Current Behavior
Dependency-Track supports Service BOMs. From the CycloneDX website:
SaaSBOMs complement Infrastructure-as-Code (IaC) by providing a logical representation of a complex system, complete with inventory of all services, their reliance on other services, endpoint URLs, data classifications, and the directional flow of data between services. Optionally, SaaSBOMs may also include the software components that make up each service.
CycloneDX is protocol agnostic and is capable of describing services over HTTP(S), REST, GraphQL, MQTT, and intra-process communication. The specification provides enough information about services to automatically generate dataflow diagrams useful in security and privacy threat modeling.
However, Dependency-Track does not provide any tooling to help with such modelling.
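The kind of modelling the quoted text describes can be derived directly from the service entries in a CycloneDX BOM. The script below is an added example, not code from Dependency-Track or the CycloneDX project: it parses a constructed CycloneDX 1.4 Service BOM, builds the service dependency graph, emits a Graphviz DOT dataflow diagram, and lists threat-modelling findings that follow from the BOM alone (sensitive data sent to an unauthenticated service, across a declared trust boundary, or to a cleartext endpoint). The service names, endpoints and classifications are invented for the sample; the fields read (endpoints, authenticated, x-trust-boundary, data[].flow, data[].classification, dependencies) are those of the CycloneDX 1.4 service schema.

```python
"""Derive a dataflow view and basic findings from a CycloneDX 1.4 SaaSBOM.

Added example, not Dependency-Track or CycloneDX project code.
"""
import json

# Constructed sample SaaSBOM (CycloneDX 1.4 JSON); not from any real system.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "services": [
        {
            "bom-ref": "svc-web",
            "name": "storefront",
            "endpoints": ["https://shop.example.internal/api/checkout"],
            "authenticated": True,
            "x-trust-boundary": False,
            "data": [{"flow": "inbound", "classification": "PII"},
                     {"flow": "outbound", "classification": "PII"}],
        },
        {
            "bom-ref": "svc-pay",
            "name": "payment-gateway",
            "endpoints": ["https://pay.example.com/v1/charge"],
            "authenticated": True,
            "x-trust-boundary": True,   # third-party service
            "data": [{"flow": "inbound", "classification": "PCI"}],
        },
        {
            "bom-ref": "svc-metrics",
            "name": "metrics-collector",
            "endpoints": ["http://metrics.example.internal/ingest"],
            "authenticated": False,
            "x-trust-boundary": False,
            "data": [{"flow": "inbound", "classification": "PII"}],
        },
    ],
    "dependencies": [
        {"ref": "svc-web", "dependsOn": ["svc-pay", "svc-metrics"]},
    ],
})

# Data classifications treated as sensitive for the findings below (assumption).
SENSITIVE = {"PII", "PCI", "PHI"}


def load_services(bom_text):
    """Return (services by bom-ref, list of (caller, callee) edges)."""
    bom = json.loads(bom_text)
    services = {s["bom-ref"]: s for s in bom.get("services", [])}
    edges = [(d["ref"], dep)
             for d in bom.get("dependencies", [])
             for dep in d.get("dependsOn", [])
             if d["ref"] in services and dep in services]
    return services, edges


def inbound_classes(service):
    """Data classifications a service receives, per its data[] entries."""
    return {d["classification"] for d in service.get("data", [])
            if d.get("flow") in ("inbound", "bi-directional")}


def to_dot(services, edges):
    """Render the service graph as Graphviz DOT; edges carry the data received."""
    lines = ["digraph dataflow {"]
    for ref, svc in services.items():
        shape = "octagon" if svc.get("x-trust-boundary") else "box"
        lines.append(f'  "{ref}" [label="{svc["name"]}", shape={shape}];')
    for src, dst in edges:
        label = ",".join(sorted(inbound_classes(services[dst])))
        lines.append(f'  "{src}" -> "{dst}" [label="{label}"];')
    lines.append("}")
    return "\n".join(lines)


def findings(services, edges):
    """Threat-modelling checks that need nothing beyond the BOM itself."""
    out = []
    for src, dst in edges:
        callee = services[dst]
        sensitive = sorted(inbound_classes(callee) & SENSITIVE)
        if not sensitive:
            continue
        if callee.get("authenticated") is False:
            out.append(f"{src} -> {dst}: {sensitive} sent to an unauthenticated service")
        if callee.get("x-trust-boundary"):
            out.append(f"{src} -> {dst}: {sensitive} crosses a trust boundary")
        for url in callee.get("endpoints", []):
            if url.startswith("http://"):
                out.append(f"{src} -> {dst}: {sensitive} sent to cleartext endpoint {url}")
    return out


if __name__ == "__main__":
    svcs, deps = load_services(SAMPLE_BOM)
    print(to_dot(svcs, deps))
    for line in findings(svcs, deps):
        print("FINDING:", line)
```

Run as a script it prints the DOT graph (renderable with `dot -Tsvg`) followed by three findings for the sample: PCI data crossing the trust boundary to the payment gateway, and PII going to the metrics collector both unauthenticated and over cleartext HTTP.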
Proposed Behavior
Add support for OWASP Zed Attack Proxy (ZAP) so that API endpoints can be tested.
Checklist