@ -521,12 +522,12 @@ void waitForAjaxSpiderResults() throws ClientApiException {
 boolean timeOut = false;
-ZapEventHandler zapEventHandler = scanContext.getZapEventHandler();
+ZapPDSEventHandler zapPDSEventHandler = scanContext.getZapPDSEventHandler();
 while (!isAjaxSpiderStopped(ajaxSpiderStatus) && !timeOut) {
-if (zapEventHandler.isScanCancelled()) {
+if (zapPDSEventHandler.isScanCancelled()) {
 clientApiFacade.stopAjaxSpider();
-zapEventHandler.cancelScan(scanContext.getContextName());
+zapPDSEventHandler.cancelScan(scanContext.getContextName());
 }
 systemUtil.waitForMilliseconds(CHECK_SCAN_STATUS_TIME_IN_MILLISECONDS);
 ajaxSpiderStatus = clientApiFacade.getAjaxSpiderStatus();
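Review bot: The new accessor name `getMaxScanDurationInMilliSeconds()` in the constructor hunk spells the unit differently from `systemUtil.waitForMilliseconds(...)` a few lines below in the `waitForAjaxSpiderResults` hunk; one spelling (`Milliseconds` is the usual Java form) should be used for both, and the rename is touched in every hunk of the test classes further down. The same applies to the renamed `ZapPDSEventHandler` / `zapPDSEventHandler` / `getZapPDSEventHandler()`: Java convention treats acronyms as words (`ZapPdsEventHandler`), and this identifier recurs in the hunks on the two following lines as well as in the tests, so it is worth settling now. The enclosing constructor and methods start and end outside these hunks.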
@@ -554,12 +555,12 @@ void waitForSpiderResults(String scanId) throws ClientApiException {
 remainingScanTime);
 boolean timeOut = false;
-ZapEventHandler zapEventHandler = scanContext.getZapEventHandler();
+ZapPDSEventHandler zapPDSEventHandler = scanContext.getZapPDSEventHandler();
 while (progressSpider < 100 && !timeOut) {
-if (zapEventHandler.isScanCancelled()) {
+if (zapPDSEventHandler.isScanCancelled()) {
 clientApiFacade.stopSpiderScan(scanId);
-zapEventHandler.cancelScan(scanContext.getContextName());
+zapPDSEventHandler.cancelScan(scanContext.getContextName());
 }
 systemUtil.waitForMilliseconds(CHECK_SCAN_STATUS_TIME_IN_MILLISECONDS);
 progressSpider = clientApiFacade.getSpiderStatusForScan(scanId);
@@ -588,11 +589,11 @@ void passiveScan() throws ClientApiException {
 int numberOfRecords = clientApiFacade.getNumberOfPassiveScannerRecordsToScan();
 boolean timeOut = false;
-ZapEventHandler zapEventHandler = scanContext.getZapEventHandler();
+ZapPDSEventHandler zapPDSEventHandler = scanContext.getZapPDSEventHandler();
 while (numberOfRecords > 0 && !timeOut) {
-if (zapEventHandler.isScanCancelled()) {
-zapEventHandler.cancelScan(scanContext.getContextName());
+if (zapPDSEventHandler.isScanCancelled()) {
+zapPDSEventHandler.cancelScan(scanContext.getContextName());
 }
 systemUtil.waitForMilliseconds(CHECK_SCAN_STATUS_TIME_IN_MILLISECONDS);
 numberOfRecords = clientApiFacade.getNumberOfPassiveScannerRecordsToScan();
@@ -617,12 +618,12 @@ void waitForActiveScanResults(String scanId) throws ClientApiException {
 long maxDuration = remainingScanTime;
 boolean timeOut = false;
-ZapEventHandler zapEventHandler = scanContext.getZapEventHandler();
+ZapPDSEventHandler zapPDSEventHandler = scanContext.getZapPDSEventHandler();
 while (progressActive < 100 && !timeOut) {
-if (zapEventHandler.isScanCancelled()) {
+if (zapPDSEventHandler.isScanCancelled()) {
 clientApiFacade.stopActiveScan(scanId);
-zapEventHandler.cancelScan(scanContext.getContextName());
+zapPDSEventHandler.cancelScan(scanContext.getContextName());
 }
 systemUtil.waitForMilliseconds(CHECK_SCAN_STATUS_TIME_IN_MILLISECONDS);
 progressActive = clientApiFacade.getActiveScannerStatusForScan(scanId);
@@ -663,7 +664,7 @@ private UserInformation initBasicAuthentication(String zapContextId, BasicLoginC
 // methodconfigparams in case of http basic auth is null, because it is
 // configured automatically
 String methodconfigparams = null;
-clientApiFacade.sessionManagementMethod(zapContextId, methodName, methodconfigparams);
+clientApiFacade.setSessionManagementMethod(zapContextId, methodName, methodconfigparams);
 return initBasicAuthScanUser(zapContextId, basicLoginConfiguration);
 }
diff --git a/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/zapwrapper/config/ZapScanContextFactoryTest.java b/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/zapwrapper/config/ZapScanContextFactoryTest.java
index 3cc894ff9d..6fd38da859 100644
--- a/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/zapwrapper/config/ZapScanContextFactoryTest.java
+++ b/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/zapwrapper/config/ZapScanContextFactoryTest.java
@@ -84,7 +84,7 @@ void created_configuration_has_max_scan_duration_from_sechub_webconfig() {
 ZapScanContext result = factoryToTest.create(settings);
 /* test */
-assertEquals(result.getMaxScanDurationInMillis(), maxScanDuration);
+assertEquals(result.getMaxScanDurationInMilliSeconds(), maxScanDuration);
 }
diff --git a/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/zapwrapper/helper/ZapEventHandlerTest.java b/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/zapwrapper/helper/ZapPDSEventHandlerTest.java
similarity index 72%
rename from sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/zapwrapper/helper/ZapEventHandlerTest.java
rename to sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/zapwrapper/helper/ZapPDSEventHandlerTest.java
index c71af454ac..0002a37e9d 100644
--- a/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/zapwrapper/helper/ZapEventHandlerTest.java
+++ b/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/zapwrapper/helper/ZapPDSEventHandlerTest.java
@@ -16,13 +16,13 @@
 import com.mercedesbenz.sechub.zapwrapper.cli.ZapWrapperRuntimeException;
-class ZapEventHandlerTest {
+class ZapPDSEventHandlerTest {
-private ZapEventHandler zapEventHandler;
+private ZapPDSEventHandler zapPDSEventHandler;
 @BeforeEach
 void beforeEach() {
-zapEventHandler = new ZapEventHandler("");
+zapPDSEventHandler = new ZapPDSEventHandler("");
 }
 @Test
@@ -31,19 +31,19 @@ void file_does_not_exist_and_so_no_scan_is_cancelled() throws IOException {
 String scanContextName = UUID.randomUUID().toString();
 /* execute + test */
-assertFalse(zapEventHandler.isScanCancelled());
-assertDoesNotThrow(() -> zapEventHandler.cancelScan(scanContextName));
+assertFalse(zapPDSEventHandler.isScanCancelled());
+assertDoesNotThrow(() -> zapPDSEventHandler.cancelScan(scanContextName));
 }
 @Test
 void file_does_exist_and_so_scan_is_cancelled(@TempDir File tempDir) throws IOException {
 /* prepare */
-zapEventHandler.cancelEventFile = tempDir;
+zapPDSEventHandler.cancelEventFile = tempDir;
 String scanContextName = UUID.randomUUID().toString();
 /* execute + test */
-assertTrue(zapEventHandler.isScanCancelled());
-assertThrows(ZapWrapperRuntimeException.class, () -> zapEventHandler.cancelScan(scanContextName));
+assertTrue(zapPDSEventHandler.isScanCancelled());
+assertThrows(ZapWrapperRuntimeException.class, () -> zapPDSEventHandler.cancelScan(scanContextName));
 }
 }
diff --git a/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/zapwrapper/scan/ZapScannerTest.java b/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/zapwrapper/scan/ZapScannerTest.java
index ecb051ba36..24f043ad7b 100644
--- a/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/zapwrapper/scan/ZapScannerTest.java
+++ b/sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/zapwrapper/scan/ZapScannerTest.java
@@ -49,7 +49,7 @@
 import com.mercedesbenz.sechub.zapwrapper.config.data.RuleReference;
 import com.mercedesbenz.sechub.zapwrapper.config.data.ZapFullRuleset;
 import com.mercedesbenz.sechub.zapwrapper.helper.IncludeExcludeToZapURLHelper;
-import com.mercedesbenz.sechub.zapwrapper.helper.ZapEventHandler;
+import com.mercedesbenz.sechub.zapwrapper.helper.ZapPDSEventHandler;
 import com.mercedesbenz.sechub.zapwrapper.helper.ZapProductMessageHelper;
 import com.mercedesbenz.sechub.zapwrapper.helper.ZapURLType;
 import com.mercedesbenz.sechub.zapwrapper.internal.scan.ClientApiFacade;
@@ -62,7 +62,7 @@ class ZapScannerTest {
 private ClientApiFacade clientApiFacade;
 private ZapScanContext scanContext;
-private ZapEventHandler zapEventHandler;
+private ZapPDSEventHandler zapPDSEventHandler;
 private SystemUtil systemUtil;
 private ZapProductMessageHelper helper;
@@ -76,7 +76,7 @@ void beforeEach() {
 systemUtil = mock(SystemUtil.class);
 helper = mock(ZapProductMessageHelper.class);
-zapEventHandler = mock(ZapEventHandler.class);
+zapPDSEventHandler = mock(ZapPDSEventHandler.class);
 // assign mocks
 scannerToTest = ZapScanner.from(clientApiFacade, scanContext);
@@ -85,7 +85,7 @@ void beforeEach() {
 // set global behavior
 when(scanContext.getContextName()).thenReturn(contextName);
 when(scanContext.getZapProductMessageHelper()).thenReturn(helper);
-when(scanContext.getZapEventHandler()).thenReturn(zapEventHandler);
+when(scanContext.getZapPDSEventHandler()).thenReturn(zapPDSEventHandler);
 doNothing().when(helper).writeProductError(any());
 doNothing().when(helper).writeProductMessages(any());
@@ -373,7 +373,7 @@ void configure_login_inside_zap_using_basic_auth_results_in_expected_calls() thr
 when(clientApiFacade.configureAuthenticationMethod(eq(contextId), eq(AuthenticationType.HTTP_BASIC_AUTHENTICATION.getZapAuthenticationMethod()), any()))
 .thenReturn(response);
-when(clientApiFacade.sessionManagementMethod(eq(contextId), eq(SessionManagementType.HTTP_AUTH_SESSION_MANAGEMENT.getZapSessionManagementMethod()),
+when(clientApiFacade.setSessionManagementMethod(eq(contextId), eq(SessionManagementType.HTTP_AUTH_SESSION_MANAGEMENT.getZapSessionManagementMethod()),
 any())).thenReturn(response);
 when(clientApiFacade.createNewUser(contextId, userName)).thenReturn(userId);
 when(clientApiFacade.configureAuthenticationCredentials(eq(contextId), eq(userId), any())).thenReturn(response);
@@ -392,7 +392,7 @@ void configure_login_inside_zap_using_basic_auth_results_in_expected_calls() thr
 verify(clientApiFacade, times(1)).configureAuthenticationMethod(eq(contextId), eq(AuthenticationType.HTTP_BASIC_AUTHENTICATION.getZapAuthenticationMethod()), any());
-verify(clientApiFacade, times(1)).sessionManagementMethod(eq(contextId),
+verify(clientApiFacade, times(1)).setSessionManagementMethod(eq(contextId),
 eq(SessionManagementType.HTTP_AUTH_SESSION_MANAGEMENT.getZapSessionManagementMethod()), any());
 verify(clientApiFacade, times(1)).createNewUser(contextId, userName);
 verify(clientApiFacade, times(1)).configureAuthenticationCredentials(eq(contextId), eq(userId), any());
@@ -478,10 +478,10 @@ void cleanup_after_scan_with_onylForUrls_headers_set_cleans_up_all_replacer_rule
 @Test
 void wait_for_ajaxSpider_scan_is_cancelled_results_in_exception_with_dedicated_exit_code() throws ClientApiException {
 /* prepare */
-when(zapEventHandler.isScanCancelled()).thenReturn(true);
-doCallRealMethod().when(zapEventHandler).cancelScan(contextName);
+when(zapPDSEventHandler.isScanCancelled()).thenReturn(true);
+doCallRealMethod().when(zapPDSEventHandler).cancelScan(contextName);
-when(scanContext.getMaxScanDurationInMillis()).thenReturn(20000L);
+when(scanContext.getMaxScanDurationInMilliSeconds()).thenReturn(20000L);
 when(scanContext.isActiveScanEnabled()).thenReturn(true);
 when(clientApiFacade.stopAjaxSpider()).thenReturn(null);
@@ -493,8 +493,8 @@ void wait_for_ajaxSpider_scan_is_cancelled_results_in_exception_with_dedicated_e
 /* test */
 assertEquals(ZapWrapperExitCode.SCAN_JOB_CANCELLED, exception.getExitCode());
-verify(zapEventHandler, times(2)).isScanCancelled();
-verify(scanContext, times(1)).getMaxScanDurationInMillis();
+verify(zapPDSEventHandler, times(2)).isScanCancelled();
+verify(scanContext, times(1)).getMaxScanDurationInMilliSeconds();
 verify(scanContext, times(1)).isActiveScanEnabled();
 verify(clientApiFacade, times(1)).stopAjaxSpider();
 }
@@ -502,9 +502,9 @@ void wait_for_ajaxSpider_scan_is_cancelled_results_in_exception_with_dedicated_e
 @Test
 void wait_for_ajaxSpider_scan_ended_results_in_expected_calls() throws ClientApiException {
 /* prepare */
-when(zapEventHandler.isScanCancelled()).thenReturn(false);
+when(zapPDSEventHandler.isScanCancelled()).thenReturn(false);
-when(scanContext.getMaxScanDurationInMillis()).thenReturn(1000L);
+when(scanContext.getMaxScanDurationInMilliSeconds()).thenReturn(1000L);
 when(scanContext.isActiveScanEnabled()).thenReturn(true);
 when(clientApiFacade.stopAjaxSpider()).thenReturn(null);
@@ -514,7 +514,7 @@ void wait_for_ajaxSpider_scan_ended_results_in_expected_calls() throws ClientApi
 scannerToTest.waitForAjaxSpiderResults();
 /* test */
-verify(scanContext, times(1)).getMaxScanDurationInMillis();
+verify(scanContext, times(1)).getMaxScanDurationInMilliSeconds();
 verify(scanContext, times(1)).isActiveScanEnabled();
 verify(clientApiFacade, atLeast(1)).getAjaxSpiderStatus();
 verify(clientApiFacade, times(1)).stopAjaxSpider();
@@ -525,10 +525,10 @@ void wait_for_spider_scan_is_cancelled_results_in_exception_with_dedicated_exit_
 /* prepare */
 String scanId = "12345";
-when(zapEventHandler.isScanCancelled()).thenReturn(true);
-doCallRealMethod().when(zapEventHandler).cancelScan(contextName);
+when(zapPDSEventHandler.isScanCancelled()).thenReturn(true);
+doCallRealMethod().when(zapPDSEventHandler).cancelScan(contextName);
-when(scanContext.getMaxScanDurationInMillis()).thenReturn(20000L);
+when(scanContext.getMaxScanDurationInMilliSeconds()).thenReturn(20000L);
 when(scanContext.isActiveScanEnabled()).thenReturn(true);
 when(clientApiFacade.stopSpiderScan(scanId)).thenReturn(null);
@@ -540,8 +540,8 @@ void wait_for_spider_scan_is_cancelled_results_in_exception_with_dedicated_exit_
 /* test */
 assertEquals(ZapWrapperExitCode.SCAN_JOB_CANCELLED, exception.getExitCode());
-verify(zapEventHandler, times(2)).isScanCancelled();
-verify(scanContext, times(1)).getMaxScanDurationInMillis();
+verify(zapPDSEventHandler, times(2)).isScanCancelled();
+verify(scanContext, times(1)).getMaxScanDurationInMilliSeconds();
 verify(scanContext, times(1)).isActiveScanEnabled();
 verify(clientApiFacade, times(1)).stopSpiderScan(scanId);
 }
@@ -551,9 +551,9 @@ void wait_for_spider_scan_ended_results_in_expected_calls() throws ClientApiExce
 /* prepare */
 String scanId = "12345";
-when(zapEventHandler.isScanCancelled()).thenReturn(false);
+when(zapPDSEventHandler.isScanCancelled()).thenReturn(false);
-when(scanContext.getMaxScanDurationInMillis()).thenReturn(1000L);
+when(scanContext.getMaxScanDurationInMilliSeconds()).thenReturn(1000L);
 when(scanContext.isActiveScanEnabled()).thenReturn(true);
 ZapProductMessageHelper messageHelper = mock(ZapProductMessageHelper.class);
 when(scanContext.getZapProductMessageHelper()).thenReturn(messageHelper);
@@ -567,7 +567,7 @@ void wait_for_spider_scan_ended_results_in_expected_calls() throws ClientApiExce
 scannerToTest.waitForSpiderResults(scanId);
 /* test */
-verify(scanContext, times(1)).getMaxScanDurationInMillis();
+verify(scanContext, times(1)).getMaxScanDurationInMilliSeconds();
 verify(scanContext, times(1)).isActiveScanEnabled();
 verify(scanContext, times(1)).getZapProductMessageHelper();
 verify(messageHelper, times(1)).writeUserMessagesWithScannedURLs(any());
@@ -579,10 +579,10 @@ void wait_for_spider_scan_ended_results_in_expected_calls() throws ClientApiExce
 @Test
 void wait_for_passiveScan_scan_is_cancelled_results_in_exception_with_dedicated_exit_code() throws ClientApiException {
 /* prepare */
-when(zapEventHandler.isScanCancelled()).thenReturn(true);
-doCallRealMethod().when(zapEventHandler).cancelScan(contextName);
+when(zapPDSEventHandler.isScanCancelled()).thenReturn(true);
+doCallRealMethod().when(zapPDSEventHandler).cancelScan(contextName);
-when(scanContext.getMaxScanDurationInMillis()).thenReturn(20000L);
+when(scanContext.getMaxScanDurationInMilliSeconds()).thenReturn(20000L);
 when(scanContext.isActiveScanEnabled()).thenReturn(false);
 when(scanContext.isAjaxSpiderEnabled()).thenReturn(false);
@@ -595,8 +595,8 @@ void wait_for_passiveScan_scan_is_cancelled_results_in_exception_with_dedicated_
 /* test */
 assertEquals(ZapWrapperExitCode.SCAN_JOB_CANCELLED, exception.getExitCode());
-verify(zapEventHandler, times(2)).isScanCancelled();
-verify(scanContext, times(1)).getMaxScanDurationInMillis();
+verify(zapPDSEventHandler, times(2)).isScanCancelled();
+verify(scanContext, times(1)).getMaxScanDurationInMilliSeconds();
 verify(scanContext, times(1)).isActiveScanEnabled();
 verify(scanContext, times(1)).isAjaxSpiderEnabled();
 verify(clientApiFacade, atLeast(1)).getNumberOfPassiveScannerRecordsToScan();
@@ -605,9 +605,9 @@ void wait_for_passiveScan_scan_is_cancelled_results_in_exception_with_dedicated_
 @Test
 void wait_for_passiveScan_scan_is_ended_results_in_expected_calls() throws ClientApiException {
 /* prepare */
-when(zapEventHandler.isScanCancelled()).thenReturn(false);
+when(zapPDSEventHandler.isScanCancelled()).thenReturn(false);
-when(scanContext.getMaxScanDurationInMillis()).thenReturn(20000L);
+when(scanContext.getMaxScanDurationInMilliSeconds()).thenReturn(20000L);
 when(scanContext.isActiveScanEnabled()).thenReturn(false);
 when(scanContext.isAjaxSpiderEnabled()).thenReturn(false);
@@ -617,7 +617,7 @@ void wait_for_passiveScan_scan_is_ended_results_in_expected_calls() throws Clien
 scannerToTest.passiveScan();
 /* test */
-verify(scanContext, times(1)).getMaxScanDurationInMillis();
+verify(scanContext, times(1)).getMaxScanDurationInMilliSeconds();
 verify(scanContext, times(1)).isActiveScanEnabled();
 verify(scanContext, times(1)).isAjaxSpiderEnabled();
 verify(clientApiFacade, times(1)).getNumberOfPassiveScannerRecordsToScan();
@@ -628,8 +628,8 @@ void wait_for_activeScan_scan_is_cancelled_results_in_exception_with_dedicated_e
 /* prepare */
 String scanId = "12345";
-when(zapEventHandler.isScanCancelled()).thenReturn(true);
-doCallRealMethod().when(zapEventHandler).cancelScan(contextName);
+when(zapPDSEventHandler.isScanCancelled()).thenReturn(true);
+doCallRealMethod().when(zapPDSEventHandler).cancelScan(contextName);
 when(clientApiFacade.getActiveScannerStatusForScan(scanId)).thenReturn(42);
 when(clientApiFacade.stopActiveScan(scanId)).thenReturn(null);
@@ -641,7 +641,7 @@ void wait_for_activeScan_scan_is_cancelled_results_in_exception_with_dedicated_e
 /* test */
 assertEquals(ZapWrapperExitCode.SCAN_JOB_CANCELLED, exception.getExitCode());
-verify(zapEventHandler, times(2)).isScanCancelled();
+verify(zapPDSEventHandler, times(2)).isScanCancelled();
 verify(clientApiFacade, never()).getActiveScannerStatusForScan(scanId);
 verify(clientApiFacade, times(1)).stopActiveScan(scanId);
 }
@@ -651,7 +651,7 @@ void wait_for_activeScan_scan_is_ended_results_in_expected_calls() throws Client
 /* prepare */
 String scanId = "12345";
-when(zapEventHandler.isScanCancelled()).thenReturn(false);
+when(zapPDSEventHandler.isScanCancelled()).thenReturn(false);
 when(clientApiFacade.getActiveScannerStatusForScan(scanId)).thenReturn(100);
 when(clientApiFacade.stopActiveScan(scanId)).thenReturn(null);
@@ -667,9 +667,9 @@ void wait_for_activeScan_scan_is_ended_results_in_expected_calls() throws Client
 @Test
 void run_ajaxSpider_scan_ended_results_in_expected_calls() throws ClientApiException {
 /* prepare */
-when(zapEventHandler.isScanCancelled()).thenReturn(false);
+when(zapPDSEventHandler.isScanCancelled()).thenReturn(false);
-when(scanContext.getMaxScanDurationInMillis()).thenReturn(1000L);
+when(scanContext.getMaxScanDurationInMilliSeconds()).thenReturn(1000L);
 when(scanContext.isActiveScanEnabled()).thenReturn(true);
 when(clientApiFacade.stopAjaxSpider()).thenReturn(null);
@@ -679,7 +679,7 @@ void run_ajaxSpider_scan_ended_results_in_expected_calls() throws ClientApiExcep
 scannerToTest.runAjaxSpider();
 /* test */
-verify(scanContext, times(1)).getMaxScanDurationInMillis();
+verify(scanContext, times(1)).getMaxScanDurationInMilliSeconds();
 verify(scanContext, times(1)).isActiveScanEnabled();
 verify(clientApiFacade, atLeast(1)).getAjaxSpiderStatus();
 verify(clientApiFacade, times(1)).stopAjaxSpider();
@@ -690,9 +690,9 @@ void run_spider_scan_ended_results_in_expected_calls() throws ClientApiException
 /* prepare */
 String scanId = "12345";
-when(zapEventHandler.isScanCancelled()).thenReturn(false);
+when(zapPDSEventHandler.isScanCancelled()).thenReturn(false);
-when(scanContext.getMaxScanDurationInMillis()).thenReturn(1000L);
+when(scanContext.getMaxScanDurationInMilliSeconds()).thenReturn(1000L);
 when(scanContext.isActiveScanEnabled()).thenReturn(true);
 ZapProductMessageHelper messageHelper = mock(ZapProductMessageHelper.class);
 when(scanContext.getZapProductMessageHelper()).thenReturn(messageHelper);
@@ -707,7 +707,7 @@ void run_spider_scan_ended_results_in_expected_calls() throws ClientApiException
 scannerToTest.runSpider();
 /* test */
-verify(scanContext, times(1)).getMaxScanDurationInMillis();
+verify(scanContext, times(1)).getMaxScanDurationInMilliSeconds();
 verify(scanContext, times(1)).isActiveScanEnabled();
 verify(scanContext, times(1)).getZapProductMessageHelper();
 verify(messageHelper, times(1)).writeUserMessagesWithScannedURLs(any());
@@ -722,7 +722,7 @@ void run_activeScan_scan_is_ended_results_in_expected_calls() throws ClientApiEx
 /* prepare */
 String scanId = "12345";
-when(zapEventHandler.isScanCancelled()).thenReturn(false);
+when(zapPDSEventHandler.isScanCancelled()).thenReturn(false);
 scannerToTest.remainingScanTime = 100L;
From c301278e15e04542ec51ad09b00f2f8e2b53daf1 Mon Sep 17 00:00:00 2001
From: lorriborri
Date: Wed, 6 Sep 2023 12:30:46 +0200
Subject: [PATCH 11/11] Added new contributor #2530
---
 MAINTAINERS.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/MAINTAINERS.md b/MAINTAINERS.md
index c8130080ab..cb450ab197 100644
--- a/MAINTAINERS.md
+++ b/MAINTAINERS.md
@@ -10,6 +10,7 @@
 | Jeremias Eppler | | [jeeppler](https://github.com/jeeppler) | Mercedes-Benz Tech Innovation GmbH, [imprint](https://github.com/mercedes-benz/foss/blob/master/PROVIDER_INFORMATION.md) | 2021-01-01 |
 | Jan Winz | | [winzj](https://github.com/winzj) | Mercedes-Benz Tech Innovation GmbH, [imprint](https://github.com/mercedes-benz/foss/blob/master/PROVIDER_INFORMATION.md) | 2021-07-01 |
 | Rouven Härtel | | [haerter-tss](https://github.com/haerter-tss) | Mercedes-Benz Tech Innovation GmbH, [imprint](https://github.com/mercedes-benz/foss/blob/master/PROVIDER_INFORMATION.md) | 2022-02-01 |
+| Laura Bottner | | [lorriborri](hhttps://github.com/lorriborri) | Mercedes-Benz Tech Innovation GmbH, [imprint](https://github.com/mercedes-benz/foss/blob/master/PROVIDER_INFORMATION.md) | 2023-09-06 |
 ## Emeritus Maintainers