188597 (1)
I am working through the book, and I have been stuck on section 3.1 for the last couple of days. I got the deployment pipeline working in chapter 2, but when I updated the circle.yml to run ZAP, it isn't giving me the output I am expecting. The book shows a summary of vulnerabilities, but I don't see that at all. It looks to me like the docker container that is hosting the app is not running properly, kind of like it isn't listening on port 8080. When I look through the ZAP output (of which there is a LOT, mostly things like "org.parosproxy.paros.extension.ExtensionLoader - Initializing <something>"), I do see this:

"ERROR Failed to connect
2017-02-14 04:06:15,151 I/O error(5): Failed to connect".

I have tried forking the chapter 3 code, and I get the same result.
I have also tried running the build with ssh turned on and tried connecting to it, and it won't let me in.

Do you have any thoughts or suggestions? For now, I am going to skip the ZAP testing and move along in the book.
Julien Vehent (15)
Sorry for the late reply. Did you ever find the solution to this issue? It is running fine in the main CircleCI integration of the invoicer, as you can see here: https://circleci.com/gh/Securing-DevOps/invoicer/161
mdeinum (20)
I actually have the same problem.

Comparing the code from the book

docker pull owasp/zap2docker-weekly

docker run -t owasp/zap2docker-weekly

And looking at the build you pointed to

docker pull owasp/zap2docker-weekly

# bridge IP of the app container, taken from the last line of `docker ps`
ip="$(docker inspect $(docker ps | tail -1 | awk '{print $1}') | jq -r '.[0].NetworkSettings.IPAddress')"

timeout 300 docker run -t owasp/zap2docker-weekly zap-baseline.py \
    -u https://raw.githubusercontent.com/Securing-DevOps/invoicer/master/zap-baseline.conf \
    -t http://${ip}:8080/ \
    -m 3 -i
# capture the scan's exit status before anything else can overwrite $?
code=$?

if [ $code -ne 0 ]; then
    cat ~/.ZAP_D/zap.log
    exit $code
fi

You seem to be running quite a different command. The one currently in the book has a hardcoded IP address, whereas yours retrieves it from the docker configuration.
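The difference between the two snippets is worth making robust, so here is an added example (not from the book, the invoicer repository or anyone in this thread) of the same CI step written defensively: it takes the target IP from `docker ps -q` plus `docker inspect` with a Go template (so it needs no jq), refuses to continue when there is not exactly one running container, waits until something actually accepts connections on port 8080 before starting ZAP, and captures the scan's exit status the moment `docker run` returns. The `scan` argument, the 60-second wait and the bash-only `/dev/tcp` check are this example's own choices; the image, config URL and port are the ones quoted above.

```shell
#!/usr/bin/env bash
# Added example, not the book's or the invoicer's own CI script. Assumes bash,
# docker and the owasp/zap2docker-weekly image; the zap-baseline.conf URL and
# port 8080 are the ones from the thread, the 60 s wait is this script's choice.
set -u

# Print the single running container ID from the `docker ps -q` output given
# in $1; fail when there is none or more than one, rather than scanning an
# empty or wrong target.
only_container_id() {
  [ "$(printf '%s\n' "$1" | grep -c .)" -eq 1 ] || return 1
  printf '%s\n' "$1" | grep .
}

# Bridge IP of a container, via a Go template so no jq is needed.
container_ip() {
  docker inspect -f '{{.NetworkSettings.IPAddress}}' "$1"
}

# Return 0 once TCP $1:$2 accepts a connection, 1 after $3 seconds. Uses
# bash's /dev/tcp so it works in a CI image without nc or curl.
wait_for_port() {
  local host=$1 port=$2 deadline
  deadline=$(( $(date +%s) + $3 ))
  while [ "$(date +%s)" -lt "$deadline" ]; do
    if (exec 3<>"/dev/tcp/${host}/${port}") 2>/dev/null; then
      return 0
    fi
    sleep 1
  done
  return 1
}

# Run the baseline scan and hand back its exit status. The status is captured
# right after `timeout ... docker run`, before anything else can overwrite $?.
run_zap_baseline() {
  local ip=$1 code
  timeout 300 docker run -t owasp/zap2docker-weekly zap-baseline.py \
      -u https://raw.githubusercontent.com/Securing-DevOps/invoicer/master/zap-baseline.conf \
      -t "http://${ip}:8080/" \
      -m 3 -i
  code=$?
  return "$code"
}

main() {
  local id ip
  id=$(only_container_id "$(docker ps -q)") \
    || { echo "expected exactly one running container" >&2; return 2; }
  ip=$(container_ip "$id")
  [ -n "$ip" ] || { echo "container $id has no bridge IP" >&2; return 2; }
  # Without this wait, a slow-starting app shows up in the ZAP log only as
  # "I/O error(5): Failed to connect" on every request.
  wait_for_port "$ip" 8080 60 \
    || { echo "nothing listening on ${ip}:8080 after 60s" >&2; return 2; }
  run_zap_baseline "$ip"
}

# Run the pipeline only when asked, so the functions can also be sourced.
case "${1:-}" in
  scan) main ;;
esac
```

Invoke it as `bash zap_scan.sh scan` from the CI job once the app container has been started. If the port never opens, the script exits with a clear message before ZAP runs, so a "Failed to connect" line buried in the ZAP log is no longer the first sign that the app never came up.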
Julien Vehent (15)
This is a good point. I'll make sure to update the code snippet in the book. Thanks!