New ZAP client APIs - PNP and Node.js

[psiinon]

I've just spotted that 2 new versions of the ZAP client API and now available in PHP and Node.js - I've linked to them from https://code.google.com/p/zaproxy/wiki/RelatedProjects
They are 'unofficial' so I've no idea what state they are actually in.
If the authors are in this group them fyi I'd be very happy for you to make them 'official' and move them into the zaproxy repo .. but I'm equally happy for you to keep them separate.
Its always good to see things like this going on - if anyone else spots any other ZAP related projects then please post them to this group :)

Cheers,

Simon

[Keith Hamasaki]

Hi Simon -

I'm the one who wrote the Node.js client. I have a generator written but I don't really know how to contribute it to the project. Any pointers you have would be helpful.

Thanks,

Keith

[psiinon]

Hey Keith,

You're already contributing by writing the Node.js client :D
We have some info on the wiki: https://code.google.com/p/zaproxy/wiki/GetInvolved
But the best way is to start a dialog on this list, which you've just done :)

So I think there are various aspects to this: the generator and the Node.js API code, the docs and the API package.

The generator would logically live with the other ones in the api package.
I had a quick look but couldnt see your generator code. If you could link to it (or post it here) then we can give it a quick once over - as soon as its in a good state you can check it in.

I'm completely open as to when the Node.js API code lives (with the caveat below) - you can keep it in your own repo, or copy/move it to the ZAP repo.

For the docs you could just link to your existing docs from https://code.google.com/p/zaproxy/wiki/ApiDetails although if you feel like adding more info there then that would be great.

Regarding the API package, wheres the best place for it?
Its currently on npmjs.org which looks good - we've put the Python API on pypi.
However we also have the 'official' APIs on http://sourceforge.net/projects/zaproxy/files/client-api/ - I'm very happy for the Node.js one to go on there as well, we just need to work out how it will be updated, eg when we do future releases).
Are you happy maintaining the API on your own or would you like us to include it in our build / release process?
If you'd like us to do it then we'd need to work out how to include it in our build scripts etc.

Many thanks,

Simon

[yuki sov]

Hi Simon,

I'm the writer of the PHP client API. If the client API is included in the ZAP source code, who'll maintain the API after that?

Best,

Yuki

[psiinon]

I'm hoping you will - we'll give you commit access :)
My PHP skills are sadly lacking ;)
ZAP is a community project - the more people who get involved the better!

Many thanks,

Simon

[Keith Hamasaki]

Here is the generator code. The other part of it is the Node.js API code, as you point out, which currently consists of three files - index.js, which provides the client object, package.json, which is used by npm, and README.md, which has the documentation. Right now I just had the generator output the generated files to the nodejs/api/src/zapv2 folder (I basically mirrored the python folder structure) and then I copied them into a separate folder where I packaged everything up for Github/npm.

I think it would be great if we could include all of this as part of the build process, and just have the build output uploaded to npm directly instead of having to keep it separately on Github. We could also have it generate a tgz that is hosted on SourceForge. I'm not exactly sure how to make that happen.

Keith

[psiinon]

That looks good to me :)
I've given you commit access, so please add it to the zaproxy project.

The api generation is only partially automated right now.
I manually run the code generators. The java api is handle by the ant build byt the python api I still have to build manually.
This should really all be handled by the build file.
How are you with ant scripts? ;)
Let me know how far you can get with this - the more the better of course ;)
I can upload the tgz file to SourceForge as long as you let me know how to generate it.

Oh, and let me know how you'd like to appear in the credits :)

Many thanks!

Simon

[yuki sov]

Okay. I think it's a nice thing that an api eventually becomes integrated into their parent's source code!

As you know, I have two repositories that related to my PHP API code.

I basically developed these according to the python api in the ZAP repository:)

1. php-owasp-zap-v2 (https://github.com/yukisov/php-owasp-zap-v2)

2. php-api-generator-for-owasp-zap(https://github.com/yukisov/php-api-generator-for-owasp-zap)

The first one is the client API itself and the second one is its generator. The ZAP source code needs only the second one in theory. In its generating steps(I described these steps in the above GitHub page, anything wrong?), we need to not only add the files to the ZAP repository but also add lines to build.xml.

