Show the list of resources scanned by DAST
Problem to solve
DAST runs against a target application, and it scans many resources. The list of those scanned resources is valuable for customers to figure out if the coverage is enough, or if some section of the app has been skipped.
We should provide this list in the DAST report.
- Sam, Security Analyst
This information depends on the underlying tool that we use (currently, ZAProxy). We need to abstract that and provide a report format that we can manage.
List the resources scanned by DAST and report them along with the DAST vulnerability list. This information can be available for download in the UI.
|In the MR|
|Shows scanned URL count in the UI with a link to the DAST job log|
- View more details will take the user to the DAST job log where URL scanning information is present.
- IF DAST doesn't run: Dast section will not appear
- IF DAST runs and does not return any vulnerability findings: URL count and link to job log will still appear.
Permissions and Security
Users with permissions to see DAST results are also allowed to see the list of scanned resources.
Backend Implementation plan
- Define a schema that DAST will use to define the request and responses that were scanned. The request method, url and response status code are the least that are required. Please document the schema in this issue description (example).
- Update DAST to output requests and their responses in the JSON output. Requests/responses for a spider scan (passive scan), ajax scan and active scan should be returned (see https://github.com/zaproxy/zap-api-python).
- Print the URLs scanned to the DAST Job log. Print the method and the URL.
Add a field called
dast_reportsendpoint that is called by the MR widget. The field should contain the count of urls scanned by DAST.
Add a field called
link_to_urls_scanned. The field should contain a URL that links to the line number in the Job log where the URLs are printed to the screen (this could be considered not part of the MVC).
- Understand what happens when there is more than one DAST Job in a Pipeline.
- This should not break other Secure product MR widgets.