zot/.zap/rules.tsv

1	# zap-baseline rule configuration file
2	# Change WARN to IGNORE to ignore rule or FAIL to fail if rule matches
3	# Only the rule identifiers are used - the names are just for info
4	# You can add your own messages to each rule by appending them after a tab on each line.
5	10003	WARN	(Vulnerable JS Library (Powered by Retire.js))
6	10009	WARN	(In Page Banner Information Leak)
7	10010	WARN	(Cookie No HttpOnly Flag)
8	10011	WARN	(Cookie Without Secure Flag)
9	10015	WARN	(Re-examine Cache-control Directives)
10	10017	WARN	(Cross-Domain JavaScript Source File Inclusion)
11	10019	WARN	(Content-Type Header Missing)
12	10020	WARN	(Anti-clickjacking Header)
13	10021	WARN	(X-Content-Type-Options Header Missing)
14	10023	WARN	(Information Disclosure - Debug Error Messages)
15	10024	WARN	(Information Disclosure - Sensitive Information in URL)
16	10025	WARN	(Information Disclosure - Sensitive Information in HTTP Referrer Header)
17	10026	WARN	(HTTP Parameter Override)
18	10027	IGNORE	(Information Disclosure - Suspicious Comments) The comments have been reviewed and will not help an attacker
19	10028	WARN	(Open Redirect)
20	10029	WARN	(Cookie Poisoning)
21	10030	WARN	(User Controllable Charset)
22	10031	WARN	(User Controllable HTML Element Attribute (Potential XSS))
23	10032	WARN	(Viewstate)
24	10033	WARN	(Directory Browsing)
25	10034	WARN	(Heartbleed OpenSSL Vulnerability (Indicative))
26	10035	WARN	(Strict-Transport-Security Header)
27	10036	WARN	(HTTP Server Response Header)
28	10038	WARN	(Content Security Policy (CSP) Header Not Set)
29	10039	WARN	(X-Backend-Server Header Information Leak)
30	10040	WARN	(Secure Pages Include Mixed Content)
31	10041	WARN	(HTTP to HTTPS Insecure Transition in Form Post)
32	10042	WARN	(HTTPS to HTTP Insecure Transition in Form Post)
33	10043	WARN	(User Controllable JavaScript Event (XSS))
34	10044	WARN	(Big Redirect Detected (Potential Sensitive Information Leak))
35	10049	IGNORE	(Content Cacheability) We'd need to set the non-cacheble headers on content which could potentially be cached
36	10050	WARN	(Retrieved from Cache)
37	10052	WARN	(X-ChromeLogger-Data (XCOLD) Header Information Leak)
38	10054	WARN	(Cookie without SameSite Attribute)
39	10055	IGNORE	(CSP) We set CSP in both UI (with *) and backend (no *), unfortunately the UI needs to use * in case it is deployed separately
40	10056	WARN	(X-Debug-Token Information Leak)
41	10057	WARN	(Username Hash Found)
42	10061	WARN	(X-AspNet-Version Response Header)
43	10062	WARN	(PII Disclosure)
44	10063	WARN	(Permissions Policy Header Not Set)
45	10094	IGNORE	Base64 Disclosure)	The UI needs to use xlsx library to export the vulnerabilities list and this library triggers this warning
46	10096	IGNORE	(Timestamp Disclosure) All existing timestamps are related to container images and are required
47	10097	WARN	(Hash Disclosure)
48	10098	IGNORE	(Cross-Domain Misconfiguration) Cannot know in advance what DN the users will configure for CORS headers
49	10105	IGNORE	(Weak Authentication Method) Cannot package in advance a certificate which would be used for the user's domain, so we cannot use HTTPS
50	10108	WARN	(Reverse Tabnabbing)
51	10109	IGNORE	(Modern Web Application) The Ajax crawler is run using -j command line option
52	10110	WARN	(Dangerous JS Functions)
53	10202	WARN	(Absence of Anti-CSRF Tokens)
54	2	WARN	(Private IP Disclosure)
55	3	WARN	(Session ID in URL Rewrite)
56	50001	WARN	(Script Passive Scan Rules)
57	90001	WARN	(Insecure JSF ViewState)
58	90002	WARN	(Java Serialization Object)
59	90003	WARN	(Sub Resource Integrity Attribute Missing)
60	90005	IGNORE	(Sec-Fetch-Dest Header is Missing)
61	90011	WARN	(Charset Mismatch)
62	90022	WARN	(Application Error Disclosure)
63	90030	WARN	(WSDL File Detection)
64	90033	WARN	(Loosely Scoped Cookie)