# Build a DAST:5 release candidate

## Problem

The DAST release candidate, v5.5.0, has been released. This needs to be tested to verify that customers will be able to use it with minimal disruption.

## Proposal

- Test the release candidate.
- Make required changes based on testing.
## Things to test

- Test what happens when the URL isn't set
- Test what happens when the build fails
- Test authentication
- Test the auth report
- Test debug logging; consider lowercase module names. Consider writing the report to `/browserker/gl-dast*.log` so that it's automatically picked up as an artifact
- Test the crawl report
- Test excluding an element
- Test passive scans, active scans, crawl only
- Test the "FULL SCAN" CI/CD variable
- Test excluding a rule
- Verify defaults in DAST vs Browserker
## Things to fix

- cam_swords: !150289 (merged) Update `DAST.latest.gitlab-ci.yml`
  - Set `DAST_VERSION` to `5`.
  - Remove `if [ -z "$DAST_WEBSITE$DAST_API_SPECIFICATION" ]` from script. Set script to `script: [/browserker/analyzer run]`.
  - Remove `after_script` because `/zap/wrk` doesn't exist. If artifacts can be written to the current directory by default, remove it entirely. Otherwise, set `after_script: [cp /browserker/gl-dast-*.* ./]`.
  - Update artifacts:

    ```yaml
    artifacts:
      when: always
      reports:
        dast: gl-dast-report.json
      paths:
        - gl-dast-*.*
    ```

  - Make sure other things to fix are complete first
  - Set
- Update the on demand CI template
  - Need to turn on the feature flag after this
  - Should work regardless of order
- Remove `--dot` from tests, and from `flag_consts` (nice-to-have)
- Remove `ReplayRunner` (nice-to-have)
- adietrich: Create default for data path, should be in the `/browserker` directory (i.e. not exported to users as an artifact)
- adietrich: Create default for secure report, should be `/browserker/gl-dast-report.json`
- adietrich: Create default for number of browsers, default to number of CPUs
- adietrich: Default file log path to `/browserker/gl-dast-scan.log` if file log levels are configured. That way, the user never needs to specify the file log path; it will automatically get picked up by the artifact path `gl-dast-*.*`.
- cam_swords: See if we can create artifacts in the current working directory (without knowing what it is). At the moment, they're saved to `/browserker`, e.g. `/browserker/gl-dast-debug-auth-report.html`. To expose this as an artifact, we have to add `after_script: [cp /browserker/gl-dast-*.* ./]`. See if there's a way for us to remove the `after_script`.
- cam_swords: Target availability check should run by default. A change should be made to `dast` to set `RunAvailabilityCheck = false` in the `BrowserkerConfigurationFile`.
- cam_swords: Set browser width and height to 1300x700 in `config.NewConfig` for parity with what DAST uses
- cam_swords: Set `PluginResourcePath` to `/browserker/resources/` in `config.NewConfig` because this is where definitions are installed in the Dockerfile
- DavidNelsonGL: Allow lowercase names when configuring log (because this is already documented)
- cam_swords: Set `MaxActions` to `10000` in `config.NewConfig` for parity with what DAST uses
- cam_swords: Remove `Timeouts.actionTimeout` because it's not used (nice-to-have)
- cam_swords: Remove `Timeouts.stableAfterAction` because it's not useful (`stableAfterNavigation` is enough) (nice-to-have)
- cam_swords: `DAST_BROWSER_DOM_READY_AFTER_TIMEOUT` / `DAST_PAGE_DOM_STABLE_WAIT` should configure `Timeouts.domReadyAfterTimeout`
- cam_swords: `DAST_BROWSER_NAVIGATION_STABILITY_TIMEOUT` / `DAST_PAGE_DOM_READY_TIMEOUT` should configure `Timeouts.stableAfterNavigation`
- cam_swords: `DAST_BROWSER_NAVIGATION_TIMEOUT` / `DAST_PAGE_READY_AFTER_NAVIGATION_TIMEOUT` should configure `Timeouts.navigationTimeout`
- cam_swords: `DAST_BROWSER_STABILITY_TIMEOUT` / `DAST_PAGE_READY_AFTER_ACTION_TIMEOUT` should configure `Timeouts.defaultStabilityTimeout`
- Bug: Testing DVLA returns duplicate vulnerabilities. These attacks should be marked as duplicates and not sent. There's also a bug where headers aren't included in request/response evidence. (nice-to-have)
- Rename timeout config fields to match names of environment variables (nice-to-have)
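As an added illustration of the four timeout mappings listed above (example code, not Browserker's or GitLab's own): a Go resolver that accepts either CI/CD variable name for each `Timeouts` field, rejects malformed values instead of silently defaulting, and falls back to a default when neither name is set. The struct shape, the precedence rule (first-listed name wins) and the default durations are assumptions; `lookup` is `os.LookupEnv` in a CI job and a map-backed function in tests.

```go
package main

import "fmt"
import "time"

// Timeouts mirrors the four fields named on the page (shape and defaults are assumptions).
type Timeouts struct {
	DomReadyAfterTimeout    time.Duration
	StableAfterNavigation   time.Duration
	NavigationTimeout       time.Duration
	DefaultStabilityTimeout time.Duration
}

// resolve parses the first set variable (page order; assumed precedence) as a Go
// duration, returns def if none is set, and rejects unparsable or non-positive
// values so a typo like "7sec" fails fast instead of silently using the default.
func resolve(lookup func(string) (string, bool), def time.Duration, names ...string) (time.Duration, error) {
	for _, name := range names {
		raw, ok := lookup(name)
		if !ok || raw == "" {
			continue
		}
		d, err := time.ParseDuration(raw)
		if err != nil || d <= 0 {
			return 0, fmt.Errorf("%s=%q: expected a positive duration", name, raw)
		}
		return d, nil
	}
	return def, nil
}

// LoadTimeouts maps each DAST_BROWSER_* / DAST_PAGE_* pair to its Timeouts field.
func LoadTimeouts(lookup func(string) (string, bool)) (t Timeouts, err error) {
	steps := []struct {
		dst   *time.Duration
		def   time.Duration
		names []string
	}{
		{&t.DomReadyAfterTimeout, 500 * time.Millisecond, []string{"DAST_BROWSER_DOM_READY_AFTER_TIMEOUT", "DAST_PAGE_DOM_STABLE_WAIT"}},
		{&t.StableAfterNavigation, 7 * time.Second, []string{"DAST_BROWSER_NAVIGATION_STABILITY_TIMEOUT", "DAST_PAGE_DOM_READY_TIMEOUT"}},
		{&t.NavigationTimeout, 15 * time.Second, []string{"DAST_BROWSER_NAVIGATION_TIMEOUT", "DAST_PAGE_READY_AFTER_NAVIGATION_TIMEOUT"}},
		{&t.DefaultStabilityTimeout, 7 * time.Second, []string{"DAST_BROWSER_STABILITY_TIMEOUT", "DAST_PAGE_READY_AFTER_ACTION_TIMEOUT"}},
	}
	for _, s := range steps {
		if *s.dst, err = resolve(lookup, s.def, s.names...); err != nil {
			return Timeouts{}, err
		}
	}
	return t, nil
}
```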
Edited by Alexander Dietrich