ClassNotFound error when trying to do graphql scan #8370

Open
1 task
markphilpot opened this issue Feb 29, 2024 · 0 comments

Describe the bug

Using the owasp/zap2docker-stable docker image, I'm trying to use zap-api-scan.py to scan a graphql API endpoint. The scan fails to load the graphql plugin with the following ClassNotFound exception:

14841 [ZAP-IO-Server-1-1] ERROR org.zaproxy.addon.network.internal.server.http.MainServerHandler - An error occurred while notifying a handler:
java.lang.NoClassDefFoundError: com/fasterxml/jackson/databind/ObjectMapper
	at org.zaproxy.addon.graphql.GraphQlParser.introspect(GraphQlParser.java:105) ~[?:?]
	at org.zaproxy.addon.graphql.GraphQlParser.introspect(GraphQlParser.java:94) ~[?:?]
	at org.zaproxy.addon.graphql.GraphQlApi.importUrl(GraphQlApi.java:109) ~[?:?]
	at org.zaproxy.addon.graphql.GraphQlApi.handleApiAction(GraphQlApi.java:74) ~[?:?]
	at org.zaproxy.zap.extension.api.API.handleApiRequest(API.java:538) ~[zap-2.14.0.jar:2.14.0]
	at org.zaproxy.addon.network.internal.server.http.handlers.ZapApiHandler.handleApiRequest(ZapApiHandler.java:111) ~[?:?]
	at org.zaproxy.addon.network.internal.server.http.handlers.ZapApiHandler.handleRequest(ZapApiHandler.java:85) ~[?:?]
	at org.zaproxy.addon.network.internal.server.http.handlers.ZapApiHandler.handleMessage(ZapApiHandler.java:70) ~[?:?]
	at org.zaproxy.addon.network.internal.server.http.MainServerHandler.notifyMessageHandlers(MainServerHandler.java:151) ~[?:?]
	at org.zaproxy.addon.network.internal.server.http.MainServerHandler.processMessage(MainServerHandler.java:131) ~[?:?]
	at org.zaproxy.addon.network.internal.server.http.LocalServerHandler.processMessage(LocalServerHandler.java:67) ~[?:?]
	at org.zaproxy.addon.network.internal.server.http.MainServerHandler.process(MainServerHandler.java:94) ~[?:?]
	at org.zaproxy.addon.network.internal.server.http.MainServerHandler.lambda$channelRead0$0(MainServerHandler.java:82) ~[?:?]
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) [?:?]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) [?:?]
	at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30) [network-beta-0.14.0.zap:?]
	at java.lang.Thread.run(Thread.java:829) [?:?]
Caused by: java.lang.ClassNotFoundException
	at org.zaproxy.zap.control.AddOnClassLoader.findClass(AddOnClassLoader.java:330) ~[zap-2.14.0.jar:2.14.0]
	at java.lang.ClassLoader.loadClass(ClassLoader.java:594) ~[?:?]
	at java.lang.ClassLoader.loadClass(ClassLoader.java:527) ~[?:?]
	... 17 more

Earlier in the logs, it looks like it's loading the updated plugin:

13954 [ZAP-DownloadInstaller] INFO  org.zaproxy.zap.extension.autoupdate.ExtensionAutoUpdate - Installing new addon graphql v0.23.0
13963 [ZAP-DownloadInstaller] INFO  org.zaproxy.zap.extension.autoupdate.ExtensionAutoUpdate - Finished installing new addon graphql v0.23.0

Steps to reproduce the behavior

  1. Run the graphql API scan via the command line

     docker run -p 8080:8080 -v $(shell pwd):/zap/wrk/:rw --env ZAP_AUTH_HEADER_VALUE="Bearer xyz" \
       -t owasp/zap2docker-stable zap-api-scan.py \
       -t https://myserver.com/graphql -f graphql -P 8080 \
       -c zap-casa-api-config.conf \
       -x results-api-full.xml

Expected behavior

The scan to complete after loading the graphql plugin.

Software versions

Using latest version of the docker image (which at the time is 2.14.0)

Screenshots

No response

Errors from the zap.log file

No response

Additional context

No response

Would you like to help fix this issue?

  • Yes