From 816c476d8a72e0a53a23be057a4c9c1b4e73b8e9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A1ra=20El-Saig?= <david.el-saig@lombiq.com>
Date: Tue, 26 Dec 2023 13:26:08 +0100
Subject: [PATCH 01/87] Update baseline rule exception.

---
 .../SecurityScanning/AutomationFrameworkPlans/Baseline.yml   | 5 +++++
 .../SecurityScanning/AutomationFrameworkPlans/FullScan.yml   | 5 +++++
 .../SecurityScanning/AutomationFrameworkPlans/GraphQL.yml    | 5 +++++
 .../SecurityScanning/AutomationFrameworkPlans/OpenAPI.yml    | 5 +++++
 4 files changed, 20 insertions(+)

diff --git a/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/Baseline.yml b/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/Baseline.yml
index 3ebde1b96..51052fe72 100644
--- a/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/Baseline.yml
+++ b/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/Baseline.yml
@@ -45,6 +45,11 @@ jobs:
   - id: 10035
     name: "Strict-Transport-Security Header"
     threshold: "off"
+  # Some stock Orchard Core shapes and pages (including the setup page) contain inline script blocks, so this directive
+  # must be permitted for OC to work at all.
+  - id: 10055
+    name: "script-src includes unsafe-inline"
+    threshold: "off"
   name: "passiveScan-config"
   type: "passiveScan-config"
 - parameters: {}
diff --git a/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/FullScan.yml b/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/FullScan.yml
index 19bf336b2..204883d31 100644
--- a/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/FullScan.yml
+++ b/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/FullScan.yml
@@ -45,6 +45,11 @@ jobs:
   - id: 10035
     name: "Strict-Transport-Security Header"
     threshold: "off"
+  # Some stock Orchard Core shapes and pages (including the setup page) contain inline script blocks, so this directive
+  # must be permitted for OC to work at all.
+  - id: 10055
+    name: "script-src includes unsafe-inline"
+    threshold: "off"
   name: "passiveScan-config"
   type: "passiveScan-config"
 - parameters: {}
diff --git a/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/GraphQL.yml b/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/GraphQL.yml
index 24f14d902..70c1b1e92 100644
--- a/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/GraphQL.yml
+++ b/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/GraphQL.yml
@@ -45,6 +45,11 @@ jobs:
   - id: 10035
     name: "Strict-Transport-Security Header"
     threshold: "off"
+  # Some stock Orchard Core shapes and pages (including the setup page) contain inline script blocks, so this directive
+  # must be permitted for OC to work at all.
+  - id: 10055
+    name: "script-src includes unsafe-inline"
+    threshold: "off"
   name: "passiveScan-config"
   type: "passiveScan-config"
 - parameters:
diff --git a/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/OpenAPI.yml b/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/OpenAPI.yml
index 9327dc09a..836bfc53a 100644
--- a/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/OpenAPI.yml
+++ b/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/OpenAPI.yml
@@ -45,6 +45,11 @@ jobs:
   - id: 10035
     name: "Strict-Transport-Security Header"
     threshold: "off"
+  # Some stock Orchard Core shapes and pages (including the setup page) contain inline script blocks, so this directive
+  # must be permitted for OC to work at all.
+  - id: 10055
+    name: "script-src includes unsafe-inline"
+    threshold: "off"
   name: "passiveScan-config"
   type: "passiveScan-config"
 - parameters: {}

From 7856594cd2a265cb4b7033f981e6e8b4596aad00 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A1ra=20El-Saig?= <david.el-saig@lombiq.com>
Date: Tue, 26 Dec 2023 14:53:33 +0100
Subject: [PATCH 02/87] The baseline scan should visit at least one page that
 throws an exception.

---
 .../SecurityScanningUITestContextExtensions.cs        | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/Lombiq.Tests.UI/SecurityScanning/SecurityScanningUITestContextExtensions.cs b/Lombiq.Tests.UI/SecurityScanning/SecurityScanningUITestContextExtensions.cs
index 95c5c790c..7c8276ea0 100644
--- a/Lombiq.Tests.UI/SecurityScanning/SecurityScanningUITestContextExtensions.cs
+++ b/Lombiq.Tests.UI/SecurityScanning/SecurityScanningUITestContextExtensions.cs
@@ -1,6 +1,8 @@
+using Lombiq.HelpfulLibraries.OrchardCore.Mvc;
 using Lombiq.Tests.UI.Exceptions;
 using Lombiq.Tests.UI.Extensions;
 using Lombiq.Tests.UI.Services;
+using Lombiq.Tests.UI.Shortcuts.Controllers;
 using Microsoft.CodeAnalysis.Sarif;
 using System;
 using System.Threading.Tasks;
@@ -25,7 +27,14 @@ public static Task RunAndAssertBaselineSecurityScanAsync(
         Action<SarifLog> assertSecurityScanResult = null) =>
         context.RunAndAssertSecurityScanAsync(
             AutomationFrameworkPlanPaths.BaselinePlanPath,
-            configure,
+            configuration =>
+            {
+                // Make sure to visit at least one page that throws an exception.
+                var errorPageRelativeUrl = context.GetRelativeUrlOfAction<ErrorController>(error => error.Index());
+                configuration.ModifyZapPlan(plan => plan.AddUrl(context.GetAbsoluteUri(errorPageRelativeUrl)));
+
+                configure?.Invoke(configuration);
+            },
             assertSecurityScanResult);
 
     /// <summary>

From 222be4759f2a50907aea8ac7d09f71624e08d5b8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A1ra=20El-Saig?= <david.el-saig@lombiq.com>
Date: Tue, 26 Dec 2023 17:48:23 +0100
Subject: [PATCH 03/87] Disable app log assertion for the duration of the
 security scan.

---
 .../SecurityScanningUITestContextExtensions.cs         | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/Lombiq.Tests.UI/SecurityScanning/SecurityScanningUITestContextExtensions.cs b/Lombiq.Tests.UI/SecurityScanning/SecurityScanningUITestContextExtensions.cs
index 7c8276ea0..9e4a4d2fd 100644
--- a/Lombiq.Tests.UI/SecurityScanning/SecurityScanningUITestContextExtensions.cs
+++ b/Lombiq.Tests.UI/SecurityScanning/SecurityScanningUITestContextExtensions.cs
@@ -4,6 +4,7 @@
 using Lombiq.Tests.UI.Services;
 using Lombiq.Tests.UI.Shortcuts.Controllers;
 using Microsoft.CodeAnalysis.Sarif;
+using Shouldly;
 using System;
 using System.Threading.Tasks;
 
@@ -116,6 +117,11 @@ public static async Task RunAndAssertSecurityScanAsync(
         Action<SecurityScanConfiguration> configure = null,
         Action<SarifLog> assertSecurityScanResult = null)
     {
+        // Verify that the app logs are fine right now, then disable app log assertion for the duration of this scan.
+        await context.Configuration.AssertAppLogsAsync(context.Application);
+        var assertAppLogsAsync = context.Configuration.AssertAppLogsAsync;
+        context.Configuration.AssertAppLogsAsync = _ => Task.CompletedTask;
+
         var configuration = context.Configuration.SecurityScanningConfiguration;
 
         SecurityScanResult result = null;
@@ -133,6 +139,10 @@ public static async Task RunAndAssertSecurityScanAsync(
             if (result != null) context.AppendDirectoryToFailureDump(result.ReportsDirectoryPath);
             throw new SecurityScanningAssertionException(ex);
         }
+
+        // Clear app logs before app log assertion is restored.
+        context.ClearLogs();
+        context.Configuration.AssertAppLogsAsync = assertAppLogsAsync;
     }
 
     /// <summary>

From 6cfb21ddcad7813483457974ff09a30bac9f7983 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A1ra=20El-Saig?= <david.el-saig@lombiq.com>
Date: Tue, 26 Dec 2023 18:32:31 +0100
Subject: [PATCH 04/87] unusing

---
 .../SecurityScanning/SecurityScanningUITestContextExtensions.cs  | 1 -
 1 file changed, 1 deletion(-)

diff --git a/Lombiq.Tests.UI/SecurityScanning/SecurityScanningUITestContextExtensions.cs b/Lombiq.Tests.UI/SecurityScanning/SecurityScanningUITestContextExtensions.cs
index 9e4a4d2fd..350834efe 100644
--- a/Lombiq.Tests.UI/SecurityScanning/SecurityScanningUITestContextExtensions.cs
+++ b/Lombiq.Tests.UI/SecurityScanning/SecurityScanningUITestContextExtensions.cs
@@ -4,7 +4,6 @@
 using Lombiq.Tests.UI.Services;
 using Lombiq.Tests.UI.Shortcuts.Controllers;
 using Microsoft.CodeAnalysis.Sarif;
-using Shouldly;
 using System;
 using System.Threading.Tasks;
 

From b60dfe0f8eb07f561fe6eb591ec626d10a07c19c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A1ra=20El-Saig?= <david.el-saig@lombiq.com>
Date: Tue, 26 Dec 2023 20:10:16 +0100
Subject: [PATCH 05/87] Expect custom error page.

---
 .../SecurityScanning/AutomationFrameworkPlans/Baseline.yml     | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/Baseline.yml b/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/Baseline.yml
index 51052fe72..e7fab4e3e 100644
--- a/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/Baseline.yml
+++ b/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/Baseline.yml
@@ -50,6 +50,9 @@ jobs:
   - id: 10055
     name: "script-src includes unsafe-inline"
     threshold: "off"
+  - id: 90022
+    name: "Application Error Disclosure"
+    threshold: "low"
   name: "passiveScan-config"
   type: "passiveScan-config"
 - parameters: {}

From eea23bd977f5cdbcfd76169864d78257ca78c816 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A1ra=20El-Saig?= <david.el-saig@lombiq.com>
Date: Tue, 26 Dec 2023 22:16:30 +0100
Subject: [PATCH 06/87] Disable rule 10037.

---
 .../SecurityScanning/AutomationFrameworkPlans/Baseline.yml | 7 ++++---
 .../SecurityScanning/AutomationFrameworkPlans/FullScan.yml | 4 ++++
 .../SecurityScanning/AutomationFrameworkPlans/GraphQL.yml  | 4 ++++
 .../SecurityScanning/AutomationFrameworkPlans/OpenAPI.yml  | 4 ++++
 4 files changed, 16 insertions(+), 3 deletions(-)

diff --git a/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/Baseline.yml b/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/Baseline.yml
index e7fab4e3e..b269322af 100644
--- a/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/Baseline.yml
+++ b/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/Baseline.yml
@@ -50,9 +50,10 @@ jobs:
   - id: 10055
     name: "script-src includes unsafe-inline"
     threshold: "off"
-  - id: 90022
-    name: "Application Error Disclosure"
-    threshold: "low"
+  # This is a low-risk alert, enforcing it is undesirable for branding.
+  - id: 10037
+    name: "Server Leaks Information via 'X-Powered-By' HTTP Response Header Field(s)"
+    threshold: "off"
   name: "passiveScan-config"
   type: "passiveScan-config"
 - parameters: {}
diff --git a/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/FullScan.yml b/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/FullScan.yml
index 204883d31..a87e4d2d3 100644
--- a/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/FullScan.yml
+++ b/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/FullScan.yml
@@ -50,6 +50,10 @@ jobs:
   - id: 10055
     name: "script-src includes unsafe-inline"
     threshold: "off"
+  # This is a low-risk alert, enforcing it is undesirable for branding.
+  - id: 10037
+    name: "Server Leaks Information via 'X-Powered-By' HTTP Response Header Field(s)"
+    threshold: "off"
   name: "passiveScan-config"
   type: "passiveScan-config"
 - parameters: {}
diff --git a/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/GraphQL.yml b/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/GraphQL.yml
index 70c1b1e92..f88add172 100644
--- a/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/GraphQL.yml
+++ b/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/GraphQL.yml
@@ -50,6 +50,10 @@ jobs:
   - id: 10055
     name: "script-src includes unsafe-inline"
     threshold: "off"
+  # This is a low-risk alert, enforcing it is undesirable for branding.
+  - id: 10037
+    name: "Server Leaks Information via 'X-Powered-By' HTTP Response Header Field(s)"
+    threshold: "off"
   name: "passiveScan-config"
   type: "passiveScan-config"
 - parameters:
diff --git a/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/OpenAPI.yml b/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/OpenAPI.yml
index 836bfc53a..43912d188 100644
--- a/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/OpenAPI.yml
+++ b/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/OpenAPI.yml
@@ -50,6 +50,10 @@ jobs:
   - id: 10055
     name: "script-src includes unsafe-inline"
     threshold: "off"
+  # This is a low-risk alert, enforcing it is undesirable for branding.
+  - id: 10037
+    name: "Server Leaks Information via 'X-Powered-By' HTTP Response Header Field(s)"
+    threshold: "off"
   name: "passiveScan-config"
   type: "passiveScan-config"
 - parameters: {}

From 71f189d3016e6978a29b22c653f3cb692881bb6e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A1ra=20El-Saig?= <david.el-saig@lombiq.com>
Date: Wed, 27 Dec 2023 21:51:42 +0100
Subject: [PATCH 07/87] Fix disabled rules, shouldn't have been dictionary.

---
 .../SecurityScanConfiguration.cs              | 31 +++++++++++++++++--
 1 file changed, 28 insertions(+), 3 deletions(-)

diff --git a/Lombiq.Tests.UI/SecurityScanning/SecurityScanConfiguration.cs b/Lombiq.Tests.UI/SecurityScanning/SecurityScanConfiguration.cs
index 4aad3938e..79bd71e52 100644
--- a/Lombiq.Tests.UI/SecurityScanning/SecurityScanConfiguration.cs
+++ b/Lombiq.Tests.UI/SecurityScanning/SecurityScanConfiguration.cs
@@ -32,7 +32,8 @@ public class SecurityScanConfiguration
     public IDictionary<ScanRule, (ScanRuleThreshold Threshold, ScanRuleStrength Strength)> ConfiguredActiveScanRules { get; } =
         new Dictionary<ScanRule, (ScanRuleThreshold, ScanRuleStrength)>();
     public IList<ScanRule> DisabledPassiveScanRules { get; } = new List<ScanRule>();
-    public IDictionary<string, ScanRule> DisabledRulesForUrls { get; } = new Dictionary<string, ScanRule>();
+    public IList<(string Url, int Id, string RuleName)> DisabledRulesForUrls { get; } = new List<(string Url, int Id, string RuleName)>();
+    public IList<(string Url, int Id, string Justification)> FalsePositives { get; } = new List<(string Url, int Id, string Justification)>();
     public IList<Func<YamlDocument, Task>> ZapPlanModifiers { get; } = new List<Func<YamlDocument, Task>>();
 
     internal SecurityScanConfiguration()
@@ -161,7 +162,30 @@ public SecurityScanConfiguration DisablePassiveScanRule(int id, string name = ""
     /// </param>
     public SecurityScanConfiguration DisableScanRuleForUrlWithRegex(string urlRegex, int ruleId, string ruleName = "")
     {
-        DisabledRulesForUrls[urlRegex] = new ScanRule(ruleId, ruleName);
+        DisabledRulesForUrls.Add((urlRegex, ruleId, ruleName));
+        return this;
+    }
+
+    /// <summary>
+    /// Marks a rule (can be any rule, including e.g. both active or passive scan rules) for just URLs matching the
+    /// given regular expression pattern.
+    /// </summary>
+    /// <param name="urlRegex">
+    /// The regex pattern to match URLs against. It will be matched against the whole absolute URL, e.g., ".*blog.*"
+    /// will match https://example.com/blog, https://example.com/blog/my-post, etc.
+    /// </param>
+    /// <param name="ruleId">The ID of the rule. In the scan report, this is usually displayed as "Plugin Id".</param>
+    /// <param name="justification">
+    /// A human-readable explanation of why the alert is false positive.
+    /// </param>
+    public SecurityScanConfiguration MarkScanRuleAsFalsePositiveForUrlWithRegex(string urlRegex, int ruleId, string justification)
+    {
+        if (string.IsNullOrWhiteSpace(justification))
+        {
+            throw new InvalidOperationException("Please provide a justification for disabling this alert!");
+        }
+
+        FalsePositives.Add((urlRegex, ruleId, justification));
         return this;
     }
 
@@ -247,7 +271,8 @@ internal async Task ApplyToPlanAsync(YamlDocument yamlDocument, UITestContext co
         }
 
         foreach (var rule in DisabledPassiveScanRules) yamlDocument.DisablePassiveScanRule(rule.Id, rule.Name);
-        foreach (var urlToRule in DisabledRulesForUrls) yamlDocument.AddAlertFilter(urlToRule.Key, urlToRule.Value.Id, urlToRule.Value.Name);
+        foreach (var (url, id, name) in DisabledRulesForUrls) yamlDocument.AddAlertFilter(url, id, name);
+        foreach (var (url, id, justification) in FalsePositives) yamlDocument.AddAlertFilter(url, id, justification, isFalsePositive: true);
         foreach (var modifier in ZapPlanModifiers) await modifier(yamlDocument);
     }
 

From e0115687cce9a572c92ae5d2651a8e8e5307220a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A1ra=20El-Saig?= <david.el-saig@lombiq.com>
Date: Wed, 27 Dec 2023 21:59:06 +0100
Subject: [PATCH 08/87] Turn all the collections into private, because we have
 methods to handle them in a specific restricted manner so exposing the
 original collections is only asking for shenanigans.

---
 .../SecurityScanConfiguration.cs              | 52 +++++++++----------
 1 file changed, 26 insertions(+), 26 deletions(-)

diff --git a/Lombiq.Tests.UI/SecurityScanning/SecurityScanConfiguration.cs b/Lombiq.Tests.UI/SecurityScanning/SecurityScanConfiguration.cs
index 79bd71e52..2bc2f93f0 100644
--- a/Lombiq.Tests.UI/SecurityScanning/SecurityScanConfiguration.cs
+++ b/Lombiq.Tests.UI/SecurityScanning/SecurityScanConfiguration.cs
@@ -23,18 +23,18 @@ namespace Lombiq.Tests.UI.SecurityScanning;
 /// </remarks>
 public class SecurityScanConfiguration
 {
+    private readonly List<Uri> _additionalUris = new();
+    private readonly List<string> _excludedUrlRegexPatterns = new();
+    private readonly List<ScanRule> _disabledActiveScanRules = new();
+    private readonly Dictionary<ScanRule, (ScanRuleThreshold Threshold, ScanRuleStrength Strength)> _configuredActiveScanRules = new();
+    private readonly List<ScanRule> _disabledPassiveScanRules = new();
+    private readonly List<(string Url, int Id, string RuleName)> _disabledRulesForUrls = new();
+    private readonly List<(string Url, int Id, string Justification)> _falsePositives = new();
+    private readonly List<Func<YamlDocument, Task>> _zapPlanModifiers = new();
+
     public Uri StartUri { get; private set; }
-    public IList<Uri> AdditionalUris { get; } = new List<Uri>();
     public bool AjaxSpiderIsUsed { get; private set; }
     public string SignInUserName { get; private set; }
-    public IList<string> ExcludedUrlRegexPatterns { get; } = new List<string>();
-    public IList<ScanRule> DisabledActiveScanRules { get; } = new List<ScanRule>();
-    public IDictionary<ScanRule, (ScanRuleThreshold Threshold, ScanRuleStrength Strength)> ConfiguredActiveScanRules { get; } =
-        new Dictionary<ScanRule, (ScanRuleThreshold, ScanRuleStrength)>();
-    public IList<ScanRule> DisabledPassiveScanRules { get; } = new List<ScanRule>();
-    public IList<(string Url, int Id, string RuleName)> DisabledRulesForUrls { get; } = new List<(string Url, int Id, string RuleName)>();
-    public IList<(string Url, int Id, string Justification)> FalsePositives { get; } = new List<(string Url, int Id, string Justification)>();
-    public IList<Func<YamlDocument, Task>> ZapPlanModifiers { get; } = new List<Func<YamlDocument, Task>>();
 
     internal SecurityScanConfiguration()
     {
@@ -57,7 +57,7 @@ public SecurityScanConfiguration StartAtUri(Uri startUri)
     /// <param name="additionalUri">The <see cref="Uri"/> under the app to also cover during the scan.</param>
     public SecurityScanConfiguration AddAdditionalUri(Uri additionalUri)
     {
-        AdditionalUris.Add(additionalUri);
+        _additionalUris.Add(additionalUri);
         return this;
     }
 
@@ -91,7 +91,7 @@ public SecurityScanConfiguration SignIn(string userName = DefaultUser.UserName)
     /// </param>
     public SecurityScanConfiguration ExcludeUrlWithRegex(string excludedUrlRegex)
     {
-        ExcludedUrlRegexPatterns.Add(excludedUrlRegex);
+        _excludedUrlRegexPatterns.Add(excludedUrlRegex);
         return this;
     }
 
@@ -106,7 +106,7 @@ public SecurityScanConfiguration ExcludeUrlWithRegex(string excludedUrlRegex)
     /// </param>
     public SecurityScanConfiguration DisableActiveScanRule(int id, string name = "")
     {
-        DisabledActiveScanRules.Add(new ScanRule(id, name));
+        _disabledActiveScanRules.Add(new ScanRule(id, name));
         return this;
     }
 
@@ -128,7 +128,7 @@ public SecurityScanConfiguration DisableActiveScanRule(int id, string name = "")
     /// </param>
     public SecurityScanConfiguration ConfigureActiveScanRule(int id, ScanRuleThreshold threshold, ScanRuleStrength strength, string name = "")
     {
-        ConfiguredActiveScanRules.Add(new ScanRule(id, name), (threshold, strength));
+        _configuredActiveScanRules.Add(new ScanRule(id, name), (threshold, strength));
         return this;
     }
 
@@ -143,7 +143,7 @@ public SecurityScanConfiguration ConfigureActiveScanRule(int id, ScanRuleThresho
     /// </param>
     public SecurityScanConfiguration DisablePassiveScanRule(int id, string name = "")
     {
-        DisabledPassiveScanRules.Add(new ScanRule(id, name));
+        _disabledPassiveScanRules.Add(new ScanRule(id, name));
         return this;
     }
 
@@ -162,7 +162,7 @@ public SecurityScanConfiguration DisablePassiveScanRule(int id, string name = ""
     /// </param>
     public SecurityScanConfiguration DisableScanRuleForUrlWithRegex(string urlRegex, int ruleId, string ruleName = "")
     {
-        DisabledRulesForUrls.Add((urlRegex, ruleId, ruleName));
+        _disabledRulesForUrls.Add((urlRegex, ruleId, ruleName));
         return this;
     }
 
@@ -185,7 +185,7 @@ public SecurityScanConfiguration MarkScanRuleAsFalsePositiveForUrlWithRegex(stri
             throw new InvalidOperationException("Please provide a justification for disabling this alert!");
         }
 
-        FalsePositives.Add((urlRegex, ruleId, justification));
+        _falsePositives.Add((urlRegex, ruleId, justification));
         return this;
     }
 
@@ -200,7 +200,7 @@ public SecurityScanConfiguration MarkScanRuleAsFalsePositiveForUrlWithRegex(stri
     /// </param>
     public SecurityScanConfiguration ModifyZapPlan(Func<YamlDocument, Task> modifyPlan)
     {
-        ZapPlanModifiers.Add(modifyPlan);
+        _zapPlanModifiers.Add(modifyPlan);
         return this;
     }
 
@@ -215,7 +215,7 @@ public SecurityScanConfiguration ModifyZapPlan(Func<YamlDocument, Task> modifyPl
     /// </param>
     public SecurityScanConfiguration ModifyZapPlan(Action<YamlDocument> modifyPlan)
     {
-        ZapPlanModifiers.Add(yamlDocument =>
+        _zapPlanModifiers.Add(yamlDocument =>
         {
             modifyPlan(yamlDocument);
             return Task.CompletedTask;
@@ -228,7 +228,7 @@ internal async Task ApplyToPlanAsync(YamlDocument yamlDocument, UITestContext co
     {
         yamlDocument.SetStartUrl(StartUri);
 
-        foreach (var uri in AdditionalUris) yamlDocument.AddUrl(uri);
+        foreach (var uri in _additionalUris) yamlDocument.AddUrl(uri);
 
         if (AjaxSpiderIsUsed) yamlDocument.AddSpiderAjaxAfterSpider();
 
@@ -258,10 +258,10 @@ internal async Task ApplyToPlanAsync(YamlDocument yamlDocument, UITestContext co
             //   pollPostData: ""
         }
 
-        yamlDocument.AddExcludePathsRegex(ExcludedUrlRegexPatterns.ToArray());
-        foreach (var rule in DisabledActiveScanRules) yamlDocument.DisableActiveScanRule(rule.Id, rule.Name);
+        yamlDocument.AddExcludePathsRegex(_excludedUrlRegexPatterns.ToArray());
+        foreach (var rule in _disabledActiveScanRules) yamlDocument.DisableActiveScanRule(rule.Id, rule.Name);
 
-        foreach (var ruleConfiguration in ConfiguredActiveScanRules)
+        foreach (var ruleConfiguration in _configuredActiveScanRules)
         {
             yamlDocument.ConfigureActiveScanRule(
                 ruleConfiguration.Key.Id,
@@ -270,10 +270,10 @@ internal async Task ApplyToPlanAsync(YamlDocument yamlDocument, UITestContext co
                 ruleConfiguration.Key.Name);
         }
 
-        foreach (var rule in DisabledPassiveScanRules) yamlDocument.DisablePassiveScanRule(rule.Id, rule.Name);
-        foreach (var (url, id, name) in DisabledRulesForUrls) yamlDocument.AddAlertFilter(url, id, name);
-        foreach (var (url, id, justification) in FalsePositives) yamlDocument.AddAlertFilter(url, id, justification, isFalsePositive: true);
-        foreach (var modifier in ZapPlanModifiers) await modifier(yamlDocument);
+        foreach (var rule in _disabledPassiveScanRules) yamlDocument.DisablePassiveScanRule(rule.Id, rule.Name);
+        foreach (var (url, id, name) in _disabledRulesForUrls) yamlDocument.AddAlertFilter(url, id, name);
+        foreach (var (url, id, justification) in _falsePositives) yamlDocument.AddAlertFilter(url, id, justification, isFalsePositive: true);
+        foreach (var modifier in _zapPlanModifiers) await modifier(yamlDocument);
     }
 
     public class ScanRule

From f8219f8bee09e3331873f1219e27125c825b0bfa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A1ra=20El-Saig?= <david.el-saig@lombiq.com>
Date: Wed, 27 Dec 2023 23:22:22 +0100
Subject: [PATCH 09/87] Some YAML extensio DRYing.

---
 .../YamlDocumentExtensions.cs                 | 57 ++++++++++---------
 1 file changed, 29 insertions(+), 28 deletions(-)

diff --git a/Lombiq.Tests.UI/SecurityScanning/YamlDocumentExtensions.cs b/Lombiq.Tests.UI/SecurityScanning/YamlDocumentExtensions.cs
index 9966e63ad..da08e77ab 100644
--- a/Lombiq.Tests.UI/SecurityScanning/YamlDocumentExtensions.cs
+++ b/Lombiq.Tests.UI/SecurityScanning/YamlDocumentExtensions.cs
@@ -108,9 +108,7 @@ public static YamlDocument AddExcludePathsRegex(this YamlDocument yamlDocument,
     {
         var currentContext = yamlDocument.GetCurrentContext();
 
-        if (!currentContext.Children.ContainsKey("excludePaths")) currentContext.Add("excludePaths", new YamlSequenceNode());
-
-        var excludePaths = (YamlSequenceNode)currentContext["excludePaths"];
+        var excludePaths = currentContext.GetOrAddNode<YamlSequenceNode>("excludePaths");
         foreach (var pattern in excludePathsRegexPatterns)
         {
             excludePaths.Add(pattern);
@@ -134,18 +132,12 @@ public static YamlDocument AddExcludePathsRegex(this YamlDocument yamlDocument,
     /// </exception>
     public static YamlDocument DisablePassiveScanRule(this YamlDocument yamlDocument, int id, string name = "")
     {
-        var passiveScanConfigJob = yamlDocument.GetPassiveScanConfigJobOrThrow();
-
-        if (!passiveScanConfigJob.Children.ContainsKey("rules")) passiveScanConfigJob.Add("rules", new YamlSequenceNode());
-
-        var newRule = new YamlMappingNode
+        yamlDocument.GetPassiveScanConfigJobOrThrow().AddRuleToRulesNode(new YamlMappingNode
         {
             { "id", id.ToTechnicalString() },
             { "name", name },
             { "threshold", "off" },
-        };
-
-        ((YamlSequenceNode)passiveScanConfigJob["rules"]).Add(newRule);
+        });
 
         return yamlDocument;
     }
@@ -204,19 +196,13 @@ public static YamlDocument ConfigureActiveScanRule(
             throw new ArgumentException("The \"activeScan\" job should contain a policyDefinition.");
         }
 
-        var policyDefinition = (YamlMappingNode)activeScanConfigJob["policyDefinition"];
-
-        if (!policyDefinition.Children.ContainsKey("rules")) policyDefinition.Add("rules", new YamlSequenceNode());
-
-        var newRule = new YamlMappingNode
+        activeScanConfigJob["policyDefinition"].AddRuleToRulesNode(new YamlMappingNode
         {
             { "id", id.ToTechnicalString() },
             { "name", name },
             { "threshold", threshold.ToString() },
             { "strength", strength.ToString() },
-        };
-
-        ((YamlSequenceNode)policyDefinition["rules"]).Add(newRule);
+        });
 
         return yamlDocument;
     }
@@ -261,18 +247,14 @@ public static YamlDocument AddAlertFilter(
             jobs.Children.Insert(passiveScanConfigIndex + 1, alertFilterJob);
         }
 
-        if (!alertFilterJob.Children.ContainsKey("alertFilters")) alertFilterJob.Add("alertFilters", new YamlSequenceNode());
-
-        var newRule = new YamlMappingNode
+        alertFilterJob.GetOrAddNode<YamlSequenceNode>("alertFilters").Add(new YamlMappingNode
         {
             { "ruleId", ruleId.ToTechnicalString() },
             { "ruleName", ruleName },
             { "url", urlMatchingRegexPattern },
             { "urlRegex", "true" },
             { "newRisk", isFalsePositive ? "False Positive" : "Info" },
-        };
-
-        ((YamlSequenceNode)alertFilterJob["alertFilters"]).Add(newRule);
+        });
 
         return yamlDocument;
     }
@@ -309,6 +291,20 @@ public static YamlDocument AddRequestor(this YamlDocument yamlDocument, string u
     /// </summary>
     public static YamlMappingNode GetRootNode(this YamlDocument yamlDocument) => (YamlMappingNode)yamlDocument.RootNode;
 
+    /// <summary>
+    /// Tries to access the child node by the name of <paramref name="key"/>. If it doesn't exists, it's created.
+    /// </summary>
+    public static T GetOrAddNode<T>(this YamlNode yamlNode, string key)
+        where T : YamlNode, new()
+    {
+        if (yamlNode is YamlMappingNode mappingNode && !mappingNode.Children.ContainsKey(key))
+        {
+            mappingNode.Children.Add(key, new T());
+        }
+
+        return (T)yamlNode[key];
+    }
+
     /// <summary>
     /// Gets the "jobs" section of the ZAP Automation Framework plan.
     /// </summary>
@@ -341,9 +337,7 @@ public static YamlSequenceNode GetUrls(this YamlDocument yamlDocument)
     {
         var currentContext = yamlDocument.GetCurrentContext();
 
-        if (!currentContext.Children.ContainsKey("urls")) currentContext.Add("urls", new YamlSequenceNode());
-
-        return (YamlSequenceNode)currentContext["urls"];
+        return currentContext.GetOrAddNode<YamlSequenceNode>("urls");
     }
 
     /// <summary>
@@ -419,4 +413,11 @@ public static YamlDocument MergeFrom(this YamlDocument baseDocument, YamlDocumen
 
         return baseDocument;
     }
+
+    /// <summary>
+    /// Ensures that the <paramref name="parentOfRules"/> has a <c>rules</c> child and then adds the <paramref
+    /// name="newRule"/> to it.
+    /// </summary>
+    public static void AddRuleToRulesNode(this YamlNode parentOfRules, YamlNode newRule) =>
+        parentOfRules.GetOrAddNode<YamlSequenceNode>("rules").Add(newRule);
 }

From c61a55c48aacfdc310097168436770dd3cfd3c97 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A1ra=20El-Saig?= <david.el-saig@lombiq.com>
Date: Thu, 28 Dec 2023 00:17:57 +0100
Subject: [PATCH 10/87] By default ignore /vendor/ or /vendors/ URLs.

