-
-
Notifications
You must be signed in to change notification settings - Fork 708
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
scanpolicies: Add workflow/script to generate updates based on rule tags
- generate-scan-policies.js > ZAP standalone script to be used by a nightly docker image to craft the scan policies. - generate_policies.yml > The new workflow. Triggered by cron every Friday morning or manually via workflow_dispatch. Signed-off-by: kingthorin <[email protected]>
- Loading branch information
1 parent
0f34317
commit 517d5c0
Showing
2 changed files
with
124 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,68 @@ | ||
// This is a ZAP standalone script - it will only run in ZAP. | ||
// It generates the scan policies for https://github.com/zaproxy/zap-extensions/tree/main/addOns/scanpolicies etc | ||
// The policies are created after starting a ZAP weekly release with the '-addoninstall ascanrulesAlpha' option. | ||
|
||
var FileWriter = Java.type("java.io.FileWriter"); | ||
var PrintWriter = Java.type("java.io.PrintWriter"); | ||
var PolicyTag = Java.type("org.zaproxy.addon.commonlib.PolicyTag"); | ||
var activeScanScript = Java.type( | ||
"org.zaproxy.zap.extension.scripts.scanrules.ScriptsActiveScanner" | ||
); | ||
var extAscan = control | ||
.getExtensionLoader() | ||
.getExtension(org.zaproxy.zap.extension.ascan.ExtensionActiveScan.NAME); | ||
|
||
var plugins = extAscan | ||
.getPolicyManager() | ||
.getDefaultScanPolicy() | ||
.getPluginFactory() | ||
.getAllPlugin() | ||
.toArray() | ||
.sort(function (a, b) { | ||
return a.getId() - b.getId(); | ||
}); | ||
|
||
var INDENT = " "; | ||
for (var idx = 0; idx < PolicyTag.values().length; idx++) { | ||
var currentTag = PolicyTag.values()[idx]; | ||
var policyFilePath = | ||
"/zap/wrk/zap-extensions/addOns/XXXXX/src/main/zapHomeFiles/policies/".replace( | ||
"XXXXX", | ||
currentTag.getAddonId() | ||
) + currentTag.getFileName(); | ||
print(policyFilePath); | ||
// Create the policy | ||
var fw = new FileWriter(policyFilePath); | ||
var pw = new PrintWriter(fw); | ||
pw.println('<?xml version="1.0" encoding="UTF-8" standalone="no"?>'); | ||
pw.println("<configuration>"); | ||
pw.println(INDENT + "<policy>" + currentTag.getPolicyName() + "</policy>"); | ||
pw.println(INDENT + "<scanner>"); | ||
pw.println(INDENT.repeat(2) + "<strength>MEDIUM</strength>"); | ||
pw.println(INDENT.repeat(2) + "<level>OFF</level>"); | ||
pw.println(INDENT + "</scanner>"); | ||
pw.println(INDENT + "<plugins>"); | ||
|
||
for (var i = 0; i < plugins.length; i++) { | ||
try { | ||
if ( | ||
plugins[i].getAlertTags() != null && | ||
plugins[i] | ||
.getAlertTags() | ||
.keySet() | ||
.contains(PolicyTag.getAllTags().get(idx)) | ||
) { | ||
pw.println(INDENT.repeat(2) + "<p" + plugins[i].getId() + ">"); | ||
pw.println(INDENT.repeat(3) + "<name>" + plugins[i].getName() + "</name>"); | ||
pw.println(INDENT.repeat(3) + "<level>MEDIUM</level>"); | ||
pw.println(INDENT.repeat(3) + "<enabled>true</enabled>"); | ||
pw.println(INDENT.repeat(2) + "</p" + plugins[i].getId() + ">"); | ||
} | ||
} catch (e) { | ||
print(e); | ||
} | ||
} | ||
pw.println(INDENT + "</plugins>"); | ||
pw.println("</configuration>"); | ||
pw.close(); | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,56 @@ | ||
name: Generate Scan Policies from Policy Tags | ||
on: | ||
schedule: # The start of every Friday | ||
- cron: '0 0 * * 5' | ||
workflow_dispatch: | ||
|
||
permissions: | ||
contents: write | ||
pull-requests: write | ||
|
||
jobs: | ||
update-policies: | ||
runs-on: ubuntu-latest | ||
steps: | ||
- name: Checkout | ||
uses: actions/checkout@v4 | ||
with: | ||
persist-credentials: false | ||
path: zap-extensions | ||
fetch-depth: 0 | ||
- name: Create Policies | ||
run: | | ||
# Run the ZAP script | ||
docker run -v $(pwd):/zap/wrk/:rw --user root -t ghcr.io/zaproxy/zaproxy:nightly ./zap.sh -addoninstall ascanrulesAlpha -silent -script /zap/wrk/zap-extensions/.github/scripts/generate-scan-policies.js -cmd | ||
- name: Attach Policies | ||
uses: actions/upload-artifact@v4 | ||
with: | ||
name: Policies | ||
path: 'zap-extensions/addOns/scanpolicies/src/main/zapHomeFiles/policies/*.policy' | ||
- name: Update Scan Policies | ||
run: | | ||
export BASE=$(pwd) | ||
# Setup git details | ||
export GITHUB_USER=zapbot | ||
git config --global user.email "[email protected]" | ||
git config --global user.name $GITHUB_USER | ||
BRANCH=scan-policies-updt | ||
cd zap-extensions | ||
git remote remove origin | ||
git remote add origin https://github.com/zapbot/zap-extensions.git | ||
git remote add upstream https://github.com/zaproxy/zap-extensions.git | ||
SRC_BASE="zaproxy/zap-extensions@"$(git log -1 --format=format:%h) | ||
export GITHUB_TOKEN=${{ secrets.ZAPBOT_TOKEN }} | ||
git checkout -b $BRANCH | ||
# Update the index to be sure git is aware of changes | ||
git update-index -q --refresh | ||
git add ./addOns/scanpolicies/src/main/zapHomeFiles/policies/ | ||
## If there are changes: comment, commit, PR | ||
if ! git diff-index --quiet HEAD --; then | ||
./gradlew :addOns:scanpolicies:updateChangelog --change="- Updated based on Rules' Policy Tag assignments." | ||
git remote set-url origin https://$GITHUB_USER:[email protected]/$GITHUB_USER/zap-extensions.git | ||
git add ./addOns/scanpolicies/CHANGELOG.md | ||
git commit -m "scanpolicies: Update policies based on Tags" -m "Updates based on $SRC_BASE" --signoff | ||
git push --set-upstream origin $BRANCH --force | ||
gh pr create -R zaproxy/zap-extensions --fill | ||
fi |