Docker ZAP integrated with OWASP Glue #152

Open
plech opened this issue Mar 20, 2019 · 22 comments
Comments

@plech

plech commented Mar 20, 2019

Hi Omer, I've done all the steps from https://github.com/OWASP/glue/blob/master/docs/dynamic_task.md#zaproxy.

I have a report in txt format, but I have a question on how to remove false-positives from this report? Can I create a glue.json file with false-positives?

My idea is to do something like this:

  1. modify ZAP Docker image (adding bash script with curl command - request for ZAP API, response with report in json format, save report on local disk)
  2. step by step : https://github.com/OWASP/glue/blob/master/docs/dynamic_task.md#zaproxy.
  3. create glue.json file with false-positives
  4. run command: ruby /bin/glue --finding-file-path <path_glue.json>

What do you think about this solution?

output.txt

@omerlh
Collaborator

omerlh commented Mar 20, 2019

Yep, using the glue json you can either ignore or postpone findings.

@plech
Author

plech commented Mar 20, 2019

OK, the solution works, but how to generate a report in json / text / csv format after filtering false-positives from the glue.json file?
Now, the output is on the console, and I would like a report in json format.
Is it possible?

@omerlh
Collaborator

omerlh commented Mar 21, 2019

There is a JSON reporter, but it will print all the findings to the console - currently, there is no reporter that generates a file with the findings. Maybe open a PR and add a decorator reporter that wraps any existing reporter and puts the output in a file?
The reporter will report the findings after filtering - so it will ignore all the findings that are marked as false-positive.
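
An added example (not code from Glue or from this thread) of the wrapper reporter suggested above, in Ruby: `FileReporter` decorates any object that has a `run_report(tracker)` method, writes what it returns to a file and still returns it, so the console output is unchanged. The stand-in reporter, `Finding` and `Tracker` are constructed for the demo, and the assumption that Glue reporters return the rendered report from `run_report(tracker)` is mine.

```ruby
require 'json'
require 'tmpdir'

# Constructed stand-in for a Glue reporter. Assumption: a Glue reporter
# exposes run_report(tracker) and returns the rendered report as a string.
class StubJsonReporter
  attr_reader :name

  def initialize
    @name = 'JSONReporter'
  end

  def run_report(tracker)
    JSON.pretty_generate(tracker.findings.map(&:to_h))
  end
end

# Decorator: wraps any reporter that responds to run_report(tracker),
# writes the rendered output to a file and still returns it, so the
# existing console behaviour is preserved.
class FileReporter
  attr_reader :name

  def initialize(inner, path)
    @inner = inner
    @path = path
    @name = "#{inner.name} -> #{File.basename(path)}"
  end

  def run_report(tracker)
    output = @inner.run_report(tracker)
    File.write(@path, output)
    output
  end
end

# Constructed minimal finding and tracker (hypothetical, only for this demo).
Finding = Struct.new(:task, :severity, :description, :fingerprint)
Tracker = Struct.new(:findings)

# Runs the decorated reporter over two sample findings and returns the output.
def write_report_example(path)
  tracker = Tracker.new([
    Finding.new('ZAP', 2, 'X-Frame-Options header not set', 'zap-10020-0001'),
    Finding.new('ZAP', 1, 'Cookie without Secure flag', 'zap-10011-0002')
  ])
  FileReporter.new(StubJsonReporter.new, path).run_report(tracker)
end
```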

@plech
Author

plech commented Mar 25, 2019

I am trying to use the owasp/glue docker image and analyze the .json report (filter out false-positives).
I'm using the command

docker run -it owasp/glue sh ruby /bin/glue -t Dynamic -T output.json --mapping-file zaproxy --finding-file-path glue.json

but I get this output:

/home/glue/glue/lib/glue/options.rb:41:in `block (2 levels) in get_options': undefined local variable or method `path' for Glue::Options:Module (NameError)
	from /home/glue/.rvm/rubies/ruby-2.3.1/lib/ruby/2.3.0/optparse.rb:1571:in `block in parse_in_order'
	from /home/glue/.rvm/rubies/ruby-2.3.1/lib/ruby/2.3.0/optparse.rb:1527:in `catch'
	from /home/glue/.rvm/rubies/ruby-2.3.1/lib/ruby/2.3.0/optparse.rb:1527:in `parse_in_order'
	from /home/glue/.rvm/rubies/ruby-2.3.1/lib/ruby/2.3.0/optparse.rb:1521:in `order!'
	from /home/glue/.rvm/rubies/ruby-2.3.1/lib/ruby/2.3.0/optparse.rb:1613:in `permute!'
	from /home/glue/.rvm/rubies/ruby-2.3.1/lib/ruby/2.3.0/optparse.rb:1635:in `parse!'
	from /home/glue/glue/lib/glue/options.rb:356:in `get_options'
	from /home/glue/glue/lib/glue/options.rb:16:in `parse!'
	from /home/glue/glue/bin/glue:11:in `<top (required)>'
	from /home/glue/.rvm/rubies/ruby-2.3.1/bin/glue:23:in `load'
	from /home/glue/.rvm/rubies/ruby-2.3.1/bin/glue:23:in `<main>'
	from /home/glue/.rvm/rubies/ruby-2.3.1/bin/ruby_executable_hooks:15:in `eval'
	from /home/glue/.rvm/rubies/ruby-2.3.1/bin/ruby_executable_hooks:15:in `<main>'

What is wrong?

@omerlh
Collaborator

omerlh commented Mar 25, 2019

Yep, try the raw-latest tag - currently, the regular latest tag is not pushed automatically and is outdated. This should solve it.

@ghost

ghost commented Mar 27, 2019

Hi Omer, thank you very much for the tips.
I'm trying to execute the jq statement on a json report, but I get an error
jq: error (at data.json:0): Cannot index array with string "@name"
What is wrong? Is the statement incorrect? Has the ZAP report changed?
The ZAP report in JSON format is attached.

zap_report.json.txt

@omerlh
Collaborator

omerlh commented Mar 27, 2019

Sorry, there was a bug in the pattern - just fixed it in #153 :)
Test the new pattern, please?
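
As an added illustration, not from the Glue project or from PR #153: a Ruby walk over a constructed ZAP JSON report in which `site` is an array, the shape that makes a jq filter written as `.site."@name"` fail with the error quoted above. The function accepts `site` both as an array and as a single object, so it does not depend on which shape the report carries; all sample values are made up.

```ruby
require 'json'

# Constructed sample in the shape of a ZAP JSON report in which "site" is an
# array; indexing that array with a string (.site."@name") is what makes jq
# fail with "Cannot index array with string". All values are made up.
SAMPLE_ZAP_REPORT = <<~REPORT
  {
    "@version": "2.7.0",
    "site": [{
      "@name": "http://example.test",
      "alerts": [
        { "pluginid": "10020", "alert": "X-Frame-Options Header Not Set",
          "riskcode": "2", "confidence": "2",
          "instances": [{ "uri": "http://example.test/", "method": "GET" },
                        { "uri": "http://example.test/login", "method": "GET" }] },
        { "pluginid": "10011", "alert": "Cookie Without Secure Flag",
          "riskcode": "1", "confidence": "3",
          "instances": [{ "uri": "http://example.test/login", "method": "POST" }] }
      ]
    }]
  }
REPORT

# Flattens a parsed ZAP report into one row per (alert, instance). "site" is
# accepted both as an array of sites and as a single site object, so the
# same code works whichever shape the report carries.
def flatten_zap_alerts(report)
  sites = report.fetch('site')
  sites = [sites] unless sites.is_a?(Array)
  sites.flat_map do |site|
    site.fetch('alerts', []).flat_map do |alert|
      alert.fetch('instances', [{}]).map do |inst|
        { site: site['@name'], plugin: alert['pluginid'], alert: alert['alert'],
          risk: alert['riskcode'].to_i, uri: inst['uri'], method: inst['method'] }
      end
    end
  end
end

# Keeps only rows at or above a ZAP risk code (0 info, 1 low, 2 medium, 3 high).
def alerts_at_least(rows, min_risk)
  rows.select { |r| r[:risk] >= min_risk }
end

def parse_sample
  flatten_zap_alerts(JSON.parse(SAMPLE_ZAP_REPORT))
end
```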

@ghost

ghost commented Mar 27, 2019

It's OK, I would suggest updating the documentation.
https://github.com/OWASP/glue/blob/master/docs/dynamic_task.md

Thank you very much.

@omerlh
Collaborator

omerlh commented Mar 27, 2019

I did - take a look at the PR :)

@ghost

ghost commented Mar 27, 2019

I would like to report results to JIRA.
JIRA works locally (localhost:8080).
What should the value of the --jira-api-url parameter be?

@omerlh
Collaborator

omerlh commented Mar 27, 2019

Actually - I'm not sure. Try just localhost:8080?

@ghost

ghost commented Mar 28, 2019

When trying to connect to the JIRA server (https) - I get an error

SSL_connect returned = 1 errno = 0 state = error: certificate verify failed
Results are in JIRA

How to fix it?

@omerlh
Collaborator

omerlh commented Mar 28, 2019

Looks like a TLS issue, does your Jira server have a valid TLS certificate?

@ghost

ghost commented Mar 28, 2019

The certificate is good.
I made the test using openssl

Verify return code: 0 (ok)

@omerlh
Collaborator

omerlh commented Mar 31, 2019

That's weird because the error:

SSL_connect returned = 1 errno = 0 state = error: certificate verify failed

Looks like a TLS issue... Do you run glue inside docker?

@ghost

ghost commented Mar 31, 2019

Yes.
I have no idea what is wrong, I tried this https://bundler.io/v2.0/guides/rubygems_tls_ssl_troubleshooting_guide.html
but it doesn't work.
Is there any other active integration? Maybe Slack or something else?

@omerlh
Collaborator

omerlh commented Apr 1, 2019

Can you try that outside the docker container? And can you test your website using tools like SSLLabs?

@ghost

ghost commented Apr 2, 2019

OK, it works.
Tasks are created in the JIRA system, but the filter that eliminates duplication does not work. Duplicates are created because the jql query is incorrect and incorrectly verified by the "fingerprint". I think so :-)

I found a working solution.
https://community.atlassian.com/t5/Jira-questions/CONTAINS-does-not-seem-to-work-when-searching-description/qaq-p/408602

I tested this solution on a local machine and it's working.

@omerlh
Collaborator

omerlh commented Apr 2, 2019

Sounds like a PR?

@ghost

ghost commented Apr 2, 2019

I would like :-)
but I'm not a developer, especially in Ruby.

@omerlh
Collaborator

omerlh commented Apr 2, 2019

So file an issue please?

@stale

stale bot commented Jun 1, 2019

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale label Jun 1, 2019