[5946] add job in circleci, quick scan script fix

freedomofpress · Oct 19, 2022 · cf67970 · cf67970
1 parent 6bf8bad
commit cf67970
Show file tree

Hide file tree

Showing 3 changed files with 104 additions and 22 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -261,6 +261,66 @@ jobs:
             fromtag=$(docker images |grep securedrop-test-focal-py3 |head -n1 |awk '{print $2}')
             DOCKER_BUILD_ARGUMENTS="--cache-from securedrop-test-focal-py3:${fromtag:-latest}" securedrop/bin/dev-shell bash -c "pip3 install -U -q --upgrade pip && pip3 install -U -q --upgrade semgrep && make -C .. semgrep"
 
+  zap-vulnerability-scan:
+    machine:
+      image: ubuntu-2004:202010-01
+      enabled: true
+    environment:
+      DOCKER_API_VERSION: 1.23
+      BASE_OS: focal
+    parallelism: 3
+    steps:
+      - checkout
+      - *rebaseontarget
+      - *createcachedir
+      - *restorecache
+      - *loadimagelayers
+      - *dockerimagebuild
+      - *saveimagelayers
+      - *savecache
+
+      - run:
+          name: Install dependencies
+          command: |
+            sudo systemctl stop apt-daily.service
+            sudo systemctl kill --kill-who=all apt-daily.service
+            while ! (systemctl list-units --all apt-daily.service | egrep -q '(dead|failed)') do sleep 1; done
+            ( sudo apt-get update || sudo apt-get update )
+            sudo apt-get install -y openjdk-17-jre-headless wget firefox
+            export GECKODRIVER_VER=v0.30.0
+            wget https://github.com/mozilla/geckodriver/releases/download/${GECKODRIVER_VER}/geckodriver-${GECKODRIVER_VER}-linux64.tar.gz -O /tmp/geckodriver.tar.gz
+            cd /tmp
+            tar -xvzf geckodriver.tar.gz
+            sudo install geckodriver /usr/local/bin
+            wget https://github.com/zaproxy/zaproxy/releases/download/v2.11.1/ZAP_2_11_1_unix.sh -O /tmp/zap_installer.sh
+            chmod u+x /tmp/zap_installer.sh
+            sudo /tmp/zap_installer.sh -q
+            zap.sh -cmd -addoninstall jython
+            cd ~/project; ls
+            pip3 install -r scans/requirements.txt
+      
+      - run:
+          name: Run dev instance
+          command: |
+            fromtag=$(docker images |grep securedrop-test-focal-py3 |head -n1 |awk '{print $2}')
+            DOCKER_BUILD_ARGUMENTS="--cache-from securedrop-test-focal-py3:${fromtag:-latest}" make dev-detatched
+          background: true
+
+      - run:
+          name: Run zap daemon
+          command: zap.sh -daemon -port 8090 -config api.disablekey=true -config hud.enabled=false -config hud.enabledForDesktop=false
+          background: true
+
+      - run:
+          name: Run zap
+          command: python3 ~/project/scans/zapscan.py
+
+      - store_test_results:
+          path: ~/project/jrn_report.html
+
+      - store_artifacts:
+          path: ~/project/src_report.html
+
   staging-test-with-rebase:
     machine:
       image: ubuntu-2004:202010-01
@@ -367,6 +427,14 @@ workflows:
                 - /update-builder-.*/
           requires:
             - lint
+      - zap-vulnerability-scan:
+          requires:
+            - lint
+          filters:
+            branches:
+              ignore:
+                - /i18n-.*/
+                - /update-builder-.*/
 
   nightly:
     triggers:

diff --git a/Makefile b/Makefile
@@ -237,6 +237,12 @@ dev:  ## Run the development server in a Docker container.
 	@echo "███ Starting development server..."
 	@OFFSET_PORTS='false' DOCKER_BUILD_VERBOSE='true' $(DEVSHELL) $(SDBIN)/run
 	@echo
+
+.PHONY: dev-detatched
+dev-detatched:  ## Run the development server in a Docker container without attatching tty.
+	@echo "███ Starting development server..."
+	@OFFSET_PORTS='false' DETATCHED='true' DOCKER_BUILD_VERBOSE='true' $(DEVSHELL) $(SDBIN)/run
+	@echo
 