---
 .../SecurityScanningUITestContextExtensions.cs           | 4 ++++
 .../SecurityScanning/YamlDocumentExtensions.cs           | 9 +++++++++
 2 files changed, 13 insertions(+)

diff --git a/Lombiq.Tests.UI/SecurityScanning/SecurityScanningUITestContextExtensions.cs b/Lombiq.Tests.UI/SecurityScanning/SecurityScanningUITestContextExtensions.cs
index 350834efe..8fa3e86bf 100644
--- a/Lombiq.Tests.UI/SecurityScanning/SecurityScanningUITestContextExtensions.cs
+++ b/Lombiq.Tests.UI/SecurityScanning/SecurityScanningUITestContextExtensions.cs
@@ -165,6 +165,10 @@ public static Task<SecurityScanResult> RunSecurityScanAsync(
 
         configuration.StartAtUri(context.GetCurrentUri());
 
+        // By default ignore /vendor/ or /vendors/ URLs. This is case-insensitive. We have no control over them, and
+        // they may contain several false positives (e.g. in font-awesome)..
+        configuration.ExcludeUrlWithRegex(@".*/vendors?/.*");
+
         if (context.Configuration.SecurityScanningConfiguration.ZapAutomationFrameworkPlanModifier != null)
         {
             configuration.ModifyZapPlan(async plan =>
diff --git a/Lombiq.Tests.UI/SecurityScanning/YamlDocumentExtensions.cs b/Lombiq.Tests.UI/SecurityScanning/YamlDocumentExtensions.cs
index da08e77ab..f5f5ad72a 100644
--- a/Lombiq.Tests.UI/SecurityScanning/YamlDocumentExtensions.cs
+++ b/Lombiq.Tests.UI/SecurityScanning/YamlDocumentExtensions.cs
@@ -207,6 +207,15 @@ public static YamlDocument ConfigureActiveScanRule(
         return yamlDocument;
     }
 
+    /// <summary>
+    /// Adds a regular expression used to exclude paths in the current context.
+    /// </summary>
+    public static YamlDocument AddGlobalExcludePath(this YamlDocument yamlDocument, string pathRegex)
+    {
+        yamlDocument.GetCurrentContext().GetOrAddNode<YamlSequenceNode>("excludePaths").Add(pathRegex);
+        return yamlDocument;
+    }
+
     /// <summary>
     /// Adds an <see href="https://www.zaproxy.org/docs/desktop/addons/alert-filters/">Alert Filter</see> to the ZAP
     /// Automation Framework plan.

From f6ea9fb22525f20b284ec0818643b29deccb29ab Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A1ra=20El-Saig?= <david.el-saig@lombiq.com>
Date: Thu, 28 Dec 2023 00:28:21 +0100
Subject: [PATCH 11/87] unusing

---
 Lombiq.Tests.UI/SecurityScanning/SecurityScanConfiguration.cs | 1 -
 1 file changed, 1 deletion(-)

diff --git a/Lombiq.Tests.UI/SecurityScanning/SecurityScanConfiguration.cs b/Lombiq.Tests.UI/SecurityScanning/SecurityScanConfiguration.cs
index 2bc2f93f0..e80161cdb 100644
--- a/Lombiq.Tests.UI/SecurityScanning/SecurityScanConfiguration.cs
+++ b/Lombiq.Tests.UI/SecurityScanning/SecurityScanConfiguration.cs
@@ -5,7 +5,6 @@
 using Lombiq.Tests.UI.Shortcuts.Controllers;
 using System;
 using System.Collections.Generic;
-using System.Linq;
 using System.Threading.Tasks;
 using YamlDotNet.RepresentationModel;
 

From 32f03dd2af5be00df7d1018bf633dd117a6f08c2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A1ra=20El-Saig?= <david.el-saig@lombiq.com>
Date: Thu, 28 Dec 2023 02:04:43 +0100
Subject: [PATCH 12/87] Fix sample.

---
 Lombiq.Tests.UI.Samples/Tests/SecurityScanningTests.cs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Lombiq.Tests.UI.Samples/Tests/SecurityScanningTests.cs b/Lombiq.Tests.UI.Samples/Tests/SecurityScanningTests.cs
index 14dbbf4e4..3ab1abbde 100644
--- a/Lombiq.Tests.UI.Samples/Tests/SecurityScanningTests.cs
+++ b/Lombiq.Tests.UI.Samples/Tests/SecurityScanningTests.cs
@@ -65,7 +65,7 @@ public Task SecurityScanWithCustomConfigurationShouldPass() =>
                 configuration => configuration
                     ////.UseAjaxSpider() // This is quite slow so just showing you here but not running it.
                     .ExcludeUrlWithRegex(".*blog.*")
-                    .DisablePassiveScanRule(10037, "Server Leaks Information via \"X-Powered-By\" HTTP Response Header Field(s)")
+                    .DisablePassiveScanRule(10020, "The response does not include either Content-Security-Policy with 'frame-ancestors' directive.")
                     .DisableScanRuleForUrlWithRegex(".*/about", 10038, "Content Security Policy (CSP) Header Not Set")
                     .SignIn(),
                 sarifLog => sarifLog.Runs[0].Results.Count.ShouldBeLessThan(34)));

From 445074d15a8e28400e47ff66384a9bf95f586861 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A1ra=20El-Saig?= <david.el-saig@lombiq.com>
Date: Thu, 28 Dec 2023 14:20:25 +0100
Subject: [PATCH 13/87] Why was this rule disabled in the first place? Just
 enable "OrchardCore.Https".

---
 .../SecurityScanning/AutomationFrameworkPlans/Baseline.yml     | 3 ---
 .../SecurityScanning/AutomationFrameworkPlans/FullScan.yml     | 3 ---
 .../SecurityScanning/AutomationFrameworkPlans/GraphQL.yml      | 3 ---
 .../SecurityScanning/AutomationFrameworkPlans/OpenAPI.yml      | 3 ---
 4 files changed, 12 deletions(-)

diff --git a/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/Baseline.yml b/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/Baseline.yml
index b269322af..a17a2d0aa 100644
--- a/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/Baseline.yml
+++ b/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/Baseline.yml
@@ -42,9 +42,6 @@ jobs:
     enableTags: false
     disableAllRules: false
   rules:
-  - id: 10035
-    name: "Strict-Transport-Security Header"
-    threshold: "off"
   # Some stock Orchard Core shapes and pages (including the setup page) contain inline script blocks, so this directive
   # must be permitted for OC to work at all.
   - id: 10055
diff --git a/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/FullScan.yml b/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/FullScan.yml
index a87e4d2d3..05bedaadf 100644
--- a/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/FullScan.yml
+++ b/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/FullScan.yml
@@ -42,9 +42,6 @@ jobs:
     enableTags: false
     disableAllRules: false
   rules:
-  - id: 10035
-    name: "Strict-Transport-Security Header"
-    threshold: "off"
   # Some stock Orchard Core shapes and pages (including the setup page) contain inline script blocks, so this directive
   # must be permitted for OC to work at all.
   - id: 10055
diff --git a/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/GraphQL.yml b/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/GraphQL.yml
index f88add172..c256d68bc 100644
--- a/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/GraphQL.yml
+++ b/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/GraphQL.yml
@@ -42,9 +42,6 @@ jobs:
     enableTags: false
     disableAllRules: false
   rules:
-  - id: 10035
-    name: "Strict-Transport-Security Header"
-    threshold: "off"
   # Some stock Orchard Core shapes and pages (including the setup page) contain inline script blocks, so this directive
   # must be permitted for OC to work at all.
   - id: 10055
diff --git a/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/OpenAPI.yml b/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/OpenAPI.yml
index 43912d188..6a5441fd4 100644
--- a/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/OpenAPI.yml
+++ b/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/OpenAPI.yml
@@ -42,9 +42,6 @@ jobs:
     enableTags: false
     disableAllRules: false
   rules:
-  - id: 10035
-    name: "Strict-Transport-Security Header"
-    threshold: "off"
   # Some stock Orchard Core shapes and pages (including the setup page) contain inline script blocks, so this directive
   # must be permitted for OC to work at all.
   - id: 10055

From 1a6ad0c3b8ada0c6c8ea4f55ffbb04292ffb8672 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A1ra=20El-Saig?= <david.el-saig@lombiq.com>
Date: Thu, 28 Dec 2023 23:02:20 +0100
Subject: [PATCH 14/87] Update the comment.

---
 Lombiq.Tests.UI.Samples/Tests/SecurityScanningTests.cs        | 4 ++--
 .../SecurityScanningUITestContextExtensions.cs                | 3 ++-
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/Lombiq.Tests.UI.Samples/Tests/SecurityScanningTests.cs b/Lombiq.Tests.UI.Samples/Tests/SecurityScanningTests.cs
index 3ab1abbde..87d6dbece 100644
--- a/Lombiq.Tests.UI.Samples/Tests/SecurityScanningTests.cs
+++ b/Lombiq.Tests.UI.Samples/Tests/SecurityScanningTests.cs
@@ -45,8 +45,8 @@ public Task BasicSecurityScanShouldPass() =>
     //   usually not just unnecessary for a website that's not an SPA, but also slows the scan down by a lot. However,
     //   if you have an SPA, you need to use it.
     // - Excludes certain URLs from the scan completely. Use this if you don't want ZAP to process certain URLs at all.
-    // - Disables the "Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s)" alert of ZAP's passive
-    //   scan for the whole scan. This is because by default, Orchard Core sends an "X-Powered-By: OrchardCore" header.
+    // - Disables the The response does not include either Content-Security-Policy with 'frame-ancestors' directive."
+    //   alert of ZAP's passive scan for the whole scan. This is because by default, Orchard Core sends an "X-Powered-By: OrchardCore" header.
     //   If you want airtight security, you might want to turn this off, but for the sake of example we just ignore the
     //   alert here.
     // - Also disables the "Content Security Policy (CSP) Header Not Set" rule but only for the /about page. Use this to
diff --git a/Lombiq.Tests.UI/SecurityScanning/SecurityScanningUITestContextExtensions.cs b/Lombiq.Tests.UI/SecurityScanning/SecurityScanningUITestContextExtensions.cs
index 8fa3e86bf..c5b40d868 100644
--- a/Lombiq.Tests.UI/SecurityScanning/SecurityScanningUITestContextExtensions.cs
+++ b/Lombiq.Tests.UI/SecurityScanning/SecurityScanningUITestContextExtensions.cs
@@ -29,7 +29,8 @@ public static Task RunAndAssertBaselineSecurityScanAsync(
             AutomationFrameworkPlanPaths.BaselinePlanPath,
             configuration =>
             {
-                // Make sure to visit at least one page that throws an exception.
+                // Make sure to visit at least one page that throws an exception. This is to ensure that error handling
+                // is tested for security as well.
                 var errorPageRelativeUrl = context.GetRelativeUrlOfAction<ErrorController>(error => error.Index());
                 configuration.ModifyZapPlan(plan => plan.AddUrl(context.GetAbsoluteUri(errorPageRelativeUrl)));
 

From 5dd76472c88a2cfe99c1f8a4994c8ad44ff0ea61 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A1ra=20El-Saig?= <sara.el-saig@lombiq.com>
Date: Thu, 28 Dec 2023 23:02:43 +0100
Subject: [PATCH 15/87] Update
 Lombiq.Tests.UI/SecurityScanning/SecurityScanConfiguration.cs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: Zoltán Lehóczky <zoltan.lehoczky@lombiq.com>
---
 Lombiq.Tests.UI/SecurityScanning/SecurityScanConfiguration.cs | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Lombiq.Tests.UI/SecurityScanning/SecurityScanConfiguration.cs b/Lombiq.Tests.UI/SecurityScanning/SecurityScanConfiguration.cs
index e80161cdb..f0e948235 100644
--- a/Lombiq.Tests.UI/SecurityScanning/SecurityScanConfiguration.cs
+++ b/Lombiq.Tests.UI/SecurityScanning/SecurityScanConfiguration.cs
@@ -166,8 +166,8 @@ public SecurityScanConfiguration DisableScanRuleForUrlWithRegex(string urlRegex,
     }
 
     /// <summary>
-    /// Marks a rule (can be any rule, including e.g. both active or passive scan rules) for just URLs matching the
-    /// given regular expression pattern.
+    /// Marks a rule (can be any rule, including e.g. both active or passive scan rules) as false positivefor just URLs
+    /// matching the given regular expression pattern.
     /// </summary>
     /// <param name="urlRegex">
     /// The regex pattern to match URLs against. It will be matched against the whole absolute URL, e.g., ".*blog.*"

From 2544f98d5e587a5044967be00f052ebdf33f7621 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A1ra=20El-Saig?= <david.el-saig@lombiq.com>
Date: Thu, 28 Dec 2023 23:06:54 +0100
Subject: [PATCH 16/87] Remove duplicate method.

---
 .../SecurityScanning/YamlDocumentExtensions.cs           | 9 ---------
 1 file changed, 9 deletions(-)

diff --git a/Lombiq.Tests.UI/SecurityScanning/YamlDocumentExtensions.cs b/Lombiq.Tests.UI/SecurityScanning/YamlDocumentExtensions.cs
index f5f5ad72a..da08e77ab 100644
--- a/Lombiq.Tests.UI/SecurityScanning/YamlDocumentExtensions.cs
+++ b/Lombiq.Tests.UI/SecurityScanning/YamlDocumentExtensions.cs
@@ -207,15 +207,6 @@ public static YamlDocument ConfigureActiveScanRule(
         return yamlDocument;
     }
 
-    /// <summary>
-    /// Adds a regular expression used to exclude paths in the current context.
-    /// </summary>
-    public static YamlDocument AddGlobalExcludePath(this YamlDocument yamlDocument, string pathRegex)
-    {
-        yamlDocument.GetCurrentContext().GetOrAddNode<YamlSequenceNode>("excludePaths").Add(pathRegex);
-        return yamlDocument;
-    }
-
     /// <summary>
     /// Adds an <see href="https://www.zaproxy.org/docs/desktop/addons/alert-filters/">Alert Filter</see> to the ZAP
     /// Automation Framework plan.

From a97fd47c4a534e3eaf49a72165e887e0fb8df9cd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A1ra=20El-Saig?= <david.el-saig@lombiq.com>
Date: Thu, 28 Dec 2023 23:13:11 +0100
Subject: [PATCH 17/87] More documentation.

---
 Lombiq.Tests.UI/SecurityScanning/SecurityScanConfiguration.cs | 4 ++++
 Lombiq.Tests.UI/SecurityScanning/YamlDocumentExtensions.cs    | 3 ++-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/Lombiq.Tests.UI/SecurityScanning/SecurityScanConfiguration.cs b/Lombiq.Tests.UI/SecurityScanning/SecurityScanConfiguration.cs
index f0e948235..113654396 100644
--- a/Lombiq.Tests.UI/SecurityScanning/SecurityScanConfiguration.cs
+++ b/Lombiq.Tests.UI/SecurityScanning/SecurityScanConfiguration.cs
@@ -177,6 +177,10 @@ public SecurityScanConfiguration DisableScanRuleForUrlWithRegex(string urlRegex,
     /// <param name="justification">
     /// A human-readable explanation of why the alert is false positive.
     /// </param>
+    /// <remarks><para>
+    /// Marking a rule as false positive helps the development of ZAP by collecting which rules have the highest false
+    /// positive rate (see <a href="https://www.zaproxy.org/faq/how-do-i-handle-a-false-positive/">the FAQ</a>).
+    /// </para></remarks>
     public SecurityScanConfiguration MarkScanRuleAsFalsePositiveForUrlWithRegex(string urlRegex, int ruleId, string justification)
     {
         if (string.IsNullOrWhiteSpace(justification))
diff --git a/Lombiq.Tests.UI/SecurityScanning/YamlDocumentExtensions.cs b/Lombiq.Tests.UI/SecurityScanning/YamlDocumentExtensions.cs
index da08e77ab..a30e0a71d 100644
--- a/Lombiq.Tests.UI/SecurityScanning/YamlDocumentExtensions.cs
+++ b/Lombiq.Tests.UI/SecurityScanning/YamlDocumentExtensions.cs
@@ -218,7 +218,8 @@ public static YamlDocument ConfigureActiveScanRule(
     /// </param>
     /// <param name="ruleName">
     /// The human-readable name of the rule. Not required to turn off the rule, and its value doesn't matter. It's just
-    /// useful for the readability of the method call.
+    /// useful for the readability of the method call. If <paramref name="isFalsePositive"/> is <see langword="true"/>,
+    /// write the justification here as well.
     /// </param>
     /// <param name="isFalsePositive">
     /// If you disable the rule because it's a false positive, then set this to <see langword="true"/>. This helps the

From 33810db528bd75736405e118edb1811ddccc7173 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A1ra=20El-Saig?= <david.el-saig@lombiq.com>
Date: Thu, 28 Dec 2023 23:17:22 +0100
Subject: [PATCH 18/87] Explain why disabling "Strict-Transport-Security
 Header" is necessary.

---
 .../SecurityScanning/AutomationFrameworkPlans/Baseline.yml   | 5 +++++
 .../SecurityScanning/AutomationFrameworkPlans/FullScan.yml   | 5 +++++
 .../SecurityScanning/AutomationFrameworkPlans/GraphQL.yml    | 5 +++++
 .../SecurityScanning/AutomationFrameworkPlans/OpenAPI.yml    | 5 +++++
 4 files changed, 20 insertions(+)

diff --git a/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/Baseline.yml b/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/Baseline.yml
index a17a2d0aa..81fe3acd6 100644
--- a/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/Baseline.yml
+++ b/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/Baseline.yml
@@ -42,6 +42,11 @@ jobs:
     enableTags: false
     disableAllRules: false
   rules:
+  # This needs to be disabled during UI testing, because a local app needn't use HSTS. It's also something commonly
+  # configured outside the app, like in Cloudflare.
+  - id: 10035
+    name: "Strict-Transport-Security Header"
+    threshold: "off"
   # Some stock Orchard Core shapes and pages (including the setup page) contain inline script blocks, so this directive
   # must be permitted for OC to work at all.
   - id: 10055
diff --git a/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/FullScan.yml b/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/FullScan.yml
index 05bedaadf..da30e5784 100644
--- a/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/FullScan.yml
+++ b/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/FullScan.yml
@@ -42,6 +42,11 @@ jobs:
     enableTags: false
     disableAllRules: false
   rules:
+  # This needs to be disabled during UI testing, because a local app needn't use HSTS. It's also something commonly
+  # configured outside the app, like in Cloudflare.
+  - id: 10035
+    name: "Strict-Transport-Security Header"
+    threshold: "off"
   # Some stock Orchard Core shapes and pages (including the setup page) contain inline script blocks, so this directive
   # must be permitted for OC to work at all.
   - id: 10055
diff --git a/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/GraphQL.yml b/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/GraphQL.yml
index c256d68bc..97f98cb47 100644
--- a/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/GraphQL.yml
+++ b/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/GraphQL.yml
@@ -42,6 +42,11 @@ jobs:
     enableTags: false
     disableAllRules: false
   rules:
+  # This needs to be disabled during UI testing, because a local app needn't use HSTS. It's also something commonly
+  # configured outside the app, like in Cloudflare.
+  - id: 10035
+    name: "Strict-Transport-Security Header"
+    threshold: "off"
   # Some stock Orchard Core shapes and pages (including the setup page) contain inline script blocks, so this directive
   # must be permitted for OC to work at all.
   - id: 10055
diff --git a/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/OpenAPI.yml b/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/OpenAPI.yml
index 6a5441fd4..d24a580d7 100644
--- a/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/OpenAPI.yml
+++ b/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/OpenAPI.yml
@@ -42,6 +42,11 @@ jobs:
     enableTags: false
     disableAllRules: false
   rules:
+  # This needs to be disabled during UI testing, because a local app needn't use HSTS. It's also something commonly
+  # configured outside the app, like in Cloudflare.
+  - id: 10035
+    name: "Strict-Transport-Security Header"
+    threshold: "off"
   # Some stock Orchard Core shapes and pages (including the setup page) contain inline script blocks, so this directive
   # must be permitted for OC to work at all.
   - id: 10055

From a1e8dad62aacf882743eaa5f8fd7d03f19be9e85 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A1ra=20El-Saig?= <david.el-saig@lombiq.com>
Date: Thu, 28 Dec 2023 23:56:18 +0100
Subject: [PATCH 19/87] Remove forced error generation because we are going to
 enable OrchardCore.Diagnostics by default anyway.

---
 .../SecurityScanningUITestContextExtensions.cs       | 12 +-----------
 1 file changed, 1 insertion(+), 11 deletions(-)

diff --git a/Lombiq.Tests.UI/SecurityScanning/SecurityScanningUITestContextExtensions.cs b/Lombiq.Tests.UI/SecurityScanning/SecurityScanningUITestContextExtensions.cs
index c5b40d868..ba505a8dc 100644
--- a/Lombiq.Tests.UI/SecurityScanning/SecurityScanningUITestContextExtensions.cs
+++ b/Lombiq.Tests.UI/SecurityScanning/SecurityScanningUITestContextExtensions.cs
@@ -1,8 +1,6 @@
-using Lombiq.HelpfulLibraries.OrchardCore.Mvc;
 using Lombiq.Tests.UI.Exceptions;
 using Lombiq.Tests.UI.Extensions;
 using Lombiq.Tests.UI.Services;
-using Lombiq.Tests.UI.Shortcuts.Controllers;
 using Microsoft.CodeAnalysis.Sarif;
 using System;
 using System.Threading.Tasks;
@@ -27,15 +25,7 @@ public static Task RunAndAssertBaselineSecurityScanAsync(
         Action<SarifLog> assertSecurityScanResult = null) =>
         context.RunAndAssertSecurityScanAsync(
             AutomationFrameworkPlanPaths.BaselinePlanPath,
-            configuration =>
-            {
-                // Make sure to visit at least one page that throws an exception. This is to ensure that error handling
-                // is tested for security as well.
-                var errorPageRelativeUrl = context.GetRelativeUrlOfAction<ErrorController>(error => error.Index());
-                configuration.ModifyZapPlan(plan => plan.AddUrl(context.GetAbsoluteUri(errorPageRelativeUrl)));
-
-                configure?.Invoke(configuration);
-            },
+            configure,
             assertSecurityScanResult);
 
     /// <summary>

From e0c6d65925a8d77e7a60f51067bb085fa2c64c7b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A1ra=20El-Saig?= <david.el-saig@lombiq.com>
Date: Fri, 29 Dec 2023 00:48:24 +0100
Subject: [PATCH 20/87] Tweak app log error handling during sercurity scan..

---
 .../SecurityScanningUITestContextExtensions.cs             | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/Lombiq.Tests.UI/SecurityScanning/SecurityScanningUITestContextExtensions.cs b/Lombiq.Tests.UI/SecurityScanning/SecurityScanningUITestContextExtensions.cs
index ba505a8dc..85b8b59b8 100644
--- a/Lombiq.Tests.UI/SecurityScanning/SecurityScanningUITestContextExtensions.cs
+++ b/Lombiq.Tests.UI/SecurityScanning/SecurityScanningUITestContextExtensions.cs
@@ -108,6 +108,8 @@ public static async Task RunAndAssertSecurityScanAsync(
         Action<SarifLog> assertSecurityScanResult = null)
     {
         // Verify that the app logs are fine right now, then disable app log assertion for the duration of this scan.
+        // This way we see if security holes open when something goes wrong. It would be a problem if the site was only
+        // safe when everything worked well.
         await context.Configuration.AssertAppLogsAsync(context.Application);
         var assertAppLogsAsync = context.Configuration.AssertAppLogsAsync;
         context.Configuration.AssertAppLogsAsync = _ => Task.CompletedTask;
@@ -130,9 +132,10 @@ public static async Task RunAndAssertSecurityScanAsync(
             throw new SecurityScanningAssertionException(ex);
         }
 
-        // Clear app logs before app log assertion is restored.
-        context.ClearLogs();
+        // Now that the security scan has concluded, we can turn back app log assertion and verify if any errors have
+        // been accumulated during the security scan.
         context.Configuration.AssertAppLogsAsync = assertAppLogsAsync;
+        await context.Configuration.AssertAppLogsAsync(context.Application);
     }
 
     /// <summary>

From 6fa5d43849c1b8bef9489437b611ad55e352ab87 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A1ra=20El-Saig?= <david.el-saig@lombiq.com>
Date: Fri, 29 Dec 2023 02:51:03 +0100
Subject: [PATCH 21/87] Disable 10062.

---
 .../SecurityScanning/AutomationFrameworkPlans/Baseline.yml    | 4 ++++
 .../SecurityScanning/AutomationFrameworkPlans/FullScan.yml    | 4 ++++
 .../SecurityScanning/AutomationFrameworkPlans/GraphQL.yml     | 4 ++++
 .../SecurityScanning/AutomationFrameworkPlans/OpenAPI.yml     | 4 ++++
 4 files changed, 16 insertions(+)

diff --git a/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/Baseline.yml b/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/Baseline.yml
index 81fe3acd6..39cd44476 100644
--- a/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/Baseline.yml
+++ b/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/Baseline.yml
@@ -56,6 +56,10 @@ jobs:
   - id: 10037
     name: "Server Leaks Information via 'X-Powered-By' HTTP Response Header Field(s)"
     threshold: "off"
+  # This rule generates false positives on UUIDs or random numeric sequences.
+  - id: 10062
+    name: "The response contains Personally Identifiable Information, such as CC number, SSN and similar sensitive data."
+    threshold: "off"
   name: "passiveScan-config"
   type: "passiveScan-config"
 - parameters: {}
diff --git a/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/FullScan.yml b/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/FullScan.yml
index da30e5784..525084fa1 100644
--- a/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/FullScan.yml
+++ b/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/FullScan.yml
@@ -56,6 +56,10 @@ jobs:
   - id: 10037
     name: "Server Leaks Information via 'X-Powered-By' HTTP Response Header Field(s)"
     threshold: "off"
+  # This rule generates false positives on UUIDs or random numeric sequences.
+  - id: 10062
+    name: "The response contains Personally Identifiable Information, such as CC number, SSN and similar sensitive data."
+    threshold: "off"
   name: "passiveScan-config"
   type: "passiveScan-config"
 - parameters: {}
diff --git a/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/GraphQL.yml b/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/GraphQL.yml
index 97f98cb47..a37b1261e 100644
--- a/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/GraphQL.yml
+++ b/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/GraphQL.yml
@@ -56,6 +56,10 @@ jobs:
   - id: 10037
     name: "Server Leaks Information via 'X-Powered-By' HTTP Response Header Field(s)"
     threshold: "off"
+  # This rule generates false positives on UUIDs or random numeric sequences.
+  - id: 10062
+    name: "The response contains Personally Identifiable Information, such as CC number, SSN and similar sensitive data."
+    threshold: "off"
   name: "passiveScan-config"
   type: "passiveScan-config"
 - parameters:
diff --git a/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/OpenAPI.yml b/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/OpenAPI.yml
index d24a580d7..5a783abda 100644
--- a/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/OpenAPI.yml
+++ b/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/OpenAPI.yml
@@ -56,6 +56,10 @@ jobs:
   - id: 10037
     name: "Server Leaks Information via 'X-Powered-By' HTTP Response Header Field(s)"
     threshold: "off"
+  # This rule generates false positives on UUIDs or random numeric sequences.
+  - id: 10062
+    name: "The response contains Personally Identifiable Information, such as CC number, SSN and similar sensitive data."
+    threshold: "off"
   name: "passiveScan-config"
   type: "passiveScan-config"
 - parameters: {}

From 5e3ed10a5ef530364e39664af33bc797e98d0566 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A1ra=20El-Saig?= <sara.el-saig@lombiq.com>
Date: Fri, 29 Dec 2023 04:51:19 +0100
Subject: [PATCH 22/87] Typo.

