Zed Attack Proxy scan via a Python script on Windows with Podman that outputs a JSON file leads to a J

Python programs
Anonymous

Post by Anonymous »

I'm writing a Python script that is supposed to run a Zed Attack Proxy baseline scan.
My setup is:
  • Windows 11
  • Podman CLI
My script runs fine, but it does not create a JSON report:

Job report failed to generate report: NoSuchFileException
/zap/wrk/zap/wrk/zap_report.json

cmd_baseline.py

import logging
import subprocess
from pathlib import Path

def cmd_baseline(target_url: str, json_file_name: str, work_dir: Path) -> None:
    """
    Run a ZAP baseline scan against the target URL.

    Args:
        target_url: The URL to scan.
        json_file_name: The filename of the JSON report to generate.
        work_dir: The host directory to mount into the container (report will be written here).
    """
    log_prefix = "cmd_baseline()"
    logging.info(f"{log_prefix} Init")

    # Ensure host folder exists
    work_dir.mkdir(parents=True, exist_ok=True)

    try:
        # Host path to match ZAP's internal expectation
        nested_work_dir = work_dir / "zap" / "wrk"
        nested_work_dir.mkdir(parents=True, exist_ok=True)

        cmd = [
            "podman", "run", "--rm",
            "--network=host",
            "-v", f"{nested_work_dir}:/zap/wrk:Z",  # map nested folder
            "ghcr.io/zaproxy/zaproxy:stable",
            "zap-baseline.py",
            "-I",
            "-t", target_url,
            "-J", "/zap/wrk/zap_report.json",  # write report inside container
        ]

        logging.info(f"{log_prefix} Running command: {' '.join(cmd)}")
        result = subprocess.run(cmd, capture_output=True, text=True, check=False)  # nosec B603

        logging.info(f"{log_prefix} Scan completed. Output:\n{result.stdout}")

        # Optional: print stderr if any
        if result.stderr:
            logging.warning(f"{log_prefix} STDERR:\n{result.stderr}")

        # Verify report exists
        report_path = work_dir / json_file_name
        if report_path.exists():
            logging.info(f"{log_prefix} Report successfully written to: {report_path}")
        else:
            logging.error(f"{log_prefix} Report not found: {report_path}")

    except Exception as e:
        logging.error(f"{log_prefix} Exception occurred: {e}")

# ------------------ Main entry point ------------------
if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)

    # Host folder to store the report
    work_dir = Path.cwd() / "zap_output"
    json_file_name = "zap_report.json"

    cmd_baseline(
        target_url="https://juice-shop.herokuapp.com",
        json_file_name=json_file_name,
        work_dir=work_dir,
    )
It runs fine, but I cannot get the report generated:

INFO:root:cmd_baseline() Init
INFO:root:cmd_baseline() Running command: podman run --rm --network=host -v C:\Users\admin\python\baseline_scan\zap_output\zap\wrk:/zap/wrk:Z ghcr.io/zaproxy/zaproxy:stable zap-baseline.py -I -t https://juice-shop.herokuapp.com -J /zap/wrk/zap_report.json
INFO:root:cmd_baseline() Scan completed. Output:
Using the Automation Framework
Total of 96 URLs
PASS: Vulnerable JS Library (Powered by Retire.js) [10003]
PASS: In Page Banner Information Leak [10009]
...
https://juice-shop.herokuapp.com/ftp (200 OK)
https://juice-shop.herokuapp.com/sitemap.xml (200 OK)
FAIL-NEW: 0 FAIL-INPROG: 0  WARN-NEW: 12    WARN-INPROG: 0  INFO: 0 IGNORE: 0   PASS: 55
Automation plan failures:
Job report failed to generate report: NoSuchFileException /zap/wrk/zap/wrk/zap_report.json

ERROR:root:cmd_baseline() Report not found: C:\Users\admin\python\baseline_scan\zap_output\zap_report.json
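An added example (my own code, not the poster's) built around what the error path in the log shows: ZAP reports /zap/wrk/zap/wrk/zap_report.json, i.e. zap-baseline.py prefixes the -J value with /zap/wrk itself, so the report name has to be a bare file name and the host folder should be mounted directly on /zap/wrk rather than on a nested zap/wrk subfolder. The image name and the sample scan output are taken from the post; the sample output is constructed (abridged), and whether the host mount works on a given Podman-on-Windows setup is assumed, not verified here.

```python
import logging
import re
import subprocess
from pathlib import Path

ZAP_IMAGE = "ghcr.io/zaproxy/zaproxy:stable"
SUMMARY_RE = re.compile(r"(FAIL-NEW|FAIL-INPROG|WARN-NEW|WARN-INPROG|INFO|IGNORE|PASS):\s*(\d+)")
# Constructed sample, abridged from the scan output in the post above.
SAMPLE_OUTPUT = """Using the Automation Framework
PASS: Vulnerable JS Library (Powered by Retire.js) [10003]
FAIL-NEW: 0 FAIL-INPROG: 0  WARN-NEW: 12    WARN-INPROG: 0  INFO: 0 IGNORE: 0   PASS: 55
Automation plan failures:
Job report failed to generate report: NoSuchFileException /zap/wrk/zap/wrk/zap_report.json
"""

def is_bare_file_name(name: str) -> bool:
    """True if name has no directory part; zap-baseline.py resolves -J relative to /zap/wrk."""
    return bool(name) and name not in (".", "..") and Path(name).name == name

def build_baseline_cmd(target_url: str, report_name: str, work_dir: Path) -> list:
    """Mount work_dir directly on /zap/wrk and pass -J a bare file name, so the report
    lands at work_dir/report_name rather than under /zap/wrk/zap/wrk/."""
    if not is_bare_file_name(report_name):
        raise ValueError(f"-J takes a file name relative to /zap/wrk, got {report_name!r}")
    return [
        "podman", "run", "--rm", "--network=host",
        "-v", f"{work_dir}:/zap/wrk:Z",
        ZAP_IMAGE, "zap-baseline.py",
        "-I", "-t", target_url, "-J", report_name,
    ]

def parse_scan_output(stdout: str) -> dict:
    """Pull the end-of-scan counters and any Automation Framework job failures out of stdout."""
    counts = {key: int(val) for key, val in SUMMARY_RE.findall(stdout)}
    failures = [ln.strip() for ln in stdout.splitlines() if ln.startswith("Job ") and " failed " in ln]
    return {"counts": counts, "job_failures": failures}

def run_baseline(target_url: str, report_name: str, work_dir: Path):
    """Run the scan; return the host path of the report, or None if ZAP did not write it."""
    work_dir.mkdir(parents=True, exist_ok=True)
    cmd = build_baseline_cmd(target_url, report_name, work_dir)
    result = subprocess.run(cmd, capture_output=True, text=True, check=False)  # nosec B603
    summary = parse_scan_output(result.stdout)
    for failure in summary["job_failures"]:
        logging.error("ZAP job failure: %s", failure)  # e.g. the NoSuchFileException above
    report = work_dir / report_name
    if not report.exists():
        logging.error("Report missing at %s; counters: %s", report, summary["counts"])
        return None
    return report
```

run_baseline() needs Podman and the ZAP image; build_baseline_cmd() and parse_scan_output() run offline, and parse_scan_output(SAMPLE_OUTPUT) surfaces the job failure from the post instead of letting the scan look successful.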
