json-parser-zap: unfold instances of each alert

... so that we can match each instance separately

Fixes: #90
Closes: #94

Author: kdudka

src/lib/parser-json-zap.cc

@@ -21,16 +21,22 @@
 
 struct ZapTreeDecoder::Private {
     std::string                     timeStamp;
-    Defect                          defPrototype = Defect("OWASP_ZAP_WARNING");
+    Defect                          sitePrototype;
+    Defect                          alertPrototype;
     const pt::ptree                *alertList = nullptr;
+    const pt::ptree                *instList = nullptr;
     pt::ptree::const_iterator       alertIter;
+    pt::ptree::const_iterator       instIter;
 
     Private()
     {
-        this->defPrototype.tool = "owasp-zap";
+        this->sitePrototype.checker = "OWASP_ZAP_WARNING";
+        this->sitePrototype.tool    = "owasp-zap";
     }
 
-    void readAlert(Defect *pDef, const pt::ptree &alertNode);
+    void readSiteProto(const pt::ptree &siteNode);
+    void readAlertProto(const pt::ptree &alertNode);
+    void readAlertInst(Defect *pDef, const pt::ptree &instNode);
 };
 
 template <typename TPropList>
@@ -51,33 +57,35 @@ void readNonEmptyProps(
     }
 }
 
-void ZapTreeDecoder::Private::readAlert(Defect *pDef, const pt::ptree &alertNode)
+void ZapTreeDecoder::Private::readSiteProto(const pt::ptree &siteNode)
 {
-    // read per-defect properties
-    *pDef = this->defPrototype;
-    pDef->cwe = valueOf<int>(alertNode, "cweid");
-    pDef->imp = (1 < valueOf<int>(alertNode, "riskcode"));
-
-    // get "uri" for the key event
-    std::string uri;
-    const pt::ptree *instList = nullptr;
-    if (findChildOf(&instList, alertNode, "instances")) {
-        for (const auto &item : *instList) {
-            uri = valueOf<std::string>(item.second, "uri");
-            if (!uri.empty())
-                // found!
-                break;
-        }
-    }
+    this->sitePrototype.events.clear();
+    const auto siteName = valueOf<std::string>(siteNode, "@name");
+    if (siteName.empty() || this->timeStamp.empty())
+        return;
 
-    TEvtList &events = pDef->events;
-    if (uri.empty() && !events.empty())
-        // fallback to "uri" from the prototype event
-        uri = events.front().fileName;
+    // create a prototype "note" event
+    DefEvent siteEvt("note");
+    siteEvt.fileName = std::move(siteName);
+    siteEvt.msg = "dynamically analyzed on " + this->timeStamp;
+    siteEvt.verbosityLevel = /* info event */ 1;
+    this->sitePrototype.events.push_back(std::move(siteEvt));
+}
+
+void ZapTreeDecoder::Private::readAlertProto(const pt::ptree &alertNode)
+{
+    // read per-alert properties
+    this->alertPrototype = this->sitePrototype;
+    this->alertPrototype.cwe = valueOf<int>(alertNode, "cweid");
+    this->alertPrototype.imp = (1 < valueOf<int>(alertNode, "riskcode"));
 
     // initialize key event
     DefEvent evt("alert");
-    evt.fileName = uri;
+
+    // get "uri" from the prototype event
+    TEvtList &events = this->alertPrototype.events;
+    if (!events.empty())
+        evt.fileName = events.front().fileName;
 
     // read "alertRef" if available
     const auto alertRef = valueOf<std::string>(alertNode, "alertRef");
@@ -88,29 +96,36 @@ void ZapTreeDecoder::Private::readAlert(Defect *pDef, const pt::ptree &alertNode
     evt.msg = valueOf<std::string>(alertNode, "alert");
 
     // append the key event
-    pDef->keyEventIdx = events.size();
+    this->alertPrototype.keyEventIdx = events.size();
     events.push_back(evt);
 
