

scanpolicies: Add workflow/script to generate updates based on rule tags
- generate-scan-policies.js > ZAP standalone script to be used by a
nightly docker image to craft the scan policies.
- generate_policies.yml > The new workflow. Triggered by cron every
Friday morning or manually via workflow_dispatch.

Signed-off-by: kingthorin <[email protected]>
kingthorin committed Dec 2, 2024
1 parent 0f34317 commit 4b67e49
Showing 2 changed files with 135 additions and 0 deletions.
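--- a/.github/scripts/generateScanPolicies.js
+++ b/.github/scripts/generateScanPolicies.js
@@ -0,0 +1,81 @@
+// This is a ZAP standalone script - it will only run in ZAP.
+// It generates the scan policies for https://github.com/zaproxy/zap-extensions/tree/main/addOns/scanpolicies etc
+// The policies are created after starting a ZAP nightly release with the '-addoninstall ascanrulesAlpha' option.
+
+const FileWriter = Java.type("java.io.FileWriter");
+const PrintWriter = Java.type("java.io.PrintWriter");
+const PolicyTag = Java.type("org.zaproxy.addon.commonlib.PolicyTag");
+const UTF_8 = Java.type("java.nio.charset.StandardCharsets").UTF_8;
+const StringEscapeUtils = Java.type(
+"org.apache.commons.text.StringEscapeUtils"
+);
+
+var extAscan = control
+.getExtensionLoader()
+.getExtension(org.zaproxy.zap.extension.ascan.ExtensionActiveScan.NAME);
+
+var plugins = extAscan
+.getPolicyManager()
+.getDefaultScanPolicy()
+.getPluginFactory()
+.getAllPlugin()
+.toArray()
+.sort(function (a, b) {
+return a.getId() - b.getId();
+});
+
+const INDENT = " ";
+
+PolicyTag.values().forEach((currentTag) => {
+var policyFilePath =
+"/zap/wrk/zap-extensions/addOns/XXXXX/src/main/zapHomeFiles/policies/".replace(
+"XXXXX",
+currentTag.getAddonId()
+) + currentTag.getFileName();
+print(policyFilePath);
+// Create the policy
+var fw = new FileWriter(policyFilePath, UTF_8);
+var pw = new PrintWriter(fw);
+pw.println('<?xml version="1.0" encoding="UTF-8" standalone="no"?>');
+pw.println("<configuration>");
+pw.println(
+INDENT +
+"<policy>" +
+StringEscapeUtils.escapeXml11(currentTag.getPolicyName()) +
+"</policy>"
+);
+pw.println(INDENT + "<scanner>");
+pw.println(INDENT.repeat(2) + "<level>OFF</level>");
+pw.println(INDENT.repeat(2) + "<strength>MEDIUM</strength>");
+pw.println(INDENT + "</scanner>");
+pw.println(INDENT + "<plugins>");
+
+plugins.forEach((plugin) => {
+try {
+if (
+plugin.getAlertTags() != null &&
+plugin.getAlertTags().keySet().contains(currentTag.getTag())
+) {
+pw.println(INDENT.repeat(2) + "<p" + plugin.getId() + ">");
+pw.println(
+INDENT.repeat(3) +
+"<name>" +
+StringEscapeUtils.escapeXml11(plugin.getName()) +
+"</name>"
+);
+pw.println(INDENT.repeat(3) + "<enabled>true</enabled>");
+pw.println(INDENT.repeat(3) + "<level>MEDIUM</level>");
+pw.println(INDENT.repeat(2) + "</p" + plugin.getId() + ">");
+}
+} catch (e) {
+print(e);
+control.setExitStatus(
+1,
+"An exception was encountered while generating the scan policy(ies)."
+);
+}
+});
+pw.println(INDENT + "</plugins>");
+pw.println("</configuration>");
+pw.close();
+});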
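Review bot: Write failures on the policy file go unnoticed, because `PrintWriter` never throws on I/O errors and the `pw.close()` at the end of the tag loop is never checked, so a truncated `.policy` file can be produced with exit status 0 and then committed by the workflow that consumes this script. After closing, test the stream's error flag, `if (pw.checkError()) control.setExitStatus(1, "Failed writing " + policyFilePath);`, and move the close into a `finally` so an exception escaping the plugin loop still releases the `FileWriter`. The inner `catch` sets exit status 1 but lets the loop continue, which only keeps a policy missing a rule from being pushed if ZAP propagates `setExitStatus` as the process exit code — worth confirming, since the workflow relies on that step failing. The `plugin.getAlertTags()` lookup is also evaluated twice per plugin; a local such as `const tags = plugin.getAlertTags();` would read better.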
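--- a/.github/workflows/generate_policies.yml
+++ b/.github/workflows/generate_policies.yml
@@ -0,0 +1,54 @@
+name: Generate Scan Policies from Policy Tags
+on:
+schedule: # The start of every Friday
+- cron: '0 0 * * 5'
+workflow_dispatch:
+
+permissions:
+contents: write
+pull-requests: write
+
+jobs:
+update-policies:
+runs-on: ubuntu-latest
+steps:
+- name: Checkout
+uses: actions/checkout@v4
+with:
+persist-credentials: false
+path: zap-extensions
+fetch-depth: 0
+- name: Create Policies
+run: |
+# Run the ZAP script
+docker run -v $(pwd):/zap/wrk/:rw --user root -t ghcr.io/zaproxy/zaproxy:nightly ./zap.sh -addoninstall ascanrulesAlpha -silent -script /zap/wrk/zap-extensions/.github/scripts/generateScanPolicies.js -cmd
+- name: Attach Policies
+uses: actions/upload-artifact@v4
+with:
+name: Policies
+path: 'zap-extensions/addOns/scanpolicies/src/main/zapHomeFiles/policies/*.policy'
+- name: Update Scan Policies
+run: |
+export BASE=$(pwd)
+# Setup git details
+export GITHUB_USER=zapbot
+git config --global user.email "[email protected]"
+git config --global user.name $GITHUB_USER
+BRANCH=scan-policies-updt
+cd zap-extensions
+git remote add upstream https://github.com/zaproxy/zap-extensions.git
+SRC_BASE="zaproxy/zap-extensions@"$(git log -1 --format=format:%h)
+export GITHUB_TOKEN=${{ secrets.ZAPBOT_TOKEN }}
+git checkout -b $BRANCH
+# Update the index to be sure git is aware of changes
+git update-index -q --refresh
+git add .
+## If there are changes: comment, commit, PR
+if ! git diff-index --quiet HEAD --; then
+./gradlew :addOns:scanpolicies:updateChangelog --change="- Updated based on Rules' Policy Tag assignments."
+git remote set-url origin https://$GITHUB_USER:[email protected]/$GITHUB_USER/zap-extensions.git
+git add .
+git commit -m "Update scan policies based on Tags" -m "Updates based on $SRC_BASE" --signoff
+git push --set-upstream origin $BRANCH --force
+gh pr create -R zaproxy/zap-extensions --fill
+fi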
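Review bot: The bot token ends up stored in the checkout's git config by the `git remote set-url origin https://$GITHUB_USER:...@github.com/$GITHUB_USER/zap-extensions.git` line in the "Update Scan Policies" step (the rendered page obscures that part of the URL, but it appears to embed the token), which keeps the secret on disk in `.git/config` for the rest of the job and undoes the `persist-credentials: false` chosen on the checkout step. Passing the secret through a step-level `env:` entry, `GITHUB_TOKEN: ${{ secrets.ZAPBOT_TOKEN }}`, instead of expanding `${{ secrets.ZAPBOT_TOKEN }}` inside the `run:` script, and letting `gh auth setup-git` act as the credential helper for the push, would keep the token out of the remote URL entirely. Separately, `export BASE=$(pwd)` is set but never used in the script. The `docker run ... --user root` with the workspace mounted `rw` will leave the generated policy files root-owned; if a later step needs to rewrite them that may fail, though nothing in this workflow does so yet.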
