
how to use rulesFilePath? #10

Open

schamp opened this issue Dec 7, 2017 · 0 comments

schamp commented Dec 7, 2017

The documentation for rulesFilePath:

# Optional - specifies additional rules outside of what's included in the core
sonar.zaproxy.rulesFilePath=${WORKSPACE}/myrules.xml

alongside reportPath, such as it is with the Jenkins WORKSPACE reference, seems to imply that custom rules may be defined in this file at analysis time. Is this the intention?

I am trying to develop my own plugin that can pass new rules in and a report that triggers them at the same time, and this looked like it might do what I want.

Am I missing how this is supposed to work? Do I have the wrong idea or am I doing it wrong? Is there an example I can follow?

For reference, here are the properties and files I am passing with the Jenkins plugin:

sonar.zaproxy.rulesFilePath=reports/test-rules.xml
sonar.zaproxy.reportPath=reports/test-report.xml

test-rules.xml:

<rules>
    <rule>
        <key>1234567890</key>
        <name>Just some dynamic rule</name>
        <description>
            <![CDATA[<h3>Solution :</h3>
            <p>There is a problem, please fix it.</p>
            <h3>References:</h3>
            <ul>
                <li>No Reference.</li>
            </ul>]]>
        </description>
        <severity>MAJOR</severity>
        <status>READY</status>
        <tag>onetag</tag>
        <tag>anothertag</tag>
    </rule>
</rules>

test-report.xml:

<?xml version="1.0" encoding="UTF-8"?>
<OWASPZAPReport generated="jeu., 7 mai 2015 16:14:12" version="2.4.0">
    <site host="localhost" name="http://localhost:8180" port="8180" ssl="false">
        <alerts>
            <alertitem>
                <pluginid>0</pluginid>
                <alert>Existing test check</alert>
                <riskcode>1</riskcode>
                <confidence>2</confidence>
                <riskdesc>Low (Medium)</riskdesc>
                <desc>A fancy description</desc>
                <uri>http://localhost/foobar.txt</uri>
                <param/>
                <attack/>
                <otherinfo>More other info</otherinfo>
                <solution>Amazing Solution</solution>
                <otherinfo>Some other info</otherinfo>
                <reference>Test reference</reference>
                <cweid>933</cweid>
                <wascid>14</wascid>
            </alertitem>
            <alertitem>
                <pluginid>1234567890</pluginid>
                <alert>Dynamic rule test check</alert>
                <riskcode>1</riskcode>
                <confidence>2</confidence>
                <riskdesc>Low (Medium)</riskdesc>
                <desc>A fancy description</desc>
                <uri>http://localhost/foobar.txt</uri>
                <param/>
                <attack/>
                <otherinfo>More other info</otherinfo>
                <solution>Amazing Solution</solution>
                <otherinfo>Some other info</otherinfo>
                <reference>Test reference</reference>
                <cweid>933</cweid>
                <wascid>14</wascid>
            </alertitem>
        </alerts>
    </site>
</OWASPZAPReport>

When I run this analysis with SonarQube 6.6, I get this warning about the rule I am trying to create:

WARN: The rule ZAProxy:1234567890 doesn't exist.
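A pre-flight check for the failure mode reported in this issue, added here as an example; it is not code from the sonar.zaproxy plugin and does not use its API. It parses a rules file and a ZAP XML report in the shapes posted above and lists every `<pluginid>` in the report that has no matching `<key>` in the rules file, which is the condition behind the warning `The rule ZAProxy:1234567890 doesn't exist.` The repository key `ZAProxy` is taken from that warning; the two sample documents are constructed (trimmed copies of the files in the issue), the severity and status vocabularies are SonarQube's standard ones, and defaulting a missing `<status>` to READY is this script's own choice, not the plugin's. Worth keeping in mind when reading the result: SonarQube registers rule repositories when the server starts and loads its plugins, and the scanner cannot create a rule during an analysis, so a report entry whose pluginid the server does not know ends in the warning quoted above rather than in a new rule.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs that mirror the two files posted in the issue,
# trimmed to the elements this check reads. Rule "0" is defined; "1234567890"
# is the pluginid the reporter tried to add a rule for.
RULES_XML = """<rules>
    <rule>
        <key>0</key>
        <name>Existing test check</name>
        <description><![CDATA[<p>Already known to the plugin.</p>]]></description>
        <severity>MAJOR</severity>
        <status>READY</status>
        <tag>onetag</tag>
    </rule>
</rules>"""

REPORT_XML = """<?xml version="1.0" encoding="UTF-8"?>
<OWASPZAPReport generated="jeu., 7 mai 2015 16:14:12" version="2.4.0">
    <site host="localhost" name="http://localhost:8180" port="8180" ssl="false">
        <alerts>
            <alertitem>
                <pluginid>0</pluginid>
                <alert>Existing test check</alert>
                <riskcode>1</riskcode>
                <uri>http://localhost/foobar.txt</uri>
            </alertitem>
            <alertitem>
                <pluginid>1234567890</pluginid>
                <alert>Dynamic rule test check</alert>
                <riskcode>1</riskcode>
                <uri>http://localhost/foobar.txt</uri>
            </alertitem>
        </alerts>
    </site>
</OWASPZAPReport>"""

# Repository key as it appears in the scanner warning "The rule ZAProxy:... doesn't exist."
REPOSITORY_KEY = "ZAProxy"

# SonarQube's rule severities and statuses; anything else is a broken rules file.
SEVERITIES = {"INFO", "MINOR", "MAJOR", "CRITICAL", "BLOCKER"}
STATUSES = {"BETA", "DEPRECATED", "READY", "REMOVED"}


def load_rules(rules_xml: str) -> dict:
    """Parse a rules file into {key: {"name", "severity", "status"}} and
    reject entries with a missing/duplicate key or an unknown severity or status.
    A missing <status> defaults to READY (this script's assumption, not the plugin's)."""
    rules = {}
    for rule in ET.fromstring(rules_xml).iter("rule"):
        key = (rule.findtext("key") or "").strip()
        if not key:
            raise ValueError("rule without <key>")
        if key in rules:
            raise ValueError(f"duplicate rule key {key}")
        sev = (rule.findtext("severity") or "").strip()
        status = (rule.findtext("status") or "READY").strip()
        if sev not in SEVERITIES:
            raise ValueError(f"rule {key}: unknown severity {sev!r}")
        if status not in STATUSES:
            raise ValueError(f"rule {key}: unknown status {status!r}")
        rules[key] = {"name": (rule.findtext("name") or "").strip(),
                      "severity": sev, "status": status}
    return rules


def report_plugin_ids(report_xml: str) -> dict:
    """Map each pluginid in a ZAP XML report to the first alert name seen for it.
    Alert text is derived from the scanned target's responses, so the report is
    untrusted input: it is only compared and printed, never reused as markup."""
    seen = {}
    for item in ET.fromstring(report_xml).iter("alertitem"):
        pid = (item.findtext("pluginid") or "").strip()
        seen.setdefault(pid, (item.findtext("alert") or "").strip())
    return seen


def unknown_rules(rules_xml: str, report_xml: str) -> list:
    """Return sorted [(full_rule_key, alert_name)] for every alert whose pluginid
    has no rule in the rules file: the entries that produce the warning
    "The rule ZAProxy:<pluginid> doesn't exist." at analysis time."""
    known = load_rules(rules_xml)
    return sorted(
        (f"{REPOSITORY_KEY}:{pid}", name)
        for pid, name in report_plugin_ids(report_xml).items()
        if pid not in known
    )


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # usage: check.py rules.xml report.xml
        with open(sys.argv[1], encoding="utf-8") as r, open(sys.argv[2], encoding="utf-8") as p:
            rules_xml, report_xml = r.read(), p.read()
    else:
        rules_xml, report_xml = RULES_XML, REPORT_XML
    missing = unknown_rules(rules_xml, report_xml)
    for key, name in missing:
        print(f"no rule for {key} ({name!r}); the scanner will warn that it doesn't exist")
    sys.exit(1 if missing else 0)
```

Run it as a build step before sonar-scanner (for example `python check.py reports/test-rules.xml reports/test-report.xml` with the paths from the properties above); a non-zero exit fails the job while the mismatch is still cheap to fix, instead of surfacing as a WARN line in the analysis log.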