Merge pull request #242 from DFE-Digital/add-owasp-scanning

Adds OWASP ZAP scanning functionality

.gitignore

@@ -391,7 +391,9 @@ backend.vars
 # Stackify
 Stackify.json
 
-# Cypress
+# OWASP ZAP
+ZAP-Report.html
 
+# Cypress
 */cypress/screenshots
-*/cypress/videos
+*/cypress/videos

CypressTests/Dockerfile

@@ -0,0 +1,9 @@
+FROM cypress/base:16.17.0
+
+COPY ./cypress ./cypress
+COPY cypress.config.js .
+COPY package-lock.json package-lock.json
+COPY package.json package.json
+
+RUN npm install
+ENTRYPOINT ["npm", "run", "cy:run"]

CypressTests/cypress.config.js

@@ -1,9 +1,21 @@
-const { defineConfig } = require("cypress");
+const { defineConfig } = require('cypress')
+const { generateZapReport } = require('./cypress/plugins/generateZapReport')
 
 module.exports = defineConfig({
+  video: false,
   e2e: {
     setupNodeEvents(on, config) {
-      // implement node event listeners here
+
+      on('before:run', () => {
+        // Map cypress env vars to process env vars for usage outside of Cypress run
+        process.env = config.env
+      })
+
+      on('after:run', async () => {
+        if(process.env.zapReport) {
+          await generateZapReport()
+        }
+      })
     },
   },
 });

CypressTests/cypress/plugins/generateZapReport.js

@@ -0,0 +1,28 @@
+const ZapClient = require('zaproxy')
+const fs = require('fs')
+
+module.exports = {
+    generateZapReport: async () => {
+      const zapOptions = {
+        apiKey: process.env.zapApiKey || '',
+        proxy: process.env.zapUrl || 'http://localhost:8080'
+      }
+      const zaproxy = new ZapClient(zapOptions)
+      try {
+        await zaproxy.core.htmlreport()
+        .then(
+          resp => {
+            if(!fs.existsSync('./reports')) {
+              fs.mkdirSync('./reports')
+            }
+            fs.writeFileSync('./reports/ZAP-Report.html', resp)
+          },
+          err => {
+            console.log(`Error during report generation: ${err}`)
+          }
+        )
+      } catch (err) {
+        console.log(`Error contacting the ZAP API: ${err}`)
+      }
+    }
+  }

CypressTests/cypress/plugins/index.js

@@ -0,0 +1,22 @@
+/// <reference types="cypress" />
+// ***********************************************************
+// This example plugins/index.js can be used to load plugins
+//
+// You can change the location of this file or turn off loading
+// the plugins file with the 'pluginsFile' configuration option.
+//
+// You can read more here:
+// https://on.cypress.io/plugins-guide
+// ***********************************************************
+
+// This function is called when a project is opened or re-opened (e.g. due to
+// the project's config changing)
+
+/**
+ * @type {Cypress.PluginConfig}
+ */
+// eslint-disable-next-line no-unused-vars
+module.exports = (on, config) => {
+    // `on` is used to hook into various events Cypress emits
+    // `config` is the resolved Cypress config
+}

CypressTests/docker-compose.yml

@@ -0,0 +1,20 @@
+version: "3.8"
+services:
+  zap:
+    container_name: zap
+    image: owasp/zap2docker-stable
+    command: "zap.sh -daemon -port 8080 -host 0.0.0.0 -config api.key=${ZAP_API_KEY} -config api.addrs.addr.name=.* -config api.addrs.addr.regex=true -config network.localServers.mainProxy.alpn.enabled=false -config network.localServers.mainProxy.address=0.0.0.0"
+    user: zap
+  cypress:
+    build:
+      context: ./
+      dockerfile: Dockerfile
+    command: -- --env url="${url}",apiKey=${API_KEY},zapReport=true,zapApiKey=${ZAP_API_KEY},zapUrl="${HTTP_PROXY}"
+    depends_on:
+      zap:
+        condition: service_healthy
+    environment:
+      - HTTP_PROXY=${HTTP_PROXY}
+      - NO_PROXY=${NO_PROXY}
+    volumes:
+      - ./:/reports:rw