ascanrulesBeta: Replace usage of CWE-200

- CHANGELOG > Added change note. - Scan rules > In both cases CWE-200 was replaced with CWE-204 "Observable Response Discrepancy". - Unit Tests > Updated to assert the new CWE ID. Signed-off-by: kingthorin <[email protected]>
zaproxy · Nov 20, 2024 · 8e8201b · 8e8201b
1 parent 4a657ce
commit 8e8201b
Show file tree

Hide file tree

Showing 5 changed files with 9 additions and 4 deletions.
diff --git a/addOns/ascanrulesBeta/CHANGELOG.md b/addOns/ascanrulesBeta/CHANGELOG.md
@@ -4,6 +4,11 @@ All notable changes to this add-on will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ## Unreleased
+### Changed
+- The following scan rules now use more specific CWE IDs:
+    - Proxy Disclosure (Issue 8713)
+    - Possible Username Enumeration (Issue 8715)
+
 ### Fixed
 - Address exception when scanning a message without path with Possible Username Enumeration scan rule.
 

diff --git a/...sBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/ProxyDisclosureScanRule.java b/...sBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/ProxyDisclosureScanRule.java
@@ -784,7 +784,7 @@ public int getRisk() {
 
     @Override
     public int getCweId() {
-        return 200; // Information Exposure (primarily via TRACE / OPTIONS / TRACK)
+        return 204; // Observable Response Discrepancy
     }
 
     @Override

diff --git a/...a/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/UsernameEnumerationScanRule.java b/...a/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/UsernameEnumerationScanRule.java
@@ -745,7 +745,7 @@ private static boolean shouldContinue(List<Context> contextList) {
 
     @Override
     public int getCweId() {
-        return 200; // CWE-200: Information Exposure
+        return 204; // CWE-204: Observable Response Discrepancy
     }
 
     @Override

diff --git a/...c/test/java/org/zaproxy/zap/extension/ascanrulesBeta/ProxyDisclosureScanRuleUnitTest.java b/...c/test/java/org/zaproxy/zap/extension/ascanrulesBeta/ProxyDisclosureScanRuleUnitTest.java
@@ -41,7 +41,7 @@ void shouldReturnExpectedMappings() {
         int wasc = rule.getWascId();
         Map<String, String> tags = rule.getAlertTags();
         // Then
-        assertThat(cwe, is(equalTo(200)));
+        assertThat(cwe, is(equalTo(204)));
         assertThat(wasc, is(equalTo(45)));
         assertThat(tags.size(), is(equalTo(2)));
         assertThat(

diff --git a/...st/java/org/zaproxy/zap/extension/ascanrulesBeta/UsernameEnumerationScanRuleUnitTest.java b/...st/java/org/zaproxy/zap/extension/ascanrulesBeta/UsernameEnumerationScanRuleUnitTest.java
@@ -85,7 +85,7 @@ void shouldReturnExpectedMappings() {
         int wasc = rule.getWascId();
         Map<String, String> tags = rule.getAlertTags();
         // Then
-        assertThat(cwe, is(equalTo(200)));
+        assertThat(cwe, is(equalTo(204)));
         assertThat(wasc, is(equalTo(13)));
         assertThat(tags.size(), is(equalTo(3)));
         assertThat(