
Container image scanner started failing today with ScanNotStartedException


Describe the bug

We use the Docker image and zap-api-scan.py shipped inside it.

But our automated ZAP scanner fails with this exception:

11:21:02  115699 [ZAP-PassiveScanner] INFO  org.zaproxy.zap.extension.pscan.PassiveScanThread - Disabling passive scan rule Cookie without SameSite Attribute as it has raised more than 10 alerts.
11:21:02  116397 [ZAP-PassiveScanner] INFO  org.zaproxy.zap.extension.pscan.PassiveScanThread - Disabling passive scan rule HTTP Server Response Header as it has raised more than 10 alerts.
11:21:02  116699 [ZAP-PassiveScanner] INFO  org.zaproxy.zap.extension.pscan.PassiveScanThread - Disabling passive scan rule Content Security Policy (CSP) Header Not Set as it has raised more than 10 alerts.
11:21:02  116703 [ZAP-PassiveScanner] INFO  org.zaproxy.zap.extension.pscan.PassiveScanThread - Disabling passive scan rule Information Disclosure - Sensitive Information in URL as it has raised more than 10 alerts.
11:21:02  116897 [ZAP-PassiveScanner] INFO  org.zaproxy.zap.extension.pscan.PassiveScanThread - Disabling passive scan rule Strict-Transport-Security Header as it has raised more than 10 alerts.
11:00:02  94902 [ZAP-IO-EventExecutor-3-1] WARN  org.zaproxy.zap.extension.api.API - Bad request to API endpoint [/JSON/ascan/action/scan/] from [0:0:0:0:0:0:0:1]:
11:00:02  org.zaproxy.zap.extension.api.ApiException: does_not_exist
11:00:02  	at org.zaproxy.zap.extension.ascan.ActiveScanAPI.handleApiAction(ActiveScanAPI.java:358) ~[zap-D-2022-04-21.jar:D-2022-04-21]
11:00:02  	at org.zaproxy.zap.extension.api.API.handleApiRequest(API.java:516) ~[zap-D-2022-04-21.jar:D-2022-04-21]

Changing to the weekly image zap-D-2022-04-11.jar:D-2022-04-11 as mentioned in https://github.com/zaproxy/zaproxy/issues/7218 does not help.

The traceback is

11:21:01  Traceback (most recent call last):
11:21:01    File "/zap/zap-api-scan.py", line 484, in main
11:21:01      zap_active_scan(zap, target, scan_policy)
11:21:01    File "/zap/zap_common.py", line 104, in _wrap
11:21:01      return_data = func(*args_list, **kwargs)
11:21:01    File "/zap/zap_common.py", line 458, in zap_active_scan
11:21:01      raise_scan_not_started()
11:21:01    File "/zap/zap_common.py", line 407, in raise_scan_not_started
11:21:01      raise ScanNotStartedException('Failed to start the scan, check the log/output for more details.')
11:21:01  zap_common.ScanNotStartedException: Failed to start the scan, check the log/output for more details.

To my mind the OpenAPI JSON is read and fully parsed:

11:20:22  2022-04-21 09:20:22,875 Import OpenAPI URL https://rahmenseite-dev.test-dmz.internal_customer.com/epui/int-application/v3/api-docs
11:20:22  2022-04-21 09:20:22,879 Starting new HTTP connection (1): localhost:37611
11:21:01  2022-04-21 09:20:57,874 http://localhost:37611 "GET http://zap/JSON/openapi/action/importUrl/?url=https%3A%2F%2Frahmenseite-dev.test-dmz.internal_customer.com%2Fepui%2Fint-application%2Fv3%2Fapi-docs&apikey=&hostOverride= HTTP/1.1" 200 16
11:21:01  2022-04-21 09:20:57,974 Starting new HTTP connection (1): localhost:37611
11:21:01  2022-04-21 09:20:58,170 http://localhost:37611 "GET http://zap/JSON/core/view/urls/ HTTP/1.1" 200 2364
11:21:01  2022-04-21 09:20:58,171 Number of Imported URLs: 28
11:21:01  2022-04-21 09:20:58,171 Import warnings: []

Sadly our cloud does not have access to the ZAP update page, and we see this three times:

11:21:02  80701 [ZAP-cfu] ERROR org.zaproxy.addon.callhome.ExtensionCallHome - Connection refused (Connection refused)
[...]
11:21:02  	at org.zaproxy.zap.extension.autoupdate.ExtensionAutoUpdate.getRemoteConfiguration(ExtensionAutoUpdate.java:966) ~[zap-D-2022-04-11.jar:D-2022-04-11]
11:21:02  	at org.zaproxy.zap.extension.autoupdate.ExtensionAutoUpdate.access$600(ExtensionAutoUpdate.java:86) ~[zap-D-2022-04-11.jar:D-2022-04-11]

Is that a big issue? The image should have updated plugins shipped inside, shouldn't it? We see successful initializing:

11:21:02  67907 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows you to spider and import OpenAPI (Swagger) definitions 
11:21:02  68000 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing OpenAPI Automation Framework Integration

Steps to reproduce the behavior

Start the scan with zap-api-scan.py -d -t https://rahmenseite-dev.test-dmz.internal_customer.com/epui/int-application/v3/api-docs -f openapi -r ../../var/lib/jenkins/jobs/PKP/epui/feature_openshift_v4/54/zap-dast-epui_20220421.1118.49_54_c0f9702.html

Expected behavior

Continuous scans and result files.

Software versions

owasp/zap2docker-live:latest, owasp/zap2docker-weekly:w2022-04-11

Errors from the zap.log file

Included relevant snippets above. Let me know if you need more logs, I can redact ours as needed.
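The script only surfaces the generic ScanNotStartedException; the actual reason is the ApiException that ZAP logs directly after the "Bad request to API endpoint" warning quoted above. The following is an added example (not code from the zaproxy project or from the issue) that pulls those two lines together so a CI job prints the real cause. The sample log is constructed from the lines in this report; the hint for does_not_exist assumes the default API-Minimal policy that zap-api-scan.py requests, and the mapping of the other two error codes is based on the ZAP API's documented error types.

```shell
#!/bin/sh
# Added example for this thread; not zaproxy project code.
# Extract the ApiException that ZAP logs after a rejected API request and
# turn it into an actionable hint, instead of the bare ScanNotStartedException.

# Constructed sample modelled on the log lines quoted in the issue (not a real capture).
zap_sample_log() {
    cat <<'EOF'
11:21:02  116897 [ZAP-PassiveScanner] INFO  org.zaproxy.zap.extension.pscan.PassiveScanThread - Disabling passive scan rule Strict-Transport-Security Header as it has raised more than 10 alerts.
11:00:02  94902 [ZAP-IO-EventExecutor-3-1] WARN  org.zaproxy.zap.extension.api.API - Bad request to API endpoint [/JSON/ascan/action/scan/] from [0:0:0:0:0:0:0:1]:
11:00:02  org.zaproxy.zap.extension.api.ApiException: does_not_exist
11:00:02  	at org.zaproxy.zap.extension.ascan.ActiveScanAPI.handleApiAction(ActiveScanAPI.java:358) ~[zap-D-2022-04-21.jar:D-2022-04-21]
11:21:01  zap_common.ScanNotStartedException: Failed to start the scan, check the log/output for more details.
EOF
}

# Read ZAP output on stdin; print one "<endpoint> <error_code>" line per
# rejected API request (the ApiException line that follows a "Bad request").
zap_api_errors() {
    awk '
        /Bad request to API endpoint \[/ {
            ep = $0
            sub(/.*Bad request to API endpoint \[/, "", ep)
            sub(/\].*/, "", ep)
            pending = 1
            next
        }
        pending && /ApiException: / {
            err = $0
            sub(/.*ApiException: /, "", err)
            sub(/[[:space:]]+$/, "", err)
            print ep " " err
            pending = 0
        }
    '
}

# Map an endpoint/error pair to a hint. The does_not_exist case is the one from
# this issue: the scan policy could not be found in the ZAP home directory.
zap_hint() {
    case "$1 $2" in
        "/JSON/ascan/action/scan/ does_not_exist")
            echo "active scan refused: the requested scan policy (API-Minimal by default) or user was not found; check <ZAP home>/policies/ (ZAP uses the working directory when user.home is unset)" ;;
        "/JSON/ascan/action/scan/ url_not_in_context")
            echo "active scan refused: the target URL is outside the scan context" ;;
        "/JSON/ascan/action/scan/ context_not_found")
            echo "active scan refused: the named context does not exist" ;;
        *)
            echo "API error $2 on $1: see the ZAP log for the stack trace" ;;
    esac
}

# Print a hint for every rejected API request in the log read from stdin;
# return 1 if any were found so the CI step fails with a readable reason.
zap_triage() {
    errors=$(zap_api_errors)
    [ -n "$errors" ] || return 0
    printf '%s\n' "$errors" | while read -r ep err; do
        zap_hint "$ep" "$err"
    done
    return 1
}

# Usage: zap-api-scan.py ... 2>&1 | tee scan.log; zap_triage < scan.log
```

Pipe the combined stdout/stderr of zap-api-scan.py (or the zap.log from the image) into zap_triage; the hint line goes next to the Python traceback instead of forcing a reader to scroll back through the passive-scan noise.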

Issue Analytics

  • State: closed
  • Created a year ago
  • Comments: 12 (6 by maintainers)

Top GitHub Comments

2 reactions
mark-senne commented, Apr 21, 2022

For everybody who cannot run the ZAP image as user 'zap':

From the source code https://github.com/zaproxy/zaproxy/blob/152e60b5fe2711d6e589fe973c0bcadbbb74e93e/zap/src/main/java/org/parosproxy/paros/Constant.java#L412 ZAP uses the current directory as the fallback for a missing 'user.home' property.

A symlink to /home/zap/.ZAP_D was not enough, but an easy cp -R /home/zap/.ZAP_D . solved my problem.

Wish you a happy spider-attack!
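The workaround above, made repeatable as a pre-flight step for a CI job that runs the image under an arbitrary UID. This is an added example, not code from the commenter or the zaproxy project. It assumes the image ships its ZAP home at /home/zap/.ZAP_D, that scan policies are looked up as <ZAP home>/policies/<name>.policy, and that ZAP falls back to the working directory when user.home is unset (the Constant.java fallback cited in the comment). The function and variable names are the example's own.

```shell
#!/bin/sh
# Added example for this thread; not zaproxy project code.
# Pre-flight for running the ZAP docker image under a UID with no passwd entry
# (OpenShift-style): seed the ZAP home into the working directory and verify
# the scan policy exists before zap-api-scan.py asks for it.

# Return 0 if the given numeric UID has a passwd entry (so user.home resolves).
zap_uid_has_passwd_entry() {
    if command -v getent >/dev/null 2>&1; then
        getent passwd "$1" >/dev/null 2>&1
    else
        grep -q "^[^:]*:[^:]*:$1:" /etc/passwd 2>/dev/null
    fi
}

# Copy the image's ZAP home into the directory ZAP will run in, unless it is
# already there. A real copy is used rather than a symlink, since the comment
# reports the symlink was not enough.
zap_seed_home() {
    src="$1"   # e.g. /home/zap/.ZAP_D (assumed image location)
    dest="$2"  # the working directory ZAP falls back to
    if [ ! -d "$dest/.ZAP_D/policies" ]; then
        cp -R "$src" "$dest/.ZAP_D" || return 1
    fi
    return 0
}

# Return 0 if <home>/.ZAP_D/policies/<policy>.policy exists.
zap_policy_present() {
    [ -f "$1/.ZAP_D/policies/$2.policy" ]
}

# Full pre-flight: seed the home when the UID has no passwd entry, then check
# that the policy zap-api-scan.py will request is present. Reason goes to stderr.
zap_preflight() {
    uid="$1"; src="$2"; workdir="$3"; policy="$4"
    if ! zap_uid_has_passwd_entry "$uid"; then
        echo "uid $uid has no passwd entry; ZAP will use $workdir as its home" >&2
        zap_seed_home "$src" "$workdir" || { echo "could not seed ZAP home from $src" >&2; return 1; }
        home="$workdir"
    else
        home="${HOME:-$workdir}"
    fi
    if zap_policy_present "$home" "$policy"; then
        return 0
    fi
    echo "scan policy $policy.policy not found under $home/.ZAP_D/policies (ZAP would report does_not_exist)" >&2
    return 1
}

# Usage from a CI step (set ZAP_PREFLIGHT=1 to run it; ZAP_POLICY defaults to
# the API-Minimal policy that zap-api-scan.py uses by default):
if [ "${ZAP_PREFLIGHT:-0}" = 1 ]; then
    zap_preflight "$(id -u)" /home/zap/.ZAP_D "$PWD" "${ZAP_POLICY:-API-Minimal}" || exit 1
fi
```

Run it from the directory the scan is launched in; the policy check gives a direct message where ZAP itself only logs does_not_exist on /JSON/ascan/action/scan/.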

1 reaction
mark-senne commented, Apr 21, 2022

Oh, we got

15:24:22  + whoami
15:24:22  whoami: cannot find name for user ID 1002930000

I think this is not OK, is it? $USER is also empty.

The policies are here:

16:15:18  + ls -la /home/zap/.ZAP_D/policies/
16:15:18  total 56
16:15:18  drwxr-xr-x. 2 zap zap 4096 Apr 21 00:46 .
16:15:18  drwxr-xr-x. 4 zap zap   37 Apr 21 00:46 ..
16:15:18  -rw-r--r--. 1 zap zap 3790 Apr 21 00:23 API-Minimal.policy
16:15:18  -rw-r--r--. 1 zap zap  198 Apr 21 00:23 Default Policy.policy
16:15:18  -rw-r--r--. 1 zap zap  195 Apr 21 00:23 St-High-Th-High.policy
16:15:18  -rw-r--r--. 1 zap zap  193 Apr 21 00:23 St-High-Th-Low.policy
16:15:18  -rw-r--r--. 1 zap zap  196 Apr 21 00:23 St-High-Th-Med.policy
16:15:18  -rw-r--r--. 1 zap zap  196 Apr 21 00:23 St-Ins-Th-High.policy
16:15:18  -rw-r--r--. 1 zap zap  194 Apr 21 00:23 St-Ins-Th-Low.policy
16:15:18  -rw-r--r--. 1 zap zap  197 Apr 21 00:23 St-Ins-Th-Med.policy
16:15:18  -rw-r--r--. 1 zap zap  192 Apr 21 00:23 St-Low-Th-High.policy
16:15:18  -rw-r--r--. 1 zap zap  191 Apr 21 00:23 St-Low-Th-Low.policy
16:15:18  -rw-r--r--. 1 zap zap  194 Apr 21 00:23 St-Low-Th-Med.policy
16:15:18  -rw-r--r--. 1 zap zap  196 Apr 21 00:23 St-Med-Th-High.policy
16:15:18  -rw-r--r--. 1 zap zap  194 Apr 21 00:23 St-Med-Th-Low.policy

Turns out our company Jenkins slaves do not allow running as privileged users, and I do not run as zap.

I will try to solve the problem with symlinks. You can decide if you want to keep this issue to improve the logs.
