Draft: Refactor top level Python

Review changes
Download
Patches
Plain diff

Avielle Wolfe requested to merge create-scan-coordinator into master Aug 06, 2020

Overview 7
Commits 10
Pipelines 4
Changes 21

What does this MR do?

This MR refactors our top level Python for clarity and extensibility.

NOTE: right now this MR is a spike. It needs unit tests and types added before merging.

Context

I was migrating the active scan logic out of the ZAP scripts when I ran into trouble getting the API scan to work: we have no easy way to pass around an API target. It's easy enough to get the target from config.target for website scans, but we have to get it by loading config.api_specification for API scans. Moreover, an API target host can be overridden via the DAST_API_HOST_OVERRIDE option, and there's an existing bug where that option is ignored if the API specification is given as a file.

At first I tried to repurpose TargetWebsite, but loading the API specification requires access to ZAProxy. This was getting complicated fast! I decided it was time to clean up our top level and make the order of operation clearer so everything can have access to the information it needs.

Summary

I simplified the ZAP scanning process into 9 steps. Note that this is not an exhaustive list of what happens. I'm intending it to just be a summary of the main act:

Parse configuration
Start ZAP
Instantiate ZAProxy
If API: load API specification
Validate and determine target
If website: run spider
If active: run active scan
Run passive scan
Writes reports + print summary

Technical Details

Extract setup for steps 1 - 4 from dependencies.py to ScanInitializer
Extract setup for steps 5 - 9 from dependencies.py to ScanRunner
Since CustomHooks contains functionality for steps 5 - 9, ScanRunner now initializes it
Once CustomHooks is gone, dependencies.py will no longer be necessary and ScanInitializer and ScanRunner can be called directly from zap-scan-launcher.py

What are the relevant issue numbers?

N/A

Does this MR meet the acceptance criteria?

Changelog entry added
Documentation created/updated for GitLab EE, if necessary
Documentation created/updated for this project, if necessary
Documentation reviewed by technical writer or follow-up review issue created
Tests added for this feature/bug
Job definition updated, if necessary
- Job definition example
- Vendored CI Templates (also in CE)
Conforms to the code review guidelines
Conforms to the Go guidelines
Security reports checked/validated by reviewer

Edited Aug 06, 2020 by Avielle Wolfe

Merge request reports

Assignee

Select assignees

Reviewers

Request review from

Time tracking