
I have the latest version of Jenkins and have installed the OWASP ZAP plugin, with the latest version, 2.10.0. I get an error when adding Execute ZAP as a build step: if I click Save after adding it, I get an error, and in the log I see:

2021-04-04 14:06:09.460+0000 [id=15]    WARNING o.e.j.s.h.ContextHandler$Context#log: Error while serving http://localhost:8080/job/zap-project/configSubmit
java.lang.NullPointerException
    at org.jenkinsci.plugins.zap.ZAPBuilder.<init>(ZAPBuilder.java:94)
    at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
    at java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:490)
    at org.kohsuke.stapler.RequestImpl.invokeConstructor(RequestImpl.java:530)
    at org.kohsuke.stapler.RequestImpl.instantiate(RequestImpl.java:794)
    at org.kohsuke.stapler.RequestImpl.access$200(RequestImpl.java:84)
    at org.kohsuke.stapler.RequestImpl$TypePair.convertJSON(RequestImpl.java:679)
    at org.kohsuke.stapler.RequestImpl.bindJSON(RequestImpl.java:479)
    at org.kohsuke.stapler.RequestImpl.bindJSON(RequestImpl.java:475)
    at hudson.model.Descriptor.newInstance(Descriptor.java:598)
Caused: java.lang.Error: Failed to instantiate class org.jenkinsci.plugins.zap.ZAPBuilder from {"zapHost":"localhost","zapPort":"8090","startZAPFirst":false,"jdk":"InheritFromJob","autoInstall":"true","toolUsed":"ZAP_2.10.0","zapHome":"ZAPROXY_HOME","timeout":"60","zapSettingsDir":"","autoLoadSession":"true","loadSession":"","sessionFilename":"","removeExternalSites":false,"internalSites":"","contextName":"","includedURL":"","excludedURL":"","alertFilters":"","authMode":false,"username":"","password":"[value redacted]","$redact":"password","loggedInIndicator":"","loggedOutIndicator":"","authMethod":"FORM_BASED","loginURL":"","usernameParameter":"","passwordParameter":"","extraPostData":"","authScript":"","scriptParameterName":"","scriptParameterValue":"","targetURL":"","spiderScanURL":false,"spiderScanRecurse":true,"spiderScanSubtreeOnly":false,"spiderScanMaxChildrenToCrawl":"0","ajaxSpiderURL":false,"ajaxSpiderInScopeOnly":false,"activeScanURL":false,"activeScanPolicy":"","activeScanRecurse":true,"generateReports":false,"deleteReports":false,"reportFilename":"JENKINS_ZAP_VULNERABILITY_REPORT","selectedReportMethod":"DEFAULT_REPORT","selectedReportFormats":[],"selectedExportFormats":[],"exportreportTitle":"","exportreportBy":"","exportreportFor":"","exportreportScanDate":"","exportreportReportDate":"","exportreportScanVersion":"","exportreportReportVersion":"","exportreportReportDescription":"","exportreportAlertHigh":true,"exportreportAlertMedium":true,"exportreportAlertLow":true,"exportreportAlertInformational":true,"exportreportCWEID":true,"exportreportWASCID":true,"exportreportDescription":true,"exportreportOtherInfo":true,"exportreportSolution":true,"exportreportReference":true,"exportreportRequestHeader":false,"exportreportResponseHeader":false,"exportreportRequestBody":false,"exportreportResponseBody":false,"jiraCreate":false,"jiraProjectKey":"","jiraAssignee":"","jiraAlertHigh":false,"jiraAlertMedium":false,"jiraAlertLow":false,"jiraFilterIssuesByResourceTyp
e":false,"stapler-class":"org.jenkinsci.plugins.zap.ZAPBuilder","$class":"org.jenkinsci.plugins.zap.ZAPBuilder"}
    at hudson.model.Descriptor.newInstance(Descriptor.java:606)
    at hudson.model.Descriptor.newInstancesFromHeteroList(Descriptor.java:1075)
    at hudson.model.Descriptor.newInstancesFromHeteroList(Descriptor.java:1037)
    at hudson.util.DescribableList.rebuildHetero(DescribableList.java:208)
    at hudson.model.Project.submit(Project.java:230)
    at hudson.model.Job.doConfigSubmit(Job.java:1335)
    at hudson.model.AbstractProject.doConfigSubmit(AbstractProject.java:768)
    at java.base/java.lang.invoke.MethodHandle.invokeWithArguments(MethodHandle.java:710)
    at org.kohsuke.stapler.Function$MethodFunction.invoke(Function.java:396)
Caused: java.lang.reflect.InvocationTargetException
    at org.kohsuke.stapler.Function$MethodFunction.invoke(Function.java:400)
    at org.kohsuke.stapler.Function$InstanceFunction.invoke(Function.java:408)
    at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:212)
    at org.kohsuke.stapler.SelectionInterceptedFunction$Adapter.invoke(SelectionInterceptedFunction.java:36)
    at org.kohsuke.stapler.verb.HttpVerbInterceptor.invoke(HttpVerbInterceptor.java:48)
    at org.kohsuke.stapler.SelectionInterceptedFunction.bindAndInvoke(SelectionInterceptedFunction.java:26)
    at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:145)
    at org.kohsuke.stapler.MetaClass$11.doDispatch(MetaClass.java:536)
    at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
    at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:766)
    at org.kohsuke.stapler.Stapler.invoke(Stapler.java:898)
    at org.kohsuke.stapler.MetaClass$4.doDispatch(MetaClass.java:281)
    at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
    at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:766)
    at org.kohsuke.stapler.Stapler.invoke(Stapler.java:898)
    at org.kohsuke.stapler.Stapler.invoke(Stapler.java:694)
