Remove DAST report legacy ZAProxy fields
Context
The DAST tool is migrating from a custom ZAProxy format to use the Common Report Format. This will enable the Secure team to reuse key parts of our codebase.
The migration has three stages:
1. DAST will create a gl-dast-report.json report containing both the legacy ZAProxy fields and the Common Report Format fields. #14053 (closed)
2. The GitLab Rails codebase will use the Common Report Format for DAST instead of the ZAProxy fields. #33913 (closed)
3. DAST will remove the legacy ZAProxy fields from the report. #33915 (closed)
This issue represents step 3 of the migration.
Prerequisites to removing the fields:
- DAST diffs must not be performed on the front end. This logic has been moved to the backend, but please make sure the front end code has been removed.
- Some fields (e.g. urlsInScope, which will not be included in the Secure Report Format) have not yet been included in the Common Report Format. This issue can only progress once all ZAP fields have been deprecated.
Technical Details
Use config.dast_major_version >= 2 to ensure that the fields @generated, @version, site and spider are not present in reports generated by DAST 2.x.
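The following is an added example (not code from the GitLab DAST or Rails codebase) of the check described above, written as a small Ruby script: parse a gl-dast-report.json, look for the four legacy ZAProxy top-level keys, and apply the major-version rule so that a 1.x report (stage 1, both field sets present) passes while a 2.x report fails if any legacy key survives. The function and constant names, the helper that derives a major version from a dotted version string, and the sample reports are all assumptions constructed for illustration; the "version" and "vulnerabilities" keys in the samples stand in for the Common Report Format fields and are not a specification of that format.

```ruby
require 'json'

# The four legacy ZAProxy top-level keys named in the issue; a DAST 2.x report
# must not carry any of them.
LEGACY_ZAP_FIELDS = %w[@generated @version site spider].freeze

# Derive the major version from a dotted version string such as "2.0.1".
# Returns nil when the string does not start with a numeric component, so a
# caller can treat an unparseable version as "unknown" rather than as 0.
def dast_major_version(version)
  m = /\A(\d+)(?:\.\d+)*/.match(version.to_s)
  m && m[1].to_i
end

# Legacy ZAProxy keys still present at the top level of a parsed report,
# in the order of LEGACY_ZAP_FIELDS.
def legacy_fields_present(report)
  LEGACY_ZAP_FIELDS.select { |key| report.key?(key) }
end

# Mirror of the "config.dast_major_version >= 2" rule.
#   major < 2 (or unknown): legacy keys are tolerated (stage 1 of the migration)
#   major >= 2:             any legacy key is a failure (stage 3)
# Returns [ok, offending_fields] so the caller can report exactly what leaked.
def check_report(report, major_version)
  offending = legacy_fields_present(report)
  return [true, offending] if major_version.nil? || major_version < 2

  [offending.empty?, offending]
end

# Convenience wrapper: parse raw JSON text and run the check.
def check_report_json(json_text, version_string)
  check_report(JSON.parse(json_text), dast_major_version(version_string))
end

# Constructed sample reports (hypothetical, not real DAST output).
# Stage 1 shape: legacy ZAProxy keys alongside Common Report Format keys.
STAGE1_REPORT_JSON = <<~JSON
  {
    "@generated": "2019-10-01T00:00:00Z",
    "@version": "2.8.0",
    "site": [],
    "spider": {},
    "version": "2.0",
    "vulnerabilities": []
  }
JSON

# Stage 3 shape: Common Report Format keys only.
STAGE3_REPORT_JSON = <<~JSON
  {
    "version": "2.0",
    "vulnerabilities": []
  }
JSON

if $PROGRAM_NAME == __FILE__
  [['1.9.0', STAGE1_REPORT_JSON], ['2.0.1', STAGE1_REPORT_JSON], ['2.0.1', STAGE3_REPORT_JSON]].each do |ver, json|
    ok, fields = check_report_json(json, ver)
    puts "DAST #{ver}: #{ok ? 'OK' : 'FAIL'} (legacy fields: #{fields.inspect})"
  end
end
```

Pointing check_report_json at a real gl-dast-report.json and the DAST_VERSION used in the pipeline turns this into a one-line regression guard for the field removal.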
Edited by Avielle Wolfe