     // read other per-alert events if available
     evt.verbosityLevel = /* info event */ 1;
     const auto defProps = { "desc", "solution", "otherinfo", "reference" };
     readNonEmptyProps(&events, alertNode, evt, defProps);
+}
 
-    if (!instList)
-        // no instances to go through
-        return;
+void ZapTreeDecoder::Private::readAlertInst(
+        Defect                      *pDef,
+        const pt::ptree             &instNode)
+{
+    // start with the prototype initialized by readAlertProto()
+    *pDef = this->alertPrototype;
+    TEvtList &events = pDef->events;
+
+    // reinitialize events with "uri" specific for this instance (if available)
+    const std::string uri = valueOf<std::string>(instNode, "uri");
+    if (!uri.empty())
+        for (DefEvent &evt : events)
+            evt.fileName = uri;
+
+    // use the key event as a prototype for instance-specific events
+    DefEvent evtProto = events[pDef->keyEventIdx];
+    evtProto.verbosityLevel = /* info event */ 1;
 
     // read per-instance properties
     const auto instProps = { "method", "param", "attack", "evidence" };
-    for (const auto &item : *instList) {
-        const pt::ptree &instNode = item.second;
-        evt.fileName = valueOf<std::string>(instNode, "uri");
-        if (evt.fileName.empty())
-            // no "uri" for this instance
-            continue;
-
-        readNonEmptyProps(&events, instNode, evt, instProps);
-    }
+    readNonEmptyProps(&events, instNode, evtProto, instProps);
 }
 
 ZapTreeDecoder::ZapTreeDecoder():
@@ -131,14 +146,14 @@ void ZapTreeDecoder::readScanProps(
     d->timeStamp = valueOf<std::string>(*root, "@generated");
 }
 
-bool ZapTreeDecoder::readNode(Defect *pDef)
+const pt::ptree* ZapTreeDecoder::nextAlert()
 {
     // iterate over sites unless we are processing a site already
     while (!d->alertList || d->alertList->end() == d->alertIter) {
         const pt::ptree *siteNode = this->nextNode();
         if (!siteNode)
             // failed initialization or EOF
-            return false;
+            return nullptr;
 
         if (!findChildOf(&d->alertList, *siteNode, "alerts")) {
             // "alerts" node missing for this site
@@ -148,29 +163,48 @@ bool ZapTreeDecoder::readNode(Defect *pDef)
 
         // initialize iteration over alerts
         d->alertIter = d->alertList->begin();
+        d->instList = nullptr;
 
-        if (d->alertList->end() != d->alertIter) {
-            // site with alerts found -> update defect prototype based on site
-            d->defPrototype.events.clear();
-            const auto siteName = valueOf<std::string>(*siteNode, "@name");
-            if (!siteName.empty() && !d->timeStamp.empty()) {
-                // create a prototype "note" event
-                DefEvent siteEvt("note");
-                siteEvt.fileName = std::move(siteName);
-                siteEvt.msg = "dynamically analyzed on " + d->timeStamp;
-                siteEvt.verbosityLevel = /* info event */ 1;
-                d->defPrototype.events.push_back(std::move(siteEvt));
-            }
-
-            break;
-        }
+        if (!d->alertList->empty())
+            // site with alerts found --> update site prototype
+            d->readSiteProto(*siteNode);
     }
 
     // get the current alert and move to the next one
-    const auto itNow = d->alertIter++;
+    const auto itAlertNow = d->alertIter++;
+    return &itAlertNow->second;
+}
+
+bool ZapTreeDecoder::readNode(Defect *pDef)
+{
+    if (!d->instList || d->instList->end() == d->instIter) {
+        // iterate over alerts
+        const pt::ptree *alertNode = this->nextAlert();
+        if (!alertNode)
+            // failed initialization or EOF
+            return false;
+
+        // process the current alert
+        d->readAlertProto(*alertNode);
+
+        // read the list of instances
+        if (!findChildOf(&d->instList, *alertNode, "instances")
+                || d->instList->empty())
+        {
+            // no instances for this alert --> emit the prototype
+            d->instList = nullptr;
+            *pDef = d->alertPrototype;
+            return true;
+        }
+
+        // initialize iteration over instances
+        d->instIter = d->instList->begin();
+    }
 
