Location of reports created via CLI (ZAP via Docker)

Pietro Abano
Dec 18, 2022, 7:14:22 AM12/18/22
to OWASP ZAP User Group
Could someone more experienced explain where I can find the scan report if I run ZAP like this?

docker run -v /zap:/zap/wrk/:rw -t owasp/zap2docker-weekly zap-full-scan.py -t http://testphp.vulnweb.com/ -r /reports/cli-zap-report-testphp.html

As I understand it:

    /zap = is a local directory (on the host)
    /zap/wrk/ = is a directory in the running container (inaccessible after the scan)

While the scan (visible on the screen) seems to finish OK, there's nothing in the /zap local host directory, nor anywhere on the local host.
I have also tried variants such as -v $(pwd):/zap/wrk/:rw, but still I can find no results anywhere.

Thank you!

kingthorin+owaspzap
Dec 18, 2022, 7:49:10 AM12/18/22
to OWASP ZAP User Group
Per your quoted command you wrote the report to some reports directory in the root of the container, not to the mounted volume.

kingthorin+owaspzap
Dec 18, 2022, 10:04:15 AM12/18/22
to OWASP ZAP User Group
Okay so here's the scoop:

docker run -v /zap:/zap/wrk/:rw -t owasp/zap2docker-weekly zap-full-scan.py -t http://testphp.vulnweb.com/ -r /reports/cli-zap-report-testphp.html

You've mounted /zap from the host to /zap/work but then you've written to /reports/cli-zap-report-testphp.html which isn't inside /zap/work.

I'd suggest you probably want something like:
docker run -v /zap:/zap/wrk/:rw -t owasp/zap2docker-weekly zap-full-scan.py -t http://testphp.vulnweb.com/ -r /zap/work/reports/cli-zap-report-testphp.html

Then once it's complete on your host you should have: /zap/reports/cli-zap-report-testphp.html

(Assuming /zap actually exists on the host, I'm not sure how docker handles that if it doesn't exist to start with.)

> Hi,

> thank you for trying to help.
> The thing is - I don't see anything in the container either.

> Trying to find where the report is stored while ZAP is being executed, like here in /zap:

> zap@9a758cce14f9:/zap$ ls
>   CHANGELOG.md  container lang license scripts xml zap-api-scan.py  zap-full-scan.py  zap-x.sh  zap.ico  zap_common.py README db lib plugin webswing  zap-D-2022-12-13.jar  zap-baseline.py  zap-webswing.sh   zap.bat   zap.sh

>   or here in the home directory of the zap user (still inside the container):
> zap@9a758cce14f9:/home/zap$ ls -la
>   total 36
>   drwxr-xr-x 1 zap zap 4096 Dec 13 11:51 .
>   drwxr-xr-x 1 zap zap 4096 Dec 13 11:51 ..
>   drwxr-xr-x 1 zap zap 4096 Dec 13 11:51 .ZAP_D
>   -rw-r--r-- 1 zap zap  220 Mar 27  2022 .bash_logout
>   -rw-r--r-- 1 zap zap 3526 Mar 27  2022 .bashrc
>   -rw-r--r-- 1 zap zap  807 Mar 27  2022 .profile
>   drwxr-xr-x 2 zap zap 4096 Dec 13 11:53 .vnc
>   -rw-r--r-- 1 zap zap  165 Dec 13 11:54 .wget-hsts
>   -rwxr-xr-x 1 zap zap   39 Dec 13 11:51 .xinitrc

> I thought by using -v I could map the container to the local host directory and find the report there.
> Obviously I am doing something wrong as everybody else is getting the report and can find it as well.
> I'll keep trying to discover what it is.

> Anyway, thanks again.

> PA

Pietro Abano
Feb 28, 2023, 4:08:51 AM2/28/23
to OWASP ZAP User Group
OK. My fault, I seem to finally understand it; for this to work:

docker run -v /zap:/zap/wrk/:rw -t owasp/zap2docker-weekly zap-full-scan.py -t http://testphp.vulnweb.com/ -r /reports/cli-zap-report-testphp.html

it should be written like this:

docker run -v zap:/zap/wrk/:rw -t owasp/zap2docker-weekly zap-full-scan.py -t http://testphp.vulnweb.com/ -r /reports/cli-zap-report-testphp.html

where "zap" is a Docker volume (actually mapping to "/var/lib/docker/volumes/zap/_data" on the host's filesystem) and "/zap/wrk/" is the directory inside the container, which I did not have in my container.

Simon Bennetts
Feb 28, 2023, 4:18:35 AM2/28/23
to OWASP ZAP User Group
No.
The "docker run -v /zap:/zap/wrk/:rw" part is fine.
The problem is the "-r /reports/cli-zap-report-testphp.html" part.

That writes your report to "/reports" which is no longer accessible when the image finishes.
Change it to "-r /zap/wrk/cli-zap-report-testphp.html"

Cheers,

Simon

Pietro Abano
Feb 28, 2023, 3:14:12 PM2/28/23
to OWASP ZAP User Group
Yes, Simon,

you were right, thank you! At least it did work without the -r /zap/wrk/, just with plain -r cli-zap-report-testphp.html.
Anyway, in the successful scenario I mentioned above, it did work when I ran the scan via webswing in the browser: I was then saving the report manually to /home/zap (inside the container) and was then able to find it in the Docker volume on the local host.

Thank you one more time for your help.

Kindest regards,
Pietro

Simon Bennetts
Mar 1, 2023, 4:04:01 AM3/1/23
to OWASP ZAP User Group
Thanks for letting us know!
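
A small pre-flight check for the mistake discussed in this thread, added here as an example and not part of the thread or of the ZAP project: given the docker `-v` argument and the `-r` argument, it tells you where the report will land on the host, or that it will vanish with the container because it is written outside the mount. It assumes, as Pietro's last reply confirms, that a relative `-r` path is placed under /zap/wrk by the scan script, and that an absolute path is used as given; the named-volume output format is the example's own.

```shell
# Predict where a report written by zap-full-scan.py will end up on the host.
#   $1  the docker "-v" argument, HOST:CONTAINER[:options] (host path or named volume)
#   $2  the "-r" argument given to the scan script
# Prints the host location and returns 0, or explains why the file will be lost
# and returns 1. Assumption: a relative -r path is resolved inside /zap/wrk;
# an absolute -r path is taken literally as a path inside the container.
report_host_path() {
  mount_spec=$1
  report=$2
  host_side=${mount_spec%%:*}               # "/zap" or a named volume such as "zap"
  rest=${mount_spec#*:}
  container_dir=${rest%%:*}                 # strips trailing ":rw" style options
  container_dir=${container_dir%/}          # "/zap/wrk/" -> "/zap/wrk"
  host_side=${host_side%/}

  case $report in
    /*) in_container=$report ;;
    *)  in_container=/zap/wrk/$report ;;
  esac

  case $in_container in
    "$container_dir"/*) ;;                  # inside the mount: survives the container
    *)
      echo "LOST: $in_container is outside the mounted $container_dir and" \
           "disappears when the container exits" >&2
      return 1 ;;
  esac

  sub=${in_container#"$container_dir"}      # path relative to the mount point
  case $host_side in
    /*|./*|../*) echo "$host_side$sub" ;;   # bind mount of a host directory
    *) echo "docker volume '$host_side', path $sub" ;;   # named volume: see docker volume inspect
  esac
}

# The two commands from the thread: the original (report lost) and the corrected one.
report_host_path /zap:/zap/wrk/:rw /reports/cli-zap-report-testphp.html || true
report_host_path /zap:/zap/wrk/:rw cli-zap-report-testphp.html   # /zap/cli-zap-report-testphp.html
```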