add owasp zap configurations and a report output

Dockerfile

@@ -1,4 +1,6 @@
 # Use an official OpenJDK runtime as a parent image
+# FROM openjdk:17-jdk-alpine
+
 FROM openjdk
 
 # Set the working directory inside the container

automation.sh

@@ -4,20 +4,40 @@
 echo "####################################################"
 echo "Stop and remove all running containers..."
 echo "docker stop $(docker ps -a -q)"
-echo "docker system prune -af"
-
 docker stop $(docker ps -a -q)
 
 # remove the stopped docker containers
+echo "docker system prune -af"
 docker rm -v -f $(docker ps -qa)
 
 # uncomment this to remove the images too
-# docker system prune -af
+#docker system prune -af
+
+echo "####################################################"
+echo "Create a network..."
+echo "docker network create --driver bridge petclinic-net"
+docker network create --driver bridge petclinic-net
 
 echo "####################################################"
 echo "Build and run container..."
 echo "build . -t spring_image"
 echo "docker run -itd -p:8080:8080 --name spring-petclinic spring_image"
 docker build . -t spring_image
-docker run -itd -p:8080:8080 --name spring-petclinic spring_image
+docker run -itd -p 8080:8080 --network petclinic-net --name spring-petclinic spring_image
 
+
+
+echo "####################################################"
+echo "Running OWASP ZAP"
+
+# Pull the latest stable OWASP ZAP image
+docker pull ghcr.io/zaproxy/zaproxy:stable
+
+echo "Running OWASP ZAP scan..."
+docker run --rm -t --network petclinic-net \
+  -v $(pwd)/zap-report:/zap/wrk:rw \
+  ghcr.io/zaproxy/zaproxy:stable zap-baseline.py \
+  -t http://localhost:8080 -g gen.conf -r zap-report.html
+
+
+echo "Scan complete. Report saved as zap-report.html"

zap-report/gen.conf

@@ -0,0 +1,69 @@
+# zap-baseline rule configuration file
+# Change WARN to IGNORE to ignore rule or FAIL to fail if rule matches
+# Only the rule identifiers are used - the names are just for info
+# You can add your own messages to each rule by appending them after a tab on each line.
+10003	WARN	(Vulnerable JS Library (Powered by Retire.js))
+10009	WARN	(In Page Banner Information Leak)
+10010	WARN	(Cookie No HttpOnly Flag)
+10011	WARN	(Cookie Without Secure Flag)
+10015	WARN	(Re-examine Cache-control Directives)
+10017	WARN	(Cross-Domain JavaScript Source File Inclusion)
+10019	WARN	(Content-Type Header Missing)
+10020	WARN	(Anti-clickjacking Header)
+10021	WARN	(X-Content-Type-Options Header Missing)
+10023	WARN	(Information Disclosure - Debug Error Messages)
+10024	WARN	(Information Disclosure - Sensitive Information in URL)
+10025	WARN	(Information Disclosure - Sensitive Information in HTTP Referrer Header)
+10026	WARN	(HTTP Parameter Override)
+10027	WARN	(Information Disclosure - Suspicious Comments)
+10028	WARN	(Open Redirect)
+10029	WARN	(Cookie Poisoning)
+10030	WARN	(User Controllable Charset)
+10031	WARN	(User Controllable HTML Element Attribute (Potential XSS))
+10032	WARN	(Viewstate)
+10033	WARN	(Directory Browsing)
+10034	WARN	(Heartbleed OpenSSL Vulnerability (Indicative))
+10035	WARN	(Strict-Transport-Security Header)
+10036	WARN	(HTTP Server Response Header)
+10037	WARN	(Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s))
+10038	WARN	(Content Security Policy (CSP) Header Not Set)
+10039	WARN	(X-Backend-Server Header Information Leak)
+10040	WARN	(Secure Pages Include Mixed Content)
+10041	WARN	(HTTP to HTTPS Insecure Transition in Form Post)
+10042	WARN	(HTTPS to HTTP Insecure Transition in Form Post)
+10043	WARN	(User Controllable JavaScript Event (XSS))
+10044	WARN	(Big Redirect Detected (Potential Sensitive Information Leak))
+10049	WARN	(Content Cacheability)
+10050	WARN	(Retrieved from Cache)
+10052	WARN	(X-ChromeLogger-Data (XCOLD) Header Information Leak)
+10054	WARN	(Cookie without SameSite Attribute)
+10055	WARN	(CSP)
+10056	WARN	(X-Debug-Token Information Leak)
+10057	WARN	(Username Hash Found)
+10061	WARN	(X-AspNet-Version Response Header)
+10062	WARN	(PII Disclosure)
+10063	WARN	(Permissions Policy Header Not Set)
+10096	WARN	(Timestamp Disclosure)
+10097	WARN	(Hash Disclosure)
+10098	WARN	(Cross-Domain Misconfiguration)
+10099	WARN	(Source Code Disclosure)
+10105	WARN	(Weak Authentication Method)
+10108	WARN	(Reverse Tabnabbing)
+10109	WARN	(Modern Web Application)
+10110	WARN	(Dangerous JS Functions)
+10111	WARN	(Authentication Request Identified)
+10112	WARN	(Session Management Response Identified)
+10113	WARN	(Verification Request Identified)
+10115	WARN	(Script Served From Malicious Domain (polyfill))
+10202	WARN	(Absence of Anti-CSRF Tokens)
+2	WARN	(Private IP Disclosure)
+3	WARN	(Session ID in URL Rewrite)
+50001	WARN	(Script Passive Scan Rules)
+90001	WARN	(Insecure JSF ViewState)
+90002	WARN	(Java Serialization Object)
+90003	WARN	(Sub Resource Integrity Attribute Missing)
+90004	WARN	(Insufficient Site Isolation Against Spectre Vulnerability)
+90011	WARN	(Charset Mismatch)
+90022	WARN	(Application Error Disclosure)
+90030	WARN	(WSDL File Detection)
+90033	WARN	(Loosely Scoped Cookie)