
Support to set multiple "scanners.zap.apiScan.apis.apiUrl"s in the config file

Open lunarwhite opened this issue 1 year ago • 3 comments

Background

Currently, in the RapiDAST configuration file, it seems that scanners.zap.apiScan.apis.apiUrl only supports a single value:

config:
  configVersion: 4

# `application` contains data related to the application, not to the scans.
application:
  shortName: "APP_SHORT_NAME"
  url: "https://kubernetes.default.svc" # to be replaced with your cluster API server URL
...
scanners:
  zap:
    # define a scan through the ZAP scanner
    apiScan:
      apis:
        apiUrl: "https://MY_ENDPONIT/openapi/v3/apis/MY_CRD/v2" # to be replaced with your API group information
...

I'm wondering if we could set multiple apiUrls in one config file. In some scenarios, users may want to scan multiple API groups. If there are no differences except for the scanners.zap.apiScan.apis.apiUrl field, they may need to create and apply multiple files repeatedly.

Possible solutions

I'm not quite familiar with the codebase, but one possible way may be to convert the schema to an array:

...
scanners:
  zap:
    apiScan:
      apis:
        apiUrl: 
        - "https://MY_ENDPONIT_1/openapi/v3/apis/MY_CRD_1/v2"
        - "https://MY_ENDPONIT_1/openapi/v3/apis/MY_CRD_2/v2"
        - "https://MY_ENDPONIT_2/openapi/v3/apis/MY_CRD_3/v2"
        -  ...
...

It would be nice to have this kind of feature. Alternatively, is there any suggested workaround?

lunarwhite avatar Mar 26 '24 08:03 lunarwhite

Thanks for raising the issue. That will surely be a useful addition, but our bandwidth is a bit limited at this moment. Will update later.

jeremychoi avatar Apr 15 '24 23:04 jeremychoi

Quick, very late update: there is actually a workaround, which is to launch several scans (one per OpenAPI definition). That can be done by explicitly naming each ZAP run, like this:

scanners:
  zap_<unique name for this scan>:
    apiScan:
      apis:
        apiUrl: "https://MY_ENDPONIT_1/openapi/v3/apis/MY_CRD_1/v2"
  zap_<another unique name for this scan>:
    apiScan:
      apis:
        apiUrl: "https://MY_ENDPONIT_1/openapi/v3/apis/MY_CRD_2/v2"
... etc...

The results will, however, be separated per endpoint in the results directory. See https://github.com/RedHatProductSecurity/rapidast/?tab=readme-ov-file#running-several-instance-of-a-scanner for the relevant doc on using explicitly named scanners.

cedricbu avatar Sep 25 '24 16:09 cedricbu
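For a practitioner who has the list of API URLs the issue proposes but must use the named-scanner workaround described in the comment above, here is an added example script. It is not part of RapiDAST and not code from either poster: the config keys it emits (config.configVersion, application.shortName/url, scanners.zap_<name>.apiScan.apis.apiUrl) are the ones shown on this page, while the naming scheme (last two URL path segments, lower-cased, de-duplicated with a numeric suffix) and the dependency-free YAML writer are this example's own assumptions.

```python
"""Expand a list of OpenAPI URLs into one explicitly named ZAP scanner each.

Added example, not part of RapiDAST. Only the config keys shown in this
issue are used; the naming scheme and the YAML writer are assumptions.
"""
import re
from urllib.parse import urlparse

# Constructed sample input: the three API groups from the issue's proposed array form.
SAMPLE_API_URLS = [
    "https://MY_ENDPONIT_1/openapi/v3/apis/MY_CRD_1/v2",
    "https://MY_ENDPONIT_1/openapi/v3/apis/MY_CRD_2/v2",
    "https://MY_ENDPONIT_2/openapi/v3/apis/MY_CRD_3/v2",
]


def scanner_name(api_url: str, taken: set) -> str:
    """Derive a unique 'zap_<name>' key from the URL (assumed scheme, not RapiDAST's)."""
    parsed = urlparse(api_url)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        raise ValueError(f"not an http(s) URL: {api_url!r}")
    # The last two path segments (e.g. MY_CRD_1/v2) identify API group and version.
    segments = [s for s in parsed.path.split("/") if s]
    base = "_".join(segments[-2:]) if segments else parsed.netloc
    base = re.sub(r"[^A-Za-z0-9_]", "_", base).lower()
    # Two hosts exposing the same group/version would collide: add a counter.
    name, n = f"zap_{base}", 2
    while name in taken:
        name, n = f"zap_{base}_{n}", n + 1
    taken.add(name)
    return name


def build_config(short_name: str, app_url: str, api_urls: list) -> dict:
    """Return the config as a nested dict with one zap_<name> scanner per apiUrl."""
    if not api_urls:
        raise ValueError("at least one apiUrl is required")
    taken: set = set()
    scanners = {}
    for url in api_urls:
        scanners[scanner_name(url, taken)] = {"apiScan": {"apis": {"apiUrl": url}}}
    return {
        "config": {"configVersion": 4},
        "application": {"shortName": short_name, "url": app_url},
        "scanners": scanners,
    }


def yaml_quote(value: str) -> str:
    """Double-quoted YAML scalar; escapes the two characters that matter there."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def to_yaml(cfg: dict) -> str:
    """Render the config without PyYAML; the structure is fixed, so string building is safe."""
    lines = ["config:", f"  configVersion: {cfg['config']['configVersion']}", "", "application:"]
    for key, value in cfg["application"].items():
        lines.append(f"  {key}: {yaml_quote(value)}")
    lines += ["", "scanners:"]
    for name, spec in cfg["scanners"].items():
        lines += [
            f"  {name}:",
            "    apiScan:",
            "      apis:",
            f"        apiUrl: {yaml_quote(spec['apiScan']['apis']['apiUrl'])}",
        ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Usage: redirect the output to a config file and pass it to rapidast as usual.
    print(to_yaml(build_config("APP_SHORT_NAME", "https://kubernetes.default.svc", SAMPLE_API_URLS)))
```

Every generated scanner shares the single application block, which is the part the issue author did not want to duplicate by hand; as the comment notes, results still land in one directory per named scanner, so the script's naming scheme is also what you will see in the results directory.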

Will the workaround work for you @lunarwhite ?

jeremychoi avatar Sep 26 '24 03:09 jeremychoi