Entry script of the DAST image can only parse short options, but auth params are long options
Summary
The entry script of the DAST image parses only short options. When it is invoked with long options, which the authentication-related options require, option parsing fails.
Steps to reproduce
Run the DAST image with authentication parameters
docker run --rm -i -v $(pwd)/wrk:/zap/wrk/:rw dast /analyze \
-t http://mysite.localhost/users/sign_in \
--auth-url http://mysite.localhost/users/sign_in \
--auth-username someone \
--auth-password p@ssw0rd \
--auth-username-field "user[login]" \
--auth-password-field "user[password]"
What is the current bug behavior?
analyze fails to parse the -t parameter (https://gitlab.com/gitlab-org/security-products/dast/blob/master/analyze#L6-13). In consequence, the script does not check if the target website is reachable (https://gitlab.com/gitlab-org/security-products/dast/blob/master/analyze#L15-28): with no target set, the reachability check times out instead of confirming the site, and normal execution continues.
What is the expected correct behavior?
analyze should be able to parse short and long options.
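A parser that meets this expectation, written here as an added example and not the project's own analyze script: it accepts the short -t option and the long --auth-* options from the report (plus the --opt=value spelling), and refuses to continue without a target so a later reachability check cannot silently time out against an empty URL. The option names are taken from the report; the function and variable names are constructed for this example.

```shell
#!/bin/sh
# Added example, not the DAST analyze script. POSIX sh: no getopt(1) or
# bash-only getopts needed, so long options work in any /bin/sh.

# Fail cleanly when an option that needs a value is the last argument.
# $1 = option name, $2 = number of arguments still on the command line
need_value() {
    if [ "$2" -lt 2 ]; then
        echo "error: option $1 requires a value" >&2
        return 2
    fi
}

# Parses "$@" into TARGET and AUTH_* variables (names constructed here).
parse_args() {
    TARGET= AUTH_URL= AUTH_USERNAME= AUTH_PASSWORD=
    AUTH_USERNAME_FIELD= AUTH_PASSWORD_FIELD=
    while [ $# -gt 0 ]; do
        case "$1" in
            -t|--target)           need_value "$1" $# || return 2; TARGET=$2; shift 2 ;;
            --auth-url)            need_value "$1" $# || return 2; AUTH_URL=$2; shift 2 ;;
            --auth-username)       need_value "$1" $# || return 2; AUTH_USERNAME=$2; shift 2 ;;
            --auth-password)       need_value "$1" $# || return 2; AUTH_PASSWORD=$2; shift 2 ;;
            --auth-username-field) need_value "$1" $# || return 2; AUTH_USERNAME_FIELD=$2; shift 2 ;;
            --auth-password-field) need_value "$1" $# || return 2; AUTH_PASSWORD_FIELD=$2; shift 2 ;;
            --*=*)  # split --opt=value into "--opt" "value" and re-dispatch
                    opt=${1%%=*}; val=${1#*=}; shift
                    set -- "$opt" "$val" "$@" ;;
            --)     shift; break ;;               # end of options
            -*)     echo "error: unknown option: $1" >&2; return 2 ;;
            *)      break ;;                      # first positional argument
        esac
    done
    # The bug on this page: an unparsed -t leaves the target empty and the
    # reachability check times out. Reject that state explicitly instead.
    if [ -z "$TARGET" ]; then
        echo "error: a target URL (-t / --target) is required" >&2
        return 2
    fi
    return 0
}

# Stand-alone use: ./parse.sh -t http://mysite.localhost --auth-username someone
if [ $# -gt 0 ]; then
    parse_args "$@" && printf 'target=%s auth-url=%s user=%s\n' \
        "$TARGET" "$AUTH_URL" "$AUTH_USERNAME"
fi
```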
Edited by Dennis Appelt