
Allow warnings in the ZAP Automation Framework #2221

@moxli

Description


➹ New Feature implementation request

Is your feature request related to a problem?

I have issues scanning endpoints which return a 403 error code with the ZAP Automation framework.

The ZAP Automation framework container exits with code 2 in case there is a warning as described here: https://www.zaproxy.org/docs/desktop/addons/automation-framework/

A 403 is a warning in this case:

Job report started
Job report generated report /home/securecodebox/zap-results.html
Job report finished, time taken: 00:00:00
Automation plan warnings:
        Job spider error accessing URL https://REDACTED/ status code returned : 403 expected 200

With the other ZAP scan types we allow errors/warnings to happen: https://github.com/secureCodeBox/secureCodeBox/blob/main/scanners/zap/templates/zap-scan-type.yaml#L42

During my tests I could successfully scan a URL which returns a 403 error code with the zap scan type zap-full-scan.
Using the automation framework results in the zap container exiting with exit code 2:

    State:          Terminated
      Reason:       Error
      Exit Code:    2

Afterwards the scan pod is restarted and it does not go through.

scan-zap-modern-example-f7mds-2c5tm                               0/2     Error       0              5m6s
scan-zap-modern-example-f7mds-6wscx                               0/2     Error       0              12m
scan-zap-modern-example-f7mds-d2kww                               0/2     Error       0              86s
scan-zap-modern-example-f7mds-mvtrt                               0/2     Error       0              10m
scan-zap-modern-example-f7mds-pv8bl                               0/2     Error       0              9m5s
scan-zap-modern-example-f7mds-wrr7g                               0/2     Error       0              7m26s
scan-zap-modern-example-f7mds-zgqbv                               0/2     Error       0              11m

With the current setup it seems like the results file is not written, at least the lurker fails:

2024/01/24 14:28:16 Starting lurker
2024/01/24 14:28:16 Waiting for main container 'zap-automation-scan' to complete
2024/01/24 14:28:16 After scan is completed file '/home/securecodebox/zap-results.xml' will be uploaded to 'REDACTED'
2024/01/24 14:28:16 Waiting for maincontainer to exit.
2024/01/24 14:29:11 Main Container exited. Lurker will end as well.
2024/01/24 14:29:11 Uploading result files.
2024/01/24 14:29:11 Uploading /home/securecodebox/zap-results.xml
2024/01/24 14:29:11 File has a size of 0 bytes
2024/01/24 14:29:11 Failed to read file
2024/01/24 14:29:11 open /home/securecodebox/zap-results.xml: no such file or directory

Changing the parameters failOnError and failOnWarning did not seem to change anything for me.

      parameters:
        failOnError: true                  # If set exit on an error
        failOnWarning: false               # If set exit on a warning
        progressToStdout: true             # If set will write job progress to stdout

Describe the solution you'd like

I would like to be able to accept these warnings and have securecodebox continue without failing.

Describe alternatives you've considered

An alternative would be to push on the ZAP end to allow other behavior for the automation framework.

Additional context

I previously discussed this briefly with the ZAP maintainer here: https://groups.google.com/g/zaproxy-users/c/Mnw9uFyV5yg/m/Lw-62P8mBQAJ

I am using the automation framework to get support for the excludePaths parameter, which is as far as I can tell not supported with the other ZAP scan types.
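The behaviour described above (exit code 2 on plan warnings, an empty or missing results file when the run is treated as failed) can be handled in the container entrypoint. The wrapper below is an added example, not secureCodeBox or ZAP code: it runs the scan command, and tolerates exit code 2 only when the expected results file was actually written and is non-empty, so a spider warning on a 403 endpoint does not fail the scan while a genuinely missing report still does. The results path and the `zap.sh` invocation in the comment are assumptions.

```shell
#!/usr/bin/env sh
# Added example wrapper (not project code): tolerate ZAP Automation Framework
# warnings (exit code 2) only when a non-empty results file exists.

# run_zap_af <results-file> <command...>
# Exit status of the wrapper:
#   0   - ZAP exited 0, or exited 2 (warnings) and <results-file> is non-empty
#   2   - ZAP exited 2 but <results-file> is missing or empty (lurker would fail)
#   n   - any other ZAP exit code is propagated unchanged (real errors)
run_zap_af() {
    results="$1"
    shift

    # Run the scan; capture the exit code in a set -e safe way.
    if "$@"; then
        rc=0
    else
        rc=$?
    fi

    case "$rc" in
        0)
            return 0
            ;;
        2)
            # Plan warnings: accept them as long as a report was produced.
            if [ -s "$results" ]; then
                echo "ZAP finished with warnings (exit 2); results at $results, continuing" >&2
                return 0
            fi
            echo "ZAP exited 2 and $results is missing or empty; failing" >&2
            return "$rc"
            ;;
        *)
            echo "ZAP failed with exit code $rc" >&2
            return "$rc"
            ;;
    esac
}

# Assumed usage in a container entrypoint (paths and flags are assumptions):
# run_zap_af /home/securecodebox/zap-results.xml \
#     zap.sh -cmd -autorun /home/securecodebox/automation.yaml
```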
