Truncate vulnerability evidence summary to a maximum length
Problem to solve
DAST vulnerabilities contain evidence.summary. The evidence is produced by ZAP vulnerability checks to help the user determine whether or not the vulnerability is a false positive.
Examples of evidence include hashed values, cookie values, credit card numbers, and HTML elements (e.g. the form element missing an anti-CSRF token).
As HTML elements can be included in the summary, the summary can be very large. An example of this occurring is when the HTML element in question is an inline <script> that contains a lot of JavaScript. In these cases, the value gained by storing large amounts of text is not worth the cost of storing or displaying it.
Intended users
Proposal
- evidence.summary should be truncated to 500 characters (500 is an arbitrary limit)
- If truncated, the summary should end with [truncated]
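As an added example (not code from this issue or from the DAST analyzer itself), the proposed truncation applied to the evidence.summary of every finding in a constructed DAST report. Two details the proposal leaves open are treated here as assumptions: the [truncated] marker counts toward the 500-character limit, so a truncated summary is exactly 500 characters long, and the limit is measured in characters (Unicode code points) rather than bytes, so a multi-byte character is never cut in half.

```python
import json

MAX_SUMMARY_CHARS = 500          # the arbitrary 500-character limit from the proposal
TRUNCATION_MARKER = "[truncated]"  # 11 characters


def truncate_summary(summary, limit=MAX_SUMMARY_CHARS, marker=TRUNCATION_MARKER):
    """Return summary unchanged if it fits within `limit` characters; otherwise cut
    it so that the result, including the trailing marker, is exactly `limit`
    characters long. Assumption: the marker counts toward the limit.
    Python str length counts code points, so a multi-byte character is never split."""
    if summary is None or len(summary) <= limit:
        return summary
    if limit <= len(marker):
        raise ValueError("limit must leave room for the truncation marker")
    return summary[: limit - len(marker)] + marker


def truncate_report_evidence(report):
    """Apply truncate_summary to every vulnerability's evidence.summary in a
    report dict (the shape of a loaded gl-dast-report.json is assumed here:
    a top-level "vulnerabilities" list whose items may carry an "evidence" dict).
    Mutates the report in place and returns the number of summaries shortened."""
    shortened = 0
    for vuln in report.get("vulnerabilities", []):
        evidence = vuln.get("evidence")
        if not isinstance(evidence, dict) or not isinstance(evidence.get("summary"), str):
            continue  # no summary, or a summary that is not text: nothing to truncate
        original = evidence["summary"]
        evidence["summary"] = truncate_summary(original)
        if evidence["summary"] != original:
            shortened += 1
    return shortened


# Constructed sample report (not a real scan result). The first finding has a short
# cookie-value summary that must survive untouched; the second carries a ~4 KB
# inline <script> element, the case the proposal is about.
SAMPLE_REPORT = {
    "vulnerabilities": [
        {
            "name": "Cookie Without Secure Flag",
            "evidence": {"summary": "Set-Cookie: session=abc123; Path=/"},
        },
        {
            "name": "Absence of Anti-CSRF Tokens",
            "evidence": {"summary": "<script>" + "var x = 1;" * 400 + "</script>"},
        },
        {
            "name": "Finding without evidence",
        },
    ]
}


def run_sample(report=SAMPLE_REPORT):
    """Truncate a deep copy of the sample report (JSON round trip, so the module
    constant stays pristine) and return (shortened_count, truncated_report)."""
    copied = json.loads(json.dumps(report))
    return truncate_report_evidence(copied), copied


if __name__ == "__main__":
    count, result = run_sample()
    print(f"{count} summary truncated")
    for vuln in result["vulnerabilities"]:
        summary = vuln.get("evidence", {}).get("summary", "")
        print(f"{vuln['name']}: {len(summary)} chars, ends with {summary[-11:]!r}")
```

Running the block shows the cookie finding unchanged and the anti-CSRF finding cut to 500 characters ending in [truncated]; the finding with no evidence is skipped rather than raising. If the marker is instead meant to be appended after the 500 characters, only the slice in truncate_summary changes.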
What is the type of buyer?
Links / references
Edited by Cameron Swords