---
 Lombiq.Tests.UI/SecurityScanning/SecurityScanConfiguration.cs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Lombiq.Tests.UI/SecurityScanning/SecurityScanConfiguration.cs b/Lombiq.Tests.UI/SecurityScanning/SecurityScanConfiguration.cs
index 113654396..963e82c59 100644
--- a/Lombiq.Tests.UI/SecurityScanning/SecurityScanConfiguration.cs
+++ b/Lombiq.Tests.UI/SecurityScanning/SecurityScanConfiguration.cs
@@ -166,7 +166,7 @@ public SecurityScanConfiguration DisableScanRuleForUrlWithRegex(string urlRegex,
     }
 
     /// <summary>
-    /// Marks a rule (can be any rule, including e.g. both active or passive scan rules) as false positivefor just URLs
+    /// Marks a rule (can be any rule, including e.g. both active or passive scan rules) as false positive for just URLs
     /// matching the given regular expression pattern.
     /// </summary>
     /// <param name="urlRegex">

From d1fd50d5af059cd079adb6bb1b3d3eb78a6af393 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A1ra=20El-Saig?= <sara.el-saig@lombiq.com>
Date: Fri, 29 Dec 2023 21:30:00 +0100
Subject: [PATCH 23/87] Update coment regarding unsafe-inline.

---
 .../SecurityScanning/AutomationFrameworkPlans/Baseline.yml    | 4 ++--
 .../SecurityScanning/AutomationFrameworkPlans/FullScan.yml    | 4 ++--
 .../SecurityScanning/AutomationFrameworkPlans/GraphQL.yml     | 4 ++--
 .../SecurityScanning/AutomationFrameworkPlans/OpenAPI.yml     | 4 ++--
 4 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/Baseline.yml b/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/Baseline.yml
index 39cd44476..ac5cbe6ed 100644
--- a/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/Baseline.yml
+++ b/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/Baseline.yml
@@ -47,8 +47,8 @@ jobs:
   - id: 10035
     name: "Strict-Transport-Security Header"
     threshold: "off"
-  # Some stock Orchard Core shapes and pages (including the setup page) contain inline script blocks, so this directive
-  # must be permitted for OC to work at all.
+  # This is required for <script> blocks which OC uses extensively. The rule may be removed when OC starts to provide
+  # cryptographic nonce for these script blocks (see https://github.com/OrchardCMS/OrchardCore/issues/13389).
   - id: 10055
     name: "script-src includes unsafe-inline"
     threshold: "off"
diff --git a/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/FullScan.yml b/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/FullScan.yml
index 525084fa1..bc17f2de6 100644
--- a/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/FullScan.yml
+++ b/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/FullScan.yml
@@ -47,8 +47,8 @@ jobs:
   - id: 10035
     name: "Strict-Transport-Security Header"
     threshold: "off"
-  # Some stock Orchard Core shapes and pages (including the setup page) contain inline script blocks, so this directive
-  # must be permitted for OC to work at all.
+  # This is required for <script> blocks which OC uses extensively. The rule may be removed when OC starts to provide
+  # cryptographic nonce for these script blocks (see https://github.com/OrchardCMS/OrchardCore/issues/13389).
   - id: 10055
     name: "script-src includes unsafe-inline"
     threshold: "off"
diff --git a/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/GraphQL.yml b/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/GraphQL.yml
index a37b1261e..bfd0a36bc 100644
--- a/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/GraphQL.yml
+++ b/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/GraphQL.yml
@@ -47,8 +47,8 @@ jobs:
   - id: 10035
     name: "Strict-Transport-Security Header"
     threshold: "off"
-  # Some stock Orchard Core shapes and pages (including the setup page) contain inline script blocks, so this directive
-  # must be permitted for OC to work at all.
+  # This is required for <script> blocks which OC uses extensively. The rule may be removed when OC starts to provide
+  # cryptographic nonce for these script blocks (see https://github.com/OrchardCMS/OrchardCore/issues/13389).
   - id: 10055
     name: "script-src includes unsafe-inline"
     threshold: "off"
diff --git a/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/OpenAPI.yml b/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/OpenAPI.yml
index 5a783abda..88f3658ba 100644
--- a/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/OpenAPI.yml
+++ b/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/OpenAPI.yml
@@ -47,8 +47,8 @@ jobs:
   - id: 10035
     name: "Strict-Transport-Security Header"
     threshold: "off"
-  # Some stock Orchard Core shapes and pages (including the setup page) contain inline script blocks, so this directive
-  # must be permitted for OC to work at all.
+  # This is required for <script> blocks which OC uses extensively. The rule may be removed when OC starts to provide
+  # cryptographic nonce for these script blocks (see https://github.com/OrchardCMS/OrchardCore/issues/13389).
   - id: 10055
     name: "script-src includes unsafe-inline"
     threshold: "off"

From af0a663b6f40b7fd68ecdb7194159104d08c6da4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A1ra=20El-Saig?= <sara.el-saig@lombiq.com>
Date: Fri, 5 Jan 2024 21:43:01 +0100
Subject: [PATCH 24/87] Change "The response contains Personally Identifiable
 Information" to "high" threshold instead of "off".

---
 .../SecurityScanning/AutomationFrameworkPlans/Baseline.yml      | 2 +-
 .../SecurityScanning/AutomationFrameworkPlans/FullScan.yml      | 2 +-
 .../SecurityScanning/AutomationFrameworkPlans/GraphQL.yml       | 2 +-
 .../SecurityScanning/AutomationFrameworkPlans/OpenAPI.yml       | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/Baseline.yml b/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/Baseline.yml
index ac5cbe6ed..c17ea12cf 100644
--- a/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/Baseline.yml
+++ b/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/Baseline.yml
@@ -59,7 +59,7 @@ jobs:
   # This rule generates false positives on UUIDs or random numeric sequences.
   - id: 10062
     name: "The response contains Personally Identifiable Information, such as CC number, SSN and similar sensitive data."
-    threshold: "off"
+    threshold: "high"
   name: "passiveScan-config"
   type: "passiveScan-config"
 - parameters: {}
diff --git a/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/FullScan.yml b/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/FullScan.yml
index bc17f2de6..329731f28 100644
--- a/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/FullScan.yml
+++ b/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/FullScan.yml
@@ -59,7 +59,7 @@ jobs:
   # This rule generates false positives on UUIDs or random numeric sequences.
   - id: 10062
     name: "The response contains Personally Identifiable Information, such as CC number, SSN and similar sensitive data."
-    threshold: "off"
+    threshold: "high"
   name: "passiveScan-config"
   type: "passiveScan-config"
 - parameters: {}
diff --git a/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/GraphQL.yml b/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/GraphQL.yml
index bfd0a36bc..a901687b5 100644
--- a/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/GraphQL.yml
+++ b/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/GraphQL.yml
@@ -59,7 +59,7 @@ jobs:
   # This rule generates false positives on UUIDs or random numeric sequences.
   - id: 10062
     name: "The response contains Personally Identifiable Information, such as CC number, SSN and similar sensitive data."
-    threshold: "off"
+    threshold: "high"
   name: "passiveScan-config"
   type: "passiveScan-config"
 - parameters:
diff --git a/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/OpenAPI.yml b/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/OpenAPI.yml
index 88f3658ba..7e99ab0d0 100644
--- a/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/OpenAPI.yml
+++ b/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/OpenAPI.yml
@@ -59,7 +59,7 @@ jobs:
   # This rule generates false positives on UUIDs or random numeric sequences.
   - id: 10062
     name: "The response contains Personally Identifiable Information, such as CC number, SSN and similar sensitive data."
-    threshold: "off"
+    threshold: "high"
   name: "passiveScan-config"
   type: "passiveScan-config"
 - parameters: {}

From e5811651cd56d3698aaa15bbf42e5714b42e275b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A1ra=20El-Saig?= <sara.el-saig@lombiq.com>
Date: Sat, 6 Jan 2024 21:28:13 +0100
Subject: [PATCH 25/87] Update the CustomZapAutomationFrameworkPlan.

---
 .../CustomZapAutomationFrameworkPlan.yml      | 20 +++++--------------
 1 file changed, 5 insertions(+), 15 deletions(-)

diff --git a/Lombiq.Tests.UI.Samples/Tests/CustomZapAutomationFrameworkPlan.yml b/Lombiq.Tests.UI.Samples/Tests/CustomZapAutomationFrameworkPlan.yml
index ba2162096..d76b13c02 100644
--- a/Lombiq.Tests.UI.Samples/Tests/CustomZapAutomationFrameworkPlan.yml
+++ b/Lombiq.Tests.UI.Samples/Tests/CustomZapAutomationFrameworkPlan.yml
@@ -42,21 +42,11 @@ jobs:
     enableTags: false
     disableAllRules: false
   rules:
-  - id: 10035
-    name: "Strict-Transport-Security Header"
-    threshold: "off"
-  - id: 10038
-    name: "Content Security Policy (CSP) Header Not Set"
-    threshold: "off"
-  - id: 10020
-    name: "Anti-clickjacking Header"
-    threshold: "off"
-  - id: 10037
-    name: "Server Leaks Information via \"X-Powered-By\" HTTP Response Header Field(s)"
-    threshold: "off"
-  - id: 10021
-    name: "X-Content-Type-Options Header Missing"
-    threshold: "off"
+    # This is required for <script> blocks which OC uses extensively. The rule may be removed when OC starts to provide
+    # cryptographic nonce for these script blocks (see https://github.com/OrchardCMS/OrchardCore/issues/13389).
+    - id: 10055
+      name: "script-src includes unsafe-inline"
+      threshold: "off"
   name: "passiveScan-config"
   type: "passiveScan-config"
 - parameters: {}

From faa917b8e3af04beaf3b03d97bd2787d75f64a73 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A1ra=20El-Saig?= <sara.el-saig@lombiq.com>
Date: Sun, 7 Jan 2024 02:14:11 +0100
Subject: [PATCH 26/87] Add DoWithoutAppLogAssertionAsync

---
 .../BrowserUITestContextExtensions.cs         | 31 +++++++++++++++++++
 1 file changed, 31 insertions(+)

diff --git a/Lombiq.Tests.UI/Extensions/BrowserUITestContextExtensions.cs b/Lombiq.Tests.UI/Extensions/BrowserUITestContextExtensions.cs
index 6e4695686..ce302b795 100644
--- a/Lombiq.Tests.UI/Extensions/BrowserUITestContextExtensions.cs
+++ b/Lombiq.Tests.UI/Extensions/BrowserUITestContextExtensions.cs
@@ -62,4 +62,35 @@ public static async Task<T> FetchWithBrowserContextAsync<T>(
 
         return await processResponseAsync(response);
     }
+
+    /// <summary>
+    /// Performs a <paramref name="task"/> with app log assertion temporarily disabled. But first <see
+    /// cref="OrchardCoreUITestExecutorConfiguration.AssertAppLogsAsync"/> is used to ensure no unrelated errors are
+    /// masked by this activity. Afterwards it's used again to verify the results, and if it fails then the logs are
+    /// cleared out.
+    /// </summary>
+    /// <returns>A task indicating whether there were anything in the app logs that would've failed the assertion.</returns>
+    public static async Task<bool> DoWithoutAppLogAssertionAsync(this UITestContext context, Func<Task> task)
+    {
+        // Verify that the app logs are fine right now, then suppress logs for the duration of the task.
+        await context.Configuration.AssertAppLogsAsync(context.Application);
+        var assertAppLogsAsync = context.Configuration.AssertAppLogsAsync;
+        context.Configuration.AssertAppLogsAsync = _ => Task.CompletedTask;
+
+        await task();
+
+        // Restore the app log assertion and determine if it would've failed. Clear the logs if failure occurred.
+        context.Configuration.AssertAppLogsAsync = assertAppLogsAsync;
+        try
+        {
+            await context.Configuration.AssertAppLogsAsync(context.Application);
+        }
+        catch
+        {
+            context.ClearLogs();
+            return true;
+        }
+
+        return false;
+    }
 }

From 212b761e93977ad70ae54be951a6388914c7e98d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A1ra=20El-Saig?= <sara.el-saig@lombiq.com>
Date: Sun, 7 Jan 2024 02:14:26 +0100
Subject: [PATCH 27/87] Test a known error page.

---
 ...SecurityScanningUITestContextExtensions.cs | 86 +++++++++++++------
 1 file changed, 58 insertions(+), 28 deletions(-)

diff --git a/Lombiq.Tests.UI/SecurityScanning/SecurityScanningUITestContextExtensions.cs b/Lombiq.Tests.UI/SecurityScanning/SecurityScanningUITestContextExtensions.cs
index 85b8b59b8..b4153e9e3 100644
--- a/Lombiq.Tests.UI/SecurityScanning/SecurityScanningUITestContextExtensions.cs
+++ b/Lombiq.Tests.UI/SecurityScanning/SecurityScanningUITestContextExtensions.cs
@@ -1,9 +1,13 @@
+using Lombiq.HelpfulLibraries.OrchardCore.Mvc;
 using Lombiq.Tests.UI.Exceptions;
 using Lombiq.Tests.UI.Extensions;
 using Lombiq.Tests.UI.Services;
+using Lombiq.Tests.UI.Shortcuts.Controllers;
 using Microsoft.CodeAnalysis.Sarif;
 using System;
+using System.Net;
 using System.Threading.Tasks;
+using YamlDotNet.RepresentationModel;
 
 namespace Lombiq.Tests.UI.SecurityScanning;
 
@@ -107,35 +111,56 @@ public static async Task RunAndAssertSecurityScanAsync(
         Action<SecurityScanConfiguration> configure = null,
         Action<SarifLog> assertSecurityScanResult = null)
     {
-        // Verify that the app logs are fine right now, then disable app log assertion for the duration of this scan.
-        // This way we see if security holes open when something goes wrong. It would be a problem if the site was only
-        // safe when everything worked well.
-        await context.Configuration.AssertAppLogsAsync(context.Application);
-        var assertAppLogsAsync = context.Configuration.AssertAppLogsAsync;
-        context.Configuration.AssertAppLogsAsync = _ => Task.CompletedTask;
-
-        var configuration = context.Configuration.SecurityScanningConfiguration;
-
-        SecurityScanResult result = null;
-        try
-        {
-            result = await context.RunSecurityScanAsync(automationFrameworkYamlPath, configure);
-
-            if (assertSecurityScanResult != null) assertSecurityScanResult(result.SarifLog);
-            else configuration?.AssertSecurityScanResult(context, result.SarifLog);
-
-            if (configuration.CreateReportAlways) context.AppendDirectoryToFailureDump(result.ReportsDirectoryPath);
-        }
-        catch (Exception ex)
+        var configuration = context.Configuration.SecurityScanningConfiguration ?? new SecurityScanningConfiguration();
+        async Task RunAndAssertSecurityScanInnerAsync(Uri startUri, Action<SecurityScanConfiguration> configure)
         {
-            if (result != null) context.AppendDirectoryToFailureDump(result.ReportsDirectoryPath);
-            throw new SecurityScanningAssertionException(ex);
+            SecurityScanResult result = null;
+            try
+            {
+                result = await context.RunSecurityScanAsync(automationFrameworkYamlPath, configure, startUri);
+
+                if (assertSecurityScanResult != null) assertSecurityScanResult(result.SarifLog);
+                else configuration.AssertSecurityScanResult(context, result.SarifLog);
+
+                if (configuration.CreateReportAlways)
+                {
+                    context.AppendDirectoryToFailureDump(result.ReportsDirectoryPath);
+                }
+            }
+            catch (Exception ex)
+            {
+                if (result != null) context.AppendDirectoryToFailureDump(result.ReportsDirectoryPath);
+                throw new SecurityScanningAssertionException(ex);
+            }
         }
 
-        // Now that the security scan has concluded, we can turn back app log assertion and verify if any errors have
-        // been accumulated during the security scan.
-        context.Configuration.AssertAppLogsAsync = assertAppLogsAsync;
-        await context.Configuration.AssertAppLogsAsync(context.Application);
+        await RunAndAssertSecurityScanInnerAsync(startUri: null, configure);
+
+        // Verify that error page handling also works by visiting a known error page with no logging.
+        var errorUrl = context.GetAbsoluteUri(context.GetRelativeUrlOfAction<ErrorController>(controller => controller.Index()));
+        await context.DoWithoutAppLogAssertionAsync(() => RunAndAssertSecurityScanInnerAsync(
+            startUri: errorUrl,
+            scanConfiguration =>
+            {
+                configure?.Invoke(scanConfiguration);
+
+                // Configure this scan to only visit the target page.
+                scanConfiguration.ModifyZapPlan(plan =>
+                {
+                    if (plan.GetSpiderJob() is { } spiderJob)
+                    {
+                        var parameters = spiderJob.GetOrAddNode<YamlMappingNode>("parameters");
+                        parameters.Add("maxDepth", "1");
+                        parameters.Add("maxChildren", "0");
+                    }
+
+                    if (plan.GetJobByType("activeScan") is { } activeScanJob)
+                    {
+                        var parameters = activeScanJob.GetOrAddNode<YamlMappingNode>("parameters");
+                        parameters.Add("recurse", "false");
+                    }
+                });
+            }));
     }
 
     /// <summary>
@@ -146,6 +171,10 @@ public static async Task RunAndAssertSecurityScanAsync(
     /// <see href="https://www.zaproxy.org/docs/automate/automation-framework/"/> for details.
     /// </param>
     /// <param name="configure">A delegate to configure the security scan in detail.</param>
+    /// <param name="startUri">
+    /// The address where the scan should start. If <see langword="null"/> is used then the current browser location
+    /// will be used via <see cref="NavigationUITestContextExtensions.GetCurrentUri"/>.
+    /// </param>
     /// <returns>
     /// A <see cref="SecurityScanResult"/> instance containing the SARIF (<see
     /// href="https://sarifweb.azurewebsites.net/"/>) report of the scan.
@@ -153,11 +182,12 @@ public static async Task RunAndAssertSecurityScanAsync(
     public static Task<SecurityScanResult> RunSecurityScanAsync(
         this UITestContext context,
         string automationFrameworkYamlPath,
-        Action<SecurityScanConfiguration> configure = null)
+        Action<SecurityScanConfiguration> configure = null,
+        Uri startUri = null)
     {
         var configuration = new SecurityScanConfiguration();
 
-        configuration.StartAtUri(context.GetCurrentUri());
+        configuration.StartAtUri(startUri ?? context.GetCurrentUri());
 
         // By default ignore /vendor/ or /vendors/ URLs. This is case-insensitive. We have no control over them, and
         // they may contain several false positives (e.g. in font-awesome)..

From d939ed00ab8cd5d75943e54dc01cf06a2951efa5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A1ra=20El-Saig?= <sara.el-saig@lombiq.com>
Date: Sun, 7 Jan 2024 03:29:22 +0100
Subject: [PATCH 28/87] Simplify job configuration using new extension methods.

---
 ...SecurityScanningUITestContextExtensions.cs | 15 ++------
 .../YamlDocumentExtensions.cs                 | 37 +++++++++++++++++++
 2 files changed, 40 insertions(+), 12 deletions(-)

diff --git a/Lombiq.Tests.UI/SecurityScanning/SecurityScanningUITestContextExtensions.cs b/Lombiq.Tests.UI/SecurityScanning/SecurityScanningUITestContextExtensions.cs
index b4153e9e3..80bd5d364 100644
--- a/Lombiq.Tests.UI/SecurityScanning/SecurityScanningUITestContextExtensions.cs
+++ b/Lombiq.Tests.UI/SecurityScanning/SecurityScanningUITestContextExtensions.cs
@@ -147,18 +147,9 @@ await context.DoWithoutAppLogAssertionAsync(() => RunAndAssertSecurityScanInnerA
                 // Configure this scan to only visit the target page.
                 scanConfiguration.ModifyZapPlan(plan =>
                 {
-                    if (plan.GetSpiderJob() is { } spiderJob)
-                    {
-                        var parameters = spiderJob.GetOrAddNode<YamlMappingNode>("parameters");
-                        parameters.Add("maxDepth", "1");
-                        parameters.Add("maxChildren", "0");
-                    }
-
-                    if (plan.GetJobByType("activeScan") is { } activeScanJob)
-                    {
-                        var parameters = activeScanJob.GetOrAddNode<YamlMappingNode>("parameters");
-                        parameters.Add("recurse", "false");
-                    }
+                    plan.SetSpiderParameter("maxDepth", 1.ToTechnicalString());
+                    plan.SetSpiderParameter("maxChildren", 2.ToTechnicalString());
+                    plan.SetActiveScanParameter("recurse", "false");
                 });
             }));
     }
diff --git a/Lombiq.Tests.UI/SecurityScanning/YamlDocumentExtensions.cs b/Lombiq.Tests.UI/SecurityScanning/YamlDocumentExtensions.cs
index a30e0a71d..e94f90069 100644
--- a/Lombiq.Tests.UI/SecurityScanning/YamlDocumentExtensions.cs
+++ b/Lombiq.Tests.UI/SecurityScanning/YamlDocumentExtensions.cs
@@ -306,6 +306,20 @@ public static T GetOrAddNode<T>(this YamlNode yamlNode, string key)
         return (T)yamlNode[key];
     }
 
+    /// <summary>
+    /// Adds the specified mapping to the <see cref="YamlMappingNode.Children" /> collection. If the given <paramref
+    /// name="key"/> already exists, it's removed first.
+    /// </summary>
+    public static void SetMappingChild(this YamlMappingNode node, YamlNode key, YamlNode value)
+    {
+        if (node.Children.ContainsKey(key))
+        {
+            node.Children.Remove(key);
+        }
+
+        node.Add(key, value);
+    }
+
     /// <summary>
     /// Gets the "jobs" section of the ZAP Automation Framework plan.
     /// </summary>
@@ -317,6 +331,29 @@ public static YamlSequenceNode GetJobs(this YamlDocument yamlDocument) =>
     /// </summary>
     public static YamlNode GetSpiderJob(this YamlDocument yamlDocument) => yamlDocument.GetJobByName("spider");
 
+    /// <summary>
+    /// Gets the job from the "jobs" section of the ZAP Automation Framework with the name "activeScan".
+    /// </summary>
+    public static YamlNode GetActiveScanJob(this YamlDocument yamlDocument) => yamlDocument.GetJobByName("activeScan");
+
+    /// <summary>
+    /// Gets or creates the "parameters" node under the specified <paramref name="jobNode"/>.
+    /// </summary>
+    public static YamlMappingNode GetOrCreateParameters(this YamlNode jobNode) =>
+        jobNode.GetOrAddNode<YamlMappingNode>("parameters");
+
+    /// <summary>
+    /// Updates the provided configuration parameters for the "spider" job it it exists.
+    /// </summary>
+    public static void SetSpiderParameter(this YamlDocument yamlDocument, YamlNode parameter, YamlNode value) =>
+        yamlDocument.GetSpiderJob()?.GetOrCreateParameters().SetMappingChild(parameter, value);
+
+    /// <summary>
+    /// Updates the provided configuration parameters for the "activeScan" job it it exists.
+    /// </summary>
+    public static void SetActiveScanParameter(this YamlDocument yamlDocument, YamlNode parameter, YamlNode value) =>
+        yamlDocument.GetActiveScanJob()?.GetOrCreateParameters().SetMappingChild(parameter, value);
+
     /// <summary>
     /// Gets a job from the "jobs" section of the ZAP Automation Framework plan by its name.
     /// </summary>

From 765328685035a0c242b0085e403448d7daf2c4e7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A1ra=20El-Saig?= <sara.el-saig@lombiq.com>
Date: Sun, 7 Jan 2024 04:13:30 +0100
Subject: [PATCH 29/87] Limit the execution duration of activeScan.

---
 .../SecurityScanning/YamlDocumentExtensions.cs     | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/Lombiq.Tests.UI/SecurityScanning/YamlDocumentExtensions.cs b/Lombiq.Tests.UI/SecurityScanning/YamlDocumentExtensions.cs
index e94f90069..85c77eb41 100644
--- a/Lombiq.Tests.UI/SecurityScanning/YamlDocumentExtensions.cs
+++ b/Lombiq.Tests.UI/SecurityScanning/YamlDocumentExtensions.cs
@@ -354,6 +354,20 @@ public static void SetSpiderParameter(this YamlDocument yamlDocument, YamlNode p
     public static void SetActiveScanParameter(this YamlDocument yamlDocument, YamlNode parameter, YamlNode value) =>
         yamlDocument.GetActiveScanJob()?.GetOrCreateParameters().SetMappingChild(parameter, value);
 
+    /// <summary>
+    /// Sets time limits on the "activeScan" job. Both are in minutes. If set to 0 it means unlimited.
+    /// </summary>
+    /// <param name="maxScanDurationInMinutes">Time limit for the active scan altogether.</param>
+    /// <param name="maxRuleDurationInMinutes">Time limit for the individual rule scans in minutes.</param>
+    public static void SetActiveScanMaxDuration(
+        this YamlDocument yamlDocument,
+        int maxScanDurationInMinutes,
+        int maxRuleDurationInMinutes = 0)
+    {
+        yamlDocument.SetActiveScanParameter("maxScanDurationInMins", maxScanDurationInMinutes.ToTechnicalString());
+        yamlDocument.SetActiveScanParameter("maxRuleDurationInMins", maxRuleDurationInMinutes.ToTechnicalString());
+    }
+
     /// <summary>
     /// Gets a job from the "jobs" section of the ZAP Automation Framework plan by its name.
     /// </summary>

From 2149e2fbf5ab260baf4b4c74c1fa069182e51539 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A1ra=20El-Saig?= <sara.el-saig@lombiq.com>
Date: Sun, 7 Jan 2024 04:13:59 +0100
Subject: [PATCH 30/87] Permit some error lines in app logs.

---
 .../WebApplicationInstanceExtensions.cs       | 22 ++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)

diff --git a/Lombiq.Tests.UI/Extensions/WebApplicationInstanceExtensions.cs b/Lombiq.Tests.UI/Extensions/WebApplicationInstanceExtensions.cs
index 0815a9f19..06413a38e 100644
--- a/Lombiq.Tests.UI/Extensions/WebApplicationInstanceExtensions.cs
+++ b/Lombiq.Tests.UI/Extensions/WebApplicationInstanceExtensions.cs
@@ -1,6 +1,8 @@
 using Lombiq.Tests.UI.Services;
 using Shouldly;
 using System;
+using System.Collections.Generic;
+using System.Linq;
 using System.Threading;
 using System.Threading.Tasks;
 
@@ -12,19 +14,37 @@ public static class WebApplicationInstanceExtensions
     /// Asserting that the logs should be empty. When they aren't the Shouldly exception will contain the logs'
     /// contents.
     /// </summary>
+    /// <param name="permittedStringFragmentsInErrorLines">
+    /// If not <see langword="null"/> or empty, each line is split and any lines containing <c>|ERROR|</c> will be
+    /// ignored if they don't contain any string from this collection (case-insensitive).
+    /// </param>
     public static async Task LogsShouldBeEmptyAsync(
         this IWebApplicationInstance webApplicationInstance,
         bool canContainWarnings = false,
+        ICollection<string> permittedStringFragmentsInErrorLines = null,
         CancellationToken cancellationToken = default)
     {
         if (cancellationToken == default) cancellationToken = CancellationToken.None;
+        permittedStringFragmentsInErrorLines ??= Array.Empty<string>();
 
         var logOutput = await webApplicationInstance.GetLogOutputAsync(cancellationToken);
 
         if (canContainWarnings)
         {
-            logOutput.ShouldNotContain("|ERROR|");
             logOutput.ShouldNotContain("|FATAL|");
+
+            if (permittedStringFragmentsInErrorLines.Any())
+            {
+                logOutput
+                    .SplitByNewLines()
+                    .Where(line => line.Contains("|ERROR|"))
+                    .Where(line => !permittedStringFragmentsInErrorLines.Any(line.ContainsOrdinalIgnoreCase))
+                    .ShouldBeEmpty();
+            }
+            else
+            {
+                logOutput.ShouldNotContain("|ERROR|");
+            }
         }
         else
         {

From 9026b83696b13ee83ff0f1b15c86ec2bde111c04 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A1ra=20El-Saig?= <sara.el-saig@lombiq.com>
Date: Sun, 7 Jan 2024 04:25:22 +0100
Subject: [PATCH 31/87] Add AssertAppLogsForSecurityScan.

---
 .../OrchardCoreUITestExecutorConfiguration.cs     | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/Lombiq.Tests.UI/Services/OrchardCoreUITestExecutorConfiguration.cs b/Lombiq.Tests.UI/Services/OrchardCoreUITestExecutorConfiguration.cs
index 77fb8e271..8b06a742e 100644
--- a/Lombiq.Tests.UI/Services/OrchardCoreUITestExecutorConfiguration.cs
+++ b/Lombiq.Tests.UI/Services/OrchardCoreUITestExecutorConfiguration.cs
@@ -29,6 +29,21 @@ public class OrchardCoreUITestExecutorConfiguration
     public static readonly Func<IWebApplicationInstance, Task> AssertAppLogsCanContainWarningsAsync =
         app => app.LogsShouldBeEmptyAsync(canContainWarnings: true);
 
+    /// <summary>
+    /// Similar to <see cref="AssertAppLogsCanContainWarningsAsync"/>, but also permits certain <c>|ERROR</c> log
+    /// entries which represent correct reaction to incorrect or malicious user behavior during a security scan.
+    /// </summary>
+    public static readonly Func<IWebApplicationInstance, Task> AssertAppLogsForSecurityScan =
+        app => app.LogsShouldBeEmptyAsync(
+            canContainWarnings: true,
+            permittedStringFragmentsInErrorLines: new[]
+            {
+                // The model binding will throw FormatException exception with this text during ZAP active scan, when
+                // the bot tries to send malicious query strings or POST data that doesn't fit the types expected by the
+                // model. This is correct, safe behavior and should be logged in production.
+                "is not a valid value for Boolean",
+            });
+
     public static readonly Action<IEnumerable<LogEntry>> AssertBrowserLogIsEmpty =
         logEntries => logEntries.ShouldNotContain(
             logEntry => IsValidBrowserLogEntry(logEntry),

From b48b0624c419bd6db3db43fce8a47d27d4e926ec Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A1ra=20El-Saig?= <sara.el-saig@lombiq.com>
Date: Sun, 7 Jan 2024 04:49:17 +0100
Subject: [PATCH 32/87] Permit another format exception.

---
 .../Services/OrchardCoreUITestExecutorConfiguration.cs           | 1 +
 1 file changed, 1 insertion(+)

diff --git a/Lombiq.Tests.UI/Services/OrchardCoreUITestExecutorConfiguration.cs b/Lombiq.Tests.UI/Services/OrchardCoreUITestExecutorConfiguration.cs
index 8b06a742e..d68d7882b 100644
--- a/Lombiq.Tests.UI/Services/OrchardCoreUITestExecutorConfiguration.cs
+++ b/Lombiq.Tests.UI/Services/OrchardCoreUITestExecutorConfiguration.cs
@@ -42,6 +42,7 @@ public class OrchardCoreUITestExecutorConfiguration
                 // the bot tries to send malicious query strings or POST data that doesn't fit the types expected by the
                 // model. This is correct, safe behavior and should be logged in production.
                 "is not a valid value for Boolean",
+                "An unhandled exception has occurred while executing the request. System.FormatException: any",
             });
 
     public static readonly Action<IEnumerable<LogEntry>> AssertBrowserLogIsEmpty =

From 411d7cdca39cb0142a22cf8644b549eea54cbe74 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A1ra=20El-Saig?= <sara.el-saig@lombiq.com>
Date: Sun, 7 Jan 2024 05:00:26 +0100
Subject: [PATCH 33/87] Much nicer app log error reporting.

---
 .../WebApplicationInstanceExtensions.cs       | 26 +++++++++----------
 .../OrchardCoreUITestExecutorConfiguration.cs |  2 +-
 2 files changed, 13 insertions(+), 15 deletions(-)

diff --git a/Lombiq.Tests.UI/Extensions/WebApplicationInstanceExtensions.cs b/Lombiq.Tests.UI/Extensions/WebApplicationInstanceExtensions.cs
index 06413a38e..073beb887 100644
--- a/Lombiq.Tests.UI/Extensions/WebApplicationInstanceExtensions.cs
+++ b/Lombiq.Tests.UI/Extensions/WebApplicationInstanceExtensions.cs
@@ -14,18 +14,18 @@ public static class WebApplicationInstanceExtensions
     /// Asserting that the logs should be empty. When they aren't the Shouldly exception will contain the logs'
     /// contents.
     /// </summary>
-    /// <param name="permittedStringFragmentsInErrorLines">
+    /// <param name="permittedErrorLines">
     /// If not <see langword="null"/> or empty, each line is split and any lines containing <c>|ERROR|</c> will be
-    /// ignored if they don't contain any string from this collection (case-insensitive).
+    /// ignored if they contain any string from this collection (case-insensitive).
     /// </param>
     public static async Task LogsShouldBeEmptyAsync(
         this IWebApplicationInstance webApplicationInstance,
         bool canContainWarnings = false,
-        ICollection<string> permittedStringFragmentsInErrorLines = null,
+        ICollection<string> permittedErrorLines = null,
         CancellationToken cancellationToken = default)
     {
         if (cancellationToken == default) cancellationToken = CancellationToken.None;
-        permittedStringFragmentsInErrorLines ??= Array.Empty<string>();
+        permittedErrorLines ??= Array.Empty<string>();
 
         var logOutput = await webApplicationInstance.GetLogOutputAsync(cancellationToken);
 
@@ -33,18 +33,16 @@ public static async Task LogsShouldBeEmptyAsync(
         {
             logOutput.ShouldNotContain("|FATAL|");
 
-            if (permittedStringFragmentsInErrorLines.Any())
-            {
-                logOutput
-                    .SplitByNewLines()
-                    .Where(line => line.Contains("|ERROR|"))
-                    .Where(line => !permittedStringFragmentsInErrorLines.Any(line.ContainsOrdinalIgnoreCase))
-                    .ShouldBeEmpty();
-            }
-            else
+            var errorLines = logOutput
+                .SplitByNewLines()
+                .Where(line => line.Contains("|ERROR|"));
+
+            if (permittedErrorLines.Any())
             {
-                logOutput.ShouldNotContain("|ERROR|");
+                errorLines = errorLines.Where(line => !permittedErrorLines.Any(line.ContainsOrdinalIgnoreCase));
             }
+
+            errorLines.ShouldBeEmpty();
         }
         else
         {
diff --git a/Lombiq.Tests.UI/Services/OrchardCoreUITestExecutorConfiguration.cs b/Lombiq.Tests.UI/Services/OrchardCoreUITestExecutorConfiguration.cs
index d68d7882b..3503a7326 100644
--- a/Lombiq.Tests.UI/Services/OrchardCoreUITestExecutorConfiguration.cs
+++ b/Lombiq.Tests.UI/Services/OrchardCoreUITestExecutorConfiguration.cs
@@ -36,7 +36,7 @@ public class OrchardCoreUITestExecutorConfiguration
     public static readonly Func<IWebApplicationInstance, Task> AssertAppLogsForSecurityScan =
         app => app.LogsShouldBeEmptyAsync(
             canContainWarnings: true,
-            permittedStringFragmentsInErrorLines: new[]
+            permittedErrorLines: new[]
             {
                 // The model binding will throw FormatException exception with this text during ZAP active scan, when
                 // the bot tries to send malicious query strings or POST data that doesn't fit the types expected by the

From 9f949da2cf03c88d497e1789ab25e26466c65a7c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A1ra=20El-Saig?= <sara.el-saig@lombiq.com>
Date: Sun, 7 Jan 2024 05:42:43 +0100
Subject: [PATCH 34/87] spelling?

---
 Lombiq.Tests.UI/Extensions/BrowserUITestContextExtensions.cs | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Lombiq.Tests.UI/Extensions/BrowserUITestContextExtensions.cs b/Lombiq.Tests.UI/Extensions/BrowserUITestContextExtensions.cs
index ce302b795..9e43cec34 100644
--- a/Lombiq.Tests.UI/Extensions/BrowserUITestContextExtensions.cs
+++ b/Lombiq.Tests.UI/Extensions/BrowserUITestContextExtensions.cs
@@ -69,7 +69,7 @@ public static async Task<T> FetchWithBrowserContextAsync<T>(
     /// masked by this activity. Afterwards it's used again to verify the results, and if it fails then the logs are
     /// cleared out.
     /// </summary>
-    /// <returns>A task indicating whether there were anything in the app logs that would've failed the assertion.</returns>
+    /// <returns>A task indicating whether there were anything in the app logs that failed the assertion.</returns>
     public static async Task<bool> DoWithoutAppLogAssertionAsync(this UITestContext context, Func<Task> task)
     {
         // Verify that the app logs are fine right now, then suppress logs for the duration of the task.
@@ -79,7 +79,7 @@ public static async Task<bool> DoWithoutAppLogAssertionAsync(this UITestContext
 
         await task();
 
-        // Restore the app log assertion and determine if it would've failed. Clear the logs if failure occurred.
+        // Restore the app log assertion and determine if it failed. Clear the logs if failure occurred.
         context.Configuration.AssertAppLogsAsync = assertAppLogsAsync;
         try
         {

From e38ba5e2607c6e5eb551bea379b2a0d52fb8b80e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A1ra=20El-Saig?= <sara.el-saig@lombiq.com>
Date: Sun, 7 Jan 2024 06:02:21 +0100
Subject: [PATCH 35/87] unusing

---
 .../SecurityScanning/SecurityScanningUITestContextExtensions.cs  | 1 -
 1 file changed, 1 deletion(-)

diff --git a/Lombiq.Tests.UI/SecurityScanning/SecurityScanningUITestContextExtensions.cs b/Lombiq.Tests.UI/SecurityScanning/SecurityScanningUITestContextExtensions.cs
index 80bd5d364..dafc754b2 100644
--- a/Lombiq.Tests.UI/SecurityScanning/SecurityScanningUITestContextExtensions.cs
+++ b/Lombiq.Tests.UI/SecurityScanning/SecurityScanningUITestContextExtensions.cs
@@ -7,7 +7,6 @@
 using System;
 using System.Net;
 using System.Threading.Tasks;
-using YamlDotNet.RepresentationModel;
 
 namespace Lombiq.Tests.UI.SecurityScanning;
 

From fb08f7956d999faed920cd48bb11c4538e938637 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A1ra=20El-Saig?= <sara.el-saig@lombiq.com>
Date: Sun, 7 Jan 2024 11:27:26 +0100
Subject: [PATCH 36/87] Eliminate this arbitrary limitation.

---
 Lombiq.Tests.UI/SecurityScanning/ZapManager.cs | 16 +++++-----------
 1 file changed, 5 insertions(+), 11 deletions(-)

diff --git a/Lombiq.Tests.UI/SecurityScanning/ZapManager.cs b/Lombiq.Tests.UI/SecurityScanning/ZapManager.cs
index addea5713..3703b6211 100644
--- a/Lombiq.Tests.UI/SecurityScanning/ZapManager.cs
+++ b/Lombiq.Tests.UI/SecurityScanning/ZapManager.cs
@@ -61,17 +61,6 @@ public async Task<SecurityScanResult> RunSecurityScanAsync(
         string automationFrameworkYamlPath,
         Func<YamlDocument, Task> modifyPlan = null)
     {
-        // Being able to run more than one scan in a test would complicate report generation and processing the SARIF
-        // report so rather just preventing it here (really nobody should want it anyway).
-        const string customContextKey = "ZapManager.ScanWasRun";
-
-        if (context.CustomContext.ContainsKey(customContextKey))
-        {
-            throw new NotSupportedException("You may only run a single ZAP scan in a given test.");
-        }
-
-        context.CustomContext.Add(customContextKey, string.Empty);
-
         await EnsureInitializedAsync();
 
         if (string.IsNullOrEmpty(automationFrameworkYamlPath))
@@ -81,6 +70,11 @@ public async Task<SecurityScanResult> RunSecurityScanAsync(
 
         var mountedDirectoryPath = DirectoryPaths.GetTempSubDirectoryPath(context.Id, "Zap");
         var reportsDirectoryPath = Path.Combine(mountedDirectoryPath, _zapReportsDirectoryName);
+
+        // If there is already a Zap directory, delete it before recreating the necessary directory structure. This is
+        // only needed if a scan has already been executed once for the current context. Deleting the existing "Zap"
+        // directory ensures a clean slate.
+        if (Directory.Exists(mountedDirectoryPath)) Directory.Delete(mountedDirectoryPath, recursive: true);
         Directory.CreateDirectory(reportsDirectoryPath);
 
         // Giving write permission to all users to the reports folder. This is to avoid issues under GitHub-hosted

From 85e4b68abbb3041254e92d99d8e194e15625ef7d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A1ra=20El-Saig?= <sara.el-saig@lombiq.com>
Date: Sun, 7 Jan 2024 19:46:12 +0100
Subject: [PATCH 37/87] Make AssertAppLogsForSecurityScan parametric.

---
 .../OrchardCoreUITestExecutorConfiguration.cs | 40 +++++++++++--------
 1 file changed, 24 insertions(+), 16 deletions(-)

diff --git a/Lombiq.Tests.UI/Services/OrchardCoreUITestExecutorConfiguration.cs b/Lombiq.Tests.UI/Services/OrchardCoreUITestExecutorConfiguration.cs
index 3503a7326..1eb673fe9 100644
--- a/Lombiq.Tests.UI/Services/OrchardCoreUITestExecutorConfiguration.cs
+++ b/Lombiq.Tests.UI/Services/OrchardCoreUITestExecutorConfiguration.cs
@@ -29,22 +29,6 @@ public class OrchardCoreUITestExecutorConfiguration
     public static readonly Func<IWebApplicationInstance, Task> AssertAppLogsCanContainWarningsAsync =
         app => app.LogsShouldBeEmptyAsync(canContainWarnings: true);
 
-    /// <summary>
-    /// Similar to <see cref="AssertAppLogsCanContainWarningsAsync"/>, but also permits certain <c>|ERROR</c> log
-    /// entries which represent correct reaction to incorrect or malicious user behavior during a security scan.
-    /// </summary>
-    public static readonly Func<IWebApplicationInstance, Task> AssertAppLogsForSecurityScan =
-        app => app.LogsShouldBeEmptyAsync(
-            canContainWarnings: true,
-            permittedErrorLines: new[]
-            {
-                // The model binding will throw FormatException exception with this text during ZAP active scan, when
-                // the bot tries to send malicious query strings or POST data that doesn't fit the types expected by the
-                // model. This is correct, safe behavior and should be logged in production.
-                "is not a valid value for Boolean",
-                "An unhandled exception has occurred while executing the request. System.FormatException: any",
-            });
-
     public static readonly Action<IEnumerable<LogEntry>> AssertBrowserLogIsEmpty =
         logEntries => logEntries.ShouldNotContain(
             logEntry => IsValidBrowserLogEntry(logEntry),
@@ -224,4 +208,28 @@ public void AssertBrowserLogMaybe(IList<LogEntry> browserLogs, Action<string> lo
             throw;
         }
     }
+
+    /// <summary>
+    /// Similar to <see cref="AssertAppLogsCanContainWarningsAsync"/>, but also permits certain <c>|ERROR</c> log
+    /// entries which represent correct reaction to incorrect or malicious user behavior during a security scan.
+    /// </summary>
+    public static Func<IWebApplicationInstance, Task> UseAssertAppLogsForSecurityScan(params string[] AdditionalPermittedErrorLines)
+    {
+        var permittedErrorLines = new List<string>
+        {
+            // The model binding will throw FormatException exception with this text during ZAP active scan, when
+            // the bot tries to send malicious query strings or POST data that doesn't fit the types expected by the
+            // model. This is correct, safe behavior and should be logged in production.
+            "is not a valid value for Boolean",
+            "An unhandled exception has occurred while executing the request. System.FormatException: any",
+            // Happens when the static file middleware tries to access a path that doesn't exist or access a file as
+            // a directory. Presumably this is an attempt to access protected files using source path manipulation.
+            // This is handled by ASP.NET Core and there is nothing for us to worry about.
+            "System.IO.IOException: Not a directory",
+        };
+
+        permittedErrorLines.AddRange(AdditionalPermittedErrorLines);
+
+        return app => app.LogsShouldBeEmptyAsync(canContainWarnings: true, permittedErrorLines);
+    }
 }

From 218f8b3983c666feef04e22b86c45d2d1a618727 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A1ra=20El-Saig?= <sara.el-saig@lombiq.com>
Date: Sun, 7 Jan 2024 20:11:44 +0100
Subject: [PATCH 38/87] Fix code styling.

---
 .../Services/OrchardCoreUITestExecutorConfiguration.cs        | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Lombiq.Tests.UI/Services/OrchardCoreUITestExecutorConfiguration.cs b/Lombiq.Tests.UI/Services/OrchardCoreUITestExecutorConfiguration.cs
index 1eb673fe9..4223b7b60 100644
--- a/Lombiq.Tests.UI/Services/OrchardCoreUITestExecutorConfiguration.cs
+++ b/Lombiq.Tests.UI/Services/OrchardCoreUITestExecutorConfiguration.cs
@@ -213,7 +213,7 @@ public void AssertBrowserLogMaybe(IList<LogEntry> browserLogs, Action<string> lo
     /// Similar to <see cref="AssertAppLogsCanContainWarningsAsync"/>, but also permits certain <c>|ERROR</c> log
     /// entries which represent correct reaction to incorrect or malicious user behavior during a security scan.
     /// </summary>
-    public static Func<IWebApplicationInstance, Task> UseAssertAppLogsForSecurityScan(params string[] AdditionalPermittedErrorLines)
+    public static Func<IWebApplicationInstance, Task> UseAssertAppLogsForSecurityScan(params string[] additionalPermittedErrorLines)
     {
         var permittedErrorLines = new List<string>
         {
@@ -228,7 +228,7 @@ public static Func<IWebApplicationInstance, Task> UseAssertAppLogsForSecuritySca
             "System.IO.IOException: Not a directory",
         };
 
-        permittedErrorLines.AddRange(AdditionalPermittedErrorLines);
+        permittedErrorLines.AddRange(additionalPermittedErrorLines);
 
         return app => app.LogsShouldBeEmptyAsync(canContainWarnings: true, permittedErrorLines);
     }

From 15bd35161ed64d5ef7965287eb9d2e6f3ceaeaca Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A1ra=20El-Saig?= <sara.el-saig@lombiq.com>
Date: Sun, 7 Jan 2024 20:25:29 +0100
Subject: [PATCH 39/87] Use SafelyDeleteDirectoryIfExists.

---
 Lombiq.Tests.UI/SecurityScanning/ZapManager.cs | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/Lombiq.Tests.UI/SecurityScanning/ZapManager.cs b/Lombiq.Tests.UI/SecurityScanning/ZapManager.cs
index 3703b6211..8acb02a1e 100644
--- a/Lombiq.Tests.UI/SecurityScanning/ZapManager.cs
+++ b/Lombiq.Tests.UI/SecurityScanning/ZapManager.cs
@@ -1,6 +1,7 @@
 using CliWrap;
 using Lombiq.HelpfulLibraries.Cli;
 using Lombiq.Tests.UI.Constants;
+using Lombiq.Tests.UI.Helpers;
 using Lombiq.Tests.UI.Services;
 using Lombiq.Tests.UI.Services.GitHub;
 using Microsoft.CodeAnalysis.Sarif;
@@ -74,7 +75,7 @@ public async Task<SecurityScanResult> RunSecurityScanAsync(
         // If there is already a Zap directory, delete it before recreating the necessary directory structure. This is
         // only needed if a scan has already been executed once for the current context. Deleting the existing "Zap"
         // directory ensures a clean slate.
-        if (Directory.Exists(mountedDirectoryPath)) Directory.Delete(mountedDirectoryPath, recursive: true);
+        DirectoryHelper.SafelyDeleteDirectoryIfExists(mountedDirectoryPath);
         Directory.CreateDirectory(reportsDirectoryPath);
 
         // Giving write permission to all users to the reports folder. This is to avoid issues under GitHub-hosted

From 0d43a1fe8c211e77d736a5b322fd1740d3edde57 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A1ra=20El-Saig?= <sara.el-saig@lombiq.com>
Date: Sun, 7 Jan 2024 20:30:36 +0100
Subject: [PATCH 40/87] Add default value to userName in SignInDirectly.

---
 Lombiq.Tests.UI.Shortcuts/Controllers/AccountController.cs | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/Lombiq.Tests.UI.Shortcuts/Controllers/AccountController.cs b/Lombiq.Tests.UI.Shortcuts/Controllers/AccountController.cs
index 03c1632dd..4ffbfee17 100644
--- a/Lombiq.Tests.UI.Shortcuts/Controllers/AccountController.cs
+++ b/Lombiq.Tests.UI.Shortcuts/Controllers/AccountController.cs
@@ -20,11 +20,9 @@ public AccountController(UserManager<IUser> userManager, SignInManager<IUser> us
     }
 
     [AllowAnonymous]
-    public async Task<IActionResult> SignInDirectly(string userName)
+    public async Task<IActionResult> SignInDirectly(string userName = "admin")
     {
-        var user = await _userManager.FindByNameAsync(userName);
-
-        if (user == null) return NotFound();
+        if (await _userManager.FindByNameAsync(userName) is not { } user) return NotFound();
 
         await _userSignInManager.SignInAsync(user, isPersistent: false);
 

From fb5bcdd008c7ce8cb96c804dbad0bac40a45c788 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A1ra=20El-Saig?= <sara.el-saig@lombiq.com>
Date: Sun, 7 Jan 2024 20:46:49 +0100
Subject: [PATCH 41/87] Add exception for a parameter key being null.

---
 .../Services/OrchardCoreUITestExecutorConfiguration.cs        | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/Lombiq.Tests.UI/Services/OrchardCoreUITestExecutorConfiguration.cs b/Lombiq.Tests.UI/Services/OrchardCoreUITestExecutorConfiguration.cs
index 4223b7b60..6678e4728 100644
--- a/Lombiq.Tests.UI/Services/OrchardCoreUITestExecutorConfiguration.cs
+++ b/Lombiq.Tests.UI/Services/OrchardCoreUITestExecutorConfiguration.cs
@@ -226,6 +226,10 @@ public static Func<IWebApplicationInstance, Task> UseAssertAppLogsForSecuritySca
             // a directory. Presumably this is an attempt to access protected files using source path manipulation.
             // This is handled by ASP.NET Core and there is nothing for us to worry about.
             "System.IO.IOException: Not a directory",
+            // This happens when a request's model contains a dictionary and a key is missing. While this can be a
+            // legitimate application error, during a security scan it's more likely the result of an incomplete
+            // artificially constructed request. So the means the ASP.NET Core model binding is working as intended.
+            "An unhandled exception has occurred while executing the request. System.ArgumentNullException: Value cannot be null. (Parameter 'key')",
         };
 
         permittedErrorLines.AddRange(additionalPermittedErrorLines);

From 85327ec313bcfa9fbcc2832fc0b47e899ea525e2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A1ra=20El-Saig?= <sara.el-saig@lombiq.com>
Date: Sun, 7 Jan 2024 23:03:52 +0100
Subject: [PATCH 42/87] check empty userName differently

---
 Lombiq.Tests.UI.Shortcuts/Controllers/AccountController.cs | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/Lombiq.Tests.UI.Shortcuts/Controllers/AccountController.cs b/Lombiq.Tests.UI.Shortcuts/Controllers/AccountController.cs
index 4ffbfee17..cbe500f3e 100644
--- a/Lombiq.Tests.UI.Shortcuts/Controllers/AccountController.cs
+++ b/Lombiq.Tests.UI.Shortcuts/Controllers/AccountController.cs
@@ -3,6 +3,7 @@
 using Microsoft.AspNetCore.Identity;
 using Microsoft.AspNetCore.Mvc;
 using OrchardCore.Users;
+using System;
 using System.Threading.Tasks;
 
 namespace Lombiq.Tests.UI.Shortcuts.Controllers;
@@ -20,8 +21,9 @@ public AccountController(UserManager<IUser> userManager, SignInManager<IUser> us
     }
 
     [AllowAnonymous]
-    public async Task<IActionResult> SignInDirectly(string userName = "admin")
+    public async Task<IActionResult> SignInDirectly(string userName)
     {
+        if (string.IsNullOrWhiteSpace(userName)) userName = "admin";
         if (await _userManager.FindByNameAsync(userName) is not { } user) return NotFound();
 
         await _userSignInManager.SignInAsync(user, isPersistent: false);

From 888c0abd98f998bd429581dd836b8a69c88b30cf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A1ra=20El-Saig?= <sara.el-saig@lombiq.com>
Date: Sun, 7 Jan 2024 23:24:46 +0100
Subject: [PATCH 43/87] unusing

---
 Lombiq.Tests.UI.Shortcuts/Controllers/AccountController.cs | 1 -
 1 file changed, 1 deletion(-)

diff --git a/Lombiq.Tests.UI.Shortcuts/Controllers/AccountController.cs b/Lombiq.Tests.UI.Shortcuts/Controllers/AccountController.cs
index cbe500f3e..e47b31eca 100644
--- a/Lombiq.Tests.UI.Shortcuts/Controllers/AccountController.cs
+++ b/Lombiq.Tests.UI.Shortcuts/Controllers/AccountController.cs
@@ -3,7 +3,6 @@
 using Microsoft.AspNetCore.Identity;
 using Microsoft.AspNetCore.Mvc;
 using OrchardCore.Users;
-using System;
 using System.Threading.Tasks;
 
 namespace Lombiq.Tests.UI.Shortcuts.Controllers;

From 31a58cc2c7e9bbcd1080c7cc90948e29a7b8417e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A1ra=20El-Saig?= <sara.el-saig@lombiq.com>
Date: Mon, 8 Jan 2024 07:24:53 +0100
Subject: [PATCH 44/87] Reorganize the security scanning test into a reusable
 extension.

---
 ...SecurityScanningUITestContextExtensions.cs | 44 +++++++++++++++++++
 .../YamlDocumentExtensions.cs                 |  2 +-
 2 files changed, 45 insertions(+), 1 deletion(-)

diff --git a/Lombiq.Tests.UI/SecurityScanning/SecurityScanningUITestContextExtensions.cs b/Lombiq.Tests.UI/SecurityScanning/SecurityScanningUITestContextExtensions.cs
index dafc754b2..f8df51174 100644
--- a/Lombiq.Tests.UI/SecurityScanning/SecurityScanningUITestContextExtensions.cs
+++ b/Lombiq.Tests.UI/SecurityScanning/SecurityScanningUITestContextExtensions.cs
@@ -7,6 +7,7 @@
 using System;
 using System.Net;
 using System.Threading.Tasks;
+using static Lombiq.Tests.UI.Services.OrchardCoreUITestExecutorConfiguration;
 
 namespace Lombiq.Tests.UI.SecurityScanning;
 
@@ -50,6 +51,49 @@ public static Task RunAndAssertFullSecurityScanAsync(
             configure,
             assertSecurityScanResult);
 
+    /// <inheritdoc cref="RunAndAssertFullSecurityScanAsync"/>
+    /// <param name="doSignIn">If <see langword="true"/> the bot is configured to sign in as <c>admin</c> first.</param>
+    /// <param name="maxScanDurationInMinutes">Time limit for the active scan altogether.</param>
+    /// <param name="maxRuleDurationInMinutes">Time limit for the individual rules in the active scan.</param>
+    /// <remarks><para>
+    /// This extension method makes changes to the normal configuration of the test to be more suited for CI operation.
+    /// It changes the <see cref="UITestContext.Configuration"/> to not do any retries because this is a long running
+    /// test. It also replaces the app log assertion logic with the specialized version for security scans, <see
+    /// cref="UseAssertAppLogsForSecurityScan"/>. The scan is configured to ignore the admin dashboard, optionally log
+    /// in as admin, and use the provided time limits for the "active scan" portion of the security scan.
+    /// </para></remarks>
+    public static Task RunAndConfigureAndAssertFullSecurityScanForAutomationAsync(
+        this UITestContext context,
+        Action<SecurityScanConfiguration> additionalConfiguration = null,
+        Action<SarifLog> assertSecurityScanResult = null,
+        bool doSignIn = true,
+        int maxScanDurationInMinutes = 10,
+        int maxRuleDurationInMinutes = 2)
+    {
+        // Ignore some validation errors that only happen during security tests.
+        context.Configuration.AssertAppLogsAsync = UseAssertAppLogsForSecurityScan();
+
+        // This takes over 10 minutes and the session will certainly time out with retries.
+        context.Configuration.MaxRetryCount = 0;
+
+        return context.RunAndAssertFullSecurityScanAsync(
+            configuration =>
+            {
+                // Signing in ensures full access and that the bot won't have to interact with the login screen.
+                if (doSignIn) configuration.SignIn();
+
+                // There is no need to security scan the admin dashboard.
+                configuration.ExcludeUrlWithRegex(@".*/Admin/.*");
+
+                // Active scan takes a very long time, this is not practical in CI.
+                configuration.ModifyZapPlan(plan => plan
+                    .SetActiveScanMaxDuration(maxScanDurationInMinutes, maxRuleDurationInMinutes));
+
+                additionalConfiguration?.Invoke(configuration);
+            },
+            assertSecurityScanResult);
+    }
+
     /// <summary>
     /// Run a <see href="https://www.zaproxy.org/">Zed Attack Proxy (ZAP)</see> security scan against an app with the
     /// GraphQL Automation Framework profile and runs assertions on the result (see <see
diff --git a/Lombiq.Tests.UI/SecurityScanning/YamlDocumentExtensions.cs b/Lombiq.Tests.UI/SecurityScanning/YamlDocumentExtensions.cs
index 85c77eb41..fee0beb59 100644
--- a/Lombiq.Tests.UI/SecurityScanning/YamlDocumentExtensions.cs
+++ b/Lombiq.Tests.UI/SecurityScanning/YamlDocumentExtensions.cs
@@ -358,7 +358,7 @@ public static void SetActiveScanParameter(this YamlDocument yamlDocument, YamlNo
     /// Sets time limits on the "activeScan" job. Both are in minutes. If set to 0 it means unlimited.
     /// </summary>
     /// <param name="maxScanDurationInMinutes">Time limit for the active scan altogether.</param>
-    /// <param name="maxRuleDurationInMinutes">Time limit for the individual rule scans in minutes.</param>
+    /// <param name="maxRuleDurationInMinutes">Time limit for the individual rule scans.</param>
     public static void SetActiveScanMaxDuration(
         this YamlDocument yamlDocument,
         int maxScanDurationInMinutes,

From 2b2545d828b49cc5cbe38142273bdc09c123e100 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A1ra=20El-Saig?= <sara.el-saig@lombiq.com>
Date: Mon, 8 Jan 2024 08:40:30 +0100
Subject: [PATCH 45/87] Update HL NuGet package.

---
 Lombiq.Tests.UI.Shortcuts/Lombiq.Tests.UI.Shortcuts.csproj | 2 +-
 Lombiq.Tests.UI/Lombiq.Tests.UI.csproj                     | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/Lombiq.Tests.UI.Shortcuts/Lombiq.Tests.UI.Shortcuts.csproj b/Lombiq.Tests.UI.Shortcuts/Lombiq.Tests.UI.Shortcuts.csproj
index cc4504bda..ea0ad05b4 100644
--- a/Lombiq.Tests.UI.Shortcuts/Lombiq.Tests.UI.Shortcuts.csproj
+++ b/Lombiq.Tests.UI.Shortcuts/Lombiq.Tests.UI.Shortcuts.csproj
@@ -50,7 +50,7 @@
   </ItemGroup>
 
   <ItemGroup Condition="'$(NuGetBuild)' == 'true'">
-    <PackageReference Include="Lombiq.HelpfulLibraries.OrchardCore" Version="8.1.0" />
+    <PackageReference Include="Lombiq.HelpfulLibraries.OrchardCore" Version="8.1.1-alpha.0.tdeal-16" />
   </ItemGroup>
 
 </Project>
diff --git a/Lombiq.Tests.UI/Lombiq.Tests.UI.csproj b/Lombiq.Tests.UI/Lombiq.Tests.UI.csproj
index 28dae6c07..c962860fd 100644
--- a/Lombiq.Tests.UI/Lombiq.Tests.UI.csproj
+++ b/Lombiq.Tests.UI/Lombiq.Tests.UI.csproj
@@ -103,9 +103,9 @@
 
   <ItemGroup Condition="'$(NuGetBuild)' == 'true'">
     <PackageReference Include="Lombiq.Tests" Version="2.2.5" />
-    <PackageReference Include="Lombiq.HelpfulLibraries.Cli" Version="8.1.0" />
-    <PackageReference Include="Lombiq.HelpfulLibraries.OrchardCore" Version="8.1.0" />
-    <PackageReference Include="Lombiq.HelpfulLibraries.Refit" Version="8.1.0" />
+    <PackageReference Include="Lombiq.HelpfulLibraries.Cli" Version="8.1.1-alpha.0.tdeal-16" />
+    <PackageReference Include="Lombiq.HelpfulLibraries.OrchardCore" Version="8.1.1-alpha.0.tdeal-16" />
+    <PackageReference Include="Lombiq.HelpfulLibraries.Refit" Version="8.1.1-alpha.0.tdeal-16" />
     <PackageReference Include="Lombiq.Npm.Targets" Version="1.4.0" />
   </ItemGroup>
 

From 059a34f676df5b01e4578b00e7f79a1c1a712787 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A1ra=20El-Saig?= <sara.el-saig@lombiq.com>
Date: Mon, 8 Jan 2024 10:22:48 +0100
Subject: [PATCH 46/87] Update HL NuGet again.

