feat: add support for ZAP material type
We could look into accepting the default zip file and looking inside the json for @programname to identify the material type.
It must support both simple and full scans (not sure if there is a difference in format). And we should consider making this two material types, i.e. ZAP_DAST_FULL and ZAP_DAST_SIMPLE, if we see fit.
Example of full scan zap_scan.zip
Just researched a little bit whether there is a good way of differentiating between scan types, and there doesn't seem to be one. Some output from our friend:
In the JSON report generated by OWASP ZAP, there isn't a specific field labeled directly as "Full Scan" or "Simple Scan." However, you can infer the type of scan based on several fields in the report that reflect the depth, scope, and configuration of the scan.
Here are a few key elements you can check in the JSON report to help determine whether the scan was a Full Scan or a Simple Scan:
- "sites" field
  - Full Scan: If the "sites" field contains multiple entries (representing different URLs, endpoints, and pages within the application), this suggests that ZAP crawled extensively across the entire site.
  - Simple Scan: If this field only contains one or a few entries (typically the homepage or a small number of resources), this is indicative of a Simple Scan.
are we uploading the whole zip file or just the json? We should do the former.
> are we uploading the whole zip file or just the json? We should do the former.
Only the json file.
> And we should consider making this two material types, i.e. ZAP_DAST_FULL and ZAP_DAST_SIMPLE, if we see fit.
did you look at if there is a difference between the two scans?
> Only the json file.
we should do the zip
There is no difference between the full and baseline scan other than the number of objects analyzed; for the rest, it's identical.
Also, by default the tool does not export to .zip; instead, it lets you specify the names of the files, which by default are the ones matching the implementation, in this case report_json.json. My take is that the zip file was taken from the GitHub action: https://github.com/zaproxy/action-full-scan
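As an added example (not code from this issue or the project), a loader that accepts either the bare report_json.json or a zip wrapping it, checks @programName to recognise the material, and summarises site and alert counts. The key names (site, alerts, riskcode) are assumed from ZAP's traditional JSON report format, and the sample report is constructed.

```python
import io
import json
import zipfile

# Constructed sample in the shape of ZAP's traditional JSON report (key names
# assumed from that format; only the fields this example reads are filled in).
SAMPLE_REPORT = {
    "@programName": "ZAP",
    "@version": "2.14.0",
    "site": [
        {"@name": "https://example.test", "@host": "example.test",
         "alerts": [{"pluginid": "10021", "riskcode": "1", "name": "X-Content-Type-Options Header Missing"}]},
        {"@name": "https://api.example.test", "@host": "api.example.test",
         "alerts": [{"pluginid": "40012", "riskcode": "3", "name": "Cross Site Scripting (Reflected)"}]},
    ],
}

RISK_NAMES = {"0": "informational", "1": "low", "2": "medium", "3": "high"}

def extract_json(payload: bytes) -> dict:
    """Accept a bare JSON report or a zip wrapping one (the action-full-scan
    layout); return the parsed report, or raise ValueError if it is not ZAP's."""
    if zipfile.is_zipfile(io.BytesIO(payload)):
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            names = [n for n in zf.namelist() if n.lower().endswith(".json")]
            if len(names) != 1:
                raise ValueError(f"expected exactly one .json in the zip, found {names}")
            payload = zf.read(names[0])
    report = json.loads(payload)
    if not isinstance(report, dict) or report.get("@programName") != "ZAP":
        raise ValueError("not a ZAP JSON report: @programName is missing or not 'ZAP'")
    return report

def summarize(report: dict) -> dict:
    """Count scanned sites and alerts per risk level (full and baseline reports
    differ only in volume, so no scan-type guess is attempted here)."""
    sites = report.get("site", [])
    by_risk = {name: 0 for name in RISK_NAMES.values()}
    for site in sites:
        for alert in site.get("alerts", []):
            by_risk[RISK_NAMES.get(str(alert.get("riskcode")), "informational")] += 1
    return {"version": report.get("@version"), "sites": len(sites), "by_risk": by_risk}

def pack_zip(report: dict, name: str = "report_json.json") -> bytes:
    """Constructed helper: wrap a report as a zip artifact, for testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, json.dumps(report))
    return buf.getvalue()
```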
Thanks @javirln for looking into this