Octokit problem #34

Closed
njox opened this issue Jun 30, 2020 · 29 comments

@njox

njox commented Jun 30, 2020

Hi, when I trigger the module I get this:

FAIL-NEW: 0	FAIL-INPROG: 0	WARN-NEW: 8	WARN-INPROG: 0	INFO: 0	IGNORE: 0	PASS: 43
[@octokit/rest] `const Octokit = require("@octokit/rest")` is deprecated. Use `const { Octokit } = require("@octokit/rest")` instead
##[error]The ZAP Baseline scan has failed, starting to analyze the alerts. err: Error: The process '/usr/bin/docker' failed with exit code 2
Alerts present in the current report: true
Process completed successfully and a new issue #2 has been created for the ZAP Scan.

It seems that the import of the @octokit/rest library is wrong.

@thc202
Member

thc202 commented Jun 30, 2020

The warning is caused by a dependency (@actions/github) not this action, we'll have to update it.

@njox
Author

njox commented Jun 30, 2020

Thanks for your fast response. When will come a new update?

@kingthorin
Member

It seems to be behaving as expected. It exited code 2 because you have new warnings.

What's the issue you're trying to report?

@thc202
Member

thc202 commented Jun 30, 2020

> When will come a new update?

There's no ETA for the update/release.

> What's the issue you're trying to report?

I think the warning; despite everything working as expected, better to update.

@njox
Author

njox commented Jun 30, 2020

I can't share the repository and log because it's private and copyrighted. But the workflow is:

  1. Create a deployment package for AWS EBS
  2. Upload package to AWS S3 Bucket
  3. Trigger application update from AWS S3 Bucket
  4. Perform ZAP scan (basic configuration - using only the target in the with property)

On step 4 I got a warning/issue which forces the action to fail, but it will create a report file.

Thanks

@thc202
Member

thc202 commented Jun 30, 2020

The Octokit warning is not the reason the build fails; the cause is the warnings/alerts ZAP found (WARN-NEW: 8).

@richAtreides

To be clear, why would it fail if there is a warning? Is this just a hacky way of giving alerts? How do you change the verbosity so that it fails on actual issues only?

@thc202
Member

thc202 commented Jul 7, 2020

If with "it" you are referring to the action itself, that's #31.

@richAtreides

> If with "it" you are referring to the action itself, that's #31.

@thc202 that issue perfectly covers my concern. Is there a way to stop this just failing if it finds any warnings but instead configure it? Or is that to be built?

@psiinon
Member

psiinon commented Jul 10, 2020

You can just specify a rules file with the relevant rules to IGNORE instead of WARN.

@njox
Author

njox commented Jul 30, 2020

Hi guys,

Just tried the new release v0.3.0 and got:

  1. Basic configuration - The ZAP Baseline scan has failed, starting to analyze the alerts. err: Error: The process '/usr/bin/docker' failed with exit code 2. After that, I saw there is a new parameter fail_action.
  2. Tried the fail_action parameter in with, with the value true or false, which produces the error Unexpected input(s) 'fail_action', valid inputs are ['token', 'target', 'rules_file_name', 'docker_name', 'cmd_options', 'issue_title']

By default the ZAP Docker container will fail, which is alright, but can we add fail_action and set it to false if we want to ignore warnings, so that the action passes?

Thanks

@kingthorin
Member

@njox the fail_action handling hasn't been released yet. You'd have to use the action based on commit id or wait for v0.4.0
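
The two options discussed above (a rules file that moves selected rules from WARN to IGNORE, and the fail_action input that arrives with v0.4.0), combined in one workflow as an added example that is not part of the original thread. The action reference is written out as zaproxy/action-baseline at the release the thread names; the rule ids are existing ZAP passive-scan rules picked for illustration, and the file path, target URL and choice of rules are assumptions.

```yaml
# File 1: .zap/rules.tsv, committed to the repository (path is an assumption).
# One rule per line, three TAB-separated columns: rule id, action, free-text name.
# Constructed sample content (<TAB> stands for a literal tab character):
#
#   10020<TAB>IGNORE<TAB>(Anti-clickjacking Header)
#   10021<TAB>IGNORE<TAB>(X-Content-Type-Options Header Missing)
#   10038<TAB>WARN<TAB>(Content Security Policy (CSP) Header Not Set)
#
# Rules set to IGNORE no longer count towards WARN-NEW, so they cannot
# produce the "exit code 2" seen in this thread. Rules left at WARN still do.

# File 2: the workflow.
on: [push]

jobs:
  zap_scan:
    runs-on: ubuntu-latest
    name: Scan the web application
    steps:
      # Checkout first so the rules file is present in the workspace.
      - name: Checkout
        uses: actions/checkout@v2
      - name: ZAP Scan
        uses: zaproxy/action-baseline@v0.4.0
        with:
          target: 'https://staging.example.com'   # placeholder target
          rules_file_name: '.zap/rules.tsv'
          # false: remaining alerts are still reported, but the job
          # status is not failed because of them.
          fail_action: false
```

Only ignore a rule after reviewing why it fires on the target; leaving the rest at WARN keeps new findings visible in the report.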

@masonator

Having the same problem and tried the various workarounds but didn't have any luck. Is there an ETA for v0.4.0 currently? Would love to start using the action in production, but at the moment it fails our builds.

@thc202
Member

thc202 commented Oct 16, 2020

For the record, the new version is now available.

@njox
Author

njox commented Oct 16, 2020

Currently, I can't check the new version, but someone can test it, and if everything seems to be ok then the issue can be closed.

Thanks

@richAtreides

> Currently, I can't check the new version, but someone can test it, and if everything seems to be ok then the issue can be closed.
>
> Thanks

I'll be online in about an hour and can test it to close the issue.

@thc202
Member

thc202 commented Oct 16, 2020

The issue should be kept open as the deprecation was not yet addressed.

@SamRobinsonDev

Issue still seems to be reproducing on v0.4.0, albeit with an exit code 3 instead of 2.

Error: failed to scan the target: Error: The process '/usr/bin/docker' failed with exit code 3

@kingthorin
Member

@SamRobinson123 please provide a link to your config/use.

@SamRobinsonDev

SamRobinsonDev commented Nov 9, 2020

@kingthorin Workflow is part of a private repository and so I'll put it here.

Please note, I've removed the target website in this example.

on: [push]

jobs:
  zap_scan:
    runs-on: ubuntu-latest
    name: Scan the web application
    steps:
      - name: Checkout
        uses: actions/checkout@v2
        with:
          ref: main
      - name: ZAP Scan
        uses: zaproxy/[email protected]
        with:
          # target URL removed by the poster
          target: 'My target'

@kingthorin
Member

Thanks.

You mentioned your use exited with code 3, that's not related to Alerts, you seem to have some other failure.
Ref: https://github.com/zaproxy/zaproxy/blob/efb404d38280dc9ecf8f88c9b0c658385861bdcf/docker/zap-baseline.py#L31-L35

@kingthorin
Member

> The issue should be kept open as the deprecation was not yet addressed.

@sshniro is addressing the deprecation warning as simple as updating our dependencies?

@thc202
Member

thc202 commented Nov 9, 2020

The update would address the warning (actions/toolkit#333), not sure if it's as simple as that, it's a major update (from 1.x to 2.x).

@sshniro
Member

sshniro commented Dec 6, 2020

Hi @kingthorin , I will test this scenario in the coming weekend and will send a PR.

@rubaljain

Was this issue resolved? Do we have configurable fail_action to pass the workflow even if we observe the findings?

@thc202
Member

thc202 commented Sep 6, 2021

The issue #31 was resolved and released in the latest version.

@rxerium

rxerium commented Feb 1, 2023

Hey, did anyone find a fix for the Octokit dependency issue? I'm running zaproxy/[email protected]. Thanks

@thc202
Member

thc202 commented Jun 30, 2023

This no longer happens with the latest version (v0.8.0).

@thc202 thc202 closed this as completed Jun 30, 2023