microsoft / CSEDevOps

Azure DevOps extensions from CSE DevOps team
MIT License

Unable to use custom context file for OWASP Zap Scanner #8

Open whulbert opened 4 years ago

whulbert commented 4 years ago

I am unable to use a custom context file for the OWASP Zap Scanner. I've been able to successfully run the scan, but was hoping to use a custom context for authentication. I created the context file locally and have tried using the file checked into a repo or downloaded using the Download secure file task and none of these methods pulls in and uses the context file.

Here is the YAML from the OWASP Zap Scanner task:

```yaml
steps:
- task: CSE-DevOps.zap-scanner.custom-build-release-task.owaspzap@1
  displayName: 'ZAP Scanner'
  inputs:
    threshold: 1000
    scantype: targetedScan
    url: 'https://my.publicsite.com/dev/'
    provideCustomContext: true
    contextPath: '$(Build.SourcesDirectory)/my-custom-context.context'
    port: 443
```

Not sure if I am using the custom context file incorrectly or there is some setting I need to turn on to have it be pulled in, but let me know if you need anything else from me.

navarojc commented 4 years ago

Hi @doymturner,

I got the same issue. The scanner task didn't use the custom context file. After checking, it seems the input name is incorrect.

In task.json it is provideCustomContext, but the scanner reads from providedCustomContext:

```typescript
let customContextProvided = tl.getBoolInput("providedCustomContext", false);
```

Thanks, Navaroj C.

navarojc commented 4 years ago

@whulbert

You can try updating the input name of the task, so the YAML will be as follows. FYI, it works for me.

```yaml
steps:
- task: CSE-DevOps.zap-scanner.custom-build-release-task.owaspzap@1
  displayName: 'ZAP Scanner'
  inputs:
    threshold: 1000
    scantype: targetedScan
    url: 'https://my.publicsite.com/dev/'
    providedCustomContext: true
    contextPath: '$(Build.SourcesDirectory)/my-custom-context.context'
    port: 443
```

whulbert commented 4 years ago

Thanks @navarojc for looking into this! I am unfortunately still using the classic pipeline editor in Azure DevOps so I don't think I can manually change the input name at this time. Will have to spend some time converting over to YAML.

rsuela commented 3 years ago

Hi @navarojc

I changed my task to "CSE-DevOps.zap-scanner.custom-build-release-task.owaspzap@1" but I still can't see my context being passed in the docker run. Can anyone help?

```
2021-03-01T22:30:06.5890183Z ##[section]Starting: ZAP Scanner
2021-03-01T22:30:06.5895823Z ==============================================================================
2021-03-01T22:30:06.5896095Z Task : OWASP Zap Scanner
2021-03-01T22:30:06.5896344Z Description : Utilize the OWASP/ZAP scanner within Azure DevOps
2021-03-01T22:30:06.5896556Z Version : 1.0.1
2021-03-01T22:30:06.5896753Z Author : Doyle Turner, Anthony Turner
2021-03-01T22:30:06.5896952Z Help :
2021-03-01T22:30:06.5897179Z ==============================================================================
2021-03-01T22:30:06.9813387Z [command]/usr/bin/chmod 777 /home/vsts/work/1/s/owaspzap
2021-03-01T22:30:06.9870422Z [command]/usr/bin/id -u root
2021-03-01T22:30:06.9901673Z 0
2021-03-01T22:30:06.9919502Z [command]/usr/bin/docker run -u 0 -v /home/vsts/work/1/s/owaspzap:/zap/wrk/:rw owasp/zap2docker-stable zap-full-scan.py -t { redacted } -J report.json -r report.html
2021-03-01T22:30:07.7607530Z Unable to find image 'owasp/zap2docker-stable:latest' locally
2021-03-01T22:30:11.3719563Z latest: Pulling from owasp/zap2docker-stable
2021-03-01T22:30:11.3723473Z 83ee3a23efb7: Pulling fs layer
2021-03-01T22:30:11.3724696Z db98fc6f11f0: Pulling fs layer
```

tsluyter commented 3 years ago

> In task.json, it is provideCustomContext, but in the scanner read from providedCustomContext. `let customContextProvided = tl.getBoolInput("providedCustomContext", false);`

@navarojc : thank you for identifying both the bug and the work-around.

I can confirm that the plugin code has a bug in it. The officially documented option provideCustomContext: true gets ignored and you have to use the typo version **provided**CustomContext: true.

Ideally we would create a fix ourselves and submit it through a pull request. I hope that the project team still pays attention to our activity.

EDIT: Oh, great. The actual code isn't part of this repository. This is only the documentation. 👎

@BSamodien can your team help on resolving this bug in the plugin?

tsluyter commented 3 years ago

Along similar lines I've noticed that you can point at the correct file location all you want, ZAP isn't going to find it because the file is not copied into the correct ZAP working directory. There's all kinds of wonkiness going on with this plugin.

DrMueller commented 1 year ago

@tsluyter @DariuszPorowski Did you ever manage to make this work? It seems like the contextPath is completely ignored. Generally, the Zap folder hasn't been updated for a year; is it to be considered dead and should it not be used productively?