secureCodeBox · J12934 · Jun 26, 2024 · Mar 18, 2024 · Mar 18, 2024 · Mar 18, 2024
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -489,6 +489,7 @@ jobs:
           - wpscan
           - zap
           - zap-advanced
+          - zap-automation-framework
     steps:
       - name: Checkout
         uses: actions/checkout@v4

diff --git a/.github/workflows/release-build.yaml b/.github/workflows/release-build.yaml
@@ -346,6 +346,7 @@ jobs:
           - whatweb
           - wpscan
           - zap
+          - zap-automation-framework
 
     steps:
       - name: Checkout

diff --git a/...ence-defectdojo/hook/src/main/java/io/securecodebox/persistence/util/ScanNameMapping.java b/...ence-defectdojo/hook/src/main/java/io/securecodebox/persistence/util/ScanNameMapping.java
@@ -13,6 +13,7 @@ public enum ScanNameMapping {
   ZAP_FULL_SCAN("zap-full-scan", ScanType.ZAP_SCAN),
   ZAP_ADVANCED_SCAN("zap-advanced-scan", ScanType.ZAP_SCAN),
   ZAP_AUTOMATION_SCAN("zap-automation-scan", ScanType.ZAP_SCAN),
+  ZAP_AUTOMATION_FRAMEWORK("zap-automation-framework", ScanType.ZAP_SCAN),
   SSLYZE("sslyze", ScanType.SSLYZE_SCAN),
   TRIVY_IMAGE("trivy-image", ScanType.TRIVY_SCAN),
   TRIVY_IMAGE_AUTODISCOVERY("trivy-image-autodiscovery", ScanType.TRIVY_SCAN),

diff --git a/operator/internal/telemetry/telemetry.go b/operator/internal/telemetry/telemetry.go
@@ -24,35 +24,36 @@ var telemetryInterval = 24 * time.Hour
 // officialScanTypes contains the list of official secureCodeBox Scan Types.
 // Unofficial Scan Types should be reported as "other" to avoid leakage of confidential data via the scan-types name
 var officialScanTypes map[string]bool = map[string]bool{
-	"amass":               true,
-	"cmseek":              true,
-	"doggo":               true,
-	"ffuf":                true,
-	"git-repo-scanner":    true,
-	"gitleaks":            true,
-	"kube-hunter":         true,
-	"kubeaudit":           true,
-	"ncrack":              true,
-	"nikto":               true,
-	"nmap":                true,
-	"nuclei":              true,
-	"screenshooter":       true,
-	"semgrep":             true,
-	"ssh-audit":           true,
-	"ssh-scan":            true,
-	"sslyze":              true,
-	"trivy-image":         true,
-	"trivy-filesystem":    true,
-	"trivy-repo":          true,
-	"trivy-sbom-image":    true,
-	"typo3scan":           true,
-	"whatweb":             true,
-	"wpscan":              true,
-	"zap-baseline-scan":   true,
-	"zap-api-scan":        true,
-	"zap-full-scan":       true,
-	"zap-automation-scan": true,
-	"zap-advanced-scan":   true,
+	"amass":                    true,
+	"cmseek":                   true,
+	"doggo":                    true,
+	"ffuf":                     true,
+	"git-repo-scanner":         true,
+	"gitleaks":                 true,
+	"kube-hunter":              true,
+	"kubeaudit":                true,
+	"ncrack":                   true,
+	"nikto":                    true,
+	"nmap":                     true,
+	"nuclei":                   true,
+	"screenshooter":            true,
+	"semgrep":                  true,
+	"ssh-audit":                true,
+	"ssh-scan":                 true,
+	"sslyze":                   true,
+	"trivy-image":              true,
+	"trivy-filesystem":         true,
+	"trivy-repo":               true,
+	"trivy-sbom-image":         true,
+	"typo3scan":                true,
+	"whatweb":                  true,
+	"wpscan":                   true,
+	"zap-baseline-scan":        true,
+	"zap-api-scan":             true,
+	"zap-full-scan":            true,
+	"zap-automation-scan":      true,
+	"zap-automation-framework": true,
+	"zap-advanced-scan":        true,
 }
 
 // telemetryData submitted by operator

diff --git a/scanners/zap-advanced/.helm-docs.gotmpl b/scanners/zap-advanced/.helm-docs.gotmpl
@@ -26,6 +26,9 @@ usecase: "WebApp & OpenAPI Vulnerability Scanner extend with authentication feat
 
 {{- define "extra.chartAboutSection" -}}
 ## What is ZAP?
+:::caution Deprecation Notice
+The `zap-advanced` and `zap` ScanType are being deprecated in favor of the `zap-automation-framework`, which encompasses all functionalities of the previous ScanTypes. We recommend transitioning to the "zap-automation-framework" as soon as possible. `zap-advanced` and `zap` ScanTypes will be removed in the upcoming v5 release. For guidance on migrating to "zap-automation-framework," please refer to [migration to zap-automation framework](/docs/scanners/zap-automation-framework#migration-to-zap-automation-framework).
+:::
 
 The Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers*. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing your applications. It's also a great tool for experienced pentesters to use for manual security testing.
 
