
ascanrulesBeta: Add example alerts to Session Fixation scan rule#7059

Merged
kingthorin merged 1 commit into zaproxy:main from
chenjingen-jane:add-example-alert-session-fixation
Apr 16, 2026

Conversation

@chenjingen-jane
Contributor

Overview

This PR adds the getExampleAlerts() method to the Session Fixation Scan Rule (SessionFixationScanRule.java) in ascanrulesBeta.
The purpose is to provide example alerts for the ZAP documentation generator and to follow the new de facto standard for all scan rules.

Changes

  • Added getExampleAlerts() method
  • Returns a list with one example Alert:
    • id: 40013
    • name: Session Fixation
    • risk: HIGH
    • confidence: MEDIUM
    • description, solution, reference: pulled from Constant.messages
    • URI: https://www.example.com
  • No other addOns have been modified

Related Issues


Testing / CI Notes

  • Only :addOns:ascanrulesBeta:compileJava is relevant
  • Local compilation passes successfully using:
    $env:GRADLE_OPTS="-Xmx3g -Dfile.encoding=UTF-8"
    ./gradlew :addOns:ascanrulesBeta:compileJava

@chenjingen-jane
Contributor Author

Hello @thc202, I’ve made some updates to the code. Could you please review it and let me know your thoughts?

@psiinon
Member

psiinon commented Jan 20, 2026

Checkmarx One – Scan Summary & Details 513912a2-12f7-49c5-bd56-beff0a3327f1

Great job! No new security vulnerabilities introduced in this pull request


@thc202
Member

thc202 commented Jan 20, 2026

Which PR do you want to keep?

@thc202 thc202 changed the title from "Add getExampleAlerts to Session Fixation scan rule" to "ascanrulesBeta: Add example alerts to Session Fixation scan rule" Jan 20, 2026
@chenjingen-jane
Contributor Author

Which PR do you want to keep?

I would like to keep this PR (#7059) as it contains my most recent updates and fixes. You can close the other one. I will focus on fixing the test failures in this branch. Sorry for the duplication!

@chenjingen-jane
Contributor Author

Hi @thc202, since we've settled on this PR, could you please approve the workflow so I can see the test results and fix any potential failures? Thanks!

@thc202
Member

thc202 commented Jan 22, 2026

You should do that before pushing, not wait for CI (use the task :aO:ascanrulesBeta:check to check everything). Note that the changes are still not correct, you should extract a method that both the example and the scan logic use.
The changelog still needs to be updated.
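The shared-method pattern requested in the comment above, as an added illustration that is not the PR's own code and not the real SessionFixationScanRule: one builder method produces the alert for both the scan logic and getExampleAlerts(), so the documentation examples cannot drift from what the rule actually raises. It assumes ZAP's AbstractPlugin.newAlert() AlertBuilder API (setRisk, setConfidence, setName, setDescription, setSolution, setReference, setAlertRef, setUri, setMessage, raise, build). The message-key prefix, the Variant enum, its alert-ref suffixes and the variantApplies() placeholder are hypothetical; the plugin id 40013, the name, risk HIGH, confidence MEDIUM and the example URI are the values listed in the PR description.

```java
import java.util.ArrayList;
import java.util.List;
import org.parosproxy.paros.Constant;
import org.parosproxy.paros.core.scanner.AbstractAppPlugin;
import org.parosproxy.paros.core.scanner.Alert;
import org.parosproxy.paros.core.scanner.Category;
import org.parosproxy.paros.network.HttpMessage;

/** Illustrative sketch of a scan rule whose examples and live alerts share one builder. */
public class SessionFixationSketchRule extends AbstractAppPlugin {

    private static final int PLUGIN_ID = 40013; // id given in the PR description
    private static final String MESSAGE_PREFIX = "ascanbeta.sessionfixation."; // assumed key prefix

    /**
     * Hypothetical alert variants. A distinct description implies a distinct alert ref,
     * which is why the ref is carried alongside the description key.
     */
    private enum Variant {
        COOKIE("cookie.desc", "1"),
        URL_PARAM("urlparam.desc", "2");

        final String descKey;
        final String refSuffix;

        Variant(String descKey, String refSuffix) {
            this.descKey = descKey;
            this.refSuffix = refSuffix;
        }
    }

    @Override
    public int getId() {
        return PLUGIN_ID;
    }

    @Override
    public String getName() {
        return Constant.messages.getString(MESSAGE_PREFIX + "name"); // "Session Fixation"
    }

    @Override
    public String getDescription() {
        return Constant.messages.getString(MESSAGE_PREFIX + "desc");
    }

    @Override
    public int getCategory() {
        return Category.MISC;
    }

    @Override
    public String getSolution() {
        return Constant.messages.getString(MESSAGE_PREFIX + "soln");
    }

    @Override
    public String getReference() {
        return Constant.messages.getString(MESSAGE_PREFIX + "refs");
    }

    /** Single source of truth: every field the documentation shows is set here and nowhere else. */
    private AlertBuilder buildAlert(Variant variant) {
        return newAlert()
                .setRisk(Alert.RISK_HIGH)
                .setConfidence(Alert.CONFIDENCE_MEDIUM)
                .setName(getName())
                .setDescription(Constant.messages.getString(MESSAGE_PREFIX + variant.descKey))
                .setSolution(getSolution())
                .setReference(getReference())
                .setAlertRef(PLUGIN_ID + "-" + variant.refSuffix);
    }

    @Override
    public void scan() {
        HttpMessage msg = getNewMsg();
        // The real rule's checks decide which variant applies; this sketch only shows the hand-off
        // from detection to the shared builder.
        for (Variant variant : Variant.values()) {
            if (variantApplies(variant, msg)) {
                buildAlert(variant).setMessage(msg).raise();
            }
        }
    }

    /** Placeholder for the rule's actual detection logic (hypothetical; always false here). */
    private boolean variantApplies(Variant variant, HttpMessage msg) {
        return false;
    }

    /** One example per variant, built by the same method the scan uses, with the documented URI. */
    @Override
    public List<Alert> getExampleAlerts() {
        List<Alert> examples = new ArrayList<>();
        for (Variant variant : Variant.values()) {
            examples.add(buildAlert(variant).setUri("https://www.example.com").build());
        }
        return examples;
    }
}
```

Because getExampleAlerts() iterates the same Variant set that scan() does, adding a new description to the rule automatically yields a new example and a new alert ref, which is the consistency the reviewers were asking for.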

@chenjingen-jane
Contributor Author

Hi @thc202,
I’ve extracted the shared method for session fixation alerts and added the example alert as suggested. I also applied formatting fixes (spotlessApply).

The :check task still fails due to a deprecated URL constructor in the existing code, which I cannot change. My changes are ready for review.

Please let me know if any further adjustments are needed.

Thanks!

Member

@kingthorin kingthorin left a comment


Unit tests should be updated.
Changelog should be updated.

Check PRs which reference the original issue for examples/guidance.

@thc202
Member

thc202 commented Jan 22, 2026

#7059 (comment)

Use Java 17 instead (that should build without deprecation warns). Note that different descriptions usually imply different alert refs, analyze how the scan rule is raising the alerts and how that will impact the examples/refs.

@chenjingen-jane
Contributor Author

Hi @thc202

I’ve updated the SessionFixationScanRule and its unit tests to use the shared alert builder. The CHANGELOG.md has also been updated. I’ve amended the commit and force-pushed to the remote branch.

The branch is now clean and ready for review. There are a couple of local untracked files (java_pid22508.hprof and jdk17.zip) that are not part of this PR.

Please let me know if there’s anything else I should address.

@thc202
Member

thc202 commented Jan 27, 2026

See previous comments about the refs and how the alerts are being raised.

@thc202 thc202 force-pushed the add-example-alert-session-fixation branch from 82f1632 to a53c807 April 16, 2026 17:38
@thc202
Member

thc202 commented Apr 16, 2026

Thank you!

Member

@kingthorin kingthorin left a comment


Thanks

@kingthorin kingthorin merged commit 98962f8 into zaproxy:main Apr 16, 2026
11 checks passed
@github-actions github-actions bot locked and limited conversation to collaborators Apr 16, 2026