
feat(STONEINTG-1119): PoC RapiDAST scan as Konflux I.T. #71

Open
wants to merge 1 commit into main

Conversation


@jencull jencull commented Jan 23, 2025

Part of Konflux-3456

Document how to do DAST for users by adding DAST scanning to rh-trex demo app

jencull (Author) commented Jan 23, 2025

Logs of successful scan:

STEP-RUN-RAPIDDAST

curl -L -o /tmp/ocm https://github.com/openshift-online/ocm-cli/releases/download/v1.0.3/ocm-linux-amd64
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed

0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0

100 50.2M 100 50.2M 0 0 163M 0 --:--:-- --:--:-- --:--:-- 163M
chmod +x /tmp/ocm
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/zap/:/opt/rapidast/:/opt/firefox/:/tmp
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/zap/:/opt/rapidast/:/opt/firefox/:/tmp
cat /tekton/results/authenticated_url
AUTH_URL=http://127.0.0.1:8000/api/rh-trex/v1/dinosaurs
CONFIG_PATH=/workspace/config.yaml
RESULTS_DIR=/tmp/results
LOCAL_OPENAPI_PATH=/workspace/openapi.yaml
curl -L -o /workspace/openapi.yaml https://raw.githubusercontent.com/jencull/rh-trex/main/openapi/openapi.yaml
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed

0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
100 10373 100 10373 0 0 64831 0 --:--:-- --:--:-- --:--:-- 64831
mkdir -p /tmp/results
chmod o+w /tmp/results
cat
/rapidast.py --config /workspace/config.yaml
INFO:Starting the redaction and dumping process for the configuration file: /workspace/config.yaml
INFO:Created destination directory: ./results/test-app/DAST-20250123-142252-RapiDAST-test-app
INFO:Redacting sensitive information from configuration /workspace/config.yaml
INFO:Saving redacted configuration to ./results/test-app/DAST-20250123-142252-RapiDAST-test-app/config.yaml
INFO:Redacted configuration saved successfully
INFO:Starting the redaction and dumping process for the configuration file: /opt/rapidast/./rapidast-defaults.yaml
INFO:Redacting sensitive information from configuration /opt/rapidast/./rapidast-defaults.yaml
INFO:Saving redacted configuration to ./results/test-app/DAST-20250123-142252-RapiDAST-test-app/rapidast-defaults.yaml
INFO:Redacted configuration saved successfully
INFO:Loading defaults from: /opt/rapidast/./rapidast-defaults.yaml
INFO:Next scanner: 'zap'
INFO:Preparing ZAP configuration
INFO:ZAP configured with Authentication using HTTP Header
INFO:Starting validation of ZAP active scan policy: '/opt/rapidast/scanners/zap/policies/API-scan-minimal.policy'
INFO:Validation successful for policy file: '/opt/rapidast/scanners/zap/policies/API-scan-minimal.policy'
INFO:Saved Automation Framework in /tmp/rapidast_zap_nqiuc0n7/workdir/af.yaml
INFO:Running up the ZAP scanner on the host
INFO:The addon state file /tmp/rapidast_zap_nqiuc0n7/zaphomedir/add-ons-state.xml was not created
INFO:The addon state file /tmp/rapidast_zap_nqiuc0n7/zaphomedir/add-ons-state.xml was not created
INFO:Running ZAP with the following command:
['zap.sh', '-dir', '/tmp/rapidast_zap_nqiuc0n7/zaphomedir', '-config', 'network.connection.httpProxy.enabled=false', '-config', 'network.localServers.mainProxy.port=8080', '-Xmx2048m', '-silent', '-newsession', '/tmp/rapidast_zap_nqiuc0n7/workdir/session_data/session', '-cmd', '-autorun', '/tmp/rapidast_zap_nqiuc0n7/workdir/af.yaml']
Found Java version 11.0.25
Available memory: 63281 MB
Using JVM args: -Xmx2048m
409 [main] INFO org.parosproxy.paros.Constant - Copying default configuration to /tmp/rapidast_zap_nqiuc0n7/zaphomedir/config.xml
489 [main] INFO org.parosproxy.paros.Constant - Creating directory /tmp/rapidast_zap_nqiuc0n7/zaphomedir/session
489 [main] INFO org.parosproxy.paros.Constant - Creating directory /tmp/rapidast_zap_nqiuc0n7/zaphomedir/dirbuster
489 [main] INFO org.parosproxy.paros.Constant - Creating directory /tmp/rapidast_zap_nqiuc0n7/zaphomedir/fuzzers
489 [main] INFO org.parosproxy.paros.Constant - Creating directory /tmp/rapidast_zap_nqiuc0n7/zaphomedir/plugin
Jan 23, 2025 2:22:55 PM java.util.prefs.FileSystemPreferences$1 run
INFO: Created user preferences directory.
This ZAP installation is over a year old - its probably very out of date
Job sessionManagement set method = cookie
Job sessionManagement set parameters = {}
Job passiveScan-config set disableAllRules = true
Job passiveScan-config set enableTags = false
Job passiveScan-config set maxAlertsPerRule = 10
Job passiveScan-config set maxBodySizeInBytesToScan = 10,000
Job passiveScan-config set scanOnlyInScope = true
Job requestor set user =
Job openapi set apiFile = /tmp/rapidast_zap_nqiuc0n7/workdir/openapi.json
Job openapi set context = Default Context
Job openapi set targetUrl = http://127.0.0.1:8000/api/rh-trex/v1/dinosaurs/
Job activeScan set context = Default Context
Job activeScan set policy = API-scan-minimal
Job activeScan set user =
Job report set displayReport = false
Job report set reportDescription =
Job report set reportDir = /tmp/rapidast_zap_nqiuc0n7/workdir/reports/
Job report set reportFile = zap-report.json
Job report set reportTitle = ZAP Scanning Report
Job report set template = traditional-json-plus
Job report set displayReport = false
Job report set reportDescription =
Job report set reportDir = /tmp/rapidast_zap_nqiuc0n7/workdir/reports/
Job report set reportFile = zap-report.html
Job report set reportTitle = ZAP Scanning Report
Job report set template = traditional-html-plus
Job outputSummary set format = LONG
Job outputSummary set summaryFile = /tmp/rapidast_zap_nqiuc0n7/workdir/summary.json
Job export-site-tree-filename-global-var-add set action = add
Job export-site-tree-filename-global-var-add set engine = ECMAScript : Graal.js
Job export-site-tree-filename-global-var-add set inline =
org.zaproxy.zap.extension.script.ScriptVars.setGlobalVar('siteTreeFileName','zap-site-tree.json')

Job export-site-tree-filename-global-var-add set name = export-site-tree-filename-global-var
Job export-site-tree-filename-global-var-add set type = standalone
Job export-site-tree-filename-global-var-run set action = run
Job export-site-tree-filename-global-var-run set name = export-site-tree-filename-global-var
Job export-site-tree-filename-global-var-run set type = standalone
Job export-site-tree-add set action = add
Job export-site-tree-add set engine = ECMAScript : Graal.js
Job export-site-tree-add set file = /opt/rapidast/scanners/zap/scripts/export-site-tree.js
Job export-site-tree-add set name = export-site-tree
Job export-site-tree-add set type = standalone
Job export-site-tree-run set action = run
Job export-site-tree-run set name = export-site-tree
Job export-site-tree-run set type = standalone
Job passiveScan-config started
Job passiveScan-config finished, time taken: 00:00:00
Job requestor started
Job requestor finished, time taken: 00:00:00
Job openapi started
Job openapi added 4 URLs
Job openapi finished, time taken: 00:00:00
Job activeScan started
Job activeScan finished, time taken: 00:00:02
Job report started
Job report generated report /tmp/rapidast_zap_nqiuc0n7/workdir/reports/zap-report.json
Job report finished, time taken: 00:00:00
Job report started
Job report generated report /tmp/rapidast_zap_nqiuc0n7/workdir/reports/zap-report.html
Job report finished, time taken: 00:00:00
Job outputSummary started
Total of 11 URLs
FAIL-NEW: 0 FAIL-INPROG: 0 WARN-NEW: 0 WARN-INPROG: 0 INFO: 0 IGNORE: 0 PASS: 0
Job outputSummary finished, time taken: 00:00:00
Job script started
Job: export-site-tree-filename-global-var-add Start action: add
Job script finished, time taken: 00:00:00
Job script started
Job: export-site-tree-filename-global-var-run Start action: run
Job script finished, time taken: 00:00:00
Job script started
Job: export-site-tree-add Start action: add
Job script finished, time taken: 00:00:00
Job script started
Job: export-site-tree-run Start action: run
Site tree data has been written to: /tmp/rapidast_zap_nqiuc0n7/workdir/session_data/zap-site-tree.json
Job script finished, time taken: 00:00:00
Automation plan succeeded!
INFO:The ZAP process finished with no errors, and exited with code 0
INFO:Running postprocess for the ZAP Host environment
INFO:Extracting report, storing in ./results/test-app/DAST-20250123-142252-RapiDAST-test-app/zap
INFO:Saving the session as evidence
INFO:Copying site tree from /tmp/rapidast_zap_nqiuc0n7/workdir/session_data/zap-site-tree.json to ./results/test-app/DAST-20250123-142252-RapiDAST-test-app/zap
INFO:Running cleanup for the ZAP Host environment
INFO:scanner: 'zap' completed successfully
RapiDAST scan completed. Checking results...
echo 'RapiDAST scan completed. Checking results...'
find ./results -type d -name 'DAST-*' -print -quit
FINAL_RESULTS_DIR=./results/test-app/DAST-20250123-142252-RapiDAST-test-app
'[' -z ./results/test-app/DAST-20250123-142252-RapiDAST-test-app ']'
[INFO] Results found in: ./results/test-app/DAST-20250123-142252-RapiDAST-test-app
echo '[INFO] Results found in: ./results/test-app/DAST-20250123-142252-RapiDAST-test-app'
ls -l ./results/test-app/DAST-20250123-142252-RapiDAST-test-app
total 8
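The step above ends with a directory listing rather than a pass/fail decision, while the ZAP summary line only reports counts. As an added example (not code from this PR, from rh-trex or from RapiDAST), the following Python script turns the ZAP JSON report into an integration-test gate: it counts alerts per risk level and exits non-zero when any alert exceeds an allowed risk. It assumes the report is the `traditional-json-plus` file the log names (`zap-report.json`, copied under the results directory's `zap/` folder) and ZAP's `site[].alerts[].riskcode` layout; the embedded sample report, its URLs and its alerts are constructed for illustration.

```python
"""Gate a DAST integration test on a ZAP JSON report.

Added example, not part of the PR or of RapiDAST. Assumes ZAP's
traditional-json-plus layout: a top-level "site" list whose entries carry an
"alerts" list; each alert has "riskcode" ("0" info .. "3" high), "alert" (the
rule name) and "instances" (affected URIs). Field names are assumptions taken
from that report format, not from the page.
"""
import argparse
import json
import sys
from pathlib import Path

# ZAP risk codes as emitted in "riskcode".
RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}

# Constructed sample report (not real scan output) so the script runs offline.
SAMPLE_REPORT = {
    "@version": "constructed-sample",
    "site": [
        {
            "@name": "http://127.0.0.1:8000",
            "alerts": [
                {
                    "pluginid": "sample-1",
                    "alert": "X-Content-Type-Options Header Missing",
                    "riskcode": "1",
                    "riskdesc": "Low (Medium)",
                    "instances": [
                        {"uri": "http://127.0.0.1:8000/api/rh-trex/v1/dinosaurs/", "method": "GET"}
                    ],
                },
                {
                    "pluginid": "sample-2",
                    "alert": "Application Error Disclosure",
                    "riskcode": "2",
                    "riskdesc": "Medium (Medium)",
                    "instances": [
                        {"uri": "http://127.0.0.1:8000/api/rh-trex/v1/dinosaurs/", "method": "POST"}
                    ],
                },
            ],
        }
    ],
}


def iter_alerts(report: dict):
    """Yield every alert across all sites in the report."""
    for site in report.get("site", []):
        yield from site.get("alerts", [])


def summarize_alerts(report: dict) -> dict[int, int]:
    """Count distinct alerts (rules, not instances) per risk code."""
    counts = {code: 0 for code in RISK_NAMES}
    for alert in iter_alerts(report):
        code = int(alert.get("riskcode", "0"))
        counts[code] = counts.get(code, 0) + 1
    return counts


def gate(report: dict, max_risk_allowed: int = 1) -> tuple[bool, list[str]]:
    """Return (passed, findings); fails when any alert's risk exceeds the threshold."""
    findings = []
    for alert in iter_alerts(report):
        code = int(alert.get("riskcode", "0"))
        if code > max_risk_allowed:
            uris = sorted({i.get("uri", "?") for i in alert.get("instances", [])})
            findings.append(
                f"{RISK_NAMES.get(code, code)}: {alert.get('alert', '<unnamed>')} "
                f"at {', '.join(uris) or '<no instances>'}"
            )
    return (not findings, findings)


def load_report(path: str) -> dict:
    """Read a ZAP JSON report from disk."""
    return json.loads(Path(path).read_text(encoding="utf-8"))


def main(argv=None) -> int:
    parser = argparse.ArgumentParser(description="Fail when ZAP alerts exceed an allowed risk.")
    parser.add_argument("report", nargs="?", help="path to zap-report.json (omit to use the sample)")
    parser.add_argument("--max-risk", type=int, default=1, help="highest riskcode tolerated (0-3)")
    args = parser.parse_args(argv)

    report = load_report(args.report) if args.report else SAMPLE_REPORT
    for code, count in sorted(summarize_alerts(report).items()):
        print(f"{RISK_NAMES.get(code, code):>13}: {count}")
    passed, findings = gate(report, args.max_risk)
    for line in findings:
        print(f"FAIL {line}")
    print("DAST gate:", "PASS" if passed else "FAIL")
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main())
```

In the Tekton step this would replace the final `ls -l`, for instance `python3 zap_gate.py "$FINAL_RESULTS_DIR/zap/zap-report.json" --max-risk 1`, so the task's exit code reflects the scan outcome. Counting alerts rather than instances keeps the threshold stable when one rule fires on many URLs; the assumed report path should be confirmed against the directory listing of a real run.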

jencull force-pushed the stoneintg-1119 branch 3 times, most recently from 2d5a674 to 9d2fd4b, on January 24, 2025 13:51
jencull marked this pull request as draft on January 24, 2025 13:51
jencull force-pushed the stoneintg-1119 branch 6 times, most recently from ff19a1b to e515d42, on January 27, 2025 10:38
jencull marked this pull request as ready for review on January 27, 2025 10:48
jencull (Author) commented Jan 27, 2025

@markturansky @gurnben PoC for running RapiDAST scan as an integration test on Konflux. Logs of output above. Thank you for your review. Jen.

gurnben (Contributor) commented Feb 14, 2025

/ok-to-test
