Merge pull request #1320 from secureCodeBox/feature/zap-report-enhancements

malexmave · web-flow · commit fe16876fe5d1 · 2022-08-31T15:38:44.000+02:00
ZAP Advanced: Add support for additional report types
diff --git a/parser-sdk/nodejs/parser-wrapper.js b/parser-sdk/nodejs/parser-wrapper.js
@@ -27,6 +27,7 @@ async function uploadResultToFileStorageService(
   return axios
     .put(resultUploadUrl, findingsWithIdsAndDates, {
       headers: { "content-type": "" },
+      maxBodyLength: Infinity,
     })
     .catch(function (error) {
       if (error.response) {
diff --git a/scanners/zap-advanced/.helm-docs.gotmpl b/scanners/zap-advanced/.helm-docs.gotmpl
@@ -40,7 +40,7 @@ Listed below are the arguments supported by the `zap-advanced-scan` script.
 The command line interface can be used to easily run server scans: `-t www.example.com`
 
 ```bash
-usage: zap-client [-h] -z ZAP_URL [-a API_KEY] [-c CONFIG_FOLDER] -t TARGET [-o OUTPUT_FOLDER] [-r {XML,JSON,HTML,MD}]
+usage: zap-client [-h] -z ZAP_URL [-a API_KEY] [-c CONFIG_FOLDER] -t TARGET [-o OUTPUT_FOLDER] [-r {XML,XML-plus,JSON,JSON-plus,HTML,HTML-plus,MD}]
 
 OWASP secureCodeBox OWASP ZAP Client  (can be used to automate OWASP ZAP instances based on YAML configuration files.)
 
@@ -56,7 +56,7 @@ optional arguments:
                         The target to scan with OWASP ZAP.
   -o OUTPUT_FOLDER, --output-folder OUTPUT_FOLDER
                         The path to a local folder used to store the output files, eg. the ZAP Report or logfiles.
-  -r {XML,JSON,HTML,MD}, --report-type {XML,JSON,HTML,MD}
+  -r {XML,XML-plus,JSON,JSON-plus,HTML,HTML-plus,MD}, --report-type {XML,XML-plus,JSON,JSON-plus,HTML,HTML-plus,MD}
                         The OWASP ZAP Report Type.
 ```
 {{- end }}
diff --git a/scanners/zap-advanced/README.md b/scanners/zap-advanced/README.md
@@ -56,7 +56,7 @@ Listed below are the arguments supported by the `zap-advanced-scan` script.
 The command line interface can be used to easily run server scans: `-t www.example.com`
 
 ```bash
-usage: zap-client [-h] -z ZAP_URL [-a API_KEY] [-c CONFIG_FOLDER] -t TARGET [-o OUTPUT_FOLDER] [-r {XML,JSON,HTML,MD}]
+usage: zap-client [-h] -z ZAP_URL [-a API_KEY] [-c CONFIG_FOLDER] -t TARGET [-o OUTPUT_FOLDER] [-r {XML,XML-plus,JSON,JSON-plus,HTML,HTML-plus,MD}]
 
 OWASP secureCodeBox OWASP ZAP Client  (can be used to automate OWASP ZAP instances based on YAML configuration files.)
 
@@ -72,7 +72,7 @@ optional arguments:
                         The target to scan with OWASP ZAP.
   -o OUTPUT_FOLDER, --output-folder OUTPUT_FOLDER
                         The path to a local folder used to store the output files, eg. the ZAP Report or logfiles.
-  -r {XML,JSON,HTML,MD}, --report-type {XML,JSON,HTML,MD}
+  -r {XML,XML-plus,JSON,JSON-plus,HTML,HTML-plus,MD}, --report-type {XML,XML-plus,JSON,JSON-plus,HTML,HTML-plus,MD}
                         The OWASP ZAP Report Type.
 ```
 
diff --git a/scanners/zap-advanced/docs/README.ArtifactHub.md b/scanners/zap-advanced/docs/README.ArtifactHub.md
@@ -61,7 +61,7 @@ Listed below are the arguments supported by the `zap-advanced-scan` script.
 The command line interface can be used to easily run server scans: `-t www.example.com`
 
 ```bash
-usage: zap-client [-h] -z ZAP_URL [-a API_KEY] [-c CONFIG_FOLDER] -t TARGET [-o OUTPUT_FOLDER] [-r {XML,JSON,HTML,MD}]
+usage: zap-client [-h] -z ZAP_URL [-a API_KEY] [-c CONFIG_FOLDER] -t TARGET [-o OUTPUT_FOLDER] [-r {XML,XML-plus,JSON,JSON-plus,HTML,HTML-plus,MD}]
 
 OWASP secureCodeBox OWASP ZAP Client  (can be used to automate OWASP ZAP instances based on YAML configuration files.)
 
@@ -77,7 +77,7 @@ optional arguments:
                         The target to scan with OWASP ZAP.
   -o OUTPUT_FOLDER, --output-folder OUTPUT_FOLDER
                         The path to a local folder used to store the output files, eg. the ZAP Report or logfiles.
-  -r {XML,JSON,HTML,MD}, --report-type {XML,JSON,HTML,MD}
+  -r {XML,XML-plus,JSON,JSON-plus,HTML,HTML-plus,MD}, --report-type {XML,XML-plus,JSON,JSON-plus,HTML,HTML-plus,MD}
                         The OWASP ZAP Report Type.
 ```
 
