Revert "merge for 2.9.1 (#286)"

This reverts commit fefb91f.

.tekton/integration-test.yaml

@@ -1,5 +1,5 @@
 ---
-apiVersion: tekton.dev/v1
+apiVersion: tekton.dev/v1beta1
 kind: Pipeline
 metadata:
   name: rapidast-e2e
@@ -54,11 +54,13 @@ spec:
           - name: revision
             value: main
           - name: pathInRepo
-            value: task/eaas-provision-space/0.1/eaas-provision-space.yaml
+            value: task/provision-env-with-ephemeral-namespace/0.1/provision-env-with-ephemeral-namespace.yaml
       params:
-        - name: ownerName
+        - name: KONFLUXNAMESPACE
+          value: $(context.pipelineRun.namespace)
+        - name: PIPELINERUN_NAME
           value: $(context.pipelineRun.name)
-        - name: ownerUid
+        - name: PIPELINERUN_UID
           value: $(context.pipelineRun.uid)
 
     - name: copy-nessus-secret
@@ -101,11 +103,13 @@ spec:
           - name: revision
             value: main
           - name: pathInRepo
-            value: task/eaas-provision-space/0.1/eaas-provision-space.yaml
+            value: task/provision-env-with-ephemeral-namespace/0.1/provision-env-with-ephemeral-namespace.yaml
       params:
-        - name: ownerName
+        - name: KONFLUXNAMESPACE
+          value: $(context.pipelineRun.namespace)
+        - name: PIPELINERUN_NAME
           value: $(context.pipelineRun.name)
-        - name: ownerUid
+        - name: PIPELINERUN_UID
           value: $(context.pipelineRun.uid)
 
     # XXX integrations tests can't reference Tasks in the same PR AFAICT

.tekton/rapidast-push.yaml

@@ -414,7 +414,7 @@ spec:
             default: []
         steps:
           - name: select-tags-based-on-branch
-            image: registry.access.redhat.com/ubi9/ubi-minimal:9.5-1736404155@sha256:e408de45e95eed0539fe821d31aa4288fe430d94f09a24c13c567bf99044dace
+            image: registry.access.redhat.com/ubi9/ubi-minimal:9.4-1194@sha256:73f7dcacb460dad137a58f24668470a5a2e47378838a0190eef0ab532c6e8998
             script: |
               #!/bin/bash -ex
 

README.md

@@ -6,15 +6,13 @@ RapiDAST (Rapid DAST) is an open-source security testing tool that automates DAS
 
 RapiDAST provides:
 
-- Automated HTTP/API security scanning using ZAP
-- Kubernetes operator scanning using OOBTKUBE
-- Automated vulnerability scanning using Nessus (requires a Nessus instance)
+- Simplified HTTP/API security scanning using [ZAP]
 - Command-line execution with yaml configuration, suitable for integration in CI/CD pipelines
 - Ability to run automated DAST scanning with pre-built or custom container images
 - HTML, JSON and XML report generation
-- Integration with Google Cloud Storage and [OWASP DefectDojo](https://owasp.org/www-project-defectdojo/)
+- Integration with reporting solutions such as [OWASP DefectDojo](https://owasp.org/www-project-defectdojo/)
 
-RapiDAST is for testing purposes, and should not be used on production systems.
+RapiDAST is used for testing applications, and should not be used on production systems.
 
 ## Quickstart
 
@@ -179,10 +177,7 @@ This method uses firefox in the background to load a login page and fill in user
         * `username`
         * `password`
         * `loginPageUrl`: the URL to the login page (either the full URL, or relative to the `application.url` value)
-        * `loginPageWait`: The number of seconds to wait after submitting the login form before the browser is closed. (default: 2)
         * `verifyUrl`: a URL that "proves" the user is authenticated (either the full URL, or relative to the `application.url` value). This URL must return a success if the user is correctly authenticated, and an error otherwise.
-        * `loggedInRegex`: Regex pattern used to identify Logged in messages (default: `\\Q 200 OK\\`)
-        * `loggedOutRegex`: Regex pattern used to identify Logged Out messages (default: `\\Q 403 Forbidden\\`)
 
