Remove verbose log output from ZAP

This is a follow-up issue to gitlab-org/security-products/dast!42 (merged). In that MR, ZAP's log file is tailed into the job log, which makes it easier to follow an ongoing DAST scan. Unfortunately, ZAP's log output is currently very verbose, which makes it more likely that important error messages get missed.

There are many exceptions being logged due to the spider having problems parsing responses. I don't see any value in logging these messages for end users. For example:

[zap.out] 78917 [ZAP-SpiderInitThread-0] INFO org.zaproxy.zap.spider.Spider  - Starting spider...
[zap.out] 79571 [ZAP-SpiderThreadPool-0-thread-1] WARN io.swagger.parser.util.DeserializationUtils  - Error snake-parsing yaml content
[zap.out] io.swagger.parser.util.DeserializationUtils$SnakeException: Exception safe-checking yaml content  (maxDepth 2000)
[zap.out] 	at io.swagger.parser.util.DeserializationUtils$CustomSnakeYamlConstructor.getSingleData(DeserializationUtils.java:300)
[zap.out] 	at org.yaml.snakeyaml.Yaml.loadFromReader(Yaml.java:524)
[zap.out] 	at org.yaml.snakeyaml.Yaml.load(Yaml.java:437)
[zap.out] 	at io.swagger.parser.util.DeserializationUtils.readYamlTree(DeserializationUtils.java:137)
[zap.out] 	at io.swagger.parser.Swagger20Parser.deserializeYaml(Swagger20Parser.java:83)
[zap.out] 	at io.swagger.parser.Swagger20Parser.convertToSwagger(Swagger20Parser.java:125)
[zap.out] 	at io.swagger.parser.Swagger20Parser.parse(Swagger20Parser.java:156)
[zap.out] 	at io.swagger.parser.SwaggerParser.parse(SwaggerParser.java:135)
[zap.out] 	at io.swagger.parser.SwaggerParser.parse(SwaggerParser.java:129)
[zap.out] 	at org.zaproxy.zap.extension.openapi.converter.swagger.SwaggerConverter.readOpenAPISpec(SwaggerConverter.java:90)
[zap.out] 	at org.zaproxy.zap.extension.openapi.converter.swagger.SwaggerConverter.getRequestModels(SwaggerConverter.java:76)
[zap.out] 	at org.zaproxy.zap.extension.openapi.OpenApiSpider.parseResource(OpenApiSpider.java:58)
[zap.out] 	at org.zaproxy.zap.spider.SpiderTask.processResource(SpiderTask.java:415)
[zap.out] 	at org.zaproxy.zap.spider.SpiderTask.runImpl(SpiderTask.java:267)
[zap.out] 	at org.zaproxy.zap.spider.SpiderTask.run(SpiderTask.java:190)
[zap.out] 	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
[zap.out] 	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
[zap.out] 	at java.lang.Thread.run(Thread.java:748)
[zap.out] Caused by: mapping values are not allowed here
[zap.out]  in 'string', line 2, column 9:
[zap.out]      * Build: http://modernizr.com/download/ ... 
[zap.out]             ^
[zap.out] 
[zap.out] 	at org.yaml.snakeyaml.scanner.ScannerImpl.fetchValue(ScannerImpl.java:870)
[zap.out] 	at org.yaml.snakeyaml.scanner.ScannerImpl.fetchMoreTokens(ScannerImpl.java:358)
[zap.out] 	at org.yaml.snakeyaml.scanner.ScannerImpl.peekToken(ScannerImpl.java:250)
[zap.out] 	at org.yaml.snakeyaml.parser.ParserImpl$ParseDocumentEnd.produce(ParserImpl.java:253)
[zap.out] 	at org.yaml.snakeyaml.parser.ParserImpl.peekEvent(ParserImpl.java:158)
[zap.out] 	at org.yaml.snakeyaml.parser.ParserImpl.getEvent(ParserImpl.java:168)
[zap.out] 	at org.yaml.snakeyaml.composer.Composer.getNode(Composer.java:87)
[zap.out] 	at org.yaml.snakeyaml.composer.Composer.getSingleNode(Composer.java:108)
[zap.out] 	at io.swagger.parser.util.DeserializationUtils$CustomSnakeYamlConstructor.getSingleData(DeserializationUtils.java:279)
[zap.out] 	... 17 more

Consider changing the log config to reduce the noise. ZAP uses log4j under the hood. For an example log config, see https://gitlab.com/gitlab-org/security-products/dast/blob/master/config/zap-log4j.properties.
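As an added illustration (not code from the DAST project or ZAP), the filter below shows what a per-logger threshold such as `log4j.logger.io.swagger.parser=ERROR` achieves: it groups each tailed record with its stack-trace continuation lines and drops the whole group when its level is below the threshold of the nearest configured ancestor logger, the way log4j resolves levels through the dotted logger hierarchy. The record layout is assumed from the `[zap.out]` lines quoted in this issue, the threshold table is an assumed policy, and the two trailing sample lines are constructed.

```python
import re
from typing import Dict, Iterable, List

# Record header as it appears in the tailed output quoted in this issue:
# "[zap.out] 79571 [ZAP-SpiderThreadPool-0-thread-1] WARN io.swagger...  - msg"
HEADER = re.compile(
    r"^\[zap\.out\] (?P<ms>\d+) \[(?P<thread>[^\]]+)\] "
    r"(?P<level>TRACE|DEBUG|INFO|WARN|ERROR|FATAL) (?P<logger>\S+)\s+- (?P<msg>.*)$"
)
LEVELS: Dict[str, int] = {"TRACE": 0, "DEBUG": 1, "INFO": 2, "WARN": 3, "ERROR": 4, "FATAL": 5}

# Assumed policy, equivalent to "log4j.logger.<name>=LEVEL" lines: silence the
# swagger parser below ERROR, keep everything else at the root level INFO.
THRESHOLDS: Dict[str, str] = {"": "INFO", "io.swagger.parser": "ERROR"}

def threshold_for(logger: str) -> int:
    """Walk up the dotted logger name to the nearest configured ancestor."""
    name = logger
    while True:
        if name in THRESHOLDS:
            return LEVELS[THRESHOLDS[name]]
        if "." not in name:
            return LEVELS[THRESHOLDS[""]]
        name = name.rsplit(".", 1)[0]

def group_records(lines: Iterable[str]) -> List[List[str]]:
    """A header line plus every non-header line after it (stack trace, YAML
    snippet) forms one record, so a WARN and its 40-line trace stay together."""
    records: List[List[str]] = []
    for line in lines:
        if HEADER.match(line) or not records:
            records.append([line])
        else:
            records[-1].append(line)
    return records

def filter_zap_log(lines: Iterable[str]) -> List[str]:
    """Keep only records at or above their logger's threshold, whole."""
    kept: List[str] = []
    for rec in group_records(lines):
        m = HEADER.match(rec[0])
        if m is None or LEVELS[m["level"]] >= threshold_for(m["logger"]):
            kept.extend(rec)
    return kept

# Constructed sample, abbreviated from the output quoted above plus two
# constructed lines (an ERROR from the parser, a WARN from the spider).
SAMPLE = """\
[zap.out] 78917 [ZAP-SpiderInitThread-0] INFO org.zaproxy.zap.spider.Spider  - Starting spider...
[zap.out] 79571 [ZAP-SpiderThreadPool-0-thread-1] WARN io.swagger.parser.util.DeserializationUtils  - Error snake-parsing yaml content
[zap.out] io.swagger.parser.util.DeserializationUtils$SnakeException: Exception safe-checking yaml content  (maxDepth 2000)
[zap.out] \tat io.swagger.parser.util.DeserializationUtils$CustomSnakeYamlConstructor.getSingleData(DeserializationUtils.java:300)
[zap.out] Caused by: mapping values are not allowed here
[zap.out] \t... 17 more
[zap.out] 80001 [ZAP-SpiderThreadPool-0-thread-2] ERROR io.swagger.parser.util.DeserializationUtils  - constructed: parser failure worth seeing
[zap.out] 80002 [ZAP-SpiderInitThread-0] WARN org.zaproxy.zap.spider.Spider  - constructed: spider warning worth seeing
""".splitlines()

if __name__ == "__main__":
    print("\n".join(filter_zap_log(SAMPLE)))
```

Running it keeps the INFO line from the spider, the constructed ERROR and WARN lines, and drops the swagger WARN together with its trace.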
