automation: Allow selecting rules via Alert Tags

Signed-off-by: ricekot <[email protected]>

Author: ricekot

addOns/automation/CHANGELOG.md

@@ -8,6 +8,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 - Support for step delay in Browser Based Authentication.
 - Support for min wait for in Client Script Authentication.
 - Support for url in activeScan job.
+- Allow selecting rules in policy definitions using alert tags.
 
 ### Changed
 - Refer to output panel for errors.

addOns/automation/src/main/java/org/zaproxy/addon/automation/gui/ActiveScanJobDialog.java

@@ -22,13 +22,15 @@
 import java.awt.Component;
 import java.util.ArrayList;
 import java.util.List;
+import java.util.Locale;
 import javax.swing.JButton;
 import javax.swing.JTextField;
 import org.parosproxy.paros.core.scanner.Plugin.AlertThreshold;
 import org.parosproxy.paros.core.scanner.Plugin.AttackStrength;
 import org.zaproxy.addon.automation.jobs.ActiveScanJob;
 import org.zaproxy.addon.automation.jobs.ActiveScanJob.Parameters;
 import org.zaproxy.addon.automation.jobs.JobUtils;
+import org.zaproxy.addon.automation.jobs.PolicyDefinition;
 import org.zaproxy.addon.automation.jobs.PolicyDefinition.Rule;
 import org.zaproxy.zap.utils.DisplayUtils;
 
@@ -41,6 +43,7 @@ public class ActiveScanJobDialog extends ActiveScanPolicyDialog {
         "automation.dialog.tab.params",
         "automation.dialog.ascan.tab.policydefaults",
         "automation.dialog.ascan.tab.policyrules",
+        "automation.dialog.ascan.tab.policyalerttags",
         "automation.dialog.ascan.tab.adv"
     };
 
@@ -68,48 +71,51 @@ public class ActiveScanJobDialog extends ActiveScanPolicyDialog {
     public ActiveScanJobDialog(ActiveScanJob job) {
         super(TITLE, DisplayUtils.getScaledDimension(500, 400), TAB_LABELS);
         this.job = job;
+        int tabIndex = -1;
 
-        this.addTextField(0, NAME_PARAM, this.job.getData().getName());
+        this.addTextField(++tabIndex, NAME_PARAM, this.job.getData().getName());
         List<String> contextNames = this.job.getEnv().getContextNames();
         // Add blank option
         contextNames.add(0, "");
-        this.addComboField(0, CONTEXT_PARAM, contextNames, this.job.getParameters().getContext());
+        this.addComboField(
+                tabIndex, CONTEXT_PARAM, contextNames, this.job.getParameters().getContext());
 
         List<String> users = job.getEnv().getAllUserNames();
         // Add blank option
         users.add(0, "");
-        this.addComboField(0, USER_PARAM, users, this.job.getData().getParameters().getUser());
+        this.addComboField(
+                tabIndex, USER_PARAM, users, this.job.getData().getParameters().getUser());
 
         // Cannot select the node as it might not be present in the Sites tree
-        this.addNodeSelectField(0, URL_PARAM, null, true, false);
+        this.addNodeSelectField(tabIndex, URL_PARAM, null, true, false);
         Component urlField = this.getField(URL_PARAM);
         if (urlField instanceof JTextField) {
             ((JTextField) urlField).setText(this.job.getParameters().getUrl());
         }
 
-        this.addTextField(0, POLICY_PARAM, this.job.getParameters().getPolicy());
+        this.addTextField(tabIndex, POLICY_PARAM, this.job.getParameters().getPolicy());
         this.addNumberField(
-                0,
+                tabIndex,
                 MAX_RULE_DURATION_PARAM,
                 0,
                 Integer.MAX_VALUE,
                 JobUtils.unBox(job.getParameters().getMaxRuleDurationInMins()));
         this.addNumberField(
-                0,
+                tabIndex,
                 MAX_SCAN_DURATION_PARAM,
                 0,
                 Integer.MAX_VALUE,
                 JobUtils.unBox(job.getParameters().getMaxScanDurationInMins()));
         addNumberField(
-                0,
+                tabIndex,
                 MAX_ALERTS_PER_RULE_PARAM,
                 0,
                 Integer.MAX_VALUE,
                 JobUtils.unBox(job.getParameters().getMaxAlertsPerRule()));
-        this.addCheckBoxField(0, FIELD_ADVANCED, advOptionsSet());
+        this.addCheckBoxField(tabIndex, FIELD_ADVANCED, advOptionsSet());
         this.addFieldListener(FIELD_ADVANCED, e -> setAdvancedTabs(getBoolValue(FIELD_ADVANCED)));
 
