From 06f483b35abfd9beda51318ecefd1e999a0e37ec Mon Sep 17 00:00:00 2001
From: Tom Conner
Date: Fri, 23 May 2025 00:50:29 -0400
Subject: [PATCH 1/2] uri regex fix

---
 zap/src/scan.py | 24 +++++++++++++++++-------
 1 file changed, 17 insertions(+), 7 deletions(-)

diff --git a/zap/src/scan.py b/zap/src/scan.py
index cb9799db..1c1a9150 100755
--- a/zap/src/scan.py
+++ b/zap/src/scan.py
@@ -3,10 +3,10 @@ Runs ZAP scan, uploads results to Code Dx and GCS, and alerts Slack.
 """
+import csv
 import logging
 import os
 import re
-import csv
 from datetime import datetime, timedelta
 from enum import Enum
 from os import getenv
@@ -359,7 +365,12 @@ def slack_alert_without_report( # pylint: disable=too-many-arguments
     logging.info("Alert sent to Slack channel for DefectDojo upload report")
 # match a hash after a hyphen or dot, and only match 8 or 9 characters of hex
-URI_HASH_REGEX = re.compile(r"[-\.][a-zA-Z0-9]{8,9}(?![a-fA-F0-9])")
+URI_HASH_REGEX1 = re.compile(r"[-\.][a-zA-Z0-9]{8,9}(?![a-fA-F0-9])")
+REPLACEMENT1 = ""
+# remote a hash e.g. /assets/index-4au49BA-.js -> /assets/index.js
+URI_HASH_REGEX2 = re.compile(r"index-\w{7}-\.js")
+REPLACEMENT2 = "index.js"
+
 def clean_uri_path(xml_report):
     """
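Review bot: `URI_HASH_REGEX2` only recognises a hash of seven word characters plus a trailing `-`, so a bundle hash carrying `-` or `_` in any other position (`index-ab-defgh.js`, `index-abcdefg_.js`) is matched by neither it nor `URI_HASH_REGEX1`, whose class is only `[a-zA-Z0-9]`, and those findings keep failing to match across builds. If the example is Vite's default 8-character `[A-Za-z0-9_-]` hash (it looks like one; confirm against the bundler config), `URI_HASH_REGEX2 = re.compile(r"index-[\w-]{8}\.js")` covers every placement of the separator and still turns the quoted example into `index.js`. In the other direction, `URI_HASH_REGEX1` (unchanged apart from the rename) requires neither a digit nor a file extension, so ordinary path words such as `/user-settings` or `/reset.password` — eight letters followed by a non-hex character — are stripped as well, and findings on distinct endpoints collapse into one, which can hide a real issue once reports are deduplicated. If hashed names only ever appear as file stems in these reports, anchoring the pattern to one, e.g. `URI_HASH_REGEX1 = re.compile(r"[-\.][a-zA-Z0-9]{8,9}(?=\.[\w.]+$)")`, avoids that; either way a small table test over real report paths would pin both regexes down.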
@@ -367,12 +372,17 @@ def clean_uri_path(xml_report):
     """
     tree = ET.parse(xml_report)
     root = tree.getroot()
-    #There's a hash in bundled files that is causing flaws to not match
+    # There's a hash in bundled files that is causing flaws to not match
     # this should remove the hash.
-    for uri in root.iter('uri'):
-        r=urlparse(uri.text)
-        r=r._replace(path=URI_HASH_REGEX.sub('', r.path))
-        uri.text = urlunparse(r)
+    for uri in root.iter("uri"):
+        r = urlparse(uri.text)
+        print(type(r))
+        path_old = r.path
+        r = r._replace(path=URI_HASH_REGEX1.sub(REPLACEMENT1, r.path))
+        r = r._replace(path=URI_HASH_REGEX2.sub(REPLACEMENT2, r.path))
+        if r.path != path_old:
+            logging.info("URI %s -> %s", path_old, r.path)
+        uri.text = urlunparse(r)
     tree.write(xml_report)
 def get_codedx_findings_json(cdx,codedx_project):

From e4063c9fe4d050a04f100804119995daa7faeb81 Mon Sep 17 00:00:00 2001
From: Tom Conner
Date: Fri, 23 May 2025 00:56:43 -0400
Subject: [PATCH 2/2] remove debug print

---
 zap/src/scan.py | 1 -
 1 file changed, 1 deletion(-)

diff --git a/zap/src/scan.py b/zap/src/scan.py
index 1c1a9150..d232032a 100755
--- a/zap/src/scan.py
+++ b/zap/src/scan.py
@@ -376,7 +376,6 @@ def clean_uri_path(xml_report):
     # this should remove the hash.
     for uri in root.iter("uri"):
         r = urlparse(uri.text)
-        print(type(r))
         path_old = r.path
         r = r._replace(path=URI_HASH_REGEX1.sub(REPLACEMENT1, r.path))
         r = r._replace(path=URI_HASH_REGEX2.sub(REPLACEMENT2, r.path))
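Review bot: `urlparse(uri.text)` in the rewritten loop receives `None` for an empty `<uri/>` element, and `urllib.parse` coerces a non-str input into a bytes result, so the following `URI_HASH_REGEX1.sub(...)` on `r.path` raises `TypeError` and the whole rewrite aborts before `tree.write`; a guard `if not uri.text: continue` at the top of the loop keeps one odd entry from blocking the upload. Whether ZAP ever emits an empty `uri` element is not visible here, so treat it as a cheap defensive check rather than a known failure. The per-URI `logging.info("URI %s -> %s", ...)` fires for every finding whose path changed, i.e. every hashed asset on every scan; `logging.debug` keeps the trace available without flooding the scan log. The `def` line and docstring of `clean_uri_path` sit above this hunk.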