---
 Lombiq.Tests.UI.Shortcuts/Lombiq.Tests.UI.Shortcuts.csproj | 2 +-
 Lombiq.Tests.UI/Lombiq.Tests.UI.csproj                     | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/Lombiq.Tests.UI.Shortcuts/Lombiq.Tests.UI.Shortcuts.csproj b/Lombiq.Tests.UI.Shortcuts/Lombiq.Tests.UI.Shortcuts.csproj
index ea0ad05b4..de12d765c 100644
--- a/Lombiq.Tests.UI.Shortcuts/Lombiq.Tests.UI.Shortcuts.csproj
+++ b/Lombiq.Tests.UI.Shortcuts/Lombiq.Tests.UI.Shortcuts.csproj
@@ -50,7 +50,7 @@
   </ItemGroup>
 
   <ItemGroup Condition="'$(NuGetBuild)' == 'true'">
-    <PackageReference Include="Lombiq.HelpfulLibraries.OrchardCore" Version="8.1.1-alpha.0.tdeal-16" />
+    <PackageReference Include="Lombiq.HelpfulLibraries.OrchardCore" Version="8.1.1-alpha.1.tdeal-16" />
   </ItemGroup>
 
 </Project>
diff --git a/Lombiq.Tests.UI/Lombiq.Tests.UI.csproj b/Lombiq.Tests.UI/Lombiq.Tests.UI.csproj
index c962860fd..0d465846f 100644
--- a/Lombiq.Tests.UI/Lombiq.Tests.UI.csproj
+++ b/Lombiq.Tests.UI/Lombiq.Tests.UI.csproj
@@ -103,9 +103,9 @@
 
   <ItemGroup Condition="'$(NuGetBuild)' == 'true'">
     <PackageReference Include="Lombiq.Tests" Version="2.2.5" />
-    <PackageReference Include="Lombiq.HelpfulLibraries.Cli" Version="8.1.1-alpha.0.tdeal-16" />
-    <PackageReference Include="Lombiq.HelpfulLibraries.OrchardCore" Version="8.1.1-alpha.0.tdeal-16" />
-    <PackageReference Include="Lombiq.HelpfulLibraries.Refit" Version="8.1.1-alpha.0.tdeal-16" />
+    <PackageReference Include="Lombiq.HelpfulLibraries.Cli" Version="8.1.1-alpha.1.tdeal-16" />
+    <PackageReference Include="Lombiq.HelpfulLibraries.OrchardCore" Version="8.1.1-alpha.1.tdeal-16" />
+    <PackageReference Include="Lombiq.HelpfulLibraries.Refit" Version="8.1.1-alpha.1.tdeal-16" />
     <PackageReference Include="Lombiq.Npm.Targets" Version="1.4.0" />
   </ItemGroup>
 

From b2e8ec287b4bf024af046abbe7df4e5aa8ae1a87 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A1ra=20El-Saig?= <sara.el-saig@lombiq.com>
Date: Tue, 9 Jan 2024 20:22:42 +0100
Subject: [PATCH 47/87] Make the AssertSecurityScanHasNoAlerts more
 informative.

---
 .../SecurityScanningConfiguration.cs          | 24 ++++++++++++++++---
 1 file changed, 21 insertions(+), 3 deletions(-)

diff --git a/Lombiq.Tests.UI/SecurityScanning/SecurityScanningConfiguration.cs b/Lombiq.Tests.UI/SecurityScanning/SecurityScanningConfiguration.cs
index 0bf3df4f7..847a5fc69 100644
--- a/Lombiq.Tests.UI/SecurityScanning/SecurityScanningConfiguration.cs
+++ b/Lombiq.Tests.UI/SecurityScanning/SecurityScanningConfiguration.cs
@@ -1,7 +1,9 @@
 using Lombiq.Tests.UI.Services;
 using Microsoft.CodeAnalysis.Sarif;
+using Newtonsoft.Json;
 using Shouldly;
 using System;
+using System.Linq;
 using System.Threading.Tasks;
 using YamlDotNet.RepresentationModel;
 
@@ -30,7 +32,23 @@ public class SecurityScanningConfiguration
     /// </summary>
     public Action<UITestContext, SarifLog> AssertSecurityScanResult { get; set; } = AssertSecurityScanHasNoAlerts;
 
-    public static readonly Action<UITestContext, SarifLog> AssertSecurityScanHasNoAlerts =
-        (_, sarifLog) => sarifLog.Runs[0].Results.ShouldNotContain(result =>
-            result.Kind == ResultKind.Fail && result.Level != FailureLevel.None && result.Level != FailureLevel.Note);
+    public static readonly Action<UITestContext, SarifLog> AssertSecurityScanHasNoAlerts = (_, sarifLog) =>
+    {
+        var errors = sarifLog
+            .Runs[0]
+            .Results
+            .Where(result =>
+                result.Kind == ResultKind.Fail &&
+                result.Level != FailureLevel.None &&
+                result.Level != FailureLevel.Note)
+            .Select(result => new
+            {
+                Kind = result.Kind.ToString(),
+                Level = result.Level.ToString(),
+                Details = result,
+            })
+            .ToList();
+
+        errors.ShouldBeEmpty(JsonConvert.SerializeObject(errors));
+    };
 }

From b225f6146a10613af13bcce13fd863737b99f1ea Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A1ra=20El-Saig?= <sara.el-saig@lombiq.com>
Date: Wed, 10 Jan 2024 00:26:01 +0100
Subject: [PATCH 48/87] Try to delete the ZAP directory even more safely.

---
 .../SecurityScanning/ZapManager.cs            | 21 ++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

diff --git a/Lombiq.Tests.UI/SecurityScanning/ZapManager.cs b/Lombiq.Tests.UI/SecurityScanning/ZapManager.cs
index 8acb02a1e..99b09ab71 100644
--- a/Lombiq.Tests.UI/SecurityScanning/ZapManager.cs
+++ b/Lombiq.Tests.UI/SecurityScanning/ZapManager.cs
@@ -75,7 +75,26 @@ public async Task<SecurityScanResult> RunSecurityScanAsync(
         // If there is already a Zap directory, delete it before recreating the necessary directory structure. This is
         // only needed if a scan has already been executed once for the current context. Deleting the existing "Zap"
         // directory ensures a clean slate.
-        DirectoryHelper.SafelyDeleteDirectoryIfExists(mountedDirectoryPath);
+        if (Directory.Exists(mountedDirectoryPath))
+        {
+            var temporaryPath = $"{mountedDirectoryPath}-{Guid.NewGuid():N}";
+
+            // The directory is first renamed with a random suffix. This way even if the deletion is failed, the test
+            // should continue without problems. If this rename fails, that's fatal and should throw.
+            Directory.Move(mountedDirectoryPath, temporaryPath);
+
+            try
+            {
+                DirectoryHelper.SafelyDeleteDirectoryIfExists(temporaryPath);
+            }
+            catch (IOException exception)
+            {
+                _testOutputHelper.WriteLineTimestampedAndDebug(
+                    $"Failed to delete existing Zap directory ({exception.Message}). This is not a fatal error " +
+                    $"because the directory has already been renamed.");
+            }
+        }
+
         Directory.CreateDirectory(reportsDirectoryPath);
 
         // Giving write permission to all users to the reports folder. This is to avoid issues under GitHub-hosted

From 3127ba77d891b63d02f578b412a023f64097d16e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A1ra=20El-Saig?= <sara.el-saig@lombiq.com>
Date: Wed, 10 Jan 2024 12:51:03 +0100
Subject: [PATCH 49/87] Instead of trying to delete the Zap directory use Zap1,
 Zap2, etc to avoid reporting conflicts.

---
 Lombiq.Tests.UI/Helpers/DirectoryHelper.cs    | 19 +++++++++++++
 .../SecurityScanning/ZapManager.cs            | 27 +++----------------
 2 files changed, 22 insertions(+), 24 deletions(-)

diff --git a/Lombiq.Tests.UI/Helpers/DirectoryHelper.cs b/Lombiq.Tests.UI/Helpers/DirectoryHelper.cs
index 8af0780d7..3762e44a6 100644
--- a/Lombiq.Tests.UI/Helpers/DirectoryHelper.cs
+++ b/Lombiq.Tests.UI/Helpers/DirectoryHelper.cs
@@ -41,4 +41,23 @@ public static void SafelyDeleteDirectoryIfExists(string path, int maxTryCount =
             }
         }
     }
+
+    /// <summary>
+    /// Creates a directory with the given path and a numeric suffix from 1 to <see cref="int.MaxValue"/>. This means if
+    /// the <paramref name="path"/> is <c>c:\MyDirectory</c> then it will first attempt to create <c>c:\MyDirectory1</c>
+    /// but if that already exists it will try to create <c>c:\MyDirectory2</c> instead, and so on.
+    /// </summary>
+    /// <param name="path">The base path to use when constructing the final path.</param>
+    /// <returns>The final path created.</returns>
+    public static string CreateEnumeratedDirectory(string path)
+    {
+        for (var i = 1; i < int.MaxValue; i++)
+        {
+            var newPath = path + i.ToTechnicalString();
+            if (Directory.Exists(newPath)) continue;
+
+            Directory.CreateDirectory(newPath);
+            return newPath;
+        }
+    }
 }
diff --git a/Lombiq.Tests.UI/SecurityScanning/ZapManager.cs b/Lombiq.Tests.UI/SecurityScanning/ZapManager.cs
index 99b09ab71..218e72176 100644
--- a/Lombiq.Tests.UI/SecurityScanning/ZapManager.cs
+++ b/Lombiq.Tests.UI/SecurityScanning/ZapManager.cs
@@ -69,32 +69,11 @@ public async Task<SecurityScanResult> RunSecurityScanAsync(
             automationFrameworkYamlPath = AutomationFrameworkPlanPaths.BaselinePlanPath;
         }
 
-        var mountedDirectoryPath = DirectoryPaths.GetTempSubDirectoryPath(context.Id, "Zap");
+        // Each attempt will have it's own "ZapN" directory inside the temp, starting with "Zap1".
+        var mountedDirectoryPath = DirectoryHelper.CreateEnumeratedDirectory(
+            DirectoryPaths.GetTempSubDirectoryPath(context.Id, "Zap"));
         var reportsDirectoryPath = Path.Combine(mountedDirectoryPath, _zapReportsDirectoryName);
 
-        // If there is already a Zap directory, delete it before recreating the necessary directory structure. This is
-        // only needed if a scan has already been executed once for the current context. Deleting the existing "Zap"
-        // directory ensures a clean slate.
-        if (Directory.Exists(mountedDirectoryPath))
-        {
-            var temporaryPath = $"{mountedDirectoryPath}-{Guid.NewGuid():N}";
-
-            // The directory is first renamed with a random suffix. This way even if the deletion is failed, the test
-            // should continue without problems. If this rename fails, that's fatal and should throw.
-            Directory.Move(mountedDirectoryPath, temporaryPath);
-
-            try
-            {
-                DirectoryHelper.SafelyDeleteDirectoryIfExists(temporaryPath);
-            }
-            catch (IOException exception)
-            {
-                _testOutputHelper.WriteLineTimestampedAndDebug(
-                    $"Failed to delete existing Zap directory ({exception.Message}). This is not a fatal error " +
-                    $"because the directory has already been renamed.");
-            }
-        }
-
         Directory.CreateDirectory(reportsDirectoryPath);
 
         // Giving write permission to all users to the reports folder. This is to avoid issues under GitHub-hosted

From 106085abb5fe4a8e7f528599f253fe7a53a8528c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A1ra=20El-Saig?= <sara.el-saig@lombiq.com>
Date: Wed, 10 Jan 2024 12:59:57 +0100
Subject: [PATCH 50/87] Throw on failure.

---
 Lombiq.Tests.UI/Helpers/DirectoryHelper.cs | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/Lombiq.Tests.UI/Helpers/DirectoryHelper.cs b/Lombiq.Tests.UI/Helpers/DirectoryHelper.cs
index 3762e44a6..a9bd29db8 100644
--- a/Lombiq.Tests.UI/Helpers/DirectoryHelper.cs
+++ b/Lombiq.Tests.UI/Helpers/DirectoryHelper.cs
@@ -59,5 +59,7 @@ public static string CreateEnumeratedDirectory(string path)
             Directory.CreateDirectory(newPath);
             return newPath;
         }
+
+        throw new InvalidOperationException("Couldn't create a new directory within the integer space.");
     }
 }

From 11a538f4dcc89994c3d53fe462d7854cf0a2e35f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A1ra=20El-Saig?= <sara.el-saig@lombiq.com>
Date: Wed, 10 Jan 2024 19:08:17 +0100
Subject: [PATCH 51/87] nuget

---
 Lombiq.Tests.UI.Shortcuts/Lombiq.Tests.UI.Shortcuts.csproj | 2 +-
 Lombiq.Tests.UI/Lombiq.Tests.UI.csproj                     | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/Lombiq.Tests.UI.Shortcuts/Lombiq.Tests.UI.Shortcuts.csproj b/Lombiq.Tests.UI.Shortcuts/Lombiq.Tests.UI.Shortcuts.csproj
index de12d765c..7e3a8ea09 100644
--- a/Lombiq.Tests.UI.Shortcuts/Lombiq.Tests.UI.Shortcuts.csproj
+++ b/Lombiq.Tests.UI.Shortcuts/Lombiq.Tests.UI.Shortcuts.csproj
@@ -50,7 +50,7 @@
   </ItemGroup>
 
   <ItemGroup Condition="'$(NuGetBuild)' == 'true'">
-    <PackageReference Include="Lombiq.HelpfulLibraries.OrchardCore" Version="8.1.1-alpha.1.tdeal-16" />
+    <PackageReference Include="Lombiq.HelpfulLibraries.OrchardCore" Version="8.1.1-alpha.4.tdeal-16" />
   </ItemGroup>
 
 </Project>
diff --git a/Lombiq.Tests.UI/Lombiq.Tests.UI.csproj b/Lombiq.Tests.UI/Lombiq.Tests.UI.csproj
index 0d465846f..f5ea006ec 100644
--- a/Lombiq.Tests.UI/Lombiq.Tests.UI.csproj
+++ b/Lombiq.Tests.UI/Lombiq.Tests.UI.csproj
@@ -103,9 +103,9 @@
 
   <ItemGroup Condition="'$(NuGetBuild)' == 'true'">
     <PackageReference Include="Lombiq.Tests" Version="2.2.5" />
-    <PackageReference Include="Lombiq.HelpfulLibraries.Cli" Version="8.1.1-alpha.1.tdeal-16" />
-    <PackageReference Include="Lombiq.HelpfulLibraries.OrchardCore" Version="8.1.1-alpha.1.tdeal-16" />
-    <PackageReference Include="Lombiq.HelpfulLibraries.Refit" Version="8.1.1-alpha.1.tdeal-16" />
+    <PackageReference Include="Lombiq.HelpfulLibraries.Cli" Version="8.1.1-alpha.4.tdeal-16" />
+    <PackageReference Include="Lombiq.HelpfulLibraries.OrchardCore" Version="8.1.1-alpha.4.tdeal-16" />
+    <PackageReference Include="Lombiq.HelpfulLibraries.Refit" Version="8.1.1-alpha.4.tdeal-16" />
     <PackageReference Include="Lombiq.Npm.Targets" Version="1.4.0" />
   </ItemGroup>
 

From 8c12e5e3600ea77e1d544373407fb136226260fa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A1ra=20El-Saig?= <sara.el-saig@lombiq.com>
Date: Fri, 12 Jan 2024 01:16:53 +0100
Subject: [PATCH 52/87] Additional documentation.

---
 Lombiq.Tests.UI/Docs/SecurityScanning.md | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/Lombiq.Tests.UI/Docs/SecurityScanning.md b/Lombiq.Tests.UI/Docs/SecurityScanning.md
index 8ea980434..051c96fe0 100644
--- a/Lombiq.Tests.UI/Docs/SecurityScanning.md
+++ b/Lombiq.Tests.UI/Docs/SecurityScanning.md
@@ -19,6 +19,23 @@ You can create detailed security scans of your app with [Zed Attack Proxy (ZAP)]
 - While ZAP is fully managed for you, Docker needs to be available and running to host the ZAP instance. On your development machine, you can install [Docker Desktop](https://www.docker.com/products/docker-desktop/).
 - The full scan of a website with even just 1-200 pages can take 5-10 minutes. So, be careful to fine-tune the ZAP configuration to make it suitable for your app.
 
+## Limitations
+
+On Windows-based GitHub runners the security tests always fail with the following error:
+
+> The `docker.exe pull softwaresecurityproject/zap-stable:2.14.0 --quiet` command failed with the output below.
+> no matching manifest for windows/amd64 10.0.20348 in the manifest list entries.
+
+This is because the Docker installation is configured to use Windows images, while the [ZAP docker image](https://hub.docker.com/r/softwaresecurityproject/zap-stable/tags) is only available for Linux. If you rely on our [Lombiq GitHub Actions](https://github.com/Lombiq/GitHub-Actions) then you can configure it like this to disable a test, in this case `SecurityScanningTests`:
+```
+  call-build-and-test-workflow-windows:
+    name: Build and Test
+    uses: Lombiq/GitHub-Actions/.github/workflows/build-and-test-orchard-core.yml@dev
+    with:
+      machine-types: '["windows-latest"]'
+      test-filter: "FullyQualifiedName!~SecurityScanningTests"
+```
+
 ## Troubleshooting
 
 - If you're unsure what happens in a scan, run the [ZAP desktop app](https://www.zaproxy.org/download/) and load the Automation Framework plan's YAML file into it. If you use the default scans, then these will be available under the build output directory (like _bin/Debug_) under _SecurityScanning/AutomationFrameworkPlans_. Then, you can open and run them as demonstrated [in this video](https://youtu.be/PnCbIAnauD8?si=u0vi63Uvv9wZINzb&t=1173).

From 07efb93e767352bea1f63e43a11c5799fc064ffc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A1ra=20El-Saig?= <sara.el-saig@lombiq.com>
Date: Fri, 12 Jan 2024 01:46:40 +0100
Subject: [PATCH 53/87] Documentation cross-linking.

---
 Lombiq.Tests.UI/Docs/SecurityScanning.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/Lombiq.Tests.UI/Docs/SecurityScanning.md b/Lombiq.Tests.UI/Docs/SecurityScanning.md
index 051c96fe0..a29b4c345 100644
--- a/Lombiq.Tests.UI/Docs/SecurityScanning.md
+++ b/Lombiq.Tests.UI/Docs/SecurityScanning.md
@@ -38,6 +38,7 @@ This is because the Docker installation is configured to use Windows images, whi
 
 ## Troubleshooting
 
+- Most common alerts in Orchard Core can be resolved by [using the extension method in Lombiq Helpful Libraries](https://github.com/Lombiq/Helpful-Libraries/blob/dev/Lombiq.HelpfulLibraries.OrchardCore/Docs/Security.md) like this: `orchardCoreBuilder.ConfigureSecurityDefaults(allowInlineStyle: true)`.
 - If you're unsure what happens in a scan, run the [ZAP desktop app](https://www.zaproxy.org/download/) and load the Automation Framework plan's YAML file into it. If you use the default scans, then these will be available under the build output directory (like _bin/Debug_) under _SecurityScanning/AutomationFrameworkPlans_. Then, you can open and run them as demonstrated [in this video](https://youtu.be/PnCbIAnauD8?si=u0vi63Uvv9wZINzb&t=1173).
 - If an alert is a false positive, follow [the official docs](https://www.zaproxy.org/faq/how-do-i-handle-a-false-positive/). You can use the [`alertFilter` job](https://www.zaproxy.org/docs/desktop/addons/alert-filters/automation/) to ignore alerts in very specific conditions. You can also access this via the .NET configuration API.
 - ZAP didn't find everything in your app? By default, ZAP has a crawl depth of 5 for its standard spider and 10 for its AJAX spider. Set `maxDepth` (and `maxChildren`) [for `spider`](https://www.zaproxy.org/docs/desktop/addons/automation-framework/job-spider/) and `maxCrawlDepth` [for `spiderAjax`](https://www.zaproxy.org/docs/desktop/addons/ajax-spider/automation/).

From a137be58e9d924a5791b2320c2d7aa8e9f9ec9a2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A1ra=20El-Saig?= <sara.el-saig@lombiq.com>
Date: Fri, 12 Jan 2024 02:31:34 +0100
Subject: [PATCH 54/87] Include the PII disclosure issue URL.

---
 .../SecurityScanning/AutomationFrameworkPlans/Baseline.yml      | 2 +-
 .../SecurityScanning/AutomationFrameworkPlans/FullScan.yml      | 2 +-
 .../SecurityScanning/AutomationFrameworkPlans/GraphQL.yml       | 2 +-
 .../SecurityScanning/AutomationFrameworkPlans/OpenAPI.yml       | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/Baseline.yml b/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/Baseline.yml
index c17ea12cf..88ec3a373 100644
--- a/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/Baseline.yml
+++ b/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/Baseline.yml
@@ -56,7 +56,7 @@ jobs:
   - id: 10037
     name: "Server Leaks Information via 'X-Powered-By' HTTP Response Header Field(s)"
     threshold: "off"
-  # This rule generates false positives on UUIDs or random numeric sequences.
+  # This rule generates false positives on UUIDs or random numeric sequences, see https://github.com/zaproxy/zaproxy/issues/8303.
   - id: 10062
     name: "The response contains Personally Identifiable Information, such as CC number, SSN and similar sensitive data."
     threshold: "high"
diff --git a/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/FullScan.yml b/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/FullScan.yml
index 329731f28..87afb8828 100644
--- a/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/FullScan.yml
+++ b/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/FullScan.yml
@@ -56,7 +56,7 @@ jobs:
   - id: 10037
     name: "Server Leaks Information via 'X-Powered-By' HTTP Response Header Field(s)"
     threshold: "off"
-  # This rule generates false positives on UUIDs or random numeric sequences.
+  # This rule generates false positives on UUIDs or random numeric sequences, see https://github.com/zaproxy/zaproxy/issues/8303.
   - id: 10062
     name: "The response contains Personally Identifiable Information, such as CC number, SSN and similar sensitive data."
     threshold: "high"
diff --git a/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/GraphQL.yml b/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/GraphQL.yml
index a901687b5..3be077479 100644
--- a/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/GraphQL.yml
+++ b/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/GraphQL.yml
@@ -56,7 +56,7 @@ jobs:
   - id: 10037
     name: "Server Leaks Information via 'X-Powered-By' HTTP Response Header Field(s)"
     threshold: "off"
-  # This rule generates false positives on UUIDs or random numeric sequences.
+  # This rule generates false positives on UUIDs or random numeric sequences, see https://github.com/zaproxy/zaproxy/issues/8303.
   - id: 10062
     name: "The response contains Personally Identifiable Information, such as CC number, SSN and similar sensitive data."
     threshold: "high"
diff --git a/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/OpenAPI.yml b/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/OpenAPI.yml
index 7e99ab0d0..eed3c0552 100644
--- a/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/OpenAPI.yml
+++ b/Lombiq.Tests.UI/SecurityScanning/AutomationFrameworkPlans/OpenAPI.yml
@@ -56,7 +56,7 @@ jobs:
   - id: 10037
     name: "Server Leaks Information via 'X-Powered-By' HTTP Response Header Field(s)"
     threshold: "off"
-  # This rule generates false positives on UUIDs or random numeric sequences.
+  # This rule generates false positives on UUIDs or random numeric sequences, see https://github.com/zaproxy/zaproxy/issues/8303.
   - id: 10062
     name: "The response contains Personally Identifiable Information, such as CC number, SSN and similar sensitive data."
     threshold: "high"

From cca1aa544628d156f4031c484ffffdb12535f907 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A1ra=20El-Saig?= <sara.el-saig@lombiq.com>
Date: Fri, 12 Jan 2024 02:32:46 +0100
Subject: [PATCH 55/87] Rename maxScanDurationInMinutes to
 maxActiveScanDurationInMinutes.

---
 .../SecurityScanningUITestContextExtensions.cs              | 6 +++---
 Lombiq.Tests.UI/SecurityScanning/YamlDocumentExtensions.cs  | 6 +++---
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/Lombiq.Tests.UI/SecurityScanning/SecurityScanningUITestContextExtensions.cs b/Lombiq.Tests.UI/SecurityScanning/SecurityScanningUITestContextExtensions.cs
index f8df51174..8c407027f 100644
--- a/Lombiq.Tests.UI/SecurityScanning/SecurityScanningUITestContextExtensions.cs
+++ b/Lombiq.Tests.UI/SecurityScanning/SecurityScanningUITestContextExtensions.cs
@@ -53,7 +53,7 @@ public static Task RunAndAssertFullSecurityScanAsync(
 
     /// <inheritdoc cref="RunAndAssertFullSecurityScanAsync"/>
     /// <param name="doSignIn">If <see langword="true"/> the bot is configured to sign in as <c>admin</c> first.</param>
-    /// <param name="maxScanDurationInMinutes">Time limit for the active scan altogether.</param>
+    /// <param name="maxActiveScanDurationInMinutes">Time limit for the active scan altogether.</param>
     /// <param name="maxRuleDurationInMinutes">Time limit for the individual rules in the active scan.</param>
     /// <remarks><para>
     /// This extension method makes changes to the normal configuration of the test to be more suited for CI operation.
@@ -67,7 +67,7 @@ public static Task RunAndConfigureAndAssertFullSecurityScanForAutomationAsync(
         Action<SecurityScanConfiguration> additionalConfiguration = null,
         Action<SarifLog> assertSecurityScanResult = null,
         bool doSignIn = true,
-        int maxScanDurationInMinutes = 10,
+        int maxActiveScanDurationInMinutes = 10,
         int maxRuleDurationInMinutes = 2)
     {
         // Ignore some validation errors that only happen during security tests.
@@ -87,7 +87,7 @@ public static Task RunAndConfigureAndAssertFullSecurityScanForAutomationAsync(
 
                 // Active scan takes a very long time, this is not practical in CI.
                 configuration.ModifyZapPlan(plan => plan
-                    .SetActiveScanMaxDuration(maxScanDurationInMinutes, maxRuleDurationInMinutes));
+                    .SetActiveScanMaxDuration(maxActiveScanDurationInMinutes, maxRuleDurationInMinutes));
 
                 additionalConfiguration?.Invoke(configuration);
             },
diff --git a/Lombiq.Tests.UI/SecurityScanning/YamlDocumentExtensions.cs b/Lombiq.Tests.UI/SecurityScanning/YamlDocumentExtensions.cs
index fee0beb59..4743c2605 100644
--- a/Lombiq.Tests.UI/SecurityScanning/YamlDocumentExtensions.cs
+++ b/Lombiq.Tests.UI/SecurityScanning/YamlDocumentExtensions.cs
@@ -357,14 +357,14 @@ public static void SetActiveScanParameter(this YamlDocument yamlDocument, YamlNo
     /// <summary>
     /// Sets time limits on the "activeScan" job. Both are in minutes. If set to 0 it means unlimited.
     /// </summary>
-    /// <param name="maxScanDurationInMinutes">Time limit for the active scan altogether.</param>
+    /// <param name="maxActiveScanDurationInMinutes">Time limit for the active scan altogether.</param>
     /// <param name="maxRuleDurationInMinutes">Time limit for the individual rule scans.</param>
     public static void SetActiveScanMaxDuration(
         this YamlDocument yamlDocument,
-        int maxScanDurationInMinutes,
+        int maxActiveScanDurationInMinutes,
         int maxRuleDurationInMinutes = 0)
     {
-        yamlDocument.SetActiveScanParameter("maxScanDurationInMins", maxScanDurationInMinutes.ToTechnicalString());
+        yamlDocument.SetActiveScanParameter("maxScanDurationInMins", maxActiveScanDurationInMinutes.ToTechnicalString());
         yamlDocument.SetActiveScanParameter("maxRuleDurationInMins", maxRuleDurationInMinutes.ToTechnicalString());
     }
 

From 050812ea79223e18f1ac7c4bca56836c42230de0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A1ra=20El-Saig?= <sara.el-saig@lombiq.com>
Date: Fri, 12 Jan 2024 02:42:37 +0100
Subject: [PATCH 56/87] Rename extension method and mention it in the samples.

---
 .../Tests/SecurityScanningTests.cs                    | 11 ++++++-----
 .../SecurityScanningUITestContextExtensions.cs        |  2 +-
 2 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/Lombiq.Tests.UI.Samples/Tests/SecurityScanningTests.cs b/Lombiq.Tests.UI.Samples/Tests/SecurityScanningTests.cs
index 87d6dbece..7d3e83afe 100644
--- a/Lombiq.Tests.UI.Samples/Tests/SecurityScanningTests.cs
+++ b/Lombiq.Tests.UI.Samples/Tests/SecurityScanningTests.cs
@@ -31,7 +31,10 @@ public SecurityScanningTests(ITestOutputHelper testOutputHelper)
 
     // We're running one of ZAP's built-in scans, the Baseline scan. This, as the name suggests, provides some
     // rudimentary security checks. While you can start with this, we recommend running the Full Scan, for which there
-    // similarly is an extension method as well.
+    // similarly is an extension method as well. This can take a very long time. If you want to have a broader scan in
+    // your CI test runs, use the RunAndConfigureAndAssertFullSecurityScanForContinuousIntegrationAsync extension method
+    // instead. It applies some limitations to the full scan, including time limits to the active scan portion that
+    // normally takes the longest.
 
