[security] create basic Jenkins job for ZAP test

RESOLVED INVALID

Status

Cloud Services
QA: Test Automation
2 years ago
8 months ago

People

(Reporter: rpapa, Assigned: sphilp)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

We need a Jenkins build job to run a ZAP security test and produce a discrete PASS/FAIL output.

STEPS
1. set http_proxies
2. start zap daemon with -session arg
3. clone unit test for AUT
4. run unit tests
5. generate HTML report of tests
6. have jenkins parse HTML for alerts "High" (and possibly "Medium") = JOB FAILURE??
7. would we want to create some kind of flake8-like exclusion mechanism?

PLATFORM INSTALLATION
- Ubuntu server only
- No slave-refresh
- Add to puppet script: pin down version to 2.4.3

STEPS - ADDITIONAL
1. export GIT_SSL_NO_VERIFY=1
2. before cloning test repo?
3. do not set https_proxy
4. run unit tests
NOTE: session files are in ~/.ZAP/session/untitled.session.data
5. generate HTML

Simon, is it possible to generate any kind of test output from the CLI?

We ran thru an exercise where we tried to run a headless ZAP session thru http_proxy and it worked well, but the untitled.session.data file seems to be only available in a binary format.

Also, based on some threads, we were wondering if it's currently even possible to generate HTML, XML or PDF from the CLI (not just from the GUI)?
https://groups.google.com/forum/m/#!msg/zaproxy-users/Nv_g8k1Dw9E/H_mEg0GhH7sJ

1. this option works - name sessions from CLI:
   ./zap -newsession session-name-here
2. this doesn't seem to work - generate XML data:
   ./zap.sh -quickout my_output.xml
   at the very least, it doesn't output a file as it supposedly should
Flags: needinfo?(sbennetts)
You _can_ generate reports from the CLI, but I suspect that's not the best option for this situation.
I think you'll be proxying your unit tests via the ZAP daemon and then using the active scanner controlled via the ZAP API.
If that's still the plan then the best option is to generate the reports using the ZAP API.
The API calls are like: zap.core.htmlreport() and zap.core.xmlreport().
You can also page through all of the alerts via the API - this script does that: https://github.com/zapbot/zap-mgmt-scripts/blob/master/wavsep/wavsep-score.py#L249
Let me know if you need any help with this :)
Flags: needinfo?(sbennetts)
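Steps 6 and 7 of the description (fail the job on "High" or "Medium" alerts, with a flake8-like exclusion list) and the suggestion above of paging through alerts via the ZAP API, as an added Python example that is not from this bug, from ZAP or from the zap-mgmt-scripts repo; the alert JSON is constructed, and the fetch_page callable stands in for the zapv2 client's core.alerts(start, count) call so the script runs offline:

```python
import json
from collections import Counter

# Constructed sample of the JSON list that ZAP's core/view/alerts API returns (subset of
# fields): pluginIds follow ZAP's rule ids for these alert types, the AUT URLs are made up.
SAMPLE_ALERTS = json.loads("""[
 {"pluginId": "40012", "risk": "High",   "alert": "Cross Site Scripting (Reflected)", "url": "http://aut.example/search?q=1"},
 {"pluginId": "10038", "risk": "Medium", "alert": "CSP Header Not Set", "url": "http://aut.example/"},
 {"pluginId": "10038", "risk": "Medium", "alert": "CSP Header Not Set", "url": "http://aut.example/login"},
 {"pluginId": "10021", "risk": "Low",    "alert": "X-Content-Type-Options Header Missing", "url": "http://aut.example/app.js"}
]""")

RISK_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}

def parse_ignore_file(text):
    """flake8-style exclusion list: one ZAP pluginId per line, '#' starts a comment."""
    ids = set()
    for line in text.splitlines():
        token = line.split("#", 1)[0].strip()
        if token:
            ids.add(token)
    return ids

def iter_alerts(fetch_page, page_size=100):
    """Page through alerts in start/count windows as the ZAP API serves them; fetch_page(start,
    count) returns one window (in a real job: zap.core.alerts(start=..., count=...) via zapv2)."""
    start = 0
    while True:
        page = fetch_page(start, page_size)
        yield from page
        if len(page) < page_size:      # a short or empty window means we reached the end
            return
        start += page_size

def evaluate(alerts, fail_at="High", ignored=frozenset()):
    """Return (verdict, failing_alerts, counts_by_risk); verdict is the job's PASS/FAIL."""
    threshold = RISK_ORDER[fail_at]
    alerts = list(alerts)
    counts = Counter(a["risk"] for a in alerts)
    failing = [a for a in alerts
               if RISK_ORDER.get(a["risk"], 0) >= threshold and a["pluginId"] not in ignored]
    return ("PASS" if not failing else "FAIL"), failing, counts

if __name__ == "__main__":
    ignored = parse_ignore_file("10038  # CSP rollout tracked in its own bug\n")
    verdict, failing, counts = evaluate(
        iter_alerts(lambda s, n: SAMPLE_ALERTS[s:s + n], page_size=2), "Medium", ignored)
    print(verdict, dict(counts), [a["url"] for a in failing])
    raise SystemExit(0 if verdict == "PASS" else 1)   # non-zero exit fails the Jenkins step
```

Ignored plugin ids still appear in the per-risk counts, so the job log shows what was suppressed even when the verdict is PASS.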
tracking this work in:
https://github.com/stephendonner/docker-zap
https://blog.mozilla.org/webqa/2016/05/11/docker-owasp-zap-part-one/
https://blog.mozilla.org/webqa/2016/06/28/dockerized-owasp-zap-security-scanning-in-jenkins-part-two/
https://blog.mozilla.org/webqa/2016/07/07/tough-lessons-learned-from-integrating-docker-zap-cli-and-jenkins/
Status: NEW → RESOLVED
Last Resolved: 8 months ago
Resolution: --- → INVALID