mirror of
https://github.com/project-zot/zot.git
synced 2026-06-16 20:38:08 +08:00
Andrei Aaron
5968e7199f
(cherry picked from commit6d03ce5f2d) Additional changes on top of:6d03ce5f2d- Build and use zot from the same branch do not use a container image as scan target, use the binary - Fix typo in rules filename - Add the full rule list to the rules config file - Ignore some of the specific rules and add reasons - Add security-related headers to fix some of the issues identified by the scan - Update UI it includes the latest fixes for zap scan issues Signed-off-by: Andrei Aaron <aaaron@luxoft.com> Co-authored-by: Ramkumar Chinchani <rchincha@cisco.com>
3.4 KiB
3.4 KiB
| 1 | # zap-baseline rule configuration file | ||
|---|---|---|---|
| 2 | # Change WARN to IGNORE to ignore rule or FAIL to fail if rule matches | ||
| 3 | # Only the rule identifiers are used - the names are just for info | ||
| 4 | # You can add your own messages to each rule by appending them after a tab on each line. | ||
| 5 | 10003 | WARN | (Vulnerable JS Library (Powered by Retire.js)) |
| 6 | 10009 | WARN | (In Page Banner Information Leak) |
| 7 | 10010 | WARN | (Cookie No HttpOnly Flag) |
| 8 | 10011 | WARN | (Cookie Without Secure Flag) |
| 9 | 10015 | WARN | (Re-examine Cache-control Directives) |
| 10 | 10017 | WARN | (Cross-Domain JavaScript Source File Inclusion) |
| 11 | 10019 | WARN | (Content-Type Header Missing) |
| 12 | 10020 | WARN | (Anti-clickjacking Header) |
| 13 | 10021 | WARN | (X-Content-Type-Options Header Missing) |
| 14 | 10023 | WARN | (Information Disclosure - Debug Error Messages) |
| 15 | 10024 | WARN | (Information Disclosure - Sensitive Information in URL) |
| 16 | 10025 | WARN | (Information Disclosure - Sensitive Information in HTTP Referrer Header) |
| 17 | 10026 | WARN | (HTTP Parameter Override) |
| 18 | 10027 | IGNORE | (Information Disclosure - Suspicious Comments) The comments have been reviewed and will not help an attacker |
| 19 | 10028 | WARN | (Open Redirect) |
| 20 | 10029 | WARN | (Cookie Poisoning) |
| 21 | 10030 | WARN | (User Controllable Charset) |
| 22 | 10031 | WARN | (User Controllable HTML Element Attribute (Potential XSS)) |
| 23 | 10032 | WARN | (Viewstate) |
| 24 | 10033 | WARN | (Directory Browsing) |
| 25 | 10034 | WARN | (Heartbleed OpenSSL Vulnerability (Indicative)) |
| 26 | 10035 | WARN | (Strict-Transport-Security Header) |
| 27 | 10036 | WARN | (HTTP Server Response Header) |
| 28 | 10038 | WARN | (Content Security Policy (CSP) Header Not Set) |
| 29 | 10039 | WARN | (X-Backend-Server Header Information Leak) |
| 30 | 10040 | WARN | (Secure Pages Include Mixed Content) |
| 31 | 10041 | WARN | (HTTP to HTTPS Insecure Transition in Form Post) |
| 32 | 10042 | WARN | (HTTPS to HTTP Insecure Transition in Form Post) |
| 33 | 10043 | WARN | (User Controllable JavaScript Event (XSS)) |
| 34 | 10044 | WARN | (Big Redirect Detected (Potential Sensitive Information Leak)) |
| 35 | 10049 | IGNORE | (Content Cacheability) We'd need to set the non-cacheble headers on content which could potentially be cached |
| 36 | 10050 | WARN | (Retrieved from Cache) |
| 37 | 10052 | WARN | (X-ChromeLogger-Data (XCOLD) Header Information Leak) |
| 38 | 10054 | WARN | (Cookie without SameSite Attribute) |
| 39 | 10055 | WARN | (CSP) |
| 40 | 10056 | WARN | (X-Debug-Token Information Leak) |
| 41 | 10057 | WARN | (Username Hash Found) |
| 42 | 10061 | WARN | (X-AspNet-Version Response Header) |
| 43 | 10062 | WARN | (PII Disclosure) |
| 44 | 10063 | WARN | (Permissions Policy Header Not Set) |
| 45 | 10096 | IGNORE | (Timestamp Disclosure) All existing timestamps are related to container images and are required |
| 46 | 10097 | WARN | (Hash Disclosure) |
| 47 | 10098 | IGNORE | (Cross-Domain Misconfiguration) Cannot know in advance what DN the users will configure for CORS headers |
| 48 | 10105 | IGNORE | (Weak Authentication Method) Cannot package in advance a certificate which would be used for the user's domain, so we cannot use HTTPS |
| 49 | 10108 | WARN | (Reverse Tabnabbing) |
| 50 | 10109 | IGNORE | (Modern Web Application) The Ajax crawler is run using -j command line option |
| 51 | 10110 | WARN | (Dangerous JS Functions) |
| 52 | 10202 | WARN | (Absence of Anti-CSRF Tokens) |
| 53 | 2 | WARN | (Private IP Disclosure) |
| 54 | 3 | WARN | (Session ID in URL Rewrite) |
| 55 | 50001 | WARN | (Script Passive Scan Rules) |
| 56 | 90001 | WARN | (Insecure JSF ViewState) |
| 57 | 90002 | WARN | (Java Serialization Object) |
| 58 | 90003 | IGNORE | (Sub Resource Integrity Attribute Missing) Google Fonts API return dynamic stylesheets depending on OS/Browser and it is not possible to use static identity hashes |
| 59 | 90011 | WARN | (Charset Mismatch) |
| 60 | 90022 | WARN | (Application Error Disclosure) |
| 61 | 90030 | WARN | (WSDL File Detection) |
| 62 | 90033 | WARN | (Loosely Scoped Cookie) |