Github Actions OWASP ZAP full vs API scan - owasp

Is the API scan included in the full scan for the OWASP ZAP Action Full Scan for GitHub Actions? I need to know if I need to include a separate scan for APIs, or if it's already covered by the full scan.

The API scan allows you to import a specified API definition. The full scan does not have that option. If ZAP finds an API definition as part of the spidering then it will import it.
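As an added illustration (not part of the original answer), here is a workflow that runs both actions side by side so the difference is visible: the full scan is pointed at the site root and relies on spidering, while the API scan is pointed at the definition itself and told its format. The target URLs are constructed placeholders and the version tags are assumptions to check against each action's release page.

```yaml
name: zap-scans
on:
  workflow_dispatch:
  schedule:
    - cron: "0 3 * * 1"   # weekly, Monday 03:00 UTC

jobs:
  full-scan:
    runs-on: ubuntu-latest
    steps:
      # Full scan: spiders the site and active-scans whatever the spider reaches.
      # An API definition is only imported if the spider happens to find one.
      - name: ZAP full scan
        uses: zaproxy/action-full-scan@v0.12.0   # version tag is an assumption
        with:
          target: "https://staging.example.com"   # constructed placeholder: the site root
          allow_issue_writing: false              # keep findings in the report artifact only
          artifact_name: zap-full-scan-report

  api-scan:
    runs-on: ubuntu-latest
    steps:
      # API scan: imports the named definition up front and scans every
      # endpoint it declares, whether or not any page links to it.
      - name: ZAP API scan
        uses: zaproxy/action-api-scan@v0.7.0      # version tag is an assumption
        with:
          target: "https://staging.example.com/openapi.json"   # constructed placeholder: the definition, not the site root
          format: openapi                         # openapi, soap or graphql
          allow_issue_writing: false
          artifact_name: zap-api-scan-report
```

If the API definition is checked into the repository rather than served by the site, the `target` for the API scan can be a path inside the checkout instead of a URL; in that case add a checkout step before it.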

Related

OWASP ZAP: Active scanning manual explored Actions

I started with an automatic scan of my site under test.
Then I explored it manually to test actions not found by the automatic scan.
These actions are visible in the History tab.
I stored the session.
How can I re-run those manually added actions? I didn't find them executed when running an active scan again.
You can explore your app in a variety of ways using ZAP:
Manual exploring - very effective but no good for automation
Traditional Spider - fast but doesn't handle modern apps which use JS
Ajax Spider - slower but handles modern apps
Proxying unit tests - good if you have them
Importing definitions such as OpenAPI, SOAP, GraphQL
Proxying a program/script which makes those requests for you
For more details see the videos tagged 'explore' on https://www.zaproxy.org/videos-list/

Configuring OWASP Zap Spider to output the "chain of URLs" for each request

I am new to vulnerability testing at my new job at an EC site development company (we also get the sites up and continue to run them on AWS EC2).
I am wondering if there is a way to configure Spider so that I can get output of the "URL chain" to serve all the requests that are listed when I run php artisan route:list.
Currently, my colleague who joined the company a few months before me is manually inputting this info into a spreadsheet.
Ex. "Home->Register user info->Confirm registered user info->main shopping page->item category page->item description page->confirm adding product to cart page->etc."
I find this to be extremely tedious, he does as well, and because he only speaks Japanese, I don't think he is able to post questions here.
I have started looking through the Zap documentation but have not seen anything relevant yet. Any advice is appreciated.
You can Active Scan specific orders of operations by leveraging the Sequence addon: https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsSequenceSequence. You can get it via the ZAP Marketplace.
There's also the Call Graph addon which might be of benefit to you, though I don't know the export options it provides off the top of my head.
Another alternative that might work for you would be writing a Standalone script that goes through the Sites Tree or History table looking at URLs and Referer headers:
https://github.com/zaproxy/community-scripts/blob/master/standalone/Traverse%20sites%20tree.js
https://github.com/zaproxy/community-scripts/blob/master/standalone/Loop%20through%20history%20table.js

How to create index using S&P api

Is there any way to create an index through the API? I could not find any documentation about index creation using the S&P API.
I do not want to let S&P crawl my site to create the index; rather, I would prefer to use APIs to do it.
No, there is no API for S&P that can be leveraged for indexing purposes, because S&P is basically a crawling engine.
For the sake of simplicity, think of it as a private search engine crawler where you can configure several aspects of crawling like content type, frequency, paths etc. using an interface.
You can, however, use the scripted index features to allow incremental indexing of your site or provide finer control over crawling. This will not eliminate crawling, as S&P needs to crawl the site in order to extract and index the information. More details about this feature can be found here:
https://marketing.adobe.com/resources/help/en_US/snp/c_about_scripted_index.html
Please note that this is more of a configuration and set of commands rather than an API.

Scan Native query in JPA using SonarQube

I have native queries in Java files and I want to scan those queries using the SonarQube server.
Is there any way to do that?
There are a few rules implemented in SonarJava that check the proper use of SQL-related Java objects, specifically
S2695 - "PreparedStatement" and "ResultSet" methods should be called with valid indices
S2232 - "ResultSet.isLast()" should not be used
S2077 - SQL binding mechanisms should be used
But there are no rules that check the correctness of SQL statements themselves, and I'm not aware of any other plugins that offer such rules for Java.
If you really need this, then you'll have to go down the custom rule implementation route. There's a tutorial to get you started, and if you have specific development questions you can ask them in the SonarQube Google Group, or here, obviously.
Update
The Google Group has been replaced with https://community.sonarsource.com.

How to update result using REST API in HP ALM or QC?

I am trying to update the test results in QC using REST APIs. First of all, is this possible?
Now I do believe that this is possible and should be a fairly straight forward thing. But I am not able to find the right way to do this. Here is what I am doing:
Run tests through Jenkins using my own automation tool. This tool gives me the results which I need to populate back in QC/ALM.
Now after the entire run, I want to populate the pass/fail status in QC. Let's say I have just one test case for simplicity. How should I go about this?
It is indeed possible to use the REST API to manipulate HP ALM entities. For example, we're using it to automatically update the execution status of a test campaign run in SoapUI into ALM.
Did you have a look at official HP ALM REST API documentation? You should be able to access it from inside HP ALM GUI (Help menu/Documentation library/HP ALM REST API Reference). It describes the API in detail.
You can also have a look at the HP ALM forums where this issue has been asked several times already: