Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

OWASP ZAP -> ZAP #2103

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion CONTRIBUTING.md
Original file line number Diff line number Diff line change
Expand Up @@ -606,7 +606,7 @@ Here are some other tools we sometimes use for checking quality or security,
though they are not currently integrated
into the default "rake" checking task:

* OWASP ZAP web application security scanner.
* ZAP web application security scanner.
You are encouraged to use this and other web application scanners to find and
fix problems.
* Google Chrome auditor. View a web page, then select menu / more tools /
Expand Down
2 changes: 1 addition & 1 deletion app/views/static_pages/home.html.erb
Original file line number Diff line number Diff line change
Expand Up @@ -96,7 +96,7 @@
alt: 'GnuPG', title: 'GnuPG' %></a>
<a href="<%= projects_dir %>/24" class="earner-logo">
<%= image_tag 'project-logos/ZAP.png', width: 48, height: 48,
alt: 'OWASP ZAP', title: 'OWASP ZAP' %></a>
alt: 'ZAP', title: 'ZAP' %></a>
<a href="<%= projects_dir %>/249" class="earner-logo">
<%= image_tag 'project-logos/gnu.png', width: 50, height: 48,
alt: 'GNU Make', title: 'GNU Make' %><span
Expand Down
4 changes: 2 additions & 2 deletions config/locales/translation.ja.yml
Original file line number Diff line number Diff line change
Expand Up @@ -1037,7 +1037,7 @@ ja:
動的解析ツールは、ソフトウェアを特定の入力で実行して検査します。たとえば、プロジェクトは、ファジングツール(<a
href="http://lcamtuf.coredump.cx/afl/">アメリカンファジーロップ</a>など)やウェブ
アプリケーション スキャナ(例:<a href="https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project">
OWASP ZAP </a>または<a href="https://w3af.org/"> w3af </a>)です。場合によっては、<a
ZAP </a>または<a href="https://w3af.org/"> w3af </a>)です。場合によっては、<a
href="https://github.com/google/oss-fuzz#introduction">
OSS-Fuzz </a>プロジェクトがプロジェクトにファズテストを適用する可能性があります。この基準のために、動的分析ツールは、様々な種類の問題を探すために何らかの方法で入力を変更するか<em>または</em>少なくとも80%のブランチ
カバレッジを持つ自動テスト スイートである必要があります。 <a href="https://en.wikipedia.org/wiki/Dynamic_program_analysis">動的解析に関するWikipediaのページ</a>と<a
Expand Down Expand Up @@ -1811,4 +1811,4 @@ ja:
</ol>
self_certification_p01_html: <h3 id="criteria_self_certification">なぜ自己認証なのか?</h3>
self_certification_p02_html: >-
<p> 私たちが自己認証を採用した理由は、多くのプロジェクト(小さなプロジェクトであっても)が参加できるようにするためです。何百万ものFLOSSプロジェクトがあり、サードパーティにお金を払って個々に評価することはできません。プロジェクトが虚偽の主張をするリスクはありますが、そのリスクは小さく、ユーザーが自分で主張を確認でき、虚偽の主張を無効にすることができます。また、自動化を使用して虚偽の主張を無効にできるため、結果に自信を持つことができます。</p>
<p> 私たちが自己認証を採用した理由は、多くのプロジェクト(小さなプロジェクトであっても)が参加できるようにするためです。何百万ものFLOSSプロジェクトがあり、サードパーティにお金を払って個々に評価することはできません。プロジェクトが虚偽の主張をするリスクはありますが、そのリスクは小さく、ユーザーが自分で主張を確認でき、虚偽の主張を無効にすることができます。また、自動化を使用して虚偽の主張を無効にできるため、結果に自信を持つことができます。</p>
4 changes: 2 additions & 2 deletions config/locales/translation.zh-CN.yml
Original file line number Diff line number Diff line change
Expand Up @@ -883,7 +883,7 @@ zh-CN:
details: >-
动态分析工具通过执行特定输入来检查软件。例如,项目可以使用模糊工具(例如,<a href="http://lcamtuf.coredump.cx/afl/">
American Fuzzy Lop </a>)或Web应用扫描程序(例如,<a href ="https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project">
OWASP ZAP </a>或<a href="http://w3af.org/"> w3af </a>)。在某些情况下,<a
ZAP </a>或<a href="http://w3af.org/"> w3af </a>)。在某些情况下,<a
href="https://github.com/google/oss-fuzz#introduction">
OSS-Fuzz </a>项目可以对您的项目应用模糊测试。为满足此条款,动态分析工具需要以某种方式改变输入,以寻找各种问题,或者将其作为一个具有至少80%分支覆盖率的自动测试套件。
<a href="https://en.wikipedia.org/wiki/Dynamic_program_analysis">动态分析维基百科页面</a>和<a
Expand Down Expand Up @@ -1485,4 +1485,4 @@ zh-CN:
criteria_why_p04_html:
criteria_why_p05_html:
self_certification_p01_html: <h3 id="criteria_self_certification">为什么要自我认证?</h3>
self_certification_p02_html:
self_certification_p02_html:
2 changes: 1 addition & 1 deletion criteria/criteria.yml
Original file line number Diff line number Diff line change
Expand Up @@ -1396,7 +1396,7 @@
more contributors have an increased likelihood of continuing.
<a href="http://www.alluxio.org/docs/master/en/Contributing-to-Alluxio.html">Alluxio uses SMALLFIX</a>
and
<a href="https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug">OWASP ZAP uses IdealFirstBug</a>.
<a href="https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug">ZAP uses IdealFirstBug</a>.
This is related to criterion installation_development_quick.
- require_2FA:
category: MUST
Expand Down
2 changes: 1 addition & 1 deletion docs/criteria.md
Original file line number Diff line number Diff line change
Expand Up @@ -456,7 +456,7 @@ There is an implied criterion that we should mention here:

<ul>

<li><a name="dynamic_analysis"></a>It is SUGGESTED that at least one dynamic analysis tool be applied to any proposed major production release of the software before its release. <sup>[<a href="#dynamic_analysis">dynamic_analysis</a>]</sup><dl><dt><i>Details</i>:<dt> <dd>A dynamic analysis tool examines the software by executing it with specific inputs. For example, the project MAY use a fuzzing tool (e.g., <a href="http://lcamtuf.coredump.cx/afl/">American Fuzzy Lop</a>) or a web application scanner (e.g., <a href="https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project">OWASP ZAP</a> or <a href="https://w3af.org/">w3af</a>). In some cases the <a href="https://github.com/google/oss-fuzz#introduction">OSS-Fuzz</a> project may be willing to apply fuzz testing to your project. For purposes of this criterion the dynamic analysis tool needs to vary the inputs in some way to look for various kinds of problems <em>or</em> be an automated test suite with at least 80% branch coverage. The <a href="https://en.wikipedia.org/wiki/Dynamic_program_analysis">Wikipedia page on dynamic analysis</a> and the <a href="https://www.owasp.org/index.php/Fuzzing">OWASP page on fuzzing</a> identify some dynamic analysis tools. The analysis tool(s) MAY be focused on looking for security vulnerabilities, but this is not required.</dd><dt><i>Rationale</i>:<dt> <dd>Static source code analysis and dynamic analysis tend to find different kinds of defects (including defects that lead to vulnerabilities), so combining them is more likely to be effective. For example, <a href="https://www.mail-archive.com/[email protected]/msg1513352.html">Linus Torvalds' "Linux 4.14-rc5" announcement (October 15, 2017)</a> notes that "(people are doing) random fuzzing... and it's finding things... Very nice to see."
<li><a name="dynamic_analysis"></a>It is SUGGESTED that at least one dynamic analysis tool be applied to any proposed major production release of the software before its release. <sup>[<a href="#dynamic_analysis">dynamic_analysis</a>]</sup><dl><dt><i>Details</i>:<dt> <dd>A dynamic analysis tool examines the software by executing it with specific inputs. For example, the project MAY use a fuzzing tool (e.g., <a href="http://lcamtuf.coredump.cx/afl/">American Fuzzy Lop</a>) or a web application scanner (e.g., <a href="https://www.zaproxy.org">ZAP</a> or <a href="https://w3af.org/">w3af</a>). In some cases the <a href="https://github.com/google/oss-fuzz#introduction">OSS-Fuzz</a> project may be willing to apply fuzz testing to your project. For purposes of this criterion the dynamic analysis tool needs to vary the inputs in some way to look for various kinds of problems <em>or</em> be an automated test suite with at least 80% branch coverage. The <a href="https://en.wikipedia.org/wiki/Dynamic_program_analysis">Wikipedia page on dynamic analysis</a> and the <a href="https://www.owasp.org/index.php/Fuzzing">OWASP page on fuzzing</a> identify some dynamic analysis tools. The analysis tool(s) MAY be focused on looking for security vulnerabilities, but this is not required.</dd><dt><i>Rationale</i>:<dt> <dd>Static source code analysis and dynamic analysis tend to find different kinds of defects (including defects that lead to vulnerabilities), so combining them is more likely to be effective. For example, <a href="https://www.mail-archive.com/[email protected]/msg1513352.html">Linus Torvalds' "Linux 4.14-rc5" announcement (October 15, 2017)</a> notes that "(people are doing) random fuzzing... and it's finding things... Very nice to see."
</dd></dl></li>

