owasp-zap-openshift's Introduction

This repository is DEPRECATED

Use the ZAP implementation found HERE

OWASP ZAP Image For OpenShift

Overview

The public Docker registry version of OWASP's Zed Attack Proxy (ZAP) does not run on OpenShift without privileged containers. This Docker image resolves that issue.

Running

The semantics of running this are identical to the public OWASP ZAP docker image, so look at the Wiki page HERE.

Deploying In OpenShift

oc new-build -l 'role=jenkins-slave' https://github.com/rht-labs/owasp-zap-openshift.git

Configuring In OpenShift Jenkins

  1. Log in to Jenkins with an account which has permissions to manage the Jenkins instance
  2. Install the following plugins:
    1. HTML Publisher Plugin
  3. Restart Jenkins
  4. Log back in to Jenkins and navigate to Manage Jenkins -> Configure System
  5. Scroll down to the Kubernetes cloud configuration
  6. Add a new "Pod Template" as shown in the KubePodTemplate screenshot in the repository

Using it in your Jenkinsfile

stage('Get a ZAP Pod') {
    node('zap') {
        stage('Scan Web Application') {
            dir('/zap') {
                def retVal = sh returnStatus: true, script: '/zap/zap-baseline.py -r baseline.html -t http://<some-web-site>'
                publishHTML([allowMissing: false, alwaysLinkToLastBuild: false, keepAll: true, reportDir: '/zap/wrk', reportFiles: 'baseline.html', reportName: 'ZAP Baseline Scan', reportTitles: 'ZAP Baseline Scan'])
                echo "Return value is: ${retVal}"
            }
        }
    }
}

Use the following in a Jenkinsfile together with the SonarQube ZAP plugin (note the -x XML report: no directory component and no special characters in the file name):

stage('Get a ZAP Pod') {
    node('zap') {
        stage('Scan Web Application') {
            sh "/zap/zap-baseline.py -d -m 5 -x zaprpt.xml -t http://<some-web-site>"
            // no mvn in this image, so stash the report and unstash it later in the pipeline on a Maven node instead of the ZAP node...
            // sh "mvn sonar:sonar -Dsonar.zaproxy.reportPath=/zap/wrk/zaprpt.xml"
            stash name: "zaproxyreport", includes: "/zap/wrk/zaprpt.xml"
        }
    }
}

Stash, copy or pull the report from /zap/wrk/zaprpt.xml.
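The two snippets above (the HTML baseline scan and the SonarQube XML stash) can be combined into one scripted pipeline. The following is an added example, not code from the rht-labs/owasp-zap-openshift README. It assumes a Kubernetes pod template labelled 'zap' built from this image, a second template labelled 'maven' with mvn on its path, and a SonarQube server named 'sonarqube' in the Jenkins configuration; the target URL is a placeholder. The XML report is stashed from inside /zap/wrk so the stash pattern is a plain file name rather than an absolute path.

```groovy
// Added example, not part of the original README.
// Assumed: pod template 'zap' (this image), pod template 'maven' (has mvn),
// SonarQube server 'sonarqube' configured in Jenkins. Target URL is a placeholder.
def target = 'http://example.internal'

stage('ZAP baseline scan') {
    node('zap') {
        dir('/zap') {
            // -d debug output, -m 5 spider for five minutes, -r HTML report, -x XML report.
            // Report names carry no directory and no special characters; the script
            // writes both files under /zap/wrk.
            def rc = sh(returnStatus: true,
                        script: "/zap/zap-baseline.py -d -m 5 -r baseline.html -x zaprpt.xml -t ${target}")

            publishHTML([allowMissing: false, alwaysLinkToLastBuild: false, keepAll: true,
                         reportDir: '/zap/wrk', reportFiles: 'baseline.html',
                         reportName: 'ZAP Baseline Scan', reportTitles: 'ZAP Baseline Scan'])

            // There is no mvn in the ZAP image, so keep the XML report for a later node.
            dir('/zap/wrk') {
                stash name: 'zaproxyreport', includes: 'zaprpt.xml'
            }

            // zap-baseline.py exit codes: 0 pass, 1 at least one FAIL,
            // 2 WARN only, 3 any other error (ZAP did not run or complete).
            if (rc == 1) {
                error "ZAP baseline reported FAIL-level alerts (exit ${rc})"
            } else if (rc == 2) {
                echo "ZAP baseline reported WARN-level alerts; marking build UNSTABLE"
                currentBuild.result = 'UNSTABLE'
            } else if (rc != 0) {
                error "ZAP baseline did not complete (exit ${rc}); check the console log"
            }
        }
    }
}

stage('Publish ZAP report to SonarQube') {
    node('maven') {
        checkout scm
        dir('zap-report') {
            unstash 'zaproxyreport'
        }
        // sonar.zaproxy.reportPath is the property the SonarQube ZAP plugin reads.
        withSonarQubeEnv('sonarqube') {
            sh "mvn sonar:sonar -Dsonar.zaproxy.reportPath=${pwd()}/zap-report/zaprpt.xml"
        }
    }
}
```

Gating on the exit code rather than only echoing it means a scan that never started (exit 3, for example the "Failed to start ZAP" case) fails the stage instead of silently publishing an empty report; WARN-only results leave the build green but UNSTABLE so they stay visible.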


owasp-zap-openshift's Issues

owasp-zap-scan failing

Hi,

I am getting the error below while running owasp-zap-scan. I am using the Dockerfile from your repo to create the image.

Error:

2020-07-29 07:32:12,919 Passive scanning complete
2020-07-29 07:32:12,919 Unexpected error: <type 'exceptions.TypeError'>
Traceback (most recent call last):
File "/zap/zap-full-scan.py", line 337, in main
num_urls = len(zap.core.urls)
TypeError: object of type 'instancemethod' has no len()
2020-07-29 07:32:12,920 Failed to find zap_log /zap/zap.out
ERROR <type 'exceptions.TypeError'>

Command run:

stage('Scan Web Application') {
def owasp_config_dir = "configFiles/owasp-zap-scan/"
sh """
cd ${owasp_config_dir}
cp baseline-scan.conf /zap/wrk/
/zap/zap-full-scan.py -d -m 5 -r baseline.html -c baseline-scan.conf -t <server_url>
"""
publishHTML([allowMissing: false, alwaysLinkToLastBuild: false, keepAll: true, reportDir: '/zap/wrk/', reportFiles: 'baseline.html', reportName: 'Zaproxy_Report', reportTitles: ''])
}

owasp-zap-image question

Hi,

Do you have a dockerfile that runs zap baseline in OpenShift without the Jenkins integration?

Thanks

ImportError: No module named zapv2

Hi,

I am getting the error below when trying to run the scan. Please check.

Error:

Traceback (most recent call last):
File "/zap/zap-baseline.py", line 54, in
from zapv2 import ZAPv2
ImportError: No module named zapv2

Command ran:

exceptions.UnicodeDecodeError when running

Hello

When I run this, I get the following error.

Total of 11 URLs
PASS: Cookie No HttpOnly Flag [10010]
PASS: Cookie Without Secure Flag [10011]
PASS: Incomplete or No Cache-control and Pragma HTTP Header Set [10015]
PASS: Cross-Domain JavaScript Source File Inclusion [10017]
PASS: Content-Type Header Missing [10019]
PASS: Information Disclosure - Debug Error Messages [10023]
PASS: Information Disclosure - Sensitive Informations in URL [10024]
PASS: Information Disclosure - Sensitive Information in HTTP Referrer Header [10025]
PASS: HTTP Parameter Override [10026]
PASS: Information Disclosure - Suspicious Comments [10027]
PASS: Viewstate Scanner [10032]
PASS: Secure Pages Include Mixed Content [10040]
PASS: Weak Authentication Method [10105]
PASS: Absence of Anti-CSRF Tokens [10202]
PASS: Private IP Disclosure [2]
PASS: Session ID in URL Rewrite [3]
PASS: Script Passive Scan Rules [50001]
PASS: Insecure JSF ViewState [90001]
PASS: Charset Mismatch [90011]
PASS: Application Error Disclosure [90022]
PASS: Loosely Scoped Cookie [90033]
WARN-NEW: Web Browser XSS Protection Not Enabled [10016] x 1 
	http://myurl/api-docs/index.html
WARN-NEW: X-Frame-Options Header Not Set [10020] x 1 
	http://myurl/api-docs/index.html
WARN-NEW: X-Content-Type-Options Header Missing [10021] x 5 
	http://myurl/api-docs/index.html
	http://myurl/api-docs/favicon-32x32.png
	http://myurl/api-docs/swagger-ui.css
	http://myurl/api-docs/favicon-16x16.png
	http://myurl/api-docs/swagger-ui-standalone-preset.js
ERROR <type 'exceptions.UnicodeDecodeError'>

ZAP pipeline error help

Hi There,

I have built owasp-zap-openshift and integrated it into my Jenkins. I am getting this error in my Jenkins logs...

  • /zap/zap-baseline.py -r index.html -t http://dev-app.mydomain.com
    2020-11-21 22:05:53,264 Failed to run docker - is it on your path?
    2020-11-21 22:05:53,264 Failed to start ZAP in docker :(
    [Pipeline] publishHTML

My Jenkins pipeline looks like this:

def owaspPodLabel = "jenkins-agent-zap"
podTemplate(
    label: owaspPodLabel, 
    name: owaspPodLabel, 
    serviceAccount: 'jenkins', 
    cloud: 'openshift', 
    containers: [ containerTemplate(
        name: 'jenkins-agent-zap',
        image: 'image-registry.openshift-image-registry.svc:5000/5c0dde-tools/jenkins-agent-zap:latest',
        resourceRequestCpu: '500m',
        resourceLimitCpu: '1000m',
        resourceRequestMemory: '3Gi',
        resourceLimitMemory: '4Gi',
        workingDir: '/home/jenkins',
        command: '',
        args: '${computer.jnlpmac} ${computer.name}'
    )]
) {
    node(owaspPodLabel) {
        stage('ZAP Security Scan') {          
            def retVal = sh (
                returnStatus: true, 
                script: "/zap/zap-baseline.py -r index.html -t http://dev-app.mydomain.com"
            )
            publishHTML([
                allowMissing: false, 
                alwaysLinkToLastBuild: false, 
                keepAll: true, 
                reportDir: '/zap/wrk', 
                reportFiles: 'index.html', 
                reportName: 'OWASP Zed Attack Proxy', 
            ])
            echo "Return value is: ${retVal}"

            script {
                if (retVal != 0) {
                    echo "MARKING BUILD AS UNSTABLE"
                    currentBuild.result = 'UNSTABLE'
                }
            }
        }
    }
}

Any help would be appreciated :)

ZAP reports i/o error no such file on openshift

Hi Team,
Really excited to get this working in an OpenShift pipeline as part of our process, but I'm really stuck (like week-long stuck) on how to get the reports generated (where the intent is to then 'stash' the report and pass it to a Maven node downstream in the pipeline for SonarQube).

The following works fine:
/zap/zap-baseline.py -d -m 5 -t <targeturl>

But adding a report (-x) causes I/O file problems and the report never gets generated:
/zap/zap-baseline.py -d -m 5 -x /var/lib/jenkins/.ZAP/zaproxy-report.xml -t <targeturl>

Jenkins console when doing the -x report (no I/O or file issues without -x):

2019-01-14 14:25:48,308 Spider complete
2019-01-14 14:25:48,314 Records to scan...
2019-01-14 14:25:48,323 Passive scanning complete
2019-01-14 14:25:48,336 Total number of alerts: 0
2019-01-14 14:25:48,345 I/O error(2): No such file or directory
Total of 4 URLs
PASS: Cookie No HttpOnly Flag [10010]
PASS: Cookie Without Secure Flag [10011]
PASS: Password Autocomplete in Browser [10012]
PASS: Incomplete or No Cache-control and Pragma HTTP Header Set [10015]
PASS: Web Browser XSS Protection Not Enabled [10016]
PASS: Cross-Domain JavaScript Source File Inclusion [10017]
PASS: Content-Type Header Missing [10019]
PASS: X-Frame-Options Header Scanner [10020]
PASS: X-Content-Type-Options Header Missing [10021]
PASS: Secure Pages Include Mixed Content [10040]
PASS: Private IP Disclosure [2]
PASS: Session ID in URL Rewrite [3]
PASS: Script Passive Scan Rules [50001]
PASS: Application Error Disclosure [90022]
ERROR No such file or directory

Secondarily, I'm having a lot of problems trying to do diagnostics in OpenShift:

  • /zap/zap.log is always empty
  • log4j.properties in /zap/, ~, ~/.ZAP/: none change the output
  • changing the report output to /zap/, ~, ~/.ZAP/: all have the same problem

OpenShift 3.10, ZAP as of 'current' from this GitHub location. I made a modification to zap_baseline.py to remove the add-on updates because of reduced internet access.

It reports an error from jenkins

Hi,
I hit an error while using your source in OpenShift.
The error message is as follows:

"Jenkins doesn't have label zap"

but I already set the zap label in the Kubernetes pod template.
Would you have any way to resolve it?

Thanks.
