188597 (1)
#1
I am working through the book, and I have been stuck on section 3.1 for the last couple of days. I got the deployment pipeline working in chapter 2, but when I updated the circle.yml to run ZAP, it isn't giving me the output I am expecting. The book shows a summary of vulnerabilities, but I don't see that at all. It looks to me like the docker container that is hosting the app is not running properly, kind of like it isn't listening on port 8080. When I look through the ZAP output (of which there is a LOT, mostly things like "org.parosproxy.paros.extension.ExtensionLoader - Initializing <something>"), I do see this:

"ERROR Failed to connect
2017-02-14 04:06:15,151 I/O error(5): Failed to connect"

I have tried forking the chapter 3 code, and I get the same result.
I have also tried running the build with SSH turned on and tried connecting to 172.17.0.2:8080, and it won't let me in.

Do you have any thoughts or suggestions? For now, I am going to skip the ZAP testing and move along in the book.
Julien Vehent (15)
#2
Sorry for the late reply. Did you ever find the solution to this issue? It is running fine in the main CircleCI integration of the invoicer, as you can see here: https://circleci.com/gh/Securing-DevOps/invoicer/161
mdeinum (20)
#3
I actually have the same problem.

Comparing the code from the book

docker pull owasp/zap2docker-weekly

# The book's version: the target IP is hardcoded, so the scan only works if
# the invoicer container happens to get 172.17.0.2 from the docker bridge.
docker run -t owasp/zap2docker-weekly \
    zap-baseline.py \
    -t http://172.17.0.2:8080


And looking at the build you pointed to

docker pull owasp/zap2docker-weekly

# The CircleCI version: take the ID of the last container listed by
# `docker ps` and read its bridge IP out of `docker inspect`, so the
# scan follows whatever address docker actually assigned.
ip="$(docker inspect $(docker ps | tail -1 | awk '{print $1}') | jq -r '.[0].NetworkSettings.IPAddress')"

# Run the baseline scan against that IP with the repo's zap-baseline.conf,
# a 3-minute spider limit (-m 3), ignoring informational alerts (-i), and
# kill the whole thing after 300 seconds if it hangs.
timeout 300 docker run -t owasp/zap2docker-weekly zap-baseline.py \
    -u https://raw.githubusercontent.com/Securing-DevOps/invoicer/master/zap-baseline.conf \
    -t http://${ip}:8080/ \
    -m 3 -i
code=$?

# On any non-zero exit, dump the ZAP log into the build output and fail the job.
if [ $code -ne 0 ]; then
    cat ~/.ZAP_D/zap.log
    exit $code
fi


You seem to be running quite a different command. The one currently in the book has a hardcoded IP address, whereas yours retrieves it from the docker configuration.
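As an added example (not code from the book or from the invoicer repository), here is the same idea written so that both causes of "Failed to connect" are handled: the target IP is read from `docker inspect` instead of being hardcoded (parsed with sed, so jq is not required), and the scan only starts once the app is actually accepting connections on port 8080. The `docker inspect` JSON embedded below is a constructed sample; `scan_container`, `nc` being available, and the container name argument are assumptions for illustration.

```shell
#!/bin/sh
# Added example: discover the container's IP, wait for the port, then scan.

# Extract the first non-empty "IPAddress" from `docker inspect` JSON on stdin.
# For a container on the default bridge this is NetworkSettings.IPAddress;
# for a user-defined network the top-level field is "" and the first
# non-empty match comes from NetworkSettings.Networks.<name>.IPAddress.
container_ip() {
    sed -n 's/^[[:space:]]*"IPAddress":[[:space:]]*"\([0-9][0-9.]*\)".*/\1/p' | head -n 1
}

# Constructed sample of what `docker inspect <container>` prints (trimmed).
sample_inspect() {
    cat <<'EOF'
[
    {
        "Id": "0123abcd",
        "NetworkSettings": {
            "Bridge": "",
            "IPAddress": "172.17.0.2",
            "Networks": {
                "bridge": {
                    "IPAddress": "172.17.0.2"
                }
            }
        }
    }
]
EOF
}

# Default probe: a one-second TCP connect with nc. PROBE_CMD can be
# overridden with any command taking HOST PORT (used by the test below).
tcp_probe() {
    nc -z -w 1 "$1" "$2" 2>/dev/null
}
PROBE_CMD=${PROBE_CMD:-tcp_probe}

# wait_for_port HOST PORT TRIES DELAY: retry the probe until it succeeds.
# Returns 0 once the port accepts a connection, 1 after TRIES failures,
# so the caller can fail the build instead of scanning a dead target.
wait_for_port() {
    host=$1; port=$2; tries=$3; delay=$4
    n=0
    while [ "$n" -lt "$tries" ]; do
        if "$PROBE_CMD" "$host" "$port"; then
            return 0
        fi
        n=$((n + 1))
        sleep "$delay"
    done
    echo "timed out waiting for $host:$port after $tries tries" >&2
    return 1
}

# Hypothetical pipeline step: scan_container <name-or-id>. Assumes docker,
# the owasp/zap2docker-weekly image and the invoicer container exist.
scan_container() {
    container=$1
    ip=$(docker inspect "$container" | container_ip) || return 1
    [ -n "$ip" ] || { echo "no IP address found for $container" >&2; return 1; }
    wait_for_port "$ip" 8080 30 2 || return 1
    timeout 300 docker run -t owasp/zap2docker-weekly zap-baseline.py \
        -t "http://${ip}:8080/" -m 3 -i
}
```

In circle.yml this replaces the single `docker run` line: the scan is skipped with a clear error if the container never came up, rather than ZAP reporting "Failed to connect" buried in its startup noise.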
Julien Vehent (15)
#4
This is a good point. I'll make sure to update the code snippet in the book. Thanks!