
Error when using zap-api-scan.py in docker #5581

Closed
tpang-ameame opened this issue Sep 17, 2019 · 7 comments · Fixed by #5927
@tpang-ameame

Hi,
When I use zap-api-scan.py in the docker image owasp/zap2docker-weekly to scan an API with the command:

docker run -u root -v /tmp/zap:/zap/wrk:rw -ti owasp/zap2docker-weekly zap-api-scan.py -t api_mini_1309.json -f openapi -r report.html -z "-configfile /zap/wrk/options.prop" -d

I get this error, and the docker log shows:

2019-09-17 02:37:55,944 http://localhost:49579 "GET http://zap/JSON/ascan/view/status/?scanId=Does+Not+Exist HTTP/1.1" 400 52
ERROR <type 'exceptions.ValueError'>
2019-09-17 02:37:55,945 Unexpected error: <type 'exceptions.ValueError'>
Traceback (most recent call last):
  File "/zap/zap-api-scan.py", line 425, in main
    zap_active_scan(zap, target, scan_policy)
  File "/zap/zap_common.py", line 84, in _wrap
    return_data = func(*args_list, **kwargs)
  File "/zap/zap_common.py", line 398, in zap_active_scan
    while(int(zap.ascan.status(ascan_scan_id)) < 100):
ValueError: invalid literal for int() with base 10: 'Does Not Exist'

And the URLs imported from the swagger file are not null: Number of Imported URLs: 14
I noticed this: http://localhost:49579 "GET http://zap/JSON/ascan/view/status/?scanId=Does+Not+Exist HTTP/1.1" 400 52
It seems that it passed a wrong parameter to ZAP; please tell me how to fix this.

Errors from the zap.log file

13041 [ZAP-ProxyThread-8] WARN org.zaproxy.zap.extension.api.API  - Bad request to API endpoint [/JSON/ascan/action/scan/] from [127.0.0.1]:
Does Not Exist (does_not_exist) : scanPolicyName
        at org.zaproxy.zap.extension.ascan.ActiveScanAPI.handleApiAction(ActiveScanAPI.java:357)
        at org.zaproxy.zap.extension.api.API.handleApiRequest(API.java:508)
        at org.parosproxy.paros.core.proxy.ProxyThread.processHttp(ProxyThread.java:499)
        at org.parosproxy.paros.core.proxy.ProxyThread.run(ProxyThread.java:335)
        at java.lang.Thread.run(Thread.java:748)
18058 [ZAP-ProxyThread-9] WARN org.zaproxy.zap.extension.api.API  - Bad request to API endpoint [/JSON/ascan/view/status/] from [127.0.0.1]:
Does Not Exist (does_not_exist) : scanId
        at org.zaproxy.zap.extension.ascan.ActiveScanAPI.getActiveScan(ActiveScanAPI.java:768)
        at org.zaproxy.zap.extension.ascan.ActiveScanAPI.handleApiView(ActiveScanAPI.java:958)
        at org.zaproxy.zap.extension.api.API.handleApiRequest(API.java:527)
        at org.parosproxy.paros.core.proxy.ProxyThread.processHttp(ProxyThread.java:499)
        at org.parosproxy.paros.core.proxy.ProxyThread.run(ProxyThread.java:335)
        at java.lang.Thread.run(Thread.java:748)
2019-09-17 02:37:55,952 Trigger hook: pre_exit, args: 3
@kingthorin
Member

It seems you're passing a string value where the API is expecting a number. (Which is exactly what the error messages are telling you.)
ValueError: invalid literal for int() with base 10: 'Does Not Exist'

Or specifying a scan policy name that doesn't exist.

@kingthorin
Member

Please don't ask questions as issues - the ZAP User Group https://groups.google.com/group/zaproxy-users is a much better place for questions.

@kingthorin kingthorin added question and removed bug labels Sep 17, 2019
@kingthorin
Member

We discussed this further. The problem you're encountering is that the policy didn't exist, however, the script should not continue if the scan didn't start.

If you have further questions please take them to the ZAP User Group: https://groups.google.com/group/zaproxy-users

This ticket will be left open (for now) to track the script changes.
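As an added illustration of the script change discussed in this thread (this is example code, not the zaproxy project's own zap_common.py, and the `FakeZap`/`FakeAscan` classes are a constructed stand-in for the python-owasp-zap-v2.4 client so the example runs offline): the polling loop only makes sense once a numeric scan id has come back, so the start of the scan is checked first and an unknown policy fails early with a readable message instead of the `ValueError` shown in the log above.

```python
# Added example, not code from the zaproxy project: verify that an active scan
# really started before polling its status. The ZAP client is replaced by a
# constructed stand-in (FakeZap) that imitates the failure seen in the issue.
import time


class ScanNotStartedError(RuntimeError):
    """Raised when ZAP answers the scan request with something other than a scan id."""


class FakeAscan:
    """Stand-in for zap.ascan of python-owasp-zap-v2.4 (constructed, not the real client).

    With an unknown scan policy the real API answers /JSON/ascan/action/scan/
    with an error object, and the client hands back its first value, the string
    "Does Not Exist", where a scan id is expected; that is what the issue's log shows.
    """

    def __init__(self, known_policies):
        self._known = set(known_policies)
        self._next_id = 0
        self._progress = {}

    def scan(self, url, recurse=True, scanpolicyname=None, contextid=None):
        if scanpolicyname is not None and scanpolicyname not in self._known:
            return "Does Not Exist"
        scan_id = str(self._next_id)
        self._next_id += 1
        self._progress[scan_id] = 0
        return scan_id

    def status(self, scanid):
        if scanid not in self._progress:
            return "Does Not Exist"
        # Each poll advances the scan by half so the polling loop ends quickly.
        self._progress[scanid] = min(100, self._progress[scanid] + 50)
        return str(self._progress[scanid])


class FakeZap:
    def __init__(self, known_policies=("Default Policy",)):
        self.ascan = FakeAscan(known_policies)


def is_scan_id(value):
    """ZAP scan ids are non-negative integers rendered as strings."""
    return str(value).isdigit()


def start_active_scan(zap, target, scan_policy=None, context_id=None):
    """Start an active scan and return its id, or fail early with a clear message."""
    scan_id = zap.ascan.scan(target, recurse=True, scanpolicyname=scan_policy, contextid=context_id)
    if not is_scan_id(scan_id):
        raise ScanNotStartedError(
            "active scan of %s did not start: ZAP answered %r (scan policy: %r)"
            % (target, scan_id, scan_policy))
    return scan_id


def run_active_scan(zap, target, scan_policy=None, context_id=None, poll_seconds=0.0):
    """Start the scan, poll until it reports 100 and return the scan id."""
    scan_id = start_active_scan(zap, target, scan_policy, context_id)
    while int(zap.ascan.status(scan_id)) < 100:
        time.sleep(poll_seconds)
    return scan_id


if __name__ == "__main__":
    zap = FakeZap()
    print("finished scan", run_active_scan(zap, "http://target.example", "Default Policy"))
    try:
        run_active_scan(zap, "http://target.example", "Not A Policy")
    except ScanNotStartedError as exc:
        print("refused:", exc)
```

With the real client the only change is passing the `ZAPv2` instance in place of `FakeZap`; the guard in `start_active_scan` is the piece that turns the opaque `ValueError` into a message naming the policy that was not found.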

@kingthorin kingthorin reopened this Sep 17, 2019
@kingthorin kingthorin added good first issue An issue ideal for new contributors. HacktoberFest Issues which are good candidates for HacktoberFest: https://hacktoberfest.digitalocean IdealFirstBug An issue ideal for new contributors. Same as label "good first issue", kept for legacy reasons. Usability labels Oct 9, 2019
@adrianer

For those who run into the issue here and find it as the first result in Google (like me): the problem is running inside the Docker container as root (the "-u root" part of the docker run command), as it then looks for the policies and scripts in /root/.ZAP(_D) instead of /home/zap/.ZAP(_D) and does not find them there.
This comes from this line and the line below it: https://github.com/zaproxy/zaproxy/blob/develop/docker/Dockerfile-weekly#L69 . To cover the root case, those dirs should be copied into /root/ too.

@kingthorin kingthorin removed the HacktoberFest Issues which are good candidates for HacktoberFest: https://hacktoberfest.digitalocean label Nov 4, 2019
@gnirlos
Contributor

gnirlos commented Apr 3, 2020

Any update on this issue?

@kingthorin
Member

Just what was stated last Oct. Either don't run as root or copy the directories to the appropriate location.

@thc202 thc202 removed IdealFirstBug An issue ideal for new contributors. Same as label "good first issue", kept for legacy reasons. good first issue An issue ideal for new contributors. labels Apr 6, 2020
@thc202 thc202 self-assigned this Apr 6, 2020
thc202 added a commit to thc202/zaproxy that referenced this issue Apr 6, 2020
Copy the scan policies for the root user to ensure they are available
when starting the active scan.
Also, verify that the scan really started to provide early/accurate
error message.

Fix zaproxy#5581 - Error when using zap-api-scan.py in docker

Signed-off-by: thc202 <thc202@gmail.com>
gnirlos pushed a commit to gnirlos/zaproxy that referenced this issue Apr 8, 2020
Copy the scan policies for the root user to ensure they are available
when starting the active scan.
Also, verify that the scan really started to provide early/accurate
error message.

Fix zaproxy#5581 - Error when using zap-api-scan.py in docker

Signed-off-by: thc202 <thc202@gmail.com>
Signed-off-by: Dalley, Karl R <karl.r.dalley@accenture.com>
@github-actions

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@github-actions github-actions bot locked and limited conversation to collaborators Jul 12, 2021