The documentation for rulesFilePath:

```properties
# Optional - specifies additional rules outside of what's included in the core
sonar.zaproxy.rulesFilePath=${WORKSPACE}/myrules.xml
```

alongside reportPath, such as it is with the Jenkins WORKSPACE reference, seems to imply that custom rules may be defined in this file at analysis time. Is this the intention?
I am trying to develop my own plugin that can pass new rules in and a report that triggers them at the same time, and this looked like it might do what I want.
Am I missing how this is supposed to work? Do I have the wrong idea or am I doing it wrong? Is there an example I can follow?
For reference, here are the properties and files I am passing with the Jenkins plugin:

```properties
sonar.zaproxy.rulesFilePath=reports/test-rules.xml
sonar.zaproxy.reportPath=reports/test-report.xml
```

test-rules.xml:
```xml
<rules>
  <rule>
    <key>1234567890</key>
    <name>Just some dynamic rule</name>
    <description>
      <![CDATA[<h3>Solution :</h3>
      <p>There is a problem, please fix it.</p>
      <h3>References:</h3>
      <ul>
        <li>No Reference.</li>
      </ul>]]>
    </description>
    <severity>MAJOR</severity>
    <status>READY</status>
    <tag>onetag</tag>
    <tag>anothertag</tag>
  </rule>
</rules>
```
test-report.xml:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<OWASPZAPReport generated="jeu., 7 mai 2015 16:14:12" version="2.4.0">
  <site host="localhost" name="http://localhost:8180" port="8180" ssl="false">
    <alerts>
      <alertitem>
        <pluginid>0</pluginid>
        <alert>Existing test check</alert>
        <riskcode>1</riskcode>
        <confidence>2</confidence>
        <riskdesc>Low (Medium)</riskdesc>
        <desc>A fancy description
        </desc>
        <uri>http://localhost/foobar.txt</uri>
        <param/>
        <attack/>
        <otherinfo>More other info
        </otherinfo>
        <solution>Amazing Solution
        </solution>
        <otherinfo>Some other info
        </otherinfo>
        <reference>Test reference
        </reference>
        <cweid>933</cweid>
        <wascid>14</wascid>
      </alertitem>
      <alertitem>
        <pluginid>1234567890</pluginid>
        <alert>Dynamic rule test check</alert>
        <riskcode>1</riskcode>
        <confidence>2</confidence>
        <riskdesc>Low (Medium)</riskdesc>
        <desc>A fancy description
        </desc>
        <uri>http://localhost/foobar.txt</uri>
        <param/>
        <attack/>
        <otherinfo>More other info
        </otherinfo>
        <solution>Amazing Solution
        </solution>
        <otherinfo>Some other info
        </otherinfo>
        <reference>Test reference
        </reference>
        <cweid>933</cweid>
        <wascid>14</wascid>
      </alertitem>
    </alerts>
  </site>
</OWASPZAPReport>
```
When I run this analysis with SonarQube 6.6, I get this warning about the rule I am trying to create:
```
WARN: The rule ZAProxy:1234567890 doesn't exist.
```
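The warning above means the plugin resolved the report's `<pluginid>` to a rule key that is not present in its rule repository, so the finding is silently dropped rather than imported. A cheap way to catch this before the SonarQube run is to cross-check every `<pluginid>` in the ZAP report against the `<key>` values in the rules file plus the plugin's built-in rule set. The script below is an added example, not code from the issue or from the sonar-zaproxy plugin. It assumes that a custom rule's `<key>` must equal the report's `<pluginid>` (the mapping implied by the `ZAProxy:1234567890` warning), and `CORE_RULE_KEYS` is a constructed stand-in for the plugin's bundled rules, not the real list; the two XML strings are constructed samples modelled on the files quoted in the issue.

```python
"""Cross-check a ZAP XML report against a sonar-zaproxy rules file.

Any <pluginid> that is neither a core rule nor a <rule><key> in the
custom rules file would be reported by the plugin as
"The rule ZAProxy:<id> doesn't exist." and its alerts discarded.
Running this check in CI surfaces the mismatch before the analysis.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

# Constructed sample: a rules file in the shape shown in the issue.
RULES_XML = """<rules>
  <rule>
    <key>1234567890</key>
    <name>Just some dynamic rule</name>
    <severity>MAJOR</severity>
    <status>READY</status>
    <tag>onetag</tag>
  </rule>
</rules>"""

# Constructed sample: a trimmed ZAP report with three alerts.
# Plugin id 0 and 1234567890 mirror the issue; 40012 is ZAP's
# "Cross Site Scripting (Reflected)" scanner id.
REPORT_XML = """<OWASPZAPReport version="2.4.0">
  <site host="localhost" name="http://localhost:8180" port="8180" ssl="false">
    <alerts>
      <alertitem>
        <pluginid>0</pluginid>
        <alert>Existing test check</alert>
        <riskcode>1</riskcode>
      </alertitem>
      <alertitem>
        <pluginid>1234567890</pluginid>
        <alert>Dynamic rule test check</alert>
        <riskcode>1</riskcode>
      </alertitem>
      <alertitem>
        <pluginid>40012</pluginid>
        <alert>Cross Site Scripting (Reflected)</alert>
        <riskcode>3</riskcode>
      </alertitem>
    </alerts>
  </site>
</OWASPZAPReport>"""

# Assumption: stand-in for the rule keys bundled with the plugin. The real
# set lives inside the plugin jar; replace this with the actual core keys.
CORE_RULE_KEYS: set[str] = {"40012"}


def load_rule_keys(rules_xml: str) -> set[str]:
    """Return every <rule><key> value declared in a rules file."""
    root = ET.fromstring(rules_xml)
    return {k.text.strip() for k in root.iterfind("./rule/key") if k.text}


def load_report_plugin_ids(report_xml: str) -> dict[str, list[str]]:
    """Map each <pluginid> in a ZAP report to the alert names it carries."""
    root = ET.fromstring(report_xml)
    seen: dict[str, list[str]] = {}
    for item in root.iterfind("./site/alerts/alertitem"):
        pid = item.findtext("pluginid", "").strip()
        name = item.findtext("alert", "").strip()
        seen.setdefault(pid, []).append(name)
    return seen


def find_unknown_plugin_ids(
    report_xml: str, rules_xml: str, core_keys: set[str]
) -> dict[str, list[str]]:
    """Return the plugin ids (with their alert names) that no rule covers.

    Assumption: a rule is matched when its <key> equals the <pluginid>.
    """
    known = core_keys | load_rule_keys(rules_xml)
    return {
        pid: names
        for pid, names in load_report_plugin_ids(report_xml).items()
        if pid not in known
    }


if __name__ == "__main__":
    missing = find_unknown_plugin_ids(REPORT_XML, RULES_XML, CORE_RULE_KEYS)
    for pid, names in sorted(missing.items()):
        print(f"no rule for ZAProxy:{pid} (alerts: {', '.join(names)})")
```

With the constructed inputs, only `pluginid` 0 is flagged: 1234567890 is covered by the custom rules file and 40012 by the stand-in core set. In a pipeline, point `load_rule_keys` and `load_report_plugin_ids` at the real `sonar.zaproxy.rulesFilePath` and `sonar.zaproxy.reportPath` files and fail the build when the result is non-empty. If the report can come from a source you do not control, parse it with `defusedxml` instead of the standard `xml.etree` module, which does not protect against entity-expansion attacks.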