 .PHONY: dev-tor
 dev-tor:  ## Run the development server with onion services in a Docker container.

diff --git a/scans/zapscan.py b/scans/zapscan.py
@@ -1,6 +1,6 @@
 from time import sleep
 import pyotp
-from subprocess import run
+from subprocess import run, CalledProcessError
 from enum import Enum
 
 from selenium.webdriver import Firefox, FirefoxOptions
@@ -82,18 +82,20 @@ def export_report(outfile="zap_report.html", filetype=ReportType.HTML):
         cmd_ftype = "md"
     else: raise ValueError("filetype is not one of: ReportType.HTML, ReportType.XML, ReportType.MARKDOWN")
     cmdstr = REPORT_CMD_FMT.format(cmd_ftype=cmd_ftype, filename=outfile)
-    res = run(cmdstr, shell=True, check=True)
-    return res.returncode
+    try:
+        res = run(cmdstr, shell=True, check=True)
+    except CalledProcessError as e:
+        print("Failed to write report to file: {}".format(outfile))
+        raise
 
 
-def run_zap_scan(base_url: str, outfile="report.html") -> bool:
+def run_zap_scan(base_url: str, outfile="report.html"):
     cmdstr = SCAN_CMD_FMT.format(url=base_url)
-    res = run(cmdstr, shell=True)
-    if res.returncode != 0:
-        return False
-    if export_report(outfile=outfile) != 0:
-        return False
-    return True
+    try:
+        res = run(cmdstr, shell=True, check=True)
+        export_report(outfile=outfile)
+    except Exception as e:
+        print("Zap scan failed for {}, with reporting in file {}".format(base_url, outfile))
 
 
 def scan(base_url: str, login_fn=None, report_file="report.html"):
@@ -102,7 +104,10 @@ def scan(base_url: str, login_fn=None, report_file="report.html"):
     sleep(2)
     if login_fn:
         login_fn(base_url, driver)
-    run_zap_scan(base_url, outfile=report_file)
+    try:
+        run_zap_scan(base_url, outfile=report_file)
+    except Exception as e:
+        raise
     driver.quit()
 
 
@@ -155,21 +160,24 @@ def wait_for_services():
 def main():
     wait_for_services()
     print("Starting scan of journalist interface")
-    jrn_res = scan(JOURNALIST_URL, login_fn=prepare_journalist_iface, report_file="jrn_report.html")
-    if jrn_res:
+    jrn_failed, src_failed = False, False
+    try:
+        scan(JOURNALIST_URL, login_fn=prepare_journalist_iface, report_file="jrn_report.html")
         print("Journalist interface scan complete")
         print("Starting scan of source interface")
-    else:
-        print("Journalist interface scan encountered an error; proceeding to source interface scan")
-    src_res = scan(SOURCE_URL, login_fn=prepare_source_iface, report_file="src_report.html")
-    if jrn_res:
+    except Exception as e:
+        jrn_failed = True
+        print("Scan failed for journalist interface, trying source interface...")
+        print(e)
+    try:
+        scan(SOURCE_URL, login_fn=prepare_source_iface, report_file="src_report.html")
         print("Source interface scan complete")
-    else:
+    except Exception as e:
+        src_failed = True
         print("Source interface scan encountered an error")
-    if not src_res or not jrn_res:
-        if not jrn_res: print("Journalist interface failed to complete")
-        if not src_res: print("Source interface failed to complete")
-        exit(1)
+        print(e)
+    if jrn_failed: print("Journalist interface failed to complete")
+    if src_failed: print("Source interface failed to complete")
 
 
 if __name__ == "__main__":