
Hudson integration #44

Closed
zapbot opened this issue Jun 4, 2015 · 8 comments

Comments

@zapbot
Contributor

zapbot commented Jun 4, 2015

We currently use Hudson for continuous integration of our webapp (written in php). 
We also use Canoo WebTest to simulate a browser and run through test scripts (eg unit
tests, installing our app, upgrading from a previous version, etc).

Recently, we released a new version of our app that addressed multiple XSS issues.

So:
- What we'd like to do is test for regressions (using previously known attack vectors)
- scan for new vulnerabilities, perhaps aided by a sitemap (we can generate this using
reflection) and a list of parameters to fuzz
- report results back to the Hudson dashboard.


Original issue reported on code.google.com by anthon.pang on 2011-01-12 23:01:40

@zapbot
Contributor Author

zapbot commented Jun 4, 2015

Hi Anthon,

I'm really keen for ZAP to integrate as well as possible with other tools.
Invoking other apps from ZAP was a start, but the opposite is also very important.
For this to be possible ZAP really needs to either run as a daemon/service or to provide
a library which can be invoked.
I think both are desirable, but a non-trivial amount of work.
Do you have any views on what would be the most effective form of integration for your
setup?
I've been thinking about how ZAP could perform security regression tests for a while
- I'll raise another issue to cover this.

Many thanks,

~Psiinon

Original issue reported on code.google.com by psiinon on 2011-01-13 09:23:48

@zapbot
Contributor Author

zapbot commented Jun 4, 2015

(No text was entered with this change)

Original issue reported on code.google.com by psiinon on 2011-01-13 09:24:10

  • Labels added: Type-Enhancement
  • Labels removed: Type-Defect

@zapbot
Contributor Author

zapbot commented Jun 4, 2015

Hudson already runs continuously, so in this context, either:

a) treat ZAP as an external app that is invoked via ant task with various command-line
options (e.g., output results to console or a file)

b) treat ZAP as a library; this would require an integration layer similar to existing
third-party build tools, http://wiki.hudson-ci.org/display/HUDSON/Plugins#Plugins-Buildtools;
then makes the results available through the Hudson dashboard

The first option is the simpler of the two. The second option gives ZAP more exposure,
as it would be listed in the Hudson plugins directory (on the web and via Hudson's
dashboard).

Original issue reported on code.google.com by anthon.pang on 2011-01-13 14:23:48

@zapbot
Contributor Author

zapbot commented Jun 4, 2015

I must admit I prefer the idea of invoking it via the command line - it makes it easier
for integration with other technologies as well.
Wrappers can then be written to enable better integration with tools like Hudson if
that helps.

Thanks,

Psiinon

Original issue reported on code.google.com by psiinon on 2011-01-13 14:52:37

@zapbot
Contributor Author

zapbot commented Jun 4, 2015

Upgraded to high, as this is something I'd really like to see in the next release.

Psiinon

Original issue reported on code.google.com by psiinon on 2011-02-25 16:17:50

  • Labels added: Priority-High
  • Labels removed: Priority-Medium

@zapbot
Contributor Author

zapbot commented Jun 4, 2015

ZAP can now be run in the background without the UI using the -daemon option.
It also now provides an API for invoking operations like spidering and scanning sites
and returning info in xml or JSON format.
Needs to be fully documented, but examples include:

View hosts           http://zap/xml/core/view/hosts                          http://zap/json/core/view/hosts
View sites           http://zap/xml/core/view/sites                          http://zap/json/core/view/sites
View urls            http://zap/xml/core/view/urls                           http://zap/json/core/view/urls
View alerts          http://zap/xml/core/view/alerts                         http://zap/json/core/view/alerts
View ascan status    http://zap/xml/ascan/view/status                        http://zap/json/ascan/view/status
View spider status   http://zap/xml/spider/view/status                       http://zap/json/spider/view/status
Action shutdown      http://zap/xml/core/action/shutdown                     http://zap/json/core/action/shutdown
Action save session  http://zap/xml/core/action/savesession/?name=apitest    http://zap/json/core/action/savesession/?name=apitest
Action load session  http://zap/xml/core/action/loadsession/?name=apitest    http://zap/json/core/action/loadsession/?name=apitest
Action new session   http://zap/xml/core/action/newsession/?name=apinew      http://zap/json/core/action/newsession/?name=apinew
Action spider        http://zap/xml/spider/action/scan/?url=http://localhost:8080/zap-wave/   http://zap/json/spider/action/scan/?url=http://localhost:8080/zap-wave/
Action ascan         http://zap/xml/ascan/action/scan/?url=http://localhost:8080/   http://zap/json/ascan/action/scan/?url=http://localhost:8080

Note that the API is disabled by default - it must be enabled via the Options first.
At the moment all API operations are via GET requests.

This is the first phase of the API work - requests for the next phase gratefully received.

Psiinon

Original issue reported on code.google.com by psiinon on 2011-05-09 20:01:35

@zapbot
Contributor Author

zapbot commented Jun 4, 2015

Fixed in release 1.3.0

Original issue reported on code.google.com by psiinon on 2011-06-07 05:19:16

@lock

lock bot commented Nov 2, 2019

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@lock lock bot locked and limited conversation to collaborators Nov 2, 2019