Merge pull request #7 from sshniro/exhancements

psiinon · web-flow · commit ef71c5b20d22 · 2020-04-09T12:21:57.000+01:00
Adding html report, support for cmd options
diff --git a/README.md b/README.md
@@ -32,13 +32,17 @@ the rules file inside the relevant repository. The following shows a sample rule
 10015	IGNORE	(Incomplete or No Cache-control and Pragma HTTP Header Set)
 ``` 
 
+### `cmd_options`
+
+**Optional** Additional command lines options for the baseline script
+
 ## Example usage
 
 ** Basic **
 ```
 steps:
   - name: ZAP Scan
-    uses: zaproxy/action-baseline
+    uses: zaproxy/action-baseline@v0.2.0
     with:
       token: ${{ secrets.GIT_TOKEN }}
       target: 'https://www.zaproxy.org/'
@@ -59,12 +63,13 @@ jobs:
         with:
           ref: master
       - name: ZAP Scan
-        uses: zaproxy/action-baseline
+        uses: zaproxy/action-baseline@v0.2.0
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           docker_name: 'owasp/zap2docker-stable'
           target: 'https://www.example.com'
           rules_file_name: '.zap/rules.tsv'
+          cmd_options: '-a'
 ```
 
 ## Additional Information
diff --git a/action-helper.js b/action-helper.js
@@ -52,14 +52,24 @@ let actionHelper = {
         const TAB = "\t";
         const BULLET = "-";
         let msg = '';
+        let instanceCount = 5;
 
         sites.forEach((site => {
-            msg = msg + `${BULLET} Site[${site["@name"]}] ${NXT_LINE}`;
+            msg = msg + `${BULLET} Site: [${site["@name"]}](${site["@name"]}) ${NXT_LINE}`;
             if (site.hasOwnProperty('alerts')) {
                 if (site.alerts.length !== 0) {
                     msg = `${msg} ${TAB} **New Alerts** ${NXT_LINE}`;
                     site.alerts.forEach((alert) => {
-                        msg = msg + TAB + `${BULLET} Alert[${alert.pluginid}] count(${alert.instances.length}): ${alert.name} ${NXT_LINE}`
+                        msg = msg + TAB + `${BULLET} **${alert.name}** [${alert.pluginid}] total: ${alert.instances.length}:  ${NXT_LINE}`
+
+                        for (let i = 0; i < alert['instances'].length; i++) {
+                            if (i >= instanceCount) {
+                                msg = msg + TAB + TAB + `${BULLET} .. ${NXT_LINE}`;
+                                break
+                            }
+                            let instance = alert['instances'][i];
+                            msg = msg + TAB + TAB + `${BULLET} [${instance.uri}](${instance.uri}) ${NXT_LINE}`;
+                        }
                     });
                     msg = msg + NXT_LINE
                 }
@@ -69,7 +79,7 @@ let actionHelper = {
                 if (site.removedAlerts.length !== 0) {
                     msg = `${msg} ${TAB} **Resolved Alerts** ${NXT_LINE}`;
                     site.removedAlerts.forEach((alert) => {
-                        msg = msg + TAB + `${BULLET} Alert[${alert.pluginid}] count(${alert.instances.length}): ${alert.name} ${NXT_LINE}`
+                        msg = msg + TAB + `${BULLET} **${alert.name}** [${alert.pluginid}] total: ${alert.instances.length}:  ${NXT_LINE}`
                     });
                     msg = msg + NXT_LINE
                 }
@@ -79,7 +89,7 @@ let actionHelper = {
                 if (site.ignoredAlerts.length !== 0) {
                     msg = `${msg} ${TAB} **Ignored Alerts** ${NXT_LINE}`;
                     site.ignoredAlerts.forEach((alert) => {
-                        msg = msg + TAB + `${BULLET} Alert[${alert.pluginid}] count(${alert.instances.length}): ${alert.name} ${NXT_LINE}`
+                        msg = msg + TAB + `${BULLET} **${alert.name}** [${alert.pluginid}] total: ${alert.instances.length}:  ${NXT_LINE}`
                     });
                     msg = msg + NXT_LINE
                 }
@@ -222,12 +232,13 @@ let actionHelper = {
         return previousReport;
     }),
 
-    uploadArtifacts: (async (rootDir, mdReport, jsonReport) => {
-        const artifactClient = artifact.create()
+    uploadArtifacts: (async (rootDir, mdReport, jsonReport, htmlReport) => {
+        const artifactClient = artifact.create();