-        this.addPadding(0);
+        this.addPadding(tabIndex);
 
         String thresholdName =
                 JobUtils.thresholdToI18n(job.getData().getPolicyDefinition().getDefaultThreshold());
@@ -131,7 +137,7 @@ public ActiveScanJobDialog(ActiveScanJob job) {
             allthresholds.add(JobUtils.thresholdToI18n(at.name()));
         }
 
-        this.addComboField(1, DEFAULT_THRESHOLD_PARAM, allthresholds, thresholdName);
+        this.addComboField(++tabIndex, DEFAULT_THRESHOLD_PARAM, allthresholds, thresholdName);
 
         List<String> allstrengths = new ArrayList<>();
 
@@ -142,45 +148,73 @@ public ActiveScanJobDialog(ActiveScanJob job) {
             allstrengths.add(JobUtils.strengthToI18n(at.name()));
         }
 
-        this.addComboField(1, DEFAULT_STRENGTH_PARAM, allstrengths, strengthName);
+        this.addComboField(tabIndex, DEFAULT_STRENGTH_PARAM, allstrengths, strengthName);
 
-        this.addPadding(1);
+        this.addPadding(tabIndex);
 
         List<JButton> buttons = new ArrayList<>();
         buttons.add(getAddButton());
         buttons.add(getModifyButton());
         buttons.add(getRemoveButton());
 
-        this.addTableField(2, getRulesTable(), buttons);
+        this.addTableField(++tabIndex, getRulesTable(), buttons);
+
+        String tagRuleThresholdName =
+                JobUtils.thresholdToI18n(
+                        job.getData()
+                                .getPolicyDefinition()
+                                .getAlertTagRule()
+                                .getThreshold()
+                                .name());
+        if (tagRuleThresholdName.isEmpty()) {
+            tagRuleThresholdName = JobUtils.thresholdToI18n(AlertThreshold.MEDIUM.name());
+        }
+        String tagRuleStrengthName =
+                JobUtils.strengthToI18n(
+                        job.getData().getPolicyDefinition().getAlertTagRule().getStrength().name());
+        if (tagRuleStrengthName.isEmpty()) {
+            tagRuleStrengthName = JobUtils.strengthToI18n(AttackStrength.MEDIUM.name());
+        }
+        this.addComboField(
+                ++tabIndex, TAG_RULE_THRESHOLD_PARAM, allthresholds, tagRuleThresholdName);
+        this.addComboField(tabIndex, TAG_RULE_STRENGTH_PARAM, allstrengths, tagRuleStrengthName);
+        this.addTableField(
+                tabIndex,
+                getIncludedAlertTagsTable(),
+                List.of(getAddIncludedAlertTagButton(), getRemoveIncludedAlertTagButton()));
+        this.addTableField(
+                tabIndex,
+                getExcludedAlertTagsTable(),
+                List.of(getAddExcludedAlertTagButton(), getRemoveExcludedAlertTagButton()));
 
         this.addNumberField(
-                3,
+                ++tabIndex,
                 DELAY_IN_MS_PARAM,
                 0,
                 Integer.MAX_VALUE,
                 JobUtils.unBox(job.getParameters().getDelayInMs()));
         this.addNumberField(
-                3,
+                tabIndex,
                 THREADS_PER_HOST_PARAM,
                 1,
                 Integer.MAX_VALUE,
                 JobUtils.unBox(job.getParameters().getThreadPerHost()));
         this.addCheckBoxField(
-                3, ADD_QUERY_PARAM, JobUtils.unBox(job.getParameters().getAddQueryParam()));
+                tabIndex, ADD_QUERY_PARAM, JobUtils.unBox(job.getParameters().getAddQueryParam()));
         this.addCheckBoxField(
-                3,
+                tabIndex,
                 HANDLE_ANTI_CSRF_PARAM,
                 JobUtils.unBox(job.getParameters().getHandleAntiCSRFTokens()));
         this.addCheckBoxField(
-                3,
+                tabIndex,
                 INJECT_PLUGIN_ID_PARAM,
                 JobUtils.unBox(job.getParameters().getInjectPluginIdInHeader()));
         this.addCheckBoxField(
-                3,
+                tabIndex,
                 SCAN_HEADERS_PARAM,
                 JobUtils.unBox(job.getParameters().getScanHeadersAllRequests()));
 
-        this.addPadding(3);
+        this.addPadding(tabIndex);
 
         setAdvancedTabs(getBoolValue(FIELD_ADVANCED));
     }
@@ -248,6 +282,23 @@ public void save() {
             this.job.getParameters().setScanHeadersAllRequests(null);
         }
         this.job.getData().getPolicyDefinition().setRules(this.getRulesModel().getRules());
+        this.job
+                .getData()
+                .getPolicyDefinition()
+                .setAlertTagRule(
+                        new PolicyDefinition.AlertTagRuleConfig(
+                                this.getIncludedTagsTableModel().getAlertTagPatterns(),
+                                this.getExcludedTagsTableModel().getAlertTagPatterns(),
+                                AttackStrength.valueOf(
+                                        JobUtils.i18nToStrength(
+                                                        this.getStringValue(
+                                                                TAG_RULE_STRENGTH_PARAM))
+                                                .toUpperCase(Locale.ROOT)),
+                                AlertThreshold.valueOf(
+                                        JobUtils.i18nToThreshold(
+                                                        this.getStringValue(
+                                                                TAG_RULE_THRESHOLD_PARAM))
+                                                .toUpperCase(Locale.ROOT))));
         this.job.resetAndSetChanged();
     }
 
@@ -261,4 +312,9 @@ public String validateFields() {
     protected List<Rule> getRules() {
         return job.getData().getPolicyDefinition().getRules();
     }
+
+    @Override
+    protected PolicyDefinition.AlertTagRuleConfig getAlertTagRule() {
+        return job.getData().getPolicyDefinition().getAlertTagRule();
+    }
 }

addOns/automation/src/main/java/org/zaproxy/addon/automation/gui/ActiveScanPolicyDialog.java

@@ -22,21 +22,28 @@
 import java.awt.Dimension;
 import java.awt.event.MouseAdapter;
 import java.awt.event.MouseEvent;
+import java.util.ArrayList;
 import java.util.List;
+import java.util.function.Supplier;
+import java.util.regex.Pattern;
 import javax.swing.JButton;
 import javax.swing.JOptionPane;
 import javax.swing.JTable;
+import lombok.AccessLevel;
+import lombok.Getter;
 import org.apache.commons.configuration.ConfigurationException;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import org.parosproxy.paros.Constant;
 import org.parosproxy.paros.view.View;
+import org.zaproxy.addon.automation.jobs.PolicyDefinition.AlertTagRuleConfig;
 import org.zaproxy.addon.automation.jobs.PolicyDefinition.Rule;
 import org.zaproxy.zap.utils.DisplayUtils;
 import org.zaproxy.zap.view.StandardFieldsDialog;
 
 @SuppressWarnings("serial")
 /** An abstract class that provides the methods needed to add active scan policy management tabs. */
+@Getter(value = AccessLevel.PROTECTED)
 public abstract class ActiveScanPolicyDialog extends StandardFieldsDialog {
 
     private static final long serialVersionUID = 1L;
@@ -47,6 +54,10 @@ public abstract class ActiveScanPolicyDialog extends StandardFieldsDialog {
             "automation.dialog.ascan.defaultthreshold";
     protected static final String DEFAULT_STRENGTH_PARAM =
             "automation.dialog.ascan.defaultstrength";
+    protected static final String TAG_RULE_THRESHOLD_PARAM =
+            "automation.dialog.ascanpolicyalerttags.threshold";
+    protected static final String TAG_RULE_STRENGTH_PARAM =
+            "automation.dialog.ascanpolicyalerttags.strength";
 
     private JButton addButton = null;
     private JButton modifyButton = null;
@@ -55,6 +66,26 @@ public abstract class ActiveScanPolicyDialog extends StandardFieldsDialog {
     private JTable rulesTable = null;
     private AscanRulesTableModel rulesModel = null;
 
