
Commit c6000a2

committed
various: Add TEST_TIMING alert tag
Update: CHANGELOGs, scan rules, unittests. Signed-off-by: kingthorin <[email protected]>
1 parent a643664 commit c6000a2

25 files changed

+247
-31
lines changed

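--- a/addOns/ascanrules/CHANGELOG.md
+++ b/addOns/ascanrules/CHANGELOG.md
@@ -10,6 +10,9 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 ### Fixed
 - External Redirect scan rule to regenerate anti CSRF tokens.
 
+### Changed
+- Scan rules which execute time based attacks now include the "TEST_TIMING" alert tag.
+
 ## [70] - 2025-01-09
 ### Changed
 - Update minimum ZAP version to 2.16.0.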

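--- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/CommandInjectionScanRule.java
+++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/CommandInjectionScanRule.java
@@ -98,7 +98,8 @@ public class CommandInjectionScanRule extends AbstractAppParamPlugin
 CommonAlertTag.toMap(
 CommonAlertTag.OWASP_2021_A03_INJECTION,
 CommonAlertTag.OWASP_2017_A01_INJECTION,
-CommonAlertTag.WSTG_V42_INPV_12_COMMAND_INJ));
+CommonAlertTag.WSTG_V42_INPV_12_COMMAND_INJ,
+CommonAlertTag.TEST_TIMING));
 alertTags.put(PolicyTag.API.getTag(), "");
 alertTags.put(PolicyTag.DEV_CICD.getTag(), "");
 alertTags.put(PolicyTag.DEV_STD.getTag(), "");
@@ -367,6 +368,15 @@ public Map<String, String> getAlertTags() {
 return ALERT_TAGS;
 }
 
+private Map<String, String> getNeededAlertTags(TestType type) {
+Map<String, String> alertTags = new HashMap<>();
+alertTags.putAll(getAlertTags());
+if (TestType.FEEDBACK.equals(type)) {
+alertTags.remove(CommonAlertTag.TEST_TIMING.getTag());
+}
+return alertTags;
+}
+
 @Override
 public int getCweId() {
 return 78;
@@ -584,7 +594,14 @@ private boolean testCommandInjection(
 paramValue);
 String otherInfo = getOtherInfo(TestType.FEEDBACK, paramValue);
 
-buildAlert(paramName, paramValue, matcher.group(), otherInfo, msg).raise();
+buildAlert(
+paramName,
+paramValue,
+matcher.group(),
+otherInfo,
+TestType.FEEDBACK,
+msg)
+.raise();
 
 // All done. No need to look for vulnerabilities on subsequent
 // payloads on the same request (to reduce performance impact)
@@ -670,7 +687,8 @@ private boolean testCommandInjection(
 String otherInfo = getOtherInfo(TestType.TIME, paramValue);
 
 // just attach this alert to the last sent message
-buildAlert(paramName, paramValue, "", otherInfo, message.get()).raise();
+buildAlert(paramName, paramValue, "", otherInfo, TestType.TIME, message.get())
+.raise();
 
 // All done. No need to look for vulnerabilities on subsequent
 // payloads on the same request (to reduce performance impact)
@@ -719,14 +737,20 @@ private static String insertUninitVar(String cmd) {
 }
 
 private AlertBuilder buildAlert(
-String param, String attack, String evidence, String otherInfo, HttpMessage msg) {
+String param,
+String attack,
+String evidence,
+String otherInfo,
+TestType type,
+HttpMessage msg) {
 return newAlert()
 .setConfidence(Alert.CONFIDENCE_MEDIUM)
 .setParam(param)
 .setAttack(attack)
 .setEvidence(evidence)
 .setMessage(msg)
-.setOtherInfo(otherInfo);
+.setOtherInfo(otherInfo)
+.setTags(getNeededAlertTags(type));
 }
 
 @Override
@@ -737,6 +761,7 @@ public List<Alert> getExampleAlerts() {
 "a;cat /etc/passwd ",
 "root:x:0:0",
 getOtherInfo(TestType.FEEDBACK, "a;cat /etc/passwd "),
+TestType.FEEDBACK,
 null)
 .build());
 }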
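Review bot: The new `getNeededAlertTags(TestType type)` carries no comment explaining why TEST_TIMING is dropped for feedback-based alerts, and it builds the copy in two steps where the copy constructor would do. I would add a short Javadoc along the lines of `/** Returns this rule's tags, without TEST_TIMING when the alert was confirmed from response content rather than a measured delay. */` and write the copy as `Map<String, String> alertTags = new HashMap<>(getAlertTags());`. The same helper is duplicated, with a boolean parameter, in SqlInjectionSqLiteScanRule.java, and the same comment applies there. If downstream consumers use the tag to decide which findings need re-verification (an assumption, nothing on this page shows it), the intent is worth stating next to the code.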

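--- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionHypersonicScanRule.java
+++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionHypersonicScanRule.java
@@ -199,7 +199,8 @@ public class SqlInjectionHypersonicScanRule extends AbstractAppParamPlugin
 CommonAlertTag.toMap(
 CommonAlertTag.OWASP_2021_A03_INJECTION,
 CommonAlertTag.OWASP_2017_A01_INJECTION,
-CommonAlertTag.WSTG_V42_INPV_05_SQLI));
+CommonAlertTag.WSTG_V42_INPV_05_SQLI,
+CommonAlertTag.TEST_TIMING));
 alertTags.put(PolicyTag.DEV_FULL.getTag(), "");
 alertTags.put(PolicyTag.QA_STD.getTag(), "");
 alertTags.put(PolicyTag.QA_FULL.getTag(), "");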

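--- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionMsSqlScanRule.java
+++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionMsSqlScanRule.java
@@ -144,7 +144,8 @@ public class SqlInjectionMsSqlScanRule extends AbstractAppParamPlugin
 CommonAlertTag.toMap(
 CommonAlertTag.OWASP_2021_A03_INJECTION,
 CommonAlertTag.OWASP_2017_A01_INJECTION,
-CommonAlertTag.WSTG_V42_INPV_05_SQLI));
+CommonAlertTag.WSTG_V42_INPV_05_SQLI,
+CommonAlertTag.TEST_TIMING));
 alertTags.put(PolicyTag.DEV_FULL.getTag(), "");
 alertTags.put(PolicyTag.QA_STD.getTag(), "");
 alertTags.put(PolicyTag.QA_FULL.getTag(), "");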

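--- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionMySqlScanRule.java
+++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionMySqlScanRule.java
@@ -218,7 +218,8 @@ public class SqlInjectionMySqlScanRule extends AbstractAppParamPlugin
 CommonAlertTag.toMap(
 CommonAlertTag.OWASP_2021_A03_INJECTION,
 CommonAlertTag.OWASP_2017_A01_INJECTION,
-CommonAlertTag.WSTG_V42_INPV_05_SQLI));
+CommonAlertTag.WSTG_V42_INPV_05_SQLI,
+CommonAlertTag.TEST_TIMING));
 alertTags.put(PolicyTag.DEV_FULL.getTag(), "");
 alertTags.put(PolicyTag.QA_STD.getTag(), "");
 alertTags.put(PolicyTag.QA_FULL.getTag(), "");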

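--- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionOracleScanRule.java
+++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionOracleScanRule.java
@@ -154,7 +154,8 @@ public class SqlInjectionOracleScanRule extends AbstractAppParamPlugin
 CommonAlertTag.toMap(
 CommonAlertTag.OWASP_2021_A03_INJECTION,
 CommonAlertTag.OWASP_2017_A01_INJECTION,
-CommonAlertTag.WSTG_V42_INPV_05_SQLI));
+CommonAlertTag.WSTG_V42_INPV_05_SQLI,
+CommonAlertTag.TEST_TIMING));
 alertTags.put(PolicyTag.DEV_FULL.getTag(), "");
 alertTags.put(PolicyTag.QA_STD.getTag(), "");
 alertTags.put(PolicyTag.QA_FULL.getTag(), "");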

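--- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionPostgreScanRule.java
+++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionPostgreScanRule.java
@@ -196,7 +196,8 @@ public class SqlInjectionPostgreScanRule extends AbstractAppParamPlugin
 CommonAlertTag.toMap(
 CommonAlertTag.OWASP_2021_A03_INJECTION,
 CommonAlertTag.OWASP_2017_A01_INJECTION,
-CommonAlertTag.WSTG_V42_INPV_05_SQLI));
+CommonAlertTag.WSTG_V42_INPV_05_SQLI,
+CommonAlertTag.TEST_TIMING));
 alertTags.put(PolicyTag.DEV_FULL.getTag(), "");
 alertTags.put(PolicyTag.QA_STD.getTag(), "");
 alertTags.put(PolicyTag.QA_FULL.getTag(), "");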

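--- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionSqLiteScanRule.java
+++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionSqLiteScanRule.java
@@ -221,7 +221,8 @@ public class SqlInjectionSqLiteScanRule extends AbstractAppParamPlugin
 CommonAlertTag.toMap(
 CommonAlertTag.OWASP_2021_A03_INJECTION,
 CommonAlertTag.OWASP_2017_A01_INJECTION,
-CommonAlertTag.WSTG_V42_INPV_05_SQLI));
+CommonAlertTag.WSTG_V42_INPV_05_SQLI,
+CommonAlertTag.TEST_TIMING));
 alertTags.put(PolicyTag.QA_FULL.getTag(), "");
 ALERT_TAGS = Collections.unmodifiableMap(alertTags);
 }
@@ -458,6 +459,7 @@ public void scan(HttpMessage originalMessage, String paramName, String originalP
 .setOtherInfo(extraInfo)
 .setEvidence(matcher.group())
 .setMessage(msgDelay)
+.setTags(getNeededAlertTags(true))
 .raise();
 
 LOGGER.debug(
@@ -600,6 +602,7 @@ public void scan(HttpMessage originalMessage, String paramName, String originalP
 .setOtherInfo(extraInfo)
 .setEvidence(extraInfo)
 .setMessage(detectableDelayMessage)
+.setTags(getNeededAlertTags(false))
 .raise();
 
 if (detectableDelayMessage != null)
@@ -752,6 +755,7 @@ public void scan(HttpMessage originalMessage, String paramName, String originalP
 .setOtherInfo(extraInfo)
 .setEvidence(versionNumber)
 .setMessage(unionAttackMessage)
+.setTags(getNeededAlertTags(true))
 .raise();
 break unionLoops;
 }
@@ -804,4 +808,13 @@ public int getWascId() {
 public Map<String, String> getAlertTags() {
 return ALERT_TAGS;
 }
+
+private Map<String, String> getNeededAlertTags(boolean isFeedbackbased) {
+Map<String, String> alertTags = new HashMap<>();
+alertTags.putAll(getAlertTags());
+if (isFeedbackbased) {
+alertTags.remove(CommonAlertTag.TEST_TIMING.getTag());
+}
+return alertTags;
+}
 }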
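Review bot: The calls `getNeededAlertTags(true)` and `getNeededAlertTags(false)` added in `scan` do not show at the call site which detection path raised the alert, and the parameter name `isFeedbackbased` breaks camel case. A two-value enum like the `TestType` that CommandInjectionScanRule uses in this commit, or at least `isFeedbackBased` plus a one-line comment at each call, would make it harder to pass the wrong flag when another alert is added to this method. The first call (new line 462) attaches `msgDelay` as the message yet passes `true`; that looks deliberate because the evidence is `matcher.group()`, but a comment such as `// matched an error message, not a delay` would confirm it. `scan` begins and ends outside the hunks shown.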

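--- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SstiBlindScanRule.java
+++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SstiBlindScanRule.java
@@ -61,7 +61,8 @@ public class SstiBlindScanRule extends AbstractAppParamPlugin implements CommonA
 CommonAlertTag.toMap(
 CommonAlertTag.OWASP_2021_A03_INJECTION,
 CommonAlertTag.OWASP_2017_A01_INJECTION,
-CommonAlertTag.WSTG_V42_INPV_18_SSTI));
+CommonAlertTag.WSTG_V42_INPV_18_SSTI,
+CommonAlertTag.TEST_TIMING));
 alertTags.put(ExtensionOast.OAST_ALERT_TAG_KEY, ExtensionOast.OAST_ALERT_TAG_VALUE);
 alertTags.put(PolicyTag.API.getTag(), "");
 alertTags.put(PolicyTag.DEV_FULL.getTag(), "");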
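Review bot: TEST_TIMING is added to the rule-level map right next to the OAST tag, and nothing in this section removes it per alert the way `getNeededAlertTags` does in CommandInjectionScanRule and SqlInjectionSqLiteScanRule. If this rule can also raise alerts from an out-of-band callback rather than a measured delay (the OAST tag suggests so, but the alert-raising code is outside the hunk), those alerts would presumably carry TEST_TIMING too. That is worth confirming; if it holds, set the tags per alert so the timing tag marks only delay-based findings.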

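--- a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/CommandInjectionScanRuleUnitTest.java
+++ b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/CommandInjectionScanRuleUnitTest.java
@@ -23,6 +23,7 @@
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.containsString;
 import static org.hamcrest.Matchers.equalTo;
+import static org.hamcrest.Matchers.hasKey;
 import static org.hamcrest.Matchers.hasSize;
 import static org.hamcrest.Matchers.is;
 import static org.hamcrest.Matchers.not;
@@ -95,7 +96,7 @@ void shouldReturnExpectedMappings() {
 // Then
 assertThat(cwe, is(equalTo(78)));
 assertThat(wasc, is(equalTo(31)));
-assertThat(tags.size(), is(equalTo(10)));
+assertThat(tags.size(), is(equalTo(11)));
 assertThat(
 tags.containsKey(CommonAlertTag.OWASP_2021_A03_INJECTION.getTag()),
 is(equalTo(true)));
@@ -378,6 +379,8 @@ void shouldHaveExpectedExampleAlert() {
 "The scan rule was able to retrieve the content of a file or "
 + "command by sending [a;cat /etc/passwd ] to the operating "
 + "system running this application.")));
+Map<String, String> tags = alert.getTags();
+assertThat(tags, not(hasKey(CommonAlertTag.TEST_TIMING.getTag())));
 }
 
 private static class PayloadCollectorHandler extends NanoServerHandler {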
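Review bot: `shouldReturnExpectedMappings` only bumps the expected size to 11; unlike the sibling SQL injection tests in this commit it gains no `assertThat(tags.containsKey(CommonAlertTag.TEST_TIMING.getTag()), is(equalTo(true)));`, so any eleventh tag would satisfy it. The assertion added to `shouldHaveExpectedExampleAlert` covers only the FEEDBACK path, and judging by the four added lines in this file no test checks that an alert raised with `TestType.TIME` keeps the tag. I would add the `containsKey` assertion and a time-based case asserting `is(hasKey(CommonAlertTag.TEST_TIMING.getTag()))`, as SqlInjectionSQLiteScanRuleUnitTest does in this commit.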

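--- a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionHypersonicScanRuleUnitTest.java
+++ b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionHypersonicScanRuleUnitTest.java
@@ -155,7 +155,7 @@ void shouldReturnExpectedMappings() {
 // Then
 assertThat(cwe, is(equalTo(89)));
 assertThat(wasc, is(equalTo(19)));
-assertThat(tags.size(), is(equalTo(7)));
+assertThat(tags.size(), is(equalTo(8)));
 assertThat(
 tags.containsKey(CommonAlertTag.OWASP_2021_A03_INJECTION.getTag()),
 is(equalTo(true)));
@@ -168,6 +168,7 @@ void shouldReturnExpectedMappings() {
 assertThat(tags.containsKey(PolicyTag.QA_STD.getTag()), is(equalTo(true)));
 assertThat(tags.containsKey(PolicyTag.QA_FULL.getTag()), is(equalTo(true)));
 assertThat(tags.containsKey(PolicyTag.SEQUENCE.getTag()), is(equalTo(true)));
+assertThat(tags.containsKey(CommonAlertTag.TEST_TIMING.getTag()), is(equalTo(true)));
 assertThat(
 tags.get(CommonAlertTag.OWASP_2021_A03_INJECTION.getTag()),
 is(equalTo(CommonAlertTag.OWASP_2021_A03_INJECTION.getValue())));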

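--- a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionMsSqlScanRuleUnitTest.java
+++ b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionMsSqlScanRuleUnitTest.java
@@ -150,7 +150,7 @@ void shouldReturnExpectedMappings() {
 // Then
 assertThat(cwe, is(equalTo(89)));
 assertThat(wasc, is(equalTo(19)));
-assertThat(tags.size(), is(equalTo(7)));
+assertThat(tags.size(), is(equalTo(8)));
 assertThat(
 tags.containsKey(CommonAlertTag.OWASP_2021_A03_INJECTION.getTag()),
 is(equalTo(true)));
@@ -163,6 +163,7 @@ void shouldReturnExpectedMappings() {
 assertThat(tags.containsKey(PolicyTag.QA_STD.getTag()), is(equalTo(true)));
 assertThat(tags.containsKey(PolicyTag.QA_FULL.getTag()), is(equalTo(true)));
 assertThat(tags.containsKey(PolicyTag.SEQUENCE.getTag()), is(equalTo(true)));
+assertThat(tags.containsKey(CommonAlertTag.TEST_TIMING.getTag()), is(equalTo(true)));
 assertThat(
 tags.get(CommonAlertTag.OWASP_2021_A03_INJECTION.getTag()),
 is(equalTo(CommonAlertTag.OWASP_2021_A03_INJECTION.getValue())));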

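--- a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionMySqlScanRuleUnitTest.java
+++ b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionMySqlScanRuleUnitTest.java
@@ -149,7 +149,7 @@ void shouldReturnExpectedMappings() {
 // Then
 assertThat(cwe, is(equalTo(89)));
 assertThat(wasc, is(equalTo(19)));
-assertThat(tags.size(), is(equalTo(7)));
+assertThat(tags.size(), is(equalTo(8)));
 assertThat(
 tags.containsKey(CommonAlertTag.OWASP_2021_A03_INJECTION.getTag()),
 is(equalTo(true)));
@@ -162,6 +162,7 @@ void shouldReturnExpectedMappings() {
 assertThat(tags.containsKey(PolicyTag.QA_STD.getTag()), is(equalTo(true)));
 assertThat(tags.containsKey(PolicyTag.QA_FULL.getTag()), is(equalTo(true)));
 assertThat(tags.containsKey(PolicyTag.SEQUENCE.getTag()), is(equalTo(true)));
+assertThat(tags.containsKey(CommonAlertTag.TEST_TIMING.getTag()), is(equalTo(true)));
 assertThat(
 tags.get(CommonAlertTag.OWASP_2021_A03_INJECTION.getTag()),
 is(equalTo(CommonAlertTag.OWASP_2021_A03_INJECTION.getValue())));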

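--- a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionOracleScanRuleUnitTest.java
+++ b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionOracleScanRuleUnitTest.java
@@ -145,7 +145,7 @@ void shouldReturnExpectedMappings() {
 // Then
 assertThat(cwe, is(equalTo(89)));
 assertThat(wasc, is(equalTo(19)));
-assertThat(tags.size(), is(equalTo(7)));
+assertThat(tags.size(), is(equalTo(8)));
 assertThat(
 tags.containsKey(CommonAlertTag.OWASP_2021_A03_INJECTION.getTag()),
 is(equalTo(true)));
@@ -158,6 +158,7 @@ void shouldReturnExpectedMappings() {
 assertThat(tags.containsKey(PolicyTag.QA_STD.getTag()), is(equalTo(true)));
 assertThat(tags.containsKey(PolicyTag.QA_FULL.getTag()), is(equalTo(true)));
 assertThat(tags.containsKey(PolicyTag.SEQUENCE.getTag()), is(equalTo(true)));
+assertThat(tags.containsKey(CommonAlertTag.TEST_TIMING.getTag()), is(equalTo(true)));
 assertThat(
 tags.get(CommonAlertTag.OWASP_2021_A03_INJECTION.getTag()),
 is(equalTo(CommonAlertTag.OWASP_2021_A03_INJECTION.getValue())));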

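--- a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionPostgreScanRuleUnitTest.java
+++ b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionPostgreScanRuleUnitTest.java
@@ -158,7 +158,7 @@ void shouldReturnExpectedMappings() {
 // Then
 assertThat(cwe, is(equalTo(89)));
 assertThat(wasc, is(equalTo(19)));
-assertThat(tags.size(), is(equalTo(7)));
+assertThat(tags.size(), is(equalTo(8)));
 assertThat(
 tags.containsKey(CommonAlertTag.OWASP_2021_A03_INJECTION.getTag()),
 is(equalTo(true)));
@@ -171,6 +171,7 @@ void shouldReturnExpectedMappings() {
 assertThat(tags.containsKey(PolicyTag.QA_STD.getTag()), is(equalTo(true)));
 assertThat(tags.containsKey(PolicyTag.QA_FULL.getTag()), is(equalTo(true)));
 assertThat(tags.containsKey(PolicyTag.SEQUENCE.getTag()), is(equalTo(true)));
+assertThat(tags.containsKey(CommonAlertTag.TEST_TIMING.getTag()), is(equalTo(true)));
 assertThat(
 tags.get(CommonAlertTag.OWASP_2021_A03_INJECTION.getTag()),
 is(equalTo(CommonAlertTag.OWASP_2021_A03_INJECTION.getValue())));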

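--- a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionSQLiteScanRuleUnitTest.java
+++ b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionSQLiteScanRuleUnitTest.java
@@ -22,7 +22,9 @@
 import static fi.iki.elonen.NanoHTTPD.newFixedLengthResponse;
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.equalTo;
+import static org.hamcrest.Matchers.hasKey;
 import static org.hamcrest.Matchers.is;
+import static org.hamcrest.Matchers.not;
 import static org.hamcrest.Matchers.startsWith;
 
 import fi.iki.elonen.NanoHTTPD.IHTTPSession;
@@ -114,6 +116,7 @@ protected Response serve(IHTTPSession session) {
 equalTo("case randomblob(100000) when not null then 1 else 1 end "));
 assertThat(alertsRaised.get(0).getRisk(), equalTo(Alert.RISK_HIGH));
 assertThat(alertsRaised.get(0).getConfidence(), equalTo(Alert.CONFIDENCE_MEDIUM));
+assertThat(alertsRaised.get(0).getTags(), not(hasKey(CommonAlertTag.TEST_TIMING.getTag())));
 }
 
 @Test
@@ -155,6 +158,7 @@ protected Response serve(IHTTPSession session) {
 assertThat(alertsRaised.get(0).getAttack(), startsWith("case randomblob(100"));
 assertThat(alertsRaised.get(0).getRisk(), equalTo(Alert.RISK_HIGH));
 assertThat(alertsRaised.get(0).getConfidence(), equalTo(Alert.CONFIDENCE_MEDIUM));
+assertThat(alertsRaised.get(0).getTags(), is(hasKey(CommonAlertTag.TEST_TIMING.getTag())));
 }
 
 @Test
@@ -197,7 +201,7 @@ void shouldReturnExpectedMappings() {
 // Then
 assertThat(cwe, is(equalTo(89)));
 assertThat(wasc, is(equalTo(19)));
-assertThat(tags.size(), is(equalTo(4)));
+assertThat(tags.size(), is(equalTo(5)));
 assertThat(
 tags.containsKey(CommonAlertTag.OWASP_2021_A03_INJECTION.getTag()),
 is(equalTo(true)));
@@ -207,6 +211,7 @@ void shouldReturnExpectedMappings() {
 assertThat(
 tags.containsKey(CommonAlertTag.WSTG_V42_INPV_05_SQLI.getTag()), is(equalTo(true)));
 assertThat(tags.containsKey(PolicyTag.QA_FULL.getTag()), is(equalTo(true)));
+assertThat(tags.containsKey(CommonAlertTag.TEST_TIMING.getTag()), is(equalTo(true)));
 assertThat(
 tags.get(CommonAlertTag.OWASP_2021_A03_INJECTION.getTag()),
 is(equalTo(CommonAlertTag.OWASP_2021_A03_INJECTION.getValue())));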

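--- a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SstiBlindScanRuleUnitTest.java
+++ b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SstiBlindScanRuleUnitTest.java
@@ -143,7 +143,7 @@ void shouldReturnExpectedMappings() {
 // Then
 assertThat(cwe, is(equalTo(1336)));
 assertThat(wasc, is(equalTo(20)));
-assertThat(tags.size(), is(equalTo(8)));
+assertThat(tags.size(), is(equalTo(9)));
 assertThat(
 tags.containsKey(CommonAlertTag.OWASP_2021_A03_INJECTION.getTag()),
 is(equalTo(true)));
@@ -157,6 +157,7 @@ void shouldReturnExpectedMappings() {
 assertThat(tags.containsKey(PolicyTag.DEV_FULL.getTag()), is(equalTo(true)));
 assertThat(tags.containsKey(PolicyTag.QA_FULL.getTag()), is(equalTo(true)));
 assertThat(tags.containsKey(PolicyTag.SEQUENCE.getTag()), is(equalTo(true)));
+assertThat(tags.containsKey(CommonAlertTag.TEST_TIMING.getTag()), is(equalTo(true)));
 assertThat(
 tags.get(CommonAlertTag.OWASP_2021_A03_INJECTION.getTag()),
 is(equalTo(CommonAlertTag.OWASP_2021_A03_INJECTION.getValue())));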