diff --git a/scanners/zap-advanced/docs/README.DockerHub-Scanner.md b/scanners/zap-advanced/docs/README.DockerHub-Scanner.md
@@ -64,7 +64,7 @@ Listed below are the arguments supported by the `zap-advanced-scan` script.
 The command line interface can be used to easily run server scans: `-t www.example.com`
 
 ```bash
-usage: zap-client [-h] -z ZAP_URL [-a API_KEY] [-c CONFIG_FOLDER] -t TARGET [-o OUTPUT_FOLDER] [-r {XML,JSON,HTML,MD}]
+usage: zap-client [-h] -z ZAP_URL [-a API_KEY] [-c CONFIG_FOLDER] -t TARGET [-o OUTPUT_FOLDER] [-r {XML,XML-plus,JSON,JSON-plus,HTML,HTML-plus,MD}]
 
 OWASP secureCodeBox OWASP ZAP Client  (can be used to automate OWASP ZAP instances based on YAML configuration files.)
 
@@ -80,7 +80,7 @@ optional arguments:
                         The target to scan with OWASP ZAP.
   -o OUTPUT_FOLDER, --output-folder OUTPUT_FOLDER
                         The path to a local folder used to store the output files, eg. the ZAP Report or logfiles.
-  -r {XML,JSON,HTML,MD}, --report-type {XML,JSON,HTML,MD}
+  -r {XML,XML-plus,JSON,JSON-plus,HTML,HTML-plus,MD}, --report-type {XML,XML-plus,JSON,JSON-plus,HTML,HTML-plus,MD}
                         The OWASP ZAP Report Type.
 ```
 
diff --git a/scanners/zap-advanced/scanner/zapclient/__main__.py b/scanners/zap-advanced/scanner/zapclient/__main__.py
@@ -116,7 +116,7 @@ def get_parser_args(args=None):
     parser.add_argument("-r",
                         "--report-type",
                         help='The OWASP ZAP Report Type.',
-                        choices=['XML', 'JSON', 'HTML', 'MD'],
+                        choices=['XML', 'XML-plus', 'JSON', 'JSON-plus', 'HTML', 'HTML-plus', 'MD'],
                         default=None,
                         required=False)
     return parser.parse_args(args)
diff --git a/scanners/zap-advanced/scanner/zapclient/zap_automation.py b/scanners/zap-advanced/scanner/zapclient/zap_automation.py
@@ -146,15 +146,21 @@ def __start_scanner(self, target: str):
     def get_report_template_for_file_type(self, file_type: str):
         if file_type == "XML":
             return "traditional-xml"
+        elif file_type == "XML-plus":
+            return "traditional-xml-plus"
         elif file_type == "JSON":
             return "traditional-json"
+        elif file_type == "JSON-plus":
+            return "traditional-json-plus"
         elif file_type == "HTML":
             return "traditional-html"
+        elif file_type == "HTML-plus":
+            return "traditional-html-plus"
         elif file_type == "MD":
             return "traditional-md"
         else:
             raise RuntimeError(
-                "Report file type: '" + file_type + "' hasn't been implemented. Available: XML, JSON, HTML or MD")
+                "Report file type: '" + file_type + "' hasn't been implemented. Available: XML, XML-plus, JSON, JSON-plus, HTML, HTML-plus, or MD")
 
     def generate_report_file(self, file_path: str, report_type: str):
         # To retrieve ZAP report in XML or HTML format
@@ -163,7 +169,9 @@ def generate_report_file(self, file_path: str, report_type: str):
         if report_type is None:
             report_type = "XML"
 
-        report_file = "zap-results." + report_type.lower()
+        # Remove any trailing "-plus" from the file ending, as this is an artifact of the
+        # XML-plus / JSON-plus / HTML-plus report format selector.
+        report_file = "zap-results." + report_type.lower().replace('-plus', '')
         self.__zap.reports.generate(
             title="ZAP Report",
             template=self.get_report_template_for_file_type(report_type),
