Update ZAP command in circleci (#3321)

* Only fail baseline tests when FAILs are found
mozilla-services · Oct 16, 2017 · 8032330 · 8032330
1 parent 8874729
commit 8032330
Show file tree

Hide file tree

Showing 2 changed files with 47 additions and 2 deletions.
diff --git a/.zap-baseline.conf b/.zap-baseline.conf
@@ -0,0 +1,37 @@
+# zap-baseline rule configuration file
+# change FAIL to IGNORE to ignore rule or FAIL to fail if rule matches
+# only the rule identifiers are used - the names are just for info
+2	IGNORE	(Private IP Disclosure)
+10010	FAIL	(Cookie No HttpOnly Flag)
+10011	FAIL	(Cookie Without Secure Flag)
+10012	IGNORE	(Password Autocomplete in browser)
+10016	FAIL	(Web Browser XSS Protection Not Enabled)
+# Warn on 10017 for now, need to decide how to handle SRI's better
+10017	WARN	(Cross-Domain JavaScript Source File Inclusion)
+10019	FAIL	(Content-Type Header Missing)
+10020	FAIL	(X-Frame-Options Header Not Set)
+10021	FAIL	(X-Content-Type-Options Header Missing)
+10023   IGNORE  (Information Disclosure - Debug Error Messages)
+10026	IGNORE	(HTTP Parameter Override)
+10027	IGNORE	(Information Disclosure - Suspicious Comments)
+10031	IGNORE	(User Controllable HTML Element Attribute - Potential XSS)
+10034	FAIL	(Heartbleed OpenSSL Vulnerability (Indicative))
+10035	FAIL	(Strict-Transport-Security Header Not Set)
+10036	IGNORE	(Server Leaks Version Information via "Server" HTTP Response Header Field)
+10037	IGNORE	(Server Leaks Information via "X-Powered-By" HTTP Response Header Field)
+10038	FAIL	(Content Security Policy (CSP) Header Not Set)
+10039	IGNORE	(X-Backend-Server Header Information Leak)
+10040	FAIL	(Secure Pages Include Mixed Content)
+10049	IGNORE	(Storable and Cacheable Content)
+10050	IGNORE	(Retrieved from Cache)
+10052	FAIL	(X-ChromeLogger-Data (XCOLD) Header Information Leak)
+10055   WARN    (CSP Scanner: style-src unsafe-inline)
+10094	IGNORE	(Base64 Disclosure)
+10096	IGNORE	(Timestamp Disclosure) 
+10097	IGNORE	(Hash Disclosure) 
+10098	FAIL	(Cross-Domain Misconfiguration)
+10099	IGNORE	(Source Code Disclosure - SQL) 
+10202	FAIL	(Absence of Anti-CSRF Tokens)
+# Previous ID, still in released version
+40014	FAIL	(Absence of Anti-CSRF Tokens)
+
diff --git a/circle.yml b/circle.yml
@@ -35,9 +35,17 @@ test:
     - ./bin/load_test_exercise.py http://localhost:10080
     - npm run test:server
     # run zap baseline against the server
+    # Only fail on error code 1, which indicates at least one FAIL was found.
+    # error codes 2 & 3 indicate WARN or other, and should not break the run
     - docker pull owasp/zap2docker-weekly
-    # || true to temporarily disable this from making the tests fail:
-    - docker run -t owasp/zap2docker-weekly zap-baseline.py -t http://localhost:10080 || true
+    - >
+        (
+        ip="$(ip -f inet -o addr show docker0 | awk '{print $4}' | cut -d '/' -f 1)" &&
+        docker run -t owasp/zap2docker-weekly zap-baseline.py \
+            -t http://${ip}:10080 \
+            -u https://raw.githubusercontent.com/mozilla-services/screenshots/zap-baseline-2/.zap-baseline.conf;
+        if [ $? -ne 1 ]; then exit 0; else exit 1; fi;
+        )
 
   post:
     - bash <(curl -s https://codecov.io/bash)