From f7af4593dbeb99f1eae140295aa86fcc304909b0 Mon Sep 17 00:00:00 2001
From: Theauditor <228822721+TheAuditorTool@users.noreply.github.com>
Date: Mon, 13 Apr 2026 15:54:52 +0700
Subject: [PATCH 1/2] Add fetchZAPResults.sh script to download ZAP reports from a URL.

Adds a shell script that downloads a ZAP XML report from a remote ZAP instance via its REST API and saves it to the results/ directory. This enables scorecard generation when ZAP and Benchmark run in separate Docker containers without a shared filesystem.

Closes #21
---
 scripts/fetchZAPResults.sh | 60 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 60 insertions(+)
 create mode 100755 scripts/fetchZAPResults.sh

diff --git a/scripts/fetchZAPResults.sh b/scripts/fetchZAPResults.sh
new file mode 100755
index 0000000000..6253cc2daa
--- /dev/null
+++ b/scripts/fetchZAPResults.sh
@@ -0,0 +1,60 @@
+#!/usr/bin/env bash
+
+# Downloads a ZAP XML report from a URL and saves it to the results/ directory.
+# After downloading, run createScorecards.sh to generate the scorecard.
+#
+# Usage: scripts/fetchZAPResults.sh [OUTPUT_FILENAME]
+#
+# Examples:
+# scripts/fetchZAPResults.sh http://172.17.0.3:8090/OTHER/core/other/xmlreport/
+# scripts/fetchZAPResults.sh "http://zap:8090/OTHER/core/other/xmlreport/?apikey=abc123"
+# scripts/fetchZAPResults.sh http://zap:8090/OTHER/core/other/xmlreport/ my-zap-results.xml
+
+source scripts/requireCommand.sh
+
+requireCommand curl
+
+if [ $# -eq 0 ]; then
+ echo "Usage: $0 [OUTPUT_FILENAME]"
+ echo ""
+ echo "Downloads a ZAP XML report from the given URL and saves it to results/."
+ echo "After downloading, run createScorecards.sh to generate the scorecard."
+ echo ""
+ echo "Examples:"
+ echo " $0 http://172.17.0.3:8090/OTHER/core/other/xmlreport/"
+ echo " $0 \"http://zap:8090/OTHER/core/other/xmlreport/?apikey=abc123\""
+ echo " $0 http://zap:8090/OTHER/core/other/xmlreport/ my-zap-results.xml"
+ exit 1
+fi
+
+zap_url="$1"
+
+if [ $# -ge 2 ]; then
+ filename="$2"
+else
+ benchmark_version=$(scripts/getBenchmarkVersion.sh)
+ date_stamp=$(date +%Y%m%d)
+ filename="Benchmark_${benchmark_version}-ZAP-${date_stamp}.xml"
+fi
+
+output="results/$(unknown)"
+
+echo "Downloading ZAP report from: ${zap_url}"
+http_code=$(curl -sS -o "${output}" -w '%{http_code}' --connect-timeout 10 --max-time 120 "${zap_url}")
+
+if [ "${http_code}" -ne 200 ]; then
+ echo "ERROR: Download failed with HTTP status ${http_code}"
+ rm -f "${output}"
+ exit 1
+fi
+
+if ! head -2 "${output}" | grep -q "OWASPZAPReport"; then
+ echo "ERROR: Downloaded file does not appear to be a ZAP XML report."
+ echo "First 3 lines of downloaded content:"
+ head -3 "${output}"
+ rm -f "${output}"
+ exit 1
+fi
+
+echo "ZAP report saved to: ${output}"
+echo "To generate the scorecard, run: ./createScorecards.sh"
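Review bot: curl's exit status is discarded at `http_code=$(curl -sS -o "${output}" -w '%{http_code}' --connect-timeout 10 --max-time 120 "${zap_url}")`; only the `%{http_code}` written by `-w` is inspected, so a failure after the status line (a `--max-time` hit mid-body, a write error under `results/`) can leave a truncated file whose 200 still passes the `-ne 200` check and whose intact first lines still pass the `OWASPZAPReport` grep. Keeping the status explicit is a one-line change, `http_code=$(curl ... "${zap_url}") || { echo "ERROR: curl failed (exit $?)" >&2; rm -f "${output}"; exit 1; }`, and the same unchecked call survives as `http_code=$(curl "${curl_args[@]}" "${zap_url}")` in the second patch's hunk. Separately, `output="results/$(unknown)"` reads like a rendering artifact for `${filename}`; if it is literal, `unknown` is not a command and the download target collapses to `results/`. A `set -euo pipefail` after the shebang would also surface a failing `source scripts/requireCommand.sh` or `scripts/getBenchmarkVersion.sh` instead of continuing with empty values.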
From 987d40de328a749cbadee99d1b488081a9f7f6ee Mon Sep 17 00:00:00 2001
From: Theauditor <228822721+TheAuditorTool@users.noreply.github.com>
Date: Mon, 13 Apr 2026 18:15:22 +0700
Subject: [PATCH 2/2] Address review feedback on fetchZAPResults.sh

- Add mkdir -p results/ before curl writes to it (fixes failure on fresh clone)
- Pass API key via X-ZAP-API-Key header instead of URL query param (keeps key out of process list and shell history)
- Redirect all error/usage output to stderr
- Validate getBenchmarkVersion.sh output is non-empty before building filename
---
 scripts/fetchZAPResults.sh | 51 +++++++++++++++++++++++++------------
 1 file changed, 34 insertions(+), 17 deletions(-)

diff --git a/scripts/fetchZAPResults.sh b/scripts/fetchZAPResults.sh
index 6253cc2daa..060baed156 100755
--- a/scripts/fetchZAPResults.sh
+++ b/scripts/fetchZAPResults.sh
@@ -3,55 +3,72 @@
 # Downloads a ZAP XML report from a URL and saves it to the results/ directory.
 # After downloading, run createScorecards.sh to generate the scorecard.
 #
-# Usage: scripts/fetchZAPResults.sh [OUTPUT_FILENAME]
+# Usage: scripts/fetchZAPResults.sh [OUTPUT_FILENAME] [API_KEY]
 #
 # Examples:
 # scripts/fetchZAPResults.sh http://172.17.0.3:8090/OTHER/core/other/xmlreport/
-# scripts/fetchZAPResults.sh "http://zap:8090/OTHER/core/other/xmlreport/?apikey=abc123"
 # scripts/fetchZAPResults.sh http://zap:8090/OTHER/core/other/xmlreport/ my-zap-results.xml
+# scripts/fetchZAPResults.sh http://zap:8090/OTHER/core/other/xmlreport/ "" my-secret-api-key
 
 source scripts/requireCommand.sh
 
 requireCommand curl
 
 if [ $# -eq 0 ]; then
- echo "Usage: $0 [OUTPUT_FILENAME]"
- echo ""
- echo "Downloads a ZAP XML report from the given URL and saves it to results/."
- echo "After downloading, run createScorecards.sh to generate the scorecard."
- echo ""
- echo "Examples:"
- echo " $0 http://172.17.0.3:8090/OTHER/core/other/xmlreport/"
- echo " $0 \"http://zap:8090/OTHER/core/other/xmlreport/?apikey=abc123\""
- echo " $0 http://zap:8090/OTHER/core/other/xmlreport/ my-zap-results.xml"
+ echo "Usage: $0 [OUTPUT_FILENAME] [API_KEY]" >&2
+ echo "" >&2
+ echo "Downloads a ZAP XML report from the given URL and saves it to results/." >&2
+ echo "After downloading, run createScorecards.sh to generate the scorecard." >&2
+ echo "" >&2
+ echo "Arguments:" >&2
+ echo " ZAP_REPORT_URL URL to the ZAP XML report endpoint" >&2
+ echo " OUTPUT_FILENAME Optional custom filename (saved under results/)" >&2
+ echo " API_KEY Optional ZAP API key (passed via header, not in URL)" >&2
+ echo "" >&2
+ echo "Examples:" >&2
+ echo " $0 http://172.17.0.3:8090/OTHER/core/other/xmlreport/" >&2
+ echo " $0 http://zap:8090/OTHER/core/other/xmlreport/ my-zap-results.xml" >&2
+ echo " $0 http://zap:8090/OTHER/core/other/xmlreport/ \"\" my-secret-api-key" >&2
 exit 1
 fi
 
 zap_url="$1"
 
-if [ $# -ge 2 ]; then
+if [ -n "${2:-}" ]; then
 filename="$2"
 else
 benchmark_version=$(scripts/getBenchmarkVersion.sh)
+ if [ -z "${benchmark_version}" ]; then
+ echo "ERROR: Could not determine Benchmark version from pom.xml." >&2
+ exit 1
+ fi
 date_stamp=$(date +%Y%m%d)
 filename="Benchmark_${benchmark_version}-ZAP-${date_stamp}.xml"
 fi
 
+api_key="${3:-}"
+
+mkdir -p results/
 output="results/$(unknown)"
 
+curl_args=(-sS -o "${output}" -w '%{http_code}' --connect-timeout 10 --max-time 120)
+if [ -n "${api_key}" ]; then
+ curl_args+=(-H "X-ZAP-API-Key: ${api_key}")
+fi
+
 echo "Downloading ZAP report from: ${zap_url}"
-http_code=$(curl -sS -o "${output}" -w '%{http_code}' --connect-timeout 10 --max-time 120 "${zap_url}")
+http_code=$(curl "${curl_args[@]}" "${zap_url}")
 
 if [ "${http_code}" -ne 200 ]; then
- echo "ERROR: Download failed with HTTP status ${http_code}"
+ echo "ERROR: Download failed with HTTP status ${http_code}" >&2
 rm -f "${output}"
 exit 1
 fi
 
 if ! head -2 "${output}" | grep -q "OWASPZAPReport"; then
- echo "ERROR: Downloaded file does not appear to be a ZAP XML report."
- echo "First 3 lines of downloaded content:"
- head -3 "${output}"
+ echo "ERROR: Downloaded file does not appear to be a ZAP XML report." >&2
+ echo "First 3 lines of downloaded content:" >&2
+ head -3 "${output}" >&2
 rm -f "${output}"
 exit 1
 fi
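Review bot: The API key is still visible on command lines although the commit message says it is kept out of the process list: `api_key="${3:-}"` makes it a positional argument of the script, so it appears in `ps` output for the script's lifetime and in shell history just as the old query-parameter form did, and `curl_args+=(-H "X-ZAP-API-Key: ${api_key}")` places it on curl's argv as well. Reading it from an environment variable when `$3` is empty and passing it to curl through a header file (`-H @file`, available since curl 7.55.0, with the file created by `mktemp` and removed by an EXIT trap) keeps it off both command lines; the sketch below does that, and the usage text's `API_KEY` line would then describe the variable instead. The script's closing two `echo` lines fall after the end of this hunk.
```shell
api_key="${3:-${ZAP_API_KEY:-}}"

# … unchanged: mkdir -p results/, output=, base curl_args array …
if [ -n "${api_key}" ]; then
  header_file=$(mktemp) || exit 1
  trap 'rm -f -- "${header_file}"' EXIT
  printf 'X-ZAP-API-Key: %s\n' "${api_key}" > "${header_file}"
  curl_args+=(-H "@${header_file}")
fi
```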