+    private JTable includedTagsTable;
+    private final AlertTagsTableModel includedTagsTableModel =
+            new AlertTagsTableModel(
+                    Constant.messages.getString(
+                            "automation.dialog.ascanpolicyalerttags.includedtagpatterns"));
+    private final JButton addIncludedAlertTagButton =
+            createAddAlertTagButton(includedTagsTableModel);
+    private final JButton removeIncludedAlertTagButton =
+            createRemoveAlertTagButton(includedTagsTableModel, this::getIncludedAlertTagsTable);
+
+    private final AlertTagsTableModel excludedTagsTableModel =
+            new AlertTagsTableModel(
+                    Constant.messages.getString(
+                            "automation.dialog.ascanpolicyalerttags.excludedtagpatterns"));
+    private JTable excludedTagsTable;
+    private final JButton addExcludedAlertTagButton =
+            createAddAlertTagButton(excludedTagsTableModel);
+    private final JButton removeExcludedAlertTagButton =
+            createRemoveAlertTagButton(excludedTagsTableModel, this::getExcludedAlertTagsTable);
+
     public ActiveScanPolicyDialog(String title, Dimension dimension, String[] tabLabels) {
         super(View.getSingleton().getMainFrame(), title, dimension, tabLabels);
     }
@@ -185,4 +216,61 @@ protected AscanRulesTableModel getRulesModel() {
     }
 
     protected abstract List<Rule> getRules();
+
+    protected JTable getIncludedAlertTagsTable() {
+        if (includedTagsTable == null) {
+            includedTagsTable =
+                    createAlertTagsTable(
+                            getIncludedTagsTableModel(),
+                            getAlertTagRule().getIncludePatterns(),
+                            getRemoveIncludedAlertTagButton());
+        }
+        return includedTagsTable;
+    }
+
+    protected JTable getExcludedAlertTagsTable() {
+        if (excludedTagsTable == null) {
+            excludedTagsTable =
+                    createAlertTagsTable(
+                            getExcludedTagsTableModel(),
+                            getAlertTagRule().getExcludePatterns(),
+                            getRemoveExcludedAlertTagButton());
+        }
+        return excludedTagsTable;
+    }
+
+    protected AlertTagRuleConfig getAlertTagRule() {
+        return null;
+    }
+
+    private JButton createAddAlertTagButton(AlertTagsTableModel model) {
+        var button = new JButton(Constant.messages.getString("automation.dialog.button.add"));
+        button.addActionListener(
+                e -> {
+                    var dialog = new AddAlertTagDialog(this, model, -1);
+                    dialog.setVisible(true);
+                });
+        return button;
+    }
+
+    private JButton createRemoveAlertTagButton(
+            AlertTagsTableModel model, Supplier<JTable> tableSupplier) {
+        var button = new JButton(Constant.messages.getString("automation.dialog.button.remove"));
+        button.setEnabled(false);
+        button.addActionListener(e -> model.remove(tableSupplier.get().getSelectedRow()));
+        return button;
+    }
+
+    private JTable createAlertTagsTable(
+            AlertTagsTableModel model, List<Pattern> patterns, JButton removeButton) {
+        JTable table = new JTable(model);
+        model.setAlertTagPatterns(new ArrayList<>(patterns));
+        table.getSelectionModel()
+                .addListSelectionListener(
+                        e -> {
+                            boolean singleRowSelected = table.getSelectedRowCount() == 1;
+                            removeButton.setEnabled(singleRowSelected);
+                        });
+        return table;
+    }
 }