DefectDojo / django-DefectDojo

DevSecOps, ASPM, Vulnerability Management. All on one platform.
https://defectdojo.com
BSD 3-Clause "New" or "Revised" License

ZAP Scan import: xml parse error #4360

Closed DanilaKazakevich closed 3 years ago

DanilaKazakevich commented 3 years ago

Bug description
It happens only when I use the ictu/zap2docker-weekly image for scanning DVWA (https://github.com/ICTU/zap-baseline). It helps me with an authenticated packaged scan.

docker run --rm -v $(pwd):/zap/wrk/:rw -t ictu/zap2docker-weekly zap-full-scan.py -I -j -t http://172.17.0.2/ -x dvwa_baseline_dojo.xml --hook=/zap/auth_hook.py -z "auth.loginurl=http://172.17.0.2/login.php auth.username='admin' auth.password='password' auth.auto=1"

If I use the official image, scan importing works properly:

docker run --rm -v $(pwd):/zap/wrk/:rw -u zap -p 8080:8080 -p 8090:8080 -i owasp/zap2docker-stable zap.sh -cmd -quickurl http://172.17.0.1/login.php -quickprogress -quickout wrk/zap_report.xml


ERRORS
I tried to import the report into DefectDojo and got errors (file attached below):

ERROR:django.request:Internal Server Error: /api/v2/import-scan/
Traceback (most recent call last):
  File "./dojo/api_v2/serializers.py", line 1097, in save
    parser_findings = parser.get_findings(data.get('file', None), test)
  File "./dojo/tools/zap/parser.py", line 40, in get_findings
    return self.get_items(tree, test)
  File "./dojo/tools/zap/parser.py", line 67, in get_items
    site = Site(node)
  File "./dojo/tools/zap/parser.py", line 145, in __init__
    self.items.append(Item(alert))
  File "./dojo/tools/zap/parser.py", line 222, in __init__
    n2 = item_node.findall('instances/instance/param')[i]
IndexError: list index out of range

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.6/site-packages/django/core/handlers/exception.py", line 34, in inner
    response = get_response(request)
  File "/usr/local/lib/python3.6/site-packages/django/core/handlers/base.py", line 115, in _get_response
    response = self.process_exception_by_middleware(e, request)
  File "/usr/local/lib/python3.6/site-packages/django/core/handlers/base.py", line 113, in _get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
  File "/usr/local/lib/python3.6/site-packages/django/views/decorators/csrf.py", line 54, in wrapped_view
    return view_func(*args, **kwargs)
  File "/usr/local/lib/python3.6/site-packages/rest_framework/viewsets.py", line 125, in view
    return self.dispatch(request, *args, **kwargs)
  File "/usr/local/lib/python3.6/site-packages/rest_framework/views.py", line 509, in dispatch
    response = self.handle_exception(exc)
  File "/usr/local/lib/python3.6/site-packages/rest_framework/views.py", line 469, in handle_exception
    self.raise_uncaught_exception(exc)
  File "/usr/local/lib/python3.6/site-packages/rest_framework/views.py", line 480, in raise_uncaught_exception
    raise exc
  File "/usr/local/lib/python3.6/site-packages/rest_framework/views.py", line 506, in dispatch
    response = handler(request, *args, **kwargs)
  File "/usr/local/lib/python3.6/site-packages/rest_framework/mixins.py", line 19, in create
    self.perform_create(serializer)
  File "./dojo/api_v2/views.py", line 1325, in perform_create
    serializer.save(push_to_jira=push_to_jira)
  File "./dojo/api_v2/serializers.py", line 1101, in save
    raise Exception('Error while parsing the report, did you specify the correct scan type ?')
Exception: Error while parsing the report, did you specify the correct scan type ?
DanilaKazakevich commented 3 years ago

https://drive.google.com/file/d/1fyCDU6bHqiVX-dnFlMzpQK6Hx6vlbyau/view?usp=sharing

damiencarol commented 3 years ago

@DanilaKazakevich taking a look at it. There is some weird stuff in this part.

At least I can reproduce it:

======================================================================
ERROR: test_parse_issue4360 (dojo.unittests.tools.test_zap_parser.TestZapParser)
Report from GitHub issue 4360
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/damien/dd/dojo/unittests/tools/test_zap_parser.py", line 58, in test_parse_issue4360
    findings = parser.get_findings(testfile, Test())
  File "/home/damien/dd/dojo/tools/zap/parser.py", line 40, in get_findings
    return self.get_items(tree, test)
  File "/home/damien/dd/dojo/tools/zap/parser.py", line 67, in get_items
    site = Site(node)
  File "/home/damien/dd/dojo/tools/zap/parser.py", line 144, in __init__
    self.items.append(Item(alert))
  File "/home/damien/dd/dojo/tools/zap/parser.py", line 221, in __init__
    n2 = item_node.findall('instances/instance/param')[i]
IndexError: list index out of range

Working on a pull request to fix that.
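
The traceback in both comments fails on `item_node.findall('instances/instance/param')[i]`, i.e. on indexing a flat list of `<param>` elements by instance number, which only works while every `<instance>` carries a `<param>` child. The following is an added example, not DefectDojo's parser or a copy of the fix; it builds a small report in the ZAP XML layout (constructed sample, with one instance that has no `<param>`), shows a parallel-list lookup in the style the traceback points at, and a per-instance walk that tolerates missing children. The function and field names are this example's own.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the ZAP XML report layout. The second
# <instance> deliberately has no <param> child, as happens for alerts that
# are not tied to a parameter (e.g. a GET to a page).
SAMPLE_REPORT = """<OWASPZAPReport version="2.10.0" generated="Sat, 1 May 2021 12:00:00">
  <site name="http://172.17.0.2" host="172.17.0.2" port="80" ssl="false">
    <alerts>
      <alertitem>
        <pluginid>10202</pluginid>
        <alert>Absence of Anti-CSRF Tokens</alert>
        <name>Absence of Anti-CSRF Tokens</name>
        <riskcode>1</riskcode>
        <confidence>2</confidence>
        <riskdesc>Low (Medium)</riskdesc>
        <desc>No Anti-CSRF tokens were found in a HTML submission form.</desc>
        <instances>
          <instance>
            <uri>http://172.17.0.2/login.php</uri>
            <method>POST</method>
            <param>username</param>
          </instance>
          <instance>
            <uri>http://172.17.0.2/vulnerabilities/csrf/</uri>
            <method>GET</method>
          </instance>
          <instance>
            <uri>http://172.17.0.2/vulnerabilities/xss_r/</uri>
            <method>GET</method>
            <param>name</param>
          </instance>
        </instances>
        <count>3</count>
        <solution>Use a vetted anti-CSRF library.</solution>
        <cweid>352</cweid>
        <wascid>9</wascid>
      </alertitem>
    </alerts>
  </site>
</OWASPZAPReport>
"""


def first_alert(xml_text):
    """Return the first <alertitem> of a report string (test helper)."""
    # For reports from untrusted scanners, parse with defusedxml instead of
    # the stdlib parser; stdlib is used here so the example runs offline.
    return ET.fromstring(xml_text).find("site/alerts/alertitem")


def parse_parallel_lists(alert):
    """Pair the i-th <uri> with the i-th <param> (the pattern the traceback
    points at). When an instance lacks <param>, the params list is shorter
    than the uris list: earlier rows are silently mis-paired and the last
    lookup raises IndexError."""
    uris = alert.findall("instances/instance/uri")
    params = alert.findall("instances/instance/param")
    return [(uris[i].text, params[i].text) for i in range(len(uris))]


def parse_per_instance(alert):
    """Walk each <instance> and read its own children, defaulting any that
    are absent, so the endpoint count always matches the instance count."""
    endpoints = []
    for inst in alert.findall("instances/instance"):
        endpoints.append({
            "uri": inst.findtext("uri", default=""),
            "method": inst.findtext("method", default=""),
            "param": inst.findtext("param", default=""),
        })
    return endpoints


def parse_report(xml_text):
    """Turn a ZAP XML report into a list of finding dicts, one per alertitem."""
    root = ET.fromstring(xml_text)
    findings = []
    for site in root.findall("site"):
        for alert in site.findall("alerts/alertitem"):
            findings.append({
                "site": site.get("name"),
                "title": alert.findtext("name") or alert.findtext("alert") or "",
                "riskcode": int(alert.findtext("riskcode", default="0")),
                "cwe": alert.findtext("cweid", default=""),
                "endpoints": parse_per_instance(alert),
            })
    return findings


if __name__ == "__main__":
    for finding in parse_report(SAMPLE_REPORT):
        print(finding["title"], finding["cwe"], len(finding["endpoints"]), "endpoints")
```

Note that the parallel-list version is worse than a crash suggests: before the IndexError it pairs the `/vulnerabilities/csrf/` URI with the `name` parameter that belongs to the third instance, so a report that happens to have the same number of missing and trailing params would import with wrong endpoints and no error at all. Reading each instance's children individually avoids both outcomes.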

valentijnscholten commented 3 years ago

fixed in dev / 1.15.0