zaproxy / action-baseline

A GitHub Action for running the ZAP Baseline scan
Apache License 2.0

Octokit problem #34

Closed njox closed 1 year ago

njox commented 4 years ago

Hi, when I trigger the module I got this:

FAIL-NEW: 0 FAIL-INPROG: 0  WARN-NEW: 8 WARN-INPROG: 0  INFO: 0 IGNORE: 0   PASS: 43
[@octokit/rest] `const Octokit = require("@octokit/rest")` is deprecated. Use `const { Octokit } = require("@octokit/rest")` instead
##[error]The ZAP Baseline scan has failed, starting to analyze the alerts. err: Error: The process '/usr/bin/docker' failed with exit code 2
Alerts present in the current report: true
Process completed successfully and a new issue #2 has been created for the ZAP Scan.

It seems that the importing library @octokit/rest is wrong.

thc202 commented 4 years ago

The warning is caused by a dependency (@actions/github) not this action, we'll have to update it.

njox commented 4 years ago

Thanks for your fast response. When will a new update come?

kingthorin commented 4 years ago

It seems to be behaving as expected. It exited code 2 because you have new warnings.

What's the issue you're trying to report?

thc202 commented 4 years ago

When will a new update come?

There's no ETA for the update/release.

What's the issue you're trying to report?

I think that, despite everything working as expected, it is better to update because of the warning.

njox commented 4 years ago

I can't share repository and log because it's private and has copyright. But the workflow is:

  1. Create a deployment package for AWS EBS
  2. Upload package to AWS S3 Bucket
  3. Trigger application update from AWS S3 Bucket
  4. Perform ZAP scan (basic configuration - using only the target in the with property)

On step 4 I got a warning/issue which forces the action to fail, but it will create a report file.

Thanks

thc202 commented 4 years ago

The Octokit warning is not the cause of the build failing; the cause is the warnings/alerts ZAP found: WARN-NEW: 8.

richAtreides commented 4 years ago

To be clear, why would it fail if there is a warning? Is this just a hacky way of giving alerts? How do you change the verbosity so that it fails on actual issues only?

thc202 commented 4 years ago

If with "it" you are referring to the action itself, that's #31.

richAtreides commented 4 years ago

If with "it" you are referring to the action itself, that's #31.

@thc202 that issue perfectly covers my concern. Is there a way to stop this just failing if it finds any warnings but instead configure it? Or is that to be built?

psiinon commented 4 years ago

You can just specify a rules file with the relevant rules to IGNORE instead of WARN.

njox commented 4 years ago

Hi guys,

Just tried the new release v0.3.0 and got:

  1. Basic configuration - The ZAP Baseline scan has failed, starting to analyze the alerts. err: Error: The process '/usr/bin/docker' failed with exit code 2. After that, I saw there is a new parameter fail_action.
  2. Tried the fail_action parameter in with, with the value true or false, which produces an error: Unexpected input(s) 'fail_action', valid inputs are ['token', 'target', 'rules_file_name', 'docker_name', 'cmd_options', 'issue_title']

By default the ZAP Docker container will fail, which is alright, but can we add and set fail_action to false if we want to ignore warnings, which will cause the action to pass?

Thanks

kingthorin commented 4 years ago

@njox the fail_action handling hasn't been released yet. You'd have to use the action based on commit id or wait for v0.4.0
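Putting psiinon's rules-file suggestion and the fail_action input (available from v0.4.0, per the comment above) together, here is an added example workflow; it is not from this thread or from the zaproxy project. It assumes the rules file is tab separated with one rule per line (rule id, then IGNORE/WARN/FAIL, then a comment in parentheses), that rules_file_name is resolved relative to the repository root, and that the target URL is a placeholder. The rule ids 10021 and 10038 are sample values; take the ids you actually want to downgrade from the alerts listed in your own report.

```yaml
# Added example workflow (not from the issue thread or the zaproxy project).
on: [push]

jobs:
  zap_scan:
    runs-on: ubuntu-latest
    name: Scan the web application
    steps:
      - name: Checkout
        uses: actions/checkout@v2

      # Illustration only: in a real repository commit .zap/rules.tsv instead
      # of generating it in the workflow. Fields are tab separated:
      # rule id, action, comment. The action is IGNORE (not reported),
      # WARN (reported, and the scan exits with code 2 as seen in this thread)
      # or FAIL. Rule ids below are sample values.
      - name: Write ZAP rules file
        run: |
          mkdir -p .zap
          printf '10021\tIGNORE\t(X-Content-Type-Options Header Missing)\n' > .zap/rules.tsv
          printf '10038\tIGNORE\t(Content Security Policy (CSP) Header Not Set)\n' >> .zap/rules.tsv

      - name: ZAP Scan
        uses: zaproxy/action-baseline@v0.4.0
        with:
          target: 'https://staging.example.com'   # placeholder target
          rules_file_name: '.zap/rules.tsv'
          # false: alerts are still filed in the GitHub issue, but the job
          # stays green. true: keep the non-zero exit behaviour described
          # earlier in this thread.
          fail_action: false
```

Downgrading a rule to IGNORE hides it from the report entirely, so keep the rules file small and reviewed: the safer pattern is to leave rules at WARN, set fail_action: false while the findings are triaged, and turn fail_action back on once the remaining alerts are ones the team agrees should block a build.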

masonator commented 4 years ago

Having the same problem and tried the various workarounds but didn't have any luck. Is there an ETA for v0.4.0 currently? Would love to start using the action in production, but at the moment it fails our builds.

thc202 commented 4 years ago

For the record, the new version is now available.

njox commented 4 years ago

Currently, I can't check the new version, but someone can test it, and if everything seems to be ok then the issue can be closed.

Thanks

richAtreides commented 4 years ago

Currently, I can't check the new version, but someone can test it, and if everything seems to be ok then the issue can be closed.

Thanks

I'll be online in about an hour and can test it to close the issue.

thc202 commented 4 years ago

The issue should be kept open as the deprecation was not yet addressed.

SamRobinsonDev commented 4 years ago

Issue still seems to be reproducing on v0.4.0, albeit with an exit code 3 instead of 2.

Error: failed to scan the target: Error: The process '/usr/bin/docker' failed with exit code 3

kingthorin commented 4 years ago

@samrobinson123 please provide a link to your config/use.

SamRobinsonDev commented 4 years ago

@kingthorin The workflow is part of a private repository, so I'll put it here.

Please note, I've removed the target website in this example.

on: [push]

jobs:
  zap_scan:
    runs-on: ubuntu-latest
    name: Scan the web application
    steps:
      - name: Checkout
        uses: actions/checkout@v2
        with:
          ref: main
      - name: ZAP Scan
        uses: zaproxy/action-baseline@v0.4.0
        with:
          target: 'My target'

kingthorin commented 4 years ago

Thanks.

You mentioned your use exited with code 3, that's not related to Alerts, you seem to have some other failure. Ref: https://github.com/zaproxy/zaproxy/blob/efb404d38280dc9ecf8f88c9b0c658385861bdcf/docker/zap-baseline.py#L31-L35

kingthorin commented 4 years ago

The issue should be kept open as the deprecation was not yet addressed.

@sshniro is addressing the deprecation warning as simple as updating our dependencies?

thc202 commented 4 years ago

The update would address the warning (https://github.com/actions/toolkit/issues/333); not sure if it's as simple as that, it's a major update (from 1.x to 2.x).

sshniro commented 3 years ago

Hi @kingthorin , I will test this scenario in the coming weekend and will send a PR.

jasikpark commented 3 years ago

I am getting a similar error: https://github.com/jasikpark/jasik-xyz/runs/1521221382?check_suite_focus=true

rubaljain commented 3 years ago

Was this issue resolved? Do we have configurable fail_action to pass the workflow even if we observe the findings?

thc202 commented 3 years ago

The issue #31 was resolved and released in the latest version.

rxerium commented 1 year ago

Hey, did anyone find a fix for the Octokit dependency issue? I'm running zaproxy/action-baseline@v0.7.0. Thanks

thc202 commented 1 year ago

This no longer happens with the latest version (v0.8.0).