-    // process the current alert
-    d->readAlert(pDef, itNow->second);
+    // get the current instance and move to the next one
+    const auto itInstNow = d->instIter++;
 
+    // process the current instance
+    d->readAlertInst(pDef, itInstNow->second);
     return true;
 }

src/lib/parser-json-zap.hh

@@ -38,6 +38,7 @@ class ZapTreeDecoder: public AbstractTreeDecoder {
     private:
         struct Private;
         std::unique_ptr<Private> d;
+        const pt::ptree* nextAlert();
 };
 
 #endif /* H_GUARD_PARSER_JSON_ZAP_H */

tests/csgrep/0103-json-parser-zap-stdout.txt

@@ -10,7 +10,7 @@
             "key_event_idx": 1,
             "events": [
                 {
-                    "file_name": "http://rhos-fedora-devel.usersys.redhat.com:5000",
+                    "file_name": "http://rhos-fedora-devel.usersys.redhat.com:5000/pets/id/pet_id",
                     "line": 0,
                     "event": "note",
                     "message": "dynamically analyzed on Tue, 9 Aug 2022 14:38:31",
@@ -60,7 +60,7 @@
             "key_event_idx": 1,
             "events": [
                 {
-                    "file_name": "http://rhos-fedora-devel.usersys.redhat.com:5000",
+                    "file_name": "http://rhos-fedora-devel.usersys.redhat.com:5000/pets/id/pet_id",
                     "line": 0,
                     "event": "note",
                     "message": "dynamically analyzed on Tue, 9 Aug 2022 14:38:31",
@@ -110,7 +110,7 @@
             "key_event_idx": 1,
             "events": [
                 {
-                    "file_name": "http://rhos-fedora-devel.usersys.redhat.com:5000",
+                    "file_name": "http://rhos-fedora-devel.usersys.redhat.com:5000/docs/openapi.json",
                     "line": 0,
                     "event": "note",
                     "message": "dynamically analyzed on Tue, 9 Aug 2022 14:38:31",
@@ -164,6 +164,56 @@
                     "event": "param",
                     "message": "X-Content-Type-Options",
                     "verbosity_level": 1
+                }
+            ]
+        },
+        {
+            "checker": "OWASP_ZAP_WARNING",
+            "cwe": 693,
+            "tool": "owasp-zap",
+            "key_event_idx": 1,
+            "events": [
+                {
+                    "file_name": "http://rhos-fedora-devel.usersys.redhat.com:5000/pets/",
+                    "line": 0,
+                    "event": "note",
+                    "message": "dynamically analyzed on Tue, 9 Aug 2022 14:38:31",
+                    "verbosity_level": 1
+                },
+                {
+                    "file_name": "http://rhos-fedora-devel.usersys.redhat.com:5000/pets/",
+                    "line": 0,
+                    "event": "alert[10021]",
+                    "message": "X-Content-Type-Options Header Missing",
+                    "verbosity_level": 0
+                },
+                {
+                    "file_name": "http://rhos-fedora-devel.usersys.redhat.com:5000/pets/",
+                    "line": 0,
+                    "event": "desc",
+                    "message": "<p>The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.</p>",
+                    "verbosity_level": 1
+                },
+                {
+                    "file_name": "http://rhos-fedora-devel.usersys.redhat.com:5000/pets/",
+                    "line": 0,
+                    "event": "solution",
+                    "message": "<p>Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.</p><p>If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.</p>",
+                    "verbosity_level": 1
+                },
+                {
+                    "file_name": "http://rhos-fedora-devel.usersys.redhat.com:5000/pets/",
+                    "line": 0,
+                    "event": "otherinfo",
+                    "message": "<p>This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.</p><p>At \"High\" threshold this scan rule will not alert on client or server error responses.</p>",
+                    "verbosity_level": 1
+                },
+                {
+                    "file_name": "http://rhos-fedora-devel.usersys.redhat.com:5000/pets/",
+                    "line": 0,
+                    "event": "reference",
+                    "message": "<p>http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx</p><p>https://owasp.org/www-community/Security_Headers</p>",
+                    "verbosity_level": 1
                 },
                 {
                     "file_name": "http://rhos-fedora-devel.usersys.redhat.com:5000/pets/",
@@ -178,6 +228,56 @@
                     "event": "param",
                     "message": "X-Content-Type-Options",
                     "verbosity_level": 1
+                }
+            ]
+        },
+        {
+            "checker": "OWASP_ZAP_WARNING",
+            "cwe": 693,
+            "tool": "owasp-zap",
+            "key_event_idx": 1,
+            "events": [
+                {
+                    "file_name": "http://rhos-fedora-devel.usersys.redhat.com:5000/pets/name/pet_name",
+                    "line": 0,
+                    "event": "note",
+                    "message": "dynamically analyzed on Tue, 9 Aug 2022 14:38:31",
+                    "verbosity_level": 1
+                },
+                {
+                    "file_name": "http://rhos-fedora-devel.usersys.redhat.com:5000/pets/name/pet_name",
+                    "line": 0,
+                    "event": "alert[10021]",
+                    "message": "X-Content-Type-Options Header Missing",
+                    "verbosity_level": 0
+                },
+                {
+                    "file_name": "http://rhos-fedora-devel.usersys.redhat.com:5000/pets/name/pet_name",
+                    "line": 0,
+                    "event": "desc",
+                    "message": "<p>The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.</p>",
+                    "verbosity_level": 1
+                },
+                {
+                    "file_name": "http://rhos-fedora-devel.usersys.redhat.com:5000/pets/name/pet_name",
+                    "line": 0,
+                    "event": "solution",
+                    "message": "<p>Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.</p><p>If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.</p>",
+                    "verbosity_level": 1
+                },
+                {
+                    "file_name": "http://rhos-fedora-devel.usersys.redhat.com:5000/pets/name/pet_name",
+                    "line": 0,
+                    "event": "otherinfo",
+                    "message": "<p>This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.</p><p>At \"High\" threshold this scan rule will not alert on client or server error responses.</p>",
+                    "verbosity_level": 1
+                },
+                {
+                    "file_name": "http://rhos-fedora-devel.usersys.redhat.com:5000/pets/name/pet_name",
+                    "line": 0,
+                    "event": "reference",
+                    "message": "<p>http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx</p><p>https://owasp.org/www-community/Security_Headers</p>",
+                    "verbosity_level": 1
                 },
                 {
                     "file_name": "http://rhos-fedora-devel.usersys.redhat.com:5000/pets/name/pet_name",