 ### MacOS
 
@@ -493,26 +488,6 @@ scanners:
         	- formhandler.fields.field(0).value=default
 ```
 
-#### Nessus
-
-Nessus is a vulnerability scanner developed by Tenable, Inc. It helps organizations identify and address security vulnerabilities across various systems, devices, and applications.
-
-The following is an example to launch a scan:
-```yaml
-scanners:
-  nessus:
-    server:
-      url: https://nessus-example.com/ # URL of Nessus instance
-      username: foo # OR username_from_var: NESSUS_USER
-      password: bar # OR password_from_var: NESSUS_PASSWORD
-    scan:
-      name: test-scan # name of new scan to create
-      folder: test-folder # name of folder in to contain scan
-      policy: "py-test" # policy used for scan
-      # timeout: 600 # timeout in seconds to complete scan
-      targets:
-      - 127.0.0.1
-```
 
 #### Generic scanner
 

config/config-template-generic-scan.yaml

@@ -7,7 +7,7 @@ config:
   # This value tells RapiDAST what schema should be used to read this configuration.
   # Therefore you should only change it if you update the configuration to a newer schema
   # It is intended to keep backward compatibility (newer RapiDAST running an older config)
-  configVersion: 6
+  configVersion: 5
 
   # (Optional) configure to export scan results to OWASP Defect Dojo
   #defectDojo:

config/config-template-multi-scan.yaml

@@ -10,7 +10,7 @@ config:
   # This value tells RapiDAST what schema should be used to read this configuration.
   # Therefore you should only change it if you update the configuration to a newer schema
   # It is intended to keep backward compatibility (newer RapiDAST running an older config)
-  configVersion: 6
+  configVersion: 5
 
 # `application` contains data related to the application, not to the scans.
 application:

config/config-template-nessus.yaml

@@ -2,7 +2,7 @@ config:
   # WARNING: `configVersion` indicates the schema version of the config file.
   # This value tells RapiDAST what schema should be used to read this configuration.
   # Therefore you should only change it if you update the configuration to a newer schema
-  configVersion: 6
+  configVersion: 5
 
   # all the results of all scanners will be stored under that location
   # base_results_dir: "./results"

config/config-template-trivy-image-scan.yaml

@@ -7,7 +7,7 @@ config:
   # This value tells RapiDAST what schema should be used to read this configuration.
   # Therefore you should only change it if you update the configuration to a newer schema
   # It is intended to keep backward compatibility (newer RapiDAST running an older config)
-  configVersion: 6
+  configVersion: 5
 
 # `application` contains data related to the application, not to the scans.
 application:

config/config-template-trivy-k8s-scan.yaml

@@ -7,7 +7,7 @@ config:
   # This value tells RapiDAST what schema should be used to read this configuration.
   # Therefore you should only change it if you update the configuration to a newer schema
   # It is intended to keep backward compatibility (newer RapiDAST running an older config)
-  configVersion: 6
+  configVersion: 5
 
 # `application` contains data related to the application, not to the scans.
 application:
@@ -40,7 +40,7 @@ scanners:
     # 'inline' is used when container.type is not 'podman'
     # 'toolDir' specifies the default directory where inline scripts are located
     #toolDir: scanners/generic/tools
-    inline: "trivy k8s --kubeconfig=/opt/rapidast/.kube/config -n default pod --scanners=misconfig --report all --format json | convert_trivy_k8s_to_sarif.py"
+    inline: "trivy k8s --kubeconfig=/home/rapidast/.kube/config -n default pod --scanners=misconfig --report all --format json | convert_trivy_k8s_to_sarif.py"
 
     container:
       parameters:

config/config-template-zap-long.yaml

@@ -10,7 +10,7 @@ config:
   # This value tells RapiDAST what schema should be used to read this configuration.
   # Therefore you should only change it if you update the configuration to a newer schema
   # It is intended to keep backward compatibility (newer RapiDAST running an older config)
-  configVersion: 6
+  configVersion: 5
 
