Show ZAP rule execution time in scan summary
Problem to solve
Different DAST scan rules take varying amounts of time to complete depending on the target web application. If the scan rule execution time is provided in the scan summary, it will help identify long-running scan rules. Users can then act on those rules, for example by disabling a rule that is not important or relevant to the target, or by tweaking the scan parameters so the rule completes faster. This will ultimately help users configure faster and more effective DAST scans.
Intended users
- Sasha (Software Developer)
- Devon (DevOps Engineer)
- Sam (Security Analyst)
- Alex (Security Operations Engineer)
- Allison (Application Ops)
User experience goal
Users should be able to see the execution time of each scan rule in the scan summary, e.g.:
PASS: Cross Site Scripting (Persistent) - Prime [40016]: Took 10 minutes
PASS: Remote Code Execution - Shell Shock [10048]: Took 150 minutes
PASS: Cross Site Scripting (Persistent) - Spider [40017]: Took 20 minutes
PASS: Script Active Scan Rules [50000]: Took 7 minutes
PASS: Source Code Disclosure - Git [41]: Took 2 minutes
PASS: Source Code Disclosure - File Inclusion [43]: Took 30 minutes
Now the user can identify that Remote Code Execution - Shell Shock [10048] takes 150 minutes and is the main reason the scan takes so long to complete. The user can then decide whether this rule is applicable to the target application and worth running for 150 minutes, and either disable it or keep it running.
Proposal
Currently zap.out already logs, per scan rule, the time taken for execution. The time from these logs can be collected and summed per scan rule and displayed alongside the scan summary.
[zap.out] 3937350 [Thread-8] INFO org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin https://scan-target.com | TestExternalRedirect in 2813.043s with 33151 message(s) sent and 0 alert(2020-07-28 05:08:43,565 Starting new HTTP connection (1): localhost:46374
Implementation Plan
ScanSummaryService already possesses a list of each alert with its history record. We can use the sum of the timeelapsedmillis field from the history records for all alerts found by a given rule to get the total time the rule took to execute.
- Add timeelapsedmillis to the fields fetched by HttpMessagesQuery and the properties of HttpMessage
- In ScanSummaryService, sum up the time elapsed values for every alert related to a plugin, and add that number to the rule summary printed. Ex: PASS: Source Code Disclosure - File Inclusion [43]: Took 30 minutes
- Print the result as seconds if < 60 seconds, or minutes otherwise
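As an added illustration of the plan above (example code, not code from the dast project), the per-rule aggregation and formatting in Python over constructed alert records and constructed zap.out lines; the alert field names pluginId, name and history are assumed stand-ins for whatever ScanSummaryService actually holds:

```python
import re
from collections import defaultdict

# Constructed sample standing in for the alert list ScanSummaryService holds:
# each alert carries its plugin id, rule name and the history record of the
# HTTP message that raised it, including the timeelapsedmillis field.
ALERTS = [
    {"pluginId": 43, "name": "Source Code Disclosure - File Inclusion",
     "history": {"timeelapsedmillis": 1_500_000}},
    {"pluginId": 43, "name": "Source Code Disclosure - File Inclusion",
     "history": {"timeelapsedmillis": 300_000}},
    {"pluginId": 41, "name": "Source Code Disclosure - Git",
     "history": {"timeelapsedmillis": 45_000}},
]

# Constructed zap.out lines in the format quoted in the proposal above.
ZAP_OUT = """\
3937350 [Thread-8] INFO org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin https://scan-target.com | TestExternalRedirect in 2813.043s with 33151 message(s) sent and 0 alert(s)
3937400 [Thread-8] INFO org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin https://scan-target.com | TestSQLInjection in 59.250s with 120 message(s) sent and 2 alert(s)
"""
COMPLETED_RE = re.compile(r"completed host/plugin \S+ \| (\S+) in ([\d.]+)s with")


def format_duration(seconds):
    """Seconds when under one minute, whole minutes otherwise, per the plan."""
    if seconds < 60:
        return f"Took {round(seconds)} seconds"
    return f"Took {round(seconds / 60)} minutes"


def rule_times_from_alerts(alerts):
    """Sum timeelapsedmillis over every alert raised by the same plugin (in ms)."""
    totals = defaultdict(int)
    for alert in alerts:
        key = (alert["pluginId"], alert["name"])
        totals[key] += alert["history"]["timeelapsedmillis"]
    return dict(totals)


def rule_times_from_zap_out(log_text):
    """Alternative source: per-rule completion lines in zap.out, in seconds.
    Unlike the alert-based sum, this also covers rules that raised no alert."""
    totals = defaultdict(float)
    for match in COMPLETED_RE.finditer(log_text):
        totals[match.group(1)] += float(match.group(2))
    return dict(totals)


def summary_lines(alerts):
    """Render the 'PASS: <name> [<id>]: Took ...' lines for the scan summary."""
    return [f"PASS: {name} [{pid}]: {format_duration(ms / 1000)}"
            for (pid, name), ms in sorted(rule_times_from_alerts(alerts).items())]
```

Summing per-alert history records yields zero for a rule that sent many requests but raised no alert, such as TestExternalRedirect in the zap.out line above (33151 messages, 0 alerts), which is why the zap.out parser is included alongside the alert-based sum.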