Address review feedback on fetchZAPResults.sh

- Add mkdir -p results/ before curl writes to it (fixes failure on fresh clone)
- Pass API key via X-ZAP-API-Key header instead of URL query param (keeps
  key out of process list and shell history)
- Redirect all error/usage output to stderr
- Validate getBenchmarkVersion.sh output is non-empty before building filename

Author: TheAuditorTool

scripts/fetchZAPResults.sh

@@ -3,55 +3,72 @@
 # Downloads a ZAP XML report from a URL and saves it to the results/ directory.
 # After downloading, run createScorecards.sh to generate the scorecard.
 #
-# Usage: scripts/fetchZAPResults.sh <ZAP_REPORT_URL> [OUTPUT_FILENAME]
+# Usage: scripts/fetchZAPResults.sh <ZAP_REPORT_URL> [OUTPUT_FILENAME] [API_KEY]
 #
 # Examples:
 #   scripts/fetchZAPResults.sh http://172.17.0.3:8090/OTHER/core/other/xmlreport/
-#   scripts/fetchZAPResults.sh "http://zap:8090/OTHER/core/other/xmlreport/?apikey=abc123"
 #   scripts/fetchZAPResults.sh http://zap:8090/OTHER/core/other/xmlreport/ my-zap-results.xml
+#   scripts/fetchZAPResults.sh http://zap:8090/OTHER/core/other/xmlreport/ "" my-secret-api-key
 
 source scripts/requireCommand.sh
 
 requireCommand curl
 
 if [ $# -eq 0 ]; then
-    echo "Usage: $0 <ZAP_REPORT_URL> [OUTPUT_FILENAME]"
-    echo ""
-    echo "Downloads a ZAP XML report from the given URL and saves it to results/."
-    echo "After downloading, run createScorecards.sh to generate the scorecard."
-    echo ""
-    echo "Examples:"
-    echo "  $0 http://172.17.0.3:8090/OTHER/core/other/xmlreport/"
-    echo "  $0 \"http://zap:8090/OTHER/core/other/xmlreport/?apikey=abc123\""
-    echo "  $0 http://zap:8090/OTHER/core/other/xmlreport/ my-zap-results.xml"
+    echo "Usage: $0 <ZAP_REPORT_URL> [OUTPUT_FILENAME] [API_KEY]" >&2
+    echo "" >&2
+    echo "Downloads a ZAP XML report from the given URL and saves it to results/." >&2
+    echo "After downloading, run createScorecards.sh to generate the scorecard." >&2
+    echo "" >&2
+    echo "Arguments:" >&2
+    echo "  ZAP_REPORT_URL   URL to the ZAP XML report endpoint" >&2
+    echo "  OUTPUT_FILENAME   Optional custom filename (saved under results/)" >&2
+    echo "  API_KEY           Optional ZAP API key (passed via header, not in URL)" >&2
+    echo "" >&2
+    echo "Examples:" >&2
+    echo "  $0 http://172.17.0.3:8090/OTHER/core/other/xmlreport/" >&2
+    echo "  $0 http://zap:8090/OTHER/core/other/xmlreport/ my-zap-results.xml" >&2
+    echo "  $0 http://zap:8090/OTHER/core/other/xmlreport/ \"\" my-secret-api-key" >&2
     exit 1
 fi
 
 zap_url="$1"
 
-if [ $# -ge 2 ]; then
+if [ -n "${2:-}" ]; then
     filename="$2"
 else
     benchmark_version=$(scripts/getBenchmarkVersion.sh)
+    if [ -z "${benchmark_version}" ]; then
+        echo "ERROR: Could not determine Benchmark version from pom.xml." >&2
+        exit 1
+    fi
     date_stamp=$(date +%Y%m%d)
     filename="Benchmark_${benchmark_version}-ZAP-${date_stamp}.xml"
 fi
 
+api_key="${3:-}"
+
+mkdir -p results/
 output="results/${filename}"
 
+curl_args=(-sS -o "${output}" -w '%{http_code}' --connect-timeout 10 --max-time 120)
+if [ -n "${api_key}" ]; then
+    curl_args+=(-H "X-ZAP-API-Key: ${api_key}")
+fi
+
 echo "Downloading ZAP report from: ${zap_url}"
-http_code=$(curl -sS -o "${output}" -w '%{http_code}' --connect-timeout 10 --max-time 120 "${zap_url}")
+http_code=$(curl "${curl_args[@]}" "${zap_url}")
 
 if [ "${http_code}" -ne 200 ]; then
-    echo "ERROR: Download failed with HTTP status ${http_code}"
+    echo "ERROR: Download failed with HTTP status ${http_code}" >&2
     rm -f "${output}"
     exit 1
 fi
 
 if ! head -2 "${output}" | grep -q "OWASPZAPReport"; then
-    echo "ERROR: Downloaded file does not appear to be a ZAP XML report."
-    echo "First 3 lines of downloaded content:"
-    head -3 "${output}"
+    echo "ERROR: Downloaded file does not appear to be a ZAP XML report." >&2
+    echo "First 3 lines of downloaded content:" >&2
+    head -3 "${output}" >&2
     rm -f "${output}"
     exit 1
 fi