tests/csgrep/0105-json-parser-zap-stdout.txt

@@ -11,7 +11,7 @@
             "key_event_idx": 1,
             "events": [
                 {
-                    "file_name": "http://rhos-fedora-devel.usersys.redhat.com:9000",
+                    "file_name": "http://rhos-fedora-devel.usersys.redhat.com:9000/api/v1/activities/",
                     "line": 0,
                     "event": "note",
                     "message": "dynamically analyzed on Wed, 10 Aug 2022 10:13:02",
@@ -90,7 +90,7 @@
             "key_event_idx": 1,
             "events": [
                 {
-                    "file_name": "http://rhos-fedora-devel.usersys.redhat.com:9000",
+                    "file_name": "http://rhos-fedora-devel.usersys.redhat.com:9000/api/v1/activities/",
                     "line": 0,
                     "event": "note",
                     "message": "dynamically analyzed on Wed, 10 Aug 2022 10:13:02",
@@ -161,7 +161,7 @@
             "key_event_idx": 1,
             "events": [
                 {
-                    "file_name": "http://rhos-fedora-devel.usersys.redhat.com:9000",
+                    "file_name": "http://rhos-fedora-devel.usersys.redhat.com:9000/api/v1/activities/",
                     "line": 0,
                     "event": "note",
                     "message": "dynamically analyzed on Wed, 10 Aug 2022 10:13:02",