        public override Task <bool> SummaryRunGenerationally(VulnerabilitySummary summary)
        {
            // Generational hook: the orchestrator keeps calling this on every module until a whole
            // generation passes with every module answering false ("I changed nothing").
            // This base implementation never touches the summary, so it always reports convergence.
            const bool madeChanges = false;
            return Task.FromResult(madeChanges);
        }
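        private async Task <VulnerabilitySummary> SummarizeArtifacts(IList <PluginResult> results)
        {
            // Builds the summary every plugin result contributes to, in two phases:
            //   1. one SummaryRunOnce call per result, started concurrently;
            //   2. generations of SummaryRunGenerationally over all results, repeated until a whole
            //      generation passes in which no result reports a change.
            // Returns the populated summary.
            var summary = new VulnerabilitySummary {
                ResultInstances = results
            };

            // Phase 1: single-execution tasks. NOTE(review): these run concurrently and all receive
            // the same summary instance, so a plugin that mutates shared summary state must expect
            // other plugins to be doing so at the same time.
            Logger.LogInformation("Executing single-run tasks for {0} result objects", results.Count);
            await Task.WhenAll(results.Select(r => r.SummaryRunOnce(summary)));

            Logger.LogInformation("Completed single-run execution against {0} result objects", results.Count);

            // Phase 2: generations. A generation is one sequential pass over all results. The flags
            // are OR-ed together rather than overwritten, so a change made by *any* result keeps the
            // loop going (previously only the last result's answer counted, and an empty result list
            // never converged). No upper bound is enforced: a result that never returns false keeps
            // this loop running.
            var sw = Stopwatch.StartNew();
            var generations = 0;
            bool changesOccurredThisGeneration;

            do
            {
                generations++;
                changesOccurredThisGeneration = false;
                foreach (var g in results)
                {
                    // Every result is still invoked even once a change is known, so each module
                    // sees every generation.
                    var changed = await g.SummaryRunGenerationally(summary);
                    changesOccurredThisGeneration |= changed;
                }
                Logger.LogDebug("Completed summary generation {0} ... Converged? {1}", generations,
                                !changesOccurredThisGeneration);
            } while (changesOccurredThisGeneration);

            sw.Stop();
            Logger.LogInformation("Completed summary report in {0} over {1} generations", sw.Elapsed, generations);
            return(summary);
        }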
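        public override async Task SummaryRunOnce(VulnerabilitySummary summary)
        {
            // Dummy single-run step: exercises the result-artifact save/load round-trip and leaves
            // the summary untouched. Runs once per module, before the generational method.
            if (Duration != null)
            {
                SaveResultArtifact("generations.dat", this);
            }

            // The loaded copy is not used; the call only exercises the loader, so discard it
            // explicitly instead of binding an unused local. NOTE(review): when nothing was saved
            // (Duration == null) this presumably yields null or throws — confirm LoadResultArtifact's
            // contract.
            _ = LoadResultArtifact <DummyPluginResult>("generations.dat");

            await Task.CompletedTask;
        }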
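        public override async Task SummaryRunOnce(VulnerabilitySummary summary)
        {
            // Reads the JSON report written by the OWASP ZAP plugin and turns each alert of the first
            // reported site into a VulnerabilityItem on the shared summary; when another plugin has
            // already added an item with the same fingerprint, this result is attached to it instead.
            var jsonReportPath = Path.Combine(WorkingDirectory, OwaspZapPlugin.JSON_REPORT_FILE);

            if (!File.Exists(jsonReportPath))
            {
                Logger.LogCritical("JSON report from this plugin was not found! Aborting...");
                return;
            }

            ZapJsonReport report;
            using (var sr = new StreamReader(jsonReportPath))
            {
                // Typed deserialization of scanner output (default settings, no TypeNameHandling).
                // Field values such as URLs and descriptions originate from the scanned target, so
                // downstream consumers should treat them as untrusted text.
                report = JsonConvert.DeserializeObject <ZapJsonReport>(await sr.ReadToEndAsync());
            }

            if (report == null)
            {
                Logger.LogCritical("JSON report from this plugin was not valid! Aborting...");
                return;
            }

            // Only the first site is summarised, as before; a report without sites or alerts used
            // to throw from First() / the foreach instead of being reported.
            var site = report.Site?.FirstOrDefault();
            if (site == null || site.Alerts == null)
            {
                Logger.LogWarning("JSON report from this plugin contains no site or alerts; nothing to summarize.");
                return;
            }

            // Score normalisation: risk code times confidence, scaled to 0..100.
            // NOTE(review): 3 and 5 are taken as the maximum risk code and confidence — confirm
            // against the ZAP scale in use.
            const double MaxRiskCode   = 3.0;
            const double MaxConfidence = 5.0;

            // Fields excluded from the item fingerprint so that items reported by different plugins
            // for the same finding compare equal.
            string[] skipFields = { "pluginResults", "extras" };

            foreach (var alert in site.Alerts)
            {
                var item = new VulnerabilityItem
                {
                    PluginResults = new List <PluginResult> {
                        this
                    },
                    PluginPointer       = PluginPointer,
                    PluginRawScore      = alert.RiskCode * alert.Confidence,
                    PluginAdjustedScore = alert.RiskCode * alert.Confidence / (MaxRiskCode * MaxConfidence) * 100,
                    Description         = alert.Desc,
                    Resources           = (alert.Instances?.Select(instance =>
                    {
                        // Re-use an already-registered resource with the same method/URL fingerprint
                        // so correlation across plugins works on the same resource object.
                        var newResource = new HttpResource {
                            Method = instance.Method, Url = instance.Uri
                        };
                        var newFingerprint =
                            newResource.Fingerprint(skippedFields: new[] { "resourceId", "fields", "headers" });
                        // NOTE(review): ContainsFingerprint/Register is a check-then-act on a shared
                        // singleton, and SummaryRunOnce may run concurrently with other plugins.
                        if (ResourceManager.Instance.ContainsFingerprint(newFingerprint))
                        {
                            return(ResourceManager.Instance.GetByFingerprint <HttpResource>(newFingerprint));
                        }

                        ResourceManager.Instance.Register(newResource);
                        return(newResource);
                    }).Cast <Resource>().ToList()) ?? new List <Resource>()
                };

                item.Extras["OWASPZAP"] = new
                {
                    alert.Alert,
                    alert.Confidence,
                    alert.Count,
                    alert.CWEId,
                    alert.Desc,
                    alert.Name,
                    alert.OtherInfo,
                    alert.PluginId,
                    alert.Reference,
                    alert.RiskCode,
                    alert.RiskDesc,
                    alert.Solution,
                    alert.SourceId,
                    alert.WASCId
                };

                // Scan the existing items once for a matching fingerprint (instead of All() followed
                // by FirstOrDefault()). NOTE(review): summary.VulnerabilityItems is shared with the
                // other plugins' concurrently running SummaryRunOnce calls.
                var fingerprint    = item.Fingerprint(skippedFields: skipFields);
                var correlatedItem = summary.VulnerabilityItems.FirstOrDefault(v =>
                                                                               v.Fingerprint(skippedFields: skipFields) == fingerprint);

                if (correlatedItem == null)
                {
                    summary.VulnerabilityItems.Add(item);
                }
                else if (!correlatedItem.PluginResults.Contains(this)) // correlation -- multiple plugins see this
                {
                    correlatedItem.PluginResults.Add(this);
                    correlatedItem.Extras["OWASPZAP"] = item.Extras["OWASPZAP"];
                }
            }

            // TODO: Migrate HTML report into AzDO plugin?
        }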
 public override Task <bool> SummaryRunGenerationally(VulnerabilitySummary summary)
 {
     // This result carries no iterative state, so every generation is already converged:
     // report "no changes" with an already-completed task rather than an async state machine.
     return Task.FromResult(false);
 }