Unable to use custom context file for OWASP Zap Scanner #8

Open

whulbert opened this issue May 20, 2020 · 7 comments
@whulbert

I am unable to use a custom context file for the OWASP Zap Scanner. I've been able to run the scan successfully, but was hoping to use a custom context for authentication. I created the context file locally and have tried using the file checked into a repo or downloaded using the Download secure file task, and none of these methods pulls in and uses the context file.

Here is the YAML from the OWASP Zap Scanner task:

steps:
- task: CSE-DevOps.zap-scanner.custom-build-release-task.owaspzap@1
  displayName: 'ZAP Scanner'
  inputs:
    threshold: 1000
    scantype: targetedScan
    url: 'https://my.publicsite.com/dev/'
    provideCustomContext: true
    contextPath: '$(Build.SourcesDirectory)/my-custom-context.context'
    port: 443

I'm not sure if I am using the custom context file incorrectly or if there is some setting I need to turn on for it to be pulled in, but let me know if you need anything else from me.

@navarojc

navarojc commented Jul 16, 2020

Hi @doymturner ,

I have the same issue. The scanner task didn't use the custom context file. After checking, it seems the input name is incorrect.

In task.json it is provideCustomContext, but the scanner reads from providedCustomContext.

let customContextProvided = tl.getBoolInput("providedCustomContext", false);

Thanks,
Navaroj C.
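The mismatch described above (task.json declaring one input name, the task code asking azure-pipelines-task-lib for another) is the kind of defect a small check can catch before an extension is installed. The script below is an added example and not part of this issue or of the plugin's code: it lists the inputs declared in a task.json, collects the names passed to tl.getInput / tl.getBoolInput / tl.getPathInput / tl.getDelimitedInput in the task's JavaScript, and reports both directions of mismatch. The embedded task.json and source snippet are constructed to reproduce the provideCustomContext / providedCustomContext case; the helper names are mine.

```javascript
// Added example: cross-check the input names an Azure DevOps task declares
// in task.json against the names its code reads via azure-pipelines-task-lib.
// A name read in code but absent from task.json is never populated by the
// agent, so getBoolInput() silently returns its default (false) and the
// feature behind it never turns on, which is exactly the symptom in this thread.

// Matches tl.getInput("name", ...), tl.getBoolInput('name', ...), etc.
const INPUT_GETTER_RE =
  /\btl\.(?:getInput|getBoolInput|getPathInput|getDelimitedInput)\(\s*(['"])([^'"]+)\1/g;

// Input names declared in task.json ("inputs": [{ "name": ... }, ...]).
function declaredInputs(taskJsonText) {
  const task = JSON.parse(taskJsonText);
  return new Set((task.inputs || []).map((input) => input.name));
}

// Input names the task code actually asks the agent for.
function readInputs(sourceText) {
  const names = new Set();
  for (const match of sourceText.matchAll(INPUT_GETTER_RE)) {
    names.add(match[2]);
  }
  return names;
}

// Both directions matter: a name read but never declared is the silent-default
// bug; a name declared but never read is a dead option in the task UI.
function findMismatches(taskJsonText, sourceText) {
  const declared = declaredInputs(taskJsonText);
  const read = readInputs(sourceText);
  return {
    readButNotDeclared: [...read].filter((n) => !declared.has(n)).sort(),
    declaredButNeverRead: [...declared].filter((n) => !read.has(n)).sort(),
  };
}

// Constructed sample (not the real plugin's files) mirroring the thread:
// task.json declares `provideCustomContext`, the code reads `providedCustomContext`.
const SAMPLE_TASK_JSON = JSON.stringify({
  name: 'owaspzap',
  inputs: [
    { name: 'url', type: 'string' },
    { name: 'provideCustomContext', type: 'boolean' },
    { name: 'contextPath', type: 'filePath' },
  ],
});

const SAMPLE_TASK_SOURCE = `
const tl = require("azure-pipelines-task-lib/task");
let url = tl.getInput("url", true);
let customContextProvided = tl.getBoolInput("providedCustomContext", false);
let contextPath = tl.getPathInput('contextPath', false);
`;

// Runs the check against the constructed sample; returns the mismatch report.
function checkSample() {
  return findMismatches(SAMPLE_TASK_JSON, SAMPLE_TASK_SOURCE);
}

console.log(JSON.stringify(checkSample(), null, 2));
```

Against the sample this reports providedCustomContext as read-but-not-declared and provideCustomContext as declared-but-never-read, which is the pair of names in the comment above. For a real extension, feed it the task.json and the compiled JavaScript from the .vsix and fail the pipeline when readButNotDeclared is non-empty.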

@navarojc

@whulbert

You can try updating the input name of the task, so the YAML will be as follows. FYI, it works for me.

steps:
- task: CSE-DevOps.zap-scanner.custom-build-release-task.owaspzap@1
  displayName: 'ZAP Scanner'
  inputs:
    threshold: 1000
    scantype: targetedScan
    url: 'https://my.publicsite.com/dev/'
    providedCustomContext: true
    contextPath: '$(Build.SourcesDirectory)/my-custom-context.context'
    port: 443

@whulbert (Author)

Thanks @navarojc for looking into this! I am unfortunately still using the classic pipeline editor in Azure DevOps, so I don't think I can manually change the input name at this time. I will have to spend some time converting over to YAML.

@rsuela

rsuela commented Mar 1, 2021

Hi @navarojc

I changed my task to "CSE-DevOps.zap-scanner.custom-build-release-task.owaspzap@1", but I still can't see my context being passed in the docker run. Can anyone help?

2021-03-01T22:30:06.5890183Z ##[section]Starting: ZAP Scanner
2021-03-01T22:30:06.5895823Z ==============================================================================
2021-03-01T22:30:06.5896095Z Task : OWASP Zap Scanner
2021-03-01T22:30:06.5896344Z Description : Utilize the OWASP/ZAP scanner within Azure DevOps
2021-03-01T22:30:06.5896556Z Version : 1.0.1
2021-03-01T22:30:06.5896753Z Author : Doyle Turner, Anthony Turner
2021-03-01T22:30:06.5896952Z Help :
2021-03-01T22:30:06.5897179Z ==============================================================================
2021-03-01T22:30:06.9813387Z [command]/usr/bin/chmod 777 /home/vsts/work/1/s/owaspzap
2021-03-01T22:30:06.9870422Z [command]/usr/bin/id -u root
2021-03-01T22:30:06.9901673Z 0
2021-03-01T22:30:06.9919502Z [command]/usr/bin/docker run -u 0 -v /home/vsts/work/1/s/owaspzap:/zap/wrk/:rw owasp/zap2docker-stable zap-full-scan.py -t { redacted } -J report.json -r report.html
2021-03-01T22:30:07.7607530Z Unable to find image 'owasp/zap2docker-stable:latest' locally
2021-03-01T22:30:11.3719563Z latest: Pulling from owasp/zap2docker-stable
2021-03-01T22:30:11.3723473Z 83ee3a23efb7: Pulling fs layer
2021-03-01T22:30:11.3724696Z db98fc6f11f0: Pulling fs layer

@tsluyter (Contributor)

tsluyter commented Mar 8, 2021

> In task.json it is provideCustomContext, but the scanner reads from providedCustomContext.
> let customContextProvided = tl.getBoolInput("providedCustomContext", false);

@navarojc : thank you for identifying both the bug and the work-around.

I can confirm that the plugin code has a bug in it. The officially documented option provideCustomContext: true gets ignored and you have to use the typo version **provided**CustomContext: true.

Ideally we would create a fix ourselves and submit it through a pull request. I hope that the project team still pays attention to our activity.

EDIT: Oh, great. The actual code isn't part of this repository. This is only the documentation. 👎

@BSamodien can your team help on resolving this bug in the plugin?

@tsluyter (Contributor)

tsluyter commented Mar 8, 2021

Along similar lines, I've noticed that you can point at the correct file location all you want; ZAP isn't going to find it because the file is not copied into the correct ZAP working directory. There's all kinds of wonkiness going on with this plugin.
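The docker run line in the log earlier in this thread shows the shape of the problem: the plugin mounts $(Build.SourcesDirectory)/owaspzap at /zap/wrk/ and invokes zap-full-scan.py with only -t, -J and -r, so a context file outside that directory is never visible to the container and nothing tells ZAP to load it. The helper below is an added example, not the plugin's code, for running the same container from a plain script step with the context staged into the mounted work directory and passed with zap-full-scan.py's -n option (and optionally -U for the context user). The -n and -U options are taken from the zap-full-scan.py usage as I know it; confirm them with `docker run --rm owasp/zap2docker-stable zap-full-scan.py -h` before relying on them. The function names, the DOCKER override and the paths are mine.

```shell
#!/bin/sh
# Added example (not the plugin's code): run zap-full-scan.py with a context
# file that ZAP can actually see. The container only reads files under the
# mounted /zap/wrk directory, so the context is copied there first and then
# referenced by its file name relative to that directory.
# Assumptions: the owasp/zap2docker-stable image, and zap-full-scan.py's
# -n <context file> and -U <user> options (verify with `zap-full-scan.py -h`).
set -eu

# stage_context WORKDIR CONTEXT_PATH
# Copies the context file into the directory that will be mounted at /zap/wrk
# and prints the name ZAP must be given (relative to /zap/wrk).
stage_context() {
  workdir=$1
  ctx=$2
  if [ ! -f "$ctx" ]; then
    echo "context file not found: $ctx" >&2
    return 1
  fi
  mkdir -p "$workdir"
  cp "$ctx" "$workdir/"
  basename "$ctx"
}

# run_scan WORKDIR TARGET_URL CONTEXT_PATH [CONTEXT_USER]
# Stages the context and runs the scan; report.json / report.html land in
# WORKDIR. -u 0 and the /zap/wrk mount mirror the plugin's own log line;
# -n (and -U) are the additions that make ZAP load the context.
# DOCKER can be overridden (e.g. DOCKER=echo) for a dry run.
run_scan() {
  workdir=$1
  target=$2
  ctxname=$(stage_context "$1" "$3")
  if [ -n "${4:-}" ]; then
    set -- -U "$4"
  else
    set --
  fi
  ${DOCKER:-docker} run --rm -u 0 -v "$workdir:/zap/wrk/:rw" owasp/zap2docker-stable \
    zap-full-scan.py -t "$target" -n "$ctxname" -J report.json -r report.html "$@"
}
```

In an Azure DevOps script step this is a single call, for example `run_scan "$(Build.SourcesDirectory)/owaspzap" https://my.publicsite.com/dev/ "$(Build.SourcesDirectory)/my-custom-context.context" someuser`, followed by publishing WORKDIR as an artifact. Keep the context file out of the repository if it embeds credentials; fetch it with the Download secure file task and pass that path as CONTEXT_PATH.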

@DrMueller

@tsluyter @DariuszPorowski Did you ever manage to make this work? It seems like the contextPath is completely ignored. Generally, the Zap folder hasn't been updated for a year; is it to be considered dead and not to be used in production?

6 participants