Skip to content

Draft: Refactor top level Python

Avielle Wolfe requested to merge create-scan-coordinator into master

What does this MR do?

This MR refactors our top level Python for clarity and extensibility.

NOTE: right now this MR is a spike. It needs unit tests and types added before merging.

Context

I was migrating the active scan logic out of the ZAP scripts when I ran into trouble getting the API scan to work: we have no easy way to pass around an API target. It's easy enough to get the target from config.target for website scans, but we have to get it by loading config.api_specification for API scans. Moreover, an API target host can be overridden via the DAST_API_HOST_OVERRIDE option, and there's an existing bug where that option is ignored if the API specification is given as a file.

At first I tried to repurpose TargetWebsite, but loading the API specification requires access to ZAProxy. This was getting complicated fast! I decided it was time to clean up our top level and make the order of operation clearer so everything can have access to the information it needs.

Summary

I simplified the ZAP scanning process into 9 steps. Note that this is not an exhaustive list of what happens. I'm intending it to just be a summary of the main act:

  1. Parse configuration
  2. Start ZAP
  3. Instantiate ZAProxy
  4. If API: load API specification
  5. Validate and determine target
  6. If website: run spider
  7. If active: run active scan
  8. Run passive scan
  9. Writes reports + print summary

Technical Details

  • Extract setup for steps 1 - 4 from dependencies.py to ScanInitializer
  • Extract setup for steps 5 - 9 from dependencies.py to ScanRunner
  • Since CustomHooks contains functionality for steps 5 - 9, ScanRunner now initializes it
  • Once CustomHooks is gone, dependencies.py will no longer be necessary and ScanInitializer and ScanRunner can be called directly from zap-scan-launcher.py

What are the relevant issue numbers?

N/A

Does this MR meet the acceptance criteria?

Edited by Avielle Wolfe

Merge request reports

Loading