feat: retire: Include CVEs as Alert Tags when available

- CHANGELOG > Added change note.
- RetireScanRule > Added functionality to add CVEs as alert tags when
they're available.
- RetireScanRuleUnitTest > Asserted the new behavior in one unittest.

Signed-off-by: kingthorin <[email protected]>

addOns/retire/CHANGELOG.md

@@ -4,14 +4,13 @@ All notable changes to this add-on will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ## Unreleased
-
+### Changed
+- Relevant CVEs will now be added as Alert Tags when available.
 
 ## [0.11.0] - 2022-05-03
 ### Changed
 - Updated with upstream retire.js pattern changes.
 
-
-
 ## [0.10.0] - 2022-02-02
 ### Changed
 - Updated with upstream retire.js pattern changes.

addOns/retire/src/main/java/org/zaproxy/addon/retire/RetireScanRule.java

@@ -22,6 +22,7 @@
 import java.io.IOException;
 import java.util.ArrayList;
 import java.util.Collections;
+import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
@@ -45,6 +46,7 @@ public class RetireScanRule extends PluginPassiveScanner {
             CommonAlertTag.toMap(
                     CommonAlertTag.OWASP_2021_A06_VULN_COMP,
                     CommonAlertTag.OWASP_2017_A09_VULN_COMP);
+    private Map<String, String> alertTags = new HashMap<>();
 
     private Repo repo;
 
@@ -122,14 +124,18 @@ private String getDetails(String key, Map<String, Set<String>> info) {
         }
         StringBuilder sb = new StringBuilder();
         for (String item : info.get(key)) {
+            if (key.equals(Result.CVE)) {
+                alertTags.put(item, "");
+            }
             sb.append(item).append('\n');
         }
         return sb.toString();
     }
 
     @Override
     public Map<String, String> getAlertTags() {
-        return ALERT_TAGS;
+        alertTags.putAll(ALERT_TAGS);
+        return alertTags;
     }
 
     private Repo getRepo() {

addOns/retire/src/test/java/org/zaproxy/addon/retire/RetireScanRuleUnitTest.java

@@ -152,6 +152,8 @@ void shouldRaiseAlertOnVulnerableContent() {
         assertEquals(
                 "https://github.com/twbs/bootstrap/issues/20184\n",
                 alertsRaised.get(0).getReference());
+        // Two Constant OWASP tags plus one CVE
+        assertEquals(3, (alertsRaised.get(0).getTags().size());
     }
 
     @Test