   # all the results of all scanners will be stored under that location
   base_results_dir: "./results"
@@ -76,10 +76,6 @@ general:
     #  password: "mypassw0rd"
     #  loginPageUrl: "https://myapp/login"
     #  verifyUrl: "https://myapp/user/info"
-    #  loginPageWait: 2,
-    #  loggedInRegex: "\\Q 200 OK\\E"
-    #  loggedOutRegex: "\\Q 403 Forbidden\\E"
-
 
 
   container:
@@ -122,10 +118,8 @@ scanners:
         apiUrl: "<URL to openAPI>"
         # alternative to apiURL: apiFile: "<local path to openAPI file>"
 
-    # A list of URLs can also be provided, type supported: 'har', 'modsec2', 'url' (default), 'zap_messages'
-    importUrlsFromFile:
-      type: "url"
-      fileName: "<path to import URL>"
+    # A list of URLs can also be provided, from a text file (1 URL per line)
+    importUrlsFromFile: "<path to import URL>"
 
     graphql:
       endpoint: "<URL to GraphQL API endpoint>"
@@ -157,18 +151,6 @@ scanners:
       # Use https://www.zaproxy.org/docs/alerts/ to match rule with its ID
       disabledRules: "2,10015,10024,10027,10054,10096,10109,10112"
 
-    #replacer:                          # replacer replaces strings in requests and responses during active scan
-    #  parameters:
-    #    deleteAllRules: True           # Boolean, if true then will delete all existing replacer rules, default false
-    #  rules:                           # list of rules
-    #  - description:                   # String, the name of the rule
-    #    url:                           # (optional) String, a regex which will be used to match URLs, if empty then it will match all
-    #    matchType:                     # String, one of req_header, req_header_str, req_body_str, resp_header, resp_header_str, resp_body_str
-    #    matchString:                   # String, will be used to identify what should be replaced
-    #    matchRegex:                    # Boolean, if set then the matchString will be treated as a regex, default false
-    #    replacementString:             # String, the new string that will replace the specified selection
-    #    tokenProcessing:               # (optional) Boolean, when enabled the replacementString may contain a single token
-
     activeScan:
       # The list of parameters: https://www.zaproxy.org/docs/desktop/addons/ajax-spider/automation/
       #maxRuleDurationInMins: max scan time for each Rule (default: unlimited)

config/config-template-zap-mac.yaml

@@ -10,7 +10,7 @@ config:
   # This value tells RapiDAST what schema should be used to read this configuration.
   # Therefore you should only change it if you update the configuration to a newer schema
   # It is intended to keep backward compatibility (newer RapiDAST running an older config)
-  configVersion: 6
+  configVersion: 5
 
 # `application` contains data related to the application, not to the scans.
 application:

config/config-template-zap-simple.yaml

@@ -10,7 +10,7 @@ config:
   # This value tells RapiDAST what schema should be used to read this configuration.
   # Therefore you should only change it if you update the configuration to a newer schema
   # It is intended to keep backward compatibility (newer RapiDAST running an older config)
-  configVersion: 6
+  configVersion: 5
 
 # `application` contains data related to the application, not to the scans.
 application:

config/config-template-zap-tiny.yaml

@@ -1,5 +1,5 @@
 config:
-  configVersion: 6
+  configVersion: 5
 
 application:
   shortName: "example-1.0"

configmodel/converter.py

@@ -5,7 +5,7 @@
 
 # WARNING: this needs to be incremented everytime a non-compatible change is made in the configuration.
 # A corresponding function also needs to be written
-CURR_CONFIG_VERSION = 6
+CURR_CONFIG_VERSION = 5
 
 
 def config_converter_dispatcher(func):
@@ -48,25 +48,6 @@ def convert_configmodel(conf):
     raise RuntimeError(f"There was an error in converting configuration. No convertion available for version {version}")
 
 
-@convert_configmodel.register(5)
-def convert_from_version_5_to_6(old):
-    """Returns a *copy* of the original rapidast config file, but updated to v6
-    scanner.zap.importUrlsFromFile is now a dictionary, not a string
-    """
-    new = copy.deepcopy(old)
-
-    for key in old.conf["scanners"]:
