Merge pull request #64 from secureCodeBox/fix/truncate-zap-otherinfo-fields

Truncate overly long fields in ZAP Findings

Author: rfelber

scanners/zap/parser/__snapshots__/parser.test.js.snap

@@ -1,49 +1,67 @@
 function riskToSeverity(risk) {
   switch (parseInt(risk, 10)) {
     case 0:
-      return 'INFORMATIONAL';
+      return "INFORMATIONAL";
     case 1:
-      return 'LOW';
+      return "LOW";
     case 2:
-      return 'MEDIUM';
+      return "MEDIUM";
     default:
-      return 'HIGH';
+      return "HIGH";
   }
 }
 
-function stripHtmlTags(str)
-{
-   if ((!str) || ( str === null ) || ( str === '' ))
-       return false;
-  else
-   str = str.toString();
-  return str.replace(/<[^>]*>/g, '');
+function stripHtmlTags(str) {
+  if (!str || str === null || str === "") {
+    return false;
+  } else {
+    str = str.toString();
+  }
+  return str.replace(/<[^>]*>/g, "");
+}
+
+function truncate({ text, maxLength = 2048 }) {
+  if (!text || text.length < maxLength) {
+    return text;
+  }
+
+  return `${text.slice(0, maxLength)}...`;
 }
 
 async function parse(fileContent) {
   return fileContent.site.flatMap(
-    ({ '@name': location, '@host': host, alerts }) => {
-      return alerts.map(alert => {
+    ({ "@name": location, "@host": host, alerts }) => {
+      return alerts.map((alert) => {
+        const findingUrls = (alert.instances || []).map((instance) => {
+          return {
+            ...instance,
+            evidence: truncate({ text: instance.evidence, maxLength: 256 }),
+          };
+        });
+
         return {
           name: stripHtmlTags(alert.name),
           description: stripHtmlTags(alert.desc),
           hint: alert.hint,
           category: alert.alert || stripHtmlTags(alert.name),
           location,
-          osi_layer: 'APPLICATION',
+          osi_layer: "APPLICATION",
           severity: riskToSeverity(alert.riskcode),
           attributes: {
             host: host,
             zap_confidence: alert.confidence || null,
             zap_count: alert.count || null,
             zap_solution: stripHtmlTags(alert.solution) || null,
-            zap_otherinfo: stripHtmlTags(alert.otherinfo) || null,
+            zap_otherinfo: truncate({
+              text: stripHtmlTags(alert.otherinfo) || null,
+              maxLength: 2048,
+            }),
             zap_reference: stripHtmlTags(alert.reference) || null,
             zap_cweid: alert.cweid || null,
             zap_wascid: alert.wascid || null,
             zap_riskcode: alert.riskcode || null,
             zap_pluginid: alert.pluginid || null,
-            zap_finding_urls: alert.instances || null,
+            zap_finding_urls: findingUrls,
           },
         };
       });