Conversation

@nmwafa commented Sep 6, 2025

New passive scan script to find JS files.

@psiinon (Member) commented Sep 6, 2025

Checkmarx One scan summary (f8a212fb-7b04-4294-9fc2-8236ec416c7f): no new security vulnerabilities introduced in this pull request.

@psiinon (Member) commented Sep 8, 2025

Is this really a helpful rule?
In my experience apps can reference a lot of JS files. ZAP should find them via spidering so they will be in the Sites Tree. I'm not sure we need Info alerts for them as well.

> Review all referenced JavaScript files. Ensure they do not contain sensitive data (e.g., API keys, credentials) and follow secure coding practices.

JS files can be huge, so I'm not sure this advice is particularly helpful. It would be much better to implement a rule which actually checked for the sensitive data automatically 😁

@nmwafa (Author) commented Sep 8, 2025

I think that someone might forget the JS check stage, that's why I made this code. The alert will remind the tester.

> It would be much better to implement a rule which actually checked for the sensitive data automatically

Thanks for the suggestion, it's really good. I'll think about writing code for that.
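An added example, not the PR's script and not ZAP project code: a ZAP passive scan script in JavaScript that covers both ideas in the thread. It records `<script src>` references from HTML responses (the reminder alert the PR proposes) and, as the review suggests, checks JavaScript responses for likely-sensitive tokens rather than only telling the tester to look. The extraction and detection helpers are plain JavaScript so they run in Node; `scan(ps, msg, src)` wires them to ZAP's passive-script API (`ps.newAlert()`, `msg.getResponseHeader()`, `msg.getResponseBody()`), which is assumed from ZAP's script template and only exists inside ZAP. The secret patterns, the size cap and the sample inputs are constructed for illustration.

```javascript
// Added example (not the PR's script, not ZAP project code): a ZAP passive
// scan script that records referenced JS files and also checks JavaScript
// responses for likely-sensitive data, as suggested in the review.

// Upper bound on the characters scanned per response: JS bundles can be huge
// and a passive rule must stay cheap. Constructed limit; tune as needed.
const MAX_SCAN_CHARS = 1000000;

// Matches <script ... src="..."> in any attribute order and quoting style.
const SCRIPT_SRC_RE = /<script\b[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)/gi;

// Returns the distinct script src values referenced by an HTML body.
function findScriptReferences(html) {
  const refs = new Set();
  const text = html.slice(0, MAX_SCAN_CHARS);
  let m;
  while ((m = SCRIPT_SRC_RE.exec(text)) !== null) {
    refs.add(m[1]);
  }
  SCRIPT_SRC_RE.lastIndex = 0; // reset the global regex between calls
  return Array.from(refs);
}

// Heuristic indicators of secrets in client-side JS. Constructed list for this
// example, not an official or exhaustive set; extend it for your own stack.
const SECRET_PATTERNS = [
  { name: "AWS access key id", re: /\bAKIA[0-9A-Z]{16}\b/ },
  { name: "Private key block", re: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/ },
  { name: "Hard-coded credential assignment",
    re: /\b(?:api[_-]?key|secret|token|password)\b\s*[:=]\s*["'][^"']{8,}["']/i },
];

// Returns one hit per matching pattern, with evidence truncated so the alert
// does not store the whole secret.
function findSensitiveData(jsBody) {
  const text = jsBody.slice(0, MAX_SCAN_CHARS);
  const hits = [];
  for (const p of SECRET_PATTERNS) {
    const m = p.re.exec(text);
    if (m) hits.push({ name: p.name, evidence: m[0].slice(0, 60) });
  }
  return hits;
}

// ZAP entry point. ps and msg are supplied by ZAP; the builder calls below
// follow ZAP's passive script template (assumed API, only available in ZAP).
function scan(ps, msg, src) {
  const header = msg.getResponseHeader();
  const body = msg.getResponseBody().toString();
  const contentType = String(header.getHeader("Content-Type") || "").toLowerCase();

  if (header.isHtml()) {
    for (const ref of findScriptReferences(body)) {
      ps.newAlert()
        .setRisk(0)        // Informational
        .setConfidence(2)  // Medium
        .setName("Referenced JavaScript file")
        .setDescription("The page references an external JavaScript file.")
        .setEvidence(ref)
        .setMessage(msg)
        .raise();
    }
  } else if (contentType.includes("javascript")) {
    for (const hit of findSensitiveData(body)) {
      ps.newAlert()
        .setRisk(2)        // Medium
        .setConfidence(2)  // Medium
        .setName("Possible sensitive data in JavaScript: " + hit.name)
        .setDescription("A client-side script appears to embed a secret.")
        .setEvidence(hit.evidence)
        .setMessage(msg)
        .raise();
    }
  }
}

// Constructed sample inputs. The AWS key is the placeholder from AWS's docs.
const SAMPLE_HTML = [
  "<html><head>",
  '<script src="/static/app.js"></script>',
  "<script type='module' src='https://cdn.example.com/lib.js'></script>",
  '<script src="/static/app.js"></script>', // duplicate, reported once
  "<script>inline()</script>",              // inline, no src
  "</head></html>",
].join("\n");

const SAMPLE_JS = [
  'const config = { apiKey: "sk_live_0123456789abcdef", region: "eu-west-1" };',
  'const awsAccessKeyId = "AKIAIOSFODNN7EXAMPLE";',
  "function render() { return document.title; }",
].join("\n");

// Quick self-check when run under Node; ZAP never reaches this branch.
if (typeof require === "function" && typeof module !== "undefined" && require.main === module) {
  console.log(findScriptReferences(SAMPLE_HTML));
  console.log(findSensitiveData(SAMPLE_JS));
}
```

The HTML branch keeps the PR's Informational alert but deduplicates references per page, which addresses the concern about noisy Info alerts; the JavaScript branch is where the review's suggestion lives, and the size cap keeps the rule cheap on large bundles.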
