I'm currently interacting with ZAP using the REST-API (using Groovy as a language).
What I want to achieve is to start a scan and retrieve the results once the scan has finished.
I'm currently looking at the scan status, and I assumed that I could retrieve the result once the scan status is 100, indicating that the scan has finished. This does not work, however; I have to query /JSON/core/view/alerts/ continuously until the actual results are retrieved.
This is basically my code:
    import groovy.json.JsonSlurper

    def slurper = new JsonSlurper()
    String zapUrl = "http://${zap.getContainerIpAddress()}:8090"

    // Start the spider and keep the scan id it returns
    def scanResponse = slurper.parse(new URL("$zapUrl/JSON/spider/action/scan/?url=http://featuretron:8080"))
    String scanId = scanResponse.scan

    // Poll the spider status until it reports 100
    def scanStatus = slurper.parse(new URL("$zapUrl/JSON/spider/view/status/?scanId=$scanId"))
    while (scanStatus.status != "100") {
        sleep(500)
        scanStatus = slurper.parse(new URL("$zapUrl/JSON/spider/view/status/?scanId=$scanId"))
    }

    // Poll the alerts view until it returns something
    def alerts = slurper.parse(new URL("$zapUrl/JSON/core/view/alerts/"))
    while (alerts.alerts.isEmpty()) {
        sleep(500)
        alerts = slurper.parse(new URL("$zapUrl/JSON/core/view/alerts/"))
    }
My question is whether there is a more stable way to tell that the results have been generated. It also seems as if the official examples of the Java API wait as well:
You are running the spider and waiting for it to finish correctly. However ZAP performs passive scanning in a background thread, and this is what you need to wait for.
There are API calls for this as well, this is a good example: https://github.com/zaproxy/zap-api-python/blob/master/src/examples/basic-spider-scan.py - it's using the Python API, but the underlying API is the same no matter what client you use. That Java example needs to be updated ;)
BTW, in your code you're just going to perform passive scanning, not active scanning (where ZAP actually attacks your app). Is this what you want?
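The wait the answer describes, as an added Groovy example that is not part of the original posts or of the ZAP project's code: after the spider reaches 100, poll ZAP's `pscan/view/recordsToScan` view until the passive-scan queue is empty, and only then read the alerts. The name `waitForPassiveScan`, the injected `fetchJson` closure, the timeout values and the canned responses are assumptions made for this example.

```groovy
import groovy.json.JsonSlurper

// Polls the passive-scan queue until it is empty and returns the number of polls.
// fetchJson (hypothetical helper) maps an API path to parsed JSON; it is injected
// so the loop can be exercised without a running ZAP instance.
int waitForPassiveScan(Closure fetchJson, long timeoutMs = 60_000, long pollMs = 500) {
    long deadline = System.currentTimeMillis() + timeoutMs
    int polls = 0
    while (true) {
        def response = fetchJson('/JSON/pscan/view/recordsToScan/')
        polls++
        // ZAP returns numbers as JSON strings, e.g. {"recordsToScan":"3"}
        int remaining = (response.recordsToScan as String).toInteger()
        if (remaining == 0) {
            return polls
        }
        // Fail loudly instead of looping forever if the queue never drains
        if (System.currentTimeMillis() >= deadline) {
            throw new IllegalStateException(
                "Passive scan still has $remaining records queued after $timeoutMs ms")
        }
        sleep(pollMs)
    }
}

// Against a live ZAP (zapUrl as in the question), after the spider loop:
//   def slurper = new JsonSlurper()
//   waitForPassiveScan { path -> slurper.parse(new URL("$zapUrl$path")) }
//   def alerts = slurper.parse(new URL("$zapUrl/JSON/core/view/alerts/"))

// Constructed responses standing in for ZAP so the example runs offline
def slurper = new JsonSlurper()
def canned = ['{"recordsToScan":"12"}',
              '{"recordsToScan":"3"}',
              '{"recordsToScan":"0"}'].iterator()
int polls = waitForPassiveScan({ path -> slurper.parseText(canned.next()) }, 5_000, 10)
assert polls == 3
println "passive scan queue drained after $polls polls"
```

Unlike the `alerts.isEmpty()` loop in the question, this terminates even when the target produces no alerts at all, because it waits on the queue rather than on the result.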