Hudson integration about zaproxy HOT 8 CLOSED

Hi Anthon,

I'm really keen for ZAP to integrate as well as possible with other tools.
Invoking other apps from ZAP was a start, but the opposite is also very important.
For this to be possible ZAP really needs to either run as a daemon/service or to provide
a library which can be invoked. 
I think both are desirable, but a non trivial amount of work.
Do you have any views on what would be the most effective form of integration for your
set up?
I've been thinking about how ZAP could perform security regression tests for a while
- I'll raise another issue to cover this.

Many thanks,

~Psiinon

(No text was entered with this change)

Hudson already runs continuously, so in this context, either:

a) treat ZAP as an external app that is invoked via ant task with various command-line
options (e.g., output results to console or a file)

b) treat ZAP as a library; this would require an integration layer similar to existing
third-party build tools, http://wiki.hudson-ci.org/display/HUDSON/Plugins#Plugins-Buildtools;
then makes the results available through the Hudson dashboard

The first option is the simpler of the two.  The second option gives ZAP more exposure
as it would be listed in the Hudson plugins directory (on the web and via Hudson's
dashboard).

I must admit I prefer the idea of invoking it via the command line - it makes it easier
for integration with other technologies as well.
Wrappers can then be written to enable better integration with tools like Hudson if
that helps.

Thanks,

Psiinon

Upgraded to high, as this is something I'd really like to see in the next release.

Psiinon

ZAP can now be run in the background without the UI using the -daemon option.
It also now provides an API for invoking operations like spidering and scanning sites
and returning info in xml or JSON format.
Needs to be fully documented, but examples include:

View hosts http://zap/xml/core/view/hosts http://zap/json/core/view/hosts
View sites http://zap/xml/core/view/sites http://zap/json/core/view/sites
View urls http://zap/xml/core/view/urls http://zap/json/core/view/urls
View alerts http://zap/xml/core/view/alerts http://zap/json/core/view/alerts
View ascan status http://zap/xml/ascan/view/status http://zap/json/ascan/view/status
View spider status http://zap/xml/spider/view/status http://zap/json/spider/view/status
Action shutdown http://zap/xml/core/action/shutdown http://zap/json/core/action/shutdown
Action save session http://zap/xml/core/action/savesession/?name=apitest http://zap/json/core/action/savesession/?name=apitest
Action load session http://zap/xml/core/action/loadsession/?name=apitest http://zap/json/core/action/loadsession/?name=apitest
Action new session http://zap/xml/core/action/newsession/?name=apinew http://zap/json/core/action/newsession/?name=apinew
Action spider http://zap/xml/spider/action/scan/?url=http://localhost:8080/zap-wave/
http://zap/json/spider/action/scan/?url=http://localhost:8080/zap-wave/
Action ascan http://zap/xml/ascan/action/scan/?url=http://localhost:8080/ http://zap/json/ascan/action/scan/?url=http://localhost:8080

Note that the API is disabled by default - it must be enabled via the Options first.
At the moment all API opertations are via GET requests.

This is the first phase of the API work - requests for the next phase gratefully received.

Psiinon

Fixed in release 1.3.0