Denied use of ZAP by InfoSec team due to Nexus scan results


John Kent

Feb 11, 2019, 12:51:33 PM
to OWASP ZAP User Group

My team was denied use of OWASP Zed Attack Proxy Project 2.7.0 due to the following Nexus scan results:

sonatype-2007-0004 apache-httpclient : commons-httpclient : 3.1 Open
CVE-2014-0114 commons-beanutils : commons-beanutils : 1.8.3 Open
sonatype-2017-0359 org.apache.httpcomponents : httpclient : 4.5 Open
CVE-2016-1000338 org.bouncycastle : bcprov-jdk15on : 1.52 Open
CVE-2016-1000340 org.bouncycastle : bcprov-jdk15on : 1.52 Open
CVE-2016-1000342 org.bouncycastle : bcprov-jdk15on : 1.52 Open
CVE-2016-1000343 org.bouncycastle : bcprov-jdk15on : 1.52 Open
CVE-2016-1000344 org.bouncycastle : bcprov-jdk15on : 1.52 Open
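The finding list above is the raw output of a software-composition scan; the first step in assessing whether the flagged libraries actually matter for a tool like ZAP is to get the lines into a structured form and see how they cluster by component and by identifier type (public CVE versus vendor-only Sonatype id). The following Python script is an added example written for this thread, not code from the ZAP project or from Sonatype; its line format is assumed from the eight lines quoted in the post (`<id> <group> : <artifact> : <version> <status>`), and the sample input is copied from those lines.

```python
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Assumed line format, taken from the scan lines quoted in the post:
#   <finding-id> <groupId> : <artifactId> : <version> <status>
FINDING_RE = re.compile(
    r"^(?P<id>\S+)\s+(?P<group>\S+)\s*:\s*(?P<artifact>\S+)"
    r"\s*:\s*(?P<version>\S+)\s+(?P<status>\S+)\s*$"
)

# Sample input: the eight findings quoted in the thread.
SCAN_OUTPUT = """
sonatype-2007-0004 apache-httpclient : commons-httpclient : 3.1 Open
CVE-2014-0114 commons-beanutils : commons-beanutils : 1.8.3 Open
sonatype-2017-0359 org.apache.httpcomponents : httpclient : 4.5 Open
CVE-2016-1000338 org.bouncycastle : bcprov-jdk15on : 1.52 Open
CVE-2016-1000340 org.bouncycastle : bcprov-jdk15on : 1.52 Open
CVE-2016-1000342 org.bouncycastle : bcprov-jdk15on : 1.52 Open
CVE-2016-1000343 org.bouncycastle : bcprov-jdk15on : 1.52 Open
CVE-2016-1000344 org.bouncycastle : bcprov-jdk15on : 1.52 Open
"""


@dataclass(frozen=True)
class Finding:
    id: str
    group: str
    artifact: str
    version: str
    status: str

    @property
    def is_cve(self) -> bool:
        """True for a public CVE id, False for a vendor-specific id such as sonatype-YYYY-NNNN."""
        return self.id.upper().startswith("CVE-")

    @property
    def coordinates(self) -> str:
        """Maven-style group:artifact:version, the key a fix or upgrade is decided on."""
        return f"{self.group}:{self.artifact}:{self.version}"


def parse_findings(text: str) -> list[Finding]:
    """Parse scan lines into Finding records; blank lines are skipped, anything else must match."""
    findings: list[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = FINDING_RE.match(line)
        if match is None:
            raise ValueError(f"unrecognised finding line: {line!r}")
        findings.append(Finding(**match.groupdict()))
    return findings


def group_by_component(findings: list[Finding]) -> dict[str, list[Finding]]:
    """Cluster findings by component coordinates so one upgrade decision covers all its ids."""
    grouped: dict[str, list[Finding]] = defaultdict(list)
    for finding in findings:
        grouped[finding.coordinates].append(finding)
    return dict(grouped)


def triage_summary(findings: list[Finding]) -> dict[str, object]:
    """Counts a reviewer needs before doing per-finding impact analysis."""
    grouped = group_by_component(findings)
    return {
        "total_findings": len(findings),
        "distinct_components": len(grouped),
        "open_findings": sum(1 for f in findings if f.status.lower() == "open"),
        "cve_ids": sorted(f.id for f in findings if f.is_cve),
        "vendor_only_ids": sorted(f.id for f in findings if not f.is_cve),
        "findings_per_component": {c: len(fs) for c, fs in grouped.items()},
    }


if __name__ == "__main__":
    summary = triage_summary(parse_findings(SCAN_OUTPUT))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

On the thread's list the summary shows that eight findings collapse to four components, and that five of the eight ids belong to a single BouncyCastle artifact, which is the kind of grouping that turns "eight open findings" into a handful of upgrade-or-justify decisions for the team and the reviewers.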



Simon Bennetts

Feb 11, 2019, 1:00:57 PM
to OWASP ZAP User Group
Hi John,

Thanks for letting us know.

I've created issue #5221 for this and we'll also update this thread when we've had a chance to look into it.

Cheers,

Simon

kingthorin+owaspzap

Feb 11, 2019, 1:07:40 PM
to OWASP ZAP User Group
Are you aware as to whether they performed any further analysis of impact/risk or are just blindly trusting the result?

hauschu...@gmail.com

Feb 12, 2019, 3:11:41 AM
to OWASP ZAP User Group
Surely there's some way you could use ZAP to deny Nessus due to an X-Frame-Options Header Not Set or something... ;)

kingthorin+owaspzap

Feb 12, 2019, 6:14:59 AM
to OWASP ZAP User Group
So that leads to a few things. First Sonatype Nexus != Tenable Nessus 👍
From what I gather they're either analyzing the install package (or the system after ZAP is installed), not just banging away from the network.
Third, I think the original poster is trying to work with the process not subvert it somehow.
Lastly, if it's come up for one person it is likely to come up for others, so we (the ZAP team) would like to fix things or provide details/answers to any concerns.

hauschu...@gmail.com

Feb 12, 2019, 6:51:57 AM
to OWASP ZAP User Group
Haha holy crap, I definitely read that as 'nessus' for some reason....

Anyway, that wasn't a serious suggestion... my attempt at 'cheeky humor' was apparently not properly captured by my carefully placed winky smiley!

Everyone here is obviously doing good honest work for the betterment of the platform specifically and security in general, so my apologies if it appeared I was implying anything to the contrary!

kingthorin+owaspzap

Feb 12, 2019, 8:41:15 AM
to OWASP ZAP User Group
Maybe I just wasn't sufficiently caffeinated :) No worries.