@@ -57,7 +60,7 @@ optional arguments:
   -o OUTPUT_FOLDER, --output-folder OUTPUT_FOLDER
                         The path to a local folder used to store the output files, eg. the ZAP Report or logfiles.
   -r XML,XML-plus,JSON,JSON-plus,HTML,HTML-plus,MD, --report-type XML,XML-plus,JSON,JSON-plus,HTML,HTML-plus,MD
-                        The  ZAP Report Type.
+                        The ZAP Report Type.
 ```
 {{- end }}
 
@@ -88,7 +91,7 @@ Additionally, there will be some ZAP Scripts included, these are stored in the c
 │This CM contains ZAP session          │        │                  ▼                │       │A YAML configuration for ZAP that       │
 │scripts that are already included     │        │     │  ┌───────────────────┐  │   │       │relates to a single scan execution.     │
 │within the zap-advanced scanner.      │        │        │                   │      │       │- can by used for selected scans        │
-│Feel free to add your own.            │────────┼─────┼─▶│   ZAP Proxy  │  │   │       │- not created by default                │
+│Feel free to add your own.            │────────┼─────┼─▶│  ZAP Proxy       │   │       │- not created by default                │
 │                                      │        │        │                   │      └───────│- add your scan target specific config  │
 │ConfigMap: zap-scripts-session        │        │     │  └───────────────────┘  │           │- needs to be referenced in Scan        │
 └──────────────────────────────────────┘        │                                           │- please use SecretMap for credentials! │

diff --git a/scanners/zap-advanced/README.md b/scanners/zap-advanced/README.md
@@ -36,6 +36,9 @@ Otherwise your changes will be reverted/overwritten automatically due to the bui
 </p>
 
 ## What is ZAP?
+:::caution Deprecation Notice
+The `zap-advanced` and `zap` ScanType are being deprecated in favor of the `zap-automation-framework`, which encompasses all functionalities of the previous ScanTypes. We recommend transitioning to the "zap-automation-framework" as soon as possible. `zap-advanced` and `zap` ScanTypes will be removed in the upcoming v5 release. For guidance on migrating to "zap-automation-framework," please refer to [migration to zap-automation framework](/docs/scanners/zap-automation-framework#migration-to-zap-automation-framework).
+:::
 
 The Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers*. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing your applications. It's also a great tool for experienced pentesters to use for manual security testing.
 
@@ -73,7 +76,7 @@ optional arguments:
   -o OUTPUT_FOLDER, --output-folder OUTPUT_FOLDER
                         The path to a local folder used to store the output files, eg. the ZAP Report or logfiles.
   -r XML,XML-plus,JSON,JSON-plus,HTML,HTML-plus,MD, --report-type XML,XML-plus,JSON,JSON-plus,HTML,HTML-plus,MD
-                        The  ZAP Report Type.
+                        The ZAP Report Type.
 ```
 
 ## Requirements
@@ -106,7 +109,7 @@ Additionally, there will be some ZAP Scripts included, these are stored in the c
 │This CM contains ZAP session          │        │                  ▼                │       │A YAML configuration for ZAP that       │
 │scripts that are already included     │        │     │  ┌───────────────────┐  │   │       │relates to a single scan execution.     │
 │within the zap-advanced scanner.      │        │        │                   │      │       │- can by used for selected scans        │
-│Feel free to add your own.            │────────┼─────┼─▶│   ZAP Proxy  │  │   │       │- not created by default                │
+│Feel free to add your own.            │────────┼─────┼─▶│  ZAP Proxy       │   │       │- not created by default                │
 │                                      │        │        │                   │      └───────│- add your scan target specific config  │
 │ConfigMap: zap-scripts-session        │        │     │  └───────────────────┘  │           │- needs to be referenced in Scan        │
 └──────────────────────────────────────┘        │                                           │- please use SecretMap for credentials! │

diff --git a/scanners/zap-advanced/docs/README.ArtifactHub.md b/scanners/zap-advanced/docs/README.ArtifactHub.md
@@ -41,6 +41,9 @@ The secureCodeBox project is running on [Kubernetes](https://kubernetes.io/). To
 You can find resources to help you get started on our [documentation website](https://www.securecodebox.io) including instruction on how to [install the secureCodeBox project](https://www.securecodebox.io/docs/getting-started/installation) and guides to help you [run your first scans](https://www.securecodebox.io/docs/getting-started/first-scans) with it.
 
