rht-labs / owasp-zap-openshift

A Docker build for OWASP Zed Attack Proxy to be used in CI/CD pipelines

ZAP reports i/o error no such file on openshift #7

Closed dhartford closed 5 years ago

dhartford commented 5 years ago

Hi Team, Really excited to get this working in the openshift pipeline as part of our process, but I'm really stuck (like week-long stuck) on how to get the reports generated (where the intent is to then 'stash' the report and pass it to a maven node downstream in the pipeline for sonarqube).

the following works fine /zap/zap-baseline.py -d -m 5 -t <targeturl>

But adding a report (-x) causes i/o file problems and never gets generated /zap/zap-baseline.py -d -m 5 -x /var/lib/jenkins/.ZAP/zaproxy-report.xml -t <targeturl>

Jenkins Console when doing -x report (no i/o or file issues without -x):

2019-01-14 14:25:48,308 Spider complete
2019-01-14 14:25:48,314 Records to scan...
2019-01-14 14:25:48,323 Passive scanning complete
2019-01-14 14:25:48,336 Total number of alerts: 0
2019-01-14 14:25:48,345 I/O error(2): No such file or directory
Total of 4 URLs
PASS: Cookie No HttpOnly Flag [10010]
PASS: Cookie Without Secure Flag [10011]
PASS: Password Autocomplete in Browser [10012]
PASS: Incomplete or No Cache-control and Pragma HTTP Header Set [10015]
PASS: Web Browser XSS Protection Not Enabled [10016]
PASS: Cross-Domain JavaScript Source File Inclusion [10017]
PASS: Content-Type Header Missing [10019]
PASS: X-Frame-Options Header Scanner [10020]
PASS: X-Content-Type-Options Header Missing [10021]
PASS: Secure Pages Include Mixed Content [10040]
PASS: Private IP Disclosure [2]
PASS: Session ID in URL Rewrite [3]
PASS: Script Passive Scan Rules [50001]
PASS: Application Error Disclosure [90022]
ERROR No such file or directory

Secondarily, having a lot of problems trying to do diagnostics in-openshift:

openshift 3.10, zap proxy as of 'current' from this github location. Made a modification to zap_baseline.py to remove add-on updates related to reduced internet access.

InfoSec812 commented 5 years ago

@dhartford Yeah, the permissions issues with ZAP in OpenShift are continual and frustrating... Additionally, running just the baseline scan is of limited value. On my most recent outing with ZAP, we ended up using Selenium Grid to run automated tests through ZAP as a proxy, then using the API call to retrieve the report from ZAP via a Jenkins pipeline job. You can see examples here:

Since the baseline scan is of limited value (it just spiders the site and doesn't work with single-page apps) I really have no intention of continuing to try to make it work. If you're interested in trying to make it work, I am willing to review a pull request.

Cheers,

Deven
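The API-based retrieval Deven describes (ZAP running as a proxy for the Selenium tests, with the report pulled afterwards from the ZAP daemon) sidesteps the file-permission problem entirely. The following shell helper is an added example, not code from this project or from either commenter; it assumes the daemon is reachable at ZAP_URL and was started with the API key in ZAP_API_KEY (both assumed variable names), and uses ZAP's standard report endpoints under /OTHER/core/other/.

```shell
#!/bin/sh
# Added example, not from the owasp-zap-openshift project: pull a report out of
# a running ZAP daemon over its REST API instead of relying on the baseline
# script's -x file. ZAP_URL and ZAP_API_KEY are assumed names for this script.
ZAP_URL="${ZAP_URL:-http://zap:8080}"

# Build the report endpoint URL; fmt is "xml" or "html".
zap_report_url() {
    case "$1" in
        xml|html) printf '%s/OTHER/core/other/%sreport/\n' "$ZAP_URL" "$1" ;;
        *) echo "unsupported report format: $1" >&2; return 1 ;;
    esac
}

# Fetch the report to a file, sending the API key in the header ZAP expects.
# -f makes curl fail on an HTTP error (e.g. wrong key) instead of saving the
# error page as if it were the report.
zap_fetch_report() {
    fmt="$1"; out="$2"
    url="$(zap_report_url "$fmt")" || return 1
    curl -fsS -H "X-ZAP-API-Key: ${ZAP_API_KEY:?set ZAP_API_KEY}" -o "$out" "$url"
}

# Typical pipeline use, run on a node that can reach the ZAP daemon:
#   zap_fetch_report xml zaprpt.xml && stash the file for the sonarqube stage
```

Because the report is written by the Jenkins agent rather than by the ZAP process, it lands in the workspace with the agent's own permissions, which is exactly what a downstream stash step needs.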

dhartford commented 5 years ago

UPDATE: probably need to update the README.md, but here is how to get the report to work (if you still want to use it in its current state, e.g. for server-side rendered apps vs. SPAs, related to the concerns @InfoSec812 rightfully mentioned).

Change your -x to be just the filename, avoid hyphens or any special characters. Do not put a directory location.

/zap/zap-baseline.py -d -m 5 -x zaprpt.xml -t <targeturl>

stash/copy/pull the file from: /zap/wrk/zaprpt.xml
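To make the workaround above harder to get wrong in a pipeline, here is an added shell wrapper (not code from the project or from dhartford) that enforces the bare-filename rule before calling the baseline script and then copies the result out of /zap/wrk. It assumes the image layout described in this thread (/zap/zap-baseline.py and /zap/wrk); ZAP_WRK and ZAP_OUT are assumed variable names.

```shell
#!/bin/sh
# Added example, not from the owasp-zap-openshift project: wrap the baseline
# scan so the -x argument follows the workaround from this issue (bare filename,
# no directory, no hyphens or special characters), then copy the report out of
# /zap/wrk for a Jenkins stash step. ZAP_WRK / ZAP_OUT are assumed names.
ZAP_WRK="${ZAP_WRK:-/zap/wrk}"
ZAP_OUT="${ZAP_OUT:-./zap-reports}"

# Accept only letters, digits, dot and underscore: no path separator, no hyphen.
zap_report_name_ok() {
    case "$1" in
        ''|*/*|*-*) return 1 ;;
        *[!A-Za-z0-9_.]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Where the baseline script actually writes the report inside the container.
zap_report_path() {
    printf '%s/%s\n' "$ZAP_WRK" "$1"
}

# Run the scan with -x <name> only, then copy the file out of /zap/wrk.
# The baseline script exits non-zero when it reports WARN/FAIL findings, so
# the report is copied regardless and the scan's exit code is passed through.
run_baseline_with_report() {
    target="$1"; name="$2"
    zap_report_name_ok "$name" || {
        echo "report name '$name' must be a bare filename without hyphens or special characters" >&2
        return 2
    }
    /zap/zap-baseline.py -d -m 5 -x "$name" -t "$target"
    rc=$?
    mkdir -p "$ZAP_OUT"
    cp "$(zap_report_path "$name")" "$ZAP_OUT/" || return 1
    return $rc
}

# Usage from a Jenkins sh step (target URL is a placeholder):
#   run_baseline_with_report https://app.example.test zaprpt.xml
```

The original failing invocation, -x /var/lib/jenkins/.ZAP/zaproxy-report.xml, is rejected by the check on two counts (directory component and hyphen), which is a clearer failure than the I/O error(2) in the console log above.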

dhartford commented 5 years ago

https://github.com/rht-labs/owasp-zap-openshift/pull/8

InfoSec812 commented 5 years ago

Thank you!