mirror of
https://github.com/project-zot/zot.git
synced 2025-01-13 22:50:38 -05:00
5968e7199f
(cherry picked from commit 6d03ce5f2d)
Additional changes on top of: 6d03ce5f2d
- Build and use zot from the same branch, do not use a container image as scan target, use the binary
- Fix typo in rules filename
- Add the full rule list to the rules config file
- Ignore some of the specific rules and add reasons
- Add security-related headers to fix some of the issues identified by the scan
- Update UI, it includes the latest fixes for zap scan issues
Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
Co-authored-by: Ramkumar Chinchani <rchincha@cisco.com>
63 lines
3.4 KiB
Text
# zap-baseline rule configuration file
# Change WARN to IGNORE to ignore rule or FAIL to fail if rule matches
# Only the rule identifiers are used - the names are just for info
# You can add your own messages to each rule by appending them after a tab on each line.
10003 WARN (Vulnerable JS Library (Powered by Retire.js))
10009 WARN (In Page Banner Information Leak)
10010 WARN (Cookie No HttpOnly Flag)
10011 WARN (Cookie Without Secure Flag)
10015 WARN (Re-examine Cache-control Directives)
10017 WARN (Cross-Domain JavaScript Source File Inclusion)
10019 WARN (Content-Type Header Missing)
10020 WARN (Anti-clickjacking Header)
10021 WARN (X-Content-Type-Options Header Missing)
10023 WARN (Information Disclosure - Debug Error Messages)
10024 WARN (Information Disclosure - Sensitive Information in URL)
10025 WARN (Information Disclosure - Sensitive Information in HTTP Referrer Header)
10026 WARN (HTTP Parameter Override)
10027 IGNORE (Information Disclosure - Suspicious Comments) The comments have been reviewed and will not help an attacker
10028 WARN (Open Redirect)
10029 WARN (Cookie Poisoning)
10030 WARN (User Controllable Charset)
10031 WARN (User Controllable HTML Element Attribute (Potential XSS))
10032 WARN (Viewstate)
10033 WARN (Directory Browsing)
10034 WARN (Heartbleed OpenSSL Vulnerability (Indicative))
10035 WARN (Strict-Transport-Security Header)
10036 WARN (HTTP Server Response Header)
10037 WARN (Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s))
10038 WARN (Content Security Policy (CSP) Header Not Set)
10039 WARN (X-Backend-Server Header Information Leak)
10040 WARN (Secure Pages Include Mixed Content)
10041 WARN (HTTP to HTTPS Insecure Transition in Form Post)
10042 WARN (HTTPS to HTTP Insecure Transition in Form Post)
10043 WARN (User Controllable JavaScript Event (XSS))
10044 WARN (Big Redirect Detected (Potential Sensitive Information Leak))
10049 IGNORE (Content Cacheability) We'd need to set the non-cacheable headers on content which could potentially be cached
10050 WARN (Retrieved from Cache)
10052 WARN (X-ChromeLogger-Data (XCOLD) Header Information Leak)
10054 WARN (Cookie without SameSite Attribute)
10055 WARN (CSP)
10056 WARN (X-Debug-Token Information Leak)
10057 WARN (Username Hash Found)
10061 WARN (X-AspNet-Version Response Header)
10062 WARN (PII Disclosure)
10063 WARN (Permissions Policy Header Not Set)
10096 IGNORE (Timestamp Disclosure) All existing timestamps are related to container images and are required
10097 WARN (Hash Disclosure)
10098 IGNORE (Cross-Domain Misconfiguration) Cannot know in advance what DN the users will configure for CORS headers
10105 IGNORE (Weak Authentication Method) Cannot package in advance a certificate which would be used for the user's domain, so we cannot use HTTPS
10108 WARN (Reverse Tabnabbing)
10109 IGNORE (Modern Web Application) The Ajax crawler is run using -j command line option
10110 WARN (Dangerous JS Functions)
10202 WARN (Absence of Anti-CSRF Tokens)
2 WARN (Private IP Disclosure)
3 WARN (Session ID in URL Rewrite)
50001 WARN (Script Passive Scan Rules)
90001 WARN (Insecure JSF ViewState)
90002 WARN (Java Serialization Object)
90003 IGNORE (Sub Resource Integrity Attribute Missing) Google Fonts API returns dynamic stylesheets depending on OS/Browser and it is not possible to use static identity hashes
90011 WARN (Charset Mismatch)
90022 WARN (Application Error Disclosure)
90030 WARN (WSDL File Detection)
90033 WARN (Loosely Scoped Cookie)
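The file above follows the zap-baseline rule-file format described in its own header comments: one rule per line, `id`, action (`WARN`, `IGNORE` or `FAIL`), the parenthesised rule name, and an optional justification after a tab. A practitioner reviewing such a file in CI usually wants two things: a parser that honours nested parentheses in rule names (for example `(Vulnerable JS Library (Powered by Retire.js))`) and a check that every `IGNORE` carries a written reason, since an ignore without one is an untracked accepted risk. The following is an added example, not code from the zot project or from ZAP; the sample configuration embedded in it is constructed for the example, and the `promote` helper (flipping selected rules to `FAIL` for a gating pipeline) is this example's own convenience, not a zap-baseline feature.

```python
"""Parse and audit a zap-baseline rule configuration file.

Format (from the file's own header comments):
    <id> <WARN|IGNORE|FAIL> (<rule name>) [<message after a tab>]
Lines starting with '#' and blank lines are ignored.
"""
from collections import Counter
from dataclasses import dataclass, replace

# Actions zap-baseline accepts on a rule line.
VALID_ACTIONS = {"WARN", "IGNORE", "FAIL"}


@dataclass(frozen=True)
class Rule:
    id: int
    action: str
    name: str      # text inside the outermost parentheses
    message: str   # optional justification appended after the name


def _split_name(rest: str) -> tuple[str, str]:
    """Split '(name) message' into (name, message), honouring nested parens."""
    if not rest.startswith("("):
        raise ValueError(f"rule name must be parenthesised: {rest!r}")
    depth = 0
    for i, ch in enumerate(rest):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                return rest[1:i], rest[i + 1:].strip()
    raise ValueError(f"unbalanced parentheses in rule name: {rest!r}")


def parse_rules(text: str) -> list[Rule]:
    """Parse the whole file; raise ValueError on a malformed rule line."""
    rules: list[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)   # id, action, remainder (tabs or spaces)
        if len(parts) != 3 or not parts[0].isdigit():
            raise ValueError(f"line {lineno}: expected '<id> <action> (<name>)'")
        rule_id, action, rest = int(parts[0]), parts[1], parts[2]
        if action not in VALID_ACTIONS:
            raise ValueError(f"line {lineno}: unknown action {action!r}")
        name, message = _split_name(rest)
        rules.append(Rule(rule_id, action, name, message))
    return rules


def find_unjustified_ignores(rules: list[Rule]) -> list[Rule]:
    """IGNORE entries with no written reason: accepted risk nobody recorded."""
    return [r for r in rules if r.action == "IGNORE" and not r.message]


def summarize(rules: list[Rule]) -> dict[str, int]:
    """Count rules per action, e.g. {'WARN': 40, 'IGNORE': 7}."""
    return dict(Counter(r.action for r in rules))


def promote(rules: list[Rule], ids: set[int], action: str = "FAIL") -> list[Rule]:
    """Return a copy with the given rule ids switched to `action` (example helper)."""
    if action not in VALID_ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    return [replace(r, action=action) if r.id in ids else r for r in rules]


def render(rules: list[Rule]) -> str:
    """Serialise rules back to the tab-separated zap-baseline line format."""
    lines = []
    for r in rules:
        line = f"{r.id}\t{r.action}\t({r.name})"
        if r.message:
            line += f"\t{r.message}"
        lines.append(line)
    return "\n".join(lines) + "\n"


# Constructed sample input for this example (not the project's file).
SAMPLE_CONF = """\
# zap-baseline rule configuration file
# Change WARN to IGNORE to ignore rule or FAIL to fail if rule matches
10003\tWARN\t(Vulnerable JS Library (Powered by Retire.js))
10020\tFAIL\t(Anti-clickjacking Header)
10027\tIGNORE\t(Information Disclosure - Suspicious Comments)\tThe comments have been reviewed and will not help an attacker
10049\tIGNORE\t(Content Cacheability)
"""

if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_CONF)
    print("rules per action:", summarize(parsed))
    for r in find_unjustified_ignores(parsed):
        print(f"IGNORE without justification: {r.id} ({r.name})")
    print(render(promote(parsed, {10003})), end="")
```

Running the module reports the one constructed `IGNORE` that lacks a reason (10049) and prints the file back with rule 10003 promoted to `FAIL`; wiring `find_unjustified_ignores` into CI keeps every accepted scan finding paired with the justification the file's header comment invites.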