
I am new to OWASP ZAP. I have ZAP Desktop set up, where I inject the web application host with port, and it takes about 5-6 minutes to complete the spider scan; when I look at the Alerts section I see one Medium alert and a lot of Low alerts.

However, I tried integrating ZAP with Jenkins, and I see the job completing within a few seconds, and the report it provides does not match the alerts shown in OWASP ZAP Desktop. I see one Medium alert in OWASP ZAP Desktop, whereas I do not see any Medium alerts in the Jenkins ZAP job report.

Also, the spider scan shows 0% scan progress and never shows the job's completion percentage. What am I missing here? Why is it not displaying 100%, and why are not all alerts captured in Jenkins?

I also got the error below in the log.

    P.transaction_id};var l=F.CONFIG={maxQueriesToDraw:40,queryCharactersToShow:1640,lockColumnIndex:3,asy"[truncated 12477 chars]; line: 1, column: 4]
    at com.fasterxml.jackson.core.JsonParser._constructError(JsonParser.java:1840)
    at com.fasterxml.jackson.core.base.ParserMinimalBase._reportError(ParserMinimalBase.java:722)
    at com.fasterxml.jackson.core.json.ReaderBasedJsonParser._reportInvalidToken(ReaderBasedJsonParser.java:2868)
    at com.fasterxml.jackson.core.json.ReaderBasedJsonParser._handleOddValue(ReaderBasedJsonParser.java:1914)
    at com.fasterxml.jackson.core.json.ReaderBasedJsonParser.nextToken(ReaderBasedJsonParser.java:773)
    at com.fasterxml.jackson.databind.ObjectMapper._readTreeAndClose(ObjectMapper.java:4231)
    at com.fasterxml.jackson.databind.ObjectMapper.readTree(ObjectMapper.java:2711)
    at io.swagger.parser.SwaggerCompatConverter.readResourceListing(SwaggerCompatConverter.java:210)
    at io.swagger.parser.SwaggerCompatConverter.read(SwaggerCompatConverter.java:123)
    at io.swagger.parser.SwaggerCompatConverter.read(SwaggerCompatConverter.java:114)
    at org.zaproxy.zap.extension.openapi.converter.swagger.SwaggerConverter.convertV1ToV2(SwaggerConverter.java:216)
    at org.zaproxy.zap.extension.openapi.converter.swagger.SwaggerConverter.getOpenAPI(SwaggerConverter.java:197)
    at org.zaproxy.zap.extension.openapi.converter.swagger.SwaggerConverter.readOpenAPISpec(SwaggerConverter.java:170)
    at org.zaproxy.zap.extension.openapi.converter.swagger.SwaggerConverter.getRequestModels(SwaggerConverter.java:157)
    at org.zaproxy.zap.extension.openapi.OpenApiSpider.parseResource(OpenApiSpider.java:55)
    at org.zaproxy.zap.spider.SpiderTask.processResource(SpiderTask.java:415)
    at org.zaproxy.zap.spider.SpiderTask.runImpl(SpiderTask.java:267)
    at org.zaproxy.zap.spider.SpiderTask.run(SpiderTask.java:190)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
    15578 [ZAP-SpiderThreadPool-0-thread-1] ERROR io.swagger.parser.SwaggerCompatConverter  - failed to read resource listing
Ashu123
  • Have you checked to see if your target application is accessible from your jenkins server? – Simon Bennetts Feb 02 '21 at 09:19
  • Yes, it is accessible from the Jenkins server. – Ashu123 Feb 02 '21 at 09:21
  • Are there any errors in the zap.log file? https://www.zaproxy.org/faq/somethings-not-working-what-should-i-do/#check-the-log-file – Simon Bennetts Feb 02 '21 at 09:34
  • No, there are no errors in the log file apart from errors like "Error snake-parsing yaml content io.swagger.parser.util.DeserializationUtils$SnakeException: Exception safe-checking yaml content (maxDepth 2000)" – Ashu123 Feb 02 '21 at 10:47
  • I also added the other error to the main description. – Ashu123 Feb 02 '21 at 10:57
  • The swagger error doesn't seem to be relevant, unless you are using a swagger / OpenAPI definition. It's worth noting that the ZAP Jenkins plugin is no longer supported, and that ZAP 2.9.0 is not the latest release (and therefore also not supported). Can you use the latest ZAP docker image instead? – Simon Bennetts Feb 03 '21 at 12:30
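The symptom in the question (a CI job that "completes" in seconds with a spider stuck at 0% and fewer alerts than the desktop run) is a scan that never really reached the target, and a pipeline that treats that as a pass gives false assurance. The script below is an added example, not code from the question, from ZAP or from the Jenkins plugin. It assumes the layout of ZAP's traditional JSON report (a top-level "site" list whose entries hold "alerts", each carrying "riskcode" 0..3 and a list of "instances" with a "uri"); both sample reports are constructed for the example. It tallies alerts per risk level, counts the distinct URIs that produced alerts so a near-empty report can fail the build instead of passing it, and lists the risk levels a reference run (ZAP Desktop) found that the CI run missed.

```python
"""Sanity-check a ZAP JSON report before trusting it in CI.

Added example, not from the question, ZAP or the Jenkins plugin. Assumes the
shape of ZAP's traditional JSON report: {"site": [{"alerts": [{"riskcode": "2",
"alert": "...", "instances": [{"uri": "..."}]}]}]}. Sample data is constructed.
"""
import json
from collections import Counter

RISK_NAMES = {"0": "Informational", "1": "Low", "2": "Medium", "3": "High"}


def summarise(report_text):
    """Count alerts per risk level and the distinct URIs that raised any alert."""
    report = json.loads(report_text)
    by_risk = Counter()
    uris = set()
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            by_risk[RISK_NAMES.get(str(alert.get("riskcode")), "Unknown")] += 1
            for inst in alert.get("instances", []):
                if inst.get("uri"):
                    uris.add(inst["uri"])
    return {
        "sites": len(report.get("site", [])),
        "alerts_by_risk": dict(by_risk),
        "distinct_uris": len(uris),
    }


def scan_looks_real(summary, min_uris=2):
    """A report with no sites, or alerts on fewer than min_uris distinct URIs,
    is more likely a scan that never crawled the target (spider at 0%) than a
    clean application. CI should treat it as a failed scan, not a pass."""
    return summary["sites"] > 0 and summary["distinct_uris"] >= min_uris


def compare(reference, candidate):
    """Risk levels present in the reference run (e.g. ZAP Desktop) that the
    candidate run (e.g. the Jenkins job) reports nothing for at all."""
    ref = reference["alerts_by_risk"]
    cand = candidate["alerts_by_risk"]
    return sorted(level for level, n in ref.items()
                  if n > 0 and cand.get(level, 0) == 0)


# Constructed sample resembling a desktop run that actually crawled the app.
DESKTOP_REPORT = json.dumps({
    "@version": "2.9.0",
    "site": [{
        "@name": "http://target.example",
        "alerts": [
            {"alert": "Content Security Policy (CSP) Header Not Set", "riskcode": "2",
             "instances": [{"uri": "http://target.example/"},
                           {"uri": "http://target.example/login"}]},
            {"alert": "X-Content-Type-Options Header Missing", "riskcode": "1",
             "instances": [{"uri": "http://target.example/"}]},
            {"alert": "Cookie Without Secure Flag", "riskcode": "1",
             "instances": [{"uri": "http://target.example/login"}]},
        ],
    }],
})

# Constructed sample resembling a CI run that finished in seconds: a single
# Low alert on one URI and nothing at Medium.
CI_REPORT = json.dumps({
    "@version": "2.9.0",
    "site": [{
        "@name": "http://target.example",
        "alerts": [
            {"alert": "X-Content-Type-Options Header Missing", "riskcode": "1",
             "instances": [{"uri": "http://target.example/"}]},
        ],
    }],
})


if __name__ == "__main__":
    desk, ci = summarise(DESKTOP_REPORT), summarise(CI_REPORT)
    print("desktop:", desk)
    print("ci:     ", ci)
    print("ci scan looks real:", scan_looks_real(ci))
    print("risk levels missing from ci:", compare(desk, ci))
```

In a pipeline, run `summarise` over the report ZAP wrote and fail the build when `scan_looks_real` returns False, before looking at the alert counts; the threshold `min_uris` is a constructed default and should be set from a known-good run against the same target.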

0 Answers