DAST scans do not conform to the 14.0.3 Secure schema
Proposal
There are a select number of DAST scans that produce a report which does not conform to the Secure report schema. This causes the scan to either produce a warning when ingested into GitLab, or worse, fail to be ingested altogether.
This was raised on an internal Slack thread.
More details
This situation has been reported to occur when an alert produced by ZAP does not contain an HTTP message (the cause of which has not been identified).
There are two known problems:
- The 14.0.3 schema does not allow for headers with empty values. This is allowed according to the HTTP spec, and more recent schema versions have corrected this error.
- Having a vulnerabilities[].evidence.request or vulnerabilities[].evidence.response value of null violates the schema. Instead, the field should be omitted.
Implementation plan
- In DAST, omit the request and response when they have no value (gitlab-org/security-products/dast!607 (merged))
- In DAST, upgrade the Secure report to schema version 14.1.2 (gitlab-org/security-products/dast!607 (merged))
- In Browserker, upgrade the Secure report to schema version 14.1.2 (https://gitlab.com/gitlab-org/security-products/analyzers/browserker/-/merge_requests/644)
- Release Browserker
- Upgrade DAST to the latest Browserker (gitlab-org/security-products/dast!608 (merged))
- Release DAST
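To make the two problems above concrete, here is an added example (not DAST or Browserker code) that checks a report fragment for null request/response evidence and empty header values, and strips the null fields the way the first step of the plan describes. The report fragment is constructed, and the header layout (a list of name/value objects under evidence.request.headers) is assumed from the Secure DAST schema.

```python
import copy

# Constructed sample report fragment, not real scan output. Header layout
# (list of {"name", "value"} objects) is assumed from the Secure DAST schema.
SAMPLE_REPORT = {
    "version": "14.0.3",
    "vulnerabilities": [
        # ZAP alert with no HTTP message: request/response emitted as null
        {"id": "v1", "evidence": {"request": None, "response": None}},
        # Header with an empty value, legal in HTTP but rejected by 14.0.3
        {"id": "v2", "evidence": {
            "request": {"headers": [{"name": "Host", "value": "example.test"}]},
            "response": {"headers": [{"name": "X-Empty", "value": ""}]}}},
        # Vulnerability with no evidence at all, which is fine
        {"id": "v3"},
    ],
}


def find_violations(report):
    """Return (vuln_id, description) pairs for the two known schema problems."""
    problems = []
    for vuln in report.get("vulnerabilities", []):
        evidence = vuln.get("evidence") or {}
        for side in ("request", "response"):
            if side in evidence and evidence[side] is None:
                problems.append((vuln.get("id"), f"evidence.{side} is null"))
                continue
            for header in (evidence.get(side) or {}).get("headers", []):
                if header.get("value") == "":
                    name = header.get("name")
                    problems.append((vuln.get("id"), f"empty value for {side} header {name}"))
    return problems


def drop_null_evidence(report):
    """Return a copy with null request/response fields omitted rather than set to null."""
    fixed = copy.deepcopy(report)
    for vuln in fixed.get("vulnerabilities", []):
        evidence = vuln.get("evidence")
        if not isinstance(evidence, dict):
            continue
        for side in ("request", "response"):
            if side in evidence and evidence[side] is None:
                del evidence[side]
    return fixed
```

The empty-header case is left in place by drop_null_evidence on purpose: it is not a DAST bug, and the fix for it is the schema upgrade to 14.1.2 rather than rewriting the evidence.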
Assigning this a weight of 2.
Edited by Philip Cunningham