Ahmed Hassan

Reputation: 23

ZAP config file issue: '3rd token is missing' error in zap-baseline.py

I am running ZAP using the zap-baseline.py script in a Docker container to scan my application. I am using a configuration file (zap-config.txt) to override some rules, but I keep encountering the following error:

    Traceback (most recent call last):
      File "/zap/zap-baseline.py", line 662, in <module>
        main(sys.argv[1:])
      File "/zap/zap-baseline.py", line 384, in main
        jobs.append(get_af_output_summary(('Short', 'Long')[detailed_output], summary_file, config_dict, config_msg))
      File "/zap/zap_common.py", line 673, in get_af_output_summar
        rules.append({'id': int(id), 'action': action, 'customMessage': config_msg[id]}
    ValueError: invalid literal for int() with base 10: 'WARN-NEW'

After some research, I suspect the issue lies in the format of my configuration file. Here is an example of the file I am using:

    10015=IGNORE=False
    10027=IGNORE=False
    10031=IGNORE=False
    10036=IGNORE=False
    10054=IGNORE=False
    WARN-NEW=INFO=False
    WARN-INPROG=INFO=False

From what I understand, each line should follow one of these formats:

   <Rule ID>=<Action>, <Rule ID>=<Action>=<Custom Message>

However, I have tested multiple formats, including adding a custom message as a third token for each rule, but I still encounter errors like "3rd token is missing."

Here are some formats I've tried:

    10015=IGNORE
    10015   IGNORE
    10015=IGNORE=False
    10015=IGNORE=Custom message

Despite these attempts, the issue persists, especially for rules like WARN-NEW and WARN-INPROG.

My Questions:

1. What is the correct format for the ZAP configuration file used with zap-baseline.py?
2. How can I properly configure rules like WARN-NEW and WARN-INPROG to suppress or change their behavior?
3. Is there a way to debug or validate the configuration file before running the scan?

Additional Information. Command I run:

    docker run --add-host=host.docker.internal:host-gateway -u 0 -v $(pwd)/zapreports:/zap/wrk/:rw ghcr.io/zaproxy/zaproxy:stable zap-baseline.py -t https://my-app.local -c zap-config.txt -r report.html

Environment:

    ZAP version: stable
    Running in Docker: Yes
    OS: Ubuntu 20.04

I have verified that the file is being read by the script, but I am unsure of the specific format required to avoid these errors.

Any help or insights would be greatly appreciated!

Upvotes: 0

Views: 34

Answers (1)

Simon Bennetts

Reputation: 6216

The configuration file is tab separated, see https://www.zaproxy.org/docs/docker/baseline-scan/#configuration-file. Oh, and ZAP has not been an OWASP project for over a year now :P

Upvotes: 0
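A small pre-flight validator, added here as an illustration and not part of the question, the answer or the ZAP project, that checks a rule file for the tab-separated layout the answer refers to before the scan is launched. It assumes each non-comment line is `<numeric rule id> TAB <action> [TAB <custom message>]` with the action being one of IGNORE, WARN or FAIL; the numeric check mirrors the `int(id)` call visible in the traceback above, and the sample inputs are constructed.

```python
"""Validate a zap-baseline.py rule-configuration file before running the scan."""
from typing import List

# Actions the baseline scan accepts for a rule (IGNORE / WARN / FAIL) - assumed.
VALID_ACTIONS = {"IGNORE", "WARN", "FAIL"}


def validate_zap_config(text: str) -> List[str]:
    """Return human-readable problems; an empty list means every line parsed.

    Assumed line format (tab-separated, as the answer states):
        <numeric rule id> TAB <action> [TAB <custom message>]
    Blank lines and lines starting with '#' are skipped.
    """
    problems: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.rstrip("\r")
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) < 2:
            hint = " (looks '='-separated; the separator must be a TAB)" if "=" in line else ""
            problems.append(f"line {lineno}: need at least 2 TAB-separated fields{hint}: {line!r}")
            continue
        rule_id, action = fields[0].strip(), fields[1].strip()
        if not rule_id.isdigit():
            # The traceback shows the script calling int() on this field, so a
            # label such as WARN-NEW in the first column raises ValueError there.
            problems.append(f"line {lineno}: rule id must be an integer, got {rule_id!r}")
        if action not in VALID_ACTIONS:
            problems.append(f"line {lineno}: action must be one of {sorted(VALID_ACTIONS)}, got {action!r}")
    return problems


# Constructed sample mirroring the '='-separated file from the question.
BROKEN_CONFIG = "10015=IGNORE=False\nWARN-NEW=INFO=False\n"

# Constructed sample using TABs; the optional third field is a custom message.
FIXED_CONFIG = (
    "# rule id <TAB> action <TAB> optional message\n"
    "10015\tIGNORE\t(custom message for rule 10015)\n"
    "10027\tWARN\n"
)

# Constructed sample with the right separator but a report label used as a rule id.
MIXED_CONFIG = "WARN-NEW\tINFO\n"

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG), ("mixed", MIXED_CONFIG)):
        print(name, validate_zap_config(cfg) or "OK")
```

Run it against zap-config.txt (`validate_zap_config(open("zap-config.txt").read())`) before the `docker run` step; an empty result means the file at least has the shape the script expects.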