         const artifactName = 'zap_scan';
         const files = [
             `${rootDir}/${mdReport}`,
             `${rootDir}/${jsonReport}`,
+            `${rootDir}/${htmlReport}`,
         ];
         const rootDirectory = rootDir;
         const options = {
diff --git a/action.yml b/action.yml
@@ -17,6 +17,9 @@ inputs:
     description: 'The Docker file to be executed'
     required: true
     default: 'owasp/zap2docker-stable'
+  cmd_options:
+    description: 'Additional command line options'
+    required: false
 runs:
   using: 'node12'
   main: 'dist/index.js'
diff --git a/dist/index.js b/dist/index.js
@@ -3744,6 +3744,7 @@ let repo;
 // Default file names
 let jsonReportName = 'report_json.json';
 let mdReportName = 'report_md.md';
+let htmlReportName = 'report_html.html';
 
 async function run() {
 
@@ -3755,6 +3756,7 @@ async function run() {
         let docker_name = core.getInput('docker_name');
         let target = core.getInput('target');
         let rulesFileLocation = core.getInput('rules_file_name');
+        let cmdOptions = core.getInput('cmd_options');
 
         console.log('starting the program');
         console.log('github run id :' + currentRunnerID);
@@ -3772,7 +3774,7 @@ async function run() {
         }
 
         let command = (`docker run --user root -v ${workspace}:/zap/wrk/:rw --network="host" ` +
-            `-t ${docker_name} zap-baseline.py -t ${target} -J ${jsonReportName} -w ${mdReportName}`);
+            `-t ${docker_name} zap-baseline.py -t ${target} -J ${jsonReportName} -w ${mdReportName}  -r ${htmlReportName} ${cmdOptions}`);
 
         if (plugins.length !== 0) {
             command = command + ` -c ${rulesFileLocation}`
@@ -3946,7 +3948,7 @@ async function processReport(token, workSpace, plugins, currentRunnerID) {
         }
     }
 
-    actionHelper.uploadArtifacts(workSpace, `${mdReportName}`, `${jsonReportName}`);
+    actionHelper.uploadArtifacts(workSpace, mdReportName, jsonReportName, htmlReportName);
 }
 
 
@@ -48985,14 +48987,24 @@ let actionHelper = {
         const TAB = "\t";
         const BULLET = "-";
         let msg = '';
+        let instanceCount = 5;
 
         sites.forEach((site => {
-            msg = msg + `${BULLET} Site[${site["@name"]}] ${NXT_LINE}`;
+            msg = msg + `${BULLET} Site: [${site["@name"]}](${site["@name"]}) ${NXT_LINE}`;
             if (site.hasOwnProperty('alerts')) {
                 if (site.alerts.length !== 0) {
                     msg = `${msg} ${TAB} **New Alerts** ${NXT_LINE}`;
                     site.alerts.forEach((alert) => {
-                        msg = msg + TAB + `${BULLET} Alert[${alert.pluginid}] count(${alert.instances.length}): ${alert.name} ${NXT_LINE}`
+                        msg = msg + TAB + `${BULLET} **${alert.name}** [${alert.pluginid}] total: ${alert.instances.length}:  ${NXT_LINE}`
+
+                        for (let i = 0; i < alert['instances'].length; i++) {
+                            if (i >= instanceCount) {
+                                msg = msg + TAB + TAB + `${BULLET} .. ${NXT_LINE}`;
+                                break
+                            }
+                            let instance = alert['instances'][i];
+                            msg = msg + TAB + TAB + `${BULLET} [${instance.uri}](${instance.uri}) ${NXT_LINE}`;
+                        }
                     });
                     msg = msg + NXT_LINE
                 }
@@ -49002,7 +49014,7 @@ let actionHelper = {
                 if (site.removedAlerts.length !== 0) {
                     msg = `${msg} ${TAB} **Resolved Alerts** ${NXT_LINE}`;
                     site.removedAlerts.forEach((alert) => {
-                        msg = msg + TAB + `${BULLET} Alert[${alert.pluginid}] count(${alert.instances.length}): ${alert.name} ${NXT_LINE}`
+                        msg = msg + TAB + `${BULLET} **${alert.name}** [${alert.pluginid}] total: ${alert.instances.length}:  ${NXT_LINE}`
                     });
                     msg = msg + NXT_LINE
                 }
@@ -49012,7 +49024,7 @@ let actionHelper = {
