DAST scan rules added to `DAST_EXCLUDE_RULES` are shown as PASS in the logs.
Summary
When `DAST_EXCLUDE_RULES` is used to exclude scan rules from running, the logs still list the excluded rules as if they had run, marked as PASS. This is confusing for a user who consults the logs, as it gives the wrong impression that the disabled rules were run even though they were not.
Steps to reproduce
- Set variables:
  DAST_EXCLUDE_RULES: "10048"
- The logs then show:
  PASS: Remote Code Execution - Shell Shock [10048]
Example Project
https://gitlab.com/gitlab-org/gitlab/-/jobs/648092551
What is the current bug behavior?
Scan rules that are excluded from running using `DAST_EXCLUDE_RULES` are shown as run in the log, e.g. `PASS: Remote Code Execution - Shell Shock [10048]`.
What is the expected correct behavior?
Scan rules that are excluded from running using `DAST_EXCLUDE_RULES` should be indicated as SKIP in the logs, since they are not executed, e.g. `SKIP: Remote Code Execution - Shell Shock [10048]`.
Implementation Plan
- The name of the policy used to return the active scan rules should not be hardcoded
- Add an end-to-end test to verify that the passive and active scan rules logged are correct
- Filter rules by those that are active (if necessary) before printing to the log
- Ensure that excluded passive and active scan rules are not printed in the log
- Show skipped rules in the log
- Refactor `ExecutedRules` to `Rules`, `ExecutedRule` to `Rule`, `printer.ExecutedRules` to `services.Summary`
- Add a changelog entry
- Passive scan rules that are skipped should be logged as such in the log file, for example, `10027` in the `test_webgoat_full_scan`
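As an added illustration of the expected behaviour (excluded rules logged as SKIP rather than PASS) and of the plan items that filter excluded rules before printing, the following Go program was written for this page; it is not the DAST analyzer's own code. The `Rule` type, the function names, the FAIL status for rules with findings, and the sample rule IDs and names other than 10048 are assumptions. It parses the comma-separated `DAST_EXCLUDE_RULES` value into a set and decides each rule's status with the exclusion check first, so an excluded rule can never surface as PASS or FAIL.

```go
package main

import (
	"fmt"
	"strings"
)

// Rule is one scan rule as reported at the end of a scan.
// Hypothetical type for this example, not the analyzer's own.
type Rule struct {
	ID     string
	Name   string
	Alerts int // findings the rule produced; zero if it found nothing or did not run
}

// Status values used in the summary log lines. PASS and SKIP match the
// issue; FAIL for rules with findings is an assumption of this example.
const (
	StatusPass = "PASS"
	StatusFail = "FAIL"
	StatusSkip = "SKIP"
)

// parseExcludeRules turns the DAST_EXCLUDE_RULES value (e.g. "10048, 10027")
// into a set of rule IDs. Whitespace and empty entries are tolerated.
func parseExcludeRules(value string) map[string]bool {
	excluded := map[string]bool{}
	for _, id := range strings.Split(value, ",") {
		id = strings.TrimSpace(id)
		if id != "" {
			excluded[id] = true
		}
	}
	return excluded
}

// summaryLine formats one rule in the "STATUS: Name [ID]" shape seen in the
// issue. The exclusion check comes first so an excluded rule is always SKIP,
// even if stale results for it were somehow present.
func summaryLine(r Rule, excluded map[string]bool) string {
	status := StatusPass
	switch {
	case excluded[r.ID]:
		status = StatusSkip
	case r.Alerts > 0:
		status = StatusFail
	}
	return fmt.Sprintf("%s: %s [%s]", status, r.Name, r.ID)
}

// Summarize returns one log line per rule, in input order, given the raw
// DAST_EXCLUDE_RULES value.
func Summarize(rules []Rule, excludeRules string) []string {
	excluded := parseExcludeRules(excludeRules)
	lines := make([]string, 0, len(rules))
	for _, r := range rules {
		lines = append(lines, summaryLine(r, excluded))
	}
	return lines
}

func main() {
	// Constructed sample rules: 10048 is the rule from the issue; the other
	// IDs and names are sample values for this example.
	rules := []Rule{
		{ID: "10048", Name: "Remote Code Execution - Shell Shock"},
		{ID: "10027", Name: "Information Disclosure - Suspicious Comments"},
		{ID: "40018", Name: "SQL Injection", Alerts: 2},
		{ID: "10020", Name: "X-Frame-Options Header"},
	}
	for _, line := range Summarize(rules, "10048, 10027") {
		fmt.Println(line)
	}
}
```

Running it prints SKIP for 10048 and 10027, FAIL for 40018 and PASS for 10020, so a reader of the log can tell at a glance which rules were actually executed. If the project decides to omit excluded rules entirely rather than show them as SKIP, the same set lookup is the filter to apply before the line is formatted.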