Description
Describe the bug
I'm running a fairly standard github action with ZAP baseline
I've got 2 OUTOFSCOPE lines to exclude an error:
```
10202	OUTOFSCOPE	https://master.internal.juriba.com/LoginSplash.aspx?ReturnUrl=%2Fdefault.aspx&sir=1
10202	OUTOFSCOPE	https://master.internal.juriba.com/default.aspx
```
It looks like it's worked in the logs from GitHub Actions:
```
PASS: Reverse Tabnabbing [10108]
PASS: Modern Web Application [10109]
PASS: Absence of Anti-CSRF Tokens [10202] ⬅️
PASS: Private IP Disclosure [2]
PASS: Session ID in URL Rewrite [3]
PASS: Script Passive Scan Rules [50001]
PASS: Insecure JSF ViewState [90001]
```
However, in the issues report this comes up as an error:
```
Absence of Anti-CSRF Tokens [10202] total: 2:
https://master.internal.juriba.com/LoginSplash.aspx?ReturnUrl=%2Fdefault.aspx&sir=1
https://master.internal.juriba.com/default.aspx
```
I can use IGNORE to get rid of this error, but obviously that is not as good.
Strange that at one point it seemed to work:
```
Resolved Alerts
Absence of Anti-CSRF Tokens [10202] total: 2:
```
But now, sadly, not.
To Reproduce
Steps to reproduce the behavior:
Run a ZAP baseline scan:
```yaml
zap_scan:
  runs-on: self-hosted
  name: Zap Scan
  steps:
    - name: Checkout
      uses: actions/checkout@v2
      with:
        ref: master
    - name: OWASP ZAP Baseline Scan
      uses: zaproxy/action-baseline@v0.4.0
      with:
        target: 'https://example.com'
        rules_file_name: '.github/workflows/zap/rules.tsv'
```
Expected behavior
The Absence of Anti-CSRF Tokens is excluded from the results
Software versions
- ZAP: Latest version downloaded through docker run
- OS: docker
Errors from the zap.log file
n/a
Would you like to help fix this issue?
It may be a user error, as I'm new to this way of running ZAP.
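As an added example (not the reporter's configuration and not the project's own code), the Python below mirrors how the ZAP baseline script documents OUTOFSCOPE lines: the third column is compiled as a regular expression and matched against each alert URL for the given rule ID, or for every rule when the ID is `*`. It runs the two OUTOFSCOPE lines quoted in this report, first as written and then with the URLs regex-escaped, against the two alert URLs from the issues report. The rule ID and URLs come from the report; the `re.match` semantics are an assumption based on the script's documentation, and the helper names are invented for this illustration.

```python
import re

# Constructed sample: the two OUTOFSCOPE lines from the report, tab-separated
# as a rules.tsv expects (rule id, action, pattern).
RULES_TSV = (
    "10202\tOUTOFSCOPE\thttps://master.internal.juriba.com/LoginSplash.aspx?ReturnUrl=%2Fdefault.aspx&sir=1\n"
    "10202\tOUTOFSCOPE\thttps://master.internal.juriba.com/default.aspx\n"
)

# Constructed sample: the two alert instances listed in the issues report.
ALERT_URLS = [
    "https://master.internal.juriba.com/LoginSplash.aspx?ReturnUrl=%2Fdefault.aspx&sir=1",
    "https://master.internal.juriba.com/default.aspx",
]


def load_out_of_scope(tsv_text):
    """Parse OUTOFSCOPE lines into {rule_id: [compiled regex, ...]}.

    Assumption (from the baseline script's documentation): the third column
    is a regular expression, and a comma-separated first column lists
    several rule ids. IGNORE/WARN/FAIL lines are not relevant here and are
    skipped.
    """
    out_of_scope = {}
    for line in tsv_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        rule_id, action, pattern = line.rstrip("\n").split("\t", 2)
        if action != "OUTOFSCOPE":
            continue
        for rid in rule_id.split(","):
            out_of_scope.setdefault(rid, []).append(re.compile(pattern))
    return out_of_scope


def is_out_of_scope(rule_id, url, out_of_scope):
    """True if an OUTOFSCOPE regex for this rule, or for '*', matches the URL
    from its start (re.match semantics, assumed to mirror the script)."""
    for key in ("*", rule_id):
        for prog in out_of_scope.get(key, []):
            if prog.match(url):
                return True
    return False


def check_rules(tsv_text, rule_id, urls):
    """Return {url: excluded?} for each alert URL under the given rules."""
    oos = load_out_of_scope(tsv_text)
    return {url: is_out_of_scope(rule_id, url, oos) for url in urls}


def escaped_rules(tsv_text):
    """Rewrite every OUTOFSCOPE pattern with re.escape so that '.' and '?'
    in a pasted URL are matched literally instead of as regex operators."""
    lines = []
    for line in tsv_text.splitlines():
        parts = line.split("\t", 2)
        if len(parts) == 3 and parts[1] == "OUTOFSCOPE":
            parts[2] = re.escape(parts[2])
        lines.append("\t".join(parts))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for label, tsv in (("as written", RULES_TSV), ("escaped", escaped_rules(RULES_TSV))):
        print(label)
        for url, excluded in check_rules(tsv, "10202", ALERT_URLS).items():
            print(f"  {'excluded' if excluded else 'NOT excluded'}: {url}")
```

The point a practitioner should take from running this is the escaping caveat: because `.` and `?` are regex metacharacters, a URL pasted verbatim into the third column is not guaranteed to match itself. In the LoginSplash line, `aspx?` makes the `x` optional and then requires `ReturnUrl` to follow immediately, so that pattern does not match its own URL under `re.match`, while the `default.aspx` line does match. Escaping the URL (or writing an explicit anchored pattern such as `^https://master\.internal\.juriba\.com/.*$`) removes that ambiguity before looking for a bug elsewhere.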