Add a source for vulnerability evidence in the DAST schema
Problem to solve
API Fuzzer has multiple ways a vulnerability can be detected, including methods such as the request's status code and log analysis. This information is useful for the user to:
- Determine how to handle false positives
  - In API Security, the detection mechanisms can be modified when false positives are found.
- Confidence in the detected vulnerability
  - Different types of detection may be seen as higher confidence by the user. For example, a database error in the logs vs. a response status code.
- Providing context for the provided evidence (e.g. summary).
Intended users
- Sasha (Software Developer)
- Devon (DevOps Engineer)
- Sam (Security Analyst)
- Priyanka (Platform Engineer)
User experience goal
Source is presented to the user in conjunction with other evidence in the UI.
Proposal
Add a new optional field vulnerabilities[].evidence.source. This field captures the source of the evidence collected.
- evidence.source [optional]
  - evidence.source.id [required]: The identifier of the source
  - evidence.source.name [required]: The name of the source for display
  - evidence.source.url [optional]: Optional link to documentation about the source
An evidence source for DAST scanners would include:
- Status Code
- Log analysis
- Custom error code
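As an added illustration of the proposed field (this is example code, not GitLab's schema or implementation), the following validator checks a DAST report fragment against the rules above: source is optional, id and name are required when it is present, and url is optional. The report and the source identifiers in it are constructed for the example.

```python
"""Validate the proposed vulnerabilities[].evidence.source object in a DAST report.

Example code, not GitLab's schema. Rules follow the proposal text: ``source`` is
optional; when present, ``id`` and ``name`` are required non-empty strings and
``url`` is an optional string. The sample report and identifiers are constructed.
"""
import json

# Constructed sample: one vulnerability with a full source, one with no source
# (valid, since source is optional), and one missing the required name.
SAMPLE_REPORT = json.dumps({
    "vulnerabilities": [
        {"id": "vuln-1", "evidence": {"summary": "Server returned 500",
         "source": {"id": "assert:status-code", "name": "Status Code",
                    "url": "https://docs.example.test/status-code"}}},
        {"id": "vuln-2", "evidence": {"summary": "No source attached"}},
        {"id": "vuln-3", "evidence": {"source": {"id": "assert:log-analysis"}}},
    ]
})

REQUIRED = ("id", "name")
OPTIONAL = ("url",)


def validate_source(source):
    """Return a list of problems found in one evidence.source object."""
    if not isinstance(source, dict):
        return ["source must be an object"]
    problems = []
    for key in REQUIRED:
        if not isinstance(source.get(key), str) or not source[key]:
            problems.append(f"source.{key} is required and must be a non-empty string")
    if "url" in source and not isinstance(source["url"], str):
        problems.append("source.url must be a string when present")
    for key in source:
        if key not in REQUIRED + OPTIONAL:
            problems.append(f"unknown key source.{key}")
    return problems


def validate_report(report_json):
    """Map each vulnerability id to the problems found in its evidence.source."""
    report = json.loads(report_json)
    results = {}
    for vuln in report.get("vulnerabilities", []):
        evidence = vuln.get("evidence") or {}
        if "source" not in evidence:  # optional field: absence is valid
            results[vuln["id"]] = []
            continue
        results[vuln["id"]] = validate_source(evidence["source"])
    return results
```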