Project 'gitlab-org/gitlab-ee' was moved to 'gitlab-org/gitlab'. Please update any links and bookmarks that may still have the old path.

Entry script of the DAST image can only parse short options, but auth params are long options

Summary

The entry script of the DAST image can only parse short options. When invoked with long options, as is necessary for the authentication-related options, option parsing fails.

Steps to reproduce

Run the DAST image with authentication parameters

docker run --rm -i -v $(pwd)/wrk:/zap/wrk/:rw dast /analyze \
  -t http://mysite.localhost/users/sign_in \
  --auth-url http://mysite.localhost/users/sign_in \
  --auth-username someone \
  --auth-password p@ssw0rd \
  --auth-username-field "user[login]" \
  --auth-password-field "user[password]"

What is the current bug behavior?

analyze fails to parse the -t parameter (https://gitlab.com/gitlab-org/security-products/dast/blob/master/analyze#L6-13). In consequence, the script does not check if the target website is reachable (https://gitlab.com/gitlab-org/security-products/dast/blob/master/analyze#L15-28).

The check if the website is reachable will time out and normal execution continues.

What is the expected correct behavior?

analyze should be able to parse short and long options.

Edited Feb 21, 2019 by Dennis Appelt