Add body to vulnerability evidence request and response in DAST schema
Problem to solve
Provide a fast workflow for vulnerability triage and remediation. A fast workflow requires that the pertinent information be presented to the user. Currently the bodies of the request and response in the vulnerability evidence are neither captured nor displayed.
Intended users
Users who review, triage, and resolve DAST vulnerability reports.
User experience goal
Provide this information to the user when viewing a vulnerability without extra steps on their part.
Proposal
Add a body field of type string to the request and response fields in the vulnerability evidence so that the UI can display message bodies.
- Intended for display purposes
- Non-binary message bodies
- Trimmed to a maximum size
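As an added example (not GitLab's code or the DAST analyzer's), the following Python builds the evidence request/response pair with the proposed body field and applies the three constraints above: it keeps only non-binary bodies, trims them to a maximum size, and emits the result purely for display. The surrounding field names (method, url, headers, status_code, reason_phrase), the MAX_BODY_BYTES limit and the truncation marker are assumptions, and the sample capture at the bottom is constructed.

```python
"""Added example, not code from GitLab or the DAST analyzer: build the evidence
request/response pair of a DAST finding with the proposed `body` field.

Assumptions (nothing here is specified on the page): the surrounding field names
(method, url, headers, status_code, reason_phrase) follow the shape of GitLab's
security report schema, MAX_BODY_BYTES is a hypothetical cap, and the truncation
marker is an invented convention. The sample capture at the bottom is constructed.
"""
import json

MAX_BODY_BYTES = 1024          # hypothetical limit; the page fixes no number
TRUNCATION_MARKER = "[... truncated]"


def is_text_body(raw: bytes) -> bool:
    """True when `raw` can be stored as a display string.

    A body counts as non-binary when it decodes as UTF-8 and contains no
    control characters other than tab, newline and carriage return.
    """
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return all(ch in "\t\n\r" or ord(ch) >= 0x20 for ch in text)


def display_body(raw: bytes, max_bytes: int = MAX_BODY_BYTES):
    """Turn a raw HTTP message body into the proposed `body` string, or None.

    Empty and binary bodies yield None (the field is then omitted). Text bodies
    longer than `max_bytes` are cut at the byte limit, re-decoded so a split
    multi-byte character is dropped rather than emitted as garbage, and tagged.
    """
    if not raw or not is_text_body(raw):
        return None
    if len(raw) <= max_bytes:
        return raw.decode("utf-8")
    return raw[:max_bytes].decode("utf-8", errors="ignore") + TRUNCATION_MARKER


def _message(fields: dict, headers: dict, raw_body: bytes, max_bytes: int) -> dict:
    """One evidence message; `body` is present only when it is displayable."""
    msg = dict(fields)
    msg["headers"] = [{"name": k, "value": v} for k, v in headers.items()]
    body = display_body(raw_body, max_bytes)
    if body is not None:
        msg["body"] = body
    return msg


def build_evidence(request: dict, response: dict, max_bytes: int = MAX_BODY_BYTES) -> dict:
    """Return {"request": ..., "response": ...} for a finding's evidence.

    `request` / `response` are dicts for the captured messages; their `body`
    entries are the raw bytes seen on the wire.
    """
    return {
        "request": _message(
            {"method": request["method"], "url": request["url"]},
            request["headers"], request["body"], max_bytes),
        "response": _message(
            {"status_code": response["status_code"],
             "reason_phrase": response["reason_phrase"]},
            response["headers"], response["body"], max_bytes),
    }


# Constructed sample capture: a JSON login probe answered with a custom error
# and incident code, which is exactly the body content a reviewer wants to see.
SAMPLE_REQUEST = {
    "method": "POST",
    "url": "https://example.test/api/login",
    "headers": {"Content-Type": "application/json"},
    "body": b'{"username": "scanner", "password": "probe"}',
}
SAMPLE_RESPONSE = {
    "status_code": 500,
    "reason_phrase": "Internal Server Error",
    "headers": {"Content-Type": "application/json", "X-Request-Id": "c0ffee42"},
    "body": b'{"error": "DB_SYNTAX", "incident": "INC-0042", "requestId": "c0ffee42"}',
}

if __name__ == "__main__":
    print(json.dumps(build_evidence(SAMPLE_REQUEST, SAMPLE_RESPONSE), indent=2))
```

Omitting the field for binary bodies (rather than storing an empty or base64 string) keeps the schema's "string for display" semantics simple; a consumer that sees no body knows the analyzer had nothing displayable, not that the message was empty.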
Further details
- Mike: When I review vulnerability findings from a DAST tool, the first thing I want to see is the full request/response pair associated with the finding. Many times this will allow a quick determination of whether the issue should be investigated further or is a false positive.
- With microservices there are two popular locations for a request correlation identifier: a response header or the response body. These identifiers are needed to perform log correlation.
- API responses may include custom error codes or incident codes that will assist in vulnerability investigation
- Other schema extensions will want to display HTTP message bodies. This may affect the design chosen.
- See #230132 (closed)
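As an added example of the log-correlation use case in the details above (not code from GitLab or the DAST analyzer), this Python looks for a correlation identifier first in the response headers and then in the JSON response body, and uses it to select the matching log lines. The header names and body keys searched, the evidence dicts and the log lines are all assumed or constructed here, and the evidence shape follows GitLab's security report schema only as an assumption.

```python
"""Added example, not code from GitLab or the DAST analyzer: locate a request
correlation identifier in a finding's evidence (response header first, then
the JSON response body) and pull the matching application log lines.

Assumptions: the header names and body keys searched are common conventions
the page does not prescribe; the evidence dicts and log lines are constructed
samples, and the evidence shape follows GitLab's security report schema.
"""
import json
import re

CORRELATION_HEADERS = ("x-request-id", "x-correlation-id", "x-amzn-trace-id")
CORRELATION_BODY_KEYS = ("requestId", "request_id", "correlationId", "correlation_id", "traceId")


def find_correlation_id(evidence: dict):
    """Return (where, value) for the first correlation id found, else None.

    Without a captured `response.body`, only the header location can be
    searched, which is the gap the proposal closes.
    """
    response = evidence.get("response", {})
    for header in response.get("headers", []):
        if header["name"].lower() in CORRELATION_HEADERS:
            return "header:" + header["name"], header["value"]
    body = response.get("body")
    if not body:
        return None
    try:
        doc = json.loads(body)
    except ValueError:
        return None          # non-JSON body: nothing to do here
    if isinstance(doc, dict):
        for key in CORRELATION_BODY_KEYS:
            if key in doc:
                return "body:" + key, str(doc[key])
    return None


def matching_log_lines(log_lines, correlation_id: str):
    """Return log lines containing `correlation_id` as a whole token.

    The look-around guards stop a short id from matching a longer one that
    merely shares its prefix.
    """
    pattern = re.compile(r"(?<![0-9A-Za-z-])" + re.escape(correlation_id) + r"(?![0-9A-Za-z-])")
    return [line for line in log_lines if pattern.search(line)]


def logs_for_finding(evidence: dict, log_lines):
    """Tie a finding to its log lines; [] when no correlation id is available."""
    found = find_correlation_id(evidence)
    if found is None:
        return []
    return matching_log_lines(log_lines, found[1])


# Constructed evidence: the service echoes its request id only in the body.
EVIDENCE_BODY_ONLY = {
    "request": {"method": "GET", "url": "https://example.test/api/orders/7", "headers": []},
    "response": {
        "status_code": 500,
        "reason_phrase": "Internal Server Error",
        "headers": [{"name": "Content-Type", "value": "application/json"}],
        "body": '{"error": "UPSTREAM_TIMEOUT", "requestId": "req-8f3a2c"}',
    },
}

# Constructed log lines from two services; one line carries a longer id with
# the same prefix and must not be picked up.
SAMPLE_LOGS = [
    "2024-05-01T10:00:00Z INFO  gateway req-8f3a2c GET /api/orders/7",
    "2024-05-01T10:00:00Z INFO  orders  req-8f3a2c1 GET /api/orders/71",
    "2024-05-01T10:00:03Z ERROR orders  req-8f3a2c upstream timeout after 3000ms",
    "2024-05-01T10:00:03Z WARN  gateway req-9b11d0 GET /api/orders/9 slow",
]

if __name__ == "__main__":
    print(find_correlation_id(EVIDENCE_BODY_ONLY))
    for line in logs_for_finding(EVIDENCE_BODY_ONLY, SAMPLE_LOGS):
        print(line)
```

With the constructed evidence the identifier exists only in the response body, so a schema without the body field would leave logs_for_finding with nothing to search on; that is the concrete cost of the gap described above.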