
Issue with Scan findings

Abhijit Das7
Tera Expert

Hi Team, 

While running the Scan Application for the custom application, we are encountering the following scan finding:
“Review the identified UI Page to determine whether a unique ACL should be created to limit access to only relevant users.”


An ACL has already been created for the UI Page with role-based restrictions in place.

I have added a custom role under Requires role: x_xyz_it.ven_user.

I also reran the scan after disabling Admin Override in the ACL; however, the scan finding still persists.

I am unsure why this scan result is appearing as a false positive. Could someone please advise why this is occurring or suggest how it can be resolved?



cc: @Ankur Bawiskar 

Thanks in advance


lauri457
Tera Sage

The scan doesn't work with scoped UI Pages. UI Page names don't include the namespace, so current.name won't match the name on the ACL, which is in the format [namespace]_[name].

(function (finding, current) {
    // OOB check: looks for an active UI Page ACL whose name equals the bare
    // UI Page name. For a scoped page this never matches, because the ACL is
    // named [namespace]_[name].
    var gr = new GlideRecord('sys_security_acl');
    gr.addEncodedQuery('active=true^type=ui_page^name=' + current.name);
    gr.query();
    if (gr.getRowCount() == 0) {
        finding.setCurrentSource(current);
        finding.setValue('finding_details', 'The UI Page "' + current.name + '" does not have'
            + ' a corresponding ACL and uses the default UI Page ACL. This may allow unexpected users to'
            + ' access the UI Page.');
        finding.increment();
    }
})(finding, current);


See, for example, the scripted logic for the ACL related list on UI Pages. You'd need to write a new scan check to implement this logic in the scan.

(function refineQuery(current, parent) {
    // Related-list query for ACLs on a UI Page: global pages use the bare
    // name, scoped pages use [scope]_[name].
    var uiPageName = '';
    if (parent.sys_scope == 'global') {
        uiPageName = parent.name;
    } else {
        uiPageName = parent.sys_scope.scope + '_' + parent.name;
    }
    current.addQuery("name", uiPageName);
    current.addQuery("type", "ui_page");
    current.addQuery("operation", "read");
})(current, parent);


Hi @lauri457,


How can I write a new scan check? Can you please provide me with detailed steps for writing a new scan check?

And is it possible for us to resolve this scan finding without writing a new scan check?


Thanks in advance

Just insert a copy of the existing one with a script, but empty the protection policy field. I think the record was protected, so no, you can't edit it. You can use auto flush to remove the OOB record from your instance. Table checks don't scan OOB records; otherwise there would probably be more findings.


As for the script itself, you can just paste those two snippets from above into a GPT and it should be able to give you a new version. Even M365 Copilot was able to achieve it and add some "best practice" to it:

(function (finding, current) {
    var uiPageName;
    // Match the same logic ServiceNow uses for the UI Page ACL related list:
    // global pages use the bare name, scoped pages use [scope]_[name].
    if (current.sys_scope == 'global') {
        uiPageName = current.name;
    } else {
        uiPageName = current.sys_scope.scope + '_' + current.name;
    }

    // Look for an active read ACL on the namespace-qualified UI Page name.
    var gr = new GlideRecord('sys_security_acl');
    gr.addQuery('active', true);
    gr.addQuery('type', 'ui_page');
    gr.addQuery('operation', 'read');
    gr.addQuery('name', uiPageName);
    gr.query();

    if (!gr.hasNext()) {
        finding.setCurrentSource(current);
        finding.setValue(
            'finding_details',
            'The UI Page "' + current.name + '" does not have a corresponding ACL (' +
            uiPageName + ') and uses the default UI Page ACL. This may allow unexpected users to ' +
            'access the UI Page.'
        );
        finding.increment();
    }

})(finding, current);
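The following is an added example, not code from this thread or from ServiceNow, that reproduces the two matching rules above against constructed in-memory records instead of GlideRecord, so the false positive can be seen outside an instance. The UI Page and ACL rows are constructed; the page name vendor_portal and the scope sys_id are assumptions, while the x_xyz_it scope prefix and the [scope]_[name] ACL naming come from the thread.

```javascript
// Constructed sample scope records. In ServiceNow the global scope record has
// sys_id 'global', which is why the checks above compare sys_scope to 'global'.
const GLOBAL_SCOPE = { sys_id: 'global', scope: 'global' };
const APP_SCOPE = { sys_id: 'a1b2c3d4e5f6', scope: 'x_xyz_it' }; // hypothetical sys_id

// Constructed sys_ui_page rows.
const uiPages = [
  { name: 'vendor_portal', sys_scope: APP_SCOPE },     // scoped page, has a scoped ACL
  { name: 'legacy_report', sys_scope: GLOBAL_SCOPE },  // global page, has an ACL
  { name: 'orphan_page',   sys_scope: GLOBAL_SCOPE },  // global page, no ACL (real finding)
];

// Constructed sys_security_acl rows. The scoped page's ACL carries the namespace prefix.
const acls = [
  { active: true,  type: 'ui_page', operation: 'read', name: 'x_xyz_it_vendor_portal' },
  { active: true,  type: 'ui_page', operation: 'read', name: 'legacy_report' },
  { active: false, type: 'ui_page', operation: 'read', name: 'orphan_page' }, // inactive, must not count
];

// Same rule as the ACL related-list refineQuery on UI Pages.
function aclNameForUiPage(page) {
  return page.sys_scope.sys_id === 'global'
    ? page.name
    : page.sys_scope.scope + '_' + page.name;
}

// OOB check: active=true^type=ui_page^name=<bare name>, no operation filter.
function hasAclOob(name, aclRows) {
  return aclRows.some(a => a.active && a.type === 'ui_page' && a.name === name);
}

// Corrected check: active read ACL on the namespace-qualified name.
function hasReadAclFixed(name, aclRows) {
  return aclRows.some(a => a.active && a.type === 'ui_page' &&
                           a.operation === 'read' && a.name === name);
}

// Returns the names of UI Pages the OOB logic would flag.
function scanOob(pages, aclRows) {
  return pages.filter(p => !hasAclOob(p.name, aclRows)).map(p => p.name);
}

// Returns the names of UI Pages the corrected logic would flag.
function scanFixed(pages, aclRows) {
  return pages.filter(p => !hasReadAclFixed(aclNameForUiPage(p), aclRows)).map(p => p.name);
}

console.log('OOB findings:  ', scanOob(uiPages, acls));   // vendor_portal is a false positive
console.log('Fixed findings:', scanFixed(uiPages, acls)); // only orphan_page remains
```

Running it shows the OOB rule flagging the scoped page even though x_xyz_it_vendor_portal exists, while the corrected rule flags only the global page whose sole ACL is inactive.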