Jenkins & Owasp ZAP plugin error


rama rama Krishna Krishna

Aug 11, 2017, 5:02:25 AM8/11/17
to ZAP Jenkins Plugin
Hello There,

I will be glad if anyone can help me out with Jenkins and ZAP plugin integration.

Existing setup:
- OS: Ubuntu
- Jenkins installed with "apt-get install Jenkins"
- Official ZAP plug-in

From Jenkins I have installed:
1. Official ZAP plug-in version 1.1.0 (the unofficial version is not working on my system for some reason)
2. Custom Tool plug-in
3. JDK 8
4. User and group for the Jenkins folder set to Jenkins:Jenkins (so the permission part is taken care of)

I followed this document:
https://wiki.jenkins.io/display/JENKINS/ZAProxy+Plugin

From the Custom Tool plugin I gave the ZAP git URL
https://github.com/zaproxy/zaproxy/releases/download/2.6.0/ZAP_2.6.0_Linux.tar.gz
and the directory as: ZAP_2.6.0

- Created a Jenkins freestyle project
- Under the build section:
      - Add: Execute ZAP
        Host: localhost
        Port: 8090 (these are the settings I gave in Jenkins)
        Rest left default
        ZAP dir: ~/.ZAP
        Load session: I saved an OWASP ZAP session from the ZAP tool and later copied it to the workspace.
                                   Do I compulsorily need to give this? Because I have other jobs running on Jenkins and I don't want to install OWASP ZAP and save a session.
                                   Can this session be created through Jenkins? Any possibility?
        The rest, like in context, out of context, etc., is taken care of by me.

Here is my requirement:
- We have a build triggered every 2 days and we want to run OWASP ZAP as part of the build. We want to take care of false positives, so once the ZAP scanning is done we should get a report (HTML format) without the false positives.
- In the ZAP tool I can configure everything, but now we want to integrate this step into Jenkins.

Here are my few questions:

1. When I configured ZAP (git URL) from Custom Tools, it's not creating any .ZAP folder (checked the hidden folders too); checked after the "Build Now" step.
2. The below step is taking lots of time:
Unpacking https://github.com/zaproxy/zaproxy/releases/download/2.6.0/ZAP_2.6.0_Linux.tar.gz to /root/.jenkins/tools/com.cloudbees.jenkins.plugins.customtools.CustomTool/ZAP_6-0 on Jenkins

3. Can I create a dynamic session instead of creating and saving a session from the ZAP tool?
4. How can I update ZAP from Jenkins?

Waiting for a response.

Thanks in advance


lil_men69

Aug 15, 2017, 9:55:33 AM8/15/17
to ZAP Jenkins Plugin
Hi,

I don't understand all your issues. Maybe I could help you with a few things.

First, try the official plugin version: https://wiki.jenkins.io/display/JENKINS/zap+plugin

Here is how to configure a job: https://wiki.jenkins.io/display/JENKINS/Configure+the+Job

- Your requirement:
** False positives are handled with Alert Filters in the plugin; some tips here: https://issues.jenkins-ci.org/browse/JENKINS-39985

Questions:

1 -- Can't help with when ZAP finishes unpacking; when it's running it should create a ZAP dir as ~/.ZAP

2 -- For the time, you can't do better unless you have a mirror in your local network

3 -- The save-session radio block in the plugin should be the solution

4 -- With Jenkins console scripting or a job with a shell script command
There is a link with tips: https://github.com/zaproxy/zap-core-help/wiki/HelpCmdline
The command line could be ./zap.sh -daemon -addonupdate

Cheers
Me

JordanGS

Aug 15, 2017, 10:28:42 AM8/15/17
to ZAP Jenkins Plugin
1. Jenkins missing escalated permissions to create/edit/modify files and folders would be the most likely culprit.
2. Either use a mirror on your local network as a previous user has said, or look into installing it on your system. I can't speak for your network connection, but that step takes me roughly 45-90 seconds. If that is too long, I would suggest opening a ticket with the Custom Tools plugin team. What is long for you?
3. Elaborate on "dynamic session"? You can load a session that you made with ZAP (GUI) or you can create a new session in the ZAP Jenkins job config. Look at the Session Management section.
4. The previous reply will work only if using ZAPROXY_HOME and having installed it manually rather than using Custom Tools to install it, as far as I know. Not always a smart idea to rush forward since new fixes might be introduced but new bugs as well. Which is why I always recommend using the standard releases such as 2.6.0 and 2.7.0 rather than weeklies.
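As an added example (not code from the thread, the ZAP project or the Jenkins plugin), here is a script for a Jenkins "Execute shell" build step that ties together point 1 (the Jenkins user lacking permission to create the ZAP home directory) and point 4 (updating add-ons from the command line). It assumes ZAPROXY_HOME points at a manually installed ZAP as the reply requires, swaps ZAP's -cmd flag for -daemon so the step exits when the update finishes, and passes -dir so ZAP uses a home directory the build user owns; the function names and the JENKINS_ZAP_RUN guard are my own.

```shell
#!/bin/sh
# Added example: preflight + add-on update for a Jenkins shell build step.
# Hypothetical helper names; only zap.sh, -cmd, -addonupdate and -dir are real ZAP CLI pieces.

# zap_preflight ZAP_INSTALL_DIR ZAP_HOME_DIR
# Returns 0 when zap.sh is executable and the ZAP home dir exists and is writable
# by the current user, 1 when zap.sh is missing, 2 when the home dir cannot be
# created or written (the permission problem raised in the thread).
zap_preflight() {
  install_dir=$1
  home_dir=$2
  if [ ! -x "$install_dir/zap.sh" ]; then
    echo "zap.sh not found or not executable under $install_dir" >&2
    return 1
  fi
  if ! mkdir -p "$home_dir" 2>/dev/null; then
    echo "cannot create $home_dir as user $(id -un)" >&2
    return 2
  fi
  if [ ! -w "$home_dir" ]; then
    echo "$home_dir is not writable by user $(id -un)" >&2
    return 2
  fi
  return 0
}

# update_zap_addons ZAP_INSTALL_DIR ZAP_HOME_DIR
# Runs the add-on update inline (-cmd) against an explicit home dir (-dir), so the
# build user never depends on /root/.ZAP being reachable; propagates ZAP's exit code.
update_zap_addons() {
  zap_preflight "$1" "$2" || return $?
  "$1/zap.sh" -cmd -addonupdate -dir "$2"
}

# Entry point for the build step; guarded so sourcing this file runs nothing.
# Uses the Jenkins-provided WORKSPACE so the ZAP home lives with the job.
if [ "${JENKINS_ZAP_RUN:-0}" = 1 ]; then
  update_zap_addons "${ZAPROXY_HOME:?set ZAPROXY_HOME to the ZAP install dir}" \
                    "${WORKSPACE:-$HOME}/.ZAP"
fi
```

In the Jenkins job, set JENKINS_ZAP_RUN=1 in the step's environment so the entry point fires; the preflight's non-zero exit marks the build failed before ZAP is even started.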