Failed to load DAST report

Summary

Even I can see that the reported was generated and published to the artifact, I still receive Failed to load DAST report message on MR page.

Steps to reproduce

Init a blank project with .gitlab-ci.yml in it with below content:

image: busybox:latest

dast:
  image: owasp/zap2docker-stable
  variables:
    website: "https://hantran.info/"
  script:
    - mkdir /zap/wrk/
    - /zap/zap-baseline.py -J gl-dast-report.json -t $website || true
    - cp /zap/wrk/gl-dast-report.json .
  artifacts:
    paths: [gl-dast-report.json]

Do commit and create merge request.

After the job done, it's shown Failed to load DAST report

I tried to debug the request (from Chrome Browser) then I see that the report Json URL work fine.

Example Project

https://gitlab.com/han.tran.yamaneco/dast/

What is the current bug behavior?

DAST report was not displayed!

What is the expected correct behavior?

DAST report should be displayed!

Relevant logs and/or screenshots

DAST job log:

Expand for output related to DAST job log

Running with gitlab-runner 10.4.0 (857480b6) on docker-auto-scale (72989761) Using Docker executor with image owasp/zap2docker-stable ... Using docker image sha256:f468c85b2ffaddcd43e2b433515c0f8921c7b76642f5eeef9ec95be40b286309 for predefined container... Pulling docker image owasp/zap2docker-stable ... Using docker image owasp/zap2docker-stable ID=sha256:40848e80b7fbb18e00340d40502795c35d321ce193bc0b96726d92911923bacb for build container... Running on runner-72989761-project-5368699-concurrent-0 via runner-72989761-srm-1517819141-ea415dc7... Cloning repository... Cloning into '/builds/han.tran.yamaneco/dast'... Checking out 6f572f5b as test... Skipping Git submodules setup $ mkdir /zap/wrk/ $ /zap/zap-baseline.py -J gl-dast-report.json -t $website || true _XSERVTransmkdir: ERROR: euid != 0,directory /tmp/.X11-unix will not be created. Feb 05, 2018 8:28:13 AM java.util.prefs.FileSystemPreferences$1 run INFO: Created user preferences directory. Total of 187 URLs PASS: Content-Type Header Missing [10019] PASS: Information Disclosure - Debug Error Messages [10023] PASS: Information Disclosure - Sensitive Informations in URL [10024] PASS: Information Disclosure - Sensitive Information in HTTP Referrer Header [10025] PASS: HTTP Parameter Override [10026] PASS: Information Disclosure - Suspicious Comments [10027] PASS: Viewstate Scanner [10032] PASS: Weak Authentication Method [10105] PASS: Private IP Disclosure [2] PASS: Session ID in URL Rewrite [3] PASS: Script Passive Scan Rules [50001] PASS: Insecure JSF ViewState [90001] PASS: Charset Mismatch [90011] PASS: Application Error Disclosure [90022] PASS: Loosely Scoped Cookie [90033] WARN-NEW: Cookie No HttpOnly Flag [10010] x 10 https://hantran.info/wp-login.php https://hantran.info/wp-login.php?reauth=1&redirect_to=https%3A%2F%2Fhantran.info%2Fwp-admin%2F https://hantran.info/wp-login.php?reauth=1&redirect_to=https%3A%2F%2Fhantran.info%2Fwp-admin%2F https://hantran.info/wp-login.php?reauth=1&redirect_to=https%3A%2F%2Fhantran.info%2Fwp-admin%2F https://hantran.info/wp-login.php?reauth=1&redirect_to=https%3A%2F%2Fhantran.info%2Fwp-admin%2F WARN-NEW: Cookie Without Secure Flag [10011] x 7 https://hantran.info/ https://hantran.info/robots.txt https://hantran.info/wp-login.php?reauth=1&redirect_to=https%3A%2F%2Fhantran.info%2Fwp-admin%2F https://hantran.info/wp-login.php?reauth=1&redirect_to=https%3A%2F%2Fhantran.info%2Fwp-admin%2F https://hantran.info/wp-login.php?reauth=1&redirect_to=https%3A%2F%2Fhantran.info%2Fwp-admin%2F WARN-NEW: Incomplete or No Cache-control and Pragma HTTP Header Set [10015] x 102 https://hantran.info/ https://hantran.info/robots.txt https://hantran.info/sitemap.xml https://hantran.info/about-me/ https://hantran.info/contact/ WARN-NEW: Web Browser XSS Protection Not Enabled [10016] x 52 https://hantran.info/ https://hantran.info/about-me/ https://hantran.info/contact/ https://hantran.info/privacy-policy/ https://hantran.info/author/hantran/ WARN-NEW: Cross-Domain JavaScript Source File Inclusion [10017] x 46 https://hantran.info/ https://hantran.info/about-me/ https://hantran.info/contact/ https://hantran.info/privacy-policy/ https://hantran.info/author/hantran/ WARN-NEW: Multiple X-Frame-Options Header Entries [10020] x 5 https://hantran.info/wp-login.php https://hantran.info/wp-login.php?reauth=1&redirect_to=https%3A%2F%2Fhantran.info%2Fwp-admin%2F https://hantran.info/wp-login.php?action=lostpassword https://hantran.info/wp-login.php https://hantran.info/wp-login.php?action=lostpassword WARN-NEW: X-Content-Type-Options Header Missing [10021] x 3 https://hantran.info/wp-includes/images/smilies/simple-smile.png https://hantran.info/wp-content/uploads/2016/06/gif-xf.gif https://hantran.info/wp-content/uploads/2016/06/ZtOSY.png WARN-NEW: Secure Pages Include Mixed Content [10040] x 2 https://hantran.info/ios-why-itunesconnect-show-up-ifda-when-release-app/ https://hantran.info/xenforo-how-to-create-an-input-box-with-autocomplete-for-username/ WARN-NEW: Absence of Anti-CSRF Tokens [10202] x 64 https://hantran.info/ https://hantran.info/about-me/ https://hantran.info/contact/ https://hantran.info/privacy-policy/ https://hantran.info/author/hantran/ FAIL-NEW: 0 FAIL-INPROG: 0 WARN-NEW: 9 WARN-INPROG: 0 INFO: 0 IGNORE: 0 PASS: 15 $ cp /zap/wrk/gl-dast-report.json . Uploading artifacts... gl-dast-report.json: found 1 matching files
Uploading artifacts to coordinator... ok id=51040630 responseStatus=201 Created token=TzHzhBav Job succeeded