In addition, I uploaded the first one to Packagist(https://packagist.org/packages/yukisov/php-owasp-zap-v2), which is a major PHP package repository, under my account so that users can easily install the api into their PHP project using Composer(https://getcomposer.org/), which is a major PHP package installer. So we'll need the ZAP's account of Packagist if we want.

Thanks,

Yuki

[Keith Hamasaki]

Hi Simon -

Thanks for all of your help with this. I committed the generator file but before I commit the changes to actually run it I had a question about the generation process. I found the generate-apis ant task and that is what I am using to generate my API files, but out of the box when I run it I get errors:

Error: Could not find or load main class org.zaproxy.zap.extension.api.JavaAPIGenerator

I can fix these by tweaking the classpath - if I add the following two lines to the classpath in generate-apis it works:

            <pathelement location="./zap/zap.jar" />

            <pathelement location="./zap" />

Before I commit that I just wanted to make sure that I'm not missing something that would make this work.

Thanks,

Keith

[psiinon]

Hi Yuki,

Sorry for the delayed reply.
I've given you commit access to zaproxy so you can commit your code when you are happy with it.

I think a ZAP account on Packagist would be a very good idea.
And I'm happy for you to set up and manage that account if you want :)
Is it possible for multiple users to have access to the same account?
If so please add me in, otherwise just share the credentials in a suitably secure way?
We can discuss that off list.

Many thanks,

Simon

[psiinon]

Feel free to add those in - looks like a sensible change.

Cheers,

Simon

[Victor Pereira]

Hi I didn't find my project, in the related Projects, but https://github.com/vpereira/owasp_zap, I'm using it well integrated with cucumber and selenium and its working well.

regards

Victor

[Stephen de Vries]

On 11 Jun 2014, at 10:53, Victor Pereira <vpere...@gmail.com> wrote:
>
> Hi I didn't find my project, in the related Projects, but https://github.com/vpereira/owasp_zap, I'm using it well integrated with cucumber and selenium and its working well.

Very nice! Do you have an example project that shows how you’re doing the zap + cucumber testing?

[Victor Pereira]

Its a internal project, so I cannot share too much information.. I do have, however some example code that was extracted from my implementation

https://gist.github.com/vpereira/5b8686e502cdfc6e5785

[Victor Pereira]

just one point that I forgot to mention: i wasnt be able to get everything up and running on localhost.. maybe its because firefox bypasses the proxy for localhost, however I did force it, didn't work as well.. So how it worked for me is cucumber + proxy in one boxe and my application running in a remote host.

[yuki sov]

Hi, Simon

I've uploaded the PHP client API onto Packagist as the name 'zaproxy/php-owasp-zap-v2' under the user 'zaproxy' [1] and I removed the previous package that I uploaded before. It seems that I can add other accounts to the package as a maintainer. So let's see If this works well. If you create your account on Packagist [2], please let me know your username and I'll try to add your account as a maintainer. Or If this approach doesn't work the way you want, for example, you can send me your public key for GPG. Then I'll encrypt the password of the 'zaproxy' account on Packagist and send it back to you.

When I'm ready, I'll commit the generator java file (in the directory trunk/src/org/zaproxy/zap/extension/api/), PHP client API files (in the directory 'trunk/php/api/src/Zap/', including the files that could be created by building the zaproxy as Python API's doing), and the three lines [3] into the task 'generate-apis' in the trunk/build/build.xml file. Please let me know if there are any problems.

[1] https://packagist.org/packages/zaproxy/php-owasp-zap-v2

[2] https://packagist.org/register/

[3] https://github.com/yukisov/php-api-generator-for-owasp-zap/blob/master/build.xml.patch

Thanks,

Yuki

[psiinon]

Sorry, this slipped through the net :(
I've added it to the related projects page and to the API details page.
Is this project related to https://github.com/SUSE/owasp_zap in any way?
Would you like this to become an 'official' ZAP API?

Many thanks,

Simon