Log file not updating when run via CICD pipeline


Lia

Sep 15, 2023, 3:35:43 AM
to ZAP User Group
Hi,

I am running a ZAP scan in a CICD pipeline via a self-hosted runner.

What I noticed from running ZAP on a laptop versus in the pipeline is that whenever ZAP is started locally, the log file will automatically update itself or be created if missing from the directory.
While in the pipeline, if I remove the log file from the OWASP ZAP folder, when the scan starts, no log file is created nor will it automatically update itself.

Any help/advice on this please? I would like to retrieve the updated log file as an artifact to track the scan's process.

Simon Bennetts

Sep 15, 2023, 3:45:52 AM
to ZAP User Group
What path are you using for the log file?
What OS are you using, and which version of ZAP?

If ZAP runs then it will create and update the zap.log file so you are probably looking in the wrong place.

Cheers,

Simon

Lia

Sep 15, 2023, 3:53:07 AM
to ZAP User Group
Hi Simon,

The log file will always appear in C:\Users\Local User\OWASP ZAP whenever I run ZAP locally, whether via the GUI or the command line.
I did not change the path; it is the default path.

The machine on which the self-hosted runner is installed is Windows, and the installed version of ZAP is the latest, v2.13.0.

I am looking at the same place where the log file always appears as I have tried using ZAP locally first before trying it out in CICD pipeline.
The log file is missing/not updated only when I run the scan via pipeline.

Any idea why? 

thc...@gmail.com

Sep 15, 2023, 4:44:14 AM
to zaprox...@googlegroups.com
Are you sure ZAP is being executed with that/same user? Maybe it's using
a different home directory.

If you can check ZAP's output, at the start it should indicate which
home directory it is using.

Best regards.

On 15/09/2023 08:53, Lia wrote:
> Hi Simon,
>
> The log file will always appear in *C:\Users\Local User\OWASP ZAP *whenever

Lia

Sep 15, 2023, 4:54:21 AM
to ZAP User Group
Hi thc202,

I'm not sure how to check if it is executed with the same user or the home directory.
Attached is the job log from the runner when the ZAP scan is run via pipeline. 

The bold sentence is the command used to execute the ZAP scan. 

$ cd "C:\Program Files\OWASP\Zed Attack Proxy\"
$ .\zap.bat -cmd -config network.connection.timeoutInSecs=180 -config rules.domxss.browserid=chrome-headless -autorun File.yaml -session "C:\\Users\\Local User\\OWASP ZAP\\sessions\\path\\to\\session"

C:\Program Files\OWASP\Zed Attack Proxy>if exist "C:\WINDOWS\system32\config\systemprofile\OWASP ZAP\.ZAP_JVM.properties" (set /p jvmopts= 0<"C:\WINDOWS\system32\config\systemprofile\OWASP ZAP\.ZAP_JVM.properties" )  else (set jvmopts=-Xmx512m )
C:\Program Files\OWASP\Zed Attack Proxy>java -Xmx512m -jar zap-2.13.0.jar -cmd -config network.connection.timeoutInSecs=180 -config rules.domxss.browserid=chrome-headless -autorun File.yaml -session "C:\\Users\\Local User\\OWASP ZAP\\path\\to\\session"
Job authentication set method = form
Job authentication set parameters = {ommited}
Job verification set method = response
Job verification set loggedInRegex = body_onload();submitInitForm('1');UserLogin('','1');
Job verification set loggedOutRegex = <a href="JavaScript:Navigate('Login')"> <span id=>Click Here to Login</span></a>
Job verification set pollFrequency = 60
Job verification set pollUnits = requests
Job verification set pollUrl =
Job verification set pollPostData =
Job sessionManagement set method = cookie
Job sessionManagement set parameters = {}
Job users set name = ADMIN
Job users set credentials = {password=, username=}
Job import set type = url
Job import set fileName = C:\Program Files\OWASP\Zed Attack Proxy\URL_List.txt
Job activeScan set context = File
Job activeScan set user = USER
Job activeScan set policy =
Job activeScan set maxRuleDurationInMins = 0
Job activeScan set maxScanDurationInMins = 0
Job activeScan set addQueryParam = true
Job activeScan set delayInMs = 0
Job activeScan set handleAntiCSRFTokens = true
Job activeScan set injectPluginIdInHeader = false
Job activeScan set scanHeadersAllRequests = true
Job activeScan set threadPerHost = 16
Job activeScan set defaultStrength = high
Job activeScan set defaultThreshold = medium
Job report set template = traditional-pdf
Job report set reportDir = C:\GitLab-Runner\builds\3qC2hysoG\
Job report set reportFile = ZAP_REPORT
Job report set reportTitle = ZAP Scanning Report
Job report set reportDescription =
Job report set displayReport = false
Job import started
Job import finished, time taken: 00:00:00
Job activeScan started
Job activeScan set default strength to HIGH
Job activeScan set default threshold to MEDIUM

thc...@gmail.com

Sep 15, 2023, 5:09:49 AM
to zaprox...@googlegroups.com
Based on that output it seems the home directory is in:
C:\WINDOWS\system32\config\systemprofile\OWASP ZAP\


Best regards.

Lia

Sep 15, 2023, 5:23:25 AM
to ZAP User Group
Oh wow! The log file is in here, thank you!

Out of curiosity, why does it appear in this path when I run it via pipeline? 
Compared to when ZAP is run locally, it is always in here: C:\Users\Local User\OWASP ZAP

thc...@gmail.com

Sep 18, 2023, 4:11:16 AM
to zaprox...@googlegroups.com
ZAP defaults to the home of the user that started ZAP, which when
running in the pipeline is that one.

Best regards.
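
Added example, not part of the original thread or of ZAP itself: a PowerShell sketch that recovers the ZAP home directory from the zap.bat line echoed in a job log, as was done by eye above, and copies zap.log into the job workspace so it can be kept as an artifact. The function names and the `zap-logs` folder are hypothetical; it assumes ZAP uses its default home under the profile of the account running the job, and that the job runs under GitLab Runner (`CI_PROJECT_DIR`).

```powershell
# Added example (not from the thread). Assumption: ZAP keeps its default home,
# the "OWASP ZAP" folder under the profile of the account that started it.

# Extract the ZAP home from saved job-log lines. zap.bat echoes the path it
# probes for .ZAP_JVM.properties, which is how the directory was found above.
function Get-ZapHomeFromJobLog {
    param([Parameter(Mandatory)][string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match 'if exist "(?<zaphome>[^"]+)\\\.ZAP_JVM\.properties"') {
            return $Matches['zaphome']
        }
    }
    return $null   # no zap.bat echo line in the input
}

# Copy zap.log from a ZAP home (default: current account's) to a destination folder.
function Copy-ZapLog {
    param(
        [string]$ZapHome = (Join-Path $env:USERPROFILE 'OWASP ZAP'),
        [Parameter(Mandatory)][string]$Destination
    )
    $log = Join-Path $ZapHome 'zap.log'
    if (-not (Test-Path -LiteralPath $log)) {
        throw "zap.log not found in '$ZapHome'"
    }
    New-Item -ItemType Directory -Force -Path $Destination | Out-Null
    Copy-Item -LiteralPath $log -Destination $Destination -Force
    return (Join-Path $Destination 'zap.log')
}

# Constructed sample: the zap.bat echo line from the job log above, shortened.
$sample = @(
    'C:\Program Files\OWASP\Zed Attack Proxy>if exist "C:\WINDOWS\system32\config\systemprofile\OWASP ZAP\.ZAP_JVM.properties" (set jvmopts=-Xmx512m )'
)
Write-Host "ZAP home seen in job log: $(Get-ZapHomeFromJobLog -Lines $sample)"

# In the pipeline job, after the scan has finished:
$who = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
Write-Host "Job account: $who; profile: $env:USERPROFILE"
if ($env:CI_PROJECT_DIR) {   # GitLab CI variable, only set inside a job
    Copy-ZapLog -Destination (Join-Path $env:CI_PROJECT_DIR 'zap-logs')
}
```

The copied folder still has to be listed under `artifacts:paths` in the job definition for GitLab to retain it.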