Yet another ZAP Maven (and SonarQube) Plugin


Thiago Porciúncula

Jan 6, 2016, 11:00:06 AM
to OWASP ZAP Developer Group
We've been working with ZAP for a while now, and we came up with a couple of plugins we want to present.

We are aware of the existence of currently working and updated Maven and SonarQube plugins for ZAP. However, when we first started working, they weren't updated or were non-existent. Also, we were always committed to opening our projects regardless.

We intend to maintain these plugins as long as they are relevant to us (and I believe they will be relevant at least for a good while). Here they are:

You can find more about them on their respective pages. I believe the main difference between our solutions is that our Maven plugin supports authentication (including CAS authentication) and that our SonarQube plugin is simpler: it just keeps track of the number of ZAP alerts identified, without treating them as SonarQube issues nor showing information about any specific alert.

We're open to suggestions and contributions :)

Cheers!

--
Thiago Porciúncula

Preeti Jaybhar

Apr 20, 2016, 6:31:43 AM
to OWASP ZAP Developer Group
Hi Thiago,

I am using ZAP Maven Plugin https://github.com/pdsoftplan/zap-maven-plugin
I am getting this error:
[INFO] Starting ZAP analysis at target: http://example.com/
[INFO] --- Starting analysis ---
[INFO] Spider : http://example.com/
[ERROR] Error running Spider.
br.com.softplan.security.zap.zaproxy.clientapi.core.ClientApiException: Does Not Exist (does_not_exist) :

To solve this error, I want to include the URLs in the Default Context created in the new session.
The "context" setting in the configuration parameters does not help.
Could you guide me on how to use/set the Default Context in the pom?

Thiago Porciúncula

Apr 20, 2016, 7:00:30 AM
to OWASP ZAP Developer Group
Hey Preeti,

First, could you please post the current configuration you're using for the plugin?

Are you trying to include more than one URL within the context? Try starting with just one, and for that just set the targetUrl parameter. See if that works first and let me know how it goes.

Preeti Jaybhar

Apr 20, 2016, 8:17:11 AM
to OWASP ZAP Developer Group
Hi Thiago,

The current configuration is:
<plugin>
    <groupId>br.com.softplan.security.zap</groupId>
    <artifactId>zap-maven-plugin</artifactId>
    <version>1.2.0-0</version>
    <configuration>
        <zapHost>localhost</zapHost>
        <zapPort>8091</zapPort>
        <targetUrl>http://localhost:8080/</targetUrl>
        <zapPath>C:\Program Files (x86)\OWASP\Zed Attack Proxy</zapPath>
        <zapApiKey></zapApiKey>
        <shouldStartNewSession>False</shouldStartNewSession>
    </configuration>
    <executions>
        <execution>
            <id>start-zap</id>
            <phase>pre-integration-test</phase>
            <goals>
                <goal>startZap</goal>
            </goals>
        </execution>
        <execution>
            <id>analyze</id>
            <phase>post-integration-test</phase>
            <goals>
                <goal>analyze</goal>
            </goals>
        </execution>
    </executions>
</plugin>

In BaseAnalyzer.class (baseanalyzer.PNG attached), the contextname parameter is blank. When I set the contextname to "Default Context", the error (br.com.softplan.security.zap.zaproxy.clientapi.core.ClientApiException: Does Not Exist) is resolved.
So could you add a provision to either 1. set the Default Context in the configuration parameters, or 2. create a new context in the configuration parameters for the newly created session?

Thank you,
Preeti
baseanalyzer.PNG
spider.PNG

Thiago Porciúncula

Apr 20, 2016, 8:35:55 AM
to OWASP ZAP Developer Group
What version of ZAP are you using? I think you might be stumbling across some of the issues involving the contextname parameter for the Spider, which is a fairly new parameter on ZAP's API.