    at org.kohsuke.stapler.Stapler.service(Stapler.java:240)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:791)
    at org.eclipse.jetty.servlet.ServletHandler$ChainEnd.doFilter(ServletHandler.java:1626)
    at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
    at jenkins.telemetry.impl.UserLanguages$AcceptLanguageFilter.doFilter(UserLanguages.java:129)
    at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
    at jenkins.security.ResourceDomainFilter.doFilter(ResourceDomainFilter.java:76)
    at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
    at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:157)
    at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
    at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
    at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:153)
    at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
    at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:92)
    at jenkins.security.AcegiSecurityExceptionFilter.doFilter(AcegiSecurityExceptionFilter.java:52)
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:97)
    at hudson.security.UnwrapSecurityExceptionFilter.doFilter(UnwrapSecurityExceptionFilter.java:51)
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:97)
    at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:119)
    at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:97)
    at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:105)
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:97)
    at org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter.doFilter(RememberMeAuthenticationFilter.java:101)
    at org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter.doFilter(RememberMeAuthenticationFilter.java:92)
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:97)
    at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:218)
    at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:212)
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:97)
    at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:93)
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:97)
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:110)
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:80)
    at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:62)
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:97)
    at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:109)
    at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:168)
    at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
    at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
    at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:51)
    at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
    at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
    at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:82)
    at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
    at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
    at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30)
    at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
    at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
    at jenkins.security.SuspiciousRequestFilter.doFilter(SuspiciousRequestFilter.java:36)
    at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
    at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
    at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:548)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
    at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:578)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:235)
    at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1624)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233)
    at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1435)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188)
    at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:501)
    at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1594)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186)
    at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1350)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
    at org.eclipse.jetty.server.Server.handle(Server.java:516)
    at org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:388)
    at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:633)
    at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:380)
    at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:279)
    at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)
    at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)
    at org.eclipse.jetty.io.ChannelEndPoint$1.run(ChannelEndPoint.java:104)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:336)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:313)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:171)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:129)
    at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:383)
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:882)
    at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1036)
    at java.base/java.lang.Thread.run(Thread.java:834)

