Owasp Zap Wrapper CLI for PDS
The wrapper connection to the zaproxy can be configured by using the command line parameters below. Additionally it is possible to use environment variables like that: All configurations in a way that the command line parameters always overwrite the environment variables.
ZAP_HOST=127.0.0.1 ZAP_PORT=8090 ZAP_API_KEY=change-me
To Specify an additional proxy you can set the following environment variables or use the corresponding command line options.
PROXY_HOST=127.0.0.1 PROXY_PORT=1234
To use the wrapper see the help below:
Usage: OwaspZapWrapper [options]
Options:
--activeScan
Set this option to enable Owasp Zap active scan.
Default: false
--ajaxSpider
Set this option to enable Owasp Zap ajaxSpider.
Default: false
--connectionCheck
Set this option to enable an initial connection check performed by this
wrapper application.
Default: false
--deactivateRules
Specify references of rules you want to deactivate during the scan
inside the Owasp Zap. If you specifiy multiple rules use comma separated
values like: rule1,rule,rule3
* --fullRulesetfile
Specify a file with all rules installed for the Owasp Zap.
--help
Shows help and provides information on how to use the wrapper.
--jobUUID
The Job-UUID, which will be used as internal identifier for the Owasp
Zap scan context.
--maxNumberOfConnectionRetries
Maximum number of times the wrapper tries to reach each URL. Including
each URL constructed from the sechub includes.
Default: 3
--proxyHost
Specify a proxy host. You can also set the environment variable
PROXY_HOST, instead of using this parameter.
--proxyPort
Specify a proxy port. You can also set the environment variable
PROXY_PORT, instead of using this parameter.
Default: 0
* --report
The output file, where the report will be written to.
--retryWaittimeInMilliseconds
Specify the time to wait between connection retries in milliseconds. The
value cannot be less than 1000 milliseconds.
Default: 1000
--rulesDeactivationfile
Specify a file with rules to deactivate during the scan inside the Owasp
Zap.
--sechubConfigfile
The SecHub config file, containing additonal configurations for the
scan.
* --targetURL
Specifies the target url to be scanned.
--verbose
Set this option to provide additional output while scanning.
Default: false
--zapApiKey
Specifies the Owasp Zap host api key. You can also set the environment
variable ZAP_API_KEY, instead of using this parameter.
--zapHost
Specifies the Owasp Zap host address. You can also set the environment
variable ZAP_HOST, instead of using this parameter.
--zapPort
Specifies the Owasp Zap host port. You can also set the environment
variable ZAP_PORT, instead of using this parameter.
Default: 0
To deactivate scan rules you need to specify 2 files using 2 command line arguments.
The first file specified using --fullRulesetfile,
represents the full ruleset of all installed rules inside the Owasp Zap.
The default file contains all rules of all release status (alpha, beta, release).
The following snippet is an example of the file structure:
{
"timestamp" : "2022-05-13 14:44:00.635104",
"origin" : "https://www.zaproxy.org/docs/alerts/",
"rules" : {
"Directory-Browsing-0" : {
"id" : "0",
"name" : "Directory Browsing",
"type" : "active",
"link" : "https://www.zaproxy.org/docs/alerts/0"
},
"Private-IP-Disclosure-2" : {
"id" : "2",
"name" : "Private IP Disclosure",
"type" : "passive",
"link" : "https://www.zaproxy.org/docs/alerts/2"
}
}
}The file above can be generated using the helper Python script owaspzap_ruleset_helper.py. Before using this script make sure to install the dependencies using requirements.txt.
If you do not wish to install this on your system, you can use a Python virtual environment.
Please refer to the official documentation.
Depending on your default Python installation you might need to use pip3:
-
pip install -r requirements.txt
The owaspzap_ruleset_helper.py has the following command line options:
-h, --help show this help message and exit
--output-file OUTPUT_FILE
--rule-release-status [{release,beta,alpha} ...]
Specify values separated by spaces like: release beta alpha
The parameter --output-file is required. Make sure the directory exists, since only the file is created if it does not exist.
With --rule-release-status you can specify which rules you want to include in the result.
If you do not specify any restrictions, rules of all release status are included.
This means alpha, beta and release. Please specify this values separated by spaces as shown above.
Additionally you need to specify a file with --rulesDeactivationfile,
which represents the rule by using the ref part of the file above.
For this feature to work, make sure all of the specified rules are installed on your ZAP installation
and set a file with --fullRulesetfile which contains all installed rules.
The following snippet is an example of the file structure:
{
"deactivatedRuleReferences" : [{
"ref" : "Directory-Browsing-0",
"info" : "Rule was deactivated because of ..."
}, {
"ref" : "Private-IP-Disclosure-2",
"info" : "Rule was deactivated for testing reasons."
}]
}Additionally the rules to deactivate can be specified via command line using --deactivateRules. Please use comma separated values like:
$ java -jar sechub-pds-wrapperowaspzap-0.30.0.jar --deactivateRules Directory-Browsing-0,Private-IP-Disclosure-2
Another possibility to deactivate certain rules is the environment variable ZAP_DEACTIVATED_RULE_REFERENCES.
ZAP_DEACTIVATED_RULE_REFERENCES=Directory-Browsing-0,Private-IP-Disclosure-2
But if the command line parameter --deactivateRules is set, the wrapper ignores this environment variable.
The rules to deactivate specified via --rulesDeactivationfile, will always be added to the list of deactivated rules.
To set the env variable you can use zap.deactivation.rule.references=Directory-Browsing-0,Private-IP-Disclosure-2,
inside the executor config.