OtherDevOpsGene / zap-sonar-plugin

Integrates OWASP Zed Attack Proxy reports into SonarQube
GNU General Public License v3.0

how to use rulesFilePath? #10

Open schamp opened 6 years ago

schamp commented 6 years ago

The documentation for rulesFilePath:

# Optional - specifies additional rules outside of what's included in the core
sonar.zaproxy.rulesFilePath=${WORKSPACE}/myrules.xml

alongside reportPath, such as it is, with the Jenkins WORKSPACE reference seems to imply that custom rules may be defined in this at analysis time. Is this the intention?

I am trying to develop my own plugin that can pass new rules in and a report that triggers them at the same time, and this looked like it might do what I want.

Am I missing how this is supposed to work? Do I have the wrong idea or am I doing it wrong? Is there an example I can follow?

For reference, here are the properties and files I am passing with the Jenkins plugin:

sonar.zaproxy.rulesFilePath=reports/test-rules.xml
sonar.zaproxy.reportPath=reports/test-report.xml

test-rules.xml:

<rules>
    <rule>
        <key>1234567890</key>
        <name>Just some dynamic rule</name>
        <description>
            <![CDATA[<h3>Solution :</h3>
            <p>There is a problem, please fix it.</p>
            <h3>References:</h3>
            <ul>
            <li>No Reference.</li>
            </ul>]]>
        </description>
        <severity>MAJOR</severity>
        <status>READY</status>
        <tag>onetag</tag>
        <tag>anothertag</tag>
    </rule>
</rules>

test-report.xml:

<?xml version="1.0" encoding="UTF-8"?>
<OWASPZAPReport generated="jeu., 7 mai 2015 16:14:12" version="2.4.0">
    <site host="localhost" name="http://localhost:8180" port="8180" ssl="false">
    <alerts>
    <alertitem>
        <pluginid>0</pluginid>
        <alert>Existing test check</alert>
        <riskcode>1</riskcode>
        <confidence>2</confidence>
        <riskdesc>Low (Medium)</riskdesc>
        <desc>A fancy description
        </desc>
        <uri>http://localhost/foobar.txt</uri>
        <param/>
        <attack/>
        <otherinfo>More other info
        </otherinfo>
        <solution>Amazing Solution
        </solution>
        <otherinfo>Some other info
        </otherinfo>
        <reference>Test reference
        </reference>
        <cweid>933</cweid>
        <wascid>14</wascid>
    </alertitem>
    <alertitem>
        <pluginid>1234567890</pluginid>
        <alert>Dynamic rule test check</alert>
        <riskcode>1</riskcode>
        <confidence>2</confidence>
        <riskdesc>Low (Medium)</riskdesc>
        <desc>A fancy description
        </desc>
        <uri>http://localhost/foobar.txt</uri>
        <param/>
        <attack/>
        <otherinfo>More other info
        </otherinfo>
        <solution>Amazing Solution
        </solution>
        <otherinfo>Some other info
        </otherinfo>
        <reference>Test reference
        </reference>
        <cweid>933</cweid>
        <wascid>14</wascid>
    </alertitem>
    </alerts>
    </site>
</OWASPZAPReport>

When I run this analysis with SonarQube 6.6, I get this warning about the rule I am trying to create:

WARN: The rule ZAProxy:1234567890 doesn't exist.
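Added here as an example that is not part of the issue or of the zap-sonar-plugin code: a pre-analysis check that reads a rulesFilePath-style rules file and a ZAP XML report in the shapes shown above, and lists every pluginid the report references that no rule key covers. The plugin's built-in ("core") rule keys are not embedded here; they are passed in as an assumed set (in the sample, just pluginid 0), and the sample XML is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs, shaped like test-rules.xml and test-report.xml above.
RULES_XML = """<rules>
    <rule>
        <key>1234567890</key>
        <name>Just some dynamic rule</name>
        <severity>MAJOR</severity>
        <status>READY</status>
        <tag>onetag</tag>
    </rule>
</rules>"""

REPORT_XML = """<?xml version="1.0" encoding="UTF-8"?>
<OWASPZAPReport generated="constructed" version="2.4.0">
  <site host="localhost" name="http://localhost:8180" port="8180" ssl="false">
    <alerts>
      <alertitem><pluginid>0</pluginid><alert>Existing test check</alert><riskcode>1</riskcode></alertitem>
      <alertitem><pluginid>1234567890</pluginid><alert>Dynamic rule test check</alert><riskcode>1</riskcode></alertitem>
      <alertitem><pluginid>99999</pluginid><alert>Constructed unknown check</alert><riskcode>3</riskcode></alertitem>
    </alerts>
  </site>
</OWASPZAPReport>"""


def rule_keys(rules_xml):
    """Rule keys defined in a <rules><rule><key>...</key></rule></rules> file."""
    root = ET.fromstring(rules_xml)
    return {k.text.strip() for k in root.iterfind("rule/key") if k.text}


def report_pluginids(report_xml):
    """Map pluginid -> alert name for every <alertitem> in a ZAP XML report."""
    root = ET.fromstring(report_xml)
    found = {}
    for item in root.iterfind(".//alertitem"):
        pid = item.findtext("pluginid", "").strip()
        if pid:
            found[pid] = item.findtext("alert", "").strip()
    return found


def unmatched_alerts(report_xml, rules_xml, core_keys=frozenset()):
    """pluginids in the report that neither the custom rules file nor the assumed
    core rule set (core_keys is an assumption, supplied by the caller) defines.
    Each one is a finding SonarQube would warn about and not import as an issue."""
    known = rule_keys(rules_xml) | set(core_keys)
    return {pid: name for pid, name in report_pluginids(report_xml).items()
            if pid not in known}


if __name__ == "__main__":
    for pid, name in sorted(unmatched_alerts(REPORT_XML, RULES_XML, {"0"}).items()):
        print("WARN: The rule ZAProxy:%s doesn't exist. (alert: %r)" % (pid, name))
```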