Merge pull request #40 from psiinon/master

Use default user instead of root
zaproxy · May 23, 2022 · 6eade0f · 6eade0f
2 parents fc6c22e + ff129e5
commit 6eade0f
Show file tree

Hide file tree

Showing 4 changed files with 17 additions and 6 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,10 +3,13 @@ All notable changes to this GitHub action will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
-## [Unreleased]
+## [0.4.0] - 2022-05-23
 ### Changed
 - Update dependencies.
 
+### Fixed
+- Use default zap user rather than root to allow the Ajax Spider to run.
+
 ## [0.3.0] - 2021-09-14
 ### Added
 - An input (`allow_issue_writing`) to choose if a GitHub issue should be raised or not.
@@ -26,7 +29,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 First release to Marketplace.
 
-[Unreleased]: https://github.com/zaproxy/action-full-scan/compare/v0.3.0...HEAD
+[0.4.0]: https://github.com/zaproxy/action-full-scan/compare/v0.3.0...v0.4.0
 [0.3.0]: https://github.com/zaproxy/action-full-scan/compare/v0.2.0...v0.3.0
 [0.2.0]: https://github.com/zaproxy/action-full-scan/compare/v0.1.0...v0.2.0
 [0.1.0]: https://github.com/zaproxy/action-full-scan/compare/5842e3f84ec616724efb0230a6f6ab85146230c8...v0.1.0
diff --git a/README.md b/README.md
@@ -64,7 +64,7 @@ if it identifies any alerts. Set this option to `true` if you want to fail the s
 ```
 steps:
   - name: ZAP Scan
-    uses: zaproxy/action-full-scan@v0.3.0
+    uses: zaproxy/action-full-scan@v0.4.0
     with:
       target: 'https://www.zaproxy.org/'
 ```
@@ -84,7 +84,7 @@ jobs:
         with:
           ref: master
       - name: ZAP Scan
-        uses: zaproxy/action-full-scan@v0.3.0
+        uses: zaproxy/action-full-scan@v0.4.0
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           docker_name: 'owasp/zap2docker-stable'

diff --git a/dist/index.js b/dist/index.js
@@ -3858,8 +3858,12 @@ async function run() {
             plugins = await common.helper.processLineByLine(`${workspace}/${rulesFileLocation}`);
         }
 
+        // Create the files so we can change the perms and allow the docker non root user to update them
+        await exec.exec(`touch ${jsonReportName} ${mdReportName} ${htmlReportName}`);
+        await exec.exec(`chmod a+w ${jsonReportName} ${mdReportName} ${htmlReportName}`);
+
         await exec.exec(`docker pull ${docker_name} -q`);
-        let command = (`docker run --user root -v ${workspace}:/zap/wrk/:rw --network="host" ` +
+        let command = (`docker run -v ${workspace}:/zap/wrk/:rw --network="host" ` +
             `-t ${docker_name} zap-full-scan.py -t ${target} -J ${jsonReportName} -w ${mdReportName}  -r ${htmlReportName} ${cmdOptions}`);
 
         if (plugins.length !== 0) {

diff --git a/index.js b/index.js
@@ -39,8 +39,12 @@ async function run() {
             plugins = await common.helper.processLineByLine(`${workspace}/${rulesFileLocation}`);
         }
 
+        // Create the files so we can change the perms and allow the docker non root user to update them
+        await exec.exec(`touch ${jsonReportName} ${mdReportName} ${htmlReportName}`);
+        await exec.exec(`chmod a+w ${jsonReportName} ${mdReportName} ${htmlReportName}`);
+
         await exec.exec(`docker pull ${docker_name} -q`);
-        let command = (`docker run --user root -v ${workspace}:/zap/wrk/:rw --network="host" ` +
+        let command = (`docker run -v ${workspace}:/zap/wrk/:rw --network="host" ` +
             `-t ${docker_name} zap-full-scan.py -t ${target} -J ${jsonReportName} -w ${mdReportName}  -r ${htmlReportName} ${cmdOptions}`);
 
         if (plugins.length !== 0) {