Exclude empty request and response from report
What does this MR do?
Problem
@warias was able to generate a secure report that omitted required fields:
```json
{
  "category": "dast",
  "confidence": "Medium",
  "cve": "10047",
  "description": "Content which was initially accessed via HTTPS (i.e.: using SSL/TLS encryption) is also accessible via HTTP (without encryption).",
  "evidence": {
    "request": {
      "headers": [],
      "method": "",
      "url": ""
    },
    "response": {
      "headers": [],
      "reason_phrase": "",
      "status_code": ""
    },
    "summary": "http://xxx.nip.io/static/css/5.71be5c0a.chunk.css; ZAP attempted to connect via: http://xxx.nip.io/static/css/5.71be5c0a.chunk.css"
  },
  "id": "09655f19-5919-4264-934f-5cab657848c1",
  "identifiers": [
    {
      "name": "HTTPS Content Available via HTTP",
      "type": "ZAProxy_PluginId",
      "url": "https://github.com/zaproxy/zaproxy/blob/w2019-01-14/docs/scanners.md",
      "value": "10047"
    },
    {
      "name": "CWE-311",
      "type": "CWE",
      "url": "https://cwe.mitre.org/data/definitions/311.html",
      "value": "311"
    }
  ],
  "links": [
    {
      "url": "https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html"
    },
    {
      "url": "https://owasp.org/www-community/Security_Headers"
    },
    {
      "url": "http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security"
    },
    {
      "url": "http://caniuse.com/stricttransportsecurity"
    },
    {
      "url": "http://tools.ietf.org/html/rfc6797"
    }
  ],
  "location": {
    "hostname": "https://xxx.nip.io",
    "method": "GET",
    "param": "",
    "path": "/static/css/5.71be5c0a.chunk.css"
  },
  "message": "HTTPS Content Available via HTTP",
  "scanner": {
    "id": "zaproxy",
    "name": "ZAProxy"
  },
  "severity": "Low",
  "solution": "Ensure that your web server, application server, load balancer, etc. is configured to only serve such content via HTTPS. Consider implementing HTTP Strict Transport Security."
}
```
The issues are that `method` and `url` have a `minLength` requirement and `status_code` should be of type `integer`. Enabling strict schema validation by default surfaced the issue.
Proposed Solution
Remove the code that sets default values when `request`/`response` are missing. I think this is OK because the only required fields in `evidence` are `id` and `name`.
Alternative Solutions Considered
Use bogus default values that conform to the secure report schema.
Edited by Philip Cunningham
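The two behaviours described in the MR, side by side, as an added Ruby example that is not GitLab's own parser code: the old path fills `request`/`response` with empty defaults, the proposed path omits the keys when the scanner produced nothing, and a small checker enforces only the three constraints the MR names (`minLength` on `method` and `url`, integer `status_code`). The checker is an assumed stand-in for the real secure report schema, not the schema itself, and the summary string is taken from the report above.

```ruby
# Added example, not code from GitLab. Shows why empty-string defaults for
# request/response fail strict schema validation and why omitting the keys
# passes. The checker below covers only the constraints quoted in the MR
# (assumption: the real secure report schema is larger).

# Returns a list of violations for an `evidence` hash. Empty list means the
# evidence is valid with respect to the three checked constraints.
def evidence_violations(evidence)
  violations = []

  if (request = evidence['request'])
    # `method` and `url` carry a minLength requirement: empty strings fail.
    %w[method url].each do |key|
      value = request[key]
      next if value.is_a?(String) && !value.empty?

      violations << "request.#{key} must be a non-empty string"
    end
  end

  if (response = evidence['response'])
    # `status_code` must be an integer: the "" default is the wrong type.
    unless response['status_code'].is_a?(Integer)
      violations << 'response.status_code must be an integer'
    end
  end

  violations
end

# Old behaviour (the code the MR removes): substitute empty defaults when the
# scanner did not record a request or response.
def evidence_with_defaults(summary, request: nil, response: nil)
  {
    'summary' => summary,
    'request' => request || { 'headers' => [], 'method' => '', 'url' => '' },
    'response' => response || { 'headers' => [], 'reason_phrase' => '', 'status_code' => '' }
  }
end

# Proposed behaviour: leave `request`/`response` out entirely when absent.
def evidence_without_defaults(summary, request: nil, response: nil)
  { 'summary' => summary, 'request' => request, 'response' => response }.compact
end

if $PROGRAM_NAME == __FILE__
  summary = 'http://xxx.nip.io/static/css/5.71be5c0a.chunk.css; ' \
            'ZAP attempted to connect via: http://xxx.nip.io/static/css/5.71be5c0a.chunk.css'

  puts 'with defaults:    ' + evidence_violations(evidence_with_defaults(summary)).inspect
  puts 'without defaults: ' + evidence_violations(evidence_without_defaults(summary)).inspect
end
```

Running the file prints three violations for the defaulted evidence and none for the evidence that omits the keys, which is the difference the MR relies on; a real request/response pair with a non-empty method and URL and an integer status code passes both checks.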