Merge pull request #6741 from thc202/validate-refs-state

Validate state of alert references

Author: ricekot

.github/workflows/ci_remote.yml

@@ -0,0 +1,27 @@
+name: CI Remote
+
+on:
+  workflow_dispatch:
+  schedule:
+    # Once a month
+    - cron:  '0 8 18 * *'
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v5
+      - uses: actions/setup-java@v5
+        with:
+          distribution: 'temurin'
+          java-version: 17
+      - uses: gradle/actions/setup-gradle@ed408507eac070d1f99cc633dbcf757c94c7933a # v4.4.3
+        with:
+          gradle-home-cache-includes: |
+            caches
+            notifications
+            wdm
+      - run: ./gradlew -Dorg.gradle.jvmargs=-Xmx4g --continue --no-parallel test
+        env:
+          ZAP_REMOTE_TESTS: 1

addOns/addOns.gradle.kts

@@ -144,6 +144,10 @@ subprojects {
         }
     }
 
+    tasks.withType<Test>().configureEach {
+        inputs.property("ZAP_REMOTE_TESTS", if (System.getenv("ZAP_REMOTE_TESTS") == "1") "1" else "0")
+    }
+
     configurations {
         "compileClasspath" {
             exclude(group = "log4j")

addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/ActiveScannerTest.java

@@ -19,7 +19,6 @@
  */
 package org.zaproxy.zap.extension.ascanrules;
 
-import org.junit.jupiter.api.Test;
 import org.parosproxy.paros.core.scanner.AbstractPlugin;
 import org.zaproxy.zap.testutils.ActiveScannerTestUtils;
 
@@ -29,10 +28,4 @@ abstract class ActiveScannerTest<T extends AbstractPlugin> extends ActiveScanner
     protected void setUpMessages() {
         mockMessages(new ExtensionAscanRules());
     }
-
-    @Test
-    @Override
-    public void shouldHaveValidReferences() {
-        super.shouldHaveValidReferences();
-    }
 }

addOns/ascanrulesAlpha/src/test/java/org/zaproxy/zap/extension/ascanrulesAlpha/ActiveScannerTest.java

@@ -19,7 +19,6 @@
  */
 package org.zaproxy.zap.extension.ascanrulesAlpha;
 
-import org.junit.jupiter.api.Test;
 import org.parosproxy.paros.core.scanner.AbstractPlugin;
 import org.zaproxy.zap.testutils.ActiveScannerTestUtils;
 
@@ -29,10 +28,4 @@ abstract class ActiveScannerTest<T extends AbstractPlugin> extends ActiveScanner
     protected void setUpMessages() {
         mockMessages(new ExtensionAscanRulesAlpha());
     }
-
-    @Test
-    @Override
-    public void shouldHaveValidReferences() {
-        super.shouldHaveValidReferences();
-    }
 }

addOns/ascanrulesBeta/src/test/java/org/zaproxy/zap/extension/ascanrulesBeta/ActiveScannerTest.java

@@ -19,7 +19,6 @@
  */
 package org.zaproxy.zap.extension.ascanrulesBeta;
 
-import org.junit.jupiter.api.Test;
 import org.parosproxy.paros.core.scanner.AbstractPlugin;
 import org.zaproxy.zap.testutils.ActiveScannerTestUtils;
 
@@ -29,10 +28,4 @@ abstract class ActiveScannerTest<T extends AbstractPlugin> extends ActiveScanner
     protected void setUpMessages() {
         mockMessages(new ExtensionAscanRulesBeta());
     }
-
-    @Test
-    @Override
-    public void shouldHaveValidReferences() {
-        super.shouldHaveValidReferences();
-    }
 }

addOns/ascanrulesBeta/src/test/java/org/zaproxy/zap/extension/ascanrulesBeta/CrossDomainScanRuleUnitTest.java

@@ -29,6 +29,8 @@
 import org.parosproxy.paros.core.scanner.Alert;
 import org.zaproxy.addon.commonlib.CommonAlertTag;
 import org.zaproxy.addon.commonlib.PolicyTag;
+import org.zaproxy.addon.network.common.ZapSocketTimeoutException;
+import org.zaproxy.zap.testutils.AlertReferenceError;
 
 class CrossDomainScanRuleUnitTest extends ActiveScannerTest<CrossDomainScanRule> {
 
