0
Fork 0
mirror of https://github.com/project-zot/zot.git synced 2024-12-16 21:56:37 -05:00
zot/.zap/rules.tsv
Andrei Aaron 5968e7199f
test(ui): add owasp zap scanner in ci/cd (#1224)
(cherry picked from commit 6d03ce5f2d)

Additional changes on top of: 6d03ce5f2d
- Build and use zot from the same branch
do not use a container image as scan target, use the binary
- Fix typo in rules filename
- Add the full rule list to the rules config file
- Ignore some of the specific rules and add reasons
- Add security-related headers to fix some of the issues identified by the scan
- Update UI it includes the latest fixes for zap scan issues

Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
Co-authored-by: Ramkumar Chinchani <rchincha@cisco.com>
2023-02-27 11:25:47 -08:00

63 lines
3.4 KiB
Text

# zap-baseline rule configuration file
# Change WARN to IGNORE to ignore rule or FAIL to fail if rule matches
# Only the rule identifiers are used - the names are just for info
# You can add your own messages to each rule by appending them after a tab on each line.
10003 WARN (Vulnerable JS Library (Powered by Retire.js))
10009 WARN (In Page Banner Information Leak)
10010 WARN (Cookie No HttpOnly Flag)
10011 WARN (Cookie Without Secure Flag)
10015 WARN (Re-examine Cache-control Directives)
10017 WARN (Cross-Domain JavaScript Source File Inclusion)
10019 WARN (Content-Type Header Missing)
10020 WARN (Anti-clickjacking Header)
10021 WARN (X-Content-Type-Options Header Missing)
10023 WARN (Information Disclosure - Debug Error Messages)
10024 WARN (Information Disclosure - Sensitive Information in URL)
10025 WARN (Information Disclosure - Sensitive Information in HTTP Referrer Header)
10026 WARN (HTTP Parameter Override)
10027 IGNORE (Information Disclosure - Suspicious Comments) The comments have been reviewed and will not help an attacker
10028 WARN (Open Redirect)
10029 WARN (Cookie Poisoning)
10030 WARN (User Controllable Charset)
10031 WARN (User Controllable HTML Element Attribute (Potential XSS))
10032 WARN (Viewstate)
10033 WARN (Directory Browsing)
10034 WARN (Heartbleed OpenSSL Vulnerability (Indicative))
10035 WARN (Strict-Transport-Security Header)
10036 WARN (HTTP Server Response Header)
10037 WARN (Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s))
10038 WARN (Content Security Policy (CSP) Header Not Set)
10039 WARN (X-Backend-Server Header Information Leak)
10040 WARN (Secure Pages Include Mixed Content)
10041 WARN (HTTP to HTTPS Insecure Transition in Form Post)
10042 WARN (HTTPS to HTTP Insecure Transition in Form Post)
10043 WARN (User Controllable JavaScript Event (XSS))
10044 WARN (Big Redirect Detected (Potential Sensitive Information Leak))
10049 IGNORE (Content Cacheability) We'd need to set the non-cacheble headers on content which could potentially be cached
10050 WARN (Retrieved from Cache)
10052 WARN (X-ChromeLogger-Data (XCOLD) Header Information Leak)
10054 WARN (Cookie without SameSite Attribute)
10055 WARN (CSP)
10056 WARN (X-Debug-Token Information Leak)
10057 WARN (Username Hash Found)
10061 WARN (X-AspNet-Version Response Header)
10062 WARN (PII Disclosure)
10063 WARN (Permissions Policy Header Not Set)
10096 IGNORE (Timestamp Disclosure) All existing timestamps are related to container images and are required
10097 WARN (Hash Disclosure)
10098 IGNORE (Cross-Domain Misconfiguration) Cannot know in advance what DN the users will configure for CORS headers
10105 IGNORE (Weak Authentication Method) Cannot package in advance a certificate which would be used for the user's domain, so we cannot use HTTPS
10108 WARN (Reverse Tabnabbing)
10109 IGNORE (Modern Web Application) The Ajax crawler is run using -j command line option
10110 WARN (Dangerous JS Functions)
10202 WARN (Absence of Anti-CSRF Tokens)
2 WARN (Private IP Disclosure)
3 WARN (Session ID in URL Rewrite)
50001 WARN (Script Passive Scan Rules)
90001 WARN (Insecure JSF ViewState)
90002 WARN (Java Serialization Object)
90003 IGNORE (Sub Resource Integrity Attribute Missing) Google Fonts API return dynamic stylesheets depending on OS/Browser and it is not possible to use static identity hashes
90011 WARN (Charset Mismatch)
90022 WARN (Application Error Disclosure)
90030 WARN (WSDL File Detection)
90033 WARN (Loosely Scoped Cookie)