Upgrade addons
What does this MR do?
Active scanner rules to 37.0.0
Upgraded ZAP add-on
Changed
- Maintenance changes.
Fixed
- Terminology.
Added
- The following scan rules were promoted to Beta: ELMAH Information Leak, .htaccess Information Leak (Issue 6211).
Active scanner rules (beta) to 32.0.0
Upgraded ZAP add-on
Changed
- XML External Entity Attack scan rule changed to parse response body irrespective of the HTTP response status code. (Issue 6203)
- XML External Entity Attack scan rule changed to skip only the Remote File Inclusion Attack when the Callback extension is not available.
- Maintenance changes.
- The Relative Path Confusion scan rule no longer treats 'href="#"' as a problematic use.
Fixed
- Terminology.
- Correct reason shown when the XML External Entity Attack scan rule is skipped.
- SocketTimeoutException in the Proxy Disclosure scan rule.
Added
- The following scan rules were promoted to Beta: Cloud Meta Data, .env File, Hidden Files, XSLT Injection (Issue 6211).
Removed
- The following scan rules were removed and promoted to Release: ELMAH Information Leak, .htaccess Information Leak (Issue 6211).
Passive scanner rules to 30.0.0
Upgraded ZAP add-on
Changed
- The CSP scan rule now checks if the form-action directive allows wildcards.
- The CSP scan rule now includes further information in the description of allowed-wildcard-directive alerts when one (or more) of the impacted directives does not fall back to default-src.
- Maintenance changes.
- Changed ViewState and XFrameOption rules to return example alerts for the docs.
- Handle an IllegalArgumentException that could occur in the CSP scan rule when merging multiple CSP headers if one (or more) of them had a report-uri directive.
- Allow cookies to be ignored in the SameSite and Loosely Scoped Cookie scan rules.
- The Application Error scan rule will not alert on WebAssembly responses.
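The three CSP points above (wildcard sources in form-action, the note for directives that do not fall back to default-src, and a response carrying several CSP headers where one has report-uri) are easier to see in code. The following is an added example written for this page, not ZAP's own rule implementation; the directive lists and the definition of "wildcard source" are this example's assumptions, and the sample headers are constructed.

```python
"""Added example (not ZAP's own code) of the CSP checks summarised in the
passive scanner rule changelog: flagging wildcard sources, noting when an
affected directive does not fall back to default-src, and handling several
CSP headers on one response (one of which may carry report-uri)."""
from __future__ import annotations

import re

# Directives that are not fetch directives and therefore never fall back to
# default-src (CSP Level 3). Assumption: this list is the example's own.
NO_DEFAULT_SRC_FALLBACK = frozenset({
    "base-uri", "form-action", "frame-ancestors", "navigate-to", "sandbox",
    "report-uri", "report-to", "upgrade-insecure-requests",
    "block-all-mixed-content", "require-trusted-types-for", "trusted-types",
    "plugin-types",
})

# Directives whose value is not a source list; wildcard checks do not apply.
NON_SOURCE_LIST = frozenset({
    "report-uri", "report-to", "sandbox", "upgrade-insecure-requests",
    "block-all-mixed-content", "require-trusted-types-for", "trusted-types",
    "plugin-types",
})

# A source permitting any host: bare "*" or "scheme://*" (example's definition).
WILDCARD_SOURCE = re.compile(r"^(?:[a-z][a-z0-9+.-]*://)?\*$", re.IGNORECASE)


def parse_csp(header_value: str) -> dict[str, list[str]]:
    """Parse one Content-Security-Policy header value into {directive: tokens}.

    Directives are ';'-separated; the first token names the directive and the
    remainder are its values. Per the CSP grammar only the first occurrence of
    a directive name is honoured, so later duplicates are ignored."""
    policy: dict[str, list[str]] = {}
    for chunk in header_value.split(";"):
        tokens = chunk.strip().split()
        if not tokens:
            continue
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def wildcard_findings(policy: dict[str, list[str]]) -> list[dict]:
    """Report each source-list directive that contains a wildcard source.

    form-action is checked like any other source list, and each finding
    records whether the directive inherits a (possibly narrower) default-src;
    when it does not, the wildcard is the entire effective policy."""
    findings = []
    for directive, values in policy.items():
        if directive in NON_SOURCE_LIST:
            continue  # e.g. report-uri holds a URL, not a source list
        if any(WILDCARD_SOURCE.match(v) for v in values):
            findings.append({
                "directive": directive,
                "falls_back_to_default_src": directive not in NO_DEFAULT_SRC_FALLBACK,
            })
    return findings


def check_response(csp_headers: list[str]) -> list[dict]:
    """Evaluate every CSP header on a response separately.

    Browsers enforce each delivered policy independently (a request must be
    allowed by all of them), so the headers are never merged into one policy;
    a report-uri in one of them therefore needs no special handling. Each
    finding records the index of the header it came from."""
    results = []
    for index, header in enumerate(csp_headers):
        for finding in wildcard_findings(parse_csp(header)):
            finding["header_index"] = index
            results.append(finding)
    return results


# Constructed sample: two CSP headers on one response, the second with report-uri.
SAMPLE_HEADERS = [
    "default-src 'self'; script-src 'self' https://cdn.example; form-action *",
    "img-src https://*; report-uri https://csp.example/report; default-src 'self'",
]

if __name__ == "__main__":
    for f in check_response(SAMPLE_HEADERS):
        fallback = "falls back to default-src" if f["falls_back_to_default_src"] else "no default-src fallback"
        print(f"header[{f['header_index']}] {f['directive']}: wildcard source ({fallback})")
```

Running it on the sample reports form-action in the first header (no default-src fallback, so the `'self'` default does not narrow it) and img-src in the second header (which does fall back, so the alert description can point at default-src as the relevant context).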
Passive scanner rules (beta) to 23.0.0
Upgraded ZAP add-on
Changed
- Update the RE2/J library to the latest version (1.5).
- Maintenance changes.
- Content Security Policy header missing scan rule changed to Medium risk in order to align with other CSP findings, and confidence to High (Issue 6301).
Ajax Spider to 23.2.0
Upgraded ZAP add-on
Added
- Allow specifying allowed resources (Issue 3236). Allowed resources are always fetched even if out of scope, so that necessary resources (e.g. scripts) from third parties can be included. By default, files with the extensions .js and .css are allowed.
Changed
- Update minimum ZAP version to 2.9.0.
- Maintenance changes.
Fixed
- Unregister the event publisher when the add-on is uninstalled.
- Persist the state of "Remove Without Confirmation" of non-default elements to click.
Linux WebDrivers to 23.0.0
Upgraded ZAP add-on
Changed
- Update ChromeDriver to 87.0.4280.20.
MacOS WebDrivers to 22.0.0
Upgraded ZAP add-on
Changed
- Update ChromeDriver to 87.0.4280.20.
Windows WebDrivers to 23.0.0
Upgraded ZAP add-on
Changed
- Update ChromeDriver to 87.0.4280.20.
Zest - Graphical Security Scripting Language to 33.0.0
Upgraded ZAP add-on
Added
- Allow creating a screenshot from the browser, using the context menu Add Zest Client > Screenshot.
Changed
- Update minimum ZAP version to 2.9.0.
- Update Zest library to 0.15.0:
  - Do not follow redirects when disabled;
  - Reduce the changes done to the requests sent.
- Maintenance changes.
Fixed
- Make sure the header fields are separated with CRLF when edited in the UI.
- Handle client requests when authenticating (Issue 5940).
What are the relevant issue numbers?
This MR relates to gitlab-org/gitlab#280767 (closed)
Does this MR meet the acceptance criteria?
- Changelog entry added
- Documentation created/updated for GitLab EE, if necessary
- Documentation created/updated for this project, if necessary
- Documentation reviewed by technical writer or follow-up review issue created
- Tests added for this feature/bug
- Job definition updated, if necessary
  - Job definition example
  - Vendored CI Templates (also in CE)
- Conforms to the code review guidelines
- Conforms to the Go guidelines
- Security reports checked/validated by reviewer
Edited by Craig Smith