Urgent Help - running zap.bat not finishing in CICD pipeline

Lia

Sep 27, 2023, 12:12:13 AM
to ZAP User Group
Hi there,

I tried running .\zap.bat in CICD pipeline. But after the scan completes, the job just keeps loading with the three dots at the left

My gitlab-ci.yml script only contains this:

script:
    - cd "C:\Program Files\OWASP\Zed Attack Proxy\"  
    - .\zap.bat -cmd -config network.connection.timeoutInSecs=180 -config rules.domxss.browserid=chrome-headless -autorun file.yaml -session "C:\\Users\\Local User\\OWASP ZAP\\sessions\\template.session"


after_script: 
    - echo "after script here!"


I have tried running the .yml file without the zap.bat command and the job can finish running.
So I do not think it is a runner problem.

However, when I check the end of the zap.log file, I saw that ZAP has been terminated:

[main ] INFO  CommandLineBootstrap - OWASP ZAP 2.13.0 terminated.

Please advise how I can run zap.bat in CICD. I don't see anybody else having this problem in the user group.

Thanks in advance!

Lia

Sep 27, 2023, 2:24:27 AM
to ZAP User Group
Attaching the image here as it seems like the image is not appearing in the previous message.
job-log.png

Simon Bennetts

Sep 27, 2023, 4:15:09 AM
to ZAP User Group
How long are you waiting for ZAP to exit?
Would it be possible to get a thread dump of the ZAP process?

Many thanks,

Simon

Lia

Sep 27, 2023, 4:46:23 AM
to ZAP User Group
Hi Simon,

Thanks for the reply.

I think the longest I waited for the runner to finish is around 500+ minutes.

But the thing is, if I run another command after the zap.bat command, it gets executed but then the runner just keeps loading and does not finish.
If you see the screenshot that I attached in the previous message, the job log shows that it is running the "echo" command and it stops there.

At first I thought it was the self-hosted runner's issue, but when I took out the "zap.bat" command from my script, it can execute and finish the job successfully.

About the thread dump of ZAP process, I'm not sure how to get it.
Can I trouble you to tell me how to get it?

Simon Bennetts

Sep 27, 2023, 5:20:30 AM
to ZAP User Group
As you are running on Windows see https://access.redhat.com/solutions/19170

Cheers,

Simon

Lia

Sep 27, 2023, 7:31:06 AM
to ZAP User Group
Hi Simon,

Thank you for the suggestion.

I have referred to the link and changed my pipeline script as below:

script:
    - cd "C:\Program Files\OWASP\Zed Attack Proxy\"  
    - .\zap.bat -cmd -config network.connection.timeoutInSecs=180 -config rules.domxss.browserid=chrome-headless -autorun Template8.yaml -session "C:\\Users\\Local User\\OWASP ZAP\\sessions\\template8\\template8.session" > C:\MyLogs\console.log 2>&1
    - echo "after zap.bat done"

after_script: 
    - echo "after script here!"

However, the job is still loading and does not finish.
99443e5a-9cfd-4f94-87d8-cdbc405f16fb.jpg

Attached is the console.log with sensitive info removed. I noticed that the content is just the same as the cmd output when running zap.bat locally.
Any ideas why the job does not finish running?

Many thanks!
console.log

Lia

Sep 27, 2023, 10:27:55 PM
to ZAP User Group
Hi Simon,

Sorry for the previous message, I realized I have to press on certain keys to trigger the thread dump process.
Here is the console log when I run the zap scan locally on my laptop.

When I try pressing the keys again when I'm running via the CICD pipeline, there is no thread dump recorded in the console.log file, so the content is the same as the previous file that I sent.

Appreciating any help/advice on this.
Thank you.

console (1).log

Simon Bennetts

Sep 28, 2023, 8:02:47 AM
to ZAP User Group
It looks like ZAP was still initialising when you created the thread dump.
Can you try again when the Automation Framework plan should have finished?

Cheers,

Simon

Lia

Sep 28, 2023, 8:59:20 AM
to ZAP User Group
Hi Simon,

Do you mean to only trigger the thread dump after the scanning is completed?
Because for the previous one, I triggered it when the scan was starting and only copied the file to here after the scan had completed.

Thanks.

Simon Bennetts

Sep 28, 2023, 9:15:23 AM
to ZAP User Group
Yes, after the scanning is completed.
You've reported that ZAP is not exiting after an AF plan has finished running.
If the AF plan has not finished running then the thread dump tells us nothing useful.
We want to see which thread(s) is stopping ZAP from exiting once the plan should have been completed.

Cheers,

Simon

Lia

Sep 28, 2023, 1:13:28 PM
to ZAP User Group
Hi Simon,

Thanks for the detailed explanation.

In case of any misunderstanding, the issue I am currently having is that the CICD job is stuck/keeps loading when running the zap.bat command via a self-hosted runner. I also mentioned previously that after the scan is complete I am able to see that ZAP is terminated via the zap.log file:

[main ] INFO  CommandLineBootstrap - OWASP ZAP 2.13.0 terminated.

I have tried running the scan again in the pipeline, but to trigger the thread dump process I would have to press certain keys on the keyboard.
It does not work, as I do not see any thread dump process appearing in the console.log file.
I think it might be because the GitLab pipeline is in a browser window instead of a console like CMD.

The issue of the CICD job not finishing/keeps loading only happens when I run it via pipeline. 
But I am not able to trigger the thread dump.
Is there any other way I am able to provide you with the material you need?

Many thanks.
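
A thread dump can also be requested without keyboard input, which is the obstacle described in the message above. The PowerShell below is an added example, not part of the thread and not ZAP's own tooling; it assumes a JDK's `jcmd` is on PATH on the runner host, that `C:\MyLogs` exists, and that the ZAP JVM's command line contains "zap".

```powershell
# Added example (not from the thread): dump the threads of a running ZAP JVM
# without keyboard input, once the Automation Framework plan should have finished.
# Assumptions: jcmd.exe from a JDK is on PATH; C:\MyLogs exists (the directory
# used for console.log in the thread); the ZAP JVM's command line contains "zap".
$outDir = 'C:\MyLogs'

if (-not (Get-Command jcmd -ErrorAction SilentlyContinue)) {
    throw 'jcmd not found on PATH; it ships with the JDK.'
}

# Win32_Process exposes the full command line, so the ZAP JVM can be told
# apart from other Java processes on the runner.
$zapJvms = @(Get-CimInstance Win32_Process -Filter "Name = 'java.exe' OR Name = 'javaw.exe'" |
    Where-Object { $_.CommandLine -match 'zap' })

if ($zapJvms.Count -eq 0) {
    # Nothing to dump: no matching JVM is running any more.
    Write-Output 'No running ZAP JVM found.'
    return
}

foreach ($jvm in $zapJvms) {
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $file  = Join-Path $outDir ("zap-threads-{0}-{1}.txt" -f $jvm.ProcessId, $stamp)

    # Thread.print -l includes lock information; jcmd must run as the same
    # user as the target JVM.
    & jcmd $jvm.ProcessId Thread.print -l 2>&1 | Out-File -FilePath $file -Encoding utf8
    Write-Output "Thread dump for PID $($jvm.ProcessId) written to $file"
}
```

Run it from a separate PowerShell session on the runner host, as the account the runner uses, while the job is still showing as running.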

Lia

Oct 1, 2023, 4:55:01 AM
to ZAP User Group
Hi there,

Just want to follow up if there is anything that can be done for this issue? I tried calling zap.bat from another .bat file in the CICD pipeline and putting an EXIT script, but the runner is still stuck and not finishing normally in the pipeline.

Would really appreciate any help/advice on this matter.