     // If you're new to security scanning, starting with exactly this is probably a good idea. Most possibly your app
     // will fail the scan, but don't worry! You'll get a nice report about the findings in the failure dump.
@@ -45,10 +48,8 @@ public Task BasicSecurityScanShouldPass() =>
     //   usually not just unnecessary for a website that's not an SPA, but also slows the scan down by a lot. However,
     //   if you have an SPA, you need to use it.
     // - Excludes certain URLs from the scan completely. Use this if you don't want ZAP to process certain URLs at all.
-    // - Disables the The response does not include either Content-Security-Policy with 'frame-ancestors' directive."
-    //   alert of ZAP's passive scan for the whole scan. This is because by default, Orchard Core sends an "X-Powered-By: OrchardCore" header.
-    //   If you want airtight security, you might want to turn this off, but for the sake of example we just ignore the
-    //   alert here.
+    // - Disables the "The response does not include either Content-Security-Policy with 'frame-ancestors' directive."
+    //   alert of ZAP's passive scan for the whole scan.
     // - Also disables the "Content Security Policy (CSP) Header Not Set" rule but only for the /about page. Use this to
     //   disable rules more specifically instead of the whole scan.
     // - Configures sign in with a user account. This is what the scan will start with. With the Blog recipe it doesn't
diff --git a/Lombiq.Tests.UI/SecurityScanning/SecurityScanningUITestContextExtensions.cs b/Lombiq.Tests.UI/SecurityScanning/SecurityScanningUITestContextExtensions.cs
index 8c407027f..c6355372d 100644
--- a/Lombiq.Tests.UI/SecurityScanning/SecurityScanningUITestContextExtensions.cs
+++ b/Lombiq.Tests.UI/SecurityScanning/SecurityScanningUITestContextExtensions.cs
@@ -62,7 +62,7 @@ public static Task RunAndAssertFullSecurityScanAsync(
     /// cref="UseAssertAppLogsForSecurityScan"/>. The scan is configured to ignore the admin dashboard, optionally log
     /// in as admin, and use the provided time limits for the "active scan" portion of the security scan.
     /// </para></remarks>
-    public static Task RunAndConfigureAndAssertFullSecurityScanForAutomationAsync(
+    public static Task RunAndConfigureAndAssertFullSecurityScanForContinuousIntegrationAsync(
         this UITestContext context,
         Action<SecurityScanConfiguration> additionalConfiguration = null,
         Action<SarifLog> assertSecurityScanResult = null,

From a9a408350ad2b71733b9975ac13fdb92c4140f26 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A1ra=20El-Saig?= <sara.el-saig@lombiq.com>
Date: Fri, 12 Jan 2024 02:43:16 +0100
Subject: [PATCH 57/87] Update
 Lombiq.Tests.UI/SecurityScanning/SecurityScanConfiguration.cs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: Zoltán Lehóczky <zoltan.lehoczky@lombiq.com>
---
 Lombiq.Tests.UI/SecurityScanning/SecurityScanConfiguration.cs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Lombiq.Tests.UI/SecurityScanning/SecurityScanConfiguration.cs b/Lombiq.Tests.UI/SecurityScanning/SecurityScanConfiguration.cs
index 963e82c59..8110f181b 100644
--- a/Lombiq.Tests.UI/SecurityScanning/SecurityScanConfiguration.cs
+++ b/Lombiq.Tests.UI/SecurityScanning/SecurityScanConfiguration.cs
@@ -179,7 +179,7 @@ public SecurityScanConfiguration DisableScanRuleForUrlWithRegex(string urlRegex,
     /// </param>
     /// <remarks><para>
     /// Marking a rule as false positive helps the development of ZAP by collecting which rules have the highest false
-    /// positive rate (see <a href="https://www.zaproxy.org/faq/how-do-i-handle-a-false-positive/">the FAQ</a>).
+    /// positive rate (see <see href="https://www.zaproxy.org/faq/how-do-i-handle-a-false-positive/">the FAQ</see>).
     /// </para></remarks>
     public SecurityScanConfiguration MarkScanRuleAsFalsePositiveForUrlWithRegex(string urlRegex, int ruleId, string justification)
     {

From 43a782d5b2d83dc9da90111768fbe76502fadd03 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A1ra=20El-Saig?= <sara.el-saig@lombiq.com>
Date: Fri, 12 Jan 2024 03:01:44 +0100
Subject: [PATCH 58/87] Make error page scanning optional.

---
 .../SecurityScanning/SecurityScanningConfiguration.cs       | 6 ++++++
 .../SecurityScanningUITestContextExtensions.cs              | 2 ++
 2 files changed, 8 insertions(+)

diff --git a/Lombiq.Tests.UI/SecurityScanning/SecurityScanningConfiguration.cs b/Lombiq.Tests.UI/SecurityScanning/SecurityScanningConfiguration.cs
index 847a5fc69..23b6322ca 100644
--- a/Lombiq.Tests.UI/SecurityScanning/SecurityScanningConfiguration.cs
+++ b/Lombiq.Tests.UI/SecurityScanning/SecurityScanningConfiguration.cs
@@ -32,6 +32,12 @@ public class SecurityScanningConfiguration
     /// </summary>
     public Action<UITestContext, SarifLog> AssertSecurityScanResult { get; set; } = AssertSecurityScanHasNoAlerts;
 
+    /// <summary>
+    /// Gets a value indicating whether the security scan should not visit the <see cref="ErrorController"/> to test
+    /// for correct error handling. This is achieved by running the scan a second time without leaving that page.
+    /// </summary>
+    public bool DontScanErrorPage { get; private set; }
+
     public static readonly Action<UITestContext, SarifLog> AssertSecurityScanHasNoAlerts = (_, sarifLog) =>
     {
         var errors = sarifLog
diff --git a/Lombiq.Tests.UI/SecurityScanning/SecurityScanningUITestContextExtensions.cs b/Lombiq.Tests.UI/SecurityScanning/SecurityScanningUITestContextExtensions.cs
index c6355372d..b257d0364 100644
--- a/Lombiq.Tests.UI/SecurityScanning/SecurityScanningUITestContextExtensions.cs
+++ b/Lombiq.Tests.UI/SecurityScanning/SecurityScanningUITestContextExtensions.cs
@@ -179,6 +179,8 @@ async Task RunAndAssertSecurityScanInnerAsync(Uri startUri, Action<SecurityScanC
 
         await RunAndAssertSecurityScanInnerAsync(startUri: null, configure);
 
+        if (configuration.DontScanErrorPage) return;
+
         // Verify that error page handling also works by visiting a known error page with no logging.
         var errorUrl = context.GetAbsoluteUri(context.GetRelativeUrlOfAction<ErrorController>(controller => controller.Index()));
         await context.DoWithoutAppLogAssertionAsync(() => RunAndAssertSecurityScanInnerAsync(

From e94c0056b77b7ca6ffbb492b99919ec167e49e19 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A1ra=20El-Saig?= <sara.el-saig@lombiq.com>
Date: Fri, 12 Jan 2024 03:47:04 +0100
Subject: [PATCH 59/87] Use STJ.

---
 .../SecurityScanning/SecurityScanningConfiguration.cs         | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Lombiq.Tests.UI/SecurityScanning/SecurityScanningConfiguration.cs b/Lombiq.Tests.UI/SecurityScanning/SecurityScanningConfiguration.cs
index 23b6322ca..ca885d642 100644
--- a/Lombiq.Tests.UI/SecurityScanning/SecurityScanningConfiguration.cs
+++ b/Lombiq.Tests.UI/SecurityScanning/SecurityScanningConfiguration.cs
@@ -1,9 +1,9 @@
 using Lombiq.Tests.UI.Services;
 using Microsoft.CodeAnalysis.Sarif;
-using Newtonsoft.Json;
 using Shouldly;
 using System;
 using System.Linq;
+using System.Text.Json;
 using System.Threading.Tasks;
 using YamlDotNet.RepresentationModel;
 
@@ -55,6 +55,6 @@ public class SecurityScanningConfiguration
             })
             .ToList();
 
-        errors.ShouldBeEmpty(JsonConvert.SerializeObject(errors));
+        errors.ShouldBeEmpty(JsonSerializer.Serialize(errors));
     };
 }

From 1b71ab716af5b620370fca06948d392ee0293d3d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A1ra=20El-Saig?= <sara.el-saig@lombiq.com>
Date: Fri, 12 Jan 2024 03:48:53 +0100
Subject: [PATCH 60/87] Update
 Lombiq.Tests.UI/Services/OrchardCoreUITestExecutorConfiguration.cs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: Zoltán Lehóczky <zoltan.lehoczky@lombiq.com>
---
 .../Services/OrchardCoreUITestExecutorConfiguration.cs          | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Lombiq.Tests.UI/Services/OrchardCoreUITestExecutorConfiguration.cs b/Lombiq.Tests.UI/Services/OrchardCoreUITestExecutorConfiguration.cs
index 6678e4728..3bc90c8d2 100644
--- a/Lombiq.Tests.UI/Services/OrchardCoreUITestExecutorConfiguration.cs
+++ b/Lombiq.Tests.UI/Services/OrchardCoreUITestExecutorConfiguration.cs
@@ -211,7 +211,7 @@ public void AssertBrowserLogMaybe(IList<LogEntry> browserLogs, Action<string> lo
 
     /// <summary>
     /// Similar to <see cref="AssertAppLogsCanContainWarningsAsync"/>, but also permits certain <c>|ERROR</c> log
-    /// entries which represent correct reaction to incorrect or malicious user behavior during a security scan.
+    /// entries which represent correct reactions to incorrect or malicious user behavior during a security scan.
     /// </summary>
     public static Func<IWebApplicationInstance, Task> UseAssertAppLogsForSecurityScan(params string[] additionalPermittedErrorLines)
     {

From 9ca337f56c73fc41a04f401fb3947367318cf480 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A1ra=20El-Saig?= <sara.el-saig@lombiq.com>
Date: Fri, 12 Jan 2024 03:55:36 +0100
Subject: [PATCH 61/87] More info on build-and-test-orchard-core.

---
 Lombiq.Tests.UI/Docs/SecurityScanning.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/Lombiq.Tests.UI/Docs/SecurityScanning.md b/Lombiq.Tests.UI/Docs/SecurityScanning.md
index a29b4c345..835571dfa 100644
--- a/Lombiq.Tests.UI/Docs/SecurityScanning.md
+++ b/Lombiq.Tests.UI/Docs/SecurityScanning.md
@@ -30,6 +30,7 @@ This is because the Docker installation is configured to use Windows images, whi
 ```
   call-build-and-test-workflow-windows:
     name: Build and Test
+    # See https://github.com/Lombiq/GitHub-Actions/blob/dev/.github/workflows/build-and-test-orchard-core.yml.
     uses: Lombiq/GitHub-Actions/.github/workflows/build-and-test-orchard-core.yml@dev
     with:
       machine-types: '["windows-latest"]'

From d85b2002e3f3fcd4e99efbd5baa56eb53a8d1d0f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A1ra=20El-Saig?= <sara.el-saig@lombiq.com>
Date: Fri, 12 Jan 2024 03:59:53 +0100
Subject: [PATCH 62/87] Update workflow name convention.

---
 Lombiq.Tests.UI/Docs/SecurityScanning.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Lombiq.Tests.UI/Docs/SecurityScanning.md b/Lombiq.Tests.UI/Docs/SecurityScanning.md
index 835571dfa..b9fc3f4c1 100644
--- a/Lombiq.Tests.UI/Docs/SecurityScanning.md
+++ b/Lombiq.Tests.UI/Docs/SecurityScanning.md
@@ -28,7 +28,7 @@ On Windows-based GitHub runners the security tests always fail with the followin
 
 This is because the Docker installation is configured to use Windows images, while the [ZAP docker image](https://hub.docker.com/r/softwaresecurityproject/zap-stable/tags) is only available for Linux. If you rely on our [Lombiq GitHub Actions](https://github.com/Lombiq/GitHub-Actions) then you can configure it like this to disable a test, in this case `SecurityScanningTests`:
 ```
-  call-build-and-test-workflow-windows:
+  build-and-test:
     name: Build and Test
     # See https://github.com/Lombiq/GitHub-Actions/blob/dev/.github/workflows/build-and-test-orchard-core.yml.
     uses: Lombiq/GitHub-Actions/.github/workflows/build-and-test-orchard-core.yml@dev

From 3e631a2dcff7062d33b731fa034a65e031565662 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A1ra=20El-Saig?= <sara.el-saig@lombiq.com>
Date: Fri, 12 Jan 2024 04:29:03 +0100
Subject: [PATCH 63/87] Code styling.

---
 Lombiq.Tests.UI/Docs/SecurityScanning.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/Lombiq.Tests.UI/Docs/SecurityScanning.md b/Lombiq.Tests.UI/Docs/SecurityScanning.md
index b9fc3f4c1..8cf077367 100644
--- a/Lombiq.Tests.UI/Docs/SecurityScanning.md
+++ b/Lombiq.Tests.UI/Docs/SecurityScanning.md
@@ -27,7 +27,8 @@ On Windows-based GitHub runners the security tests always fail with the followin
 > no matching manifest for windows/amd64 10.0.20348 in the manifest list entries.
 
 This is because the Docker installation is configured to use Windows images, while the [ZAP docker image](https://hub.docker.com/r/softwaresecurityproject/zap-stable/tags) is only available for Linux. If you rely on our [Lombiq GitHub Actions](https://github.com/Lombiq/GitHub-Actions) then you can configure it like this to disable a test, in this case `SecurityScanningTests`:
-```
+
+```yaml
   build-and-test:
     name: Build and Test
     # See https://github.com/Lombiq/GitHub-Actions/blob/dev/.github/workflows/build-and-test-orchard-core.yml.

From 50817fbcdb6560b1e278a97c12ef0917a3432c5a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A1ra=20El-Saig?= <sara.el-saig@lombiq.com>
Date: Fri, 12 Jan 2024 10:56:50 +0100
Subject: [PATCH 64/87] Add missing using.

---
 .../SecurityScanning/SecurityScanningConfiguration.cs            | 1 +
 1 file changed, 1 insertion(+)

diff --git a/Lombiq.Tests.UI/SecurityScanning/SecurityScanningConfiguration.cs b/Lombiq.Tests.UI/SecurityScanning/SecurityScanningConfiguration.cs
index ca885d642..993c6daf2 100644
--- a/Lombiq.Tests.UI/SecurityScanning/SecurityScanningConfiguration.cs
+++ b/Lombiq.Tests.UI/SecurityScanning/SecurityScanningConfiguration.cs
@@ -1,4 +1,5 @@
 using Lombiq.Tests.UI.Services;
+using Lombiq.Tests.UI.Shortcuts.Controllers;
 using Microsoft.CodeAnalysis.Sarif;
 using Shouldly;
 using System;

From 0c2bbcf1a9533b2fd889a7a952e00f02daea97ee Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A1ra=20El-Saig?= <sara.el-saig@lombiq.com>
Date: Fri, 12 Jan 2024 11:09:55 +0100
Subject: [PATCH 65/87] Use configuration to initialize the start URL.

---
 ...SecurityScanningUITestContextExtensions.cs | 34 ++++++++-----------
 1 file changed, 14 insertions(+), 20 deletions(-)

diff --git a/Lombiq.Tests.UI/SecurityScanning/SecurityScanningUITestContextExtensions.cs b/Lombiq.Tests.UI/SecurityScanning/SecurityScanningUITestContextExtensions.cs
index b257d0364..d27f274e4 100644
--- a/Lombiq.Tests.UI/SecurityScanning/SecurityScanningUITestContextExtensions.cs
+++ b/Lombiq.Tests.UI/SecurityScanning/SecurityScanningUITestContextExtensions.cs
@@ -155,12 +155,12 @@ public static async Task RunAndAssertSecurityScanAsync(
         Action<SarifLog> assertSecurityScanResult = null)
     {
         var configuration = context.Configuration.SecurityScanningConfiguration ?? new SecurityScanningConfiguration();
-        async Task RunAndAssertSecurityScanInnerAsync(Uri startUri, Action<SecurityScanConfiguration> configure)
+        async Task RunAndAssertSecurityScanInnerAsync(Action<SecurityScanConfiguration> configure)
         {
             SecurityScanResult result = null;
             try
             {
-                result = await context.RunSecurityScanAsync(automationFrameworkYamlPath, configure, startUri);
+                result = await context.RunSecurityScanAsync(automationFrameworkYamlPath, configure);
 
                 if (assertSecurityScanResult != null) assertSecurityScanResult(result.SarifLog);
                 else configuration.AssertSecurityScanResult(context, result.SarifLog);
@@ -177,26 +177,26 @@ async Task RunAndAssertSecurityScanInnerAsync(Uri startUri, Action<SecurityScanC
             }
         }
 
-        await RunAndAssertSecurityScanInnerAsync(startUri: null, configure);
+        await RunAndAssertSecurityScanInnerAsync(configure);
 
         if (configuration.DontScanErrorPage) return;
 
         // Verify that error page handling also works by visiting a known error page with no logging.
         var errorUrl = context.GetAbsoluteUri(context.GetRelativeUrlOfAction<ErrorController>(controller => controller.Index()));
-        await context.DoWithoutAppLogAssertionAsync(() => RunAndAssertSecurityScanInnerAsync(
-            startUri: errorUrl,
-            scanConfiguration =>
-            {
-                configure?.Invoke(scanConfiguration);
+        await context.DoWithoutAppLogAssertionAsync(() => RunAndAssertSecurityScanInnerAsync(scanConfiguration =>
+        {
+            configure?.Invoke(scanConfiguration);
 
-                // Configure this scan to only visit the target page.
-                scanConfiguration.ModifyZapPlan(plan =>
+            // Configure this scan to only visit the target page.
+            scanConfiguration
+                .StartAtUri(errorUrl)
+                .ModifyZapPlan(plan =>
                 {
                     plan.SetSpiderParameter("maxDepth", 1.ToTechnicalString());
                     plan.SetSpiderParameter("maxChildren", 2.ToTechnicalString());
                     plan.SetActiveScanParameter("recurse", "false");
                 });
-            }));
+        }));
     }
 
     /// <summary>
@@ -207,10 +207,6 @@ await context.DoWithoutAppLogAssertionAsync(() => RunAndAssertSecurityScanInnerA
     /// <see href="https://www.zaproxy.org/docs/automate/automation-framework/"/> for details.
     /// </param>
     /// <param name="configure">A delegate to configure the security scan in detail.</param>
-    /// <param name="startUri">
-    /// The address where the scan should start. If <see langword="null"/> is used then the current browser location
-    /// will be used via <see cref="NavigationUITestContextExtensions.GetCurrentUri"/>.
-    /// </param>
     /// <returns>
     /// A <see cref="SecurityScanResult"/> instance containing the SARIF (<see
     /// href="https://sarifweb.azurewebsites.net/"/>) report of the scan.
@@ -218,12 +214,10 @@ await context.DoWithoutAppLogAssertionAsync(() => RunAndAssertSecurityScanInnerA
     public static Task<SecurityScanResult> RunSecurityScanAsync(
         this UITestContext context,
         string automationFrameworkYamlPath,
-        Action<SecurityScanConfiguration> configure = null,
-        Uri startUri = null)
+        Action<SecurityScanConfiguration> configure = null)
     {
-        var configuration = new SecurityScanConfiguration();
-
-        configuration.StartAtUri(startUri ?? context.GetCurrentUri());
+        var configuration = new SecurityScanConfiguration()
+            .StartAtUri(context.GetCurrentUri());
 
         // By default ignore /vendor/ or /vendors/ URLs. This is case-insensitive. We have no control over them, and
         // they may contain several false positives (e.g. in font-awesome)..

From 1d07bc8b4efb6592f45009d9c3cf4574dd8c1dc6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A1ra=20El-Saig?= <sara.el-saig@lombiq.com>
Date: Fri, 12 Jan 2024 11:48:01 +0100
Subject: [PATCH 66/87] Update HL nuget.

---
 Lombiq.Tests.UI.Shortcuts/Lombiq.Tests.UI.Shortcuts.csproj | 2 +-
 Lombiq.Tests.UI/Lombiq.Tests.UI.csproj                     | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/Lombiq.Tests.UI.Shortcuts/Lombiq.Tests.UI.Shortcuts.csproj b/Lombiq.Tests.UI.Shortcuts/Lombiq.Tests.UI.Shortcuts.csproj
index 7e3a8ea09..d077d6b04 100644
--- a/Lombiq.Tests.UI.Shortcuts/Lombiq.Tests.UI.Shortcuts.csproj
+++ b/Lombiq.Tests.UI.Shortcuts/Lombiq.Tests.UI.Shortcuts.csproj
@@ -50,7 +50,7 @@
   </ItemGroup>
 
   <ItemGroup Condition="'$(NuGetBuild)' == 'true'">
-    <PackageReference Include="Lombiq.HelpfulLibraries.OrchardCore" Version="8.1.1-alpha.4.tdeal-16" />
+    <PackageReference Include="Lombiq.HelpfulLibraries.OrchardCore" Version="8.1.1-alpha.5.tdeal-16" />
   </ItemGroup>
 
 </Project>
diff --git a/Lombiq.Tests.UI/Lombiq.Tests.UI.csproj b/Lombiq.Tests.UI/Lombiq.Tests.UI.csproj
index f5ea006ec..ff194d3d3 100644
--- a/Lombiq.Tests.UI/Lombiq.Tests.UI.csproj
+++ b/Lombiq.Tests.UI/Lombiq.Tests.UI.csproj
@@ -103,9 +103,9 @@
 
   <ItemGroup Condition="'$(NuGetBuild)' == 'true'">
     <PackageReference Include="Lombiq.Tests" Version="2.2.5" />
-    <PackageReference Include="Lombiq.HelpfulLibraries.Cli" Version="8.1.1-alpha.4.tdeal-16" />
-    <PackageReference Include="Lombiq.HelpfulLibraries.OrchardCore" Version="8.1.1-alpha.4.tdeal-16" />
-    <PackageReference Include="Lombiq.HelpfulLibraries.Refit" Version="8.1.1-alpha.4.tdeal-16" />
+    <PackageReference Include="Lombiq.HelpfulLibraries.Cli" Version="8.1.1-alpha.5.tdeal-16" />
+    <PackageReference Include="Lombiq.HelpfulLibraries.OrchardCore" Version="8.1.1-alpha.5.tdeal-16" />
+    <PackageReference Include="Lombiq.HelpfulLibraries.Refit" Version="8.1.1-alpha.5.tdeal-16" />
     <PackageReference Include="Lombiq.Npm.Targets" Version="1.4.0" />
   </ItemGroup>
 

From 7328baa7046777e19be078be07914fb51b1109de Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A1ra=20El-Saig?= <sara.el-saig@lombiq.com>
Date: Sat, 13 Jan 2024 01:32:01 +0100
Subject: [PATCH 67/87] Add ShouldBeEmptyWhen extension method.

---
 .../Extensions/ShouldlyExtensions.cs          | 39 +++++++++++++++++++
 .../SecurityScanningConfiguration.cs          | 17 +++-----
 2 files changed, 44 insertions(+), 12 deletions(-)

diff --git a/Lombiq.Tests.UI/Extensions/ShouldlyExtensions.cs b/Lombiq.Tests.UI/Extensions/ShouldlyExtensions.cs
index 3b6162b11..905acb09c 100644
--- a/Lombiq.Tests.UI/Extensions/ShouldlyExtensions.cs
+++ b/Lombiq.Tests.UI/Extensions/ShouldlyExtensions.cs
@@ -1,4 +1,8 @@
+using System;
+using System.Collections.Generic;
 using System.Diagnostics.CodeAnalysis;
+using System.Linq;
+using System.Text.Json;
 
 namespace Shouldly;
 
@@ -17,4 +21,39 @@ public static void ShouldBeAsString(this object actual, object expected, string
 
         actualText.ShouldBe(expected?.ToString(), customMessage);
     }
+
+    /// <summary>
+    /// Filters the provided <paramref name="enumerable"/> by the <paramref name="condition"/>. If the result is not
+    /// empty, a <see cref="ShouldAssertException"/> is thrown. A JSON serialized string of the results is provided as
+    /// the custom message of the exception.
+    /// </summary>
+    /// <remarks><para>
+    /// This extension method is similar to <c>enumerable.ShouldNotContain(condition)</c>, but it offers much better
+    /// developer experience because all the offending items are listed right there in the exception message. The
+    /// overhead is minimal during non-exceptional operation (only the creation of an empty list), and it's well worth
+    /// the added clarity during failure.
+    /// </para></remarks>
+    public static void ShouldBeEmptyWhen<TItem>(
+        this IEnumerable<TItem> enumerable,
+        Func<TItem, bool> condition) =>
+        enumerable.ShouldBeEmptyWhen<TItem, TItem>(condition, messageTransform: null);
+
+    /// <inheritdoc cref="ShouldBeEmptyWhen{TItem}"/>
+    /// <param name="messageTransform">
+    /// When not <see langword="null"/>, the results are transformed with this method before they
+    /// are serialized into JSON.
+    /// </param>
+    public static void ShouldBeEmptyWhen<TItem, TMessage>(
+        this IEnumerable<TItem> enumerable,
+        Func<TItem, bool> condition,
+        Func<TItem, TMessage> messageTransform)
+    {
+        var results = enumerable.Where(condition).ToList();
+        if (!results.Any()) return;
+
+        var message = messageTransform == null
+            ? JsonSerializer.Serialize(results)
+            : JsonSerializer.Serialize(results.Select(messageTransform));
+        results.ShouldBeEmpty(message); // This will always throw at this point.
+    }
 }
diff --git a/Lombiq.Tests.UI/SecurityScanning/SecurityScanningConfiguration.cs b/Lombiq.Tests.UI/SecurityScanning/SecurityScanningConfiguration.cs
index 993c6daf2..1e086ada9 100644
--- a/Lombiq.Tests.UI/SecurityScanning/SecurityScanningConfiguration.cs
+++ b/Lombiq.Tests.UI/SecurityScanning/SecurityScanningConfiguration.cs
@@ -40,22 +40,15 @@ public class SecurityScanningConfiguration
     public bool DontScanErrorPage { get; private set; }
 
     public static readonly Action<UITestContext, SarifLog> AssertSecurityScanHasNoAlerts = (_, sarifLog) =>
-    {
-        var errors = sarifLog
-            .Runs[0]
-            .Results
-            .Where(result =>
+        sarifLog.Runs[0].Results.ShouldBeEmptyWhen(
+            result =>
                 result.Kind == ResultKind.Fail &&
                 result.Level != FailureLevel.None &&
-                result.Level != FailureLevel.Note)
-            .Select(result => new
+                result.Level != FailureLevel.Note,
+            result => new
             {
                 Kind = result.Kind.ToString(),
                 Level = result.Level.ToString(),
                 Details = result,
-            })
-            .ToList();
-
-        errors.ShouldBeEmpty(JsonSerializer.Serialize(errors));
-    };
+            });
 }

From ab5cd4494a32eda4c7b89834e3c8c616c115e66b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A1ra=20El-Saig?= <sara.el-saig@lombiq.com>
Date: Sat, 13 Jan 2024 01:59:23 +0100
Subject: [PATCH 68/87] Refactor AddDisableRuleFilter,

---
 .../YamlDocumentExtensions.cs                 | 78 +++++++++++++------
 1 file changed, 53 insertions(+), 25 deletions(-)

diff --git a/Lombiq.Tests.UI/SecurityScanning/YamlDocumentExtensions.cs b/Lombiq.Tests.UI/SecurityScanning/YamlDocumentExtensions.cs
index 4743c2605..73c031719 100644
--- a/Lombiq.Tests.UI/SecurityScanning/YamlDocumentExtensions.cs
+++ b/Lombiq.Tests.UI/SecurityScanning/YamlDocumentExtensions.cs
@@ -211,27 +211,7 @@ public static YamlDocument ConfigureActiveScanRule(
     /// Adds an <see href="https://www.zaproxy.org/docs/desktop/addons/alert-filters/">Alert Filter</see> to the ZAP
     /// Automation Framework plan.
     /// </summary>
-    /// <param name="ruleId">The ID of the rule. In the scan report, this is usually displayed as "Plugin Id".</param>
-    /// <param name="urlMatchingRegexPattern">
-    /// A regular expression pattern to match URLs against. This should be a regex pattern that matches the whole
-    /// absolute URL, so something like ".*blog.*" to match /blog, /blog/my-post, etc.
-    /// </param>
-    /// <param name="ruleName">
-    /// The human-readable name of the rule. Not required to turn off the rule, and its value doesn't matter. It's just
-    /// useful for the readability of the method call. If <paramref name="isFalsePositive"/> is <see langword="true"/>,
-    /// write the justification here as well.
-    /// </param>
-    /// <param name="isFalsePositive">
-    /// If you disable the rule because it's a false positive, then set this to <see langword="true"/>. This helps the
-    /// development of ZAP by collecting which rules have the highest false positive rate (see <see
-    /// href="https://www.zaproxy.org/faq/how-do-i-handle-a-false-positive/"/>).
-    /// </param>
-    public static YamlDocument AddAlertFilter(
-        this YamlDocument yamlDocument,
-        string urlMatchingRegexPattern,
-        int ruleId,
-        string ruleName = "",
-        bool isFalsePositive = false)
+    public static YamlDocument AddAlertFilter(this YamlDocument yamlDocument, YamlMappingNode filter)
     {
         var jobs = yamlDocument.GetJobs();
 
@@ -248,18 +228,66 @@ public static YamlDocument AddAlertFilter(
             jobs.Children.Insert(passiveScanConfigIndex + 1, alertFilterJob);
         }
 
-        alertFilterJob.GetOrAddNode<YamlSequenceNode>("alertFilters").Add(new YamlMappingNode
+        alertFilterJob.GetOrAddNode<YamlSequenceNode>("alertFilters").Add(filter);
+        return yamlDocument;
+    }
+
+    /// <summary>
+    /// Adds an <see href="https://www.zaproxy.org/docs/desktop/addons/alert-filters/">Alert Filter</see> to the ZAP
+    /// Automation Framework plan.
+    /// </summary>
+    /// <param name="ruleId">The ID of the rule. In the scan report, this is usually displayed as "Plugin Id".</param>
+    /// <param name="urlMatchingRegexPattern">
+    /// A regular expression pattern to match URLs against. This should be a regex pattern that matches the whole
+    /// absolute URL, so something like ".*blog.*" to match /blog, /blog/my-post, etc.
+    /// </param>
+    /// <param name="ruleName">
+    /// The human-readable name of the rule. Not required to turn off the rule, and its value doesn't matter. It's just
+    /// useful for the readability of the method call.
+    /// </param>
+    public static YamlDocument AddDisableRuleFilter(
+        this YamlDocument yamlDocument,
+        string urlMatchingRegexPattern,
+        int ruleId,
+        string ruleName,
+        Action<YamlMappingNode> configureFilter = null)
+    {
+        var alertFilter = new YamlMappingNode
         {
             { "ruleId", ruleId.ToTechnicalString() },
             { "ruleName", ruleName },
             { "url", urlMatchingRegexPattern },
             { "urlRegex", "true" },
-            { "newRisk", isFalsePositive ? "False Positive" : "Info" },
-        });
+            { "newRisk", "Info" },
+        };
 
-        return yamlDocument;
+        configureFilter?.Invoke(alertFilter);
+
+        return yamlDocument.AddAlertFilter(alertFilter);
     }
 
+    /// <inheritdoc cref="AddDisableRuleFilter"/>
+    /// <param name="justification">
+    /// An informational text explaining why the alert in question is false positive. This helps the development of ZAP
+    /// by collecting which rules have the highest false positive rate (see <see
+    /// href="https://www.zaproxy.org/faq/how-do-i-handle-a-false-positive/"/>).
+    /// </param>
+    public static YamlDocument AddFalsePositiveRuleFilter(
+        this YamlDocument yamlDocument,
+        string urlMatchingRegexPattern,
+        int ruleId,
+        string ruleName,
+        string justification,
+        Action<YamlMappingNode> configureFilter = null) =>
+        yamlDocument.AddDisableRuleFilter(
+            urlMatchingRegexPattern,
+            ruleId, $"{ruleName}: {justification}",
+            node =>
+            {
+                configureFilter?.Invoke(node);
+                node.Children["newRisk"] = "False Positive";
+            });
+
     /// <summary>
     /// Adds a "requestor" job to the ZAP Automation Framework plan just before the job named "spider".
     /// </summary>

From 4b1b773db43307ece07b2638736b7dffb5b918c2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A1ra=20El-Saig?= <sara.el-saig@lombiq.com>
Date: Sat, 13 Jan 2024 02:00:19 +0100
Subject: [PATCH 69/87] False positives should contain both the name and
 justification.

