ZAP import accepts types other than "url" #269
Merged: cedricbu merged 4 commits into RedHatProductSecurity:development from cedricbu:zap_import_various_sources, Dec 16, 2024
@@ -1,5 +1,5 @@ | ||
config: | ||
configVersion: 5 | ||
configVersion: 6 | ||
|
||
application: | ||
shortName: "example-1.0" | ||
|
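Review bot: the bump from `configVersion: 5` to `configVersion: 6` needs a matching, user-visible note stating what changed between the two schema versions (a changelog entry or a comment next to `configVersion` in the templates), because the verbose template's own comment says this value selects the schema RapiDAST uses to read the file, and the thread below confirms the old ZAP import form is no longer accepted. As the hunk stands, a user holding a version 5 config learns only that the number moved, not which `scanners.zap` keys to rewrite.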
@@ -0,0 +1,209 @@ | ||
# This is a verbose configuration template. A lot of value do not need to be present, for most configuration. | ||
# | ||
# Author: Red Hat Product Security | ||
# | ||
# See "config-template.yaml" for a simpler configuration file. | ||
# All the values are optional (except `config.configVersion`): if a key is missing, it will mean either "disabled" or a sensible default will be selected | ||
|
||
config: | ||
# WARNING: `configVersion` indicates the schema version of the config file. | ||
# This value tells RapiDAST what schema should be used to read this configuration. | ||
# Therefore you should only change it if you update the configuration to a newer schema | ||
# It is intended to keep backward compatibility (newer RapiDAST running an older config) | ||
configVersion: 5 | ||
|
||
# all the results of all scanners will be stored under that location | ||
base_results_dir: "./results" | ||
|
||
# In RapiDAST only: should RapiDAST verify certificates | ||
# possible values: true [default], false, /path/to/a/PEM/file | ||
tls_verify_for_rapidast_downloads: true | ||
|
||
# Import a particular environment, and inject it for each scanner | ||
environ: | ||
envFile: "path/to/env/file" | ||
|
||
# Export to Google Cloud Storage | ||
googleCloudStorage: | ||
keyFile: "/path/to/GCS/key" # optional: path to the GCS key file (alt.: use GOOGLE_APPLICATION_CREDENTIALS) | ||
bucketName: "<name-of-GCS-bucket-to-export-to>" # Mandatory | ||
directory: "<override-of-default-directory>" # Optional, defaults to `RapiDAST-{app_name}` | ||
|
||
|
||
|
||
# `application` contains data related to the application, not to the scans. | ||
application: | ||
shortName: "MyApp-1.0" | ||
url: "<Mandatory. root URL of the application>" | ||
|
||
# `general` is a section that will be applied to all scanners. | ||
# Any scanner can override a value by creating an entry of the same name in their own configuration | ||
general: | ||
|
||
|
||
# remove `proxy` entirely for direct connection | ||
proxy: | ||
proxyHost: "<hostname>" | ||
proxyPort: "<port>" | ||
|
||
# remove `authentication` entirely for unauthenticated connection | ||
authentication: | ||
type: "oauth2_rtoken" | ||
parameters: | ||
client_id: "cloud-services" | ||
token_endpoint: "<token retrieval URL>" | ||
rtoken_from_var: "RTOKEN" # referring to a env defined in general.environ.envFile | ||
#preauth: false # set to true to pregenerate a token, and stick to it (no refresh) | ||
# Other types of authentication: | ||
#type: "http_header" | ||
#parameters: | ||
# name: "Authorization" | ||
# value: "MySecretHeader" | ||
#type: "http_basic" | ||
#parameters: | ||
# username: "user" | ||
# password: "mypassw0rd" | ||
#type: "cookie" | ||
#parameters: | ||
# name: "cookie name" | ||
# value: "cookie value" | ||
# | ||
# "browser" authentication will use firefox in the background to generate cookies | ||
# - verifyUrl must return an error if the user is not logged in | ||
#type: "browser" | ||
#parameters: | ||
# username: "user" | ||
# password: "mypassw0rd" | ||
# loginPageUrl: "https://myapp/login" | ||
# verifyUrl: "https://myapp/user/info" | ||
|
||
|
||
container: | ||
# This configures what technology is to be used for RapiDAST to run each scanner. | ||
# Currently supported: `podman` and `none` | ||
# none: Default. RapiDAST runs each scanner in the same host or inside the RapiDAST image container | ||
# podman: RapiDAST orchestrates each scanner on its own using podman | ||
# When undefined, relies on rapidast-defaults.yaml, or `none` if nothing is set | ||
#type: "none" | ||
|
||
# (Optional) configure to export the results to Defect Dojo. | ||
# WARNING: requires an export to be configured: either config.googleCloudStorage or config.defectDojo | ||
defectDojoExport: | ||
# Parameters contain data that will directly be sent as parameters to DefectDojo's import/reimport endpoints. | ||
# For example: commit tag, version, push_to_jira, etc. | ||
# See https://demo.defectdojo.org/api/v2/doc/ for a list of possibilities | ||
# The minimum set of data is whatever is needed to identify which engagement/test needs to be chosen. | ||
# If neither a test ID (`test` parameter), nor product_name and engagement_name were provided, sane default will be attempted: | ||
# - product_name chosen from either application.productName or application.shortName | ||
# - engagement_name: "RapiDAST" [this way the same engagement will always be chosen, regardless of the scanner] | ||
parameters: | ||
product_name: "My Product" | ||
engagement_name: "RapiDAST" | ||
# - or - | ||
#engagement: 3 # engagement ID | ||
# - or - | ||
#test_title: "ZAP" | ||
# - or - | ||
#test: 5 # test ID, that will force "reimport" mode | ||
|
||
# For additional options, see https://defectdojo.github.io/django-DefectDojo/integrations/importing/ | ||
|
||
# `scanners' is a section that configures scanning options | ||
scanners: | ||
zap: | ||
# define a scan through the ZAP scanner | ||
apiScan: | ||
target: "<optional, if different from application.url>" | ||
apis: | ||
apiUrl: "<URL to openAPI>" | ||
# alternative to apiURL: apiFile: "<local path to openAPI file>" | ||
|
||
# A list of URLs can also be provided, from a text file (1 URL per line) | ||
importUrlsFromFile: "<path to import URL>" | ||
|
||
graphql: | ||
endpoint: "<URL to GraphQL API endpoint>" | ||
# schemaUrl: "" # String: URL pointing to a GraphQL Schema | ||
# schemaFile: "" # String: Local file path of a GraphQL Schema | ||
# maxQueryDepth: 5 # The maximum query generation depth | ||
# lenientMaxQueryDepthEnabled: true # Whether or not Maximum Query Depth is enforced leniently | ||
# maxAdditionalQueryDepth: 5 # The maximum additional query generation depth (used if enforced leniently) | ||
# maxArgsDepth: 5 # The maximum arguments generation depth | ||
# optionalArgsEnabled: true # Whether or not Optional Arguments should be specified | ||
# argsType: both # Enum [inline, variables, both]: How arguments are specified | ||
# querySplitType: leaf # Enum [leaf, root_field, operation]: The level for which a single query is generated | ||
# requestMethod: post_json # Enum [post_json, post_graphql, get]: The request method | ||
|
||
spider: | ||
maxDuration: 0 # in minutes, default: 0 unlimited | ||
url: "" # url to start spidering from, default: application.url set above | ||
|
||
spiderAjax: | ||
# The list of parameters: https://www.zaproxy.org/docs/desktop/addons/ajax-spider/automation/ | ||
#maxCrawlStates: 10 # this may be useful when running in a memory limited environment (default: 0 unlimited) | ||
#maxCrawlDepth: 10 # default: unlimited | ||
maxDuration: 0 # in minutes, default: 0 unlimited | ||
url: "" # url to start spidering from, default: application.url set above | ||
browserId: firefox-headless | ||
|
||
passiveScan: | ||
# Optional comma-separated list of passive rules to disable | ||
# Use https://www.zaproxy.org/docs/alerts/ to match rule with its ID | ||
disabledRules: "2,10015,10024,10027,10054,10096,10109,10112" | ||
|
||
activeScan: | ||
# The list of parameters: https://www.zaproxy.org/docs/desktop/addons/ajax-spider/automation/ | ||
#maxRuleDurationInMins: max scan time for each Rule (default: unlimited) | ||
#maxScanDurationInMins: max scan time for the entire scan. Useful for debugging automation | ||
# | ||
# If no policy is chosen, a default ("API-scan-minimal") will be selected | ||
# The list of policies can be found in scanners/zap/policies/ | ||
policy: "API-scan-minimal" | ||
|
||
container: | ||
parameters: | ||
image: "ghcr.io/zaproxy/zaproxy:stable" # for type such as podman | ||
#podName: "mypod" # optional: inject ZAP in an existing Pod | ||
|
||
executable: "zap.sh" # for Linux | ||
#executable: "/Applications/OWASP ZAP.app/Contents/Java/zap.sh" # for MacOS, when general.container.type is 'none' only | ||
|
||
report: | ||
format: ["json"] | ||
#format: ["json","html","sarif","xml"] # default: "json" only | ||
|
||
urls: | ||
# Optional, `includes` and `excludes` take a list of regexps. | ||
# includes: A URL matching that regexp will be in the scope of scanning, in addition to application.url which is already in scope | ||
# excludes: A URL matching that regexp will NOT be in the scope of scanning | ||
# Note: The regular expressions MUST match the whole URL. | ||
# e.g.: 'http://example.com/do-not-descend-here/' will actually descend | ||
|
||
#includes: | ||
# - "^https?://example.com:3000/.*$" | ||
#excludes: | ||
# - "^https?://example.com:3000/do-not-descend-here/.*$" | ||
|
||
miscOptions: | ||
# EnableUI (default: false), requires a compatible runtime (e.g.: `type: none`) | ||
enableUI: False | ||
|
||
# Defaults to False, set True to force auto update of ZAP plugins | ||
updateAddons: True | ||
|
||
# List (comma-separated string or list) of additional addons to install | ||
additionalAddons: "ascanrulesBeta" | ||
|
||
# If set to True and authentication is oauth2_rtoken: manually download schemas (e.g.: openAPI, GraphQL) | ||
oauth2ManualDownload: False | ||
|
||
# Overwrite the default port in case it is required. The default port was selected to avoid any collision with other services | ||
zapPort: 8080 | ||
|
||
# Maximum heap size of the JVM. Default: ¼ of the RAM. acceptable values: [0-9]+[kKmMgG]? | ||
# This may be required for large OpenAPI definition | ||
memMaxHeap: "6144m" | ||
|
||
overrideConfigs: | ||
- formhandler.fields.field(0).fieldId=namespace | ||
- formhandler.fields.field(0).value=default |
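Review bot: this new verbose template ships with `configVersion: 5` while the other template in the same PR is bumped to `configVersion: 6`; since the comment directly above that line says the value decides which schema reads the file, a user who copies this template is parsed under the schema the PR stops supporting, so it should read `configVersion: 6` as well. Three smaller points in the same hunk: the `activeScan` section's "list of parameters" link is the ajax-spider automation URL, identical to the one under `spiderAjax`, and looks copy-pasted rather than pointing at the active scan job's documentation; the `defectDojoExport` WARNING refers to `config.defectDojo`, but no such section exists anywhere in this template (only `config.googleCloudStorage` is defined), so either add it or correct the reference; and `importUrlsFromFile: "<path to import URL>"` should describe the value as the comment above it does, a path to a text file with one URL per line. Finally, the commented `http_basic` and `browser` examples carry a literal `password: "mypassw0rd"`; since templates get copied into real configs, a comment steering users to `environ.envFile` in the way `rtoken_from_var` already does would reduce the chance of a credential landing in version control.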
Does this require a config schema version change?
Not if we keep backward compatibility: we can simply suggest only the new method, while keeping the old one valid for historical purposes.
[quick additional note: backward compatibility was removed based on the next conversation]