ZAP API - JSON report for a specific site


Sam Hourai

Feb 1, 2022, 8:28:27 AM
to OWASP ZAP User Group
Hello,

I'm very new to ZAP and the question I'm going to ask may be silly but I use ZAP API to scan various websites and when I generate the report json like this :

import requests

# apiKey holds the ZAP API key
headers = {
    'Accept': 'application/json',
    'X-ZAP-API-Key': apiKey
}
vulnResult = requests.get('http://localhost:8090/OTHER/core/other/jsonreport/', params={}, headers=headers)
vulnResult = vulnResult.json()

All the sites are present in the report. Is there a way to "filter" (or clear) this report so that there is only one site present in the report directly from the api or do I have to process it afterwards in python?

Thank you !

Simon Bennetts

Feb 1, 2022, 8:40:27 AM
to OWASP ZAP User Group
Hi Sam,

Welcome aboard, and don't worry about asking "silly" questions - they're never really silly!

You are using the "old" ZAP reports which are quite limited.
We have a new reporting add-on which has its own API endpoints: https://www.zaproxy.org/docs/desktop/addons/report-generation/api/

The JSON report that it generates does allow you to just report on one site.

Cheers,

Simon

Sam Hourai

Feb 1, 2022, 10:39:22 AM
to OWASP ZAP User Group
Thank you very much I will take a look at that ! 

Sam Hourai

Feb 1, 2022, 12:17:23 PM
to OWASP ZAP User Group
Hey Simon it's me again ^^
I struggle to use this addon,
I managed to install and import it but I can't use it and I don't see any examples in the documentation :/
Could you help me ?
Here is what I do:

from zapv2 import ZAPv2, reports

result = reports.generate("reportTitle.json","report.json" )

And here is the error I got :
generate() missing 1 required positional argument: 'template'

But I don't even know if that's the way to do it?
Again, I'm a student, I'm new to python and I'm even more new to Owasp Zap so sorry if this is something stupid to ask

Thank you! 

Sam Hourai

Feb 3, 2022, 7:28:18 AM
to OWASP ZAP User Group
Hi Simon, sorry to bother you but it still doesn't work, any idea?
Thank you !

Simon Bennetts

Feb 3, 2022, 7:30:56 AM
to OWASP ZAP User Group
No idea at all :)
But that's because all you've told me is that "it doesn't work" ;)
What have you tried?
In what way does it not work?
I'm not a mind reader ...

Cheers,

Simon

Simon Bennetts

Feb 3, 2022, 7:35:20 AM
to OWASP ZAP User Group
Although to be fair you did say more in your previous message :P

First up - try using the ZAP Desktop if you can - that way you can play around with the reporting much more easily.
Then try using the API UI - point your browser at the host and port ZAP is listening on, then you can interact with the API that way and see what you need to specify for the calls.

Cheers,

Simon

psiinon

Feb 3, 2022, 7:56:33 AM
to zaprox...@googlegroups.com
Yes, I did see that after my first post, hence the second one :)
And the advice in the second one still stands - try it in the ZAP desktop then the ZAP API UI...

On Thu, Feb 3, 2022 at 12:38 PM Sam Hourai <samh...@gmail.com> wrote:
Maybe you haven't seen that I replied with this yesterday :

"
I struggle to use this addon,
I managed to install and import it but I can't use it and I don't see any examples in the documentation :/
Could you help me ?
Here is what I do:

from zapv2 import ZAPv2, reports

result = reports.generate("reportTitle.json","report.json" )

And here is the error I got :
generate() missing 1 required positional argument: 'template'

But I don't even know if that's the way to do it?
Again, I'm a student, I'm new to python and I'm even more new to Owasp Zap so sorry if this is something stupid to ask
"

Thank you ! 


--
OWASP ZAP Project leader

Sam Hourai

Feb 3, 2022, 9:04:07 AM
to OWASP ZAP User Group
I finally made it!
What is unfortunate is that it generates a file and does not send the data directly in response to the requests.
But opening it afterwards, no problem.
I'm posting the solution in case it helps someone someday:

import json
import requests

# The post showed only the function body; the name getJsonReport is illustrative.
def getJsonReport(apiKey, target):
    # Get JSON report
    headers = {
        'Accept': 'application/json',
        'X-ZAP-API-Key': apiKey
    }

    # Generate a report that covers only the site in `target`
    generateFile = requests.get('http://localhost:8090/JSON/reports/action/generate/', params={
        'title': 'reportTitle',
        'template': 'traditional-json',
        'sites': target,
        'reportFileName': 'jsonreport'
    }, headers=headers)

    # Response = {'generate': '/home/user/jsonreport.json'}
    generateFile = generateFile.json()
    jsonreportPath = generateFile['generate']
    # Open file and save json data into vulnResult
    with open(jsonreportPath) as json_file:
        vulnResult = json.load(json_file)

    return vulnResult

Thank you very much again!

Simon Bennetts

Feb 3, 2022, 10:27:10 AM
to OWASP ZAP User Group
No problem - good to hear it's working for you and thanks for sharing the solution :)

Garrison

May 11, 2022, 1:55:17 PM
to OWASP ZAP User Group
Sorry to resurrect this thread, but once the report is generated from the new API (reports/action/generate) is there a way to download the file through an API? I'm running ZAP as a daemon under docker and controlling it remotely from our build environment and can't find a good way of retrieving the reports once they are generated. Am I missing something obvious?

Thanks!

Sean

May 9, 2023, 6:20:16 PM
to OWASP ZAP User Group
Same! I can't figure out how to generate only the report from one site. What would the config be with docker? -config api.action.generate....I am lost trying to figure this one out. I can obviously do this in the GUI but I'm having a hell of a time trying to figure this out with docker and the api. 

I'm about here:

docker run -d -p 8080:8080 -v /opt/ZAP_TEST/gui_tests/:/zap/wrk/:rw --name zap-container owasp/zap2docker-stable zap.sh -daemon -port 8090 -host 0.0.0.0 -configfile /zap/wrk/cli_config -autorun /zap/wrk/spider.yaml -newsession /zap/wrk/target.session -addoninstall spiderAjax -addoninstall spider

add -config api? Appreciate the help.

thc...@gmail.com

May 10, 2023, 7:44:35 AM
to zaprox...@googlegroups.com
That's not yet possible, there's an issue tracking that:
https://github.com/zaproxy/zaproxy/issues/7821


You would have to retrieve it by other means.

Best regards.

thc...@gmail.com

May 10, 2023, 7:45:10 AM
to zaprox...@googlegroups.com
You would have to use the ZAP API, it's described in:
https://www.zaproxy.org/docs/desktop/addons/report-generation/api/

Best regards.
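
Added example, not part of any post in this thread and not ZAP project code: one way to get a single-site JSON report out of a dockerised ZAP daemon is to have the generate call write into the mounted volume and then read the file from the host side of that mount. It assumes the /opt/ZAP_TEST/gui_tests to /zap/wrk mount from the docker command above, the add-on's reportDir parameter, and that each report site's "@name" equals the site string passed in; the function names are illustrative.

```python
import json
import os
import urllib.parse
import urllib.request

ZAP_BASE = "http://localhost:8090"        # address used in the thread
CONTAINER_DIR = "/zap/wrk"                # container side of the -v mount (assumed)
HOST_DIR = "/opt/ZAP_TEST/gui_tests"      # host side of the same mount (assumed)


def generate_site_report(api_key, site, name="jsonreport", fetch=None):
    """Request a traditional-json report limited to `site`; return its host path."""
    params = {
        "title": "reportTitle",
        "template": "traditional-json",
        "sites": site,
        "reportFileName": name,
        "reportDir": CONTAINER_DIR,       # write into the mounted volume
    }
    url = f"{ZAP_BASE}/JSON/reports/action/generate/?{urllib.parse.urlencode(params)}"
    req = urllib.request.Request(
        url, headers={"Accept": "application/json", "X-ZAP-API-Key": api_key})
    # `fetch` is injectable so the function can be exercised without a live ZAP
    fetch = fetch or (lambda r: urllib.request.urlopen(r, timeout=60).read())
    return to_host_path(json.loads(fetch(req))["generate"])


def to_host_path(container_path):
    """Map the path ZAP returns to the host, refusing anything outside the mount."""
    norm = os.path.normpath(container_path)
    if os.path.commonpath([norm, CONTAINER_DIR]) != CONTAINER_DIR:
        raise ValueError(f"report written outside {CONTAINER_DIR}: {container_path}")
    return os.path.join(HOST_DIR, os.path.relpath(norm, CONTAINER_DIR))


def load_single_site(report_path, site):
    """Load the report and fail if it covers any site other than the one requested."""
    with open(report_path, encoding="utf-8") as fh:
        report = json.load(fh)
    names = [s.get("@name", "") for s in report.get("site", [])]
    if any(n.rstrip("/") != site.rstrip("/") for n in names):
        raise ValueError(f"unexpected sites in report: {names}")
    return report
```

Checking the site list after loading catches the case where the report was generated without the sites filter and findings from other scanned targets end up in a pipeline artifact.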