OWASP ZAP: Active Scanner in Continuous Integration
Trying to use ZAP (2.4.3) in a continuous integration (CI) setting. I can run ZAP as a daemon, run all my Selenium tests (in Java) using ZAP as a proxy, and then use the REST API, calling `htmlreport`, to get a final report of the Passive Scanner. This works fine, but I would like to also use the Active Scanner.

Using the Active Scanner in CI is mentioned several times in ZAP's documentation, but I haven't found any working example or tutorial about it... does any exist?

What I would like to achieve is something like: run the Active Scanner on all the pages visited by the Selenium regression suite, once it has finished running.

Trying to look at ZAP's REST API, but it is mostly undocumented: https://github.com/zaproxy/zaproxy/wiki/ApiGen_Index

Ideally, it would be great to have something like:

In the REST API it seems there is something related, but:

- `ascan/scan` needs a URL as input. I could call `core/urls` to see what the Selenium tests have visited, but then how do I set the right authentication (login credentials)? What if the order in which the URLs are visited is important?
- `ascan/scanAsUser`, but it is unclear how `contextId` and `userId` can be retrieved from ZAP.

A cumbersome workaround would be to modify the Selenium tests to write to disk the URLs they visit and which login/password credentials they are using, and then, once all tests are finished, to read that info from disk to call ZAP.

OK, so there's a lot of questions here :)

ZAP typically scans hierarchies of URLs, e.g. everything under https://www.example.com/app, the top-level URL of your application. We kind of assume you know what that will be ;)

Authentication is non-trivial to handle, see https://github.com/zaproxy/zaproxy/wiki/FAQformauth

The `ascan/status` call returns the completed %.

You may find the ZAP User Group http://groups.google.com/group/zaproxy-users better for these sorts of questions. But yes, we do need to improve the API documentation :/

Cheers,

Simon (ZAP Project Lead)
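A CI driver for the flow Simon describes (active-scan the application's top-level URL, poll `ascan/status` until it reports 100%, then read the alerts and fail the build on High-risk findings), as an added example that is not from the question, the answer or the ZAP project. It assumes ZAP's JSON API URL layout `/JSON/<component>/<action|view>/<name>/` with an `apikey` query parameter and the response shapes noted in the comments; `FakeZap` is a constructed stand-in for the daemon so the script can run offline.

```python
import json
import time
import urllib.parse
import urllib.request

def http_get(url):  # default getter: blocking GET against a real ZAP daemon
    return urllib.request.urlopen(url, timeout=30).read().decode("utf-8")

def run_active_scan(base, target, apikey, get=http_get, poll_seconds=5, max_polls=720):
    """Start ascan/scan on `target`, poll ascan/status until 100%, return (scan_id, alerts)."""
    def api(component, kind, name, **params):  # one call to /JSON/<component>/<kind>/<name>/
        query = urllib.parse.urlencode({"apikey": apikey, **params})
        return json.loads(get(f"{base.rstrip('/')}/JSON/{component}/{kind}/{name}/?{query}"))
    scan_id = api("ascan", "action", "scan", url=target, recurse="true")["scan"]  # {"scan": "<id>"}
    for _ in range(max_polls):
        status = api("ascan", "view", "status", scanId=scan_id)  # {"status": "<percent complete>"}
        if int(status["status"]) >= 100:
            break
        time.sleep(poll_seconds)
    else:
        raise TimeoutError(f"active scan {scan_id} did not finish within the polling budget")
    return scan_id, api("core", "view", "alerts", baseurl=target)["alerts"]

def fail_build_on(alerts, minimum="High"):
    """CI gate: alerts at or above `minimum` risk (Informational < Low < Medium < High)."""
    rank = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}
    return [a for a in alerts if rank.get(a.get("risk"), 0) >= rank[minimum]]

class FakeZap:
    """Constructed stand-in for a ZAP daemon (not real ZAP output) so the flow runs offline."""
    polls = 0  # status calls seen so far; the second one reports the scan complete

    def get(self, url):
        path = urllib.parse.urlparse(url).path
        if path.endswith("/ascan/action/scan/"):
            return '{"scan": "0"}'
        if path.endswith("/ascan/view/status/"):
            self.polls += 1
            return json.dumps({"status": "50" if self.polls < 2 else "100"})
        if path.endswith("/core/view/alerts/"):
            return json.dumps({"alerts": [{"risk": "High", "alert": "Path Traversal"},
                                          {"risk": "Low", "alert": "Cookie No HttpOnly Flag"}]})
        raise ValueError(f"unexpected API call: {url}")

def demo():  # run the flow against the fake; returns (scan_id, status polls, High alert names)
    fake = FakeZap()
    scan_id, alerts = run_active_scan("http://localhost:8080", "https://www.example.com/app",
                                      "changeme", get=fake.get, poll_seconds=0)
    return scan_id, fake.polls, [a["alert"] for a in fail_build_on(alerts)]
```

Against a real daemon, drop `get=` so the default urllib getter is used and pass the same top-level URL the Selenium suite exercised through the proxy. The authentication caveat in the answer still applies: the scan runs with whatever session state ZAP already holds.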