Closed dhartford closed 5 years ago
@dhartford Yeah, the permissions issues with ZAP in OpenShift are continual and frustrating... Additionally, running just the baseline scan is of limited value. On my most recent outing with ZAP, we ended up using Selenium Grid to run automated tests through ZAP as a proxy, then using the API call to retrieve the report from ZAP via a Jenkins pipeline job. You can see examples here:
Since the baseline scan is of limited value (it just spiders the site and doesn't work with single-page apps), I really have no intention of continuing to try to make it work. If you're interested in trying to make it work, I am willing to review a pull request.
Cheers,
Deven
UPDATE: probably need to update the README.md, but here is how to get the report to work (if you still want to use it in its current state, e.g. for server-side rendered sites vs. SPAs, related to the concern @InfoSec812 rightly mentioned).
Change your -x argument to just the filename; avoid hyphens or any special characters. Do not put a directory location.
/zap/zap-baseline.py -d -m 5 -x zaprpt.xml -t <targeturl>
Stash/copy/pull the file from:
/zap/wrk/zaprpt.xml
Thank you!
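The workaround above boils down to two rules (a bare report filename with no directory and no hyphens or special characters, then collecting the file from /zap/wrk). The following POSIX shell helper is an added example, not code from this issue or from the zap2docker project: it enforces those rules before invoking zap-baseline.py and then copies the report out for stashing. It assumes the official image layout (/zap/zap-baseline.py, working directory /zap/wrk); the STASH_DIR default is a hypothetical path.

```shell
#!/bin/sh
# Added example (not part of the issue thread): wrap zap-baseline.py so the
# -x report name follows the workaround from the thread, then copy the
# generated report out of the container working directory (/zap/wrk).
# Assumptions: ZAP is installed under /zap as in the official docker image;
# the default stash directory below is hypothetical.

# Return 0 if NAME is a bare filename made only of letters, digits,
# underscores and dots: no path separators, no hyphens, nothing else.
valid_report_name() {
    name="$1"
    case "$name" in
        ''|*/*|*-*) return 1 ;;
    esac
    case "$name" in
        *[!A-Za-z0-9_.]*) return 1 ;;
    esac
    return 0
}

# Print the zap-baseline.py command line for TARGET and report NAME, or
# fail (exit 1) when the name would hit the I/O error described in the issue.
build_scan_cmd() {
    target="$1"
    name="$2"
    valid_report_name "$name" || return 1
    printf '%s\n' "/zap/zap-baseline.py -d -m 5 -x $name -t $target"
}

# Run the baseline scan for TARGET, writing report NAME, and copy the report
# from /zap/wrk to STASH_DIR so a later pipeline stage can pick it up.
run_baseline_scan() {
    target="$1"
    name="$2"
    stash_dir="${3:-/tmp/zap-reports}"   # hypothetical stash location
    cmd=$(build_scan_cmd "$target" "$name") || {
        echo "report name '$name' must be a bare filename without hyphens or special characters" >&2
        return 2
    }
    # zap-baseline.py exits non-zero when it raises warnings or failures;
    # keep going so the report is still collected for downstream tooling.
    sh -c "$cmd" || echo "baseline scan exited with status $? (alerts found or scan error)" >&2
    mkdir -p "$stash_dir"
    cp "/zap/wrk/$name" "$stash_dir/$name"
}

# Usage (from inside the ZAP container or a pipeline step that runs there):
#   run_baseline_scan http://app.example.test zaprpt.xml /tmp/zap-reports
```

With a name like zaproxy-report.xml or a full path under /var/lib/jenkins/.ZAP, build_scan_cmd refuses to run, which surfaces the misconfiguration in the pipeline log instead of an opaque I/O error from ZAP.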
Hi Team, really excited to get this working in an OpenShift pipeline as part of our process, but I'm really stuck (like week-long stuck) on how to get the reports generated (where the intent is to then 'stash' the report and pass it to a Maven node downstream in the pipeline for SonarQube).
The following works fine:
/zap/zap-baseline.py -d -m 5 -t <targeturl>
But adding a report (-x) causes I/O file problems and the report never gets generated:
/zap/zap-baseline.py -d -m 5 -x /var/lib/jenkins/.ZAP/zaproxy-report.xml -t <targeturl>
Jenkins Console when doing -x report (no i/o or file issues without -x):
Secondarily, I'm having a lot of problems trying to do diagnostics in OpenShift:
OpenShift 3.10, ZAP proxy as of 'current' from this GitHub location. Made a modification to zap_baseline.py to remove add-on updates because of reduced internet access.