Merge pull request #6514 from kingthorin/add-cwes

thc202 · web-flow · commit 35e008558147 · 2025-06-26T13:01:15.000+01:00
Add CWEs to scan rules
diff --git a/addOns/ascanrules/CHANGELOG.md b/addOns/ascanrules/CHANGELOG.md
@@ -10,6 +10,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ### Added
 - Rules (as applicable) have been tagged in relation to HIPAA and PCI DSS.
+- The Cloud Metadata Potentially Exposed scan rules now has a CWE reference.
 
 ## [72] - 2025-06-20
 ### Added
diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/CloudMetadataScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/CloudMetadataScanRule.java
@@ -203,6 +203,11 @@ public void scan() {
         }
     }
 
+    @Override
+    public int getCweId() {
+        return 1230; // CWE-1230: Exposure of Sensitive Information Through Metadata
+    }
+
     @Override
     public List<Alert> getExampleAlerts() {
         return List.of(createAlert(null, "www.example.com").build());
diff --git a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/CloudMetadataScanRuleUnitTest.java b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/CloudMetadataScanRuleUnitTest.java
@@ -189,6 +189,7 @@ void shouldReturnExpectedExampleAlert() {
         Alert alert1 = alerts.get(0);
         assertThat(alert1.getRisk(), is(equalTo(Alert.RISK_HIGH)));
         assertThat(alert1.getConfidence(), is(equalTo(Alert.CONFIDENCE_MEDIUM)));
+        assertThat(alert1.getCweId(), is(equalTo(1230)));
     }
 
     private static NanoServerHandler createHandler(
diff --git a/addOns/ascanrulesAlpha/CHANGELOG.md b/addOns/ascanrulesAlpha/CHANGELOG.md
@@ -9,6 +9,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ### Added
 - Rules (as applicable) have been tagged in relation to HIPAA and PCI DSS.
+- The Web Cache Deception scan rule now has a CWE reference.
 
 ## [49] - 2025-06-20
 ### Changed
diff --git a/addOns/ascanrulesAlpha/src/main/java/org/zaproxy/zap/extension/ascanrulesAlpha/WebCacheDeceptionScanRule.java b/addOns/ascanrulesAlpha/src/main/java/org/zaproxy/zap/extension/ascanrulesAlpha/WebCacheDeceptionScanRule.java
@@ -206,4 +206,9 @@ public String getReference() {
     public Map<String, String> getAlertTags() {
         return ALERT_TAGS;
     }
+
+    @Override
+    public int getCweId() {
+        return 444; // CWE-444: Inconsistent Interpretation of HTTP Requests
+    }
 }
diff --git a/addOns/ascanrulesAlpha/src/test/java/org/zaproxy/zap/extension/ascanrulesAlpha/WebCacheDeceptionScanRuleUnitTest.java b/addOns/ascanrulesAlpha/src/test/java/org/zaproxy/zap/extension/ascanrulesAlpha/WebCacheDeceptionScanRuleUnitTest.java
@@ -175,8 +175,10 @@ void shouldNotAlertIfResponseDoesNotGetsCached() throws Exception {
     void shouldReturnExpectedMappings() {
         // Given / When
         Map<String, String> tags = rule.getAlertTags();
+        int cwe = rule.getCweId();
         // Then
         assertThat(tags.size(), is(equalTo(6)));
+        assertThat(cwe, is(equalTo(444)));
         assertThat(
                 tags.containsKey(CommonAlertTag.OWASP_2021_A05_SEC_MISCONFIG.getTag()),
                 is(equalTo(true)));
diff --git a/addOns/ascanrulesBeta/CHANGELOG.md b/addOns/ascanrulesBeta/CHANGELOG.md
@@ -9,6 +9,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ### Added
 - Rules (as applicable) have been tagged in relation to HIPAA and PCI DSS.
+- The 403 Bypass scan rule now has a CWE reference.
 
 ## [59] - 2025-06-20
 ### Changed
diff --git a/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/ForbiddenBypassScanRule.java b/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/ForbiddenBypassScanRule.java
@@ -203,6 +203,11 @@ public Map<String, String> getAlertTags() {
         return ALERT_TAGS;
     }
 
+    @Override
+    public int getCweId() {
+        return 348; // CWE-348: Use of Less Trusted Source
+    }
+
     @Override
     public List<Alert> getExampleAlerts() {
         List<Alert> alerts = new ArrayList<>();
diff --git a/addOns/pscanrules/CHANGELOG.md b/addOns/pscanrules/CHANGELOG.md
@@ -4,7 +4,8 @@ All notable changes to this add-on will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ## Unreleased
-
+### Added
+- The Reverse Tabnabbing and Retrieved from Cache scan rules now have CWE references.
 
