OWASP Zap Github Action


david foley

Oct 7, 2021, 3:40:16 PM
to OWASP ZAP Developer Group
Having an issue since today with a GitHub Action:

Run zaproxy/action-...@v0.5.0
[@octokit/rest] `const Octokit = require("@octokit/rest")` is deprecated. Use `const { Octokit } = require("@octokit/rest")` instead
starting the program
github run id :1317614377
/usr/bin/docker pull owasp/zap2docker-stable -q
/usr/bin/docker run --user root -v /home/runner/work/Calculator/Calculator:/zap/wrk/:rw --network=host -t owasp/zap2docker-stable zap-baseline.py -t https://  -J report_json.json -w report_md.md -r report_html.html
2021-10-07 19:30:45,776 Could not find custom hooks file at /home/zap/.zap_hooks.py
Using the Automation Framework
Unable to copy yaml file to /zap/wrk/zap.yaml
Add-on downloaded to: /root/.ZAP/plugin/reports-release-0.8.0.zap
Add-on downloaded to: /root/.ZAP/plugin/reports-release-0.8.0.zap
Add-on downloaded to: /root/.ZAP/plugin/pscanrulesBeta-beta-27.zap
2021-10-07 19:31:04,145 Failed to access summary file /home/zap/zap_out.json
Error: failed to scan the target: Error: The process '/usr/bin/docker' failed with exit code 3



# Run Pen Testing on the Production WebPage
Owasp:
  runs-on: ubuntu-latest
  needs: k6_load_test
  steps:
    - name: Web Scanner
      uses: zaproxy/action-...@v0.5.0
      with:
        token: ${{ secrets.TOKEN_GITHUB }}
        target: 'https://'

psiinon

Oct 8, 2021, 7:50:19 AM
to OWASP ZAP Developer Group
Thank you for reporting this issue - we've actually hit it with our daily scan of zaproxy.org too.

We're looking into this as a matter of urgency and will update this thread as soon as we have something to report.

Cheers,

Simon

psiinon

Oct 8, 2021, 10:50:42 AM
to OWASP ZAP Developer Group
We have pushed a new stable docker image which should fix this problem - it's worked for us.
There is a new version of the baseline action as well which we recommend you use but the previous versions should still work anyway.

Give it a go and let us know if it works for you or not.

Many thanks,

Simon

Neil McAlister

Oct 14, 2021, 9:54:30 AM
to OWASP ZAP Developer Group
I've been getting similar issues but using the Azure DevOps OWASP Zap Scanner plugin task owaspzap@1 since Oct 7th, up to and including today; this was definitely triggered by the latest docker image update.

Status: Downloaded newer image for owasp/zap2docker-stable:latest
2021-10-14 13:06:23,327 Could not find custom hooks file at /home/zap/.zap_hooks.py
Using the Automation Framework
Unable to copy yaml file to /zap/wrk/zap.yaml
Add-on downloaded to: /root/.ZAP/plugin/reports-release-0.9.0.zap
Add-on update check complete
Add-on downloaded to: /root/.ZAP/plugin/reports-release-0.9.0.zap
Add-on downloaded to: /root/.ZAP/plugin/reports-release-0.9.0.zap
Add-on downloaded to: /root/.ZAP/plugin/pscanrulesBeta-beta-27.zap
Total of 1 URLs

Runs the scan but then fails at the end:

Job report failed to generate report: Exception evaluating OGNL expression: "helper.legacyEscapeText(helper.getHostForSite(site), true)" (template: "/root/.ZAP/reports/traditional-json/report.json" - line 7, col 16)
##[error]Unexpected end of JSON input




psiinon

Oct 14, 2021, 12:09:29 PM
to OWASP ZAP Developer Group
This could be a different issue.
Are there any more details given?

psiinon

Oct 15, 2021, 4:45:09 AM
to OWASP ZAP Developer Group
Neil,

We pushed out an update to the Reports add-on which we're hoping will fix this issue.
Has that fixed it for you?

Cheers,

Simon

Neil McAlister

Oct 15, 2021, 5:20:41 AM
to OWASP ZAP Developer Group
Hi Simon - Thanks for this - certainly an improvement today! The Scanner task '- task: owaspzap@1' in the pipeline YAML now runs OK - it didn't from 7/10 all the way through to yesterday - assumed your change fixed that.

The only thing that doesn't work now is the post reporting task '- task: PublishTestResults@2' in the pipeline YAML - which is odd indeed. The error is now No Result Found to Publish '/home/vsts/work/1/s/owaspzap/www.microsoft.com.xml'.

I've attached the pipeline Azure DevOps YAML as it was working pre 7th October



The instructions on getting this working are a mishmash between the two docs contained on those 2 sites, but my pipeline does normally work OK

Which element did you recently change? The Docker image, or the AZDO task owaspzap@1?

Thanks

Neil

P.S. Really sorry but my internal work proxy doesn't allow me to attach a file here - so I'll have to paste it below

name: $(date:yyyyMMdd)$(rev:.r)-$(Build.SourceBranch)

trigger:
- main
- master

stages:
- stage: OWASP_ZAP_Stage # !CHANGE! per env
  jobs:
    # OWASP ZAP Job
    - job : OWASP_ZAP
      variables:
        websiteurl: 'www.microsoft.com'
      pool:
        vmImage: 'ubuntu-latest'
      steps:
      - task: DockerInstaller@0
        displayName: 'Install Docker image'
        inputs:
          dockerVersion: '17.09.0-ce'
      - task: owaspzap@1
        displayName: 'Run OWASP Scan for $(websiteurl)'
        inputs:
          aggressivemode: false
          scantype: 'targetedScan'
          url: 'https://$(websiteurl)'
          port: '443'
          threshold: '999999'
      - bash: |
          sudo npm install -g handlebars-cmd

          cat <<EOF > owaspzap/nunit-template.hbs

          <test-run
              id="2"
              name="Owasp test"
              start-time="{{@generated}}">
              {{#each site}}<test-suite
                  id="{{@index}}"
                  type="Assembly"
                  name="{{[@name]}}"
                  result="Failed"
                  failed="{{alerts.length}}">
                  <attachments>
                      <attachment>
                          <filePath>$BUILD_SOURCESDIRECTORY/owaspzap/report.html</filePath>
                      </attachment>
                  </attachments>
                  {{#each alerts}}<test-case
                      id="{{@index}}"
                      name="{{alert}}"
                      result="Failed"
                      fullname="{{alert}}"
                      time="1">
                      <failure>
                          <message>
                              <![CDATA[{{{desc}}}]]>
                          </message>
                          <stack-trace>
                              <![CDATA[
          Solution:
          {{{solution}}}

          Reference:
          {{{reference}}}

          instances:{{#each instances}}
          * {{uri}}
              - {{method}}
              {{#if evidence}}- {{{evidence}}}{{/if}}
                              {{/each}}]]>
                          </stack-trace>
                      </failure>
                  </test-case>
                  {{/each}}
              </test-suite>
              {{/each}}
          </test-run>
          EOF
        displayName: 'OWASP NUnit template'
        condition: always()
      - task: Bash@3
        inputs:
          targetType: 'inline'
          script: 'ls -laR'
      - bash: ' handlebars owaspzap/report.json < owaspzap/nunit-template.hbs > owaspzap/$(websiteurl).xml'
        displayName: 'Generate NUnit type file for $(websiteurl)'
        condition: always()
      # Publish results to AZDO Test page
      - task: PublishTestResults@2
        displayName: 'Publish Test Results to AZDO'
        inputs:
          testResultsFormat: NUnit
          testResultsFiles: 'owaspzap/$(websiteurl).xml'
          testRunTitle: '$(websiteurl)'
        condition: always()
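
The publish step in the pipeline above fails because PublishTestResults@2 is handed an XML file generated from an empty (or truncated) report.json, so the handlebars step produces nothing usable and the publish task reports "No Result Found". The converter below is an added example, not Neil's pipeline or code from the ZAP project or the owaspzap task: it produces the same NUnit 3 layout as the handlebars template (one test-suite per site, one test-case per alert, description in the message, solution/reference/instances in the stack-trace) but validates report.json first and exits non-zero with a clear message when the report is empty, truncated or has no sites, so the pipeline fails at the conversion step rather than at publish. The file name zap_to_nunit.py, the output paths, and the embedded sample report (constructed in the shape of ZAP's traditional-json output; host, alerts and evidence values are made up) are assumptions.

```python
# Added example (not from the thread or the ZAP project): convert ZAP's
# traditional-json report into NUnit 3 XML for PublishTestResults@2. The file
# name zap_to_nunit.py and the paths in the usage line are assumptions.
import json
import sys
from xml.etree import ElementTree as ET


class EmptyReport(ValueError):
    """report.json is missing, empty, truncated or not a ZAP site report."""


def load_report(text):
    """Parse report.json, refusing anything that is not a usable ZAP report.

    A 0-byte report is what the thread hit when ZAP's report generation failed
    (json.loads on it is the "Unexpected end of JSON input" the publish task
    printed). Failing here with a clear message beats writing an empty XML
    file that PublishTestResults then finds no results in.
    """
    if not text.strip():
        raise EmptyReport("report.json is empty: ZAP did not write a report")
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        raise EmptyReport(f"report.json is not valid JSON: {exc}") from None
    sites = data.get("site") if isinstance(data, dict) else None
    if not isinstance(sites, list) or not sites:
        raise EmptyReport("report.json has no 'site' entries")
    return data


def report_to_nunit(data, html_report_path="owaspzap/report.html"):
    """Same NUnit 3 layout as the handlebars template: one <test-suite> per
    site, one <test-case> per alert, desc in <message>, solution/reference/
    instances in <stack-trace>. ElementTree escapes the HTML ZAP puts in desc
    and solution (the template used CDATA for that). A site with no alerts is
    marked Passed instead of the template's hard-coded Failed."""
    run = ET.Element("test-run", {"id": "2", "name": "Owasp test",
                                  "start-time": data.get("@generated", "")})
    for si, site in enumerate(data["site"]):
        alerts = site.get("alerts", [])
        suite = ET.SubElement(run, "test-suite", {
            "id": str(si), "type": "Assembly", "name": site.get("@name", ""),
            "result": "Failed" if alerts else "Passed", "failed": str(len(alerts))})
        att = ET.SubElement(ET.SubElement(suite, "attachments"), "attachment")
        ET.SubElement(att, "filePath").text = html_report_path
        for ai, alert in enumerate(alerts):
            case = ET.SubElement(suite, "test-case", {
                "id": str(ai), "name": alert.get("alert", ""),
                "fullname": alert.get("alert", ""), "result": "Failed", "time": "1"})
            failure = ET.SubElement(case, "failure")
            ET.SubElement(failure, "message").text = alert.get("desc", "")
            trace = ["Solution:", alert.get("solution", ""), "",
                     "Reference:", alert.get("reference", ""), "", "instances:"]
            for inst in alert.get("instances", []):
                trace += [f"* {inst.get('uri', '')}", f"    - {inst.get('method', '')}"]
                if inst.get("evidence"):
                    trace.append(f"    - {inst['evidence']}")
            ET.SubElement(failure, "stack-trace").text = "\n".join(trace)
    return ET.tostring(run, encoding="unicode")


# Constructed sample in the shape of ZAP's traditional-json report (the keys the
# handlebars template reads); host, alerts and evidence are made up.
SAMPLE_REPORT = json.dumps({"@generated": "Thu, 14 Oct 2021 13:06:23", "site": [{
    "@name": "https://www.example.test", "@host": "www.example.test", "alerts": [
        {"alert": "X-Content-Type-Options Header Missing", "riskcode": "1",
         "desc": "<p>The X-Content-Type-Options header was not set to 'nosniff'.</p>",
         "solution": "<p>Set X-Content-Type-Options: nosniff on every response.</p>",
         "reference": "", "instances": [
             {"uri": "https://www.example.test/", "method": "GET", "evidence": ""},
             {"uri": "https://www.example.test/robots.txt", "method": "GET", "evidence": ""}]},
        {"alert": "Server Leaks Version Information via Server Header", "riskcode": "1",
         "desc": "<p>The web server is leaking version information.</p>",
         "solution": "<p>Suppress the version string in the Server header.</p>",
         "reference": "", "instances": [
             {"uri": "https://www.example.test/", "method": "GET", "evidence": "Apache/2.4.41"}]},
    ]}]})


def main(argv):
    if len(argv) < 3:
        print("usage: zap_to_nunit.py report.json out.xml [report.html]", file=sys.stderr)
        return 2
    try:
        with open(argv[1], encoding="utf-8") as fh:
            data = load_report(fh.read())
    except (OSError, EmptyReport) as exc:
        print(f"refusing to generate NUnit results: {exc}", file=sys.stderr)
        return 3  # fail this step loudly instead of handing an empty XML to publish
    with open(argv[2], "w", encoding="utf-8") as fh:
        fh.write(report_to_nunit(data, argv[3] if len(argv) > 3 else "owaspzap/report.html"))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In the pipeline above this replaces the `sudo npm install -g handlebars-cmd`, template and `handlebars` steps with a single `python3 zap_to_nunit.py owaspzap/report.json owaspzap/$(websiteurl).xml` step. Because that step now exits non-zero on a bad report, the failure shows up where the problem is (the scan wrote no report) instead of one task later; keep `condition: always()` on the publish task only if you still want it to run after a failed conversion.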

psiinon

Oct 15, 2021, 6:57:17 AM
to OWASP ZAP Developer Group
We updated the docker image.
We don't manage the Visual Studio ZAP Scanner Pipeline so the yaml file means nothing to me.
It could well be something that we have changed but I don't know what that might be - you'll have to raise this with CSE-DevOps.
If you do that on a public forum then please post the details here so we can keep an eye on it and give any info needed.

Cheers,

Simon

Neil McAlister

Oct 18, 2021, 4:56:17 AM
to OWASP ZAP Developer Group
Thanks Simon - is there a change log for the Docker image you have updated, please? Especially in relation to the reporting changes, as I think this is what is now broken in my reporting chain in the YAML file above.

Cheers

Neil

psiinon

Oct 18, 2021, 5:12:25 AM
to OWASP ZAP Developer Group
Hi Neil,


Cheers,

Simon

Neil McAlister

Oct 21, 2021, 5:50:02 AM
to OWASP ZAP Developer Group
Thanks Simon - I've rewritten my pipeline now to stop using the AZDO task from a third party - now I am just using the Docker image and .py file directly, rather than this task doing it.

The task itself did run OK, but the reporting JSON file exported had empty contents - hence my rewrite.

The AZDO task is pretty much dead now - as you can see on their GitHub here - I've posted my solution over there if it helps anyone here.


Cheers

Neil
