Unable to disable addon update in ZAP Docker


JS Chuah

Apr 5, 2023, 4:38:30 AM
to OWASP ZAP User Group
The latest ZAP Docker version (2.12.0) seems to break my API scanning CI pipeline and I am still investigating. (Looks like the options.prop is no longer working for me)

I wish to continue to use the older version (s2023-03-03), but keep getting errors regarding addon update/install even with the "-silent" option.

Can I continue to use the older version with addon update/install disabled? Below is my docker command.

docker run -v $(pwd):/zap/wrk/:rw -t owasp/zap2docker-stable:w2023-03-03 zap-api-scan.py -t ${openApiSpec} -f openapi -d -n my-app.context -I -c default.conf -r zap_report_html.html -x zap_report_xml.xml -J zap_report_json.json -z "-configfile /zap/wrk/options.prop -silent"

Thank you so much!

Simon Bennetts

Apr 5, 2023, 4:45:33 AM
to OWASP ZAP User Group
Can you explain what the symptoms are?
What does your options.prop file contain (you can obfuscate anything sensitive)?
Are there any errors in the zap.log file?

I'm not aware of any known issues that could be related to this, so right now we don't have much to go on :/

Cheers,

Simon

JS Chuah

Apr 5, 2023, 4:45:49 AM
to OWASP ZAP User Group
Sorry, there was a typo in my previous post: the docker image version mentioned in the previous post should be "s2023-03-03", not "w2023-03-03".

JS Chuah

Apr 5, 2023, 4:54:33 AM
to OWASP ZAP User Group
Hi Simon,

Thank you for the prompt reply.

May I know how to get the zap.log? We are running the docker command in Jenkins.

In version 2.12.0, we found no error in the Jenkins log. However, we also found that no record was inserted into our database even after the scan, unlike in the previous version, where we could see many records inserted into the database via the POST method. So I suspect either the replacer or the formhandler is not working correctly after the update.

Below is the content of my options.prop

replacer.full_list(0).description=token
replacer.full_list(0).enabled=true
replacer.full_list(0).matchtype=REQ_HEADER
replacer.full_list(0).matchstr=Authorization
replacer.full_list(0).regex=false
replacer.full_list(0).replacement=Bearer xxxxxxxxxxx

formhandler.fields.field(0).fieldId=appid
formhandler.fields.field(0).value=
formhandler.fields.field(0).enabled=true

formhandler.fields.field(1).fieldId=createdby
formhandler.fields.field(1).value=
formhandler.fields.field(1).enabled=true

formhandler.fields.field(2).fieldId=createddt
formhandler.fields.field(2).value=
formhandler.fields.field(2).enabled=true

formhandler.fields.field(3).fieldId=updatedby
formhandler.fields.field(3).value=
formhandler.fields.field(3).enabled=true

formhandler.fields.field(4).fieldId=updateddt
formhandler.fields.field(4).value=
formhandler.fields.field(4).enabled=true

formhandler.fields.field(5).fieldId=version
formhandler.fields.field(5).value=
formhandler.fields.field(5).enabled=true

Simon Bennetts

Apr 5, 2023, 4:56:40 AM
to OWASP ZAP User Group
It links to other FAQs which explain how to find the ZAP default directory for different OSs.
If ZAP can run then there will be a zap.log file.

JS Chuah

Apr 5, 2023, 5:35:16 AM
to OWASP ZAP User Group
Hi Simon,

I have attached the log generated by running version 2.12.0.
I don't see any major error in the log, however I found it strange that /api/applications (my only API in api-spec.yaml) was never mentioned in the log. Is this normal?

Thanks so much.
api-spec.yaml
zap.log

JS Chuah

Apr 5, 2023, 5:41:44 AM
to OWASP ZAP User Group
Hi Simon,

Is it normal that the value for "formhandler.fields.field(0).enabled" is "true was null"? 

2023-04-05 09:07:15,472 [main ] INFO  AbstractParam - Setting config formhandler.fields.field(0).enabled = true was null

JS Chuah

Apr 5, 2023, 5:48:08 AM
to OWASP ZAP User Group
I found it strange that the values from line 7 to line 34 are all appended with "was null".
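As an added check for a CI pipeline like the one in this thread (this is not code from the thread or from ZAP), the script below parses an options.prop-style -configfile and the "Setting config <key> = <new> was <old>" lines that AbstractParam writes to zap.log, then reports which configured keys ZAP actually applied, which were applied with a different value, and which never appear in the log. Both inputs are constructed samples in the formats quoted above; a "was null" suffix just records that the key had no previous value.

```python
import re

# Constructed options.prop, in the key style posted earlier in this thread.
OPTIONS_PROP = """\
replacer.full_list(0).matchtype=REQ_HEADER
formhandler.fields.field(0).fieldId=appid
formhandler.fields.field(0).value=
formhandler.fields.field(0).enabled=true
"""

# Constructed zap.log excerpt in the AbstractParam format quoted above.
ZAP_LOG = """\
2023-04-05 09:07:15,472 [main ] INFO  AbstractParam - Setting config formhandler.fields.field(0).fieldId = appid was null
2023-04-05 09:07:15,472 [main ] INFO  AbstractParam - Setting config formhandler.fields.field(0).value =  was null
2023-04-05 09:07:15,472 [main ] INFO  AbstractParam - Setting config formhandler.fields.field(0).enabled = true was null
"""

# "Setting config <key> = <new> was <old>"; "was null" means there was no prior value.
SET_RE = re.compile(r"Setting config (?P<key>\S+) = (?P<new>.*?) was (?P<old>\S*)$")

def parse_options(text):
    """Return {key: value} from a -configfile (properties syntax; '#' lines ignored)."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            opts[key.strip()] = value.strip()
    return opts

def parse_applied(log_text):
    """Return {key: (new, old)} for every 'Setting config' line ZAP logged."""
    applied = {}
    for line in log_text.splitlines():
        m = SET_RE.search(line)
        if m:
            applied[m.group("key")] = (m.group("new").strip(), m.group("old"))
    return applied

def check_config(opts, applied):
    """Sort configured keys into applied as expected, mismatched, and never applied."""
    ok, mismatch, missing = [], {}, []
    for key, want in opts.items():
        if key not in applied:
            missing.append(key)  # ZAP never reported setting this key
        elif applied[key][0] != want:
            mismatch[key] = (want, applied[key][0])
        else:
            ok.append(key)
    return ok, mismatch, missing
```

Run it against the real options.prop and the zap.log from the ZAP default directory after a pipeline run; any key in the "missing" list was never picked up by ZAP, which is the first thing to check when a scan silently stops authenticating.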

thc...@gmail.com

Apr 5, 2023, 5:08:48 PM
to zaprox...@googlegroups.com
That's normal.

There's a new version of Form Handler add-on that should fix that issue.

Best regards.

On 05/04/2023 10:48, JS Chuah wrote:
> I found it strange that the values from line 7 to line 34 are all appended
> with "was null"
>
> On Wednesday, April 5, 2023 at 5:41:44 PM UTC+8 JS Chuah wrote:
>
>> Hi Simon,
>>
>> Is it normal that the value for "formhandler.fields.field(0).enabled" is "*true
>> was null*"?
>>
>> 2023-04-05 09:07:15,472 [main ] INFO AbstractParam - Setting config
>> formhandler.fields.field(0).enabled = *true was null*

JS Chuah

Apr 6, 2023, 6:04:45 AM
to OWASP ZAP User Group
Hi

May I confirm whether the form replacer issue is fixed? I'm still having the same issue.

thc...@gmail.com

Apr 6, 2023, 6:14:17 AM
to zaprox...@googlegroups.com
Which image are you using now and with which command line args?

Best regards.

JS Chuah

Apr 6, 2023, 6:40:45 AM
to OWASP ZAP User Group
Hi,

This is my command using 2.12.0. I am still unable to authenticate to my REST API. It was working in the previous version. (You can refer to the previous post for my options.prop.) Thank you so much!

docker run -v $(pwd):/zap/wrk/:rw -t owasp/zap2docker-stable:2.12.0 zap-api-scan.py -t ${openApiSpec} -f openapi -d -n my-app.context -I -c default.conf -r zap_report_html.html -x zap_report_xml.xml -J zap_report_json.json -z "-configfile /zap/wrk/options.prop"


thc...@gmail.com

Apr 10, 2023, 10:11:00 AM
to zaprox...@googlegroups.com
Answered in:
https://groups.google.com/g/zaproxy-users/c/JmhnwHVqg6M/m/Sx9dN11BCgAJ

The latest image should no longer have that problem.

Best regards.