How can I solve this problem? Thanks in advance

Arianna
  • I am facing the same issue too. It may be a plugin compatibility issue with the newer version of Jenkins. This plugin hasn't been updated in ages. – Sasidhar Apr 05 '21 at 11:31

1 Answer


This issue is with the newer version of Jenkins. I cannot downgrade my Jenkins for various reasons and have to use the newer version. So I downloaded an older Jenkins WAR and launched it temporarily. I installed the official ZAP plugin there, and was able to save the build step without any issues. I copied that job's configuration file, config.xml, back to my new Jenkins job and reloaded the configuration from disk. The execution went fine, but I am still not able to make any modifications to this job through the browser on the newer version of Jenkins. Any configuration change that is needed I make by editing the config file directly and reloading the configuration from disk.

If you have to stay on the newer version of Jenkins, you can place this configuration in your job's config.xml file and modify the parameters as needed. After editing the file, reload the configuration from disk as described above.

<!-- Fragment of a Jenkins job config.xml: the <builders> section holding one ZAPBuilder build step.
     Host, port, directory and URL values are the ones used in the answer; adjust them per job. -->
<builders>
    <!-- plugin="zap@1.1.0" is the plugin name and version recorded in this step.
         NOTE(review): confirm it matches the plugin version installed on the instance this is pasted into. -->
    <org.jenkinsci.plugins.zap.ZAPBuilder plugin="zap@1.1.0">
      <startZAPFirst>false</startZAPFirst>
      <zaproxy>
        <startZAPFirst>false</startZAPFirst>
        <!-- ZAP host and port for this step; the same two values are repeated after </zaproxy>.
             Keeping the host on localhost keeps the ZAP listener off the network. -->
        <zapHost>localhost</zapHost>
        <zapPort>8081</zapPort>
        <evaluatedZapPort>0</evaluatedZapPort>
        <cmdLinesZAP/>
        <jdk>InheritFromJob</jdk>
        <toolUsed></toolUsed>
        <zapHome>ZAPROXY_HOME</zapHome>
        <timeout>60</timeout>
        <autoInstall>false</autoInstall>
        <!-- Windows path taken from the answer author's machine; presumably this must be the ZAP
             settings directory of the account that runs the build (verify on your agent). -->
        <zapSettingsDir>C:\Users\admin\OWASP ZAP</zapSettingsDir>
        <autoLoadSession>false</autoLoadSession>
        <loadSession></loadSession>
        <sessionFilename>zap_test</sessionFilename>
        <removeExternalSites>false</removeExternalSites>
        <internalSites></internalSites>
        <contextName>default</contextName>
        <excludedURL></excludedURL>
        <!-- Scope URL; the same URL is used as targetURL further down. In the question's log, Jenkins
             itself is served at http://localhost:8080, so replace both with the application under test. -->
        <includedURL>http://localhost:8080</includedURL>
        <alertFilters></alertFilters>
        <!-- authMode is false and the credential fields are left empty. Because this file is edited by
             hand, anything typed into <password> (or <jiraPassword> below) stays in config.xml as typed.
             NOTE(review): check how the plugin stores these fields and restrict read access to the file. -->
        <authMode>false</authMode>
        <username></username>
        <password></password>
        <loggedInIndicator></loggedInIndicator>
        <loggedOutIndicator></loggedOutIndicator>
        <authMethod>FORM_BASED</authMethod>
        <loginURL></loginURL>
        <usernameParameter></usernameParameter>
        <passwordParameter></passwordParameter>
        <extraPostData></extraPostData>
        <authScript></authScript>
        <authScriptParams/>
        <!-- spiderScanURL, ajaxSpiderURL and activeScanURL are all true here (they were false in the form
             data shown in the question), so this step crawls and actively scans whatever answers at
             targetURL. -->
        <targetURL>http://localhost:8080</targetURL>
        <spiderScanURL>true</spiderScanURL>
        <spiderScanRecurse>true</spiderScanRecurse>
        <spiderScanSubtreeOnly>false</spiderScanSubtreeOnly>
        <spiderScanMaxChildrenToCrawl>0</spiderScanMaxChildrenToCrawl>
        <ajaxSpiderURL>true</ajaxSpiderURL>
        <ajaxSpiderInScopeOnly>false</ajaxSpiderInScopeOnly>
        <activeScanURL>true</activeScanURL>
        <activeScanRecurse>true</activeScanRecurse>
        <activeScanPolicy></activeScanPolicy>
        <!-- Report generation is on, with html as the only selected report format. -->
        <generateReports>true</generateReports>
        <deleteReports>false</deleteReports>
        <reportFilename>JENKINS_ZAP_VULNERABILITY_REPORT</reportFilename>
        <selectedReportMethod>DEFAULT_REPORT</selectedReportMethod>
        <selectedReportFormats>
          <string>html</string>
        </selectedReportFormats>
        <selectedExportFormats/>
        <exportreportTitle></exportreportTitle>
        <exportreportBy></exportreportBy>
        <exportreportFor></exportreportFor>
        <exportreportScanDate></exportreportScanDate>
        <exportreportReportDate></exportreportReportDate>
        <exportreportScanVersion></exportreportScanVersion>
        <exportreportReportVersion></exportreportReportVersion>
        <exportreportReportDescription></exportreportReportDescription>
        <exportreportAlertHigh>true</exportreportAlertHigh>
        <exportreportAlertMedium>true</exportreportAlertMedium>
        <exportreportAlertLow>true</exportreportAlertLow>
        <exportreportAlertInformational>true</exportreportAlertInformational>
        <exportreportCWEID>true</exportreportCWEID>
        <exportreportWASCID>true</exportreportWASCID>
        <exportreportDescription>true</exportreportDescription>
        <exportreportOtherInfo>true</exportreportOtherInfo>
        <exportreportSolution>true</exportreportSolution>
        <exportreportReference>true</exportreportReference>
        <!-- Request/response headers and bodies are excluded from the export; they can carry session
             tokens or submitted form data, so leave these false unless the report is access-controlled. -->
        <exportreportRequestHeader>false</exportreportRequestHeader>
        <exportreportResponseHeader>false</exportreportResponseHeader>
        <exportreportRequestBody>false</exportreportRequestBody>
        <exportreportResponseBody>false</exportreportResponseBody>
        <!-- Jira integration is off (jiraCreate is false) and its URL and credential fields are empty. -->
        <jiraCreate>false</jiraCreate>
        <jiraBaseURL></jiraBaseURL>
        <jiraUsername></jiraUsername>
        <jiraPassword></jiraPassword>
        <jiraProjectKey></jiraProjectKey>
        <jiraAssignee></jiraAssignee>
        <jiraAlertHigh>false</jiraAlertHigh>
        <jiraAlertMedium>false</jiraAlertMedium>
        <jiraAlertLow>false</jiraAlertLow>
        <jiraFilterIssuesByResourceType>false</jiraFilterIssuesByResourceType>
      </zaproxy>
      <!-- Same host and port as inside <zaproxy>; keep the two pairs in sync when editing by hand. -->
      <zapHost>localhost</zapHost>
      <zapPort>8081</zapPort>
    </org.jenkinsci.plugins.zap.ZAPBuilder>
  </builders>
Sasidhar
  • To be clear, although it may be named 'official', the core team has no access to the Jenkins pages or content and does not maintain it. – kingthorin Apr 08 '21 at 02:30