RedHatProductSecurity / rapidast

RapiDAST enables simple, continuous and fully automated application security testing
Apache License 2.0

Support to set multiple "scanners.zap.apiScan.apis.apiUrl"s in the config file #183

Open lunarwhite opened 7 months ago

lunarwhite commented 7 months ago

Background

Currently in the RapiDAST configuration file, it seems that scanners.zap.apiScan.apis.apiUrl only supports a single value:

config:
  configVersion: 4

# `application` contains data related to the application, not to the scans.
application:
  shortName: "APP_SHORT_NAME"
  url: "https://kubernetes.default.svc" # to be replaced with your cluster API server URL
...
scanners:
  zap:
    # define a scan through the ZAP scanner
    apiScan:
      apis:
        apiUrl: "https://MY_ENDPONIT/openapi/v3/apis/MY_CRD/v2" # to be replaced with your API group information
...

I'm wondering if we could set multiple apiUrls in one config file. In some scenarios, users may want to scan multiple API groups. If there are no differences except for the scanners.zap.apiScan.apis.apiUrl field, they may need to create and apply multiple files repeatedly.

Possible solutions

I'm not quite familiar with the codebase, but one possible way may be to convert the schema to an array:

...
scanners:
  zap:
    apiScan:
      apis:
        apiUrl:
        - "https://MY_ENDPONIT_1/openapi/v3/apis/MY_CRD_1/v2"
        - "https://MY_ENDPONIT_1/openapi/v3/apis/MY_CRD_2/v2"
        - "https://MY_ENDPONIT_2/openapi/v3/apis/MY_CRD_3/v2"
        - ...
...

It would be nice to have this kind of feature. Alternatively, is there any suggested workaround?

jeremychoi commented 6 months ago

Thanks for raising the issue. That will surely be a useful addition, but our bandwidth is a bit limited at this moment. Will update later.

cedricbu commented 1 month ago

Quick, very late update: there is actually a workaround, which is to launch several scans (one per OpenAPI). That can be done by explicitly naming each ZAP run, like this:

scanners:
  zap_<unique name for this scan>:
    apiScan:
      apis:
        apiUrl: "https://MY_ENDPONIT_1/openapi/v3/apis/MY_CRD_1/v2"
  zap_<another unique name for this scan>:
    apiScan:
      apis:
        apiUrl: "https://MY_ENDPONIT_1/openapi/v3/apis/MY_CRD_2/v2"
... etc...

The results will, however, be separated per endpoint in the results directory. See https://github.com/RedHatProductSecurity/rapidast/?tab=readme-ov-file#running-several-instance-of-a-scanner for the relevant doc on using explicitly named scanners.
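
A small generator for the workaround above, added here as an example and not code from the rapidast project: it takes a base config plus a list of OpenAPI URLs and emits one explicitly named `zap_<name>` scanner per URL. The function names, the sample URLs and the minimal YAML emitter (nested dicts of scalars only) are my own assumptions, not rapidast's API.

```python
"""Expand one RapiDAST config into one named ZAP scanner per OpenAPI URL.
Standard library only, so no PyYAML is required (added example)."""
import re

# Constructed sample: the base config from the issue, without apiUrl.
BASE_CONFIG = {
    "config": {"configVersion": 4},
    "application": {
        "shortName": "APP_SHORT_NAME",
        "url": "https://kubernetes.default.svc",
    },
}

# Constructed sample URLs (same placeholders as in the issue).
API_URLS = [
    "https://MY_ENDPONIT_1/openapi/v3/apis/MY_CRD_1/v2",
    "https://MY_ENDPONIT_1/openapi/v3/apis/MY_CRD_2/v2",
]


def scanner_name(api_url):
    """Derive a unique, filesystem-safe scanner name from the URL.
    Each scanner gets its own results directory, so names must not collide."""
    path = re.sub(r"^https?://", "", api_url)
    return "zap_" + re.sub(r"[^A-Za-z0-9]+", "_", path).strip("_").lower()


def expand_config(base, api_urls):
    """Return a copy of `base` with one `zap_<name>` scanner per apiUrl."""
    scanners = {}
    for url in api_urls:
        name = scanner_name(url)
        if name in scanners:  # e.g. "b-c" and "b_c" map to the same name
            raise ValueError(f"duplicate scanner name {name!r} for {url}")
        scanners[name] = {"apiScan": {"apis": {"apiUrl": url}}}
    return {**base, "scanners": scanners}


def to_yaml(obj, indent=0):
    """Minimal YAML emitter: nested dicts, strings quoted, other scalars bare."""
    lines, pad = [], "  " * indent
    for key, val in obj.items():
        if isinstance(val, dict):
            lines.append(f"{pad}{key}:")
            lines.extend(to_yaml(val, indent + 1))
        elif isinstance(val, str):
            lines.append(f'{pad}{key}: "{val}"')
        else:
            lines.append(f"{pad}{key}: {val}")
    return lines


if __name__ == "__main__":
    print("\n".join(to_yaml(expand_config(BASE_CONFIG, API_URLS))))
```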

jeremychoi commented 1 month ago

Will the workaround work for you @lunarwhite ?