 ## What is ZAP?
+:::caution Deprecation Notice
+The `zap-advanced` and `zap` ScanType are being deprecated in favor of the `zap-automation-framework`, which encompasses all functionalities of the previous ScanTypes. We recommend transitioning to the "zap-automation-framework" as soon as possible. `zap-advanced` and `zap` ScanTypes will be removed in the upcoming v5 release. For guidance on migrating to "zap-automation-framework," please refer to [migration to zap-automation framework](/docs/scanners/zap-automation-framework#migration-to-zap-automation-framework).
+:::
 
 The Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers*. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing your applications. It's also a great tool for experienced pentesters to use for manual security testing.
 
@@ -78,7 +81,7 @@ optional arguments:
   -o OUTPUT_FOLDER, --output-folder OUTPUT_FOLDER
                         The path to a local folder used to store the output files, eg. the ZAP Report or logfiles.
   -r XML,XML-plus,JSON,JSON-plus,HTML,HTML-plus,MD, --report-type XML,XML-plus,JSON,JSON-plus,HTML,HTML-plus,MD
-                        The  ZAP Report Type.
+                        The ZAP Report Type.
 ```
 
 ## Requirements
@@ -111,7 +114,7 @@ Additionally, there will be some ZAP Scripts included, these are stored in the c
 │This CM contains ZAP session          │        │                  ▼                │       │A YAML configuration for ZAP that       │
 │scripts that are already included     │        │     │  ┌───────────────────┐  │   │       │relates to a single scan execution.     │
 │within the zap-advanced scanner.      │        │        │                   │      │       │- can by used for selected scans        │
-│Feel free to add your own.            │────────┼─────┼─▶│   ZAP Proxy  │  │   │       │- not created by default                │
+│Feel free to add your own.            │────────┼─────┼─▶│  ZAP Proxy       │   │       │- not created by default                │
 │                                      │        │        │                   │      └───────│- add your scan target specific config  │
 │ConfigMap: zap-scripts-session        │        │     │  └───────────────────┘  │           │- needs to be referenced in Scan        │
 └──────────────────────────────────────┘        │                                           │- please use SecretMap for credentials! │

diff --git a/scanners/zap-advanced/docs/README.DockerHub-Scanner.md b/scanners/zap-advanced/docs/README.DockerHub-Scanner.md
@@ -52,6 +52,9 @@ docker pull securecodebox/scanner-zap-advanced
 ```
 
 ## What is ZAP?
+:::caution Deprecation Notice
+The `zap-advanced` and `zap` ScanType are being deprecated in favor of the `zap-automation-framework`, which encompasses all functionalities of the previous ScanTypes. We recommend transitioning to the "zap-automation-framework" as soon as possible. `zap-advanced` and `zap` ScanTypes will be removed in the upcoming v5 release. For guidance on migrating to "zap-automation-framework," please refer to [migration to zap-automation framework](/docs/scanners/zap-automation-framework#migration-to-zap-automation-framework).
+:::
 
 The Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers*. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing your applications. It's also a great tool for experienced pentesters to use for manual security testing.
 
@@ -81,7 +84,7 @@ optional arguments:
   -o OUTPUT_FOLDER, --output-folder OUTPUT_FOLDER
                         The path to a local folder used to store the output files, eg. the ZAP Report or logfiles.
   -r XML,XML-plus,JSON,JSON-plus,HTML,HTML-plus,MD, --report-type XML,XML-plus,JSON,JSON-plus,HTML,HTML-plus,MD
-                        The  ZAP Report Type.
+                        The ZAP Report Type.
 ```
 
 ## Community

diff --git a/scanners/zap-automation-framework/.gitignore b/scanners/zap-automation-framework/.gitignore
@@ -0,0 +1,5 @@
+# SPDX-FileCopyrightText: the secureCodeBox authors
+#
+# SPDX-License-Identifier: Apache-2.0
+
+*.tar
-Original file line number
+Diff line change
@@ Expand Up / @@ -346,6 +346,7 @@ jobs: @@
               - whatweb
               - wpscan
               - zap
+              - zap-automation-framework
         steps:
           - name: Checkout
@@ Expand Down @@