scanpolicies: Add workflow/script to generate updates based on rule tags

- generate-scan-policies.js > ZAP standalone script to be used by a
nightly docker image to craft the scan policies.
- generate_policies.yml > The new workflow. Triggered by cron every
Friday morning or manually via workflow_dispatch.

Signed-off-by: kingthorin <[email protected]>

.github/scripts/generate-scan-policies.js

@@ -0,0 +1,68 @@
+// This is a ZAP standalone script - it will only run in ZAP.
+// It generates the scan policies for https://github.com/zaproxy/zap-extensions/tree/main/addOns/scanpolicies etc
+// The policies are created after starting a ZAP weekly release with the '-addoninstall ascanrulesAlpha' option.
+
+var FileWriter = Java.type("java.io.FileWriter");
+var PrintWriter = Java.type("java.io.PrintWriter");
+var PolicyTag = Java.type("org.zaproxy.addon.commonlib.PolicyTag");
+var activeScanScript = Java.type(
+  "org.zaproxy.zap.extension.scripts.scanrules.ScriptsActiveScanner"
+);
+var extAscan = control
+  .getExtensionLoader()
+  .getExtension(org.zaproxy.zap.extension.ascan.ExtensionActiveScan.NAME);
+
+var plugins = extAscan
+  .getPolicyManager()
+  .getDefaultScanPolicy()
+  .getPluginFactory()
+  .getAllPlugin()
+  .toArray()
+  .sort(function (a, b) {
+    return a.getId() - b.getId();
+  });
+
+var INDENT = "    ";
+for (var idx = 0; idx < PolicyTag.values().length; idx++) {
+  var currentTag = PolicyTag.values()[idx];
+  var policyFilePath =
+    "/zap/wrk/zap-extensions/addOns/XXXXX/src/main/zapHomeFiles/policies/".replace(
+      "XXXXX",
+      currentTag.getAddonId()
+    ) + currentTag.getFileName();
+  print(policyFilePath);
+  // Create the policy
+  var fw = new FileWriter(policyFilePath);
+  var pw = new PrintWriter(fw);
+  pw.println('<?xml version="1.0" encoding="UTF-8" standalone="no"?>');
+  pw.println("<configuration>");
+  pw.println(INDENT + "<policy>" + currentTag.getPolicyName() + "</policy>");
+  pw.println(INDENT + "<scanner>");
+  pw.println(INDENT.repeat(2) + "<strength>MEDIUM</strength>");
+  pw.println(INDENT.repeat(2) + "<level>OFF</level>");
+  pw.println(INDENT + "</scanner>");
+  pw.println(INDENT + "<plugins>");
+
+  for (var i = 0; i < plugins.length; i++) {
+    try {
+      if (
+        plugins[i].getAlertTags() != null &&
+        plugins[i]
+          .getAlertTags()
+          .keySet()
+          .contains(PolicyTag.getAllTags().get(idx))
+      ) {
+        pw.println(INDENT.repeat(2) + "<p" + plugins[i].getId() + ">");
+        pw.println(INDENT.repeat(3) + "<name>" + plugins[i].getName() + "</name>");
+        pw.println(INDENT.repeat(3) + "<level>MEDIUM</level>");
+        pw.println(INDENT.repeat(3) + "<enabled>true</enabled>");
+        pw.println(INDENT.repeat(2) + "</p" + plugins[i].getId() + ">");
+      }
+    } catch (e) {
+      print(e);
+    }
+  }
+  pw.println(INDENT + "</plugins>");
+  pw.println("</configuration>");
+  pw.close();
+}

.github/workflows/generate_policies.yml

@@ -0,0 +1,56 @@
+name: Generate Scan Policies from Policy Tags
+on: 
+  schedule: # The start of every Friday
+    - cron: '0 0 * * 5'
+  workflow_dispatch:
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  update-policies:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v4
+      with:
+        persist-credentials: false
+        path: zap-extensions
+        fetch-depth: 0
+    - name: Create Policies
+      run: |
+        # Run the ZAP script
+        docker run -v $(pwd):/zap/wrk/:rw --user root -t ghcr.io/zaproxy/zaproxy:nightly ./zap.sh -addoninstall ascanrulesAlpha -addoninstall domxss -silent -script /zap/wrk/zap-extensions/.github/scripts/generate-scan-policies.js -cmd
+    - name: Attach Policies
+      uses: actions/upload-artifact@v4
+      with:
+        name: Policies
+        path: 'zap-extensions/addOns/scanpolicies/src/main/zapHomeFiles/policies/*.policy'
+    - name: Update Scan Policies
+      run: |
+        export BASE=$(pwd)
+        # Setup git details
+        export GITHUB_USER=zapbot
+        git config --global user.email "[email protected]"
+        git config --global user.name $GITHUB_USER
+        BRANCH=scan-policies-updt
+        cd zap-extensions
+        git remote remove origin
+        git remote add origin https://github.com/zapbot/zap-extensions.git
+        git remote add upstream https://github.com/zaproxy/zap-extensions.git
+        SRC_BASE="zaproxy/zap-extensions@"$(git log -1 --format=format:%h)
+        export GITHUB_TOKEN=${{ secrets.ZAPBOT_TOKEN }}
+        git checkout -b $BRANCH
+        # Update the index to be sure git is aware of changes
+        git update-index -q --refresh
+        git add ./addOns/scanpolicies/src/main/zapHomeFiles/policies/
+        ## If there are changes: comment, commit, PR
+        if ! git diff-index --quiet HEAD --; then
+          ./gradlew :addOns:scanpolicies:updateChangelog --change="- Updated based on Rules' Policy Tag assignments."
+          git remote set-url origin https://$GITHUB_USER:[email protected]/$GITHUB_USER/zap-extensions.git
+          git add ./addOns/scanpolicies/CHANGELOG.md
+          git commit -m "scanpolicies: Update policies based on Tags" -m "Updates based on $SRC_BASE" --signoff
+          git push --set-upstream origin $BRANCH --force
+          gh pr create -R zaproxy/zap-extensions --fill
+        fi