TDEAL-16: ZAP improvements #334

Merged
merged 93 commits into from
Jan 15, 2024
Changes from 14 commits
93 commits
816c476
Update baseline rule exception.
sarahelsaig Dec 26, 2023
3eec5b1
Merge remote-tracking branch 'origin/dev' into issue/TDEAL-16
sarahelsaig Dec 26, 2023
7856594
The baseline scan should visit at least one page that throws an excep…
sarahelsaig Dec 26, 2023
222be47
Disable app log assertion for the duration of the security scan.
sarahelsaig Dec 26, 2023
dfd2c55
Merge remote-tracking branch 'origin/dev' into issue/TDEAL-16
sarahelsaig Dec 26, 2023
6cfb21d
unusing
sarahelsaig Dec 26, 2023
b60dfe0
Expect custom error page.
sarahelsaig Dec 26, 2023
eea23bd
Disable rule 10037.
sarahelsaig Dec 26, 2023
71f189d
Fix disabled rules, shouldn't have been dictionary.
sarahelsaig Dec 27, 2023
e011568
Turn all the collections into private, because we have methods to han…
sarahelsaig Dec 27, 2023
f8219f8
Some YAML extension DRYing.
sarahelsaig Dec 27, 2023
c61a55c
By default ignore /vendor/ or /vendors/ URLs.
sarahelsaig Dec 27, 2023
f6ea9fb
unusing
sarahelsaig Dec 27, 2023
32f03dd
Fix sample.
sarahelsaig Dec 28, 2023
445074d
Why was this rule disabled in the first place? Just enable "OrchardCo…
sarahelsaig Dec 28, 2023
bf117a6
Merge branch 'issue/TDEAL-16' of https://github.com/Lombiq/UI-Testing…
sarahelsaig Dec 28, 2023
1a6ad0c
Update the comment.
sarahelsaig Dec 28, 2023
5dd7647
Update Lombiq.Tests.UI/SecurityScanning/SecurityScanConfiguration.cs
sarahelsaig Dec 28, 2023
2544f98
Remove duplicate method.
sarahelsaig Dec 28, 2023
a97fd47
More documentation.
sarahelsaig Dec 28, 2023
33810db
Explain why disabling "Strict-Transport-Security Header" is necessary.
sarahelsaig Dec 28, 2023
a1e8dad
Remove forced error generation because we are going to enable Orchard…
sarahelsaig Dec 28, 2023
e0c6d65
Tweak app log error handling during security scan.
sarahelsaig Dec 28, 2023
6fa5d43
Disable 10062.
sarahelsaig Dec 29, 2023
5e3ed10
Typo.
sarahelsaig Dec 29, 2023
d1fd50d
Update comment regarding unsafe-inline.
sarahelsaig Dec 29, 2023
af0a663
Change "The response contains Personally Identifiable Information" to…
sarahelsaig Jan 5, 2024
1941430
Merge remote-tracking branch 'origin/dev' into issue/TDEAL-16
sarahelsaig Jan 6, 2024
e581165
Update the CustomZapAutomationFrameworkPlan.
sarahelsaig Jan 6, 2024
faa917b
Add DoWithoutAppLogAssertionAsync
sarahelsaig Jan 7, 2024
212b761
Test a known error page.
sarahelsaig Jan 7, 2024
3145498
Merge branch 'issue/TDEAL-16' of https://github.com/Lombiq/UI-Testing…
sarahelsaig Jan 7, 2024
d939ed0
Simplify job configuration using new extension methods.
sarahelsaig Jan 7, 2024
7653286
Limit the execution duration of activeScan.
sarahelsaig Jan 7, 2024
2149e2f
Permit some error lines in app logs.
sarahelsaig Jan 7, 2024
9026b83
Add AssertAppLogsForSecurityScan.
sarahelsaig Jan 7, 2024
b48b062
Permit another format exception.
sarahelsaig Jan 7, 2024
411d7cd
Much nicer app log error reporting.
sarahelsaig Jan 7, 2024
9f949da
spelling?
sarahelsaig Jan 7, 2024
e38ba5e
unusing
sarahelsaig Jan 7, 2024
fb08f79
Eliminate this arbitrary limitation.
sarahelsaig Jan 7, 2024
85e4b68
Make AssertAppLogsForSecurityScan parametric.
sarahelsaig Jan 7, 2024
218f8b3
Fix code styling.
sarahelsaig Jan 7, 2024
15bd351
Use SafelyDeleteDirectoryIfExists.
sarahelsaig Jan 7, 2024
0d43a1f
Add default value to userName in SignInDirectly.
sarahelsaig Jan 7, 2024
fb5bcdd
Add exception for a parameter key being null.
sarahelsaig Jan 7, 2024
85327ec
check empty userName differently
sarahelsaig Jan 7, 2024
888c0ab
unusing
sarahelsaig Jan 7, 2024
31a58cc
Reorganize the security scanning test into a reusable extension.
sarahelsaig Jan 8, 2024
2b2545d
Update HL NuGet package.
sarahelsaig Jan 8, 2024
059a34f
Update HL NuGet again.
sarahelsaig Jan 8, 2024
b2e8ec2
Make the AssertSecurityScanHasNoAlerts more informative.
sarahelsaig Jan 9, 2024
b225f61
Try to delete the ZAP directory even more safely.
sarahelsaig Jan 9, 2024
3127ba7
Instead of trying to delete the Zap directory use Zap1, Zap2, etc to …
sarahelsaig Jan 10, 2024
106085a
Throw on failure.
sarahelsaig Jan 10, 2024
11a538f
nuget
sarahelsaig Jan 10, 2024
8c12e5e
Additional documentation.
sarahelsaig Jan 12, 2024
07efb93
Documentation cross-linking.
sarahelsaig Jan 12, 2024
a137be5
Include the PII disclosure issue URL.
sarahelsaig Jan 12, 2024
cca1aa5
Rename maxScanDurationInMinutes to maxActiveScanDurationInMinutes.
sarahelsaig Jan 12, 2024
050812e
Rename extension method and mention it in the samples.
sarahelsaig Jan 12, 2024
a9a4083
Update Lombiq.Tests.UI/SecurityScanning/SecurityScanConfiguration.cs
sarahelsaig Jan 12, 2024
43a782d
Make error page scanning optional.
sarahelsaig Jan 12, 2024
e94c005
Use STJ.
sarahelsaig Jan 12, 2024
1b71ab7
Update Lombiq.Tests.UI/Services/OrchardCoreUITestExecutorConfiguratio…
sarahelsaig Jan 12, 2024
9ca337f
More info on build-and-test-orchard-core.
sarahelsaig Jan 12, 2024
573ff8a
Merge branch 'issue/TDEAL-16' of https://github.com/Lombiq/UI-Testing…
sarahelsaig Jan 12, 2024
d85b200
Update workflow name convention.
sarahelsaig Jan 12, 2024
3e631a2
Code styling.
sarahelsaig Jan 12, 2024
50817fb
Add missing using.
sarahelsaig Jan 12, 2024
0c2bbcf
Use configuration to initialize the start URL.
sarahelsaig Jan 12, 2024
1d07bc8
Update HL nuget.
sarahelsaig Jan 12, 2024
7328baa
Add ShouldBeEmptyWhen extension method.
sarahelsaig Jan 13, 2024
ab5cd44
Refactor AddDisableRuleFilter.
sarahelsaig Jan 13, 2024
4b1b773
False positives should contain both the name and justification.
sarahelsaig Jan 13, 2024
2461d21
Add optional jsonSerializerOptions.
sarahelsaig Jan 13, 2024
573eacc
Update Lombiq.Tests.UI/SecurityScanning/SecurityScanConfiguration.cs
sarahelsaig Jan 13, 2024
3f1a389
Update SecurityScanWithCustomConfigurationShouldPass and its comments.
sarahelsaig Jan 13, 2024
fdb704c
Fix missing default parameter.
sarahelsaig Jan 13, 2024
16c5ca7
Fix docstrings.
sarahelsaig Jan 13, 2024
5151a15
Restore sample assertion and update expected count.
sarahelsaig Jan 13, 2024
b9d398e
Add extension method and use security scan forgiving app assertion in…
sarahelsaig Jan 13, 2024
0640fb2
Instead of suppressing logs, just suppress the error page's exception…
sarahelsaig Jan 13, 2024
dc737f6
Add GetAbsoluteUrlOfAction.
sarahelsaig Jan 13, 2024
2784993
Use requestor instead of second scan.
sarahelsaig Jan 13, 2024
35fb6e8
Update Lombiq.Tests.UI/SecurityScanning/SecurityScanConfiguration.cs
sarahelsaig Jan 13, 2024
74bae9c
Code formatting and organization.
sarahelsaig Jan 13, 2024
7397bb9
Update Lombiq.Tests.UI/SecurityScanning/SecurityScanningUITestContext…
sarahelsaig Jan 14, 2024
9852ab3
Various doc fixes.
sarahelsaig Jan 14, 2024
4bb9d42
unusing
sarahelsaig Jan 14, 2024
1fd80a3
Additional instructions.
sarahelsaig Jan 15, 2024
c6c1035
Remove this thing whatever it is.
sarahelsaig Jan 15, 2024
ffc674a
Make it a range.
sarahelsaig Jan 15, 2024
2 changes: 1 addition & 1 deletion Lombiq.Tests.UI.Samples/Tests/SecurityScanningTests.cs
Expand Up @@ -65,7 +65,7 @@ public Task SecurityScanWithCustomConfigurationShouldPass() =>
configuration => configuration
////.UseAjaxSpider() // This is quite slow so just showing you here but not running it.
.ExcludeUrlWithRegex(".*blog.*")
.DisablePassiveScanRule(10037, "Server Leaks Information via \"X-Powered-By\" HTTP Response Header Field(s)")
.DisablePassiveScanRule(10020, "The response does not include either Content-Security-Policy with 'frame-ancestors' directive.")
.DisableScanRuleForUrlWithRegex(".*/about", 10038, "Content Security Policy (CSP) Header Not Set")
.SignIn(),
sarifLog => sarifLog.Runs[0].Results.Count.ShouldBeLessThan(34)));
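Review bot: the name passed for rule 10020 is an incomplete alert description rather than a rule name: "The response does not include either Content-Security-Policy with 'frame-ancestors' directive." has an "either" with only one alternative (the other half of that sentence is the X-Frame-Options header). The two neighbouring calls pass rule names ("Server Leaks Information via ...", "Content Security Policy (CSP) Header Not Set"), so either use the rule name for 10020 as well or complete the sentence. The sample also now silences the anti-clickjacking check for the whole scan without a comment saying why, while the call it replaced (10037) is disabled in the shared plan YAML instead; a one-line reason next to the call would stop readers from copying it into their own configuration blindly.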
Expand Up @@ -45,6 +45,15 @@ jobs:
- id: 10035
name: "Strict-Transport-Security Header"
threshold: "off"
# Some stock Orchard Core shapes and pages (including the setup page) contain inline script blocks, so this directive
# must be permitted for OC to work at all.
- id: 10055
name: "script-src includes unsafe-inline"
threshold: "off"
# This is a low-risk alert, enforcing it is undesirable for branding.
- id: 10037
name: "Server Leaks Information via 'X-Powered-By' HTTP Response Header Field(s)"
threshold: "off"
name: "passiveScan-config"
type: "passiveScan-config"
- parameters: {}
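Review bot: the comment above rule 10055 explains why the alert fires but not what is being accepted. With 'unsafe-inline' in script-src the CSP no longer blocks injected inline scripts, so this is an accepted gap in XSS mitigation, not a false positive; saying so in the comment (e.g. "accepted: stock Orchard Core shapes ship inline scripts, so CSP cannot block inline script injection on those pages") tells a project that has replaced the stock shapes with nonce-based ones that it should re-enable the rule. Note also that threshold "off" disables the rule for every URL in the scan, not just the setup page; if only a known set of pages carries inline scripts, an alertFilter scoped by URL (the mechanism AddAlertFilter in SecurityScanConfiguration emits) keeps the rule active everywhere else.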
Expand Up @@ -45,6 +45,15 @@ jobs:
- id: 10035
name: "Strict-Transport-Security Header"
threshold: "off"
# Some stock Orchard Core shapes and pages (including the setup page) contain inline script blocks, so this directive
# must be permitted for OC to work at all.
- id: 10055
name: "script-src includes unsafe-inline"
threshold: "off"
# This is a low-risk alert, enforcing it is undesirable for branding.
- id: 10037
name: "Server Leaks Information via 'X-Powered-By' HTTP Response Header Field(s)"
threshold: "off"
name: "passiveScan-config"
type: "passiveScan-config"
- parameters: {}
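Review bot: "This is a low-risk alert, enforcing it is undesirable for branding." does not say what the X-Powered-By header discloses or why keeping it is worth the trade. The alert is about server fingerprinting (the header tells a scanner which framework is behind the app); if the header is kept on purpose, the comment should state that the disclosure is accepted knowingly, e.g. "accepted: X-Powered-By is kept deliberately for branding; the framework in use is not treated as secret". A reader who sees only "branding" may reasonably ask why the plan disables the rule instead of the app dropping one response header.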
Expand Up @@ -45,6 +45,15 @@ jobs:
- id: 10035
name: "Strict-Transport-Security Header"
threshold: "off"
# Some stock Orchard Core shapes and pages (including the setup page) contain inline script blocks, so this directive
# must be permitted for OC to work at all.
- id: 10055
name: "script-src includes unsafe-inline"
threshold: "off"
# This is a low-risk alert, enforcing it is undesirable for branding.
- id: 10037
name: "Server Leaks Information via 'X-Powered-By' HTTP Response Header Field(s)"
threshold: "off"
name: "passiveScan-config"
type: "passiveScan-config"
- parameters:
Expand Up @@ -45,6 +45,15 @@ jobs:
- id: 10035
name: "Strict-Transport-Security Header"
threshold: "off"
# Some stock Orchard Core shapes and pages (including the setup page) contain inline script blocks, so this directive
# must be permitted for OC to work at all.
- id: 10055
name: "script-src includes unsafe-inline"
threshold: "off"
# This is a low-risk alert, enforcing it is undesirable for branding.
- id: 10037
name: "Server Leaks Information via 'X-Powered-By' HTTP Response Header Field(s)"
threshold: "off"
name: "passiveScan-config"
type: "passiveScan-config"
- parameters: {}
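Review bot: these nine lines (two comments and the 10055 and 10037 rule entries) now appear verbatim in four plan files, so when a justification changes or a rule is re-enabled the other copies will drift. Consider keeping the passiveScan-config rule list in one base plan the others derive from, or generating the entries from a single list in code the way SecurityScanConfiguration emits DisablePassiveScanRule into the plan. If the four files must stay separate, a comment naming the sibling files at least makes the duplication deliberate.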
72 changes: 48 additions & 24 deletions Lombiq.Tests.UI/SecurityScanning/SecurityScanConfiguration.cs
Expand Up @@ -5,7 +5,6 @@
using Lombiq.Tests.UI.Shortcuts.Controllers;
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using YamlDotNet.RepresentationModel;

Expand All @@ -23,17 +22,18 @@ namespace Lombiq.Tests.UI.SecurityScanning;
/// </remarks>
public class SecurityScanConfiguration
{
private readonly List<Uri> _additionalUris = new();
private readonly List<string> _excludedUrlRegexPatterns = new();
private readonly List<ScanRule> _disabledActiveScanRules = new();
private readonly Dictionary<ScanRule, (ScanRuleThreshold Threshold, ScanRuleStrength Strength)> _configuredActiveScanRules = new();
private readonly List<ScanRule> _disabledPassiveScanRules = new();
private readonly List<(string Url, int Id, string RuleName)> _disabledRulesForUrls = new();
private readonly List<(string Url, int Id, string Justification)> _falsePositives = new();
private readonly List<Func<YamlDocument, Task>> _zapPlanModifiers = new();

public Uri StartUri { get; private set; }
public IList<Uri> AdditionalUris { get; } = new List<Uri>();
public bool AjaxSpiderIsUsed { get; private set; }
public string SignInUserName { get; private set; }
public IList<string> ExcludedUrlRegexPatterns { get; } = new List<string>();
public IList<ScanRule> DisabledActiveScanRules { get; } = new List<ScanRule>();
public IDictionary<ScanRule, (ScanRuleThreshold Threshold, ScanRuleStrength Strength)> ConfiguredActiveScanRules { get; } =
new Dictionary<ScanRule, (ScanRuleThreshold, ScanRuleStrength)>();
public IList<ScanRule> DisabledPassiveScanRules { get; } = new List<ScanRule>();
public IDictionary<string, ScanRule> DisabledRulesForUrls { get; } = new Dictionary<string, ScanRule>();
public IList<Func<YamlDocument, Task>> ZapPlanModifiers { get; } = new List<Func<YamlDocument, Task>>();

internal SecurityScanConfiguration()
{
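Review bot: making AdditionalUris, ExcludedUrlRegexPatterns, DisabledActiveScanRules, ConfiguredActiveScanRules, DisabledPassiveScanRules, DisabledRulesForUrls and ZapPlanModifiers private removes seven public members from a public class, which is a breaking change for any consumer that inspected them (for instance a test asserting on the configured rules). Either call that out in the release notes or expose read-only views (`IReadOnlyList<Uri>` and so on) so callers can still observe the configuration without mutating it. Separately, `_disabledRulesForUrls` changing from `Dictionary<string, ScanRule>` to `List<(string Url, int Id, string RuleName)>` is a behaviour change that deserves a sentence in the doc comment of DisableScanRuleForUrlWithRegex: previously a second rule registered for the same regex overwrote the first, now both are kept.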
Expand All @@ -56,7 +56,7 @@ public SecurityScanConfiguration StartAtUri(Uri startUri)
/// <param name="additionalUri">The <see cref="Uri"/> under the app to also cover during the scan.</param>
public SecurityScanConfiguration AddAdditionalUri(Uri additionalUri)
{
AdditionalUris.Add(additionalUri);
_additionalUris.Add(additionalUri);
return this;
}

Expand Down Expand Up @@ -90,7 +90,7 @@ public SecurityScanConfiguration SignIn(string userName = DefaultUser.UserName)
/// </param>
public SecurityScanConfiguration ExcludeUrlWithRegex(string excludedUrlRegex)
{
ExcludedUrlRegexPatterns.Add(excludedUrlRegex);
_excludedUrlRegexPatterns.Add(excludedUrlRegex);
return this;
}

Expand All @@ -105,7 +105,7 @@ public SecurityScanConfiguration ExcludeUrlWithRegex(string excludedUrlRegex)
/// </param>
public SecurityScanConfiguration DisableActiveScanRule(int id, string name = "")
{
DisabledActiveScanRules.Add(new ScanRule(id, name));
_disabledActiveScanRules.Add(new ScanRule(id, name));
return this;
}

Expand All @@ -127,7 +127,7 @@ public SecurityScanConfiguration DisableActiveScanRule(int id, string name = "")
/// </param>
public SecurityScanConfiguration ConfigureActiveScanRule(int id, ScanRuleThreshold threshold, ScanRuleStrength strength, string name = "")
{
ConfiguredActiveScanRules.Add(new ScanRule(id, name), (threshold, strength));
_configuredActiveScanRules.Add(new ScanRule(id, name), (threshold, strength));
return this;
}

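Review bot: `_configuredActiveScanRules.Add(new ScanRule(id, name), (threshold, strength));` throws ArgumentException when the same ScanRule key is configured twice, while DisableScanRuleForUrlWithRegex in this same change now appends duplicates silently; pick one behaviour for the fluent API. If "last configuration wins" is the intent, use the indexer (`_configuredActiveScanRules[new ScanRule(id, name)] = (threshold, strength);`); if a duplicate is an error, document it with an `<exception>` tag. Whether two ScanRule instances with the same Id but different Name collide depends on ScanRule overriding Equals and GetHashCode, which this diff does not show.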
Expand All @@ -142,7 +142,7 @@ public SecurityScanConfiguration ConfigureActiveScanRule(int id, ScanRuleThresho
/// </param>
public SecurityScanConfiguration DisablePassiveScanRule(int id, string name = "")
{
DisabledPassiveScanRules.Add(new ScanRule(id, name));
_disabledPassiveScanRules.Add(new ScanRule(id, name));
return this;
}

Expand All @@ -161,7 +161,30 @@ public SecurityScanConfiguration DisablePassiveScanRule(int id, string name = ""
/// </param>
public SecurityScanConfiguration DisableScanRuleForUrlWithRegex(string urlRegex, int ruleId, string ruleName = "")
{
DisabledRulesForUrls[urlRegex] = new ScanRule(ruleId, ruleName);
_disabledRulesForUrls.Add((urlRegex, ruleId, ruleName));
return this;
}

/// <summary>
/// Marks a rule (can be any rule, including e.g. both active or passive scan rules) for just URLs matching the
/// given regular expression pattern.
/// </summary>
/// <param name="urlRegex">
/// The regex pattern to match URLs against. It will be matched against the whole absolute URL, e.g., ".*blog.*"
/// will match https://example.com/blog, https://example.com/blog/my-post, etc.
/// </param>
/// <param name="ruleId">The ID of the rule. In the scan report, this is usually displayed as "Plugin Id".</param>
/// <param name="justification">
/// A human-readable explanation of why the alert is false positive.
/// </param>
public SecurityScanConfiguration MarkScanRuleAsFalsePositiveForUrlWithRegex(string urlRegex, int ruleId, string justification)
{
if (string.IsNullOrWhiteSpace(justification))
{
throw new InvalidOperationException("Please provide a justification for disabling this alert!");
}

_falsePositives.Add((urlRegex, ruleId, justification));
return this;
}

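Review bot: the summary on MarkScanRuleAsFalsePositiveForUrlWithRegex drops its object: "Marks a rule (can be any rule, ...) for just URLs matching" should read "Marks a rule as a false positive for just URLs matching ...". Two smaller points in the same method: a missing argument is an argument error, so `ArgumentException` with `nameof(justification)` fits better than InvalidOperationException, and the message "Please provide a justification for disabling this alert!" should say "marking this alert as a false positive", because the method does not disable the rule. Requiring a non-blank justification is the right call; it is the only thing that will explain the suppression to whoever reads the report later.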
Expand All @@ -176,7 +199,7 @@ public SecurityScanConfiguration DisableScanRuleForUrlWithRegex(string urlRegex,
/// </param>
public SecurityScanConfiguration ModifyZapPlan(Func<YamlDocument, Task> modifyPlan)
{
ZapPlanModifiers.Add(modifyPlan);
_zapPlanModifiers.Add(modifyPlan);
return this;
}

Expand All @@ -191,7 +214,7 @@ public SecurityScanConfiguration ModifyZapPlan(Func<YamlDocument, Task> modifyPl
/// </param>
public SecurityScanConfiguration ModifyZapPlan(Action<YamlDocument> modifyPlan)
{
ZapPlanModifiers.Add(yamlDocument =>
_zapPlanModifiers.Add(yamlDocument =>
{
modifyPlan(yamlDocument);
return Task.CompletedTask;
Expand All @@ -204,7 +227,7 @@ internal async Task ApplyToPlanAsync(YamlDocument yamlDocument, UITestContext co
{
yamlDocument.SetStartUrl(StartUri);

foreach (var uri in AdditionalUris) yamlDocument.AddUrl(uri);
foreach (var uri in _additionalUris) yamlDocument.AddUrl(uri);

if (AjaxSpiderIsUsed) yamlDocument.AddSpiderAjaxAfterSpider();

Expand Down Expand Up @@ -234,10 +257,10 @@ internal async Task ApplyToPlanAsync(YamlDocument yamlDocument, UITestContext co
// pollPostData: ""
}

yamlDocument.AddExcludePathsRegex(ExcludedUrlRegexPatterns.ToArray());
foreach (var rule in DisabledActiveScanRules) yamlDocument.DisableActiveScanRule(rule.Id, rule.Name);
yamlDocument.AddExcludePathsRegex(_excludedUrlRegexPatterns.ToArray());
foreach (var rule in _disabledActiveScanRules) yamlDocument.DisableActiveScanRule(rule.Id, rule.Name);

foreach (var ruleConfiguration in ConfiguredActiveScanRules)
foreach (var ruleConfiguration in _configuredActiveScanRules)
{
yamlDocument.ConfigureActiveScanRule(
ruleConfiguration.Key.Id,
Expand All @@ -246,9 +269,10 @@ internal async Task ApplyToPlanAsync(YamlDocument yamlDocument, UITestContext co
ruleConfiguration.Key.Name);
}

foreach (var rule in DisabledPassiveScanRules) yamlDocument.DisablePassiveScanRule(rule.Id, rule.Name);
foreach (var urlToRule in DisabledRulesForUrls) yamlDocument.AddAlertFilter(urlToRule.Key, urlToRule.Value.Id, urlToRule.Value.Name);
foreach (var modifier in ZapPlanModifiers) await modifier(yamlDocument);
foreach (var rule in _disabledPassiveScanRules) yamlDocument.DisablePassiveScanRule(rule.Id, rule.Name);
foreach (var (url, id, name) in _disabledRulesForUrls) yamlDocument.AddAlertFilter(url, id, name);
foreach (var (url, id, justification) in _falsePositives) yamlDocument.AddAlertFilter(url, id, justification, isFalsePositive: true);
foreach (var modifier in _zapPlanModifiers) await modifier(yamlDocument);
}

public class ScanRule
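Review bot: `yamlDocument.AddAlertFilter(url, id, name);` and `yamlDocument.AddAlertFilter(url, id, justification, isFalsePositive: true);` pass a rule name in one call and free-text justification in the other through the same positional parameter of AddAlertFilter. If that parameter is written into the plan as the rule name, the false-positive entries carry a justification where a name is expected; if it is written as a description, the disabled-rule entries lose theirs. The commit "False positives should contain both the name and justification" suggests the filter should receive both, so giving AddAlertFilter separate `ruleName` and `justification` parameters and naming them at both call sites would make the intent unambiguous.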
@@ -1,6 +1,8 @@
using Lombiq.HelpfulLibraries.OrchardCore.Mvc;
using Lombiq.Tests.UI.Exceptions;
using Lombiq.Tests.UI.Extensions;
using Lombiq.Tests.UI.Services;
using Lombiq.Tests.UI.Shortcuts.Controllers;
using Microsoft.CodeAnalysis.Sarif;
using System;
using System.Threading.Tasks;
Expand All @@ -25,7 +27,14 @@ public static Task RunAndAssertBaselineSecurityScanAsync(
Action<SarifLog> assertSecurityScanResult = null) =>
context.RunAndAssertSecurityScanAsync(
AutomationFrameworkPlanPaths.BaselinePlanPath,
configure,
configuration =>
{
// Make sure to visit at least one page that throws an exception.
var errorPageRelativeUrl = context.GetRelativeUrlOfAction<ErrorController>(error => error.Index());
configuration.ModifyZapPlan(plan => plan.AddUrl(context.GetAbsoluteUri(errorPageRelativeUrl)));

configure?.Invoke(configuration);
},
assertSecurityScanResult);

/// <summary>
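Review bot: adding the ErrorController page to every baseline scan unconditionally means each scan now deliberately triggers a server-side exception, and since the app-log assertion is disabled for the duration of the scan in the next hunk, a genuine exception provoked by the scanner becomes indistinguishable in the logs from the intended one. Make the error-page visit opt-in (the later commit in this PR, "Make error page scanning optional", goes that way) or, if it stays on by default, assert that the exception recorded is the expected one rather than silencing the logs wholesale.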
Expand Down Expand Up @@ -107,6 +116,11 @@ public static async Task RunAndAssertSecurityScanAsync(
Action<SecurityScanConfiguration> configure = null,
Action<SarifLog> assertSecurityScanResult = null)
{
// Verify that the app logs are fine right now, then disable app log assertion for the duration of this scan.
await context.Configuration.AssertAppLogsAsync(context.Application);
var assertAppLogsAsync = context.Configuration.AssertAppLogsAsync;
context.Configuration.AssertAppLogsAsync = _ => Task.CompletedTask;

var configuration = context.Configuration.SecurityScanningConfiguration;

SecurityScanResult result = null;
Expand All @@ -124,6 +138,10 @@ public static async Task RunAndAssertSecurityScanAsync(
if (result != null) context.AppendDirectoryToFailureDump(result.ReportsDirectoryPath);
throw new SecurityScanningAssertionException(ex);
}

// Clear app logs before app log assertion is restored.
context.ClearLogs();
context.Configuration.AssertAppLogsAsync = assertAppLogsAsync;
}

/// <summary>
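Review bot: the restore `context.Configuration.AssertAppLogsAsync = assertAppLogsAsync;` is not in a `finally`, so when the catch block above rethrows as SecurityScanningAssertionException the app-log assertion stays disabled and the logs are never cleared for anything that runs afterwards; wrap the scan in `try { ... } finally { context.ClearLogs(); context.Configuration.AssertAppLogsAsync = assertAppLogsAsync; }`. The larger concern is `context.ClearLogs()` itself: it discards every error the app logged during the active scan, including ones that point at a real defect (an unhandled exception the scanner managed to provoke), not just the expected noise from the error page. A filtered assertion that permits known lines and fails on anything else keeps that signal; the later commits "Permit some error lines in app logs" and "Add AssertAppLogsForSecurityScan" point in that direction.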
Expand All @@ -147,6 +165,10 @@ public static Task<SecurityScanResult> RunSecurityScanAsync(

configuration.StartAtUri(context.GetCurrentUri());

// By default ignore /vendor/ or /vendors/ URLs. This is case-insensitive. We have no control over them, and
// they may contain several false positives (e.g. in font-awesome)..
configuration.ExcludeUrlWithRegex(@".*/vendors?/.*");

if (context.Configuration.SecurityScanningConfiguration.ZapAutomationFrameworkPlanModifier != null)
{
configuration.ModifyZapPlan(async plan =>
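Review bot: the comment says the exclusion "is case-insensitive", but the pattern `.*/vendors?/.*` carries no `(?i)` flag, so that holds only if ZAP compiles excludePaths case-insensitively; either put `(?i)` in the pattern or reword the comment so the guarantee does not rest on ZAP internals. The comment should also acknowledge the cost of the exclusion: skipping everything under /vendor/ and /vendors/ hides findings about the third-party libraries served from there (a known-vulnerable script version, for example), which is precisely what "we have no control over them" glosses over. And because the exclusion is appended unconditionally, a project that wants its vendor folder scanned cannot opt out short of editing the generated plan; a configuration flag would be cheap. Minor: the comment ends with "..)".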