
I'm currently interacting with ZAP using the REST-API (using Groovy as a language).

What I want to achieve is to start a scan and retrieve the results once the scan has finished.

I'm currently looking at the scan status and I've assumed that I can retrieve the results once the scan status is 100, indicating that the scan has finished. This does not work, however; I have to query /JSON/core/view/alerts/ continuously until the actual results are retrieved.

This is basically my code:

import groovy.json.JsonSlurper

// `zap` is assumed to be defined elsewhere in the script (getContainerIpAddress() is the
// Testcontainers accessor). The URL needs its scheme and opening quote, otherwise
// new URL(...) below throws MalformedURLException.
String zapUrl = "http://${zap.getContainerIpAddress()}:8090"
def slurper = new JsonSlurper()

// Start the spider against the target and remember the scan id ZAP hands back
def scanResponse = slurper.parse(new URL("$zapUrl/JSON/spider/action/scan/?url=http://featuretron:8080"))
String scanId = scanResponse.scan

// Poll the spider's progress until it reports 100 (percent)
def scanStatus = slurper.parse(new URL("$zapUrl/JSON/spider/view/status/?scanId=$scanId"))

while (scanStatus.status != "100") {
    sleep(500)
    scanStatus = slurper.parse(new URL("$zapUrl/JSON/spider/view/status/?scanId=$scanId"))
}

// The alerts are still empty right after the spider finishes, so keep polling until some appear
def alerts = slurper.parse(new URL("$zapUrl/JSON/core/view/alerts/"))
while (alerts.alerts.isEmpty()) {
    sleep(500)
    alerts = slurper.parse(new URL("$zapUrl/JSON/core/view/alerts/"))
}

My question is whether there exists a more stable way to indicate whether the results have been generated. It also seems as if the official examples of the Java API wait as well:

https://github.com/zaproxy/zap-api-java/blob/develop/subprojects/zap-clientapi/src/examples/java/org/zaproxy/clientapi/examples/SimpleExample.java#L65

Kevin Wittek

1 Answer

You are running the spider and waiting for it to finish correctly. However ZAP performs passive scanning in a background thread, and this is what you need to wait for.

There are API calls for this as well; this is a good example: https://github.com/zaproxy/zap-api-python/blob/master/src/examples/basic-spider-scan.py - it's using the Python API, but the underlying API is the same no matter what client you use. That Java example needs to be updated ;)

BTW, in your code you're just going to perform passive scanning, not active scanning (where ZAP actually attacks your app). Is this what you want?

Simon Bennetts
    The passive scan was just for trying out. The Python example is very helpful and waiting for `records_to_scan` works perfectly, thx! – Kevin Wittek Aug 01 '17 at 14:22
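The flow the answer describes, spider, then optionally active scan, then wait for the passive-scan backlog (/JSON/pscan/view/recordsToScan/) to hit zero before reading alerts, as an added example in Python (the language of the linked ZAP example). This is not code from the question, the answer or the ZAP project. The endpoint paths are ZAP's JSON API; the ZAP host http://zap:8090, the target URL, and the FakeZap class are constructed for an offline run. `wait_for_pscan=False` reproduces the question's race: the spider is at 100% but the passive scanner has not finished, so the alert list is still empty.

```python
"""Added example (not from the question, the answer or ZAP itself): drive ZAP's REST
API and wait for the spider AND the passive scanner before reading the alerts.
The host, target and the FakeZap stand-in are constructed for an offline demo."""
import json
import time
import urllib.parse
import urllib.request


def http_fetch(url, timeout=10):
    """Real transport: GET a URL and return the response body as text."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def zap_call(fetch, base_url, path, apikey=None, **params):
    """GET one ZAP JSON endpoint. `fetch(url) -> str` is injectable so the
    control flow can be exercised without a running ZAP."""
    if apikey:
        params["apikey"] = apikey  # newer ZAP builds reject API calls without a key
    query = urllib.parse.urlencode(params)
    return json.loads(fetch(base_url + path + ("?" + query if query else "")))


def wait_until(read, done, sleep, interval=0.5, max_polls=600):
    """Poll read() until done(value) holds; bounded so a stuck scan cannot hang a CI job."""
    for _ in range(max_polls):
        value = read()
        if done(value):
            return value
        sleep(interval)
    raise TimeoutError("ZAP did not reach the expected state in time")


def scan_and_collect_alerts(base_url, target, apikey=None, active=False,
                            wait_for_pscan=True, fetch=http_fetch, sleep=time.sleep):
    """Spider `target` (optionally active-scan it too), then return its alerts.
    wait_for_pscan=False is the bug from the question: the spider reports 100
    while the passive scanner is still working through its queue."""
    def call(path, **params):
        return zap_call(fetch, base_url, path, apikey, **params)

    def status_of(path, scan_id):
        return lambda: int(call(path, scanId=scan_id)["status"])

    scan_id = call("/JSON/spider/action/scan/", url=target)["scan"]
    wait_until(status_of("/JSON/spider/view/status/", scan_id), lambda s: s >= 100, sleep)

    if active:  # active scan = ZAP attacks the app; its traffic also feeds the passive queue
        ascan_id = call("/JSON/ascan/action/scan/", url=target)["scan"]
        wait_until(status_of("/JSON/ascan/view/status/", ascan_id), lambda s: s >= 100, sleep)

    if wait_for_pscan:  # the signal the answer points at: the passive-scan backlog
        wait_until(lambda: int(call("/JSON/pscan/view/recordsToScan/")["recordsToScan"]),
                   lambda n: n == 0, sleep)

    return call("/JSON/core/view/alerts/", baseurl=target)["alerts"]


class FakeZap:
    """Constructed stand-in for ZAP with a simulated clock: the spider finishes at
    t=1s, an active scan at t=2s, the passive queue drains one record per second,
    and alerts only exist once that queue is empty (the race from the question)."""

    def __init__(self):
        self.now = 0.0

    def sleep(self, seconds):
        self.now += seconds

    def fetch(self, url):
        path = urllib.parse.urlparse(url).path
        backlog = max(0, 3 - int(self.now))
        if path in ("/JSON/spider/action/scan/", "/JSON/ascan/action/scan/"):
            body = {"scan": "0"}
        elif path == "/JSON/spider/view/status/":
            body = {"status": "100" if self.now >= 1.0 else "50"}
        elif path == "/JSON/ascan/view/status/":
            body = {"status": "100" if self.now >= 2.0 else "30"}
        elif path == "/JSON/pscan/view/recordsToScan/":
            body = {"recordsToScan": str(backlog)}
        elif path == "/JSON/core/view/alerts/":
            body = {"alerts": [] if backlog else
                    [{"alert": "X-Content-Type-Options Header Missing", "risk": "Low"}]}
        else:
            raise ValueError("unexpected ZAP endpoint: " + path)
        return json.dumps(body)


if __name__ == "__main__":
    fake = FakeZap()
    print("spider only :", scan_and_collect_alerts("http://zap:8090", "http://featuretron:8080",
                                                    wait_for_pscan=False, fetch=fake.fetch, sleep=fake.sleep))
    fake = FakeZap()
    print("after pscan :", scan_and_collect_alerts("http://zap:8090", "http://featuretron:8080",
                                                    fetch=fake.fetch, sleep=fake.sleep))
```

Two caveats worth knowing before wiring this into a pipeline: recordsToScan is instance-wide, not per scan, so on a ZAP shared between jobs another job's traffic keeps it above zero, and the `baseurl` filter on the alerts view is what keeps you from picking up that other job's findings. Against a real ZAP replace the FakeZap transport with the default `http_fetch` and pass the API key.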