DAST report fails with JSON schemas

errors in the JSON report

Describe your question in as much detail as possible:

  • What are you seeing, and how does that differ from what you expect to see?

There’s no analysis import of the JSON reports, because there are errors in the JSON file.
With SAST, code quality, and the other tests there are no problems; DAST fails… 0 vulnerabilities or JSON schema errors, but in the JSON file there are some warnings…

  • Consider including screenshots, error messages, and/or other helpful visuals

Error parsing security reports
The following security reports contain one or more vulnerability findings that could not be parsed and were not recorded. To investigate a report, download the artifacts in the job output. Ensure the security report conforms to the relevant JSON schema.
dast
[Schema] Report version not provided, dast report type supports versions: 15.0.0, 15.0.1, 15.0.2, 15.0.4, 15.0.6. GitLab will attempt to validate this report against the earliest supported versions of this report type, to show all the errors but will not ingest the report
[Schema] root is missing required keys: scan, version, vulnerabilities

  • What version are you on? Are you using self-managed or GitLab.com?

    • GitLab (Hint: /help): self-managed Ultimate 16.0.1
    • Runner (Hint: /admin/runners): Docker or shell runners
  • Add the CI configuration from .gitlab-ci.yml and other configuration if relevant (e.g. docker-compose.yml)

V3:

```yaml
stages:
  - roast

dast:
  stage: roast
  tags: [shell_code_do]
  variables:
    DAST_AUTH_COOKIES: "sessionID,refreshToken"
    DAST_AUTH_REPORT: "true"
    DAST_AUTH_URL: "$DAST_WEBSITE/login"
    DAST_AUTH_VERIFICATION_URL: "$DAST_WEBSITE/login"
    DAST_BAS_DISABLED: "false"
    DAST_BROWSER_CRAWL_GRAPH: "true"
    DAST_BROWSER_FILE_LOG: "loglevel:debug,cache:warn"
    DAST_BROWSER_FILE_LOG_PATH: "$CI_PROJECT_DIR/dast-scan.log"
    DAST_BROWSER_LOG: "auth:debug"
    DAST_BROWSER_MAX_DEPTH: "4"
    DAST_BROWSER_SCAN: "false"
    DAST_EXCLUDE_URLS: "$DAST_WEBSITE/logout"
    DAST_FULL_SCAN_ENABLED: "true"
    DAST_PASSWORD: "jkhgkjhgkjhgjkhgjkhgkjgkjh"
    DAST_PASSWORD_FIELD: "css:[name=password]"
    DAST_SKIP_TARGET_CHECK: "true"
    DAST_SUBMIT_FIELD: "css:button[type=submit]"
    DAST_USERNAME_FIELD: "css:[name=username]"
    DAST_USERNAME: "testestestest"
    DAST_WEBSITE: "https://domain.tld"
    #DAST_VERSION: "3.0.46"
    REPORT_FORMAT: "html"
  before_script:
    - docker run -v $(pwd):/zap/wrk/:rw -t owasp/zap2docker-stable bash -c "/zap/zap.sh -cmd -autorun wrk/contextJSON.yaml -quickout wrk/gl-dast-report.json"
  script:
    - gitlab-runner artifacts-uploader --url $CI_SERVER_URL --token $CI_JOB_TOKEN --id $CI_JOB_ID --path '$CI_PROJECT_DIR/' --exclude .git --exclude '.git/**/' --name '$CI_JOB_ID' --expire-in '1 week' --artifact-format zip --artifact-type archive
  artifacts:
    expire_in: 1 week
    when: always
```

V2:

```yaml
stages:
  - dast

include:
  - template: Security/DAST.gitlab-ci.yml

dast:
  image: owasp/zap2docker-stable
  stage: dast
  tags: [proj_sast_do]
  #extends: .dast_with_bas
  variables:
    REPORT_FORMAT: html
    CI_DEBUG_TRACE: "false"
    DAST_AUTH_REPORT: "true"
    DAST_AUTH_COOKIES: "sessionID,refreshToken"
    DAST_BAS_DISABLED: "true"
    DAST_BROWSER_SCAN: "true"
    DAST_BROWSER_LOG: "auth:debug" # console log defaults to INFO level, logs AUTH module at DEBUG
    DAST_BROWSER_FILE_LOG: "loglevel:debug,cache:warn" # file log defaults to DEBUG level, logs CACHE module at WARN
    DAST_BROWSER_FILE_LOG_PATH: "$CI_PROJECT_DIR/dast-scan.log" # Save the file log in the project directory so it can be recognized as an artifact
    DAST_BROWSER_CRAWL_GRAPH: "true"
    DAST_BROWSER_MAX_DEPTH: 4
    DAST_FULL_SCAN_ENABLED: "true"
    DAST_USERNAME: $TESTDASTUSER
    DAST_USERNAME_FIELD: "css:[name=username]"
    DAST_PASSWORD: $TESTDASTPASSWD
    DAST_PASSWORD_FIELD: "css:[name=password]"
    DAST_SUBMIT_FIELD: "css:button[type=submit]"
    DAST_SKIP_TARGET_CHECK: "true"
    #DAST_AUTH_VERIFICATION_LOGIN_FORM: "true"
    #DAST_BROWSER_SCAN: "true"
  script:
    - zap-baseline.py -t $DAST_AUTH_URL -J gl-dast-report.json -r report.html -a -j -l PASS -U $DAST_USERNAME -n /zap/wrk/context.xml
  rules:
    - if: $CI_COMMIT_BRANCH == "infra-test" && $CI_PIPELINE_SOURCE != "schedule"
      variables:
        DAST_WEBSITE: "https://domain.tld"
        DAST_AUTH_URL: "$DAST_WEBSITE/login"
        #DAST_EXCLUDE_URLS: "$DAST_WEBSITE/logout"
        DAST_AUTH_VERIFICATION_URL: "$DAST_WEBSITE"
    - if: $CI_COMMIT_BRANCH == "prod" && $CI_PIPELINE_SOURCE != "schedule"
      when: never
  artifacts:
    expire_in: 1 week
    when: always
```

V1:

```yaml
stages:
  - dast

include:
  - template: Security/DAST.gitlab-ci.yml

dast:
  #image: registry.gitlab.com/gitlab-org/security-products/zaproxy
  image: registry.gitlab.com/security-products/dast:4
  stage: dast
  tags: [proj_sast_do]
  extends: .dast_with_bas
  variables:
    REPORT_FORMAT: html
    CI_DEBUG_TRACE: "false"
    DAST_AUTH_REPORT: "true"
    DAST_AUTH_COOKIES: "sessionID,refreshToken"
    DAST_BAS_DISABLED: "true"
    DAST_BROWSER_SCAN: "true"
    DAST_BROWSER_LOG: "auth:debug" # console log defaults to INFO level, logs AUTH module at DEBUG
    DAST_BROWSER_FILE_LOG: "loglevel:debug,cache:warn" # file log defaults to DEBUG level, logs CACHE module at WARN
    DAST_BROWSER_FILE_LOG_PATH: "$CI_PROJECT_DIR/dast-scan.log" # Save the file log in the project directory so it can be recognized as an artifact
    DAST_BROWSER_CRAWL_GRAPH: "true"
    DAST_BROWSER_MAX_DEPTH: 6
    DAST_FULL_SCAN_ENABLED: "true"
    DAST_USERNAME: $TESTDASTUSER
    DAST_USERNAME_FIELD: "css:[id=username]"
    DAST_PASSWORD: $TESTDASTPASSWD
    DAST_PASSWORD_FIELD: "css:[id=password]"
    DAST_SUBMIT_FIELD: "css:button[id=loginbtn]"
    DAST_SKIP_TARGET_CHECK: "true"
    #DAST_AUTH_VERIFICATION_LOGIN_FORM: "true"
    #DAST_BROWSER_SCAN: "true"
  rules:
    - if: $CI_COMMIT_BRANCH == "infra-test" && $CI_PIPELINE_SOURCE != "schedule"
      variables:
        DAST_WEBSITE: "https://domain.tld"
        DAST_AUTH_URL: "$DAST_WEBSITE/login"
        #DAST_EXCLUDE_URLS: "$DAST_WEBSITE/logout"
        DAST_AUTH_VERIFICATION_URL: "$DAST_WEBSITE"
    - if: $CI_COMMIT_BRANCH == "prod" && $CI_PIPELINE_SOURCE != "schedule"
      when: never
  artifacts:
    expire_in: 1 week
    when: always
```

  • What troubleshooting steps have you already taken? Can you link to any docs or other resources so we know where you have been?

I tested different methods (V1, V2, V3, etc.) for the DAST part, and it always fails:

  • the DAST configuration using the GitLab method fails: there are JSON errors or 0 vulnerabilities (but there are some in the JSON file).
  • the DAST configuration using the Docker method fails: there are JSON errors or 0 vulnerabilities (but there are some in the JSON file).
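As an added example (not part of the original post, and not GitLab's or ZAP's own code), a pre-flight check a job could run on gl-dast-report.json before uploading it, reproducing the two root-level complaints quoted in the error message above so a raw ZAP report is caught in the job log instead of being silently dropped. It checks only the root keys and the version string, not the full schema; the two sample documents are constructed.

```python
"""Pre-flight check for a gl-dast-report.json root before upload (added example)."""
import json

# Versions quoted in the GitLab 16.0.1 error message in the original post.
SUPPORTED_DAST_VERSIONS = {"15.0.0", "15.0.1", "15.0.2", "15.0.4", "15.0.6"}
REQUIRED_ROOT_KEYS = ("scan", "version", "vulnerabilities")


def check_dast_report(raw: str) -> list:
    """Return human-readable problems with the report root; [] means it looks right."""
    problems = []
    try:
        report = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    if not isinstance(report, dict):
        return ["root is not a JSON object"]
    # ZAP's traditional JSON report (-J / -quickout) has a top-level 'site' array;
    # GitLab expects its security-report format, so name the mismatch explicitly.
    if "site" in report and "vulnerabilities" not in report:
        problems.append("looks like a raw ZAP report (top-level 'site'), not a GitLab security report")
    missing = [k for k in REQUIRED_ROOT_KEYS if k not in report]
    if missing:
        problems.append("root is missing required keys: " + ", ".join(missing))
    version = report.get("version")
    if version is not None and str(version) not in SUPPORTED_DAST_VERSIONS:
        problems.append(f"version {version!r} not in supported set {sorted(SUPPORTED_DAST_VERSIONS)}")
    if not isinstance(report.get("vulnerabilities", []), list):
        problems.append("'vulnerabilities' must be an array")
    return problems


# Constructed sample: the root shape ZAP's -J / -quickout output has.
ZAP_STYLE = json.dumps({"@version": "2.12.0", "site": [{"@name": "https://domain.tld", "alerts": []}]})
# Constructed sample: the minimum root a GitLab DAST report needs (scan body left empty here).
GITLAB_STYLE = json.dumps({"version": "15.0.6", "scan": {}, "vulnerabilities": []})

if __name__ == "__main__":
    for label, doc in (("zap", ZAP_STYLE), ("gitlab", GITLAB_STYLE)):
        print(label, check_dast_report(doc) or ["ok"])
```

Run it as a `script:` step after the scan and fail the job on a non-empty result, so the report problem surfaces in the job log rather than only on the pipeline security tab.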