Could you please test the plugin on the latest ZAP build? You can download it from the link below:
https://github.com/zaproxy/zaproxy/releases/download/w2016-04-18/ZAP_WEEKLY_D-2016-04-18.zip
Also, since you're already involved debugging the plugin's code, can you try invoking the api.spider.scan method passing null for the contextname? I got this idea from this issue here:
https://github.com/zaproxy/zaproxy/issues/2303
But it should work with an empty contextname too. This was the original issue about this parameter:

And according to this commit that was merged in this issue, it should ignore empty context names (and use the Default Context instead):

Preeti Jaybhar

Apr 20, 2016, 8:49:59 AM
to OWASP ZAP Developer Group
Hi Thiago,

I am not able to understand how to use the latest ZAP API in the plugin's code.
Also, I have passed null for the contextname, but the same error is thrown.

Thiago Porciúncula

Apr 20, 2016, 9:27:34 AM
to OWASP ZAP Developer Group
I mean the actual ZAP, the one you have installed on your machine. I believe you're using the latest stable version (2.4.3), and I also believe you can fix your issue if you use the latest pre-release version (w2016-04-18). What version are you using?

This is an issue related to ZAP itself and its API, so if you update it you'll probably have it fixed.

You can check ZAP releases here:
https://github.com/zaproxy/zaproxy/releases
thc...@gmail.com

Apr 20, 2016, 9:31:19 AM
to zaproxy...@googlegroups.com
Right, updating to a newer weekly release fixes the problem, without further changes in the plugin's code.

Otherwise, if you can't update and you are able to change the plugin code, you _also_ need to exclude the "contextname" parameter when it's null in the Spider.scan method:

    // Only send the parameter when a context name was actually given,
    // so an older ZAP does not reject an empty/absent context.
    if (contextname != null) {
        map.put("contextName", contextname);
    }

Best regards.

On 20/04/16 14:27, Thiago Porciúncula wrote:
> I mean the actual ZAP, the one you have installed on your machine. I
> believe you're using the latest stable version (2.4.3), and I also
> believe you can fix your issue if you use the latest pre-release version
> (w2016-04-18). What version are you using?
>
> This is an issue related to ZAP itself and its API, so if you update it
> you'll probably have it fixed.
>
> You can check ZAP releases here:
> https://github.com/zaproxy/zaproxy/releases
>
> On Wednesday, April 20, 2016 at 9:49:59 AM UTC-3, Preeti Jaybhar wrote:
>
> Hi Thiago,
>
> I am not able to understand how to use the latest zap api in the
> plugin's code.
> Also, I have passed null for the contextname, but the same error
> is thrown.
>
> On Wednesday, April 20, 2016 at 6:05:55 PM UTC+5:30, Thiago
> Porciúncula wrote:
>
> What version of ZAP are you using? I think you might be
> stumbling across some of the issues involving the contextname
> parameter for the Spider, which is a fairly new parameter on
> ZAP's API.
>
> Could you please test the plugin on the latest ZAP build? You
> can download it from the link below:
> https://github.com/zaproxy/zaproxy/releases/download/w2016-04-18/ZAP_WEEKLY_D-2016-04-18.zip
>
> Also, since you're already involved debugging the plugin's code,
> can you try invoking the api.spider.scan method passing null
> for the contextname? I got this idea from this issue here:
> https://github.com/zaproxy/zaproxy/issues/2303
>
> But it should work with an empty contextname too. This was the
> that just set the targetUrl parameter. See if that
> works first and let me know how it goes.
>
> On Wednesday, April 20, 2016 at 7:31:43 AM UTC-3, Preeti
> Jaybhar wrote:
>
> Hi Thiago,
>
> I am using ZAP Maven
> Plugin https://github.com/pdsoftplan/zap-maven-plugin.

Preeti Jaybhar

Apr 21, 2016, 2:21:32 AM
to OWASP ZAP Developer Group
Hi Thiago & thc202,

The issue is fixed after updating to the latest weekly release.
Thank you for the quick help.

Thank you,
Preeti