@Component
public class ZAPStepDefinitions
extends java.lang.Object
| Constructor and Description |
|---|
| ZAPStepDefinitions() |
| Modifier and Type | Method | Description |
|---|---|---|
| void | activeSession() | Creates an empty ZAP session |
| void | checkVulnerabilities(java.lang.String risk, java.lang.String baseUrl) | Checks whether any risks were identified during the scan |
| void | disableAllScanners() | Configures ZAP with no scanners, neither passive nor active |
| void | enableActiveScanner() | Enables only the active scanner |
| void | enableAllScanners() | Configures ZAP with all scanners, both passive and active |
| void | enablePassiveScanner() | Enables only the passive scanner |
| void | enablePolicy(java.lang.String policyName) | Enables the given active scan policy |
| void | excludeUrlsFromScan(java.util.List<java.lang.String> excludedRegexes) | Defines a list of URL regular expressions that are excluded from the ZAP scan |
| void | processVulnerabilities(java.lang.String risk, java.lang.String baseUrl, boolean reportOnly) | |
| void | removeFalsePositives(java.util.List<ZAPFalsePositive> falsePositives) | Defines a list of false positives to be excluded from the scan results |
| void | reportVulnerabilities(java.lang.String risk, java.lang.String baseUrl) | Reports any risks that were identified during the scan without throwing an error |
| void | runScanner(java.lang.String appName) | Runs the ZAP active scanner |
| void | setAlertThreshold(java.lang.String threshold) | Sets the alert threshold for all active scanners |
| void | setAttackStrength(java.lang.String strength) | Sets the attack strength |
| void | startSession() | Creates an empty ZAP session |
| void | theApplicationIsSpidered(java.lang.Integer depth, java.lang.Integer timeout) | Starts the ZAP spider |
| void | writeXmlReport(java.lang.String path) | Saves the ZAP report to disk with the given filename |
startSession

@When(value="I create an empty ZAP session")
public void startSession() throws org.zaproxy.clientapi.core.ClientApiException

Creates an empty ZAP session.

Throws:
org.zaproxy.clientapi.core.ClientApiException - When the ZAP API threw an exception

activeSession

@When(value="I set the active ZAP session")
public void activeSession() throws org.zaproxy.clientapi.core.ClientApiException

Creates an empty ZAP session.

Throws:
org.zaproxy.clientapi.core.ClientApiException - When the ZAP API threw an exception

writeXmlReport

@When(value="the ZAP XML report is written to the file \"(.*?)\"")
public void writeXmlReport(java.lang.String path) throws java.io.IOException, org.zaproxy.clientapi.core.ClientApiException

Saves the ZAP report to disk with the given filename.

Parameters:
path - The name of the report, like "zapreport.xml"
Throws:
java.io.IOException - When the report file could not be written
org.zaproxy.clientapi.core.ClientApiException - When the ZAP API threw an exception

enableAllScanners

@Given(value="a scanner with all policies enabled")
public void enableAllScanners() throws org.zaproxy.clientapi.core.ClientApiException

Configures ZAP with all scanners, both passive and active.

Throws:
org.zaproxy.clientapi.core.ClientApiException - When the ZAP API threw an exception

disableAllScanners

@Given(value="a scanner with all policies disabled")
public void disableAllScanners() throws org.zaproxy.clientapi.core.ClientApiException

Configures ZAP with no scanners, neither passive nor active.

Throws:
org.zaproxy.clientapi.core.ClientApiException - When the ZAP API threw an exception

enablePassiveScanner

@Given(value="the passive scanner is enabled")
public void enablePassiveScanner() throws org.zaproxy.clientapi.core.ClientApiException

Enables only the passive scanner.

Throws:
org.zaproxy.clientapi.core.ClientApiException - When the ZAP API threw an exception

enableActiveScanner

@Given(value="the active scanner is enabled")
public void enableActiveScanner() throws org.zaproxy.clientapi.core.ClientApiException

Enables only the active scanner.

Throws:
org.zaproxy.clientapi.core.ClientApiException - When the ZAP API threw an exception

enablePolicy

@Given(value="the \"(.*?)\" policy is enabled")
public void enablePolicy(java.lang.String policyName) throws org.zaproxy.clientapi.core.ClientApiException

Enables the given active scan policy.

Parameters:
policyName - The name of the active scan policy
Throws:
org.zaproxy.clientapi.core.ClientApiException - When the ZAP API threw an exception

setAttackStrength

@Given(value="the attack strength is set to \"(.*?)\"")
public void setAttackStrength(java.lang.String strength)

Sets the attack strength.

Parameters:
strength - The ZAP attack strength

setAlertThreshold

@Given(value="the alert threshold is set to \"(.*?)\"")
public void setAlertThreshold(java.lang.String threshold) throws org.zaproxy.clientapi.core.ClientApiException

Sets the alert threshold for all active scanners.

Parameters:
threshold - The ZAP alert threshold
Throws:
org.zaproxy.clientapi.core.ClientApiException - When the ZAP API threw an exception

excludeUrlsFromScan

@Given(value="the following URL regular expressions are excluded from the scanner")
public void excludeUrlsFromScan(java.util.List<java.lang.String> excludedRegexes) throws org.zaproxy.clientapi.core.ClientApiException

Defines a list of URL regular expressions that are excluded from the ZAP scan.

Parameters:
excludedRegexes - A list of URL regular expressions to exclude
Throws:
org.zaproxy.clientapi.core.ClientApiException - When the ZAP API threw an exception

runScanner

@When(value="the active scanner is run(?: from \"([^\"]*)\")?")
public void runScanner(java.lang.String appName) throws org.zaproxy.clientapi.core.ClientApiException

Runs the ZAP active scanner.

Parameters:
appName - The optional name of the application whose URL will be used to launch the scan
Throws:
org.zaproxy.clientapi.core.ClientApiException - When the ZAP API threw an exception

removeFalsePositives

@When(value="the following false positives are ignored")
public void removeFalsePositives(java.util.List<ZAPFalsePositive> falsePositives) throws org.zaproxy.clientapi.core.ClientApiException

Defines a list of false positives to be excluded from the scan results.

Parameters:
falsePositives - The false positives to be removed
Throws:
org.zaproxy.clientapi.core.ClientApiException - When the ZAP API threw an exception

checkVulnerabilities

@Then(value="^no \"(.*?)\" or higher risk vulnerabilities should be present(?: for the base url \"(.*?)\")?$")
public void checkVulnerabilities(java.lang.String risk, java.lang.String baseUrl) throws org.zaproxy.clientapi.core.ClientApiException

Checks whether any risks were identified during the scan.

Parameters:
risk - The level of risk. Either HIGH, MEDIUM or LOW
baseUrl - An optional regex that can be used to match the URL that a risk is associated with
Throws:
org.zaproxy.clientapi.core.ClientApiException - When the ZAP API threw an exception

reportVulnerabilities

@Then(value="^I report any \"(.*?)\" or higher risk vulnerabilities (?: for the base url \"(.*?)\")?$")
public void reportVulnerabilities(java.lang.String risk, java.lang.String baseUrl) throws org.zaproxy.clientapi.core.ClientApiException

Reports any risks that were identified during the scan without throwing an error.

Parameters:
risk - The level of risk. Either HIGH, MEDIUM or LOW
baseUrl - An optional regex that can be used to match the URL that a risk is associated with
Throws:
org.zaproxy.clientapi.core.ClientApiException - When the ZAP API threw an exception

processVulnerabilities

public void processVulnerabilities(java.lang.String risk, java.lang.String baseUrl, boolean reportOnly) throws org.zaproxy.clientapi.core.ClientApiException

Throws:
org.zaproxy.clientapi.core.ClientApiException - When the ZAP API threw an exception

theApplicationIsSpidered

@And(value="^the application is spidered(?: to a depth of\"(\\d+)\")?(?: timing out after \"(\\d+)\" seconds)?$")
public void theApplicationIsSpidered(java.lang.Integer depth, java.lang.Integer timeout) throws org.zaproxy.clientapi.core.ClientApiException

Starts the ZAP spider.

Parameters:
depth - How far to search into the application
timeout - How long to wait, in seconds, before the spider times out
Throws:
org.zaproxy.clientapi.core.ClientApiException - When the ZAP API threw an exception
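As an added example (not part of this Javadoc or the project's own test suite), a Cucumber feature whose step text matches the annotations above and drives a scan in a sensible order; the application name, base URL, policy name, exclusion patterns and report filename are assumed values.

```gherkin
Feature: Security scan of the example application with OWASP ZAP
  # Step text must match the regular expressions in the ZAPStepDefinitions
  # annotations. "example-app", the base url, the policy name and the
  # exclusion patterns below are assumed example values.

  Scenario: Active scan with no medium or higher risk findings
    Given I create an empty ZAP session
    And a scanner with all policies disabled
    And the "Default Policy" policy is enabled
    And the attack strength is set to "MEDIUM"
    And the alert threshold is set to "MEDIUM"
    # single-column data table, one URL regular expression per row
    And the following URL regular expressions are excluded from the scanner
      | .*/logout.* |
      | .*/static/.* |
    # both groups are optional; the step's regex has no space between
    # 'of' and the opening quote, so the depth is written as of"5"
    When the application is spidered to a depth of"5" timing out after "120" seconds
    And the active scanner is run from "example-app"
    # write the report and the non-failing summary before the assertion,
    # because a failing assertion step stops the scenario
    Then the ZAP XML report is written to the file "zapreport.xml"
    # the reporting step's regex has a space before its optional group,
    # so two spaces precede 'for' when a base url is given
    And I report any "LOW" or higher risk vulnerabilities  for the base url "http://example-app.test"
    And no "MEDIUM" or higher risk vulnerabilities should be present for the base url "http://example-app.test"
```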