Friday, May 14, 2021

OWASP test in Release Pipeline

On this page we add tasks to an Azure Release pipeline that run the OWASP ZAP tests.

Prerequisites

There is already a Docker image containing the ZAP 2 files and a Python script, zap-baseline.py, that runs the scan. The image, owasp/zap2docker-stable, needs a shared folder to write its report to. To mount a file share I use an Azure storage account containing a share called security. I generate the key that grants access to the share and start the process.

When the process has completed you need a file called OWASPToNUnit3.xslt to convert the report into an NUnit file that can be published as a test result.

OWASP Stage Tasks

There are 3 tasks in this stage:

  1. OWASP in Azure CLI
     which sets up a Container Instance that runs the tests

  2. Transforming PowerShell Script
     which uses a PowerShell script to transform the result into NUnit

  3. Publish Test Results
     which makes the result visible in the pipeline as Test Results

Stage Tasks Yaml

steps:
- task: AzureCLI@2
  displayName: 'OWASP in Azure CLI'
  inputs:
    azureSubscription: 'Owasp_grp_sp'
    scriptType: ps
    scriptLocation: inlineScript
    inlineScript: |
      # Storage account key for the "security" file share (placeholder here; keep the real key in a secret pipeline variable)
      $key='"the-Key-to-Storage-Account-shared-location=="'
      # Doubled double quotes ("") are escaped quotes inside a PowerShell double-quoted string,
      # so the URL stays quoted on the container's command line
      $ZAP_COMMAND="/zap/zap-baseline.py -t """"https://the-url-to-test.something"""" -x OWASP-ZAP-Report.xml"
      # Run the ZAP baseline scan in a Container Instance with the share mounted at /zap/wrk/,
      # which is where zap-baseline.py writes the -x report
      az container create `
        --resource-group owasp_grp `
        --name owasp `
        --image owasp/zap2docker-stable `
        --ip-address public `
        --ports 8080 `
        --azure-file-volume-account-name owaspstore1000 `
        --azure-file-volume-account-key $key `
        --azure-file-volume-share-name security `
        --azure-file-volume-mount-path /zap/wrk/ `
        --command-line $ZAP_COMMAND
      # az container create returns once the container group is provisioned, not when the scan exits;
      # if the report is not there yet, poll "az container show" until the container has terminated
      # Pull the report from the share into the agent's working directory
      # (PowerShell does not expand %VAR%, so the $Env: form is used for the destination path)
      az storage file download `
        --account-name owaspstore1000 `
        --account-key $key `
        -s security `
        -p OWASP-ZAP-Report.xml `
        --dest "$($Env:SYSTEM_DEFAULTWORKINGDIRECTORY)\OWASP-ZAP-Report.xml"

- powershell: |
    ## The PowerShell task for converting the test report
    $XslPath = "$($Env:SYSTEM_DEFAULTWORKINGDIRECTORY)\_Managed-Security/OWASPToNUnit3.xslt"
    $XmlInputPath = "$($Env:SYSTEM_DEFAULTWORKINGDIRECTORY)\OWASP-ZAP-Report.xml"
    $XmlOutputPath = "$($Env:SYSTEM_DEFAULTWORKINGDIRECTORY)\Converted-OWASP-ZAP-Report.xml"
    $XslTransform = New-Object System.Xml.Xsl.XslCompiledTransform
    $XslTransform.Load($XslPath)
    $XslTransform.Transform($XmlInputPath, $XmlOutputPath)
  displayName: 'Transforming PowerShell Script'

- task: PublishTestResults@2
  displayName: 'Publish Test Results Converted-OWASP-ZAP-Report.xml'
  inputs:
    testResultsFormat: NUnit
    testResultsFiles: 'Converted-OWASP-ZAP-Report.xml'
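The OWASPToNUnit3.xslt file itself is not shown on this page. As an added example, not the author's XSLT and not part of the pipeline above, here is the same conversion written in Python so the mapping is visible: each ZAP alertitem becomes an NUnit3 test-case, and any alert whose riskcode is at or above a threshold (fail_at, a parameter of my own; 2 means Medium on ZAP's 0-3 scale) is written as a failure, so it surfaces as a failed test in the published results rather than as a green run. The embedded SAMPLE_ZAP_REPORT is constructed for this example and is not a real scan result; element names follow the ZAP XML report format (OWASPZAPReport/site/alerts/alertitem) and the NUnit3 test-run schema.

```python
"""ZAP XML report -> NUnit3 results. Added example standing in for OWASPToNUnit3.xslt."""
import xml.etree.ElementTree as ET

# ZAP riskcode scale: 0 Informational, 1 Low, 2 Medium, 3 High
RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}

# Constructed sample in the shape ZAP writes (not a real scan result).
SAMPLE_ZAP_REPORT = """<OWASPZAPReport version="2.10.0" generated="Fri, 14 May 2021 10:00:00">
  <site name="https://the-url-to-test.something" host="the-url-to-test.something" port="443" ssl="true">
    <alerts>
      <alertitem>
        <pluginid>10021</pluginid>
        <name>X-Content-Type-Options Header Missing</name>
        <riskcode>1</riskcode>
        <desc>The Anti-MIME-Sniffing header X-Content-Type-Options was not set.</desc>
        <instances><instance><uri>https://the-url-to-test.something/</uri><method>GET</method></instance></instances>
        <solution>Set X-Content-Type-Options to nosniff.</solution>
        <cweid>693</cweid>
      </alertitem>
      <alertitem>
        <pluginid>40012</pluginid>
        <name>Cross Site Scripting (Reflected)</name>
        <riskcode>3</riskcode>
        <desc>Reflected input was returned to the browser unencoded.</desc>
        <instances><instance><uri>https://the-url-to-test.something/search?q=test</uri><method>GET</method><param>q</param></instance></instances>
        <solution>Encode output and validate input.</solution>
        <cweid>79</cweid>
      </alertitem>
    </alerts>
  </site>
</OWASPZAPReport>
"""


def parse_alerts(report_xml: str) -> list:
    """Flatten every alertitem of every scanned site into a plain dict."""
    root = ET.fromstring(report_xml)
    alerts = []
    for site in root.findall("site"):
        for item in site.findall("alerts/alertitem"):
            alerts.append({
                "site": site.get("name", ""),
                "pluginid": item.findtext("pluginid", ""),
                "name": item.findtext("name", "") or item.findtext("alert", ""),
                "riskcode": int(item.findtext("riskcode", "0")),
                "desc": item.findtext("desc", "").strip(),
                "solution": item.findtext("solution", "").strip(),
                "cweid": item.findtext("cweid", ""),
                "uris": [i.findtext("uri", "") for i in item.findall("instances/instance")],
            })
    return alerts


def to_nunit3(report_xml: str, fail_at: int = 2) -> ET.Element:
    """Build an NUnit3 <test-run>; any alert with riskcode >= fail_at is a failed test case."""
    alerts = parse_alerts(report_xml)
    failed = sum(1 for a in alerts if a["riskcode"] >= fail_at)
    counts = {"total": str(len(alerts)), "passed": str(len(alerts) - failed),
              "failed": str(failed), "result": "Failed" if failed else "Passed"}
    run = ET.Element("test-run", {"id": "2", "name": "OWASP ZAP baseline",
                                  "testcasecount": counts["total"], **counts})
    suite = ET.SubElement(run, "test-suite", {"type": "Assembly", "id": "1000",
                                              "name": "OWASP-ZAP-Report", **counts})
    for n, a in enumerate(alerts, start=1):
        is_failure = a["riskcode"] >= fail_at
        case = ET.SubElement(suite, "test-case", {
            "id": str(1000 + n),
            "name": f"{a['name']} [{RISK_NAMES.get(a['riskcode'], 'Unknown')}]",
            "fullname": f"{a['site']}.{a['pluginid']}",
            "result": "Failed" if is_failure else "Passed",
        })
        if is_failure:
            # The failure message carries the finding, the stack-trace slot the affected URIs,
            # which is what the pipeline's test result view shows for a failed case
            failure = ET.SubElement(case, "failure")
            ET.SubElement(failure, "message").text = (
                f"{a['desc']}\nCWE-{a['cweid']}\nSolution: {a['solution']}")
            ET.SubElement(failure, "stack-trace").text = "\n".join(a["uris"])
    return run


def convert_file(input_path: str, output_path: str, fail_at: int = 2) -> int:
    """Transform one report file on disk; returns the number of failed cases."""
    with open(input_path, encoding="utf-8") as f:
        run = to_nunit3(f.read(), fail_at)
    ET.ElementTree(run).write(output_path, encoding="utf-8", xml_declaration=True)
    return int(run.get("failed"))


if __name__ == "__main__":
    # Usage: python zap_to_nunit3.py OWASP-ZAP-Report.xml Converted-OWASP-ZAP-Report.xml
    import sys
    sys.exit(1 if convert_file(sys.argv[1], sys.argv[2]) else 0)
```

Run as a script in place of the XSLT step, it reads OWASP-ZAP-Report.xml and writes Converted-OWASP-ZAP-Report.xml for PublishTestResults@2, and exits non-zero when any alert crosses the threshold; lowering fail_at to 1 also fails the run on Low findings, raising it above 3 publishes every alert as passed (useful for a first, informational run before gating a release on the scan).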