                 if (site.ignoredAlerts.length !== 0) {
                     msg = `${msg} ${TAB} **Ignored Alerts** ${NXT_LINE}`;
                     site.ignoredAlerts.forEach((alert) => {
-                        msg = msg + TAB + `${BULLET} Alert[${alert.pluginid}] count(${alert.instances.length}): ${alert.name} ${NXT_LINE}`
+                        msg = msg + TAB + `${BULLET} **${alert.name}** [${alert.pluginid}] total: ${alert.instances.length}:  ${NXT_LINE}`
                     });
                     msg = msg + NXT_LINE
                 }
@@ -49155,12 +49167,13 @@ let actionHelper = {
         return previousReport;
     }),
 
-    uploadArtifacts: (async (rootDir, mdReport, jsonReport) => {
-        const artifactClient = artifact.create()
+    uploadArtifacts: (async (rootDir, mdReport, jsonReport, htmlReport) => {
+        const artifactClient = artifact.create();
         const artifactName = 'zap_scan';
         const files = [
             `${rootDir}/${mdReport}`,
             `${rootDir}/${jsonReport}`,
+            `${rootDir}/${htmlReport}`,
         ];
         const rootDirectory = rootDir;
         const options = {
diff --git a/index.js b/index.js
@@ -15,6 +15,7 @@ let repo;
 // Default file names
 let jsonReportName = 'report_json.json';
 let mdReportName = 'report_md.md';
+let htmlReportName = 'report_html.html';
 
 async function run() {
 
@@ -26,6 +27,7 @@ async function run() {
         let docker_name = core.getInput('docker_name');
         let target = core.getInput('target');
         let rulesFileLocation = core.getInput('rules_file_name');
+        let cmdOptions = core.getInput('cmd_options');
 
         console.log('starting the program');
         console.log('github run id :' + currentRunnerID);
@@ -43,7 +45,7 @@ async function run() {
         }
 
         let command = (`docker run --user root -v ${workspace}:/zap/wrk/:rw --network="host" ` +
-            `-t ${docker_name} zap-baseline.py -t ${target} -J ${jsonReportName} -w ${mdReportName}`);
+            `-t ${docker_name} zap-baseline.py -t ${target} -J ${jsonReportName} -w ${mdReportName}  -r ${htmlReportName} ${cmdOptions}`);
 
         if (plugins.length !== 0) {
             command = command + ` -c ${rulesFileLocation}`
@@ -217,5 +219,5 @@ async function processReport(token, workSpace, plugins, currentRunnerID) {
         }
     }
 
-    actionHelper.uploadArtifacts(workSpace, `${mdReportName}`, `${jsonReportName}`);
+    actionHelper.uploadArtifacts(workSpace, mdReportName, jsonReportName, htmlReportName);
 }

Original file line number	Diff line number	Diff line change
`@@ -15,6 +15,7 @@ let repo;`
`15`	`15`	`// Default file names`
`16`	`16`	`let jsonReportName = 'report_json.json';`
`17`	`17`	`let mdReportName = 'report_md.md';`
	`18`	`+let htmlReportName = 'report_html.html';`
`18`	`19`
`19`	`20`	`async function run() {`
`20`	`21`
`@@ -26,6 +27,7 @@ async function run() {`
`26`	`27`	`let docker_name = core.getInput('docker_name');`
`27`	`28`	`let target = core.getInput('target');`
`28`	`29`	`let rulesFileLocation = core.getInput('rules_file_name');`
	`30`	`+ let cmdOptions = core.getInput('cmd_options');`
`29`	`31`
`30`	`32`	`console.log('starting the program');`
`31`	`33`	`console.log('github run id :' + currentRunnerID);`
`@@ -43,7 +45,7 @@ async function run() {`
`43`	`45`	`}`
`44`	`46`
`45`	`47`	let command = (`docker run --user root -v ${workspace}:/zap/wrk/:rw --network="host" ` +
`46`		- `-t ${docker_name} zap-baseline.py -t ${target} -J ${jsonReportName} -w ${mdReportName}`);
	`48`	+ `-t ${docker_name} zap-baseline.py -t ${target} -J ${jsonReportName} -w ${mdReportName} -r ${htmlReportName} ${cmdOptions}`);
`47`	`49`
`48`	`50`	`if (plugins.length !== 0) {`
`49`	`51`	command = command + ` -c ${rulesFileLocation}`
`@@ -217,5 +219,5 @@ async function processReport(token, workSpace, plugins, currentRunnerID) {`
`217`	`219`	`}`
`218`	`220`	`}`
`219`	`221`
`220`		- actionHelper.uploadArtifacts(workSpace, `${mdReportName}`, `${jsonReportName}`);
	`222`	`+ actionHelper.uploadArtifacts(workSpace, mdReportName, jsonReportName, htmlReportName);`
`221`	`223`	`}`