ascanrulesBeta: Add Example Alerts to InsecureHttpMethodScanRule

[Brandosp]

Overview

Added example alerts for InsecureHttpMethodScanRule.

Related Issues

• New common getExampleAlerts() method zaproxy#6119
• Update rules to use alert refs zaproxy#7100

Checklist

• Update help
• Update changelog
• Run ./gradlew spotlessApply for code formatting
• Write tests
• Check code coverage
• Sign-off commits
• Squash commits
• Use a descriptive title

for more details, please refer to the developer rules and guidelines

[psiinon]

Checkmarx One – Scan Summary & Details – 410fbb87-0d23-4cac-a989-ce431f4e3510

Fixed Issues (1)

Great job! The following issues were fixed in this Pull Request

Severity	Issue	Source File / Package
	Heap_Inspection	/addOns/authhelper/src/test/java/org/zaproxy/addon/authhelper/AuthUtilsUnitTest.java: 1357

---

Use @Checkmarx to reach out to us for assistance.

Just send a PR comment with @Checkmarx followed by a natural language request.

Examples: @Checkmarx how are you able to help me? @Checkmarx rescan this PR

[kingthorin]

Getting really close (from my point of view).

[kingthorin]

To be consistent with elsewhere in the file/repo this should probably be:

    void shouldHaveExpectedExampleAlert() {
        // Given / When
        List<Alert> alerts = rule.getExampleAlerts();
        // Then
        assertThat(alerts.size(), is(equalTo(5)));

[thc202]

Also the other assertions are not needed, the default tests already check the references.

[thc202]

This still needs to be extracted to its own method, it's also missing the webdav which IMO should have its own ref (i.e the one in line 569 should be replaced with two build/raise calls in lines 545 and 569, having all the data already filled in).

[Brandosp]

Sorry, not exactly sure what you mean by this. I began working on the code based off this comment, and I added to the buildHttpMethodAlert method to check whether or not the httpMethod is part of WEBDAV or not to give webdav its own alert ref

String alertRef = getId() + "-5"; if (WEBDAV_METHODS.contains(httpMethod)) { alertRef = getId() + "-6"; }
You mentioned adding two build/raise calls in line 545 and 569 which I assume this means I should create a buildAlert for specifically WEBDAV but I found this confusing as the main logic filters the data for whether the httpmethod is part of WEBDAV or not making it so the build call on 569 would create distinct alerts, so I imagine my assumption is wrong?

Additionally, when u mention extracting to its own method, do u mean creating a buildExampleAlert helper which would just use the code I have in the getExampleAlerts for the HttpMethodAlert, and then simply calling that helper function to make the code more structured?

[thc202]

There are two issues:

1. The getExampleAlerts() should not be duplicating what the main code is doing, both should call a common method. If tomorrow we change the description/other info of the lines 553 and 559, this example alert will keep returning the old/different description/other info. We should not need to manually keep main code and examples in sync. Also, note this issue is already happening with buildInsecureHttpMethodAlert, the example alert has the wrong description/other info.
2. The webdav case of line 545 is effectively a different alert, note the use of different description and why (IMO) it should have its own ref.

[thc202]

Note that you need to rebase the branch to adjust the changelog.