How to generate report in Modern Html report format from command line?


Shrey

Jun 28, 2023, 7:26:01 PM
to OWASP ZAP User Group
I am running

zap.bat -port 8090 -silent -openapifile /Users/xxxxx/Downloads/yyyy.openapi.yaml -quickurl https://pxxxxxxxx -quickout /Users/xxxxxx/Desktop/myresult.html -quickprogress


My config.xml file is

<reports>
        <display>true</display>
        <title>ZAP Scanning Report</title>
        <description/>
        <template>modern</template>
        <report>
            <theme>
                <risk-confidence-html>original</risk-confidence-html>
                <modern>corporate</modern>
                <traditional-html-plus>light</traditional-html-plus>
            </theme>
            <sections>
                <risk-confidence-html>siteRiskCounts</risk-confidence-html>
                <risk-confidence-html>responseBody</risk-confidence-html>
                <risk-confidence-html>appendix</risk-confidence-html>
                <risk-confidence-html>alertTypes</risk-confidence-html>
                <risk-confidence-html>responseHeader</risk-confidence-html>
                <risk-confidence-html>alertTypeCounts</risk-confidence-html>
                <risk-confidence-html>riskConfidenceCounts</risk-confidence-html>
                <risk-confidence-html>alerts</risk-confidence-html>
                <risk-confidence-html>aboutThisReport</risk-confidence-html>
                <risk-confidence-html>contents</risk-confidence-html>
                <risk-confidence-html>requestBody</risk-confidence-html>
                <risk-confidence-html>reportDescription</risk-confidence-html>
                <risk-confidence-html>reportParameters</risk-confidence-html>
                <risk-confidence-html>requestHeader</risk-confidence-html>
                <risk-confidence-html>summaries</risk-confidence-html>
                <high-level-report>vulnerabilityImpact</high-level-report>
                <high-level-report>bugsCountChart</high-level-report>
                <high-level-report>riskSummaryChart</high-level-report>
                <modern>passingrules</modern>
                <modern>instancecount</modern>
                <modern>alertdetails</modern>
                <modern>alertcount</modern>
                <modern>params</modern>
                <modern>chart</modern>
                <modern>statistics</modern>
                <traditional-html>instancecount</traditional-html>
                <traditional-html>alertdetails</traditional-html>
                <traditional-html>alertcount</traditional-html>
                <traditional-html-plus>passingrules</traditional-html-plus>
                <traditional-html-plus>instancecount</traditional-html-plus>
                <traditional-html-plus>alertdetails</traditional-html-plus>
                <traditional-html-plus>alertcount</traditional-html-plus>
                <traditional-html-plus>params</traditional-html-plus>
                <traditional-html-plus>chart</traditional-html-plus>
                <traditional-html-plus>statistics</traditional-html-plus>
                <traditional-md>instancecount</traditional-md>
                <traditional-md>alertdetails</traditional-md>
                <traditional-md>alertcount</traditional-md>
            </sections>
        </report>



However, when the scan finishes, it is generating the report in traditional-html format.
Any idea how I can overcome this issue?






Simon Bennetts

Jun 29, 2023, 3:27:37 AM
to OWASP ZAP User Group
Hiya.

The "quick" commandline options are very limited and not really recommended for "serious" use.
Have a look at the Automation Framework (AF): https://www.zaproxy.org/docs/automate/automation-framework/
That has a lot more flexibility.
You can create and test AF plans in the ZAP Desktop and then export them to a yaml file which you can run from the commandline.

Cheers,

Simon

Shrey

Jun 29, 2023, 3:19:07 PM
to OWASP ZAP User Group
Hi,

Thank you for the response.

I have looked into AF and I have one follow up question.

I have around 20 OpenAPI definition URLs/files. How could I import all of them into one yaml file?

Should I keep adding OpenAPI parameters in my yaml file?

For example:
- parameters:
    apiFile: "C:\\Users\\xxxxxx\\Downloads\\p1.openapi.yaml"
    apiUrl: ""
    targetUrl: ""
  name: "openapi"
  type: "openapi"


- parameters:
    apiFile: "C:\\Users\\xxxxxx\\Downloads\\p2.openapi.yaml"
    apiUrl: ""
    targetUrl: ""
  name: "openapi"
  type: "openapi"



- parameters:
    apiFile: "C:\\Users\\xxxxxx\\Downloads\\p3.openapi.yaml"
    apiUrl: ""
    targetUrl: ""
  name: "openapi"
  type: "openapi"


Regards,
Shrey

Shrey

Jun 29, 2023, 4:45:39 PM
to OWASP ZAP User Group

And is there a script for this?

psiinon

Jun 30, 2023, 3:41:47 AM
to zaprox...@googlegroups.com
What are you trying to achieve? If these are separate endpoints then personally I'd run ZAP against them one at a time.
That way the individual scans are quicker and the results are easier to associate with each endpoint.

However if you want you can include as many "openapi" jobs in an AF plan as you want.

The closest scripts we have are the mass baseline ones: https://github.com/zaproxy/community-scripts/tree/main/api/mass-baseline
However they have not been updated for many years and do not use the AF.

Cheers,

Simon



--
OWASP ZAP Project leader

Shrey

Jul 2, 2023, 8:14:45 PM
to OWASP ZAP User Group
Hi Simon,

Thank you for your guidance. Yes, my main aim is to include many "openapi" jobs in an AF plan and create one single report. Also, I really appreciate you providing me with the script; it will give me some heads-up to achieve my goal.

However, currently I'm running ZAP from the command line:

java %jvmopts% -jar zap-2.12.0.jar -port 8090 -silent  -openapifile /Users/xxxxx/Downloads/yyyy.openapi.yaml   -openapifile /Users/xxxxx/Downloads/bbb.openapi.yaml    ^
 -config script.scripts.name="Authentication" ^
 -config script.scripts.engine="Graal.js" ^
 -config script.scripts.type=httpsender ^
 -config script.scripts.enabled=true ^
 -config script.scripts.file="C:\Users\xxxxx\OWASP ZAP\scripts\scripts\httpsender\Authentication.js" ^
 -config reports.template="modern" ^
  -quickurl https://pxxxxxxxx -quickout /Users/xxxxxx/Desktop/myresult.html -quickprogress  -cmd

And in my terminal, I can see some errors:

1688338408210   Marionette      WARN    Ignoring event 'pageshow' because document has an invalid readyState of 'abcabcabc'.
1688338408526   Marionette      WARN    Ignoring event 'pageshow' because document has an invalid readyState of ' abcabcabc  '.
1688338408863   Marionette      WARN    Ignoring event 'pageshow' because document has an invalid readyState of ' abcabcabc  '.
JavaScript error: , line 0: NotSupportedError: Window protocol 'NetError' doesn't match uri  https://pxxxxxxxx /yyyy/zzzz/login?loginFailed=true?
1688338410702   Marionette      WARN    Ignoring event 'pageshow' because document has an invalid readyState of ' abcabcabc  '.
1688338410757   Marionette      WARN    Ignoring event 'pageshow' because document has an invalid readyState of ' abcabcabc  '.
1688338410814   Marionette      WARN    Ignoring event 'pageshow' because document has an invalid readyState of ' abcabcabc  '.

Could you please enlighten me about the above errors, and is it something related to ZAP or the script I have configured?

psiinon

Jul 3, 2023, 10:59:10 AM
to zaprox...@googlegroups.com
You can create and test your plans in the ZAP Desktop.
We don't have a plan exactly like the one you describe, but here's one for importing an OpenAPI definition: https://github.com/zaproxy/zaproxy/blob/main/docker/integration_tests/configs/plans/petstore-openapi.yaml

Re the errors - those are all coming from Firefox and so can be ignored.

Cheers,

Simon
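
An added example, not part of the thread and not the ZAP project's own code: a Python script that writes an Automation Framework plan with one "openapi" job per definition file, an active scan, and a single report job using the "modern" template and "corporate" theme from the config.xml above. The file paths, target URL, context name and report location are constructed placeholders, and giving every job the same targetUrl assumes all the APIs are served from one host.

```python
import json

def q(value):
    # A JSON string literal is a valid YAML double-quoted scalar (escapes backslashes).
    return json.dumps(value)

def build_plan(api_files, target_url, report_dir, report_file="zap-report",
               theme="corporate", context="apis"):
    """Return AF plan text: one openapi job per file, then scan and report."""
    if not api_files:
        raise ValueError("at least one OpenAPI definition is required")
    lines = [
        "env:",
        "  contexts:",
        f"    - name: {q(context)}",
        "      urls:",
        f"        - {q(target_url)}",
        "  parameters:",
        "    failOnError: true",
        "    progressToStdout: true",
        "jobs:",
    ]
    for n, path in enumerate(api_files, start=1):
        lines += [
            "  - type: openapi",
            f"    name: {q(f'openapi-{n}')}",   # unique name per import job
            "    parameters:",
            f"      apiFile: {q(path)}",
            f"      targetUrl: {q(target_url)}",  # assumption: one shared host
            f"      context: {q(context)}",
        ]
    lines += [
        "  - type: activeScan",
        "    parameters:",
        f"      context: {q(context)}",
        "  - type: report",            # one report covering every import
        "    parameters:",
        '      template: "modern"',
        f"      theme: {q(theme)}",
        f"      reportDir: {q(report_dir)}",
        f"      reportFile: {q(report_file)}",
        '      reportTitle: "ZAP Scanning Report"',
        "      displayReport: false",
    ]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    # Constructed sample inputs, not values from the thread.
    files = [f"C:\\Users\\example\\Downloads\\p{i}.openapi.yaml" for i in range(1, 4)]
    print(build_plan(files, "https://api.example.test", "C:\\Users\\example\\Desktop"))
```

Save the output as a plan file and run it with `zap.bat -cmd -autorun plan.yaml`.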
