buildanything 1.8.0 → 2.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.claude-plugin/marketplace.json +3 -3
- package/.claude-plugin/plugin.json +9 -3
- package/CHANGELOG.md +57 -0
- package/README.md +2 -2
- package/agents/a11y-architect.md +166 -0
- package/agents/business-model.md +80 -29
- package/agents/code-architect.md +75 -0
- package/agents/code-reviewer.md +255 -0
- package/agents/code-simplifier.md +64 -0
- package/agents/design-brand-guardian.md +293 -53
- package/agents/design-critic.md +139 -0
- package/agents/design-inclusive-visuals-specialist.md +6 -19
- package/agents/design-ui-designer.md +335 -56
- package/agents/design-ux-architect.md +403 -55
- package/agents/design-ux-researcher.md +264 -49
- package/agents/engineering-ai-engineer.md +26 -36
- package/agents/engineering-backend-architect.md +185 -36
- package/agents/engineering-data-engineer.md +225 -43
- package/agents/engineering-devops-automator.md +227 -74
- package/agents/engineering-frontend-developer.md +210 -34
- package/agents/engineering-mobile-app-builder.md +6 -1
- package/agents/engineering-rapid-prototyper.md +30 -9
- package/agents/engineering-security-engineer.md +263 -61
- package/agents/engineering-senior-developer.md +128 -19
- package/agents/engineering-sre.md +84 -0
- package/agents/engineering-technical-writer.md +285 -41
- package/agents/feature-intel.md +110 -0
- package/agents/ios-app-review-guardian.md +19 -2
- package/agents/ios-foundation-models-specialist.md +20 -2
- package/agents/ios-storekit-specialist.md +9 -2
- package/agents/ios-swift-architect.md +28 -1
- package/agents/ios-swift-search.md +8 -1
- package/agents/ios-swift-ui-design.md +33 -1
- package/agents/marketing-app-store-optimizer.md +246 -64
- package/agents/planner.md +216 -0
- package/agents/pr-test-analyzer.md +63 -0
- package/agents/product-feedback-synthesizer.md +8 -2
- package/agents/refactor-cleaner.md +102 -0
- package/agents/security-reviewer.md +128 -0
- package/agents/silent-failure-hunter.md +54 -0
- package/agents/swift-build-resolver.md +119 -0
- package/agents/swift-reviewer.md +112 -0
- package/agents/tech-feasibility.md +21 -1
- package/agents/testing-api-tester.md +236 -59
- package/agents/testing-evidence-collector.md +26 -1
- package/agents/testing-performance-benchmarker.md +21 -1
- package/agents/testing-reality-checker.md +6 -1
- package/agents/visual-research.md +116 -0
- package/bin/adapters/cycle-counter-tool.ts +155 -0
- package/bin/adapters/scribe-tool.ts +71 -0
- package/bin/adapters/state-save-tool.ts +130 -0
- package/bin/adapters/write-lease-tool.ts +127 -0
- package/bin/buildanything-runtime.js +15 -0
- package/bin/buildanything-runtime.ts +328 -0
- package/bin/setup.js +83 -8
- package/commands/add-feature.md +2 -0
- package/commands/build.md +782 -266
- package/commands/fix.md +1 -1
- package/commands/self-check.md +121 -0
- package/commands/setup.md +50 -9
- package/commands/ux-review.md +2 -2
- package/commands/verify.md +6 -9
- package/docs/migration/agents.yaml +729 -0
- package/docs/migration/phase-graph.yaml +1088 -0
- package/docs/migration/sdk-host-compat.md +18 -0
- package/hooks/compile-writer-owner-cache.ts +171 -0
- package/hooks/hooks.json +36 -0
- package/hooks/pre-tool-use +19 -0
- package/hooks/pre-tool-use.ts +776 -0
- package/hooks/record-mode-transitions.ts +178 -0
- package/hooks/session-start +71 -1
- package/hooks/subagent-start +17 -0
- package/hooks/subagent-start.ts +471 -0
- package/hooks/subagent-stop +17 -0
- package/hooks/subagent-stop.ts +153 -0
- package/package.json +24 -4
- package/protocols/architecture-schema.md +171 -0
- package/protocols/decision-log.md +131 -0
- package/protocols/ios-context.md +10 -11
- package/protocols/ios-phase-branches.md +208 -33
- package/protocols/launch-readiness.md +258 -0
- package/protocols/metric-loop.md +62 -2
- package/protocols/smoke-test.md +9 -1
- package/protocols/state-schema.json +388 -0
- package/protocols/state-schema.md +172 -0
- package/protocols/verify.md +62 -2
- package/protocols/visual-dna.md +185 -0
- package/protocols/web-phase-branches.md +222 -72
- package/skills/ios/_VENDORED.md +2 -0
- package/skills/ios/app-store-connect-metadata/SKILL.md +148 -0
- package/skills/ios/asc-privacy-manifest/SKILL.md +350 -0
- package/skills/ios/hig-components-content/SKILL.md +86 -0
- package/skills/ios/hig-components-content/references/activity-views.md +79 -0
- package/skills/ios/hig-components-content/references/charts.md +180 -0
- package/skills/ios/hig-components-content/references/collections.md +48 -0
- package/skills/ios/hig-components-content/references/color-wells.md +42 -0
- package/skills/ios/hig-components-content/references/image-views.md +82 -0
- package/skills/ios/hig-components-content/references/image-wells.md +34 -0
- package/skills/ios/hig-components-content/references/lockups.md +78 -0
- package/skills/ios/hig-components-content/references/web-views.md +36 -0
- package/skills/ios/hig-components-controls/SKILL.md +88 -0
- package/skills/ios/hig-components-controls/references/combo-boxes.md +40 -0
- package/skills/ios/hig-components-controls/references/controls.md +112 -0
- package/skills/ios/hig-components-controls/references/gauges.md +74 -0
- package/skills/ios/hig-components-controls/references/labels.md +92 -0
- package/skills/ios/hig-components-controls/references/pickers.md +128 -0
- package/skills/ios/hig-components-controls/references/rating-indicators.md +38 -0
- package/skills/ios/hig-components-controls/references/segmented-controls.md +94 -0
- package/skills/ios/hig-components-controls/references/sliders.md +92 -0
- package/skills/ios/hig-components-controls/references/steppers.md +40 -0
- package/skills/ios/hig-components-controls/references/text-fields.md +88 -0
- package/skills/ios/hig-components-controls/references/text-views.md +56 -0
- package/skills/ios/hig-components-controls/references/toggles.md +127 -0
- package/skills/ios/hig-components-controls/references/token-fields.md +48 -0
- package/skills/ios/hig-components-controls/references/virtual-keyboards.md +156 -0
- package/skills/ios/hig-components-dialogs/SKILL.md +76 -0
- package/skills/ios/hig-components-dialogs/references/action-sheets.md +74 -0
- package/skills/ios/hig-components-dialogs/references/alerts.md +158 -0
- package/skills/ios/hig-components-dialogs/references/digit-entry-views.md +32 -0
- package/skills/ios/hig-components-dialogs/references/popovers.md +81 -0
- package/skills/ios/hig-components-dialogs/references/sheets.md +157 -0
- package/skills/ios/hig-components-layout/SKILL.md +99 -0
- package/skills/ios/hig-components-layout/references/boxes.md +48 -0
- package/skills/ios/hig-components-layout/references/column-views.md +44 -0
- package/skills/ios/hig-components-layout/references/lists-and-tables.md +99 -0
- package/skills/ios/hig-components-layout/references/ornaments.md +56 -0
- package/skills/ios/hig-components-layout/references/outline-views.md +64 -0
- package/skills/ios/hig-components-layout/references/panels.md +75 -0
- package/skills/ios/hig-components-layout/references/scroll-views.md +123 -0
- package/skills/ios/hig-components-layout/references/sidebars.md +109 -0
- package/skills/ios/hig-components-layout/references/split-views.md +110 -0
- package/skills/ios/hig-components-layout/references/tab-bars.md +173 -0
- package/skills/ios/hig-components-layout/references/tab-views.md +68 -0
- package/skills/ios/hig-components-layout/references/windows.md +188 -0
- package/skills/ios/hig-components-menus/SKILL.md +81 -0
- package/skills/ios/hig-components-menus/references/action-button.md +61 -0
- package/skills/ios/hig-components-menus/references/buttons.md +261 -0
- package/skills/ios/hig-components-menus/references/context-menus.md +105 -0
- package/skills/ios/hig-components-menus/references/disclosure-controls.md +84 -0
- package/skills/ios/hig-components-menus/references/dock-menus.md +40 -0
- package/skills/ios/hig-components-menus/references/edit-menus.md +88 -0
- package/skills/ios/hig-components-menus/references/menus.md +171 -0
- package/skills/ios/hig-components-menus/references/pop-up-buttons.md +70 -0
- package/skills/ios/hig-components-menus/references/pull-down-buttons.md +77 -0
- package/skills/ios/hig-components-menus/references/the-menu-bar.md +303 -0
- package/skills/ios/hig-components-menus/references/toolbars.md +256 -0
- package/skills/ios/hig-components-search/SKILL.md +68 -0
- package/skills/ios/hig-components-search/references/page-controls.md +120 -0
- package/skills/ios/hig-components-search/references/path-controls.md +40 -0
- package/skills/ios/hig-components-search/references/search-fields.md +189 -0
- package/skills/ios/hig-components-status/SKILL.md +80 -0
- package/skills/ios/hig-components-status/references/activity-rings.md +105 -0
- package/skills/ios/hig-components-status/references/progress-indicators.md +116 -0
- package/skills/ios/hig-components-status/references/status-bars.md +38 -0
- package/skills/ios/hig-components-system/SKILL.md +88 -0
- package/skills/ios/hig-components-system/references/app-clips.md +387 -0
- package/skills/ios/hig-components-system/references/app-shortcuts.md +114 -0
- package/skills/ios/hig-components-system/references/complications.md +425 -0
- package/skills/ios/hig-components-system/references/home-screen-quick-actions.md +42 -0
- package/skills/ios/hig-components-system/references/live-activities.md +442 -0
- package/skills/ios/hig-components-system/references/notifications.md +153 -0
- package/skills/ios/hig-components-system/references/top-shelf.md +135 -0
- package/skills/ios/hig-components-system/references/watch-faces.md +40 -0
- package/skills/ios/hig-components-system/references/widgets.md +517 -0
- package/skills/ios/hig-foundations/SKILL.md +98 -0
- package/skills/ios/hig-foundations/references/accessibility.md +291 -0
- package/skills/ios/hig-foundations/references/app-icons.md +210 -0
- package/skills/ios/hig-foundations/references/branding.md +44 -0
- package/skills/ios/hig-foundations/references/color.md +274 -0
- package/skills/ios/hig-foundations/references/dark-mode.md +116 -0
- package/skills/ios/hig-foundations/references/icons.md +263 -0
- package/skills/ios/hig-foundations/references/images.md +176 -0
- package/skills/ios/hig-foundations/references/immersive-experiences.md +174 -0
- package/skills/ios/hig-foundations/references/inclusion.md +189 -0
- package/skills/ios/hig-foundations/references/layout.md +425 -0
- package/skills/ios/hig-foundations/references/materials.md +238 -0
- package/skills/ios/hig-foundations/references/motion.md +103 -0
- package/skills/ios/hig-foundations/references/privacy.md +231 -0
- package/skills/ios/hig-foundations/references/right-to-left.md +206 -0
- package/skills/ios/hig-foundations/references/sf-symbols.md +310 -0
- package/skills/ios/hig-foundations/references/spatial-layout.md +142 -0
- package/skills/ios/hig-foundations/references/typography.md +1146 -0
- package/skills/ios/hig-foundations/references/writing.md +91 -0
- package/skills/ios/hig-inputs/SKILL.md +94 -0
- package/skills/ios/hig-inputs/references/apple-pencil-and-scribble.md +148 -0
- package/skills/ios/hig-inputs/references/camera-control.md +107 -0
- package/skills/ios/hig-inputs/references/digital-crown.md +83 -0
- package/skills/ios/hig-inputs/references/eyes.md +120 -0
- package/skills/ios/hig-inputs/references/focus-and-selection.md +120 -0
- package/skills/ios/hig-inputs/references/game-controls.md +156 -0
- package/skills/ios/hig-inputs/references/gestures.md +208 -0
- package/skills/ios/hig-inputs/references/gyro-and-accelerometer.md +40 -0
- package/skills/ios/hig-inputs/references/keyboards.md +234 -0
- package/skills/ios/hig-inputs/references/nearby-interactions.md +70 -0
- package/skills/ios/hig-inputs/references/pointing-devices.md +237 -0
- package/skills/ios/hig-inputs/references/remotes.md +67 -0
- package/skills/ios/hig-inputs/references/spatial-interactions.md +70 -0
- package/skills/ios/hig-patterns/SKILL.md +104 -0
- package/skills/ios/hig-patterns/references/charting-data.md +81 -0
- package/skills/ios/hig-patterns/references/collaboration-and-sharing.md +86 -0
- package/skills/ios/hig-patterns/references/drag-and-drop.md +134 -0
- package/skills/ios/hig-patterns/references/entering-data.md +69 -0
- package/skills/ios/hig-patterns/references/feedback.md +67 -0
- package/skills/ios/hig-patterns/references/file-management.md +135 -0
- package/skills/ios/hig-patterns/references/going-full-screen.md +79 -0
- package/skills/ios/hig-patterns/references/launching.md +81 -0
- package/skills/ios/hig-patterns/references/live-viewing-apps.md +79 -0
- package/skills/ios/hig-patterns/references/loading.md +59 -0
- package/skills/ios/hig-patterns/references/managing-accounts.md +107 -0
- package/skills/ios/hig-patterns/references/managing-notifications.md +99 -0
- package/skills/ios/hig-patterns/references/modality.md +82 -0
- package/skills/ios/hig-patterns/references/multitasking.md +131 -0
- package/skills/ios/hig-patterns/references/offering-help.md +117 -0
- package/skills/ios/hig-patterns/references/onboarding.md +69 -0
- package/skills/ios/hig-patterns/references/playing-audio.md +124 -0
- package/skills/ios/hig-patterns/references/playing-haptics.md +280 -0
- package/skills/ios/hig-patterns/references/playing-video.md +180 -0
- package/skills/ios/hig-patterns/references/printing.md +50 -0
- package/skills/ios/hig-patterns/references/ratings-and-reviews.md +48 -0
- package/skills/ios/hig-patterns/references/searching.md +70 -0
- package/skills/ios/hig-patterns/references/settings.md +84 -0
- package/skills/ios/hig-patterns/references/undo-and-redo.md +58 -0
- package/skills/ios/hig-patterns/references/workouts.md +76 -0
- package/skills/ios/hig-platforms/SKILL.md +84 -0
- package/skills/ios/hig-platforms/references/designing-for-games.md +159 -0
- package/skills/ios/hig-platforms/references/designing-for-ios.md +66 -0
- package/skills/ios/hig-platforms/references/designing-for-ipados.md +64 -0
- package/skills/ios/hig-platforms/references/designing-for-macos.md +70 -0
- package/skills/ios/hig-platforms/references/designing-for-tvos.md +68 -0
- package/skills/ios/hig-platforms/references/designing-for-visionos.md +85 -0
- package/skills/ios/hig-platforms/references/designing-for-watchos.md +74 -0
- package/skills/ios/hig-project-context/SKILL.md +133 -0
- package/skills/ios/hig-technologies/SKILL.md +107 -0
- package/skills/ios/hig-technologies/references/airplay.md +125 -0
- package/skills/ios/hig-technologies/references/always-on.md +62 -0
- package/skills/ios/hig-technologies/references/apple-pay.md +441 -0
- package/skills/ios/hig-technologies/references/augmented-reality.md +247 -0
- package/skills/ios/hig-technologies/references/carekit.md +224 -0
- package/skills/ios/hig-technologies/references/carplay.md +119 -0
- package/skills/ios/hig-technologies/references/game-center.md +343 -0
- package/skills/ios/hig-technologies/references/generative-ai.md +110 -0
- package/skills/ios/hig-technologies/references/healthkit.md +120 -0
- package/skills/ios/hig-technologies/references/homekit.md +343 -0
- package/skills/ios/hig-technologies/references/icloud.md +52 -0
- package/skills/ios/hig-technologies/references/id-verifier.md +73 -0
- package/skills/ios/hig-technologies/references/imessage-apps-and-stickers.md +105 -0
- package/skills/ios/hig-technologies/references/in-app-purchase.md +263 -0
- package/skills/ios/hig-technologies/references/live-photos.md +54 -0
- package/skills/ios/hig-technologies/references/mac-catalyst.md +216 -0
- package/skills/ios/hig-technologies/references/machine-learning.md +394 -0
- package/skills/ios/hig-technologies/references/maps.md +221 -0
- package/skills/ios/hig-technologies/references/nfc.md +51 -0
- package/skills/ios/hig-technologies/references/photo-editing.md +40 -0
- package/skills/ios/hig-technologies/references/researchkit.md +134 -0
- package/skills/ios/hig-technologies/references/shareplay.md +142 -0
- package/skills/ios/hig-technologies/references/shazamkit.md +47 -0
- package/skills/ios/hig-technologies/references/sign-in-with-apple.md +288 -0
- package/skills/ios/hig-technologies/references/siri.md +523 -0
- package/skills/ios/hig-technologies/references/tap-to-pay-on-iphone.md +208 -0
- package/skills/ios/hig-technologies/references/voiceover.md +90 -0
- package/skills/ios/hig-technologies/references/wallet.md +420 -0
- package/skills/ios/ios-bootstrap/SKILL.md +16 -7
- package/skills/ios/swift-actor-persistence/SKILL.md +143 -0
- package/skills/ios/swift-concurrency-6-2/SKILL.md +216 -0
- package/skills/ios/swift-protocol-di-testing/SKILL.md +190 -0
- package/skills/ios/swiftui-design-tokens/SKILL.md +475 -0
- package/skills/ios/writing-for-interfaces/SKILL.md +75 -0
- package/skills/web/accessibility/SKILL.md +146 -0
- package/skills/web/aceternity-ui/SKILL.md +719 -0
- package/skills/web/aceternity-ui/metadata.json +10 -0
- package/skills/web/api-design/SKILL.md +523 -0
- package/skills/web/chart-accessibility/SKILL.md +332 -0
- package/skills/web/composition-patterns/AGENTS.md +946 -0
- package/skills/web/composition-patterns/README.md +60 -0
- package/skills/web/composition-patterns/SKILL.md +89 -0
- package/skills/web/composition-patterns/metadata.json +11 -0
- package/skills/web/composition-patterns/rules/_sections.md +29 -0
- package/skills/web/composition-patterns/rules/_template.md +24 -0
- package/skills/web/composition-patterns/rules/architecture-avoid-boolean-props.md +100 -0
- package/skills/web/composition-patterns/rules/architecture-compound-components.md +112 -0
- package/skills/web/composition-patterns/rules/patterns-children-over-render-props.md +87 -0
- package/skills/web/composition-patterns/rules/patterns-explicit-variants.md +100 -0
- package/skills/web/composition-patterns/rules/react19-no-forwardref.md +42 -0
- package/skills/web/composition-patterns/rules/state-context-interface.md +191 -0
- package/skills/web/composition-patterns/rules/state-decouple-implementation.md +113 -0
- package/skills/web/composition-patterns/rules/state-lift-state.md +125 -0
- package/skills/web/cost-aware-llm-pipeline/SKILL.md +183 -0
- package/skills/web/database-migrations/SKILL.md +429 -0
- package/skills/web/deployment-patterns/SKILL.md +427 -0
- package/skills/web/docker-patterns/SKILL.md +364 -0
- package/skills/web/e2e-testing/SKILL.md +326 -0
- package/skills/web/lighthouse-ci/SKILL.md +361 -0
- package/skills/web/mcp-server-patterns/SKILL.md +69 -0
- package/skills/web/next-best-practices/SKILL.md +153 -0
- package/skills/web/next-best-practices/async-patterns.md +87 -0
- package/skills/web/next-best-practices/bundling.md +180 -0
- package/skills/web/next-best-practices/data-patterns.md +297 -0
- package/skills/web/next-best-practices/debug-tricks.md +105 -0
- package/skills/web/next-best-practices/directives.md +73 -0
- package/skills/web/next-best-practices/error-handling.md +227 -0
- package/skills/web/next-best-practices/file-conventions.md +140 -0
- package/skills/web/next-best-practices/font.md +245 -0
- package/skills/web/next-best-practices/functions.md +108 -0
- package/skills/web/next-best-practices/hydration-error.md +91 -0
- package/skills/web/next-best-practices/image.md +173 -0
- package/skills/web/next-best-practices/metadata.md +301 -0
- package/skills/web/next-best-practices/parallel-routes.md +287 -0
- package/skills/web/next-best-practices/route-handlers.md +146 -0
- package/skills/web/next-best-practices/rsc-boundaries.md +159 -0
- package/skills/web/next-best-practices/runtime-selection.md +39 -0
- package/skills/web/next-best-practices/scripts.md +141 -0
- package/skills/web/next-best-practices/self-hosting.md +371 -0
- package/skills/web/next-best-practices/suspense-boundaries.md +67 -0
- package/skills/web/next-cache-components/SKILL.md +411 -0
- package/skills/web/postgres-best-practices/SKILL.md +14 -0
- package/skills/web/postgres-best-practices/references/schema-design.md +9 -0
- package/skills/web/react-best-practices/AGENTS.md +3810 -0
- package/skills/web/react-best-practices/README.md +123 -0
- package/skills/web/react-best-practices/SKILL.md +149 -0
- package/skills/web/react-best-practices/metadata.json +15 -0
- package/skills/web/react-best-practices/rules/_sections.md +46 -0
- package/skills/web/react-best-practices/rules/_template.md +28 -0
- package/skills/web/react-best-practices/rules/advanced-effect-event-deps.md +56 -0
- package/skills/web/react-best-practices/rules/advanced-event-handler-refs.md +55 -0
- package/skills/web/react-best-practices/rules/advanced-init-once.md +42 -0
- package/skills/web/react-best-practices/rules/advanced-use-latest.md +39 -0
- package/skills/web/react-best-practices/rules/async-api-routes.md +38 -0
- package/skills/web/react-best-practices/rules/async-cheap-condition-before-await.md +37 -0
- package/skills/web/react-best-practices/rules/async-defer-await.md +82 -0
- package/skills/web/react-best-practices/rules/async-dependencies.md +51 -0
- package/skills/web/react-best-practices/rules/async-parallel.md +28 -0
- package/skills/web/react-best-practices/rules/async-suspense-boundaries.md +99 -0
- package/skills/web/react-best-practices/rules/bundle-analyzable-paths.md +63 -0
- package/skills/web/react-best-practices/rules/bundle-barrel-imports.md +60 -0
- package/skills/web/react-best-practices/rules/bundle-conditional.md +31 -0
- package/skills/web/react-best-practices/rules/bundle-defer-third-party.md +49 -0
- package/skills/web/react-best-practices/rules/bundle-dynamic-imports.md +35 -0
- package/skills/web/react-best-practices/rules/bundle-preload.md +50 -0
- package/skills/web/react-best-practices/rules/client-event-listeners.md +74 -0
- package/skills/web/react-best-practices/rules/client-localstorage-schema.md +71 -0
- package/skills/web/react-best-practices/rules/client-passive-event-listeners.md +48 -0
- package/skills/web/react-best-practices/rules/client-swr-dedup.md +56 -0
- package/skills/web/react-best-practices/rules/js-batch-dom-css.md +107 -0
- package/skills/web/react-best-practices/rules/js-cache-function-results.md +80 -0
- package/skills/web/react-best-practices/rules/js-cache-property-access.md +28 -0
- package/skills/web/react-best-practices/rules/js-cache-storage.md +70 -0
- package/skills/web/react-best-practices/rules/js-combine-iterations.md +32 -0
- package/skills/web/react-best-practices/rules/js-early-exit.md +50 -0
- package/skills/web/react-best-practices/rules/js-flatmap-filter.md +60 -0
- package/skills/web/react-best-practices/rules/js-hoist-regexp.md +45 -0
- package/skills/web/react-best-practices/rules/js-index-maps.md +37 -0
- package/skills/web/react-best-practices/rules/js-length-check-first.md +49 -0
- package/skills/web/react-best-practices/rules/js-min-max-loop.md +82 -0
- package/skills/web/react-best-practices/rules/js-request-idle-callback.md +105 -0
- package/skills/web/react-best-practices/rules/js-set-map-lookups.md +24 -0
- package/skills/web/react-best-practices/rules/js-tosorted-immutable.md +57 -0
- package/skills/web/react-best-practices/rules/rendering-activity.md +26 -0
- package/skills/web/react-best-practices/rules/rendering-animate-svg-wrapper.md +47 -0
- package/skills/web/react-best-practices/rules/rendering-conditional-render.md +40 -0
- package/skills/web/react-best-practices/rules/rendering-content-visibility.md +38 -0
- package/skills/web/react-best-practices/rules/rendering-hoist-jsx.md +46 -0
- package/skills/web/react-best-practices/rules/rendering-hydration-no-flicker.md +82 -0
- package/skills/web/react-best-practices/rules/rendering-hydration-suppress-warning.md +30 -0
- package/skills/web/react-best-practices/rules/rendering-resource-hints.md +85 -0
- package/skills/web/react-best-practices/rules/rendering-script-defer-async.md +68 -0
- package/skills/web/react-best-practices/rules/rendering-svg-precision.md +28 -0
- package/skills/web/react-best-practices/rules/rendering-usetransition-loading.md +75 -0
- package/skills/web/react-best-practices/rules/rerender-defer-reads.md +39 -0
- package/skills/web/react-best-practices/rules/rerender-dependencies.md +45 -0
- package/skills/web/react-best-practices/rules/rerender-derived-state-no-effect.md +40 -0
- package/skills/web/react-best-practices/rules/rerender-derived-state.md +29 -0
- package/skills/web/react-best-practices/rules/rerender-functional-setstate.md +74 -0
- package/skills/web/react-best-practices/rules/rerender-lazy-state-init.md +58 -0
- package/skills/web/react-best-practices/rules/rerender-memo-with-default-value.md +38 -0
- package/skills/web/react-best-practices/rules/rerender-memo.md +44 -0
- package/skills/web/react-best-practices/rules/rerender-move-effect-to-event.md +45 -0
- package/skills/web/react-best-practices/rules/rerender-no-inline-components.md +82 -0
- package/skills/web/react-best-practices/rules/rerender-simple-expression-in-memo.md +35 -0
- package/skills/web/react-best-practices/rules/rerender-split-combined-hooks.md +64 -0
- package/skills/web/react-best-practices/rules/rerender-transitions.md +40 -0
- package/skills/web/react-best-practices/rules/rerender-use-deferred-value.md +59 -0
- package/skills/web/react-best-practices/rules/rerender-use-ref-transient-values.md +73 -0
- package/skills/web/react-best-practices/rules/server-after-nonblocking.md +73 -0
- package/skills/web/react-best-practices/rules/server-auth-actions.md +96 -0
- package/skills/web/react-best-practices/rules/server-cache-lru.md +41 -0
- package/skills/web/react-best-practices/rules/server-cache-react.md +76 -0
- package/skills/web/react-best-practices/rules/server-dedup-props.md +65 -0
- package/skills/web/react-best-practices/rules/server-hoist-static-io.md +149 -0
- package/skills/web/react-best-practices/rules/server-no-shared-module-state.md +50 -0
- package/skills/web/react-best-practices/rules/server-parallel-fetching.md +83 -0
- package/skills/web/react-best-practices/rules/server-parallel-nested-fetching.md +34 -0
- package/skills/web/react-best-practices/rules/server-serialization.md +38 -0
- package/skills/web/seo/SKILL.md +154 -0
- package/skills/web/web-design-guidelines/SKILL.md +39 -0
- package/skills/web/zap-scan-config/SKILL.md +444 -0
- package/skills/web/zap-scan-config/assets/.gitkeep +9 -0
- package/skills/web/zap-scan-config/assets/github_action.yml +207 -0
- package/skills/web/zap-scan-config/assets/gitlab_ci.yml +226 -0
- package/skills/web/zap-scan-config/assets/zap_automation.yaml +196 -0
- package/skills/web/zap-scan-config/assets/zap_context.xml +192 -0
- package/skills/web/zap-scan-config/references/EXAMPLE.md +40 -0
- package/skills/web/zap-scan-config/references/api_testing_guide.md +475 -0
- package/skills/web/zap-scan-config/references/authentication_guide.md +431 -0
- package/skills/web/zap-scan-config/references/false_positive_handling.md +427 -0
- package/skills/web/zap-scan-config/references/owasp_mapping.md +255 -0
- package/src/lrr/aggregator.ts +80 -0
- package/src/orchestrator/hooks/context-header.ts +95 -0
- package/src/orchestrator/hooks/token-accounting-emitter.ts +77 -0
- package/src/orchestrator/hooks/token-accounting.ts +101 -0
- package/src/orchestrator/mcp/cycle-counter.ts +129 -0
- package/src/orchestrator/mcp/scribe.ts +283 -0
- package/src/orchestrator/mcp/state-save.ts +149 -0
- package/src/orchestrator/mcp/write-lease.ts +167 -0
- package/src/orchestrator/phase4-shared-context.ts +41 -0
- package/src/orchestrator/schemas/backward-edge.ts +46 -0
- package/agents/agentic-identity-trust.md +0 -121
- package/agents/data-consolidation-agent.md +0 -39
- package/agents/design-image-prompt-engineer.md +0 -105
- package/agents/design-visual-storyteller.md +0 -147
- package/agents/design-whimsy-injector.md +0 -89
- package/agents/engineering-autonomous-optimization-architect.md +0 -105
- package/agents/market-intel.md +0 -35
- package/agents/marketing-instagram-curator.md +0 -111
- package/agents/marketing-reddit-community-builder.md +0 -121
- package/agents/marketing-social-media-strategist.md +0 -74
- package/agents/marketing-tiktok-strategist.md +0 -123
- package/agents/marketing-twitter-engager.md +0 -124
- package/agents/marketing-wechat-official-account.md +0 -143
- package/agents/marketing-xiaohongshu-specialist.md +0 -136
- package/agents/marketing-zhihu-strategist.md +0 -160
- package/agents/product-behavioral-nudge-engine.md +0 -78
- package/agents/project-management-experiment-tracker.md +0 -102
- package/agents/report-distribution-agent.md +0 -43
- package/agents/risk-analysis.md +0 -45
- package/agents/sales-data-extraction-agent.md +0 -46
- package/agents/specialized-cultural-intelligence-strategist.md +0 -65
- package/agents/specialized-developer-advocate.md +0 -146
- package/agents/support-analytics-reporter.md +0 -133
- package/agents/support-executive-summary-generator.md +0 -64
- package/agents/support-finance-tracker.md +0 -145
- package/agents/support-legal-compliance-checker.md +0 -129
- package/agents/support-support-responder.md +0 -91
- package/agents/testing-accessibility-auditor.md +0 -110
- package/agents/testing-test-results-analyzer.md +0 -97
- package/agents/testing-tool-evaluator.md +0 -76
- package/agents/testing-workflow-optimizer.md +0 -99
- package/agents/user-research.md +0 -40
- package/protocols/brainstorm.md +0 -99
- package/protocols/design.md +0 -269
- package/protocols/planning.md +0 -87
- package/skills/ios/ios-hig/SKILL.md +0 -41
- package/skills/ios/ios-hig/references/accessibility.md +0 -81
- package/skills/ios/ios-hig/references/content.md +0 -142
- package/skills/ios/ios-hig/references/feedback.md +0 -123
- package/skills/ios/ios-hig/references/interaction.md +0 -199
- package/skills/ios/ios-hig/references/performance-platform.md +0 -129
- package/skills/ios/ios-hig/references/privacy-permissions.md +0 -181
- package/skills/ios/ios-hig/references/visual-design.md +0 -84
|
@@ -0,0 +1,427 @@
|
|
|
1
|
+
# ZAP False Positive Handling Guide
|
|
2
|
+
|
|
3
|
+
Guide for identifying, verifying, and suppressing false positives in OWASP ZAP scan results.
|
|
4
|
+
|
|
5
|
+
## Overview
|
|
6
|
+
|
|
7
|
+
DAST tools like ZAP generate false positives - alerts for issues that aren't actually exploitable vulnerabilities. This guide helps you:
|
|
8
|
+
|
|
9
|
+
1. Identify common false positives
|
|
10
|
+
2. Verify findings manually
|
|
11
|
+
3. Suppress false positives in future scans
|
|
12
|
+
4. Tune scan policies
|
|
13
|
+
|
|
14
|
+
## Common False Positives
|
|
15
|
+
|
|
16
|
+
### 1. X-Content-Type-Options Missing
|
|
17
|
+
|
|
18
|
+
**Alert:** Missing X-Content-Type-Options header
|
|
19
|
+
|
|
20
|
+
**False Positive Scenario:**
|
|
21
|
+
- Static content served by CDNs
|
|
22
|
+
- Third-party resources
|
|
23
|
+
- Legacy browsers not supported
|
|
24
|
+
|
|
25
|
+
**Verification:**
|
|
26
|
+
```bash
|
|
27
|
+
curl -I https://example.com/static/script.js
|
|
28
|
+
# Check if browser performs MIME sniffing
|
|
29
|
+
```
|
|
30
|
+
|
|
31
|
+
**When to Suppress:**
|
|
32
|
+
- Static content only (CSS, JS, images)
|
|
33
|
+
- Content served from trusted CDN
|
|
34
|
+
- No user-controlled content in responses
|
|
35
|
+
|
|
36
|
+
**Suppression Rule:**
|
|
37
|
+
```tsv
|
|
38
|
+
10021 https://cdn.example.com/.* .* 693 IGNORE
|
|
39
|
+
```
|
|
40
|
+
|
|
41
|
+
### 2. Cookie Without Secure Flag
|
|
42
|
+
|
|
43
|
+
**Alert:** Cookie without Secure flag set
|
|
44
|
+
|
|
45
|
+
**False Positive Scenario:**
|
|
46
|
+
- Development/testing environments (HTTP)
|
|
47
|
+
- Non-sensitive cookies (analytics, preferences)
|
|
48
|
+
- Localhost testing
|
|
49
|
+
|
|
50
|
+
**Verification:**
|
|
51
|
+
```bash
|
|
52
|
+
curl -I https://example.com
|
|
53
|
+
# Check Set-Cookie headers
|
|
54
|
+
# Verify if cookie contains sensitive data
|
|
55
|
+
```
|
|
56
|
+
|
|
57
|
+
**When to Suppress:**
|
|
58
|
+
- Non-sensitive cookies (theme preference, language)
|
|
59
|
+
- HTTP-only development environments
|
|
60
|
+
- Third-party analytics cookies
|
|
61
|
+
|
|
62
|
+
**Suppression Rule:**
|
|
63
|
+
```tsv
|
|
64
|
+
10054 https://example.com.* _ga|_gid|theme 614 WARN
|
|
65
|
+
```
|
|
66
|
+
|
|
67
|
+
### 3. Cross-Domain JavaScript Source File Inclusion
|
|
68
|
+
|
|
69
|
+
**Alert:** JavaScript loaded from external domain
|
|
70
|
+
|
|
71
|
+
**False Positive Scenario:**
|
|
72
|
+
- Legitimate CDN usage (jQuery, Bootstrap, etc.)
|
|
73
|
+
- Third-party integrations (Google Analytics, Stripe)
|
|
74
|
+
- Using Subresource Integrity (SRI)
|
|
75
|
+
|
|
76
|
+
**Verification:**
|
|
77
|
+
```html
|
|
78
|
+
<!-- Check if SRI is used -->
|
|
79
|
+
<script src="https://cdn.example.com/library.js"
|
|
80
|
+
integrity="sha384-HASH"
|
|
81
|
+
crossorigin="anonymous"></script>
|
|
82
|
+
```
|
|
83
|
+
|
|
84
|
+
**When to Suppress:**
|
|
85
|
+
- CDN resources with SRI
|
|
86
|
+
- Trusted third-party services
|
|
87
|
+
- Company-owned CDN domains
|
|
88
|
+
|
|
89
|
+
**Suppression Rule:**
|
|
90
|
+
```tsv
|
|
91
|
+
10017 https://example.com/.* https://cdn.jsdelivr.net/.* 829 IGNORE
|
|
92
|
+
```
|
|
93
|
+
|
|
94
|
+
### 4. Timestamp Disclosure
|
|
95
|
+
|
|
96
|
+
**Alert:** Unix timestamps found in response
|
|
97
|
+
|
|
98
|
+
**False Positive Scenario:**
|
|
99
|
+
- Legitimate timestamp fields in API responses
|
|
100
|
+
- Non-sensitive metadata
|
|
101
|
+
- Public timestamps (post dates, etc.)
|
|
102
|
+
|
|
103
|
+
**Verification:**
|
|
104
|
+
```json
|
|
105
|
+
{
|
|
106
|
+
"created_at": 1640995200, // Legitimate field
|
|
107
|
+
"post_date": "2022-01-01"
|
|
108
|
+
}
|
|
109
|
+
```
|
|
110
|
+
|
|
111
|
+
**When to Suppress:**
|
|
112
|
+
- API responses with datetime fields
|
|
113
|
+
- Public-facing timestamps
|
|
114
|
+
- Non-sensitive metadata
|
|
115
|
+
|
|
116
|
+
**Suppression Rule:**
|
|
117
|
+
```tsv
|
|
118
|
+
10096 https://api.example.com/.* created_at|updated_at 200 IGNORE
|
|
119
|
+
```
|
|
120
|
+
|
|
121
|
+
### 5. Server Version Disclosure
|
|
122
|
+
|
|
123
|
+
**Alert:** Server version exposed in headers
|
|
124
|
+
|
|
125
|
+
**False Positive Scenario:**
|
|
126
|
+
- Behind WAF/load balancer (version is of proxy, not app server)
|
|
127
|
+
- Generic server headers
|
|
128
|
+
- Already public knowledge
|
|
129
|
+
|
|
130
|
+
**Verification:**
|
|
131
|
+
```bash
|
|
132
|
+
curl -I https://example.com | grep Server
|
|
133
|
+
# Check if version matches actual server
|
|
134
|
+
```
|
|
135
|
+
|
|
136
|
+
**When to Suppress:**
|
|
137
|
+
- Proxy/WAF version (not actual app server)
|
|
138
|
+
- Generic headers without version numbers
|
|
139
|
+
- When other compensating controls exist
|
|
140
|
+
|
|
141
|
+
**Suppression Rule:**
|
|
142
|
+
```tsv
|
|
143
|
+
10036 https://example.com.* .* 200 WARN
|
|
144
|
+
```
|
|
145
|
+
|
|
146
|
+
## Verification Methodology
|
|
147
|
+
|
|
148
|
+
### Step 1: Understand the Alert
|
|
149
|
+
|
|
150
|
+
Review ZAP alert details:
|
|
151
|
+
- **Description:** What is the potential vulnerability?
|
|
152
|
+
- **Evidence:** What triggered the alert?
|
|
153
|
+
- **CWE/OWASP Mapping:** What category does it fall under?
|
|
154
|
+
- **Risk Level:** How severe is it?
|
|
155
|
+
|
|
156
|
+
### Step 2: Reproduce Manually
|
|
157
|
+
|
|
158
|
+
Attempt to exploit the vulnerability:
|
|
159
|
+
|
|
160
|
+
```bash
|
|
161
|
+
# For XSS alerts
|
|
162
|
+
curl "https://example.com/search?q=<script>alert(1)</script>"
|
|
163
|
+
# Check if script is reflected unencoded
|
|
164
|
+
|
|
165
|
+
# For SQL injection alerts
|
|
166
|
+
curl "https://example.com/api/user?id=1' OR '1'='1"
|
|
167
|
+
# Check for SQL errors or unexpected behavior
|
|
168
|
+
|
|
169
|
+
# For path traversal alerts
|
|
170
|
+
curl "https://example.com/download?file=../../etc/passwd"
|
|
171
|
+
# Check if file is accessible
|
|
172
|
+
```
|
|
173
|
+
|
|
174
|
+
### Step 3: Check Context
|
|
175
|
+
|
|
176
|
+
Consider the application context:
|
|
177
|
+
- Is the functionality available to unauthenticated users?
|
|
178
|
+
- Does it handle sensitive data?
|
|
179
|
+
- Are there compensating controls (WAF, input validation)?
|
|
180
|
+
|
|
181
|
+
### Step 4: Document Decision
|
|
182
|
+
|
|
183
|
+
Create documentation for suppression decisions:
|
|
184
|
+
|
|
185
|
+
```markdown
|
|
186
|
+
## Alert: SQL Injection in /api/user
|
|
187
|
+
|
|
188
|
+
**Decision:** False Positive
|
|
189
|
+
|
|
190
|
+
**Rationale:**
|
|
191
|
+
- Endpoint requires authentication
|
|
192
|
+
- Input is validated server-side (allowlist: 0-9 only)
|
|
193
|
+
- WAF rule blocks SQL injection patterns
|
|
194
|
+
- Manual testing confirmed no injection possible
|
|
195
|
+
|
|
196
|
+
**Suppressed:** Yes (Rule ID 40018, /api/user endpoint)
|
|
197
|
+
|
|
198
|
+
**Reviewed by:** security-team@example.com
|
|
199
|
+
**Date:** 2024-01-15
|
|
200
|
+
```
|
|
201
|
+
|
|
202
|
+
## Creating Suppression Rules
|
|
203
|
+
|
|
204
|
+
### Rules File Format
|
|
205
|
+
|
|
206
|
+
ZAP uses TSV (tab-separated values) format:
|
|
207
|
+
|
|
208
|
+
```
|
|
209
|
+
alert_id URL_pattern parameter CWE_id action
|
|
210
|
+
```
|
|
211
|
+
|
|
212
|
+
- **alert_id:** ZAP alert ID (e.g., 40018 for SQL Injection)
|
|
213
|
+
- **URL_pattern:** Regex pattern for URL
|
|
214
|
+
- **parameter:** Parameter name (or .* for all)
|
|
215
|
+
- **CWE_id:** CWE identifier
|
|
216
|
+
- **action:** IGNORE, WARN, or FAIL
|
|
217
|
+
|
|
218
|
+
### Example Rules File
|
|
219
|
+
|
|
220
|
+
`.zap/rules.tsv`:
|
|
221
|
+
|
|
222
|
+
```tsv
|
|
223
|
+
# Suppress X-Content-Type-Options for CDN static content
|
|
224
|
+
10021 https://cdn.example.com/static/.* .* 693 IGNORE
|
|
225
|
+
|
|
226
|
+
# Warn (don't fail) on analytics cookies without Secure flag
|
|
227
|
+
10054 https://example.com/.* _ga|_gid 614 WARN
|
|
228
|
+
|
|
229
|
+
# Ignore timestamp disclosure in API responses
|
|
230
|
+
10096 https://api.example.com/.* .* 200 IGNORE
|
|
231
|
+
|
|
232
|
+
# Ignore legitimate external JavaScript (with SRI)
|
|
233
|
+
10017 https://example.com/.* https://cdn.jsdelivr.net/.* 829 IGNORE
|
|
234
|
+
|
|
235
|
+
# Suppress CSRF warnings for stateless API
|
|
236
|
+
10202 https://api.example.com/.* .* 352 IGNORE
|
|
237
|
+
```
|
|
238
|
+
|
|
239
|
+
### Using Rules File
|
|
240
|
+
|
|
241
|
+
```bash
|
|
242
|
+
# Baseline scan with rules
|
|
243
|
+
docker run -t zaproxy/zap-stable zap-baseline.py \
|
|
244
|
+
-t https://example.com \
|
|
245
|
+
-c .zap/rules.tsv \
|
|
246
|
+
-r report.html
|
|
247
|
+
|
|
248
|
+
# Full scan with rules
|
|
249
|
+
docker run -v $(pwd):/zap/wrk/:rw -t zaproxy/zap-stable zap-full-scan.py \
|
|
250
|
+
-t https://example.com \
|
|
251
|
+
-c /zap/wrk/.zap/rules.tsv \
|
|
252
|
+
-r /zap/wrk/report.html
|
|
253
|
+
```
|
|
254
|
+
|
|
255
|
+
## Custom Scan Policies
|
|
256
|
+
|
|
257
|
+
### Disable Entire Scan Rules
|
|
258
|
+
|
|
259
|
+
Create custom scan policy to disable problematic rules:
|
|
260
|
+
|
|
261
|
+
1. **Via ZAP GUI:**
|
|
262
|
+
- Analyze > Scan Policy Manager
|
|
263
|
+
- Create new policy
|
|
264
|
+
- Disable specific rules
|
|
265
|
+
- Export policy file
|
|
266
|
+
|
|
267
|
+
2. **Via Automation Framework:**
|
|
268
|
+
|
|
269
|
+
```yaml
|
|
270
|
+
# zap_automation.yaml
|
|
271
|
+
jobs:
|
|
272
|
+
- type: activeScan
|
|
273
|
+
parameters:
|
|
274
|
+
policy: Custom-Policy
|
|
275
|
+
rules:
|
|
276
|
+
- id: 40018 # SQL Injection
|
|
277
|
+
threshold: MEDIUM
|
|
278
|
+
strength: HIGH
|
|
279
|
+
- id: 10202 # CSRF
|
|
280
|
+
threshold: OFF # Disable completely
|
|
281
|
+
```
|
|
282
|
+
|
|
283
|
+
## Handling Different Alert Types
|
|
284
|
+
|
|
285
|
+
### High-Risk Alerts (Never Suppress Without Verification)
|
|
286
|
+
|
|
287
|
+
- SQL Injection
|
|
288
|
+
- Command Injection
|
|
289
|
+
- Remote Code Execution
|
|
290
|
+
- Authentication Bypass
|
|
291
|
+
- Server-Side Request Forgery (SSRF)
|
|
292
|
+
|
|
293
|
+
**Process:**
|
|
294
|
+
1. Manual verification required
|
|
295
|
+
2. Security team review
|
|
296
|
+
3. Document compensating controls
|
|
297
|
+
4. Re-test after fixes
|
|
298
|
+
|
|
299
|
+
### Medium-Risk Alerts (Contextual Suppression)
|
|
300
|
+
|
|
301
|
+
- XSS (if output is properly encoded)
|
|
302
|
+
- CSRF (if tokens are implemented)
|
|
303
|
+
- Missing headers (if compensating controls exist)
|
|
304
|
+
|
|
305
|
+
**Process:**
|
|
306
|
+
1. Verify finding
|
|
307
|
+
2. Check for compensating controls
|
|
308
|
+
3. Document decision
|
|
309
|
+
4. Suppress with WARN (not IGNORE)
|
|
310
|
+
|
|
311
|
+
### Low-Risk Alerts (Can Be Suppressed)
|
|
312
|
+
|
|
313
|
+
- Informational headers
|
|
314
|
+
- Timestamp disclosure
|
|
315
|
+
- Technology fingerprinting
|
|
316
|
+
|
|
317
|
+
**Process:**
|
|
318
|
+
1. Quick verification
|
|
319
|
+
2. Document reason
|
|
320
|
+
3. Suppress with IGNORE
|
|
321
|
+
|
|
322
|
+
## Quality Assurance
|
|
323
|
+
|
|
324
|
+
### Review Suppression Rules Regularly
|
|
325
|
+
|
|
326
|
+
```bash
|
|
327
|
+
# Monthly review checklist
|
|
328
|
+
- [ ] Review all suppression rules for continued relevance
|
|
329
|
+
- [ ] Check if suppressed issues have been fixed
|
|
330
|
+
- [ ] Verify compensating controls are still in place
|
|
331
|
+
- [ ] Update rules file with new false positives
|
|
332
|
+
```
|
|
333
|
+
|
|
334
|
+
### Track Suppression Metrics
|
|
335
|
+
|
|
336
|
+
Monitor suppression trends:
|
|
337
|
+
|
|
338
|
+
```bash
|
|
339
|
+
# Count suppressions by alert type
|
|
340
|
+
grep -v '^#' .zap/rules.tsv | awk '{print $1}' | sort | uniq -c
|
|
341
|
+
|
|
342
|
+
# Alert if suppression count increases significantly
|
|
343
|
+
```
|
|
344
|
+
|
|
345
|
+
### Peer Review Process
|
|
346
|
+
|
|
347
|
+
Require security team approval for suppressing high-risk alerts:
|
|
348
|
+
|
|
349
|
+
```yaml
|
|
350
|
+
# .github/workflows/security-review.yml
|
|
351
|
+
- name: Check for new suppressions
|
|
352
|
+
run: |
|
|
353
|
+
git diff origin/main .zap/rules.tsv > suppressions.diff
|
|
354
|
+
if [ -s suppressions.diff ]; then
|
|
355
|
+
echo "New suppressions require security team review"
|
|
356
|
+
# Notify security team
|
|
357
|
+
fi
|
|
358
|
+
```
|
|
359
|
+
|
|
360
|
+
## Anti-Patterns to Avoid
|
|
361
|
+
|
|
362
|
+
### ❌ Don't Suppress Everything
|
|
363
|
+
|
|
364
|
+
Never create blanket suppression rules:
|
|
365
|
+
|
|
366
|
+
```tsv
|
|
367
|
+
# BAD: Suppresses all XSS findings
|
|
368
|
+
40012 .* .* 79 IGNORE
|
|
369
|
+
```
|
|
370
|
+
|
|
371
|
+
### ❌ Don't Suppress Without Documentation
|
|
372
|
+
|
|
373
|
+
Always document why a finding is suppressed:
|
|
374
|
+
|
|
375
|
+
```tsv
|
|
376
|
+
# BAD: No context
|
|
377
|
+
10054 https://example.com/.* session_id 614 IGNORE
|
|
378
|
+
|
|
379
|
+
# GOOD: Documented reason
|
|
380
|
+
# Session cookie is HTTPS-only in production; suppressing for staging environment
|
|
381
|
+
10054 https://staging.example.com/.* session_id 614 IGNORE
|
|
382
|
+
```
|
|
383
|
+
|
|
384
|
+
### ❌ Don't Ignore High-Risk Findings
|
|
385
|
+
|
|
386
|
+
Never suppress critical vulnerabilities without thorough investigation:
|
|
387
|
+
|
|
388
|
+
```tsv
|
|
389
|
+
# DANGEROUS: Never suppress SQL injection without verification
|
|
390
|
+
40018 https://example.com/.* .* 89 IGNORE
|
|
391
|
+
```
|
|
392
|
+
|
|
393
|
+
## Tools and Scripts
|
|
394
|
+
|
|
395
|
+
### Analyze ZAP JSON Report
|
|
396
|
+
|
|
397
|
+
```python
|
|
398
|
+
#!/usr/bin/env python3
|
|
399
|
+
import json
|
|
400
|
+
import sys
|
|
401
|
+
|
|
402
|
+
with open('report.json') as f:
|
|
403
|
+
report = json.load(f)
|
|
404
|
+
|
|
405
|
+
false_positives = []
|
|
406
|
+
for site in report['site']:
|
|
407
|
+
for alert in site['alerts']:
|
|
408
|
+
if alert['risk'] in ['High', 'Medium']:
|
|
409
|
+
print(f"{alert['alert']} - {alert['risk']}")
|
|
410
|
+
print(f" URL: {alert['url']}")
|
|
411
|
+
print(f" Evidence: {alert.get('evidence', 'N/A')}")
|
|
412
|
+
print()
|
|
413
|
+
```
|
|
414
|
+
|
|
415
|
+
### Generate Suppression Rules Template
|
|
416
|
+
|
|
417
|
+
```bash
|
|
418
|
+
# Extract unique alert IDs from report
|
|
419
|
+
jq -r '.site[].alerts[] | "\(.pluginid)\t\(.url)\t.*\t\(.cweid)\tWARN"' report.json \
|
|
420
|
+
| sort -u > rules-template.tsv
|
|
421
|
+
```
|
|
422
|
+
|
|
423
|
+
## Additional Resources
|
|
424
|
+
|
|
425
|
+
- [ZAP Alert Details](https://www.zaproxy.org/docs/alerts/)
|
|
426
|
+
- [ZAP Scan Rules](https://www.zaproxy.org/docs/docker/baseline-scan/)
|
|
427
|
+
- [OWASP Testing Guide](https://owasp.org/www-project-web-security-testing-guide/)
|
|
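Review bot: the rules-file format documented under "Rules File Format" (`alert_id URL_pattern parameter CWE_id action`) is not what `zap-baseline.py -c` and `zap-full-scan.py -c` actually parse. Those scripts read one rule per line as `<plugin id>` TAB `IGNORE|WARN|FAIL` TAB `<optional comment>`, and the only URL scoping they support is a separate line of the form `<plugin id>` TAB `OUTOFSCOPE` TAB `<url regex>`; there is no parameter or CWE column, so none of the example rules in this file (for instance `10021 https://cdn.example.com/.* .* 693 IGNORE`) will be applied as described, and the `jq` one-liner under "Generate Suppression Rules Template" emits the same unusable shape. Suggest rewriting the examples to the two supported forms, e.g. `10021	WARN	(X-Content-Type-Options; CDN static content excluded below)` followed by `10021	OUTOFSCOPE	https://cdn.example.com/.*`, which keeps the rule active for the application while suppressing it for the CDN, and moving the CWE id and parameter name into the comment column for documentation. Two smaller points: plugin 10054 is ZAP's "Cookie without SameSite Attribute" rule, whereas "Cookie Without Secure Flag" is 10011, so the three 10054 rules in this file suppress a different alert than their comments claim; and in the "Analyze ZAP JSON Report" script `import sys` and `false_positives = []` are unused, so either read the report path from `sys.argv[1]` or drop both.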
@@ -0,0 +1,255 @@
|
|
|
1
|
+
# OWASP ZAP Alert Mapping to OWASP Top 10 2021 and CWE
|
|
2
|
+
|
|
3
|
+
This reference maps common OWASP ZAP alerts to OWASP Top 10 2021 categories and CWE (Common Weakness Enumeration) identifiers for compliance and reporting.
|
|
4
|
+
|
|
5
|
+
## OWASP Top 10 2021 Coverage
|
|
6
|
+
|
|
7
|
+
### A01:2021 - Broken Access Control
|
|
8
|
+
|
|
9
|
+
**ZAP Alerts:**
|
|
10
|
+
- Path Traversal (CWE-22)
|
|
11
|
+
- Directory Browsing (CWE-548)
|
|
12
|
+
- Cross-Domain Misconfiguration (CWE-346)
|
|
13
|
+
- Bypassing Access Controls (CWE-284)
|
|
14
|
+
|
|
15
|
+
**Risk Level:** High to Medium
|
|
16
|
+
|
|
17
|
+
**Remediation:**
|
|
18
|
+
- Implement proper access control checks on server-side
|
|
19
|
+
- Use allowlists for file access patterns
|
|
20
|
+
- Disable directory listing
|
|
21
|
+
- Enforce CORS policies strictly
|
|
22
|
+
|
|
23
|
+
### A02:2021 - Cryptographic Failures
|
|
24
|
+
|
|
25
|
+
**ZAP Alerts:**
|
|
26
|
+
- Weak SSL/TLS Ciphers (CWE-327)
|
|
27
|
+
- Cookie Without Secure Flag (CWE-614)
|
|
28
|
+
- Password Autocomplete (CWE-522)
|
|
29
|
+
- Sensitive Information in URL (CWE-598)
|
|
30
|
+
|
|
31
|
+
**Risk Level:** High to Medium
|
|
32
|
+
|
|
33
|
+
**Remediation:**
|
|
34
|
+
- Use TLS 1.2+ with strong cipher suites
|
|
35
|
+
- Set Secure and HttpOnly flags on all cookies
|
|
36
|
+
- Disable autocomplete for sensitive fields
|
|
37
|
+
- Never transmit sensitive data in URLs
|
|
38
|
+
|
|
39
|
+
### A03:2021 - Injection
|
|
40
|
+
|
|
41
|
+
**ZAP Alerts:**
|
|
42
|
+
- SQL Injection (CWE-89)
|
|
43
|
+
- Cross-Site Scripting (XSS) (CWE-79)
|
|
44
|
+
- Command Injection (CWE-78)
|
|
45
|
+
- LDAP Injection (CWE-90)
|
|
46
|
+
- XML Injection (CWE-91)
|
|
47
|
+
- XPath Injection (CWE-643)
|
|
48
|
+
|
|
49
|
+
**Risk Level:** High
|
|
50
|
+
|
|
51
|
+
**Remediation:**
|
|
52
|
+
- Use parameterized queries (prepared statements)
|
|
53
|
+
- Implement context-aware output encoding
|
|
54
|
+
- Validate and sanitize all user input
|
|
55
|
+
- Use allowlists for input validation
|
|
56
|
+
- Implement Content Security Policy (CSP)
|
|
57
|
+
|
|
58
|
+
### A04:2021 - Insecure Design
|
|
59
|
+
|
|
60
|
+
**ZAP Alerts:**
|
|
61
|
+
- Application Error Disclosure (CWE-209)
|
|
62
|
+
- Insufficient Anti-automation (CWE-799)
|
|
63
|
+
- Missing Rate Limiting
|
|
64
|
+
|
|
65
|
+
**Risk Level:** Medium to Low
|
|
66
|
+
|
|
67
|
+
**Remediation:**
|
|
68
|
+
- Implement proper error handling (generic error messages)
|
|
69
|
+
- Add CAPTCHA or rate limiting for sensitive operations
|
|
70
|
+
- Design security controls during architecture phase
|
|
71
|
+
- Implement anti-automation measures
|
|
72
|
+
|
|
73
|
+
### A05:2021 - Security Misconfiguration
|
|
74
|
+
|
|
75
|
+
**ZAP Alerts:**
|
|
76
|
+
- Missing Security Headers (CWE-693)
|
|
77
|
+
- X-Content-Type-Options
|
|
78
|
+
- X-Frame-Options (CWE-1021)
|
|
79
|
+
- Content-Security-Policy
|
|
80
|
+
- Strict-Transport-Security (HSTS)
|
|
81
|
+
- Server Leaks Information (CWE-200)
|
|
82
|
+
- Default Credentials
|
|
83
|
+
- Unnecessary HTTP Methods Enabled (CWE-650)
|
|
84
|
+
|
|
85
|
+
**Risk Level:** Medium to Low
|
|
86
|
+
|
|
87
|
+
**Remediation:**
|
|
88
|
+
- Configure all security headers properly
|
|
89
|
+
- Remove server version headers
|
|
90
|
+
- Disable unnecessary HTTP methods (PUT, DELETE, TRACE)
|
|
91
|
+
- Change default credentials
|
|
92
|
+
- Implement minimal privilege principle
|
|
93
|
+
|
|
94
|
+
### A06:2021 - Vulnerable and Outdated Components
|
|
95
|
+
|
|
96
|
+
**ZAP Alerts:**
|
|
97
|
+
- Outdated Software Version Detected
|
|
98
|
+
- Known Vulnerable Components (requires integration with CVE databases)
|
|
99
|
+
|
|
100
|
+
**Risk Level:** High to Medium
|
|
101
|
+
|
|
102
|
+
**Remediation:**
|
|
103
|
+
- Maintain software inventory
|
|
104
|
+
- Regularly update dependencies and libraries
|
|
105
|
+
- Subscribe to security advisories
|
|
106
|
+
- Use dependency scanning tools (OWASP Dependency-Check, Snyk)
|
|
107
|
+
|
|
108
|
+
### A07:2021 - Identification and Authentication Failures
|
|
109
|
+
|
|
110
|
+
**ZAP Alerts:**
|
|
111
|
+
- Weak Authentication (CWE-287)
|
|
112
|
+
- Session Fixation (CWE-384)
|
|
113
|
+
- Session ID in URL Rewrite (CWE-598)
|
|
114
|
+
- Cookie No HttpOnly Flag (CWE-1004)
|
|
115
|
+
- Credential Enumeration (CWE-209)
|
|
116
|
+
|
|
117
|
+
**Risk Level:** High
|
|
118
|
+
|
|
119
|
+
**Remediation:**
|
|
120
|
+
- Implement multi-factor authentication (MFA)
|
|
121
|
+
- Use secure session management
|
|
122
|
+
- Regenerate session IDs after login
|
|
123
|
+
- Set HttpOnly and Secure flags on session cookies
|
|
124
|
+
- Implement account lockout mechanisms
|
|
125
|
+
- Use generic error messages for authentication failures
|
|
126
|
+
|
|
127
|
+
### A08:2021 - Software and Data Integrity Failures
|
|
128
|
+
|
|
129
|
+
**ZAP Alerts:**
|
|
130
|
+
- Missing Subresource Integrity (SRI) (CWE-353)
|
|
131
|
+
- Insecure Deserialization (CWE-502)
|
|
132
|
+
|
|
133
|
+
**Risk Level:** High to Medium
|
|
134
|
+
|
|
135
|
+
**Remediation:**
|
|
136
|
+
- Implement Subresource Integrity for CDN resources
|
|
137
|
+
- Avoid deserializing untrusted data
|
|
138
|
+
- Use digital signatures for critical data
|
|
139
|
+
- Implement integrity checks
|
|
140
|
+
|
|
141
|
+
### A09:2021 - Security Logging and Monitoring Failures
|
|
142
|
+
|
|
143
|
+
**ZAP Alerts:**
|
|
144
|
+
- Authentication attempts not logged
|
|
145
|
+
- No monitoring of security events
|
|
146
|
+
|
|
147
|
+
**Risk Level:** Low (detection issue, not vulnerability)
|
|
148
|
+
|
|
149
|
+
**Remediation:**
|
|
150
|
+
- Log all authentication attempts
|
|
151
|
+
- Monitor for security anomalies
|
|
152
|
+
- Implement centralized logging
|
|
153
|
+
- Set up alerts for suspicious activities
|
|
154
|
+
|
|
155
|
+
### A10:2021 - Server-Side Request Forgery (SSRF)
|
|
156
|
+
|
|
157
|
+
**ZAP Alerts:**
|
|
158
|
+
- Server-Side Request Forgery (CWE-918)
|
|
159
|
+
- External Redirect (CWE-601)
|
|
160
|
+
|
|
161
|
+
**Risk Level:** High
|
|
162
|
+
|
|
163
|
+
**Remediation:**
|
|
164
|
+
- Validate and sanitize all URLs
|
|
165
|
+
- Use allowlists for allowed domains
|
|
166
|
+
- Disable unnecessary URL schemas (file://, gopher://)
|
|
167
|
+
- Implement network segmentation
|
|
168
|
+
|
|
169
|
+
## ZAP Alert ID to OWASP/CWE Quick Reference
|
|
170
|
+
|
|
171
|
+
| Alert ID | Alert Name | OWASP 2021 | CWE | Risk |
|
|
172
|
+
|----------|-----------|------------|-----|------|
|
|
173
|
+
| 40018 | SQL Injection | A03 | CWE-89 | High |
|
|
174
|
+
| 40012 | Cross-Site Scripting (Reflected) | A03 | CWE-79 | High |
|
|
175
|
+
| 40014 | Cross-Site Scripting (Persistent) | A03 | CWE-79 | High |
|
|
176
|
+
| 40013 | Cross-Site Scripting (DOM) | A03 | CWE-79 | High |
|
|
177
|
+
| 6 | Path Traversal | A01 | CWE-22 | High |
|
|
178
|
+
| 7 | Remote File Inclusion | A01 | CWE-98 | High |
|
|
179
|
+
| 90019 | Server-Side Code Injection | A03 | CWE-94 | High |
|
|
180
|
+
| 90020 | Remote OS Command Injection | A03 | CWE-78 | High |
|
|
181
|
+
| 90033 | Loosely Scoped Cookie | A07 | CWE-565 | Medium |
|
|
182
|
+
| 10021 | X-Content-Type-Options Missing | A05 | CWE-693 | Low |
|
|
183
|
+
| 10020 | X-Frame-Options Missing | A05 | CWE-1021 | Medium |
|
|
184
|
+
| 10038 | Content Security Policy Missing | A05 | CWE-693 | Medium |
|
|
185
|
+
| 10035 | Strict-Transport-Security Missing | A05 | CWE-319 | Low |
|
|
186
|
+
| 10054 | Cookie Without Secure Flag | A02 | CWE-614 | Medium |
|
|
187
|
+
| 10010 | Cookie No HttpOnly Flag | A07 | CWE-1004 | Medium |
|
|
188
|
+
| 10098 | Cross-Domain Misconfiguration | A01 | CWE-346 | Medium |
|
|
189
|
+
| 10055 | CSP Scanner: Wildcard Directive | A05 | CWE-693 | Medium |
|
|
190
|
+
| 10096 | Timestamp Disclosure | A05 | CWE-200 | Low |
|
|
191
|
+
| 10049 | Weak Authentication Method | A07 | CWE-287 | Medium |
|
|
192
|
+
| 40029 | Server-Side Request Forgery | A10 | CWE-918 | High |
|
|
193
|
+
|
|
194
|
+
## Risk Level Priority Matrix
|
|
195
|
+
|
|
196
|
+
### High Risk (Immediate Action Required)
|
|
197
|
+
- SQL Injection
|
|
198
|
+
- Remote Code Execution
|
|
199
|
+
- Authentication Bypass
|
|
200
|
+
- SSRF
|
|
201
|
+
- XXE (XML External Entity)
|
|
202
|
+
|
|
203
|
+
### Medium Risk (Fix in Current Sprint)
|
|
204
|
+
- XSS (Cross-Site Scripting)
|
|
205
|
+
- CSRF (Cross-Site Request Forgery)
|
|
206
|
+
- Missing Security Headers (CSP, X-Frame-Options)
|
|
207
|
+
- Insecure Cookie Configuration
|
|
208
|
+
- Path Traversal (with limited impact)
|
|
209
|
+
|
|
210
|
+
### Low Risk (Fix in Backlog)
|
|
211
|
+
- Information Disclosure (version headers)
|
|
212
|
+
- Missing Informational Headers
|
|
213
|
+
- Timestamp Disclosure
|
|
214
|
+
- Autocomplete on Form Fields
|
|
215
|
+
|
|
216
|
+
### Informational (Documentation/Awareness)
|
|
217
|
+
- Server Technology Disclosure
|
|
218
|
+
- Application Error Messages
|
|
219
|
+
- Charset Mismatch
|
|
220
|
+
|
|
221
|
+
## Compliance Mapping
|
|
222
|
+
|
|
223
|
+
### PCI-DSS 3.2.1
|
|
224
|
+
- **Requirement 6.5.1** (Injection): SQL Injection, Command Injection, XSS
|
|
225
|
+
- **Requirement 6.5.3** (Insecure Cryptography): Weak SSL/TLS, Insecure Cookies
|
|
226
|
+
- **Requirement 6.5.7** (XSS): All XSS variants
|
|
227
|
+
- **Requirement 6.5.8** (Access Control): Path Traversal, Broken Access Control
|
|
228
|
+
- **Requirement 6.5.10** (Authentication): Weak Authentication, Session Management
|
|
229
|
+
|
|
230
|
+
### NIST 800-53
|
|
231
|
+
- **AC-3** (Access Enforcement): Path Traversal, Authorization Issues
|
|
232
|
+
- **IA-5** (Authenticator Management): Weak Authentication
|
|
233
|
+
- **SC-8** (Transmission Confidentiality): Missing HTTPS, Weak TLS
|
|
234
|
+
- **SI-10** (Information Input Validation): All Injection Flaws
|
|
235
|
+
|
|
236
|
+
### GDPR
|
|
237
|
+
- **Article 32** (Security of Processing): All High/Medium findings affecting data security
|
|
238
|
+
- **Article 25** (Data Protection by Design): Security Misconfigurations
|
|
239
|
+
|
|
240
|
+
## Usage in Reports
|
|
241
|
+
|
|
242
|
+
When generating compliance reports, reference this mapping to:
|
|
243
|
+
|
|
244
|
+
1. **Categorize findings** by OWASP Top 10 category
|
|
245
|
+
2. **Assign CWE IDs** for standardized vulnerability classification
|
|
246
|
+
3. **Map to compliance requirements** for audit trails
|
|
247
|
+
4. **Prioritize remediation** based on risk level and compliance impact
|
|
248
|
+
5. **Track metrics** by OWASP category over time
|
|
249
|
+
|
|
250
|
+
## Additional Resources
|
|
251
|
+
|
|
252
|
+
- [OWASP Top 10 2021](https://owasp.org/Top10/)
|
|
253
|
+
- [CWE Top 25](https://cwe.mitre.org/top25/)
|
|
254
|
+
- [ZAP Alert Details](https://www.zaproxy.org/docs/alerts/)
|
|
255
|
+
- [OWASP Testing Guide](https://owasp.org/www-project-web-security-testing-guide/)
|
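Review bot: several rows of the "ZAP Alert ID to OWASP/CWE Quick Reference" table do not match ZAP's own alert ids: 10054 is "Cookie without SameSite Attribute", while "Cookie Without Secure Flag" is 10011, and 40013 is "Session Fixation" (CWE-384), while DOM-based XSS is 40026. Because readers will copy these ids into suppression rules and scan policies, every row should be checked against the linked alert pages (https://www.zaproxy.org/docs/alerts/) and the table should use the same ids as the false-positive guide. Under A09:2021 the two listed "ZAP Alerts" ("Authentication attempts not logged", "No monitoring of security events") are not ZAP alerts at all; a black-box scanner cannot observe server-side logging, so the section should state that A09 is outside DAST coverage and is handled by log and monitoring review rather than presenting these as scanner findings. Also, the "Compliance Mapping" section cites PCI-DSS 3.2.1, which was retired in March 2024; the heading and requirement numbers should be updated to PCI DSS v4.0, where the injection, XSS and access-control items fall under requirement 6.2.4.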