feat: retire: Include CVEs as Alert Tags when available

- CHANGELOG > Added change note. - Result > Add convenience method to get a list of associated CVEs. - RetireScanRule > Added functionality to add CVEs as alert tags when they're available. - RetireScanRuleUnitTest > Asserted the new behavior in one unittest. Signed-off-by: kingthorin <[email protected]>
zaproxy · May 20, 2022 · 6fbc0af · 6fbc0af
1 parent 9b81f60
commit 6fbc0af
Show file tree

Hide file tree

Showing 4 changed files with 21 additions and 3 deletions.
diff --git a/addOns/retire/CHANGELOG.md b/addOns/retire/CHANGELOG.md
@@ -4,14 +4,13 @@ All notable changes to this add-on will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ## Unreleased
-
+### Changed
+- Relevant CVEs will now be added as Alert Tags when available.
 
 ## [0.11.0] - 2022-05-03
 ### Changed
 - Updated with upstream retire.js pattern changes.
 
-
-
 ## [0.10.0] - 2022-02-02
 ### Changed
 - Updated with upstream retire.js pattern changes.

diff --git a/addOns/retire/src/main/java/org/zaproxy/addon/retire/Result.java b/addOns/retire/src/main/java/org/zaproxy/addon/retire/Result.java
@@ -19,6 +19,7 @@
  */
 package org.zaproxy.addon.retire;
 
+import java.util.Collections;
 import java.util.HashMap;
 import java.util.Map;
 import java.util.Set;
@@ -71,4 +72,11 @@ public void setOtherinfo(String otherinfo) {
     public boolean hasOtherInfo() {
         return otherinfo != null && !otherinfo.isEmpty();
     }
+
+    public Set<String> getCves() {
+        if (information.isEmpty() || !information.containsKey(CVE)) {
+            return Collections.emptySet();
+        }
+        return information.get(CVE);
+    }
 }
diff --git a/addOns/retire/src/main/java/org/zaproxy/addon/retire/RetireScanRule.java b/addOns/retire/src/main/java/org/zaproxy/addon/retire/RetireScanRule.java
@@ -22,6 +22,7 @@
 import java.io.IOException;
 import java.util.ArrayList;
 import java.util.Collections;
+import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
@@ -101,6 +102,7 @@ private AlertBuilder buildAlert(Result result, String otherInfo) {
                         Constant.messages.getString(
                                 "retire.rule.desc", result.getFilename(), result.getVersion()))
                 .setOtherInfo(otherInfo)
+                .setTags(getAllAlertTags(result))
                 .setReference(getDetails(Result.INFO, result.getInformation()))
                 .setSolution(Constant.messages.getString("retire.rule.soln", result.getFilename()))
                 .setEvidence(result.getEvidence().trim())
@@ -127,6 +129,13 @@ private String getDetails(String key, Map<String, Set<String>> info) {
         return sb.toString();
     }
 
+    private Map<String, String> getAllAlertTags(Result result) {
+        Map<String, String> alertTags = new HashMap<>();
+        result.getCves().forEach(value -> alertTags.put(value, ""));
+        alertTags.putAll(getAlertTags());
+        return alertTags;
+    }
+
     @Override
     public Map<String, String> getAlertTags() {
         return ALERT_TAGS;

diff --git a/addOns/retire/src/test/java/org/zaproxy/addon/retire/RetireScanRuleUnitTest.java b/addOns/retire/src/test/java/org/zaproxy/addon/retire/RetireScanRuleUnitTest.java
@@ -152,6 +152,8 @@ void shouldRaiseAlertOnVulnerableContent() {
         assertEquals(
                 "https://github.com/twbs/bootstrap/issues/20184\n",
                 alertsRaised.get(0).getReference());
+        // Two Constant OWASP tags plus one CVE
+        assertEquals(3, alertsRaised.get(0).getTags().size());
     }
 
     @Test