<li><a name="dynamic_analysis_unsafe"></a>It is SUGGESTED that if the software produced by the project includes software written using a memory-unsafe language (e.g., C or C++), then at least one dynamic tool (e.g., a fuzzer or web application scanner) be routinely used in combination with a mechanism to detect memory safety problems such as buffer overwrites. If the project does not produce software written in a memory-unsafe language, choose "not applicable" (N/A). (N/A allowed.) <sup>[<a href="#dynamic_analysis_unsafe">dynamic_analysis_unsafe</a>]</sup><dl><dt><i>Details</i>:<dt> <dd>Examples of mechanisms to detect memory safety problems include <a href="https://github.com/google/sanitizers/wiki/AddressSanitizer">Address Sanitizer (ASAN)</a> (available in GCC and LLVM), <a href="https://clang.llvm.org/docs/MemorySanitizer.html">Memory Sanitizer</a>, and <a href="http://valgrind.org/">valgrind</a>. Other potentially-used tools include <a href="https://clang.llvm.org/docs/ThreadSanitizer.html">thread sanitizer</a> and <a href="https://clang.llvm.org/docs/UndefinedBehaviorSanitizer.html">undefined behavior sanitizer</a>. Widespread assertions would also work.</dd></dl></li>
Expand Down
4 changes: 2 additions & 2 deletions docs/implementation.md
Original file line number Diff line number Diff line change
Expand Up @@ -231,7 +231,7 @@ Put the image in "app/assets/images/project-logos-originals",
copy it to "app/assets/images/project-logos" and rescale to 48 pixels high,
and modify the home page text "app/views/static_pages/home.html.erb".

Here's an example of how we got the OWASP ZAP logo into the originals
Here's an example of how we got the ZAP logo into the originals
directory:

~~~sh
Expand Down Expand Up @@ -1111,7 +1111,7 @@ ALL_DETECTIVES =

## Analysis

We use the OWASP ZAP web application scanner to find potential
We use the ZAP web application scanner to find potential
vulnerabilities.
This lets us fulfill the "dynamic analysis" criterion.

Expand Down
2 changes: 1 addition & 1 deletion docs/other.md
Original file line number Diff line number Diff line change
Expand Up @@ -1495,7 +1495,7 @@ but we discussed possibly upgrading them.
contributors have an increased likelihood of continuing.
<a href="http://www.alluxio.org/docs/master/en/Contributing-to-Alluxio.html">Alluxio uses SMALLFIX</a>
and
<a href="https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug">OWASP ZAP uses IdealFirstBug</a>.
<a href="https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug">ZAP uses IdealFirstBug</a>.
This is related to criterion installation_development_quick.

* <a name="require_2FA"></a>
Expand Down
Loading