---
 .../SecurityScanConfiguration.cs               | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)

diff --git a/Lombiq.Tests.UI/SecurityScanning/SecurityScanConfiguration.cs b/Lombiq.Tests.UI/SecurityScanning/SecurityScanConfiguration.cs
index 8110f181b..e9ff33224 100644
--- a/Lombiq.Tests.UI/SecurityScanning/SecurityScanConfiguration.cs
+++ b/Lombiq.Tests.UI/SecurityScanning/SecurityScanConfiguration.cs
@@ -28,7 +28,7 @@ public class SecurityScanConfiguration
     private readonly Dictionary<ScanRule, (ScanRuleThreshold Threshold, ScanRuleStrength Strength)> _configuredActiveScanRules = new();
     private readonly List<ScanRule> _disabledPassiveScanRules = new();
     private readonly List<(string Url, int Id, string RuleName)> _disabledRulesForUrls = new();
-    private readonly List<(string Url, int Id, string Justification)> _falsePositives = new();
+    private readonly List<(string Url, int Id, string RuleName, string Justification)> _falsePositives = new();
     private readonly List<Func<YamlDocument, Task>> _zapPlanModifiers = new();
 
     public Uri StartUri { get; private set; }
@@ -174,6 +174,10 @@ public SecurityScanConfiguration DisableScanRuleForUrlWithRegex(string urlRegex,
     /// will match https://example.com/blog, https://example.com/blog/my-post, etc.
     /// </param>
     /// <param name="ruleId">The ID of the rule. In the scan report, this is usually displayed as "Plugin Id".</param>
+    /// <param name="ruleName">
+    /// The human-readable name of the rule. Not required to turn off the rule, and its value doesn't matter. It's just
+    /// useful for the readability of the method call.
+    /// </param>
     /// <param name="justification">
     /// A human-readable explanation of why the alert is false positive.
     /// </param>
@@ -181,14 +185,18 @@ public SecurityScanConfiguration DisableScanRuleForUrlWithRegex(string urlRegex,
     /// Marking a rule as false positive helps the development of ZAP by collecting which rules have the highest false
     /// positive rate (see <see href="https://www.zaproxy.org/faq/how-do-i-handle-a-false-positive/">the FAQ</see>).
     /// </para></remarks>
-    public SecurityScanConfiguration MarkScanRuleAsFalsePositiveForUrlWithRegex(string urlRegex, int ruleId, string justification)
+    public SecurityScanConfiguration MarkScanRuleAsFalsePositiveForUrlWithRegex(
+        string urlRegex,
+        int ruleId,
+        string ruleName,
+        string justification)
     {
         if (string.IsNullOrWhiteSpace(justification))
         {
             throw new InvalidOperationException("Please provide a justification for disabling this alert!");
         }
 
-        _falsePositives.Add((urlRegex, ruleId, justification));
+        _falsePositives.Add((urlRegex, ruleId, ruleName, justification));
         return this;
     }
 
@@ -274,8 +282,8 @@ internal async Task ApplyToPlanAsync(YamlDocument yamlDocument, UITestContext co
         }
 
         foreach (var rule in _disabledPassiveScanRules) yamlDocument.DisablePassiveScanRule(rule.Id, rule.Name);
-        foreach (var (url, id, name) in _disabledRulesForUrls) yamlDocument.AddAlertFilter(url, id, name);
-        foreach (var (url, id, justification) in _falsePositives) yamlDocument.AddAlertFilter(url, id, justification, isFalsePositive: true);
+        foreach (var (url, id, name) in _disabledRulesForUrls) yamlDocument.AddDisableRuleFilter(url, id, name);
+        foreach (var (url, id, name, justification) in _falsePositives) yamlDocument.AddFalsePositiveRuleFilter(url, id, name, justification);
         foreach (var modifier in _zapPlanModifiers) await modifier(yamlDocument);
     }
 

From 2461d215adc8e52c1d1d6b542c0f5ec4bcc999b8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A1ra=20El-Saig?= <sara.el-saig@lombiq.com>
Date: Sat, 13 Jan 2024 02:03:50 +0100
Subject: [PATCH 70/87] Add optional jsonSerializerOptions.

---
 Lombiq.Tests.UI/Extensions/ShouldlyExtensions.cs | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/Lombiq.Tests.UI/Extensions/ShouldlyExtensions.cs b/Lombiq.Tests.UI/Extensions/ShouldlyExtensions.cs
index 905acb09c..62d14fcc1 100644
--- a/Lombiq.Tests.UI/Extensions/ShouldlyExtensions.cs
+++ b/Lombiq.Tests.UI/Extensions/ShouldlyExtensions.cs
@@ -35,8 +35,9 @@ public static void ShouldBeAsString(this object actual, object expected, string
     /// </para></remarks>
     public static void ShouldBeEmptyWhen<TItem>(
         this IEnumerable<TItem> enumerable,
-        Func<TItem, bool> condition) =>
-        enumerable.ShouldBeEmptyWhen<TItem, TItem>(condition, messageTransform: null);
+        Func<TItem, bool> condition,
+        JsonSerializerOptions jsonSerializerOptions = null) =>
+        enumerable.ShouldBeEmptyWhen<TItem, TItem>(condition, messageTransform: null, jsonSerializerOptions);
 
     /// <inheritdoc cref="ShouldBeEmptyWhen{TItem}"/>
     /// <param name="messageTransform">
@@ -46,14 +47,15 @@ public static void ShouldBeEmptyWhen<TItem>(
     public static void ShouldBeEmptyWhen<TItem, TMessage>(
         this IEnumerable<TItem> enumerable,
         Func<TItem, bool> condition,
-        Func<TItem, TMessage> messageTransform)
+        Func<TItem, TMessage> messageTransform,
+        JsonSerializerOptions jsonSerializerOptions)
     {
         var results = enumerable.Where(condition).ToList();
         if (!results.Any()) return;
 
         var message = messageTransform == null
-            ? JsonSerializer.Serialize(results)
-            : JsonSerializer.Serialize(results.Select(messageTransform));
+            ? JsonSerializer.Serialize(results, jsonSerializerOptions)
+            : JsonSerializer.Serialize(results.Select(messageTransform), jsonSerializerOptions);
         results.ShouldBeEmpty(message); // This will always throw at this point.
     }
 }

From 573eaccc8ab78a66f65d98d5e92a03cc8be479c6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A1ra=20El-Saig?= <sara.el-saig@lombiq.com>
Date: Sat, 13 Jan 2024 02:04:44 +0100
Subject: [PATCH 71/87] Update
 Lombiq.Tests.UI/SecurityScanning/SecurityScanConfiguration.cs

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
---
 Lombiq.Tests.UI/SecurityScanning/SecurityScanConfiguration.cs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Lombiq.Tests.UI/SecurityScanning/SecurityScanConfiguration.cs b/Lombiq.Tests.UI/SecurityScanning/SecurityScanConfiguration.cs
index e9ff33224..b0c5a3292 100644
--- a/Lombiq.Tests.UI/SecurityScanning/SecurityScanConfiguration.cs
+++ b/Lombiq.Tests.UI/SecurityScanning/SecurityScanConfiguration.cs
@@ -191,7 +191,7 @@ public SecurityScanConfiguration MarkScanRuleAsFalsePositiveForUrlWithRegex(
         string ruleName,
         string justification)
     {
-        if (string.IsNullOrWhiteSpace(justification))
+        if (string.IsNullOrWhiteSpace(justification?.Trim()))
         {
             throw new InvalidOperationException("Please provide a justification for disabling this alert!");
         }

From 3f1a389f9157c86547ba420fc7c8245d1249e68f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A1ra=20El-Saig?= <sara.el-saig@lombiq.com>
Date: Sat, 13 Jan 2024 02:39:28 +0100
Subject: [PATCH 72/87] Update SecurityScanWithCustomConfigurationShouldPass
 and its comments.

---
 .../Tests/SecurityScanningTests.cs            | 31 +++++++++----------
 1 file changed, 14 insertions(+), 17 deletions(-)

diff --git a/Lombiq.Tests.UI.Samples/Tests/SecurityScanningTests.cs b/Lombiq.Tests.UI.Samples/Tests/SecurityScanningTests.cs
index 7d3e83afe..a37b3df10 100644
--- a/Lombiq.Tests.UI.Samples/Tests/SecurityScanningTests.cs
+++ b/Lombiq.Tests.UI.Samples/Tests/SecurityScanningTests.cs
@@ -44,21 +44,19 @@ public Task BasicSecurityScanShouldPass() =>
 
     // Time for some custom configuration! While this scan also runs the Baseline scan, it does this with several
     // adjustments:
-    // - Also runs ZAP's Ajax Spider (https://www.zaproxy.org/docs/desktop/addons/ajax-spider/automation/). This is
-    //   usually not just unnecessary for a website that's not an SPA, but also slows the scan down by a lot. However,
-    //   if you have an SPA, you need to use it.
-    // - Excludes certain URLs from the scan completely. Use this if you don't want ZAP to process certain URLs at all.
-    // - Disables the "The response does not include either Content-Security-Policy with 'frame-ancestors' directive."
-    //   alert of ZAP's passive scan for the whole scan.
-    // - Also disables the "Content Security Policy (CSP) Header Not Set" rule but only for the /about page. Use this to
-    //   disable rules more specifically instead of the whole scan.
-    // - Configures sign in with a user account. This is what the scan will start with. With the Blog recipe it doesn't
-    //   matter too much, since nothing on the frontend will change, but you can use this to scan authenticated features
-    //   too. Note that since ZAP uses its own spider, not the browser accessed by the test, user sessions are not
-    //   shared, so such an explicit sign in is necessary.
-    // - The assertion on the scan results is custom. Use this if you (conditionally) want to assert on the results
-    //   differently from the global context.Configuration.SecurityScanningConfiguration.AssertSecurityScanResult. The
-    //   default there is "no scanning alert is allowed"; we expect some alerts here.
+    // - Also runs ZAP's Ajax Spider (https://www.zaproxy.org/docs/desktop/addons/ajax-spider/automation/). Usually this
+    //   is only necessary for sites that are single page applications (SPA).
+    // - Excludes certain URLs from the scan completely. Use this if you don't want ZAP to process those pages at all.
+    // - Disables one of ZAP's passive scan rules for the whole scan.
+    // - Also disables a rule but only for the /about page. Use this to disable rules more specifically instead of the
+    //   whole scan.
+    // - Configures sign in with a user account. This is what the scan will start with. This doesn't matter much with
+    //   the Blog recipe, because nothing on the frontend will change. You can use this to scan authenticated features
+    //   too. This is necessary because ZAP uses its own spider so it doesn't share session or cookies with the browser.
+    // The suppressions are not actually necessary here. The BasicSecurityScanShouldPass works fine without them. They
+    // are only present to illustrate the type of adjustments you may want for your own site.
+    // After the configuration, you can also configure the assertion that verifies test success. You can see an example
+    // of this in the other test.
     [Fact]
     public Task SecurityScanWithCustomConfigurationShouldPass() =>
         ExecuteTestAfterSetupAsync(
@@ -68,8 +66,7 @@ public Task SecurityScanWithCustomConfigurationShouldPass() =>
                     .ExcludeUrlWithRegex(".*blog.*")
                     .DisablePassiveScanRule(10020, "The response does not include either Content-Security-Policy with 'frame-ancestors' directive.")
                     .DisableScanRuleForUrlWithRegex(".*/about", 10038, "Content Security Policy (CSP) Header Not Set")
-                    .SignIn(),
-                sarifLog => sarifLog.Runs[0].Results.Count.ShouldBeLessThan(34)));
+                    .SignIn()));
 
     // Let's get low-level into ZAP's configuration now. While the .NET configuration API of the Lombiq UI Testing
     // Toolbox covers the most important ways to configure ZAP, sometimes you need more. For this, you have complete

From fdb704c00199d516a7ec8ea3ce4f3afe716357b6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A1ra=20El-Saig?= <sara.el-saig@lombiq.com>
Date: Sat, 13 Jan 2024 02:43:05 +0100
Subject: [PATCH 73/87] Fix missing default parameter.

---
 Lombiq.Tests.UI/Extensions/ShouldlyExtensions.cs                | 2 +-
 .../SecurityScanning/SecurityScanningConfiguration.cs           | 2 --
 2 files changed, 1 insertion(+), 3 deletions(-)

diff --git a/Lombiq.Tests.UI/Extensions/ShouldlyExtensions.cs b/Lombiq.Tests.UI/Extensions/ShouldlyExtensions.cs
index 62d14fcc1..e0b161f38 100644
--- a/Lombiq.Tests.UI/Extensions/ShouldlyExtensions.cs
+++ b/Lombiq.Tests.UI/Extensions/ShouldlyExtensions.cs
@@ -48,7 +48,7 @@ public static void ShouldBeEmptyWhen<TItem, TMessage>(
         this IEnumerable<TItem> enumerable,
         Func<TItem, bool> condition,
         Func<TItem, TMessage> messageTransform,
-        JsonSerializerOptions jsonSerializerOptions)
+        JsonSerializerOptions jsonSerializerOptions = null)
     {
         var results = enumerable.Where(condition).ToList();
         if (!results.Any()) return;
diff --git a/Lombiq.Tests.UI/SecurityScanning/SecurityScanningConfiguration.cs b/Lombiq.Tests.UI/SecurityScanning/SecurityScanningConfiguration.cs
index 1e086ada9..fcfff6f4e 100644
--- a/Lombiq.Tests.UI/SecurityScanning/SecurityScanningConfiguration.cs
+++ b/Lombiq.Tests.UI/SecurityScanning/SecurityScanningConfiguration.cs
@@ -3,8 +3,6 @@
 using Microsoft.CodeAnalysis.Sarif;
 using Shouldly;
 using System;
-using System.Linq;
-using System.Text.Json;
 using System.Threading.Tasks;
 using YamlDotNet.RepresentationModel;
 

From 16c5ca70ee67cb9a728bcb6612a576b94b34ce35 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A1ra=20El-Saig?= <sara.el-saig@lombiq.com>
Date: Sat, 13 Jan 2024 02:51:45 +0100
Subject: [PATCH 74/87] Fix docstrings.

---
 Lombiq.Tests.UI/SecurityScanning/YamlDocumentExtensions.cs | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/Lombiq.Tests.UI/SecurityScanning/YamlDocumentExtensions.cs b/Lombiq.Tests.UI/SecurityScanning/YamlDocumentExtensions.cs
index 73c031719..2cb4f921d 100644
--- a/Lombiq.Tests.UI/SecurityScanning/YamlDocumentExtensions.cs
+++ b/Lombiq.Tests.UI/SecurityScanning/YamlDocumentExtensions.cs
@@ -119,8 +119,7 @@ public static YamlDocument AddExcludePathsRegex(this YamlDocument yamlDocument,
 
     /// <summary>
     /// Disable a certain ZAP passive scan rule for the whole scan in the ZAP Automation Framework plan. If you only
-    /// want to disable a rule for a given page, use <see cref="AddAlertFilter(YamlDocument, string, int, string, bool)"/>
-    /// instead.
+    /// want to disable a rule for a given page, use <see cref="AddDisableRuleFilter"/> instead.
     /// </summary>
     /// <param name="id">The ID of the rule. In the scan report, this is usually displayed as "Plugin Id".</param>
     /// <param name="name">
@@ -144,8 +143,7 @@ public static YamlDocument DisablePassiveScanRule(this YamlDocument yamlDocument
 
     /// <summary>
     /// Disable a certain ZAP active scan rule for the whole scan in the ZAP Automation Framework plan. If you only want
-    /// to disable a rule for a given page, use <see cref="AddAlertFilter(YamlDocument, string, int, string, bool)"/>
-    /// instead.
+    /// to disable a rule for a given page, use <see cref="AddDisableRuleFilter"/> instead.
     /// </summary>
     /// <param name="id">The ID of the rule. In the scan report, this is usually displayed as "Plugin Id".</param>
     /// <param name="name">

From 5151a15c136da7a0b1d8291bb22f6ea593a9c42e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A1ra=20El-Saig?= <sara.el-saig@lombiq.com>
Date: Sat, 13 Jan 2024 17:32:20 +0100
Subject: [PATCH 75/87] Restore sample assertion and update expected count.

---
 Lombiq.Tests.UI.Samples/Tests/SecurityScanningTests.cs | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/Lombiq.Tests.UI.Samples/Tests/SecurityScanningTests.cs b/Lombiq.Tests.UI.Samples/Tests/SecurityScanningTests.cs
index a37b3df10..2d9ed03ee 100644
--- a/Lombiq.Tests.UI.Samples/Tests/SecurityScanningTests.cs
+++ b/Lombiq.Tests.UI.Samples/Tests/SecurityScanningTests.cs
@@ -55,8 +55,7 @@ public Task BasicSecurityScanShouldPass() =>
     //   too. This is necessary because ZAP uses its own spider so it doesn't share session or cookies with the browser.
     // The suppressions are not actually necessary here. The BasicSecurityScanShouldPass works fine without them. They
     // are only present to illustrate the type of adjustments you may want for your own site.
-    // After the configuration, you can also configure the assertion that verifies test success. You can see an example
-    // of this in the other test.
+    // After the configuration, you can also configure the assertion that verifies test success.
     [Fact]
     public Task SecurityScanWithCustomConfigurationShouldPass() =>
         ExecuteTestAfterSetupAsync(
@@ -66,7 +65,8 @@ public Task SecurityScanWithCustomConfigurationShouldPass() =>
                     .ExcludeUrlWithRegex(".*blog.*")
                     .DisablePassiveScanRule(10020, "The response does not include either Content-Security-Policy with 'frame-ancestors' directive.")
                     .DisableScanRuleForUrlWithRegex(".*/about", 10038, "Content Security Policy (CSP) Header Not Set")
-                    .SignIn()));
+                    .SignIn(),
+                sarifLog => sarifLog.Runs[0].Results.Count.ShouldBeLessThan(22)));
 
     // Let's get low-level into ZAP's configuration now. While the .NET configuration API of the Lombiq UI Testing
     // Toolbox covers the most important ways to configure ZAP, sometimes you need more. For this, you have complete

From b9d398e694918489ed9c200ef2f859d2595651a2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A1ra=20El-Saig?= <sara.el-saig@lombiq.com>
Date: Sat, 13 Jan 2024 18:14:19 +0100
Subject: [PATCH 76/87] Add extension method and use security scan forgiving
 app assertion in the samples.

---
 .../Tests/SecurityScanningTests.cs            | 13 ++++++++++---
 ...reUITestExecutorConfigurationExtensions.cs | 19 +++++++++++++++++++
 2 files changed, 29 insertions(+), 3 deletions(-)
 create mode 100644 Lombiq.Tests.UI/Extensions/OrchardCoreUITestExecutorConfigurationExtensions.cs

diff --git a/Lombiq.Tests.UI.Samples/Tests/SecurityScanningTests.cs b/Lombiq.Tests.UI.Samples/Tests/SecurityScanningTests.cs
index 2d9ed03ee..38f71f42c 100644
--- a/Lombiq.Tests.UI.Samples/Tests/SecurityScanningTests.cs
+++ b/Lombiq.Tests.UI.Samples/Tests/SecurityScanningTests.cs
@@ -40,7 +40,12 @@ public SecurityScanningTests(ITestOutputHelper testOutputHelper)
     // will fail the scan, but don't worry! You'll get a nice report about the findings in the failure dump.
     [Fact]
     public Task BasicSecurityScanShouldPass() =>
-        ExecuteTestAfterSetupAsync(context => context.RunAndAssertBaselineSecurityScanAsync());
+        ExecuteTestAfterSetupAsync(
+            context => context.RunAndAssertBaselineSecurityScanAsync(),
+            // You should configure the assertion that checks the app logs to accept some common cases that only should
+            // appear during security scanning. If you launch a full scan, this is automatically configured by the
+            // RunAndConfigureAndAssertFullSecurityScanForContinuousIntegrationAsync extension method.
+            changeConfiguration: configuration => configuration.UseAssertAppLogsForSecurityScan());
 
     // Time for some custom configuration! While this scan also runs the Baseline scan, it does this with several
     // adjustments:
@@ -66,7 +71,8 @@ public Task SecurityScanWithCustomConfigurationShouldPass() =>
                     .DisablePassiveScanRule(10020, "The response does not include either Content-Security-Policy with 'frame-ancestors' directive.")
                     .DisableScanRuleForUrlWithRegex(".*/about", 10038, "Content Security Policy (CSP) Header Not Set")
                     .SignIn(),
-                sarifLog => sarifLog.Runs[0].Results.Count.ShouldBeLessThan(22)));
+                sarifLog => sarifLog.Runs[0].Results.Count.ShouldBeLessThan(22)),
+            changeConfiguration: configuration => configuration.UseAssertAppLogsForSecurityScan());
 
     // Let's get low-level into ZAP's configuration now. While the .NET configuration API of the Lombiq UI Testing
     // Toolbox covers the most important ways to configure ZAP, sometimes you need more. For this, you have complete
@@ -108,7 +114,8 @@ public Task SecurityScanWithCustomAutomationFrameworkPlanShouldPass() =>
                         // more pages to be scanned.
                         spiderParameters.Add("maxDepth", "8");
                     }),
-                sarifLog => SecurityScanningConfiguration.AssertSecurityScanHasNoAlerts(context, sarifLog)));
+                sarifLog => SecurityScanningConfiguration.AssertSecurityScanHasNoAlerts(context, sarifLog)),
+            changeConfiguration: configuration => configuration.UseAssertAppLogsForSecurityScan());
 
     // Overriding the default setup so we can have a simpler site, simplifying the security scan for the purpose of this
     // demo. For a real app's security scan you needn't (shouldn't) do this though; always run the scan on the actual
diff --git a/Lombiq.Tests.UI/Extensions/OrchardCoreUITestExecutorConfigurationExtensions.cs b/Lombiq.Tests.UI/Extensions/OrchardCoreUITestExecutorConfigurationExtensions.cs
new file mode 100644
index 000000000..815602460
--- /dev/null
+++ b/Lombiq.Tests.UI/Extensions/OrchardCoreUITestExecutorConfigurationExtensions.cs
@@ -0,0 +1,19 @@
+namespace Lombiq.Tests.UI.Services;
+
+public static class OrchardCoreUITestExecutorConfigurationExtensions
+{
+    /// <summary>
+    /// Sets the <see cref="OrchardCoreUITestExecutorConfiguration.AssertAppLogsAsync"/> to the output of <see
+    /// cref="OrchardCoreUITestExecutorConfiguration.UseAssertAppLogsForSecurityScan"/> so it accepts security scanning
+    /// related errors.
+    /// </summary>
+    public static OrchardCoreUITestExecutorConfiguration UseAssertAppLogsForSecurityScan(
+        this OrchardCoreUITestExecutorConfiguration configuration,
+        params string[] additionalPermittedErrorLines)
+    {
+        configuration.AssertAppLogsAsync = OrchardCoreUITestExecutorConfiguration
+            .UseAssertAppLogsForSecurityScan(additionalPermittedErrorLines);
+
+        return configuration;
+    }
+}

From 0640fb2c71ff4e2c18e7ac5059500254610aef86 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A1ra=20El-Saig?= <sara.el-saig@lombiq.com>
Date: Sat, 13 Jan 2024 18:15:02 +0100
Subject: [PATCH 77/87] Instead of suppressing logs, just suppress the error
 page's exception message.

---
 Lombiq.Tests.UI.Shortcuts/Controllers/ErrorController.cs     | 2 +-
 .../SecurityScanningUITestContextExtensions.cs               | 5 ++---
 .../Services/OrchardCoreUITestExecutorConfiguration.cs       | 4 ++++
 3 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/Lombiq.Tests.UI.Shortcuts/Controllers/ErrorController.cs b/Lombiq.Tests.UI.Shortcuts/Controllers/ErrorController.cs
index 3c524852e..3f9728bcc 100644
--- a/Lombiq.Tests.UI.Shortcuts/Controllers/ErrorController.cs
+++ b/Lombiq.Tests.UI.Shortcuts/Controllers/ErrorController.cs
@@ -9,7 +9,7 @@ namespace Lombiq.Tests.UI.Shortcuts.Controllers;
 [DevelopmentAndLocalhostOnly]
 public class ErrorController : Controller
 {
-    public const string ExceptionMessage = "This action causes an exception!";
+    public const string ExceptionMessage = "This action intentionally causes an exception!";
 
     // This only happens in the CI for some reason.
     [SuppressMessage("Usage", "CA1822:Mark members as static", Justification = "It's a controller action.")]
diff --git a/Lombiq.Tests.UI/SecurityScanning/SecurityScanningUITestContextExtensions.cs b/Lombiq.Tests.UI/SecurityScanning/SecurityScanningUITestContextExtensions.cs
index d27f274e4..69e433e03 100644
--- a/Lombiq.Tests.UI/SecurityScanning/SecurityScanningUITestContextExtensions.cs
+++ b/Lombiq.Tests.UI/SecurityScanning/SecurityScanningUITestContextExtensions.cs
@@ -5,7 +5,6 @@
 using Lombiq.Tests.UI.Shortcuts.Controllers;
 using Microsoft.CodeAnalysis.Sarif;
 using System;
-using System.Net;
 using System.Threading.Tasks;
 using static Lombiq.Tests.UI.Services.OrchardCoreUITestExecutorConfiguration;
 
@@ -183,7 +182,7 @@ async Task RunAndAssertSecurityScanInnerAsync(Action<SecurityScanConfiguration>
 
         // Verify that error page handling also works by visiting a known error page with no logging.
         var errorUrl = context.GetAbsoluteUri(context.GetRelativeUrlOfAction<ErrorController>(controller => controller.Index()));
-        await context.DoWithoutAppLogAssertionAsync(() => RunAndAssertSecurityScanInnerAsync(scanConfiguration =>
+        await RunAndAssertSecurityScanInnerAsync(scanConfiguration =>
         {
             configure?.Invoke(scanConfiguration);
 
@@ -196,7 +195,7 @@ await context.DoWithoutAppLogAssertionAsync(() => RunAndAssertSecurityScanInnerA
                     plan.SetSpiderParameter("maxChildren", 2.ToTechnicalString());
                     plan.SetActiveScanParameter("recurse", "false");
                 });
-        }));
+        });
     }
 
     /// <summary>
diff --git a/Lombiq.Tests.UI/Services/OrchardCoreUITestExecutorConfiguration.cs b/Lombiq.Tests.UI/Services/OrchardCoreUITestExecutorConfiguration.cs
index 3bc90c8d2..c98fe90aa 100644
--- a/Lombiq.Tests.UI/Services/OrchardCoreUITestExecutorConfiguration.cs
+++ b/Lombiq.Tests.UI/Services/OrchardCoreUITestExecutorConfiguration.cs
@@ -1,6 +1,7 @@
 using Lombiq.Tests.UI.Extensions;
 using Lombiq.Tests.UI.SecurityScanning;
 using Lombiq.Tests.UI.Services.GitHub;
+using Lombiq.Tests.UI.Shortcuts.Controllers;
 using OpenQA.Selenium;
 using Shouldly;
 using System;
@@ -230,6 +231,9 @@ public static Func<IWebApplicationInstance, Task> UseAssertAppLogsForSecuritySca
             // legitimate application error, during a security scan it's more likely the result of an incomplete
             // artificially constructed request. So the means the ASP.NET Core model binding is working as intended.
             "An unhandled exception has occurred while executing the request. System.ArgumentNullException: Value cannot be null. (Parameter 'key')",
+            // One way to verify correct error handling is to navigate to ~/Lombiq.Tests.UI.Shortcuts/Error/Index, which
+            // always throws an exception. This also gets logged but it's expected, so it should be ignored.
+            ErrorController.ExceptionMessage,
         };
 
         permittedErrorLines.AddRange(additionalPermittedErrorLines);

From dc737f69bf98f282207d148e5df16f349c0e6a24 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A1ra=20El-Saig?= <sara.el-saig@lombiq.com>
Date: Sat, 13 Jan 2024 19:02:08 +0100
Subject: [PATCH 78/87] Add GetAbsoluteUrlOfAction.

---
 .../TypedRouteUITestContextExtensions.cs      | 23 +++++++++++++++++++
 .../SecurityScanConfiguration.cs              |  6 ++---
 2 files changed, 25 insertions(+), 4 deletions(-)

diff --git a/Lombiq.Tests.UI/Extensions/TypedRouteUITestContextExtensions.cs b/Lombiq.Tests.UI/Extensions/TypedRouteUITestContextExtensions.cs
index cd2033e44..295c62fd6 100644
--- a/Lombiq.Tests.UI/Extensions/TypedRouteUITestContextExtensions.cs
+++ b/Lombiq.Tests.UI/Extensions/TypedRouteUITestContextExtensions.cs
@@ -62,6 +62,29 @@ public static string GetRelativeUrlOfAction<TController>(
             .CreateFromExpression(actionExpressionAsync.StripResult(), additionalArguments, CreateServiceProvider(context))
             .ToString();
 
+    /// <summary>
+    /// Gets the absolute URL generated by <see cref="TypedRoute"/> for the <paramref name="actionExpression"/> in the
+    /// <typeparamref name="TController"/>.
+    /// </summary>
+    public static Uri GetAbsoluteUrlOfAction<TController>(
+        this UITestContext context,
+        Expression<Action<TController>> actionExpression,
+        params (string Key, object Value)[] additionalArguments)
+        where TController : ControllerBase =>
+        context.GetAbsoluteUri(context.GetRelativeUrlOfAction(actionExpression, additionalArguments));
+
+    /// <summary>
+    /// Gets the absolute URL generated by <see cref="TypedRoute"/> for the <paramref name="actionExpressionAsync"/> in
+    /// the <typeparamref name="TController"/>.
+    /// </summary>
+    public static Uri GetAbsoluteUrlOfAction<TController>(
+        this UITestContext context,
+        Expression<Func<TController, Task>> actionExpressionAsync,
+        params (string Key, object Value)[] additionalArguments)
+        where TController : ControllerBase =>
+        context.GetAbsoluteUri(context.GetRelativeUrlOfAction(actionExpressionAsync, additionalArguments));
+
+
     private static IServiceProvider CreateServiceProvider(UITestContext context)
     {
         var services = new ServiceCollection();
diff --git a/Lombiq.Tests.UI/SecurityScanning/SecurityScanConfiguration.cs b/Lombiq.Tests.UI/SecurityScanning/SecurityScanConfiguration.cs
index b0c5a3292..e43a838ee 100644
--- a/Lombiq.Tests.UI/SecurityScanning/SecurityScanConfiguration.cs
+++ b/Lombiq.Tests.UI/SecurityScanning/SecurityScanConfiguration.cs
@@ -245,10 +245,8 @@ internal async Task ApplyToPlanAsync(YamlDocument yamlDocument, UITestContext co
 
         if (!string.IsNullOrEmpty(SignInUserName))
         {
-            yamlDocument.AddRequestor(
-                context.GetAbsoluteUri(
-                    context.GetRelativeUrlOfAction<AccountController>(controller => controller.SignInDirectly(SignInUserName)))
-                .ToString());
+            var url = context.GetAbsoluteUrlOfAction<AccountController>(controller => controller.SignInDirectly(SignInUserName));
+            yamlDocument.AddRequestor(url.AbsoluteUri);
 
             // With such direct sign in we don't need to utilize ZAP's authentication and user managements mechanisms
             // (see https://www.zaproxy.org/docs/desktop/start/features/authmethods/ and

From 27849930521b4bbe3996e89b7271815d3a96bbaa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A1ra=20El-Saig?= <sara.el-saig@lombiq.com>
Date: Sat, 13 Jan 2024 19:03:16 +0100
Subject: [PATCH 79/87] Use requestor instead of second scan.

---
 ...SecurityScanningUITestContextExtensions.cs | 55 +++++++------------
 1 file changed, 21 insertions(+), 34 deletions(-)

diff --git a/Lombiq.Tests.UI/SecurityScanning/SecurityScanningUITestContextExtensions.cs b/Lombiq.Tests.UI/SecurityScanning/SecurityScanningUITestContextExtensions.cs
index 69e433e03..c9019b54a 100644
--- a/Lombiq.Tests.UI/SecurityScanning/SecurityScanningUITestContextExtensions.cs
+++ b/Lombiq.Tests.UI/SecurityScanning/SecurityScanningUITestContextExtensions.cs
@@ -154,48 +154,35 @@ public static async Task RunAndAssertSecurityScanAsync(
         Action<SarifLog> assertSecurityScanResult = null)
     {
         var configuration = context.Configuration.SecurityScanningConfiguration ?? new SecurityScanningConfiguration();
-        async Task RunAndAssertSecurityScanInnerAsync(Action<SecurityScanConfiguration> configure)
+
+        SecurityScanResult result = null;
+        try
         {
-            SecurityScanResult result = null;
-            try
+            result = await context.RunSecurityScanAsync(automationFrameworkYamlPath, scanConfiguration =>
             {
-                result = await context.RunSecurityScanAsync(automationFrameworkYamlPath, configure);
-
-                if (assertSecurityScanResult != null) assertSecurityScanResult(result.SarifLog);
-                else configuration.AssertSecurityScanResult(context, result.SarifLog);
-
-                if (configuration.CreateReportAlways)
+                // Verify that error page handling also works by visiting a known error page with no logging.
+                if (!configuration.DontScanErrorPage)
                 {
-                    context.AppendDirectoryToFailureDump(result.ReportsDirectoryPath);
+                    var errorUrl = context.GetAbsoluteUrlOfAction<ErrorController>(controller => controller.Index());
+                    scanConfiguration.ModifyZapPlan(yamlDocument => yamlDocument.AddRequestor(errorUrl.AbsoluteUri));
                 }
-            }
-            catch (Exception ex)
-            {
-                if (result != null) context.AppendDirectoryToFailureDump(result.ReportsDirectoryPath);
-                throw new SecurityScanningAssertionException(ex);
-            }
-        }
 
-        await RunAndAssertSecurityScanInnerAsync(configure);
+                configure?.Invoke(scanConfiguration);
+            });
 
-        if (configuration.DontScanErrorPage) return;
+            if (assertSecurityScanResult != null) assertSecurityScanResult(result.SarifLog);
+            else configuration.AssertSecurityScanResult(context, result.SarifLog);
 
-        // Verify that error page handling also works by visiting a known error page with no logging.
-        var errorUrl = context.GetAbsoluteUri(context.GetRelativeUrlOfAction<ErrorController>(controller => controller.Index()));
-        await RunAndAssertSecurityScanInnerAsync(scanConfiguration =>
+            if (configuration.CreateReportAlways)
+            {
+                context.AppendDirectoryToFailureDump(result.ReportsDirectoryPath);
+            }
+        }
+        catch (Exception ex)
         {
-            configure?.Invoke(scanConfiguration);
-
-            // Configure this scan to only visit the target page.
-            scanConfiguration
-                .StartAtUri(errorUrl)
-                .ModifyZapPlan(plan =>
-                {
-                    plan.SetSpiderParameter("maxDepth", 1.ToTechnicalString());
-                    plan.SetSpiderParameter("maxChildren", 2.ToTechnicalString());
-                    plan.SetActiveScanParameter("recurse", "false");
-                });
-        });
+            if (result != null) context.AppendDirectoryToFailureDump(result.ReportsDirectoryPath);
+            throw new SecurityScanningAssertionException(ex);
+        }
     }
 
     /// <summary>

From 35fb6e8e7c1208c5da8c87425c87e3b3e992b62c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A1ra=20El-Saig?= <sara.el-saig@lombiq.com>
Date: Sat, 13 Jan 2024 19:13:00 +0100
Subject: [PATCH 80/87] Update
 Lombiq.Tests.UI/SecurityScanning/SecurityScanConfiguration.cs

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
---
 Lombiq.Tests.UI/SecurityScanning/SecurityScanConfiguration.cs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Lombiq.Tests.UI/SecurityScanning/SecurityScanConfiguration.cs b/Lombiq.Tests.UI/SecurityScanning/SecurityScanConfiguration.cs
index e43a838ee..ba0257fe1 100644
--- a/Lombiq.Tests.UI/SecurityScanning/SecurityScanConfiguration.cs
+++ b/Lombiq.Tests.UI/SecurityScanning/SecurityScanConfiguration.cs
@@ -193,7 +193,7 @@ public SecurityScanConfiguration MarkScanRuleAsFalsePositiveForUrlWithRegex(
     {
         if (string.IsNullOrWhiteSpace(justification?.Trim()))
         {
-            throw new InvalidOperationException("Please provide a justification for disabling this alert!");
+            throw new InvalidOperationException("Please provide a detailed justification for marking this alert as a false positive, including context and reasoning.");
         }
 
         _falsePositives.Add((urlRegex, ruleId, ruleName, justification));

From 74bae9c78e79b75d56133466b7d012692aa72d0c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A1ra=20El-Saig?= <sara.el-saig@lombiq.com>
Date: Sat, 13 Jan 2024 19:27:49 +0100
Subject: [PATCH 81/87] Code formatting and organization.

---
 ...reUITestExecutorConfigurationExtensions.cs | 19 -------------------
 .../TypedRouteUITestContextExtensions.cs      |  1 -
 .../SecurityScanConfiguration.cs              |  5 +++--
 ...SecurityScanningUITestContextExtensions.cs |  8 ++++----
 .../YamlDocumentExtensions.cs                 |  3 ++-
 .../OrchardCoreUITestExecutorConfiguration.cs | 13 ++++++++++++-
 6 files changed, 21 insertions(+), 28 deletions(-)
 delete mode 100644 Lombiq.Tests.UI/Extensions/OrchardCoreUITestExecutorConfigurationExtensions.cs

diff --git a/Lombiq.Tests.UI/Extensions/OrchardCoreUITestExecutorConfigurationExtensions.cs b/Lombiq.Tests.UI/Extensions/OrchardCoreUITestExecutorConfigurationExtensions.cs
deleted file mode 100644
index 815602460..000000000
--- a/Lombiq.Tests.UI/Extensions/OrchardCoreUITestExecutorConfigurationExtensions.cs
+++ /dev/null
@@ -1,19 +0,0 @@
-namespace Lombiq.Tests.UI.Services;
-
-public static class OrchardCoreUITestExecutorConfigurationExtensions
-{
-    /// <summary>
-    /// Sets the <see cref="OrchardCoreUITestExecutorConfiguration.AssertAppLogsAsync"/> to the output of <see
-    /// cref="OrchardCoreUITestExecutorConfiguration.UseAssertAppLogsForSecurityScan"/> so it accepts security scanning
-    /// related errors.
-    /// </summary>
-    public static OrchardCoreUITestExecutorConfiguration UseAssertAppLogsForSecurityScan(
-        this OrchardCoreUITestExecutorConfiguration configuration,
-        params string[] additionalPermittedErrorLines)
-    {
-        configuration.AssertAppLogsAsync = OrchardCoreUITestExecutorConfiguration
-            .UseAssertAppLogsForSecurityScan(additionalPermittedErrorLines);
-
-        return configuration;
-    }
-}
diff --git a/Lombiq.Tests.UI/Extensions/TypedRouteUITestContextExtensions.cs b/Lombiq.Tests.UI/Extensions/TypedRouteUITestContextExtensions.cs
index 295c62fd6..f3a2535c1 100644
--- a/Lombiq.Tests.UI/Extensions/TypedRouteUITestContextExtensions.cs
+++ b/Lombiq.Tests.UI/Extensions/TypedRouteUITestContextExtensions.cs
@@ -84,7 +84,6 @@ public static Uri GetAbsoluteUrlOfAction<TController>(
         where TController : ControllerBase =>
         context.GetAbsoluteUri(context.GetRelativeUrlOfAction(actionExpressionAsync, additionalArguments));
 
-
     private static IServiceProvider CreateServiceProvider(UITestContext context)
     {
         var services = new ServiceCollection();
diff --git a/Lombiq.Tests.UI/SecurityScanning/SecurityScanConfiguration.cs b/Lombiq.Tests.UI/SecurityScanning/SecurityScanConfiguration.cs
index ba0257fe1..f2fc6c7df 100644
--- a/Lombiq.Tests.UI/SecurityScanning/SecurityScanConfiguration.cs
+++ b/Lombiq.Tests.UI/SecurityScanning/SecurityScanConfiguration.cs
@@ -1,6 +1,5 @@
 using Lombiq.HelpfulLibraries.OrchardCore.Mvc;
 using Lombiq.Tests.UI.Constants;
-using Lombiq.Tests.UI.Extensions;
 using Lombiq.Tests.UI.Services;
 using Lombiq.Tests.UI.Shortcuts.Controllers;
 using System;
@@ -193,7 +192,9 @@ public SecurityScanConfiguration MarkScanRuleAsFalsePositiveForUrlWithRegex(
     {
         if (string.IsNullOrWhiteSpace(justification?.Trim()))
         {
-            throw new InvalidOperationException("Please provide a detailed justification for marking this alert as a false positive, including context and reasoning.");
+            throw new InvalidOperationException(
+                "Please provide a detailed justification for marking this alert as a false positive, including " +
+                "context and reasoning.");
         }
 
         _falsePositives.Add((urlRegex, ruleId, ruleName, justification));
diff --git a/Lombiq.Tests.UI/SecurityScanning/SecurityScanningUITestContextExtensions.cs b/Lombiq.Tests.UI/SecurityScanning/SecurityScanningUITestContextExtensions.cs
index c9019b54a..e196f9842 100644
--- a/Lombiq.Tests.UI/SecurityScanning/SecurityScanningUITestContextExtensions.cs
+++ b/Lombiq.Tests.UI/SecurityScanning/SecurityScanningUITestContextExtensions.cs
@@ -6,7 +6,6 @@
 using Microsoft.CodeAnalysis.Sarif;
 using System;
 using System.Threading.Tasks;
-using static Lombiq.Tests.UI.Services.OrchardCoreUITestExecutorConfiguration;
 
 namespace Lombiq.Tests.UI.SecurityScanning;
 
@@ -58,8 +57,9 @@ public static Task RunAndAssertFullSecurityScanAsync(
     /// This extension method makes changes to the normal configuration of the test to be more suited for CI operation.
     /// It changes the <see cref="UITestContext.Configuration"/> to not do any retries because this is a long running
     /// test. It also replaces the app log assertion logic with the specialized version for security scans, <see
-    /// cref="UseAssertAppLogsForSecurityScan"/>. The scan is configured to ignore the admin dashboard, optionally log
-    /// in as admin, and use the provided time limits for the "active scan" portion of the security scan.
+    /// cref="OrchardCoreUITestExecutorConfiguration.UseAssertAppLogsForSecurityScan"/>. The scan is configured t
+    /// ignore the admin dashboard, optionally log in as admin, and use the provided time limits for the "active scan"
+    /// portion of the security scan.
     /// </para></remarks>
     public static Task RunAndConfigureAndAssertFullSecurityScanForContinuousIntegrationAsync(
         this UITestContext context,
@@ -70,7 +70,7 @@ public static Task RunAndConfigureAndAssertFullSecurityScanForContinuousIntegrat
         int maxRuleDurationInMinutes = 2)
     {
         // Ignore some validation errors that only happen during security tests.
-        context.Configuration.AssertAppLogsAsync = UseAssertAppLogsForSecurityScan();
+        context.Configuration.UseAssertAppLogsForSecurityScan();
 
         // This takes over 10 minutes and the session will certainly time out with retries.
         context.Configuration.MaxRetryCount = 0;
diff --git a/Lombiq.Tests.UI/SecurityScanning/YamlDocumentExtensions.cs b/Lombiq.Tests.UI/SecurityScanning/YamlDocumentExtensions.cs
index 2cb4f921d..1a918091b 100644
--- a/Lombiq.Tests.UI/SecurityScanning/YamlDocumentExtensions.cs
+++ b/Lombiq.Tests.UI/SecurityScanning/YamlDocumentExtensions.cs
@@ -279,7 +279,8 @@ public static YamlDocument AddFalsePositiveRuleFilter(
         Action<YamlMappingNode> configureFilter = null) =>
         yamlDocument.AddDisableRuleFilter(
             urlMatchingRegexPattern,
-            ruleId, $"{ruleName}: {justification}",
+            ruleId,
+            $"{ruleName}: {justification}",
             node =>
             {
                 configureFilter?.Invoke(node);
diff --git a/Lombiq.Tests.UI/Services/OrchardCoreUITestExecutorConfiguration.cs b/Lombiq.Tests.UI/Services/OrchardCoreUITestExecutorConfiguration.cs
index c98fe90aa..29d5ae5f0 100644
--- a/Lombiq.Tests.UI/Services/OrchardCoreUITestExecutorConfiguration.cs
+++ b/Lombiq.Tests.UI/Services/OrchardCoreUITestExecutorConfiguration.cs
@@ -210,11 +210,22 @@ public void AssertBrowserLogMaybe(IList<LogEntry> browserLogs, Action<string> lo
         }
     }
 
+    /// <summary>
+    /// Sets the <see cref="AssertAppLogsAsync"/> to the output of <see cref="CreateAppLogAssertionForSecurityScan"/> so
+    /// it accepts errors in the log caused by the security scanning.
+    /// </summary>
+    public OrchardCoreUITestExecutorConfiguration UseAssertAppLogsForSecurityScan(params string[] additionalPermittedErrorLines)
+    {
+        AssertAppLogsAsync = CreateAppLogAssertionForSecurityScan(additionalPermittedErrorLines);
+
+        return this;
+    }
+
     /// <summary>
     /// Similar to <see cref="AssertAppLogsCanContainWarningsAsync"/>, but also permits certain <c>|ERROR</c> log
     /// entries which represent correct reactions to incorrect or malicious user behavior during a security scan.
     /// </summary>
-    public static Func<IWebApplicationInstance, Task> UseAssertAppLogsForSecurityScan(params string[] additionalPermittedErrorLines)
+    public static Func<IWebApplicationInstance, Task> CreateAppLogAssertionForSecurityScan(params string[] additionalPermittedErrorLines)
     {
         var permittedErrorLines = new List<string>
         {

From 7397bb99bbf130fc020efeafbaae0337685bdf6d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A1ra=20El-Saig?= <sara.el-saig@lombiq.com>
Date: Sun, 14 Jan 2024 22:00:26 +0100
Subject: [PATCH 82/87] Update
 Lombiq.Tests.UI/SecurityScanning/SecurityScanningUITestContextExtensions.cs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: Zoltán Lehóczky <zoltan.lehoczky@lombiq.com>
---
 .../SecurityScanning/SecurityScanningUITestContextExtensions.cs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Lombiq.Tests.UI/SecurityScanning/SecurityScanningUITestContextExtensions.cs b/Lombiq.Tests.UI/SecurityScanning/SecurityScanningUITestContextExtensions.cs
index e196f9842..abbbe47f3 100644
--- a/Lombiq.Tests.UI/SecurityScanning/SecurityScanningUITestContextExtensions.cs
+++ b/Lombiq.Tests.UI/SecurityScanning/SecurityScanningUITestContextExtensions.cs
@@ -206,7 +206,7 @@ public static Task<SecurityScanResult> RunSecurityScanAsync(
             .StartAtUri(context.GetCurrentUri());
 
         // By default ignore /vendor/ or /vendors/ URLs. This is case-insensitive. We have no control over them, and
-        // they may contain several false positives (e.g. in font-awesome)..
+        // they may contain several false positives (e.g. in font-awesome).
         configuration.ExcludeUrlWithRegex(@".*/vendors?/.*");
 
         if (context.Configuration.SecurityScanningConfiguration.ZapAutomationFrameworkPlanModifier != null)

From 9852ab3471d82865c0d2a473df04b78ed332b9e2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A1ra=20El-Saig?= <sara.el-saig@lombiq.com>
Date: Sun, 14 Jan 2024 22:40:35 +0100
Subject: [PATCH 83/87] Various doc fixes.

---
 Lombiq.Tests.UI.Samples/Tests/SecurityScanningTests.cs    | 8 +++++---
 .../SecurityScanning/SecurityScanConfiguration.cs         | 7 +++++++
 .../SecurityScanning/SecurityScanningConfiguration.cs     | 6 ------
 .../SecurityScanningUITestContextExtensions.cs            | 2 +-
 4 files changed, 13 insertions(+), 10 deletions(-)

diff --git a/Lombiq.Tests.UI.Samples/Tests/SecurityScanningTests.cs b/Lombiq.Tests.UI.Samples/Tests/SecurityScanningTests.cs
index 38f71f42c..3136557c5 100644
--- a/Lombiq.Tests.UI.Samples/Tests/SecurityScanningTests.cs
+++ b/Lombiq.Tests.UI.Samples/Tests/SecurityScanningTests.cs
@@ -58,9 +58,11 @@ public Task BasicSecurityScanShouldPass() =>
     // - Configures sign in with a user account. This is what the scan will start with. This doesn't matter much with
     //   the Blog recipe, because nothing on the frontend will change. You can use this to scan authenticated features
     //   too. This is necessary because ZAP uses its own spider so it doesn't share session or cookies with the browser.
-    // The suppressions are not actually necessary here. The BasicSecurityScanShouldPass works fine without them. They
-    // are only present to illustrate the type of adjustments you may want for your own site.
-    // After the configuration, you can also configure the assertion that verifies test success.
+    // - The assertion on the scan results is custom. Use this if you (conditionally) want to assert on the results
+    //   differently from the global context.Configuration.SecurityScanningConfiguration.AssertSecurityScanResult. The
+    //   default there is "no scanning alert is allowed"; we expect some alerts here.
+    // - The suppressions are not actually necessary here. The BasicSecurityScanShouldPass works fine without them. They
+    //   are only present to illustrate the type of adjustments you may want for your own site.
     [Fact]
     public Task SecurityScanWithCustomConfigurationShouldPass() =>
         ExecuteTestAfterSetupAsync(
diff --git a/Lombiq.Tests.UI/SecurityScanning/SecurityScanConfiguration.cs b/Lombiq.Tests.UI/SecurityScanning/SecurityScanConfiguration.cs
index f2fc6c7df..c486a3ce3 100644
--- a/Lombiq.Tests.UI/SecurityScanning/SecurityScanConfiguration.cs
+++ b/Lombiq.Tests.UI/SecurityScanning/SecurityScanConfiguration.cs
@@ -34,6 +34,13 @@ public class SecurityScanConfiguration
     public bool AjaxSpiderIsUsed { get; private set; }
     public string SignInUserName { get; private set; }
 
+    /// <summary>
+    /// Gets a value indicating whether the security scan should not visit the <see cref="ErrorController"/> to test
+    /// for correct error handling. This is achieved by adding the error page URL to the configuration with <see
+    /// cref="YamlDocumentExtensions.AddRequestor"/>.
+    /// </summary>
+    public bool DontScanErrorPage { get; private set; }
+
     internal SecurityScanConfiguration()
     {
     }
diff --git a/Lombiq.Tests.UI/SecurityScanning/SecurityScanningConfiguration.cs b/Lombiq.Tests.UI/SecurityScanning/SecurityScanningConfiguration.cs
index fcfff6f4e..0a34c17ea 100644
--- a/Lombiq.Tests.UI/SecurityScanning/SecurityScanningConfiguration.cs
+++ b/Lombiq.Tests.UI/SecurityScanning/SecurityScanningConfiguration.cs
@@ -31,12 +31,6 @@ public class SecurityScanningConfiguration
     /// </summary>
     public Action<UITestContext, SarifLog> AssertSecurityScanResult { get; set; } = AssertSecurityScanHasNoAlerts;
 
-    /// <summary>
-    /// Gets a value indicating whether the security scan should not visit the <see cref="ErrorController"/> to test
-    /// for correct error handling. This is achieved by running the scan a second time without leaving that page.
-    /// </summary>
-    public bool DontScanErrorPage { get; private set; }
-
     public static readonly Action<UITestContext, SarifLog> AssertSecurityScanHasNoAlerts = (_, sarifLog) =>
         sarifLog.Runs[0].Results.ShouldBeEmptyWhen(
             result =>
diff --git a/Lombiq.Tests.UI/SecurityScanning/SecurityScanningUITestContextExtensions.cs b/Lombiq.Tests.UI/SecurityScanning/SecurityScanningUITestContextExtensions.cs
index abbbe47f3..fbc7d999a 100644
--- a/Lombiq.Tests.UI/SecurityScanning/SecurityScanningUITestContextExtensions.cs
+++ b/Lombiq.Tests.UI/SecurityScanning/SecurityScanningUITestContextExtensions.cs
@@ -161,7 +161,7 @@ public static async Task RunAndAssertSecurityScanAsync(
             result = await context.RunSecurityScanAsync(automationFrameworkYamlPath, scanConfiguration =>
             {
                 // Verify that error page handling also works by visiting a known error page with no logging.
-                if (!configuration.DontScanErrorPage)
+                if (!scanConfiguration.DontScanErrorPage)
                 {
                     var errorUrl = context.GetAbsoluteUrlOfAction<ErrorController>(controller => controller.Index());
                     scanConfiguration.ModifyZapPlan(yamlDocument => yamlDocument.AddRequestor(errorUrl.AbsoluteUri));

From 4bb9d4213dbbc3183942cb33b4b2d6f5148a2812 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A1ra=20El-Saig?= <sara.el-saig@lombiq.com>
Date: Sun, 14 Jan 2024 22:57:41 +0100
Subject: [PATCH 84/87] unusing

---
 .../SecurityScanning/SecurityScanningConfiguration.cs            | 1 -
 1 file changed, 1 deletion(-)

diff --git a/Lombiq.Tests.UI/SecurityScanning/SecurityScanningConfiguration.cs b/Lombiq.Tests.UI/SecurityScanning/SecurityScanningConfiguration.cs
index 0a34c17ea..bec664945 100644
--- a/Lombiq.Tests.UI/SecurityScanning/SecurityScanningConfiguration.cs
+++ b/Lombiq.Tests.UI/SecurityScanning/SecurityScanningConfiguration.cs
@@ -1,5 +1,4 @@
 using Lombiq.Tests.UI.Services;
-using Lombiq.Tests.UI.Shortcuts.Controllers;
 using Microsoft.CodeAnalysis.Sarif;
 using Shouldly;
 using System;

From 1fd80a3c5e9fc1dd6d53968a2659cc13a5e4ecc1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A1ra=20El-Saig?= <sara.el-saig@lombiq.com>
Date: Mon, 15 Jan 2024 01:19:30 +0100
Subject: [PATCH 85/87] Additional instructions.

---
 Lombiq.Tests.UI.Samples/Tests/SecurityScanningTests.cs | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/Lombiq.Tests.UI.Samples/Tests/SecurityScanningTests.cs b/Lombiq.Tests.UI.Samples/Tests/SecurityScanningTests.cs
index 3136557c5..93b569e2a 100644
--- a/Lombiq.Tests.UI.Samples/Tests/SecurityScanningTests.cs
+++ b/Lombiq.Tests.UI.Samples/Tests/SecurityScanningTests.cs
@@ -18,6 +18,12 @@ namespace Lombiq.Tests.UI.Samples.Tests;
 // sure to also check out the corresponding documentation page:
 // https://github.com/Lombiq/UI-Testing-Toolbox/blob/dev/Lombiq.Tests.UI/Docs/SecurityScanning.md.
 
+// Most common alerts can be resolved by using the OrchardCoreBuilder.ConfigureSecurityDefaultsWithStaticFiles()
+// extension method from Lombiq.HelpfulLibraries.OrchardCore. It's worth enabling in in your Program and then verifying
+// that everything still works on the site before really getting into security scanning. If you experience any problems
+// related to Content-Security-Policy, take a look at the documentation of IContentSecurityPolicyProvider and
+// ContentSecurityPolicyAttribute to adjust the permissions, because these defaults are rather strict out of the box.
+
 // Note that security scanning has cross-platform support, but due to the limitations of virtualization under Windows in
 // GitHub Actions, these tests won't work there. They'll work on a Windows desktop though.
 public class SecurityScanningTests : UITestBase

From c6c10358a32d1c010970fe509ef9e01fae98b823 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A1ra=20El-Saig?= <sara.el-saig@lombiq.com>
Date: Mon, 15 Jan 2024 01:19:43 +0100
Subject: [PATCH 86/87] Remove this thing whatever it is.

---
 Lombiq.Tests.UI.Samples/Tests/SecurityScanningTests.cs | 7 -------
 1 file changed, 7 deletions(-)

diff --git a/Lombiq.Tests.UI.Samples/Tests/SecurityScanningTests.cs b/Lombiq.Tests.UI.Samples/Tests/SecurityScanningTests.cs
index 93b569e2a..63352a715 100644
--- a/Lombiq.Tests.UI.Samples/Tests/SecurityScanningTests.cs
+++ b/Lombiq.Tests.UI.Samples/Tests/SecurityScanningTests.cs
@@ -154,13 +154,6 @@ protected override Task ExecuteTestAfterSetupAsync(
             {
                 configuration.HtmlValidationConfiguration.RunHtmlValidationAssertionOnAllPageChanges = false;
 
-                // Note how we specify an assertion too. This is because ZAP actually notices a few security issues with
-                // vanilla Orchard Core. These, however, are more like artifacts of running the app locally and out of
-                // the box without any real configuration. So, to make the tests pass, we need to override the default
-                // assertion that would fail the test if any issue is found.
-
-                // Don't do this at home! Fix the issues instead. This is only here to have a smoother demo.
-                configuration.SecurityScanningConfiguration.AssertSecurityScanResult = (_, _) => { };
                 // Check out the rest of SecurityScanningConfiguration too!
 
                 await changeConfigurationAsync(configuration);

From ffc674a3d7ff0ea3adc11cae3a9a554e4ce75b6a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A1ra=20El-Saig?= <sara.el-saig@lombiq.com>
Date: Mon, 15 Jan 2024 01:23:20 +0100
Subject: [PATCH 87/87] Make it a range.

---
 Lombiq.Tests.UI.Samples/Tests/SecurityScanningTests.cs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Lombiq.Tests.UI.Samples/Tests/SecurityScanningTests.cs b/Lombiq.Tests.UI.Samples/Tests/SecurityScanningTests.cs
index 63352a715..1530fed29 100644
--- a/Lombiq.Tests.UI.Samples/Tests/SecurityScanningTests.cs
+++ b/Lombiq.Tests.UI.Samples/Tests/SecurityScanningTests.cs
@@ -79,7 +79,7 @@ public Task SecurityScanWithCustomConfigurationShouldPass() =>
                     .DisablePassiveScanRule(10020, "The response does not include either Content-Security-Policy with 'frame-ancestors' directive.")
                     .DisableScanRuleForUrlWithRegex(".*/about", 10038, "Content Security Policy (CSP) Header Not Set")
                     .SignIn(),
-                sarifLog => sarifLog.Runs[0].Results.Count.ShouldBeLessThan(22)),
+                sarifLog => sarifLog.Runs[0].Results.Count.ShouldBeInRange(17, 22)),
             changeConfiguration: configuration => configuration.UseAssertAppLogsForSecurityScan());
 
     // Let's get low-level into ZAP's configuration now. While the .NET configuration API of the Lombiq UI Testing