Is there a way to display ZAP alerts in Jenkins dashboard itself?


Lakmi SK

Jun 10, 2015, 12:33:12 AM6/10/15
to zaprox...@googlegroups.com
Hi,

With the software below, I'm able to invoke ZAP from Jenkins:
zaproxy plugin v1.1.1
ZAP Tool - 2.4.0
Jenkins v1.586

But the reports are written to Jenkins workspace. So I need to navigate to that particular folder. 
Instead can I see the ZAP scan output in Jenkins dashboard itself? 

Thanks,
Lakmi

Ludovic704

Jun 10, 2015, 4:18:46 AM6/10/15
to zaprox...@googlegroups.com
Hi Lakmi,

For the moment, it's not possible to see the ZAP report in the Jenkins dashboard, but it could be a good idea!
What do you want to see in the Jenkins dashboard from the ZAP report?
  • Only a link to the file?
  • The number of alerts by level?
  • All alerts and their descriptions?
You can also open an issue here to add this new feature in a future version of the ZAProxy plugin.

Thank you for your feedback.

Regards,
Ludovic.

Simon Bennetts

Jun 10, 2015, 5:17:58 AM6/10/15
to zaprox...@googlegroups.com, ludovic...@gmail.com
I think options for a link to the file and alerts by level would be really useful.
Displaying all of the alerts and their descriptions might be too overwhelming, but if someone has got their app to the point where they usually get no alerts then this might be useful.

Do you have options for flagging false positives?
I suspect there are loads of other metrics we _should_ report (via ZAP as well as the plugin) to help users understand if their app is being scanned effectively.
I really need to play with this, as I can think of loads of possibilities :D

One thing we could use it for is testing ZAP vs vulnerable apps like wavsep, firing range and webseclab.
I'd then want to know how well ZAP scores against these apps, with the build failing if we score lower than expected.
I realise this is an unusual use case ;)

Cheers,

Simon
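Ludovic's "number of alerts by level" option and Simon's idea of failing the build when a scan scores worse than expected, as an added example that is not code from this thread, the zaproxy plugin or ZAP itself: a Python script that parses a ZAP XML report, counts distinct alerts per risk level, skips an assumed false-positive allowlist (the thread notes the plugin has no such option), and returns a non-zero exit code for the build when per-level thresholds are exceeded. The element names follow the ZAP 2.x XML report layout as I understand it, and the sample report is constructed, not real scan output.

```python
import sys
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the shape of a ZAP XML report (site / alerts /
# alertitem / riskcode); not output from a real scan.
SAMPLE_REPORT = """<?xml version="1.0"?>
<OWASPZAPReport version="2.4.0" generated="Wed, 10 Jun 2015 12:00:00">
  <site name="http://app.example" host="app.example" port="80" ssl="false">
    <alerts>
      <alertitem>
        <alert>Cross Site Scripting (Reflected)</alert>
        <riskcode>3</riskcode><riskdesc>High (Medium)</riskdesc><count>1</count>
      </alertitem>
      <alertitem>
        <alert>X-Frame-Options Header Not Set</alert>
        <riskcode>2</riskcode><riskdesc>Medium (Medium)</riskdesc><count>4</count>
      </alertitem>
      <alertitem>
        <alert>Cookie No HttpOnly Flag</alert>
        <riskcode>1</riskcode><riskdesc>Low (Medium)</riskdesc><count>2</count>
      </alertitem>
    </alerts>
  </site>
</OWASPZAPReport>"""

RISK_NAMES = {"0": "Informational", "1": "Low", "2": "Medium", "3": "High"}

def alerts_by_level(report_xml, false_positives=()):
    """Count distinct alert items per risk level across all sites,
    skipping alert names listed as known false positives (assumed allowlist)."""
    root = ET.fromstring(report_xml)
    counts = Counter({name: 0 for name in RISK_NAMES.values()})
    for item in root.iter("alertitem"):
        name = item.findtext("alert", "").strip()
        if name in false_positives:
            continue
        level = RISK_NAMES.get(item.findtext("riskcode", "").strip(), "Informational")
        counts[level] += 1
    return dict(counts)

def threshold_violations(counts, max_allowed):
    """Return the risk levels whose alert count exceeds the configured maximum."""
    return [lvl for lvl, limit in max_allowed.items() if counts.get(lvl, 0) > limit]

if __name__ == "__main__":
    # Hypothetical gate for the build: no High alerts tolerated, at most two Medium.
    counts = alerts_by_level(SAMPLE_REPORT, false_positives={"X-Frame-Options Header Not Set"})
    print(counts)
    sys.exit(1 if threshold_violations(counts, {"High": 0, "Medium": 2}) else 0)
```

In a Jenkins job the same script would read the XML report written to the workspace instead of the embedded sample, and the job's exit status then drives the build result.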

Ludovic704

Jun 10, 2015, 6:22:25 AM6/10/15
to zaprox...@googlegroups.com, ludovic...@gmail.com
My company and I are also currently working on a SonarQube plugin displaying alerts from the ZAP report file. For the moment, it looks like this:


And when clicking on a specific level, SonarQube displays all issues (description, solution, ...) from the ZAP report for that level.

So for the moment, I'm focusing on this SonarQube plugin.


Otherwise, I don't have any option for flagging false positives.


Regards,

Ludovic.

Simon Bennetts

Jun 10, 2015, 6:29:53 AM6/10/15
to zaprox...@googlegroups.com, ludovic...@gmail.com
Awesome - really looking forward to seeing this!

Many thanks,

Simon

Ludovic704

Jun 10, 2015, 9:20:50 AM6/10/15
to zaprox...@googlegroups.com, ludovic...@gmail.com
We have in mind to integrate this future plugin with the dependency-check-sonar-plugin to create a global OWASP Sonar plugin. I think it would be great if we could group all OWASP Sonar plugins into only one.

Regards,
Ludovic.

Ludovic704

Jun 10, 2015, 9:46:03 AM6/10/15
to zaprox...@googlegroups.com
And to get back to the initial question, you can use a plugin named "HTML Publisher Plugin" to display a link to the ZAP HTML report.

Regards,
Ludovic. 

On Wednesday, 10 June 2015 06:33:12 UTC+2, Lakmi wrote:

psiinon

Jun 10, 2015, 9:51:12 AM6/10/15
to zaprox...@googlegroups.com
A global OWASP Sonar plugin sounds great :)

However, if this ended up covering a large number of OWASP projects then it might get a bit difficult to manage, especially with the different project roadmaps.
E.g. what happens if different versions of the product plugins are incompatible - you could then end up with a complex matrix of versions to support.
I'm definitely not arguing against having a global OWASP plugin, just that having project-specific ones as well could still be very useful.

Cheers,

Simon




--
OWASP ZAP Project leader

Lakmi

Jun 10, 2015, 11:37:09 PM6/10/15
to zaprox...@googlegroups.com
Hi,
Thank you so much for letting me know about the HTML Publisher plugin. I tried it & it works.
Also, excited to see the SonarQube ZAP plugin in the making :)

Regards,
Lakmi

Johann Ollivier Lapeyre

Jun 11, 2015, 5:54:02 AM6/11/15
to zaprox...@googlegroups.com


A global OWASP Sonar plugin sounds great :)

However, if this ended up covering a large number of OWASP projects then it might get a bit difficult to manage, especially with the different project roadmaps.
E.g. what happens if different versions of the product plugins are incompatible - you could then end up with a complex matrix of versions to support.
I'm definitely not arguing against having a global OWASP plugin, just that having project-specific ones as well could still be very useful.

Hi,

I'm a colleague of Ludovic704 and "product owner" for his work. Your concern could be valid, but I would like to highlight some points:
- First, some projects are very open to accepting new plugins (we saw that for example with our Jenkins ZAP plugin) but it's not exactly the same with SonarQube. It's quite hard, and with a voting committee. So, a large number of OWASP projects will never happen, ever. At least one would be nice.... This is the strong argument to have in mind for a global OWASP plugin: be attractive for SonarQube's people and keep the potential capacity to manage many OWASP tools in the future [at least the ones valuable in Sonar].
- The use cases are quite simple: parse a report and push the data to Sonar. So, from a code point of view, every tool [currently dependency-check and ZAP] is well split, with no interdependency, because the reports, data structures and rules are not the same, resulting in a very low risk of roadmap and collision issues. The common parts are very utilitarian: Sonar's registry, neutral language...
- There are still some choices to make about visualisation (common vulnerabilities widget, separate widgets, both...). Something we have yet to discuss with Steve Springett, current leader of Sonar's OWASP Dependency Check plugin, who decides in the end about the global plugin: accepting or not our upcoming pull request.

Cheers

Johann Ollivier-Lapeyre


Harneet Kaur

Nov 21, 2016, 2:22:14 PM11/21/16
to OWASP ZAP User Group, ludovic...@gmail.com
Hi Ludovic,
I have also been trying to work on a similar thing. I am getting an .html file as the ZAP report, but I was thinking of customizing it so that it is able to show false negatives. Will you be able to give me a little bit of guidance on the configuration and on integrating ZAP with SonarQube in Jenkins?

Regards,
Harneet