Error while importing swagger json

Rahul Kojrekar

Jun 23, 2021, 2:33:11 PM
to OWASP ZAP User Group
Hello,

I am getting the following error while importing a swagger.json file through a URL, shown in the ZAP UI output tab.

Failed to parse OpenAPI definition.

java.lang.NullPointerException
at org.zaproxy.zap.extension.openapi.generators.BodyGenerator.generateForm(BodyGenerator.java:204)
at org.zaproxy.zap.extension.openapi.converter.swagger.RequestModelConverter.generateBody(RequestModelConverter.java:70)
at org.zaproxy.zap.extension.openapi.converter.swagger.RequestModelConverter.convert(RequestModelConverter.java:42)
at org.zaproxy.zap.extension.openapi.converter.swagger.SwaggerConverter.convertToRequest(SwaggerConverter.java:165)
at org.zaproxy.zap.extension.openapi.converter.swagger.SwaggerConverter.getRequestModels(SwaggerConverter.java:159)
at org.zaproxy.zap.extension.openapi.ExtensionOpenApi$3.run(ExtensionOpenApi.java:277)

I am using ZAP 2.10
openapi plugin support 18.0.0

Rahul Kojrekar

Jun 23, 2021, 2:35:32 PM
to OWASP ZAP User Group
In CI we are using the owasp/zap2docker-stable Docker image.

Rahul Kojrekar

Jun 23, 2021, 2:52:33 PM
to OWASP ZAP User Group
Following is the error in the CI job. We are using owasp/zap2docker-stable.

2021-06-22 16:09:23,878 Starting new HTTP connection (1): localhost:8092
2021-06-22 16:09:23,879 http://localhost:8092 "GET http://zap/JSON/core/view/urls/ HTTP/1.1" 200 11
2021-06-22 16:09:23,880 Number of Imported URLs: 0
2021-06-22 16:09:23,880 Import warnings: []
2021-06-22 16:09:23,880 Failed to import any URLs
Traceback (most recent call last):
  File "./zap-api-scan.py", line 456, in main
    raise NoUrlsException()
NoUrlsException
Found Java version 11.0.10
Available memory: 31653 MB
Using JVM args: -Xmx20480m

Rahul Kojrekar

Jun 23, 2021, 2:57:32 PM
to OWASP ZAP User Group
I think this is an issue with zap-api-scan.py, because our earlier swagger.json is getting parsed correctly and we are not having issues there. The swagger.json which I am attaching here is giving this issue.
NS_swagger.json

Rahul Kojrekar

Jun 28, 2021, 12:39:41 PM
to OWASP ZAP User Group
Hello,

Any update on my issue? Could you give me any pointers? I think it's an issue with ZAP importing the OpenAPI file.

Simon Bennetts

Jun 29, 2021, 3:41:10 AM
to OWASP ZAP User Group
Hiya,

The error is due to one of the elements not having a schema:

"requestBody": {
  "content": {
    "application/x-www-form-urlencoded": {}
  }
},

That's a bug in ZAP - we should warn about this rather than throwing an NPE.
I'll look at implementing a fix but in the meantime can you easily change your JSON to either add schema for that element or remove it completely?

Cheers,

Simon
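
A pre-import check for the condition described in the reply above, as an added example that is not part of the original thread and not ZAP's own code. It lists request-body media types that have no schema and applies the "remove it completely" workaround to a copy. The function names and the sample definition are constructed for illustration, and request bodies given as $ref are not resolved.

```python
import copy
import json

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}

# Constructed sample; the /token operation has the shape quoted in the post.
SAMPLE_SPEC = json.loads("""
{"openapi": "3.0.1",
 "info": {"title": "constructed sample", "version": "1"},
 "paths": {
   "/notify": {"post": {
     "requestBody": {"content": {"application/json": {"schema": {"type": "object"}}}},
     "responses": {"200": {"description": "ok"}}}},
   "/token": {"post": {
     "requestBody": {"content": {"application/x-www-form-urlencoded": {}}},
     "responses": {"200": {"description": "ok"}}}}}}
""")


def find_schemaless_bodies(spec):
    """Return (path, method, media_type) for each request body lacking a schema."""
    findings = []
    for path, item in (spec.get("paths") or {}).items():
        if not isinstance(item, dict):
            continue
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS or not isinstance(op, dict):
                continue
            content = (op.get("requestBody") or {}).get("content") or {}
            for media_type, media in content.items():
                if not isinstance(media, dict) or "schema" not in media:
                    findings.append((path, method, media_type))
    return findings


def strip_schemaless_bodies(spec):
    """Return a copy with those media types removed (the 'remove it' workaround)."""
    fixed = copy.deepcopy(spec)
    for path, method, media_type in find_schemaless_bodies(fixed):
        op = fixed["paths"][path][method]
        del op["requestBody"]["content"][media_type]
        if not op["requestBody"]["content"]:
            del op["requestBody"]  # nothing left to describe
    return fixed


if __name__ == "__main__":
    for finding in find_schemaless_bodies(SAMPLE_SPEC):
        print("request body without schema: %s %s (%s)" % finding)
```

Run against the real definition in CI before the import step, a non-empty result points at the operation to fix in the API's source annotations rather than leaving the scan to fail with zero imported URLs.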

Simon Bennetts

Jun 29, 2021, 4:03:10 AM
to OWASP ZAP User Group
I can confirm that with the fix applied then your schema is successfully imported.

Cheers,

Simon

Simon Bennetts

Jun 29, 2021, 8:17:30 AM
to OWASP ZAP User Group
The OpenAPI add-on has just been released and includes this fix.
Let us know how you get on!

Cheers,

Simon

Rahul Kojrekar

Jun 30, 2021, 1:42:56 AM
to OWASP ZAP User Group
Thank you Simon. I updated the OpenAPI add-on and now the OWASP ZAP UI is able to parse the swagger.json file correctly without any errors.

Is this fix going to be released in docker version too?

Simon Bennetts

Jun 30, 2021, 3:10:56 AM
to OWASP ZAP User Group
The Docker images use the ZAP Marketplace so the fix is already available to them.
However if you are using the weekly release then that will probably not pick it up until next week, as the versions will appear to be the same.

Cheers,

Simon

Rahul Kojrekar

Jun 30, 2021, 3:48:37 AM
to zaprox...@googlegroups.com
We are using the ZAP Docker stable images. Is the fix available in these images already?


Simon Bennetts

Jun 30, 2021, 3:53:59 AM
to OWASP ZAP User Group
Yes, all of the docker images use the ZAP Marketplace so the fix is available to all of them.
You need to install updates which is done by default by the packaged scans.
If you are not using those then you can use the '-addonupdate' command line option.

Oh, and I was wrong about the weekly - the fix was merged before the weekly was generated which means it was included in this week's release.

Cheers,

Simon

Rahul Kojrekar

Jul 1, 2021, 2:00:25 PM
to OWASP ZAP User Group
Ran the Jenkins ZAP automation job today with the following arguments:
+ docker run -e BUILD_TAG -e JOB_BASE_NAME -t -p 8092:8092 -v /home/ubuntu/workspace/Notification/Notification ZAP Scan/SyncGateway:/zap/wrk/ owasp/zap2docker-weekly /bin/bash -c sed -i -e "s/zap.ascan.scan(target.*/zap.ascan.scan_as_user(target, contextid=2, userid=36, recurse=True, scanpolicyname='Default Policy', method=None, postdata=None)/" zap_common.py ; ./zap-api-scan.py -t NS_swagger.json -f openapi -g gen.conf -r api-scan-Jul-01-2021::22:26.html -n /zap/wrk/Notification.context -d -z " -Xmx20480m -addoninstall exportreport -newsession /zap/wrk/newSession-"01-07-2021-22-26".session" --hook=/zap/wrk/scan-hook.py -P 8092

We are still seeing the issue with importing the OpenAPI swagger file:
2021-07-01 16:56:25,818 Trigger hook: importing_openapi, args: 2
2021-07-01 16:56:25,818 Import OpenAPI File NS_swagger.json
2021-07-01 16:56:25,819 Starting new HTTP connection (1): localhost:8092
2021-07-01 16:56:26,085 http://localhost:8092 "GET http://zap/JSON/openapi/action/importFile/?file=%2Fzap%2Fwrk%2FNS_swagger.json&apikey= HTTP/1.1" 200 17
2021-07-01 16:56:26,086 Starting new HTTP connection (1): localhost:8092
2021-07-01 16:56:26,087 http://localhost:8092 "GET http://zap/JSON/core/view/urls/ HTTP/1.1" 200 11
2021-07-01 16:56:26,088 Number of Imported URLs: 0
2021-07-01 16:56:26,088 Import warnings: []
2021-07-01 16:56:26,088 Failed to import any URLs
Traceback (most recent call last):
  File "./zap-api-scan.py", line 456, in main
    raise NoUrlsException()
NoUrlsException
Found Java version 11.0.11
Available memory: 31317 MB

On my local ZAP UI it worked ok after updating the addon.
