Comments (9)
I’m sorry that you have become frustrated using Docker. We get frustrated by it too sometimes, but it's a 3rd-party product that our users expect us to support.
Not all of us are experts in docker or have unlimited time & inclination to debug every possible problem, when running a simple test.
We are not Docker experts either.
We released the Docker images back in 2015 (I think) based on a contributor PR.
Quite a few issues have been reported on them and the majority have been fixed: https://github.com/zaproxy/zaproxy/issues?q=label%3ADocker+is%3Aclosed
Despite these issues the ZAP docker images are heavily used.
I don't want to use this crappy ZAP, but unfortunately I have to, because of 3rd party requirements.
We are a small underfunded team who maintain the world’s most popular web scanner.
We do not currently get any funding from Google.
Thank you for your solution, we will have a look at it and see if any parts of it can be used to make our Docker images more useful.
Please don't ask questions as issues - the ZAP User Group is a much better place for usage questions.
We look forward to your solution.
My title reads "ZAP has been dumped & forced on me", not "IT Sec guy, https://github.com/zaproxy co-lead, https://github.com/OWASP WSTG co-lead, https://github.com/OWASP VWAD co-lead, Hac≺3r, supporter of oxford commas, #INTJ."
Great, closing legitimate BUG. Awesome.
What's the bug? All I see are complaints and a vague description that you can't get something working. That's what the User Group is for.
Edit: You didn't even manage to provide the details quite plainly and clearly requested in the issue template.
Solution, which worked for me

The problem is, the mounted directory $(pwd) inside the docker container has the user id and group id from the host, and it does not match the hardcoded 1000:1000 inside the container.

More information about this docker problem can be found here: https://stackoverflow.com/questions/39397548/how-to-give-non-root-user-in-docker-container-access-to-a-volume-mounted-on-the

To see the problem:
a) Run the docker image, without executing a command for ZAP
docker run -p 8080:8080 -v $(pwd):/zap/wrk/:rw -t owasp/zap2docker-stable
b) Check the id of the running container
docker ps -a
c) Go into the container & list files/dirs
docker exec -it CONTAINER_ID /bin/bash
zap@container:/zap$ ls -l
drwxr-xr-x 1 zap zap 4096 Dec 19 00:54 webswing
drwxrws--- 7 root www-data 4096 Dec 19 00:57 wrk
drwxr-xr-x 2 zap zap 4096 Jan 2 1970 xml

There are probably a few fixes possible for this, but I chose to match the user id & group id on the host to the hardcoded 1000:1000.

All below should be done on the host. Check if you have a user/group which already uses number 1000:
cat /etc/passwd | grep :1000
If there is already a user with this id, change the ids to different ones using https://www.cyberciti.biz/faq/linux-change-user-group-uid-gid-for-all-owned-files/

On the host, create a zap user:
useradd -u 1000 -m -s /bin/bash zap

On the host, in my case I had all files (context/config) in directory /var/zap_docker/, so:
chown 1000:1000 /var/zap_docker/ -R

Now go to the directory & run docker:
cd /var/zap_docker
docker run -p 8080:8080 -v $(pwd):/zap/wrk/:rw -u 1000:1000 -t owasp/zap2docker-stable zap-full-scan.py -t https://example.com -P 8080 -c zap-casa-config.conf -x results-full.xml -n app.context

Works!
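The procedure above inspects the mounted directory by eye with ls -l and then forces the host ids to 1000:1000. The script below is an added example, not code from the zaproxy issue or project: it turns that inspection into a host-side pre-flight check that decides, from the owner, group and mode bits of the directory, whether a container process running as a given uid:gid can write to it, and prints the chown plus the matching -u option when it cannot. It assumes a Linux host with GNU stat, takes 1000:1000 (the zap user's ids from the comment above) as the default, and generalizes to any uid:gid so the same check works for a different non-root user instead of falling back to running the container as root. Only the primary group is checked, which matches what docker run -u uid:gid grants; ACLs and user namespaces are out of scope.

```shell
#!/bin/sh
# Added example, not code from the zaproxy issue or project: a host-side
# pre-flight check for bind-mounting a work directory into a container whose
# process runs as a fixed non-root uid:gid. Assumes a Linux host with GNU stat.
# The default 1000:1000 is the zap user's id quoted in the comment above.

# Does uid UID (whose primary group is GID) have write permission on PATH,
# judged from owner, group and mode bits alone (no ACLs, no user namespaces)?
writable_by() {
    wb_uid=$1; wb_gid=$2; wb_path=$3
    [ "$wb_uid" -eq 0 ] && return 0            # root bypasses mode bits
    wb_info=$(stat -c '%a %u %g' "$wb_path") || return 2
    wb_mode=${wb_info%% *}                     # e.g. 2770 or 755
    wb_rest=${wb_info#* }
    wb_owner=${wb_rest%% *}
    wb_group=${wb_rest#* }
    while [ ${#wb_mode} -lt 3 ]; do wb_mode=0$wb_mode; done
    wb_perm=${wb_mode#"${wb_mode%???}"}        # last three octal digits
    wb_u=${wb_perm%??}
    wb_g=${wb_perm#?}; wb_g=${wb_g%?}
    wb_o=${wb_perm#??}
    # Unix consults exactly one class: owner if the uid matches, else group, else other.
    if [ "$wb_owner" -eq "$wb_uid" ]; then
        [ $((wb_u & 2)) -ne 0 ]
    elif [ "$wb_group" -eq "$wb_gid" ]; then
        [ $((wb_g & 2)) -ne 0 ]
    else
        [ $((wb_o & 2)) -ne 0 ]
    fi
}

# Report whether DIR is usable as the container's work directory (/zap/wrk in
# the comment above) for a process running as UID:GID, and print the host-side
# fix when it is not. Returns 0 when usable, 1 otherwise.
preflight_mount() {
    pm_dir=$1; pm_uid=${2:-1000}; pm_gid=${3:-1000}
    if writable_by "$pm_uid" "$pm_gid" "$pm_dir"; then
        echo "ok: $pm_dir is writable by $pm_uid:$pm_gid; run the container with -u $pm_uid:$pm_gid"
        return 0
    fi
    echo "mismatch: $pm_dir is $(stat -c '%u:%g, mode %a' "$pm_dir"), not writable by $pm_uid:$pm_gid" >&2
    echo "fix on the host (instead of running the container as root):" >&2
    echo "  chown -R $pm_uid:$pm_gid $pm_dir" >&2
    echo "  docker run ... -u $pm_uid:$pm_gid -v $pm_dir:/zap/wrk/:rw ..." >&2
    return 1
}

# Usage: sh preflight.sh /var/zap_docker [uid] [gid]
if [ -n "${1-}" ]; then
    preflight_mount "$1" "${2:-1000}" "${3:-1000}"
fi
```

Run it against the directory you intend to mount before the docker run in the comment above; a non-zero exit means the scan would hit the same permission error, and the printed chown is the least-privilege fix rather than -u root. The setgid bit on the wrk directory in the listing above (drwxrws---) is stripped before the bits are read, since only the last three octal digits decide write access.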
@psiinon , thank you for that comment!
Unfortunately I can't agree with your statement regarding Docker support, especially considering the statement on your website (https://www.zaproxy.org/getting-started/):
"ZAP is an ideal tool to use in automation and supports a range of options," including Docker Packaged Scans.
It appears there might be an inconsistency or oversight on this page. Additionally, you have a dedicated section for Docker documentation at https://www.zaproxy.org/docs/docker/.
My frustration stems from several issues:
- Contrary to the core security principle of Least Privilege, the suggested solution for permission issues in many GitHub threads is simply "run as root."
- The use of the same error message (ApiException.Type.BAD_EXTERNAL_DATA) for different scenarios is confusing. For instance:
  A)
      try {
          scanPolicy = new ScanPolicy(new ZapXmlConfiguration(file));
      } catch (IllegalArgumentException | ConfigurationException e) {
          throw new ApiException(ApiException.Type.BAD_EXTERNAL_DATA, file.toString(), e);
      }
  B)
      try {
          context = Model.getSingleton().getSession().importContext(f);
      } catch (IllegalContextNameException e) {
          throw new ApiException(ApiException.Type.BAD_EXTERNAL_DATA, e);
      }
- The use of the -n flag for zap-full-scan to load a context file doesn't update the context config if the name remains unchanged, with no clear message or information in --help.
- There are precisely 81 issues marked with "questions as issues" on GitHub, where most are related to bugs or problems rather than genuine questions (https://github.com/search?q=repo%3Azaproxy%2Fzaproxy+%22questions+as+issues%22&type=issues).
- Numerous closed issues lack assistance, contain additional unanswered community questions, or provide advice like creating "/zap/wrk/test.txt" without clear resolution.
- Many IT professionals assert that if a program cannot run successfully in basic mode quickly, it is not worth the time and trouble. This sentiment applies to running ZAP in Docker and ZAP Desktop.
- Despite the implementation of numerous edge case functionalities, fundamental features seem neglected, giving the impression that developers prioritize novelty over addressing essential issues.
- Most online video tutorials focus on simple localhost websites, lacking real-life examples for actual web applications.
- The ZAP Desktop's user experience and logic are described as a horror, warranting a complete rewrite.
- Difficulty finding logging features in the Desktop UI hinders users from monitoring program activities and correcting configurations.
- It's unclear which specific ZAP component is responsible, but there appears to be a lack of parameter checks for Docker-run instances, leading to raw errors without informative feedback.
- The tutorial includes an impractical feature requiring users to find coded numbers, some of which may not work. Fortunately, an option to skip this was eventually discovered.
Regarding funding, while acknowledging the lack of financial support for open-source security tools, it might be worth reconsidering the possibility of offering paid plans, solutions, or services if the open-source version proves successful. The impressive statistic of 78,402,829 active scans in November shows that at least some % of the user base would be interested in helping out the project.
These are exactly the sort of things we want to discuss in the ZAP User Group, NOT in a closed issue.