class Glue::Zap


# Sets up the ZAP task metadata on top of the shared BaseTask state.
#
# @param trigger [Object] passed straight through to the superclass
# @param tracker [Object] passed straight through to the superclass
def initialize(trigger, tracker)
  super
  @name = 'ZAP'
  @description = 'App Scanning'
  @stage = :live
  # @labels is expected to be an Array initialised by the superclass — confirm in BaseTask.
  @labels.push('live')
end


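# Turns the alert JSON captured by #run (stored in @result) into findings.
#
# One finding is emitted per entry of the "alerts" array via #report; the
# total is logged afterwards. A parse or reporting failure is logged and the
# task carries on instead of aborting the whole run.
def analyze
  json = JSON.parse(@result)
  alerts = json['alerts'] || []
  alerts.each do |alert|
    url = alert['url'].to_s
    description = alert['description']
    detail = "Url: #{alert['url']} Param: #{alert['param']} \nReference: #{alert['reference']}\n" \
             "Solution: #{alert['solution']}\nCWE: #{alert['cweid']}\tWASCID: #{alert['wascid']}"
    source = @name + url
    sev = severity alert['risk']
    # String-coerce the pieces so an alert lacking "alert" or "param" does not
    # raise TypeError mid-loop and silently drop every alert after it.
    fingerprint = @name + url + alert['alert'].to_s + alert['param'].to_s
    report description, detail, source, sev, fingerprint
  end
  Glue.debug "ZAP Identified #{alerts.size} issues."
rescue StandardError => e
  # StandardError, not Exception: interrupts and SystemExit must still propagate.
  Glue.warn e.message
  Glue.notify 'Problem running ZAP.'
end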
# Extracts the scan identifier from a ZAP spider/ascan "scan" action reply.
#
# @param response [#body_str] HTTP response whose body is ZAP's JSON reply
# @return [Object] the value under the "scan" key, nil when absent
def get_scan_id(response)
  parsed = JSON.parse(response.body_str)
  parsed['scan']
end
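# Polls a ZAP status view until it reports "100" or the poll budget runs out.
#
# @param url [String] status view URL (spider/view/status or ascan/view/status)
# @param interval [Numeric] seconds slept before each poll (5, as before)
# @param max_polls [Integer] give up once the poll count exceeds this (100, as before)
# @return [Boolean] true when ZAP reported "100", false when the budget was exhausted
def poll_until_100(url, interval: 5, max_polls: 100)
  count = 0
  loop do
    sleep interval
    status = JSON.parse(Curl.get(url).body_str)
    count += 1
    Glue.notify "Count ... #{count}"
    return true if status['status'] == '100'
    next unless count > max_polls

    # Make the timeout visible instead of falling through as if the scan had finished.
    Glue.warn "ZAP status did not reach 100% after #{count} polls: #{url}"
    return false
  end
end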
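# Drives one ZAP session against the trigger path: new session, scoped
# context, spider, active scan, alert fetch, context cleanup. The raw alerts
# JSON is stored in @result for #analyze.
#
# Reads @trigger.path and the :zap_host / :zap_port / :zap_api_token tracker
# options. Network errors raised by Curl propagate to the caller.
def run
  require 'uri' # for URI.encode_www_form; no require block is visible in this file
  rootpath = @trigger.path
  base = "#{@tracker.options[:zap_host]}:#{@tracker.options[:zap_port]}"
  apikey = @tracker.options[:zap_api_token].to_s
  context = SecureRandom.uuid

  Glue.debug "Running ZAP on: #{rootpath} from #{base} with #{context}"

  # Create a new session so that the findings will be new.
  Curl.get(zap_url(base, 'core/action/newSession',
                   zapapiformat: 'JSON', apikey: apikey, name: '', overwrite: ''))

  # Set up Context. The path is regex-escaped so "." or "?" in it are matched
  # literally by ZAP rather than widening the context to unrelated hosts.
  Curl.get(zap_url(base, 'context/action/newContext', apikey: apikey, contextName: context))
  Curl.get(zap_url(base, 'context/action/includeInContext',
                   apikey: apikey, contextName: context, regex: "#{Regexp.escape(rootpath)}.*"))

  # Spider
  spider = get_scan_id(Curl.get(zap_url(base, 'spider/action/scan',
                                        apikey: apikey, url: rootpath, context: context)))
  poll_until_100(zap_url(base, 'spider/view/status', scanId: spider))

  # Active Scan
  scan = get_scan_id(Curl.get(zap_url(base, 'ascan/action/scan',
                                      apikey: apikey, recurse: true, inScopeOnly: true, url: rootpath)))
  poll_until_100(zap_url(base, 'ascan/view/status', scanId: scan))

  # Result (apikey included so the view also works where ZAP requires it for views)
  @result = Curl.get(zap_url(base, 'core/view/alerts', apikey: apikey, baseurl: rootpath)).body_str

  # Remove Context
  Curl.get(zap_url(base, 'context/action/removeContext', apikey: apikey, contextName: context))
end

# Builds "#{base}/JSON/#{path}/?k=v&..." with every query value URL-encoded,
# so the API key, context name and scan target cannot break or inject into
# the query string (they were interpolated raw before).
#
# @param base [String] "host:port" of the ZAP API
# @param path [String] API path below /JSON/, e.g. "spider/action/scan"
# @param params [Hash] query parameters, emitted in insertion order
# @return [String] the full request URL
def zap_url(base, path, **params)
  "#{base}/JSON/#{path}/?#{URI.encode_www_form(params)}"
end
private :zap_url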
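# Checks that a ZAP instance answers at the configured host/port and runs a
# version this task was written against (2.4.x / 2.5.x).
#
# @return [Boolean] true for a supported version; false (after a Glue.notify
#   hint) when the version is unsupported or ZAP cannot be reached/parsed
def supported?
  base = "#{@tracker.options[:zap_host]}:#{@tracker.options[:zap_port]}"
  version = JSON.parse(Curl.get("#{base}/JSON/core/view/version/").body_str)['version']
  # Anchored, with literal dots: the previous /2.(4|5).\d+/ also accepted
  # strings such as "12.45.0" or "2x4y1" anywhere in the version text.
  return true if version.to_s =~ /\A2\.[45]\.\d+/

  Glue.notify "Install ZAP from owasp.org and ensure that the configuration to connect is correct.  Supported versions = 2.4.0 and up - got #{version}"
  false
rescue StandardError => e
  # Connection refused or a non-JSON reply means "not supported here", not a crash.
  Glue.warn e.message
  Glue.notify "Could not query ZAP at #{base}; install ZAP from owasp.org and check the connection settings."
  false
end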