More debugging output for zap-api-scan.py (running in K8s)


Brandon Sterne

Apr 5, 2024, 8:58:15 PM
to ZAP User Group
Hello,

I'm able to successfully invoke ZAP via automation framework using ZAP container on my k8s cluster, e.g.:
/zap/zap.sh -silent -cmd -autorun /zap/my-plan.yaml
Found Java version 11.0.22-internal
Available memory: 126773 MB
Using JVM args: -Xmx31693m
Defaulting ZAP install dir to /zap
Job authentication set method = script
...

However, from the same container, when I try to run zap-api-scan.py the scanner doesn't seem to be able to start, and I get no useful output. It dies so quickly, there's not even a zap.log created:

bash-5.2$ /zap/zap-api-scan.py -t /zap/config/api-docs.json -f openapi -d
2024-04-06 00:51:55,185 Trigger hook: cli_opts, args: 1
2024-04-06 00:51:55,185 Using port: 58475
2024-04-06 00:51:55,185 Trigger hook: start_zap, args: 2
2024-04-06 00:51:55,185 Starting ZAP
2024-04-06 00:51:55,186 Failed to start ZAP :(

How can I get more information about what is failing? Thanks in advance!

Best,
Brandon

Brandon Sterne

Apr 6, 2024, 1:59:16 AM
to ZAP User Group
I added some debugging output to the zap-api-scan.py script and now see that ZAP is trying to create some kind of job log:
2024-04-06 05:41:04,211 Trigger hook: start_zap, args: 2
2024-04-06 05:41:04,211 Starting ZAP
Error code: 30
Error message: Read-only file system
File name: zap.out
Traceback (most recent call last):
  File "/zap/zap-api-scan-debug.py", line 350, in main
    start_zap(port, params)
  File "/zap/zap_common.py", line 108, in _wrap
    return_data = func(*args_list, **kwargs)
                  ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/zap/zap_common.py", line 291, in start_zap
    with open('zap.out', "w") as outfile:
         ^^^^^^^^^^^^^^^^^^^^
OSError: [Errno 30] Read-only file system: 'zap.out'
2024-04-06 05:41:04,212 Failed to start ZAP :(


ZAP doesn't seem to try to do this when invoking it from /zap/zap.sh. I'll either have to launch the container with a writable script (/zap) folder or modify the location it writes its zap.out log.

Simon Bennetts

Apr 12, 2024, 7:12:55 AM
to ZAP User Group
Yes, ZAP needs to be able to write to a directory, both for its logs and the HSQLDB files.
This FAQ explains which directory it will attempt to use by default: https://www.zaproxy.org/faq/what-is-the-default-directory-that-zap-uses/
You can specify the directory to use using the "-dir" option: https://www.zaproxy.org/docs/desktop/cmdline/

Cheers,

Simon

Brandon Sterne

Apr 18, 2024, 1:43:19 PM
to ZAP User Group
Thanks very much, Simon. Given I'm trying to invoke this from the /zap/zap-api-scan.py wrapper, I can confirm that passing:
/zap/zap-api-scan.py -z "-dir /writable/dir"

lets me run the scanner successfully. I'm impressed and humbled by your support for this community. Thanks for all you do to support this platform.

Best,
Brandon
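The fix Simon describes and Brandon confirms, put into a small launcher script. This is an added example, not code from the ZAP project or from either poster; it assumes the stock ZAP image layout (/zap/zap-api-scan.py), an environment variable ZAP_HOME naming a writable mounted volume, and a default path of /zap/wrk, all of which are assumptions. It checks that the directory is actually writable (creating and removing a probe file) before launching, so a read-only filesystem produces the operating system's error text instead of the wrapper's bare "Failed to start ZAP :(". It also changes into that directory first, because the traceback above shows zap_common.py opening 'zap.out' with a relative path, so the current directory must be writable too; -dir, passed through -z, moves ZAP's own logs and HSQLDB files there.

```shell
#!/bin/sh
# Added example, not part of the ZAP project or the thread above.
# Preflight a writable ZAP home directory before launching zap-api-scan.py
# from a container whose root filesystem is read-only.
# Assumptions: stock ZAP image layout (/zap/zap-api-scan.py) and a writable
# volume mounted at ZAP_HOME (the /zap/wrk default is an assumption).

# check_writable_dir DIR: create DIR if needed and prove it is writable by
# creating and removing a probe file. On failure, print the OS error text
# (the detail the wrapper's "Failed to start ZAP :(" hides) and return 1.
check_writable_dir() {
    dir=$1
    err=$(mkdir -p -- "$dir" 2>&1 >/dev/null) || {
        printf 'cannot create %s: %s\n' "$dir" "$err" >&2
        return 1
    }
    probe="$dir/.zap-write-probe.$$"
    err=$( { true > "$probe"; } 2>&1 ) || {
        printf 'cannot write in %s: %s\n' "$dir" "$err" >&2
        return 1
    }
    rm -f -- "$probe"
}

# run_api_scan OPENAPI_SPEC: run the API scan with ZAP's home moved to
# ZAP_HOME. Change into that directory first, because zap_common.py opens
# 'zap.out' with a relative path (see the traceback in the thread), so the
# current directory must be writable as well. -dir, passed through -z,
# relocates ZAP's own logs and HSQLDB files.
run_api_scan() {
    spec=$1
    home=${ZAP_HOME:-/zap/wrk}
    check_writable_dir "$home" || return 1
    cd "$home" || return 1
    /zap/zap-api-scan.py -t "$spec" -f openapi -d -z "-dir $home"
}

# Only launch when a spec path is given; running with no arguments just
# defines the functions.
if [ -n "${1:-}" ]; then
    run_api_scan "$1"
fi
```

In Kubernetes the usual pairing is securityContext.readOnlyRootFilesystem: true on the container plus an emptyDir volume mounted at the ZAP_HOME path, so the only writable location is the one ZAP is told to use.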