@@ -37,6 +39,17 @@ protected CrossDomainScanRule createScanner() {
         return new CrossDomainScanRule();
     }
 
+    @Override
+    public boolean isAllowedReferenceError(
+            AlertReferenceError.Cause cause, String reference, Object detail) {
+        if (reference.startsWith("https://www.adobe.com/")
+                && detail instanceof ZapSocketTimeoutException) {
+            // Reference behind CDN which times out when accessed through CI.
+            return true;
+        }
+        return false;
+    }
+
     @Test
     void shouldReturnExpectedMappings() {
         // Given / When

addOns/graaljs/CHANGELOG.md

@@ -4,7 +4,8 @@ All notable changes to this add-on will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ## Unreleased
-
+### Changed
+- Use example links in Active/Passive Rule templates' references.
 
 ## [0.9.0] - 2025-01-09
 ### Changed

addOns/graaljs/src/main/zapHomeFiles/scripts/templates/active/Active default template GraalJS.js

@@ -10,8 +10,8 @@ name: Active Vulnerability Title
 description: Full description
 solution: The solution
 references:
-  - Reference 1
-  - Reference 2
+  - https://www.example.org/reference1
+  - https://www.example.org/reference2
 category: INJECTION  # info_gather, browser, server, misc, injection
 risk: INFO  # info, low, medium, high
 confidence: LOW  # false_positive, low, medium, high, user_confirmed

addOns/graaljs/src/main/zapHomeFiles/scripts/templates/passive/Passive default template GraalJS.js

@@ -13,8 +13,8 @@ name: Passive Vulnerability Title
 description: Full description
 solution: The solution
 references:
-  - Reference 1
-  - Reference 2
+  - https://www.example.org/reference1
+  - https://www.example.org/reference2
 risk: INFO  # info, low, medium, high
 confidence: LOW  # false_positive, low, medium, high, user_confirmed
 cweId: 0

addOns/graaljs/src/test/java/org/zaproxy/zap/extension/graaljs/ActiveDefaultTemplateGraalJsScriptTest.java

@@ -31,6 +31,7 @@
 import java.util.ResourceBundle;
 import org.junit.jupiter.api.Test;
 import org.parosproxy.paros.core.scanner.Alert;
+import org.zaproxy.zap.testutils.AlertReferenceError;
 
 class ActiveDefaultTemplateGraalJsScriptTest extends GraalJsActiveScriptScanRuleTestUtils {
     @Override
@@ -51,6 +52,16 @@ public void shouldHaveI18nNonEmptyName(String name, ResourceBundle extensionReso
         assertThat(name, is(not(emptyOrNullString())));
     }
 
+    @Override
+    public boolean isAllowedReferenceError(
+            AlertReferenceError.Cause cause, String reference, Object detail) {
+        if (cause == AlertReferenceError.Cause.UNEXPECTED_STATUS_CODE && ((int) detail) == 404) {
+            // These are example.org references.
+            return true;
+        }
+        return false;
+    }
+
     @Test
     void shouldRaiseAlert() throws Exception {
         // Given
@@ -65,7 +76,11 @@ void shouldRaiseAlert() throws Exception {
         assertThat(alert.getName(), is(equalTo("Active Vulnerability Title")));
         assertThat(alert.getDescription(), is(equalTo("Full description")));
         assertThat(alert.getSolution(), is(equalTo("The solution")));
-        assertThat(alert.getReference(), is(equalTo("Reference 1\nReference 2")));
+        assertThat(
+                alert.getReference(),
+                is(
+                        equalTo(
+                                "https://www.example.org/reference1\nhttps://www.example.org/reference2")));
         assertThat(alert.getOtherInfo(), is(equalTo("Any other Info")));
         assertThat(alert.getRisk(), is(equalTo(Alert.RISK_INFO)));
         assertThat(alert.getConfidence(), is(equalTo(Alert.CONFIDENCE_LOW)));