some rules have disappeared from docker-weekly
Describe the bug
I noticed that some rules have completely vanished from docker-weekly (unsure if/what other images are affected). The exact rules that have gone missing are:
40031 WARN (Out of Band XSS - Active/alpha)
40038 WARN (Bypassing 403 - Active/alpha)
40040 WARN (CORS Header - Active/alpha)
40042 WARN (Spring Actuator Information Leak - Active/alpha)
40043 WARN (Log4Shell - Active/alpha)
40044 WARN (Exponential Entity Expansion (Billion Laughs Attack) - Active/alpha)
40045 WARN (Spring4Shell - Active/alpha)
90035 WARN (Server Side Template Injection - Active/alpha)
90036 WARN (Server Side Template Injection (Blind) - Active/alpha)
However, when for example checking the code of ForbiddenBypassScanRule (=40038), it appears it has simply moved from alpha to beta. In the past when this happened, the only differences between the .tsv files were a bunch of alpha changing into beta.
One other possible cause could be that running the command (see below) results in the output:
- yesterday:
Total of 33 URLs
- today:
Total of 25 URLs
but I don’t see how that could affect the output of -g
Steps to reproduce the behavior
In both the current docker image as well as the previous one, run:
zap-full-scan.py -j -a -t https://domaine.example -g current-config.tsv
then compare the resulting files.
To make things even weirder, our pipeline succeeded yesterday but failed today, yet they both report the same sha256
hashes. But they have different output; in yesterday’s one, there’s a line in the output somewhere about WARN-NEW: Bypassing 403 [40038]
which is completely absent in today’s output.
Expected behavior
A number of lines gets changed. The only effective change is alpha getting replaced by beta a number of times.
(it’s possible that some rules are actually deleted (I didn’t check them all) but at least 40038 should still exist)
Software versions
owasp/zap2docker-weekly, but see Steps to reproduce because I’m not sure where it’s getting it from.
Yesterday and today both report sha256:561bdacf22f32be7a998de05315bdde72ff0d97f3a174d97c0826811aace6204
Screenshots
I can provide screenshots and/or logs if desired, but I’ll need to scrub a bunch of information from them, which takes time. I don’t mind taking that time, but maybe it’s not even necessary. Just post a comment if you need them.
Errors from the zap.log file
No response
Additional context
It’s probably caused by something in https://github.com/zaproxy/zap-extensions/pull/4049 and/or the 2.12 release and they got lost/forgotten somewhere?
If it is intended to update this way, simply close this issue!
The impact isn’t too big (it fails for us because the output of -g is under version control somewhere) since effectively it just runs with a few less rules, and all of the ‘missing’ rules were alpha anyway. No need to manually force-regenerate docker images for this.
Would you like to help fix this issue?
- Yes
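The steps above boil down to running `zap-full-scan.py -g` against two images and comparing the resulting .tsv files by eye. The script below is an added example, not code from the ZAP project or from the issue reporter: it parses two such files and reports which rule IDs disappeared, which appeared, which changed alpha/beta/release quality, and which changed their IGNORE/WARN/FAIL action. The `id<TAB>action<TAB>(name - kind/quality)` line layout is assumed from the lines quoted in the report (spaces are also accepted), and the two sample files are constructed from the rule IDs mentioned in the issue, not real ZAP output.

```python
import re
from typing import Dict, List, NamedTuple

# One rule line of a -g config file, e.g.
#   40038<TAB>WARN<TAB>(Bypassing 403 - Active/alpha)
# Layout assumed from the lines quoted in the issue; the greedy (.*) keeps
# rule names that themselves contain parentheses, such as
# "Exponential Entity Expansion (Billion Laughs Attack)", intact.
RULE_LINE = re.compile(r"^(\d+)\s+(IGNORE|WARN|FAIL)\s+\((.*) - (\w+)/(\w+)\)\s*$")


class Rule(NamedTuple):
    action: str   # IGNORE / WARN / FAIL
    name: str
    kind: str     # Active / Passive
    quality: str  # alpha / beta / release


def parse_config(text: str) -> Dict[int, Rule]:
    """Parse the text of a -g config file into {rule_id: Rule}.

    Blank lines and the '#' comment header are skipped; any other line
    that does not match the expected layout is an error rather than
    silently dropped, so a format change cannot masquerade as a removal.
    """
    rules: Dict[int, Rule] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = RULE_LINE.match(line)
        if match is None:
            raise ValueError(f"unrecognised config line: {line!r}")
        rid, action, name, kind, quality = match.groups()
        rules[int(rid)] = Rule(action, name, kind, quality)
    return rules


def diff_configs(old: Dict[int, Rule], new: Dict[int, Rule]) -> dict:
    """Compare two parsed config files; every value is sorted by rule id."""
    common = sorted(set(old) & set(new))
    return {
        "removed": sorted(set(old) - set(new)),
        "added": sorted(set(new) - set(old)),
        "quality_changed": {
            rid: (old[rid].quality, new[rid].quality)
            for rid in common if old[rid].quality != new[rid].quality
        },
        "action_changed": {
            rid: (old[rid].action, new[rid].action)
            for rid in common if old[rid].action != new[rid].action
        },
    }


def summarize(old_text: str, new_text: str) -> List[str]:
    """Human-readable lines for a pipeline log or a CI failure message."""
    old, new = parse_config(old_text), parse_config(new_text)
    diff = diff_configs(old, new)
    lines = [f"{rid} removed: {old[rid].name}" for rid in diff["removed"]]
    lines += [f"{rid} added: {new[rid].name}" for rid in diff["added"]]
    lines += [f"{rid} quality {a} -> {b}" for rid, (a, b) in diff["quality_changed"].items()]
    lines += [f"{rid} action {a} -> {b}" for rid, (a, b) in diff["action_changed"].items()]
    return lines


# Constructed sample files (not real ZAP output). "Yesterday" lists four
# alpha rules; "today" promotes two of them to beta, flips one to IGNORE,
# and 40038 has vanished entirely, which is what the report describes.
YESTERDAY = """# constructed -g config file
40031\tWARN\t(Out of Band XSS - Active/alpha)
40038\tWARN\t(Bypassing 403 - Active/alpha)
40040\tWARN\t(CORS Header - Active/alpha)
90035\tWARN\t(Server Side Template Injection - Active/alpha)
"""

TODAY = """# constructed -g config file
40031\tWARN\t(Out of Band XSS - Active/beta)
40040\tWARN\t(CORS Header - Active/beta)
90035\tIGNORE\t(Server Side Template Injection - Active/alpha)
"""

if __name__ == "__main__":
    for line in summarize(YESTERDAY, TODAY):
        print(line)
```

Running the block prints one line per change, so a quality-only drift (the expected alpha-to-beta renames) is easy to tell apart from a genuinely missing rule such as 40038; failing a pipeline only on the `removed` list, rather than on any byte difference in the versioned file, avoids breaking on the routine promotions the report says are expected.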
Issue Analytics
- Created a year ago
- Comments: 6 (4 by maintainers)
Top GitHub Comments
Ah! We kicked off the weekly but I didn’t check and then approve it. This means it’s still the ‘old’ weekly which will be using the ‘old’ beta and therefore will miss out on the new beta rules. I have now checked and approved the weekly so it should be updated very soon…
Thanks for reporting this and for letting us know it’s good now!