MR: han.tran.yamaneco/dast!1

DAST report JSON file: https://gitlab.com/han.tran.yamaneco/dast/-/jobs/51040630/artifacts/raw/gl-dast-report.json

Output of checks

This bugs happened on Gitlab.Com and my EEU local instance.

Results of GitLab environment info

Expand for output related to GitLab environment info

Version: 10.4.2-ee Revision: 30275e2 Directory: /opt/gitlab/embedded/service/gitlab-rails DB Adapter: postgresql DB Version: 9.6.5 URL: http://gitlab.ee.com HTTP Clone URL: http://gitlab.ee.com/some-group/some-project.git SSH Clone URL: git@gitlab.ee.com:some-group/some-project.git Elasticsearch: no Geo: no Using LDAP: no Using Omniauth: no

Results of GitLab application Check

Expand for output related to the GitLab application check

Checking GitLab Shell ...

GitLab Shell version >= 5.11.0 ? ... OK (5.11.0) Repo base directory exists? default... yes Repo storage directories are symlinks? default... no Repo paths owned by git:root, or git:git? default... yes Repo paths access is drwxrws---? default... yes hooks directories in repos are links: ... 2/1 ... ok Running /opt/gitlab/embedded/service/gitlab-shell/bin/check Check GitLab API access: OK Redis available via internal API: OK

Access to /var/opt/gitlab/.ssh/authorized_keys: OK gitlab-shell self-check successful

Checking GitLab Shell ... Finished

Checking Sidekiq ...

Running? ... yes Number of Sidekiq processes ... 1

Checking Sidekiq ... Finished

Reply by email is disabled in config/gitlab.yml Checking LDAP ...

LDAP is disabled in config/gitlab.yml

Checking LDAP ... Finished

Checking GitLab ...

Git configured correctly? ... yes Database config exists? ... yes All migrations up? ... yes Database contains orphaned GroupMembers? ... no GitLab config exists? ... yes GitLab config up to date? ... yes Log directory writable? ... yes Tmp directory writable? ... yes Uploads directory exists? ... yes Uploads directory has correct permissions? ... yes Uploads directory tmp has correct permissions? ... skipped (no tmp uploads folder yet) Init script exists? ... skipped (omnibus-gitlab has no init script) Init script up-to-date? ... skipped (omnibus-gitlab has no init script) Projects have namespace: ... 2/1 ... yes Redis version >= 2.8.0? ... yes Ruby version >= 2.3.5 ? ... yes (2.3.6) Git version >= 2.7.3 ? ... yes (2.14.3) Git user has default SSH configuration? ... yes Active users: ... 1 Elasticsearch version 5.1 - 5.5? ... skipped (elasticsearch is disabled)

Checking GitLab ... Finished