class Pipeline::Zap
Public Class Methods
new(trigger,tracker)
Calls superclass method
Pipeline::BaseTask::new
# File lib/pipeline/tasks/zap.rb, line 12
# Builds the ZAP task: hands trigger and tracker to the superclass
# constructor, then fills in the metadata that identifies this task.
#
# @param trigger passed through unchanged to the superclass
# @param tracker passed through unchanged to the superclass
def initialize(trigger, tracker)
  # Zero-argument super forwards this method's own arguments as received.
  super
  @name, @description = "ZAP", "App Scanning"
  @stage = :live
  # @labels is not assigned in this method; presumably the superclass
  # creates it -- confirm against Pipeline::BaseTask.
  @labels << "live"
end
Public Instance Methods
analyze()
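# File lib/pipeline/tasks/zap.rb, line 66
# Turns the raw ZAP alerts JSON held in @result into reported findings.
#
# Every entry of the "alerts" array is handed to +report+ with a description,
# a detail text, a source, a severity (from +severity+) and a fingerprint.
# Errors while parsing or processing are logged with Pipeline.warn and
# announced with Pipeline.notify; they are not re-raised.
def analyze
  alerts = JSON.parse(@result)["alerts"]
  count = 0
  alerts.each do |alert|
    count += 1
    # Alert fields can be null in the JSON. String + nil raises TypeError,
    # which used to abort the loop and silently drop every remaining finding,
    # so the fields are coerced to strings before concatenation.
    url = alert["url"].to_s
    param = alert["param"].to_s
    title = alert["alert"].to_s

    description = alert["description"]
    detail = "Url: #{url} Param: #{param} \nReference: #{alert["reference"]}\n" +
             "Solution: #{alert["solution"]}\nCWE: #{alert["cweid"]}\tWASCID: #{alert["wascid"]}"
    source = "#{@name}#{url}"
    sev = severity alert["risk"]
    # The fingerprint is built from task name + url + alert title + parameter,
    # unchanged for alerts whose fields are all strings.
    fingerprint = "#{@name}#{url}#{title}#{param}"
    report description, detail, source, sev, fingerprint
  end
  Pipeline.debug "ZAP Identified #{count} issues."
rescue StandardError => e
  # StandardError rather than Exception: interrupts and exit requests must
  # not be swallowed and turned into a "problem running" notice.
  Pipeline.warn e.message
  Pipeline.notify "Problem running ZAP."
end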
get_scan_id(response)
# File lib/pipeline/tasks/zap.rb, line 50
# Pulls the scan identifier out of a ZAP API response.
#
# @param response an object whose +body_str+ holds a JSON document
# @return the value stored under the "scan" key of the parsed document
def get_scan_id(response)
  JSON.parse(response.body_str)["scan"]
end
poll_until_100(url)
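# File lib/pipeline/tasks/zap.rb, line 55
# Polls a ZAP status URL every 5 seconds until it reports "100" or the poll
# budget (101 requests) is used up.
#
# When the budget runs out first, a warning is logged: the caller goes on to
# collect alerts either way, and results from an unfinished spider or active
# scan would otherwise look like a complete, clean run.
#
# @param url [String] status endpoint returning JSON with a "status" field
# @return [nil]
def poll_until_100(url)
  polls = 0
  finished = false
  loop do
    sleep 5
    status = JSON.parse(Curl.get(url).body_str)
    polls += 1
    Pipeline.notify "Count ... #{polls}"
    finished = status["status"] == "100"
    break if finished || polls > 100
  end
  unless finished
    Pipeline.warn "ZAP did not reach 100% after #{polls} polls of #{url}; results may be incomplete."
  end
  nil
end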
run()
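# File lib/pipeline/tasks/zap.rb, line 20
# Drives one ZAP scan of @trigger.path through the ZAP JSON API and stores
# the raw alerts document in @result.
#
# Steps, in order: new session, new throw-away context (random UUID name)
# that includes the target, spider, active scan, fetch alerts, remove the
# context. Every value placed in a query string is form-encoded, so
# characters such as "&", "#" or "=" in the target path or API token cannot
# add, override or truncate parameters of the ZAP API call.
def run
  require 'uri' # URI supplies the form-encoding helper used below

  rootpath = @trigger.path
  base = "#{@tracker.options[:zap_host]}:#{@tracker.options[:zap_port]}"
  apikey = "#{@tracker.options[:zap_api_token]}"
  context = SecureRandom.uuid
  Pipeline.debug "Running ZAP on: #{rootpath} from #{base} with #{context}"

  encode = ->(value) { URI.encode_www_form_component(value.to_s) }
  # The API key travels in the query string of every action call, so it can
  # show up in logs of anything sitting between this task and ZAP.
  key = encode.call(apikey)
  target = encode.call(rootpath)
  # rootpath is used verbatim as a regex prefix: characters like "." keep
  # their regex meaning, so the scope can be slightly wider than the literal URL.
  scope = encode.call("#{rootpath}.*")

  # Create a new session so that the findings will be new.
  Curl.get("#{base}/JSON/core/action/newSession/?zapapiformat=JSON&apikey=#{key}&name=&overwrite=")

  # Set up Context
  Curl.get("#{base}/JSON/context/action/newContext/?&apikey=#{key}&contextName=#{context}")
  Curl.get("#{base}/JSON/context/action/includeInContext/?apikey=#{key}&contextName=#{context}&regex=#{scope}")

  # Spider
  spider = get_scan_id(
    Curl.get("#{base}/JSON/spider/action/scan/?apikey=#{key}&url=#{target}&context=#{context}")
  )
  poll_until_100("#{base}/JSON/spider/view/status/?scanId=#{spider}")

  # Active Scan
  scan = get_scan_id(
    Curl.get("#{base}/JSON/ascan/action/scan/?apikey=#{key}&recurse=true&inScopeOnly=true&url=#{target}")
  )
  poll_until_100("#{base}/JSON/ascan/view/status/?scanId=#{scan}")

  # Result
  @result = Curl.get("#{base}/JSON/core/view/alerts/?baseurl=#{target}").body_str

  # Remove Context
  Curl.get("#{base}/JSON/context/action/removeContext/?&apikey=#{key}&contextName=#{context}")
end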
supported?()
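# File lib/pipeline/tasks/zap.rb, line 88
# Asks the configured ZAP instance for its version and accepts only
# 2.4.x and 2.5.x.
#
# @return [Boolean] true for an accepted version; otherwise a notice is sent
#   through Pipeline.notify and false is returned
def supported?
  base = "#{@tracker.options[:zap_host]}:#{@tracker.options[:zap_port]}"
  supported = JSON.parse(Curl.get("#{base}/JSON/core/view/version/").body_str)
  # Anchored at the start and with literal dots: the previous pattern
  # /2.(4|5).\d+/ matched anywhere in the string and treated "." as a
  # wildcard, so values like "12.4.0" or "2x4y1" were accepted.
  # NOTE(review): the notice below says "2.4.0 and up", yet only 2.4.x and
  # 2.5.x pass this check -- confirm which range is intended.
  return true if supported["version"].to_s =~ /\A2\.(4|5)\.\d+/

  Pipeline.notify "Install ZAP from owasp.org and ensure that the configuration to connect is correct.  Supported versions = 2.4.0 and up - got #{supported['version']}"
  false
end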