Zap Baseline Scan Progress File and report


Marcel R.

May 5, 2021, 7:24:47 AM
to OWASP ZAP User Group
Hello,

I am using ZAP in GitLab in a yml file with Docker, and I have a progress file in which I have my findings that are in progress. I now have some questions:

1) How do I write more URLs with the same topic in this progress file? Like Vulnerable JS Library [10003] x 4. I have 4 URLs, but in the progress file the syntax looks like this: https://www.zaproxy.org/docs/docker/baseline-scan/
And it only marks 1 of these 4 URLs as in progress; how do I get the other 3 URLs?
I tried to just do this 4 times with different URLs, but then the pipeline crashes.

2) How can I exclude these things from my generated report so that the report only shows me the other things? These progress file marks only show up in the GitLab pipeline log.

3) In my GitLab pipeline I can see that ZAP sometimes has 10 or more findings in some topics, and in my generated report it says 3 findings in that topic. How is that possible?

I hope someone can help me out on this :-)

Thanks,
Marcel

Simon Bennetts

May 5, 2021, 9:02:52 AM
to OWASP ZAP User Group
Hi Marcel,

One of the known problems with the packaged scans is that the alerts are processed outside of ZAP.
This means that ZAP knows nothing about exclusions, in-progress items etc., and so the report will differ from the packaged scan output.
That's one of the reasons why we're working on the new Automation Framework.
That will handle everything inside ZAP and so will not suffer from these problems.
We will be migrating the packaged scans to use the Automation Framework in the coming weeks (and maybe months).
This does mean that we will probably not be fixing any existing issues with the packaged scans as they stand unless they cause significant problems for people.

Cheers,

Simon

AJ

Mar 21, 2022, 4:17:58 PM
to OWASP ZAP User Group
Hey Simon, 

I see there hasn't been any follow-up on this issue. Any updates on whether progress files and updating the report output to in-progress were looked at for the Automation Framework updates?

We ran into similar issues with exceptions via OUTSCOPE; however, the alert hook has been implemented to update the confidence level. If not the Automation Framework, has assigning a new confidence level for in-progress work been explored? The confidence ratings here do not show an in-progress option available as of writing this: https://www.zaproxy.org/docs/desktop/ui/dialogs/addalert/

Thanks, 

AJ

Simon Bennetts

Mar 22, 2022, 1:52:08 PM
to OWASP ZAP User Group
Sorry, too much to do and not enough time :/
So no progress on progress files I'm afraid.
The Automation Framework is still our intended direction but we are also juggling lots of other things.
The AF does now support the alertFilter job which allows you to change the confidence: https://www.zaproxy.org/docs/desktop/addons/alert-filters/automation/

Cheers,

Simon
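As an added illustration of the alertFilter job Simon links above (this is not code from the thread or from the ZAP project's docs): an Automation Framework plan fragment that lowers every Vulnerable JS Library [10003] alert under one path prefix with a single regex entry, instead of repeating the rule once per URL as Marcel tried in the progress file. The site `https://app.example.test`, the context name, the `/static/` path and the report paths are constructed placeholders; the job and field names are those of the alertFilter, passiveScan-config and report jobs as documented for the Automation Framework.

```yaml
# Added example, not from the thread. Site, context name and paths are
# constructed placeholders; rule 10003 comes from Marcel's original question.
env:
  contexts:
    - name: "example-context"
      urls:
        - "https://app.example.test"        # constructed placeholder site
  parameters:
    failOnError: true
    progressToStdout: true

jobs:
  - type: passiveScan-config
    parameters:
      maxAlertsPerRule: 0                   # 0 = no cap, so every instance is kept
  - type: spider
    parameters:
      context: "example-context"
  - type: passiveScan-wait
  - type: alertFilter
    parameters:
      deleteGlobalAlerts: false
    alertFilters:
      # One regex entry covers all bundled scripts under /static/, so the
      # four URLs Marcel mentions do not need four separate entries.
      - ruleId: 10003
        newRisk: "False Positive"
        url: "https://app\\.example\\.test/static/.*\\.js"
        urlRegex: true
  - type: report
    parameters:
      template: "traditional-html"
      reportDir: "/zap/wrk"                 # constructed placeholder path
      reportFile: "zap-report"
```

Because the filter is applied inside ZAP, the report job sees the lowered risk; the report job's `risks` list can then be narrowed so that lowered alerts drop out of the delivered report. This is a workaround, not an "in progress" state: the alert is re-rated rather than tracked, so the regex should stay as narrow as the known-affected paths, and the entry should be removed once the library is updated, or the finding will stay hidden after it has become real again.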

AJ

Mar 22, 2022, 4:46:54 PM
to OWASP ZAP User Group
Hey Simon, 

No worries, thanks for the response. Are you saying that for now we could treat anything defined in the progress file by modifying the alert filter to be "False Positive"? At least until there is an official "in-progress" designation within the AF or other planned functionality?

Thanks, 

AJ

kingthorin+owaspzap

Mar 22, 2022, 4:52:19 PM
to OWASP ZAP User Group
If you're trying to designate alerts as being worked on you could tag them via Alert Tags.

AJ

Mar 22, 2022, 5:07:35 PM
to OWASP ZAP User Group
That's an interesting idea. Are you referring to this here? https://www.zaproxy.org/docs/desktop/start/features/alerts/

Does the alert override modification reflect in the security report output as well? Looks interesting. 

Thanks, 

AJ

kingthorin+owaspzap

Mar 22, 2022, 6:45:26 PM
to OWASP ZAP User Group
Alert Overrides will change the report output; however, obviously you need to have them in place before running the scan. More here: OWASP ZAP – Customize Alert Details (zaproxy.org)

As for Alert Tags, I meant this functionality: OWASP ZAP – Add Alert dialog (zaproxy.org)
