Zap Scan Report is displaying Zero Alerts while running on a Pod


Rachit Tirthani

Apr 8, 2021, 8:31:38 AM
to OWASP ZAP User Group
Hi Team,

We have set up ZAP and Selenium Grid in a Pod/container (Ubuntu). Using Jenkins, we are triggering Selenium scripts and ZAP is scanning the application in a container.

The problem is that we are getting a report with zero alerts once the scan is completed, whereas when we scan the same application on our local Windows machine, we get a couple of alerts in the report.

Please suggest if we are missing anything.

Thanks,
Rachit

Simon Bennetts

Apr 8, 2021, 8:55:44 AM
to OWASP ZAP User Group
I can tell you what we are missing - more information :)
It's impossible for us to tell what's going on without knowing a lot more.
Do you know if ZAP can even access your application from Jenkins?
Is there any difference in time between the 2 scans?
Is there a difference in the number of URLs found in each case?
Is ZAP set up in the same way in each case?

Cheers,

Simon

Rachit Tirthani

Apr 9, 2021, 6:39:12 AM
to OWASP ZAP User Group
Please find the details below:

Do you know if ZAP can even access your application from Jenkins?

Yes, ZAP can be accessed via Jenkins. Before moving to Pod/Container, we had our ZAP installed in a VM and we were accessing it via Jenkins. Jenkins was triggering the Selenium scripts, which in turn were scanning the application on the virtual machine. Reports were getting generated with the expected alerts. But now we have moved to containers (Ubuntu OS); while executing the jobs in Jenkins we are able to see that the scan is happening, but the issue is that reports are getting generated with zero alerts.

Is there any difference in time between the 2 scans?

Yes, there is a difference. Both are scanned at different times. The one in local Windows (UI based) is always giving correct results, but the one in the POD gives the same report with zero alerts every time.
Command used for the Pod one:
./zap.sh -daemon -host 0.0.0.0 -port 8082 -config api.addrs.addr.name=.* -config api.addrs.addr.regex=true -config api.disablekey=true

Is there a difference in the number of URLs found in each case?

No. Both are the same. Checked in the ZAP log file.

Is ZAP set up in the same way in each case?
For the POD, we are using a Docker image. Here is the command:
owasp/zap2docker-stable
./zap.sh -daemon -host 0.0.0.0 -port 8082 -config api.addrs.addr.name=.* -config api.addrs.addr.regex=true -config api.disablekey=true
In the 2nd case, we are using ZAP on a Windows machine.

Simon Bennetts

Apr 12, 2021, 4:58:20 AM
to OWASP ZAP User Group
By "difference in time" I meant "Is there a significant difference in the length of time for each scan?"
If one scan takes one minute and the other takes one hour then that tells us something :)

How are you controlling ZAP?
Is it via custom script, the Jenkins plugin or ?

Cheers,

Simon

Rachit Tirthani

Apr 12, 2021, 8:36:29 AM
to zaprox...@googlegroups.com
The time taken for both scans is almost the same (5 to 6 min). One was done on the local Windows machine and the other in the POD (Ubuntu) using Jenkins.

We are controlling ZAP via a custom Selenium script and not via plugins.

--
-Regards,
Rachit Tirthani

Rachit Tirthani

Apr 14, 2021, 5:59:38 AM
to zaprox...@googlegroups.com
Hi Simon,

Please share if you have any idea about the mentioned issue (Zero alerts in the report). We are stuck because of this.

Thanks,
Rachit
--
-Regards,
Rachit Tirthani

Simon Bennetts

Apr 16, 2021, 6:12:56 AM
to OWASP ZAP User Group
Hi Rachit,

Which report API are you using?
If you call the alert/view/alertCountsByRisk endpoint what do you get?
Ditto core/view/urls/ - do you get the URLs you are expecting to see?

Must admit I'm a bit puzzled by this.
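
The two checks asked for in the last message, as an added example that is not part of the thread: it reads alert/view/alertCountsByRisk and core/view/urls from the ZAP daemon and separates "ZAP never saw the application" from "traffic was recorded but no alerts were raised" from "alerts exist, so the report step is the suspect". The reply shapes, the application URL and the verdict names are assumptions; port 8082 and the disabled API key come from the command line posted above.

```python
import json
import sys
import urllib.request


def zap_view(base, path):
    """GET one ZAP JSON API view, e.g. 'alert/view/alertCountsByRisk'."""
    with urllib.request.urlopen(f"{base}/JSON/{path}/", timeout=10) as resp:
        return json.load(resp)


def diagnose(counts, urls, app_prefix):
    """Return (verdict, urls_seen, alert_total) for a 'zero alerts' run.

    Assumed reply shapes: counts maps risk name -> number,
    urls is {"urls": [...]}.
    """
    seen = sum(1 for u in urls.get("urls", []) if u.startswith(app_prefix))
    total = sum(int(n) for n in counts.values())
    if seen == 0:
        verdict = "no-traffic"    # ZAP never recorded the application
    elif total == 0:
        verdict = "no-alerts"     # traffic recorded, nothing raised
    else:
        verdict = "report-step"   # alerts exist; look at report generation
    return verdict, seen, total


# Constructed sample replies, not output from a real scan.
SAMPLE_COUNTS = {"High": 0, "Medium": 0, "Low": 0, "Informational": 0}
SAMPLE_URLS = {"urls": ["https://app.example.test/",
                        "https://app.example.test/login"]}

if __name__ == "__main__":
    app = "https://app.example.test/"   # hypothetical application URL
    if len(sys.argv) > 1:               # e.g. http://127.0.0.1:8082
        counts = zap_view(sys.argv[1], "alert/view/alertCountsByRisk")
        urls = zap_view(sys.argv[1], "core/view/urls")
    else:
        counts, urls = SAMPLE_COUNTS, SAMPLE_URLS
    print(diagnose(counts, urls, app))
```

Run it from the Jenkins job after the Selenium scripts finish and before the report is requested, passing the daemon address as the first argument.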