Zaproxy: Offer Exclude from Reports

Created on 4 Dec 2019 · 3 Comments · Source: zaproxy/zaproxy

Is your feature request related to a problem? Please describe.
An application can involve third party resources, and the security of those resources may be outside of scope (in general it's impossible for someone dealing w/ a scan report to remediate any such items short of replacing the vendor which is usually undesirable).

Some items might be addressable by "deleting" nodes from the Sites tree, but others are required in case someone wants to perform additional tasks (esp. if the login sequence involves a third party site...).

Describe the solution you'd like
Currently, one can right click a Site folder and select Exclude from and then one of Proxy, Scanner, or Spider:
I'd like to see Reports in the list.

Describe alternatives you've considered
While one in Alerts can choose Show only URLs in Scope, or Link with Sites Selection (I suspect I'd rather it to be Link with Sites selection, but that's a different story), that doesn't have any impact on reporting.

Usability add-on enhancement

All 3 comments

I think this might be facilitated by the Export Report addon, but I'd have to test to be sure. You can either report based on Context or we already have a ticket open for reporting based on Context.

The CustomReport addon definitely allows you to select "In Scope" (https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsScope), select which Alerts you want (or which Risk levels), and which alert details to include.

Hmm, they're quite different, one has color coded alert backgrounds (serif) with no icon, the other has a different font (sans serif) and an icon with a centered heading.

And for reasons that aren't obvious, there are more items in the scoped report than in the one I was using before :-(.

I really need #5732 (and I need to file another asking for a table by URL...)

I'm not sure we should provide "Exclude from Reports" (maybe once the reporting capabilities are consolidated); instead, we should allow choosing what's included when configuring the report.