 ## [65] - 2025-06-20
 ### Added
diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/LinkTargetScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/LinkTargetScanRule.java
@@ -156,7 +156,9 @@ private AlertBuilder buildAlert(String evidence) {
                 .setDescription(Constant.messages.getString(MESSAGE_PREFIX + "desc"))
                 .setSolution(Constant.messages.getString(MESSAGE_PREFIX + "soln"))
                 .setReference(Constant.messages.getString(MESSAGE_PREFIX + "refs"))
-                .setEvidence(evidence);
+                .setEvidence(evidence)
+                // CWE-1022: Use of Web Link to Untrusted Target with window.opener Access
+                .setCweId(1022);
     }
 
     @Override
diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/RetrievedFromCacheScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/RetrievedFromCacheScanRule.java
@@ -149,6 +149,7 @@ private AlertBuilder buildAlert(String evidence, boolean compliant) {
                 .setDescription(Constant.messages.getString(MESSAGE_PREFIX + "desc"))
                 .setSolution(Constant.messages.getString(MESSAGE_PREFIX + "soln"))
                 .setReference(Constant.messages.getString(MESSAGE_PREFIX + "refs"))
+                .setCweId(525) // CWE-525: Use of Web Browser Cache Containing Sensitive Information
                 .setEvidence(evidence)
                 // If compliant Other Info: "Age" header implies a HTTP/1.1 compliant cache server.
                 .setOtherInfo(
diff --git a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/LinkTargetScanRuleUnitTest.java b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/LinkTargetScanRuleUnitTest.java
@@ -505,6 +505,7 @@ void shouldHaveExpectedExampleAlerts() {
         List<Alert> alerts = rule.getExampleAlerts();
         // Then
         assertThat(alerts.size(), is(equalTo(1)));
+        assertThat(alerts.get(0).getCweId(), is(equalTo(1022)));
     }
 
     @Test
diff --git a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/RetrievedFromCacheScanRuleUnitTest.java b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/RetrievedFromCacheScanRuleUnitTest.java
@@ -86,8 +86,10 @@ void shouldHaveExpectedExampleAlerts() {
         assertThat(alerts.size(), is(equalTo(2)));
         Alert cacheHitMissAlert = alerts.get(0);
         assertThat(cacheHitMissAlert.getAlertRef(), is(equalTo("10050-1")));
+        assertThat(cacheHitMissAlert.getCweId(), is(equalTo(525)));
         Alert xCacheAlert = alerts.get(1);
         assertThat(xCacheAlert.getAlertRef(), is(equalTo("10050-2")));
+        assertThat(xCacheAlert.getCweId(), is(equalTo(525)));
     }
 
     @Test
diff --git a/addOns/soap/CHANGELOG.md b/addOns/soap/CHANGELOG.md
@@ -4,7 +4,8 @@ All notable changes to this add-on will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ## Unreleased
-
+### Added
+- The SOAP Action Spoofing, SOAP XML Injection, and WSDL File Detection scan rules now all have CWE references.
 
 ## [25] - 2025-06-20
 ### Added
diff --git a/addOns/soap/src/main/java/org/zaproxy/zap/extension/soap/SOAPActionSpoofingActiveScanRule.java b/addOns/soap/src/main/java/org/zaproxy/zap/extension/soap/SOAPActionSpoofingActiveScanRule.java
@@ -307,8 +307,7 @@ public int getRisk() {
 
     @Override
     public int getCweId() {
-        // The CWE id
-        return 0;
+        return 451; // CWE-451: User Interface (UI) Misrepresentation of Critical Information
     }
 
     @Override
diff --git a/addOns/soap/src/main/java/org/zaproxy/zap/extension/soap/SOAPXMLInjectionActiveScanRule.java b/addOns/soap/src/main/java/org/zaproxy/zap/extension/soap/SOAPXMLInjectionActiveScanRule.java
@@ -211,8 +211,7 @@ public int getRisk() {
 
     @Override
     public int getCweId() {
-        // The CWE id
-        return 0;
+        return 91; // CWE-91: XML Injection
     }
 
