Zaproxy: Directly report false positives from inside ZAP

Created on 3 Feb 2020 · 3 Comments · Source: zaproxy/zaproxy

Issue

At the moment reporting false positives requires numerous steps. New users of ZAP may not know where to report false positives leading to the community missing potential bugs that can be improved and make ZAP better.
Also, the only option is to 'delete' an alert, meaning that it doesn't show on the report and it's also impossible to create a report on the False Positives found.

Suggestion for improvement

Add two context menu items when right clicking on an alert item.

The Mark as False Positive option could just flag the alert as False Positive and put it at the end of the report as a list of False Positives.

The Report False Positive to the ZAP Project item could include the data needed to evaluate the False Positive and automatically start a GitHub ticket, open a browser and fill the ticket with the useful information needed for developers to fix the issue.

The end user can then fill the ticket with extra information to further clarify the bug, or remove any identifying information.

Other open source projects with similar functionality

Similar to how "ubuntu-bug" also known as "apport" works
https://wiki.ubuntu.com/Apport

Component-UI Usability enhancement

All 3 comments

Also, the only option is to 'delete' an alert, meaning that it doesn't show on the report and it's also impossible to create a report on the False Positives found.

No, you can choose to set any alert as confidence == False Positive, then it's still there and not reported on (or optionally reported on if you use one of the report add-ons).

However we could definitely simplify setting it.
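The reply above describes how ZAP handles this today: an alert whose confidence is set to False Positive stays in the session but is left out of the report. The following script is an added illustration, not code from the ZAP project, of doing the same split on the alert records the ZAP API returns, keeping the false positives as a trailing appendix as the issue suggests. The alert records are constructed sample data; only the fields the script uses are included.

```python
"""Split ZAP alerts into reportable findings and a false-positive appendix."""
from collections import Counter

# Confidence label ZAP uses for alerts a user has marked as false positive.
FALSE_POSITIVE = "False Positive"
# Sort order for the findings section, highest risk first.
RISK_ORDER = {"High": 0, "Medium": 1, "Low": 2, "Informational": 3}

# Constructed sample alerts shaped like ZAP's alert/view/alerts output
# (assumed field names: id, pluginId, alert, risk, confidence, url).
SAMPLE_ALERTS = [
    {"id": "1", "pluginId": "40012", "alert": "Cross Site Scripting (Reflected)",
     "risk": "High", "confidence": "Medium", "url": "http://example.test/search?q=x"},
    {"id": "2", "pluginId": "10021", "alert": "X-Content-Type-Options Header Missing",
     "risk": "Low", "confidence": "Medium", "url": "http://example.test/"},
    {"id": "3", "pluginId": "90022", "alert": "Application Error Disclosure",
     "risk": "Medium", "confidence": FALSE_POSITIVE, "url": "http://example.test/err"},
    {"id": "4", "pluginId": "10021", "alert": "X-Content-Type-Options Header Missing",
     "risk": "Low", "confidence": "Medium", "url": "http://example.test/"},
]


def partition_alerts(alerts):
    """Return (findings, false_positives), de-duplicated on (pluginId, url)."""
    seen, findings, false_positives = set(), [], []
    for a in alerts:
        key = (a["pluginId"], a["url"])
        if key in seen:  # same plugin on the same URL: one entry is enough
            continue
        seen.add(key)
        (false_positives if a["confidence"] == FALSE_POSITIVE else findings).append(a)
    findings.sort(key=lambda a: RISK_ORDER.get(a["risk"], len(RISK_ORDER)))
    return findings, false_positives


def risk_summary(findings):
    """Counts per risk level for the report header, e.g. {'High': 1, 'Low': 1}."""
    return dict(Counter(a["risk"] for a in findings))


def render_report(alerts):
    """Plain-text report: findings first, marked false positives as an appendix."""
    findings, fps = partition_alerts(alerts)
    lines = ["Findings:"]
    lines += [f"  [{a['risk']}] {a['alert']} ({a['pluginId']}) {a['url']}" for a in findings]
    lines.append("False positives (marked in ZAP, excluded from findings):")
    lines += [f"  {a['alert']} ({a['pluginId']}) {a['url']}" for a in fps]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(SAMPLE_ALERTS))
```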

Context menu for marking alerts False Positive will be in the next weekly release.

That's awesome that it got fixed so quickly. We've asked for similar requests from our commercial provider, and they take years to even acknowledge that an issue exists and then come with a half-baked solution that doesn't even work. Kudos to the OWASP ZAP Team!
