Only trust secure TLS certificates in selenium webdriver
This covers Zap self-signed certs and self-signed certs that SUTs may present.
Currently all self-signed certs presented to the webdriver are accepted. Ideally we want to get to the point where no insecure certificates are trusted at all, that is, passing false in the following calls in webDriverFactory.js in the app-scanner:
chromeOptions.setAcceptInsecureCerts(true)
firefoxOptions.setAcceptInsecureCerts(true)
In order to do this, the following two items need to be done.
Zap
Each Zap instance uses its own root certificate.
Currently if we have:
chromeOptions.setAcceptInsecureCerts(false)
firefoxOptions.setAcceptInsecureCerts(false)
With the Zap self-signed cert, this will currently block the selenium browser. So what we need to do is:
- Get the dynamically created Root CA from each Zap instance. The Zap API method coreOtherRootcert should do the trick
- Create our own browser profile (chrome and firefox) with the zaproxy cert added
- Tell selenium to launch the browser based on that profile
These steps should be performed within the routines addressed by the following calls in the Cucumber world:
async initialiseBrowser() {
  await this.sut.initialiseBrowser(this.zap.getPropertiesForBrowser(), this.selenium);
}
SUT
Steps 2 and 3 of the above will be similar, but we will need to work out the best place to source the self-signed customer SUT certificate from. A couple of thoughts:
- Passed in the Build User config (Job). This seems a bit smelly
- Provided as an environment variable. This would work for both local and cloud