     @Override
diff --git a/addOns/soap/src/main/java/org/zaproxy/zap/extension/soap/WSDLFilePassiveScanRule.java b/addOns/soap/src/main/java/org/zaproxy/zap/extension/soap/WSDLFilePassiveScanRule.java
@@ -92,6 +92,7 @@ private void raiseAlert(String evidence) {
                 .setOtherInfo(getOtherInfo())
                 .setSolution(getSolution())
                 .setEvidence(evidence)
+                .setCweId(651) // CWE-651: Exposure of WSDL File Containing Sensitive Information
                 .setWascId(13)
                 .raise();
     }
diff --git a/addOns/soap/src/test/java/org/zaproxy/zap/extension/soap/SOAPActionSpoofingActiveScanRuleTestCase.java b/addOns/soap/src/test/java/org/zaproxy/zap/extension/soap/SOAPActionSpoofingActiveScanRuleTestCase.java
@@ -82,7 +82,7 @@ void shouldReturnExpectedMappings() {
         int wasc = rule.getWascId();
         Map<String, String> tags = rule.getAlertTags();
         // Then
-        assertThat(cwe, is(equalTo(0)));
+        assertThat(cwe, is(equalTo(451)));
         assertThat(wasc, is(equalTo(0)));
         assertThat(tags.size(), is(equalTo(10)));
 
diff --git a/addOns/soap/src/test/java/org/zaproxy/zap/extension/soap/SOAPXMLInjectionActiveScanRuleTestCase.java b/addOns/soap/src/test/java/org/zaproxy/zap/extension/soap/SOAPXMLInjectionActiveScanRuleTestCase.java
@@ -64,7 +64,7 @@ void shouldReturnExpectedMappings() {
         int wasc = rule.getWascId();
         Map<String, String> tags = rule.getAlertTags();
         // Then
-        assertThat(cwe, is(equalTo(0)));
+        assertThat(cwe, is(equalTo(91)));
         assertThat(wasc, is(equalTo(0)));
         assertThat(tags.size(), is(equalTo(10)));
 
diff --git a/addOns/soap/src/test/java/org/zaproxy/zap/extension/soap/WSDLFilePassiveScanRuleTestCase.java b/addOns/soap/src/test/java/org/zaproxy/zap/extension/soap/WSDLFilePassiveScanRuleTestCase.java
@@ -121,6 +121,7 @@ void shouldAlertWhenWsdlResponseStatus200(String contentType) throws IOException
         scanHttpResponseReceive(wsdlMsg);
         // Then
         assertThat(alertsRaised.size(), equalTo(1));
+        assertThat(alertsRaised.get(0).getCweId(), is(equalTo(651)));
     }
 
     @ParameterizedTest

Original file line number	Diff line number	Diff line change
`@@ -203,6 +203,11 @@ public void scan() {`
`203`	`203`	`}`
`204`	`204`	`}`
`205`	`205`
	`206`	`+ @Override`
	`207`	`+ public int getCweId() {`
	`208`	`+ return 1230; // CWE-1230: Exposure of Sensitive Information Through Metadata`
	`209`	`+ }`
	`210`	`+`
`206`	`211`	`@Override`
`207`	`212`	`public List<Alert> getExampleAlerts() {`
`208`	`213`	`return List.of(createAlert(null, "www.example.com").build());`
Original file line number	Diff line number	Diff line change
`@@ -189,6 +189,7 @@ void shouldReturnExpectedExampleAlert() {`
`189`	`189`	`Alert alert1 = alerts.get(0);`
`190`	`190`	`assertThat(alert1.getRisk(), is(equalTo(Alert.RISK_HIGH)));`
`191`	`191`	`assertThat(alert1.getConfidence(), is(equalTo(Alert.CONFIDENCE_MEDIUM)));`
	`192`	`+ assertThat(alert1.getCweId(), is(equalTo(1230)));`
`192`	`193`	`}`
`193`	`194`
`194`	`195`	`private static NanoServerHandler createHandler(`
Original file line number	Diff line number	Diff line change
`@@ -206,4 +206,9 @@ public String getReference() {`
`206`	`206`	`public Map<String, String> getAlertTags() {`
`207`	`207`	`return ALERT_TAGS;`
`208`	`208`	`}`
	`209`	`+`
	`210`	`+ @Override`
	`211`	`+ public int getCweId() {`
	`212`	`+ return 444; // CWE-444: Inconsistent Interpretation of HTTP Requests`
	`213`	`+ }`
`209`	`214`	`}`