Unable to use custom context file for OWASP Zap Scanner
I am unable to use a custom context file for the OWASP Zap Scanner. I've been able to successfully run the scan, but was hoping to use a custom context for authentication. I created the context file locally and have tried using the file checked into a repo or downloaded using the Download secure file task and none of these methods pulls in and uses the context file.
Here is the YAML from the OWASP Zap Scanner task:
```yaml
steps:
- task: CSE-DevOps.zap-scanner.custom-build-release-task.owaspzap@1
  displayName: 'ZAP Scanner'
  inputs:
    threshold: 1000
    scantype: targetedScan
    url: 'https://my.publicsite.com/dev/'
    provideCustomContext: true
    contextPath: '$(Build.SourcesDirectory)/my-custom-context.context'
    port: 443
```
Not sure if I am using the custom context file incorrectly or there is some setting I need to turn on to have it be pulled in, but let me know if you need anything else from me.
Hi @doymturner ,
I got the same issue. The scanner task didn't use the custom context file. After checking, it seems the input name is incorrect.
In task.json it is `provideCustomContext`, but the scanner reads it from `providedCustomContext`:
```javascript
let customContextProvided = tl.getBoolInput("providedCustomContext", false);
```
Thanks, Navaroj C.
@whulbert
You can try to update the input name of the task, so the YAML will be as follows. FYI, it works for me.
```yaml
steps:
- task: CSE-DevOps.zap-scanner.custom-build-release-task.owaspzap@1
  displayName: 'ZAP Scanner'
  inputs:
    threshold: 1000
    scantype: targetedScan
    url: 'https://my.publicsite.com/dev/'
    providedCustomContext: true
    contextPath: '$(Build.SourcesDirectory)/my-custom-context.context'
    port: 443
```
Thanks @navarojc for looking into this! I am unfortunately still using the classic pipeline editor in Azure DevOps so I don't think I can manually change the input name at this time. Will have to spend some time converting over to YAML.
Hi @navarojc
I changed my task to "CSE-DevOps.zap-scanner.custom-build-release-task.owaspzap@1" but I still can't see my context being passed in the docker run. Can anyone help?
```
2021-03-01T22:30:06.5890183Z ##[section]Starting: ZAP Scanner
2021-03-01T22:30:06.5895823Z ==============================================================================
2021-03-01T22:30:06.5896095Z Task         : OWASP Zap Scanner
2021-03-01T22:30:06.5896344Z Description  : Utilize the OWASP/ZAP scanner within Azure DevOps
2021-03-01T22:30:06.5896556Z Version      : 1.0.1
2021-03-01T22:30:06.5896753Z Author       : Doyle Turner, Anthony Turner
2021-03-01T22:30:06.5896952Z Help         :
2021-03-01T22:30:06.5897179Z ==============================================================================
2021-03-01T22:30:06.9813387Z [command]/usr/bin/chmod 777 /home/vsts/work/1/s/owaspzap
2021-03-01T22:30:06.9870422Z [command]/usr/bin/id -u root
2021-03-01T22:30:06.9901673Z 0
2021-03-01T22:30:06.9919502Z [command]/usr/bin/docker run -u 0 -v /home/vsts/work/1/s/owaspzap:/zap/wrk/:rw owasp/zap2docker-stable zap-full-scan.py -t { redacted } -J report.json -r report.html
2021-03-01T22:30:07.7607530Z Unable to find image 'owasp/zap2docker-stable:latest' locally
2021-03-01T22:30:11.3719563Z latest: Pulling from owasp/zap2docker-stable
2021-03-01T22:30:11.3723473Z 83ee3a23efb7: Pulling fs layer
2021-03-01T22:30:11.3724696Z db98fc6f11f0: Pulling fs layer
```
> In task.json it is `provideCustomContext`, but the scanner reads it from `providedCustomContext`:
> `let customContextProvided = tl.getBoolInput("providedCustomContext", false);`
@navarojc : thank you for identifying both the bug and the work-around.
I can confirm that the plugin code has a bug in it. The officially documented option provideCustomContext: true gets ignored and you have to use the typo version **provided**CustomContext: true.
Ideally we would create a fix ourselves and submit it through a pull request. I hope that the project team still pays attention to our activity.
EDIT: Oh, great. The actual code isn't part of this repository. This is only the documentation. 👎
@BSamodien can your team help on resolving this bug in the plugin?
Along similar lines I've noticed that you can point at the correct file location all you want, ZAP isn't going to find it because the file is not copied into the correct ZAP working directory. There's all kinds of wonkiness going on with this plugin.
@tsluyter @DariuszPorowski Did you ever manage to make this work? It seems like the contextPath is completely ignored. Generally, the Zap folder hasn't been updated for a year; is it to be considered dead and not to be used in production?