zap as a stage in jenkins pipeline for testing GET and POST API


Mrinal Deo

Sep 18, 2018, 5:34:54 AM
to OWASP ZAP User Group
I want to run an automated ZAP test as a Jenkins stage which should scan all the REST API endpoints, including GET, POST, PUT and PATCH.
I am able to do it from the ZAP GUI tool by adding the swagger as Open-API, but I want to have the same thing through the command line.
I tried ZAP-CLI but was unable to test POST or include the Open-API swagger in zap-cli.

Please help. It's very urgent.

kingthorin+owaspzap

Sep 18, 2018, 10:10:47 AM
to OWASP ZAP User Group
zap-cli is third party; if there are features you need, it's best to go directly to them.

Simon Bennetts

Sep 18, 2018, 10:20:08 AM
to OWASP ZAP User Group
Have you tried using the API scan script directly from Jenkins? https://github.com/zaproxy/zaproxy/wiki/ZAP-API-Scan

Anil r

Sep 18, 2018, 2:50:21 PM
to zaprox...@googlegroups.com
Simon,

If that target URL is 2-way SSL enabled, then how can we add that certificate to the trust store?

In the ZAP UI I was able to import that certificate into the trust store and it worked there, but how can I achieve the same when I am using scripts in Jenkins?


Mrinal Deo

Sep 19, 2018, 3:11:57 AM
to OWASP ZAP User Group
Hi Simon,

I have tried ZAP-API-SCAN and it is working as expected for openAPI URLs which are not 2-way-SSL enabled.
What configurations are needed to enable ZAP-API-scan to access a 2-way-SSL enabled openAPI URL?

Also, when I ran the command "docker run -t owasp/zap2docker-weekly zap-api-scan.py -t <openAPI URL> -f openapi -J result_json",
it threw an error saying zap/wrk is not mounted. Assuming the wrk directory needed to be created, I manually created the wrk directory inside the container and then it did work.
So, can we not have the result saved directly to a JSON file / displayed directly in the console in JSON format without running another command to create a "wrk" directory inside zap, or can the wrk directory be created as part of owasp/zap2docker-weekly?

To sum it up, we need help with the two things mentioned below:
  1. How to get access to a 2-way-SSL enabled openAPI URL.
  2. How to display the scan results directly in the console in JSON format.

Thanks,
Mrinal Deo

Simon Bennetts

Sep 19, 2018, 3:35:43 AM
to OWASP ZAP User Group
The 'wrk' directory is covered in the Baseline scan page linked off the API scan page: https://github.com/zaproxy/zaproxy/wiki/ZAP-Baseline-Scan

If you use 'file' params then you need to mount the directory those files are in or will be generated in, e.g.

docker run -v $(pwd):/zap/wrk/:rw -t owasp/zap2docker-stable zap-baseline.py \
    -t https://www.example.com -g gen.conf -r testreport.html

We still have a PR open for adding a client cert via the command line: https://github.com/zaproxy/zaproxy/pull/4892
I'll see if I can get that progressed...

Mrinal Deo

Sep 19, 2018, 9:27:41 AM
to OWASP ZAP User Group
Hi Simon,

Thanks for your quick reply, Simon. I have followed your suggestion and now I am getting the errors below:
zap-api-scan.py -d -t ______https://mytargetUrl/swagger.json -f openapi -J result_json
13:12:49 2018-09-19 13:12:43,538 Target: ______mytargetUrl/swagger.json
13:12:49 2018-09-19 13:12:43,538 Could not find custom hooks file at /home/zap/.zap_hooks.py 
13:12:49 2018-09-19 13:12:43,538 Trigger hook: cli_opts, args: 1
13:12:49 2018-09-19 13:12:43,538 Using port: 57987
13:12:49 2018-09-19 13:12:43,538 Trigger hook: start_zap, args: 2
13:12:49 2018-09-19 13:12:43,538 Starting ZAP
13:12:49 2018-09-19 13:12:43,538 Params: ['zap-x.sh', '-daemon', '-port', '57987', '-host', '0.0.0.0', '-config', 'api.disablekey=true', '-config', 'api.addrs.addr.name=.*', '-config', 'api.addrs.addr.regex=true', '-addonupdate', '-addoninstall', 'pscanrulesBeta']
13:12:53 Sep 19, 2018 1:12:46 PM java.util.prefs.FileSystemPreferences$1 run
13:12:53 INFO: Created user preferences directory.
13:12:56 2018-09-19 13:12:49,597 ZAP Version D-2018-09-17
13:12:56 2018-09-19 13:12:49,597 Took 6 seconds
13:12:56 2018-09-19 13:12:49,598 Trigger hook: zap_started, args: 2
13:12:56 2018-09-19 13:12:49,610 Trigger hook: importing_openapi, args: 2
13:12:56 2018-09-19 13:12:49,610 Import OpenAPI URL ______mytargetUrl/swagger.json
13:13:05 2018-09-19 13:12:58,143 Number of Imported URLs: 9
13:13:05 2018-09-19 13:12:58,143 Import warnings: [u"attribute paths.'/api/api1'(post).[body].type is unexpected", u"attribute paths.'/api/api2'(post).[body].type is unexpected", u"attribute paths.'/api/api3'(post).[body].type is unexpected", u"attribute paths.'/api/api4'(post).[body].type is unexpected", u"attribute paths.'/api/api5'(post).[body].type is unexpected", u"attribute paths.'/api/api6'(post).[body].type is unexpected"]
13:13:05 2018-09-19 13:12:58,143 Normalised target from ______mytargetUrl/swagger.json to mytargetUrl/
13:13:05 2018-09-19 13:12:58,143 Trigger hook: zap_active_scan, args: 3
13:13:05 2018-09-19 13:12:58,143 Active Scan ______mytargetUrl/ with policy API-Minimal
13:13:10 2018-09-19 13:13:03,161 Unexpected error: <type 'exceptions.ValueError'>
13:13:10 Traceback (most recent call last):
13:13:10   File "/zap//zap-api-scan.py", line 420, in main
13:13:10     zap_active_scan(zap, target, scan_policy)
13:13:10   File "/zap/zap_common.py", line 84, in _wrap
13:13:10     return_data = func(*args_list, **kwargs)
13:13:10   File "/zap/zap_common.py", line 398, in zap_active_scan
13:13:10     while(int(zap.ascan.status(ascan_scan_id)) < 100):
13:13:10 ValueError: invalid literal for int() with base 10: 'Does Not Exist'
13:13:10 2018-09-19 13:13:03,162 Failed to find zap_log /zap/zap.out
13:13:10 2018-09-19 13:13:03,162 Trigger hook: pre_exit, args: 3
13:13:10 ERROR <type 'exceptions.ValueError'> 


I tried debugging the error and here is my analysis:


From the above line, control goes to the zap_active_scan method and I am getting the error at this line (https://github.com/zaproxy/zaproxy/blob/develop/docker/zap_common.py#L398).

Here, when it is trying to convert ascan_scan_id to an integer, it throws the error mentioned above.
I believe ascan_scan_id is not getting populated.

Can you please help me resolve this issue?

Thanks,
Mrinal 

Mrinal Deo

Sep 20, 2018, 2:48:09 AM
to OWASP ZAP User Group
Can anyone help on this? It's very urgent.

Simon Bennetts

Sep 20, 2018, 3:10:32 AM
to OWASP ZAP User Group
That should give you more information about what went wrong.

Cheers,

Simon

Anil r

Sep 24, 2018, 9:58:22 AM
to OWASP ZAP User Group
Hi Simon,

When I looked at the logs, this is what I found:

INFO org.zaproxy.zap.DaemonBootstrap  - ZAP is now listening on 0.0.0.0:55458
12:13:42 6568 [ZAP-Import-OpenAPI-1] WARN org.zaproxy.zap.extension.openapi.ExtensionOpenApi  - attribute paths.'/api/get-invoice-details'(post).[body].type is unexpected
12:13:42 6579 [ZAP-ProxyThread-8] WARN org.zaproxy.zap.extension.api.API  - Bad request to API endpoint [/JSON/ascan/action/scan/] from [0:0:0:0:0:0:0:1]:
12:13:42 Does Not Exist (does_not_exist) : scanPolicyName
12:13:42 	at org.zaproxy.zap.extension.ascan.ActiveScanAPI.handleApiAction(ActiveScanAPI.java:280)
12:13:42 	at org.zaproxy.zap.extension.api.API.handleApiRequest(API.java:441)
12:13:42 	at org.parosproxy.paros.core.proxy.ProxyThread.processHttp(ProxyThread.java:456)
12:13:42 	at org.parosproxy.paros.core.proxy.ProxyThread.run(ProxyThread.java:318)
12:13:42 	at java.lang.Thread.run(Thread.java:748)
12:13:42 11590 [ZAP-ProxyThread-9] WARN org.zaproxy.zap.extension.api.API  - Bad request to API endpoint [/JSON/ascan/view/status/] from [0:0:0:0:0:0:0:1]:
12:13:42 Does Not Exist (does_not_exist) : scanId
12:13:42 	at org.zaproxy.zap.extension.ascan.ActiveScanAPI.getActiveScan(ActiveScanAPI.java:651)
12:13:42 	at org.zaproxy.zap.extension.ascan.ActiveScanAPI.handleApiView(ActiveScanAPI.java:824)
12:13:42 	at org.zaproxy.zap.extension.api.API.handleApiRequest(API.java:459)
12:13:42 	at org.parosproxy.paros.core.proxy.ProxyThread.processHttp(ProxyThread.java:456)
12:13:42 	at org.parosproxy.paros.core.proxy.ProxyThread.run(ProxyThread.java:318)
12:13:42 	at java.lang.Thread.run(Thread.java:748)

I am not getting any error when I run the same docker command locally. Can you please help here?

Simon Bennetts

Sep 26, 2018, 7:13:59 AM
to OWASP ZAP User Group
The 'Does Not Exist (does_not_exist) : scanPolicyName' message is a bit of a clue ;)

My guess is that you have the scan policy file locally but you have not added it to the Docker container, so it's not accessible.
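Putting the thread's two fixes together (mount the working directory as /zap/wrk so the -J file and any policy file are visible inside the container, then read the JSON report instead of manually creating wrk), here is an added example of a Jenkins stage helper; it is not ZAP project code. It assumes the image, script and flags quoted in the thread (owasp/zap2docker-weekly, zap-api-scan.py -t/-f/-J) and the classic ZAP JSON report layout of a "site" list whose "alerts" carry a string "riskcode" of 0-3; the helper names and the report file name result.json are mine.

```python
"""Jenkins stage helper: run zap-api-scan.py in Docker with /zap/wrk mounted,
then gate the build on the JSON report it writes. Example code, not part of
the ZAP project."""
import json
import subprocess
from pathlib import Path

# riskcode values in the ZAP JSON report are "0".."3" (assumed report layout)
RISK_ORDER = ["Informational", "Low", "Medium", "High"]


def build_scan_command(work_dir, target_url, report_name="result.json",
                       image="owasp/zap2docker-weekly"):
    """Docker argv for the scan. work_dir is bind-mounted as /zap/wrk so the
    -J file parameter resolves inside the container; without the mount the
    script reports that zap/wrk is not mounted. A scan policy or config file
    you pass to the script must also live in work_dir for the same reason."""
    work = Path(work_dir).resolve()
    if not work.is_dir():
        raise FileNotFoundError(f"{work} must exist before the scan starts")
    return ["docker", "run", "--rm", "-v", f"{work}:/zap/wrk/:rw", "-t", image,
            "zap-api-scan.py", "-t", target_url, "-f", "openapi",
            "-J", report_name]


def summarize_alerts(report):
    """Count alerts per risk level in a parsed ZAP JSON report (-J output)."""
    counts = {name: 0 for name in RISK_ORDER}
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            code = int(alert.get("riskcode", 0))
            counts[RISK_ORDER[min(max(code, 0), 3)]] += 1
    return counts


def gate_passes(counts, fail_on="High"):
    """True when no alert sits at or above the fail_on risk level."""
    return all(counts[n] == 0 for n in RISK_ORDER[RISK_ORDER.index(fail_on):])


def run_stage(work_dir, target_url, fail_on="High"):
    """Stage body: run the scan, then decide from the report rather than from
    the script's exit code, which is also non-zero for mere warnings."""
    rc = subprocess.call(build_scan_command(work_dir, target_url))
    print(f"zap-api-scan.py exit code: {rc}")
    report = json.loads((Path(work_dir) / "result.json").read_text())
    counts = summarize_alerts(report)
    print("alerts by risk:", counts)
    return gate_passes(counts, fail_on)


if __name__ == "__main__":
    import sys
    # usage: python3 zap_stage.py <work_dir> <openapi_url>
    sys.exit(0 if run_stage(sys.argv[1], sys.argv[2]) else 1)
```

From a Jenkinsfile the stage is just `sh 'python3 zap_stage.py "$WORKSPACE" https://<host>/swagger.json'`, and result.json lands in the workspace for archiving.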