Exclude less valuable ZAP rules by default
What does this MR do?
This MR disables the following rules for all scans:
| PluginID | Title | Default Enabled |
| --- | --- | --- |
| 10015 | Incomplete or No Cache-control and Pragma HTTP Header Set | false |
| 10020 | X-Frame-Options Header | false |
| 10026 | HTTP Parameter Override | false |
| 10027 | Information Disclosure - Suspicious Comments | false |
| 10044 | Big Redirect Detected (Potential Sensitive Information Leak) | false |
| 10050 | Retrieved from Cache | false |
| 10052 | X-ChromeLogger-Data (XCOLD) Header Information Leak | false |
| 10053 | Apache Range Header DoS (CVE-2011-3192) | false |
| 10096 | Timestamp Disclosure | false |
| 10104 | User Agent Fuzzer | false |
| 10109 | Modern Web Application | false |
| 20017 | Source Code Disclosure - CVE-2012-1823 | false |
| 20018 | Remote Code Execution - CVE-2012-1823 | false |
| 30001 | Buffer Overflow | false |
| 30002 | Format String Error | false |
| 30003 | Integer Overflow Error | false |
| 40009 | Server Side Include | false |
| 40023 | Possible Username Enumeration | false |
| 40028 | ELMAH Information Leak | false |
| 40029 | Trace.axd Information Leak | false |
| 40034 | .env Information Leak | false |
| 43 | Source Code Disclosure - File Inclusion | false |
| 90024 | Generic Padding Oracle | false |
| 90027 | Cookie Slack Detector | false |
Technical Details
- Adds `exclude_rules.yml`, which contains the list of rules that will be disabled
- Adds the `PyYaml` package to load and parse `exclude_rules.yml`

A YAML file was chosen to define the list of excluded rules so that users have a human-readable source to consult. See gitlab-org/gitlab#327184 (comment 547102779) for more details.
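As an added example, not code from this MR or from the DAST project: one way a loader for such a file could look. It assumes PyYAML is installed and a list-of-mappings layout for `exclude_rules.yml` (the MR does not show the file's format), and the merge with a user-supplied comma-separated ID list is likewise an assumption about how defaults would combine with per-scan overrides.

```python
import yaml

# Constructed sample of what exclude_rules.yml might hold; the MR does not
# show the file's layout, so this list-of-mappings schema is an assumption.
EXCLUDE_RULES_YAML = """
rules:
  - id: 10015
    title: Incomplete or No Cache-control and Pragma HTTP Header Set
  - id: 10020
    title: X-Frame-Options Header
  - id: 90024
    title: Generic Padding Oracle
"""


def load_excluded_rules(text):
    """Parse the YAML and return {plugin_id: title}.

    safe_load is deliberate: yaml.load on a tampered config file could
    instantiate arbitrary Python objects; safe_load only builds plain data.
    """
    doc = yaml.safe_load(text)
    if not isinstance(doc, dict) or not isinstance(doc.get("rules"), list):
        raise ValueError("exclude_rules.yml must contain a 'rules' list")
    rules = {}
    for entry in doc["rules"]:
        if not isinstance(entry, dict) or not isinstance(entry.get("id"), int):
            raise ValueError(f"rule entry without an integer id: {entry!r}")
        if entry["id"] in rules:
            raise ValueError(f"duplicate rule id {entry['id']}")
        rules[entry["id"]] = str(entry.get("title", ""))
    return rules


def disabled_rule_ids(defaults, user_csv=""):
    """Merge the default exclusions with a comma-separated list of extra
    rule IDs supplied by the user; anything that is not a number is rejected
    rather than silently dropped, so a typo cannot leave a rule enabled."""
    ids = set(defaults)
    for token in user_csv.split(","):
        token = token.strip()
        if not token:
            continue
        if not token.isdigit():
            raise ValueError(f"invalid ZAP rule id: {token!r}")
        ids.add(int(token))
    return sorted(ids)
```

`disabled_rule_ids(load_excluded_rules(EXCLUDE_RULES_YAML), "40012, 10020")` yields the sorted, de-duplicated list `[10015, 10020, 40012, 90024]` (the user input here is constructed).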
What are the relevant issue numbers?
gitlab-org/gitlab#327184 (closed)
GitLab Docs MR
Edited by Avielle Wolfe