
[WIP] Add sarif report option to zap-baseline #8005

Closed
wants to merge 1 commit into from

Conversation

DanBradbury commented Aug 13, 2023

Part of the required work to officially support Code Scanning integration with action-baseline

Original Issue: zaproxy/action-baseline#63

Will require a change to the action-baseline as well to touch the right files (see PR here for that change)

NOTE: hacked together to just get it to work so there are issues with .json being added to the report name, etc. This PR is just to demonstrate where the changes should be made to add sarif support

kingthorin (Member) commented Aug 13, 2023

I'm not sure this is the right way to go about this. We intend to replace the packaged scans with Automation Framework functionality.


To address the DCO requirement you'll need to sign-off the commit(s):

thc202 changed the title "Add sarif report option to zap-baseline" to "[WIP] Add sarif report option to zap-baseline" Aug 14, 2023
DanBradbury (Author) commented:

> I'm not sure this is the right way to go about this. We intend to replace the packaged scans with Automation Framework functionality.

Would the move be into the new AF action? Wondering if there was a known timeline / if we should be rolling our own actions in the meantime to just leverage zap.sh running with AF configuration.

thc202 (Member) commented Aug 14, 2023

Ref #7659

DanBradbury (Author) commented:
@thc202 If the plan has been to move to AF then where is the path forward? I don't see any movement on the af-action repo and just want some improvement for the zap-baseline scans that some of us are using.

If there is a desire to move away from the packaged scans can there be some official language added to the support docs to say that this is going to be deprecated and the maintainers have no interest in making updates to fix issues?

psiinon (Member) commented Aug 14, 2023

We have been a bit busy recently 😁
We are now looking at our future plans and yes, the plans for the actions and packaged scans will be part of this process.

DanBradbury (Author) commented:
@psiinon Are there any open issues that members of the community can assist with? I'd personally like to see this project continue to improve and would love to accelerate any of the dev that's keeping you guys bogged down.

semsuddin commented Jun 3, 2024

What's the plan? Why can't we merge this? It's not a big change and adds the capability to generate SARIF.

psiinon (Member) commented Jun 3, 2024

Because it's probably not the direction we want to go in.
The packaged scans already have too many arguments and have become difficult to maintain.
The automation framework is a better option, and that now does have a GitHub action: https://github.com/marketplace/actions/zap-automation-framework-scan

semsuddin commented:

> Because it's probably not the direction we want to go in. The packaged scans already have too many arguments and have become difficult to maintain. The automation framework is a better option, and that now does have a GitHub action: https://github.com/marketplace/actions/zap-automation-framework-scan

I'm really having issues understanding the documentation. On one side SARIF is already there and we should be able to export in that format while on the other end it doesn't work. Right now I'm using the zap docker container and want to generate the SARIF json report via zap API, is there a way?

thc202 (Member) commented Jun 4, 2024

Yes, there is but https://groups.google.com/g/zaproxy-users is a more appropriate place for usage questions.

kingthorin (Member) commented:

> on the other end it doesn't work

In what way?

As for report generation via the API check:

psiinon (Member) commented Jun 4, 2024

You will find the AF much easier to use than the API. For more help ask on the ZAP User Group.
https://groups.google.com/g/zaproxy-users

psiinon (Member) commented Jun 4, 2024

Closing because we do not want to keep adding more and more options to the packaged scans.
The automation framework is the way to go; it already supports all of the reports, not just the SARIF one.
It can also be run from the command line as well as in docker.
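For readers who want to see what the maintainers' suggested route looks like in practice, the following is an added example of a minimal Automation Framework plan that runs a passive scan and writes a SARIF report. It is not part of this PR or of the ZAP project's own files. The target URL, the report directory and the report file name are constructed placeholders; the job types and the `sarif-json` template id follow the AF report job as I understand it from ZAP's documentation, so check them against the current AF reference before relying on them.

```yaml
# Constructed example plan (not from the PR or the ZAP repository).
env:
  contexts:
    - name: "example-context"
      urls:
        # Placeholder target; replace with the application you are authorised to scan.
        - "https://example.invalid"
  parameters:
    failOnError: true
    progressToStdout: true

jobs:
  # Crawl the in-scope URLs so the passive scanner has traffic to inspect.
  - type: spider
    parameters:
      context: "example-context"

  # Wait for the passive scan queue to drain before reporting.
  - type: passiveScan-wait

  # Write the findings as SARIF so a code-scanning pipeline can ingest them.
  - type: report
    parameters:
      template: "sarif-json"      # SARIF report template id (assumed from AF docs)
      reportDir: "/zap/wrk"       # placeholder; mount this path when running in Docker
      reportFile: "zap-report"    # placeholder base name; ZAP appends the extension
      reportTitle: "ZAP SARIF report"
```

When run in Docker the plan file and the report directory are mounted into /zap/wrk, and the plan is started with ZAP's `-cmd -autorun <plan.yaml>` command-line options rather than with the zap-baseline wrapper script this PR targeted.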

psiinon closed this Jun 4, 2024
github-actions bot locked and limited conversation to collaborators Jun 4, 2024