-        if key.startswith("zap") and old.exists(f"scanners.{key}.importUrlsFromFile"):
-            new.delete(f"scanners.{key}.importUrlsFromFile")  # start from fresh
-            new.set(f"scanners.{key}.importUrlsFromFile.fileName", old.get(f"scanners.{key}.importUrlsFromFile"))
-            new.set(f"scanners.{key}.importUrlsFromFile.type", "url")
-
-    # Finally, set the correct version number
-    new.set("config.configVersion", 6)
-
-    return new
-
-
 @convert_configmodel.register(4)
 def convert_from_version_4_to_5(old):
     """Returns a *copy* of the original rapidast config file, but updated to v5

containerize/Containerfile

@@ -9,12 +9,12 @@ RUN microdnf install -y tar gzip bzip2 java-11-openjdk nodejs
 
 ## ZAP, build and install scanners in advance (more scanners will be added)
 RUN mkdir -p /opt/zap /tmp/zap && \
-  curl -sfL 'https://github.com/zaproxy/zaproxy/releases/download/v2.15.0/ZAP_2.15.0_Linux.tar.gz' | tar zxvf - -C /tmp/zap && \
-  mv -T /tmp/zap/ZAP_2.15.0 /opt/zap && \
+  curl -sfL 'https://github.com/zaproxy/zaproxy/releases/download/v2.14.0/ZAP_2.14.0_Linux.tar.gz' | tar zxvf - -C /tmp/zap && \
+  mv -T /tmp/zap/ZAP_2.14.0 /opt/zap && \
   ### Update add-ons
   /opt/zap/zap.sh -cmd -silent -addonupdate && \
   ### Copy them to installation directory
-  cp /root/.ZAP/plugin/*.zap /opt/zap/plugin/
+  cp /root/.ZAP/plugin/*.zap /opt/zap/plugin/ || :
 
 ## Firefox, for Ajax
 RUN mkdir -p /opt/firefox /tmp/firefox && \
@@ -72,13 +72,14 @@ RUN microdnf install -y --setopt=install_weak_deps=0 java-11-openjdk shadow-util
   pip3 install --no-cache-dir -r /opt/rapidast/requirements.txt && \
   ln -s /opt/redocly/node_modules/@redocly/cli/bin/cli.js /usr/local/bin/redocly
 
-RUN useradd -u 1000 -d /opt/rapidast -m -s /bin/bash rapidast && \
-  chown -R 1000 /opt/rapidast && \
-  # OpenShift runs containers with arbitrary user ids, belonging to root group
-  chgrp -R 0 /opt/rapidast && \
-  chmod -R g=u /opt/rapidast
+### Allow the `dast` usergroup to make modifications to rapidast
+RUN groupadd dast && \
+  chown -R :dast /opt/rapidast && \
+  chmod -R g+w /opt/rapidast && \
+  ### Allow a user of random UID(e.g. on OpenShift) to create a custom scan policy file
+  chmod -R a+w /opt/rapidast/scanners/zap/policies && \
+  useradd -u 1000 -d /home/rapidast -m -s /bin/bash -G dast rapidast && \
+  echo rapidast:rapidast | chpasswd
 
 USER rapidast
 WORKDIR /opt/rapidast
-ENV HOME /opt/rapidast
-ENTRYPOINT ["./rapidast.py"]

e2e-tests/conftest.py

@@ -157,7 +157,7 @@ def teardown_class(cls):
                 logging.debug(f"calling {func}")
                 func()
         # XXX oobtukbe does not clean up after itself
-        os.system(f"kubectl delete ConfigMap/vulnerable -n {NAMESPACE}")
+        os.system(f"kubectl delete Task/vulnerable -n {NAMESPACE}")
 
     def create_from_yaml(self, path: str):
         # delete resources in teardown method later

e2e-tests/manifests/rapidast-nessus-pod.yaml

@@ -4,7 +4,13 @@ metadata:
   name: rapidast-nessus
 spec:
   containers:
-  - env:
+  - command:
+    - bash
+    - -c
+    - ./rapidast.py
+    env:
+    - name: HOME
+      value: /opt/rapidast
     - name: NESSUS_USER
       value: admin
     - name: NESSUS_PASSWORD
@@ -22,6 +28,8 @@ spec:
     volumeMounts:
     - name: config-volume
       mountPath: /opt/rapidast/config
+  securityContext:
+    supplementalGroups: [1000] # "dast" group, necessary to write to /opt/rapidast/results if no PVC mounted
   volumes:
   - name: config-volume
     configMap:

e2e-tests/manifests/rapidast-oobtkube-configmap.yaml

@@ -21,15 +21,25 @@ data:
         results: "/tmp/oobtkube.sarif.json"   # if None or "*stdout", the command's standard output is selected
         # toolDir: scanners/generic/tools
         inline: "python3 oobtkube.py --log-level debug -d 60 -p 6000 -i rapidast-oobtkube -f /opt/rapidast/config/cr_example.yaml | tee /tmp/oobtkube.sarif.json"
-  # ConfigMap is used as target because it is a default resource
+  # XXX using tekton Task because it has:
+  # - a resource type that has a .spec field (required by oobtkube script)
+  # - fields in .spec that are arbitrary string (.spec.description)
+  # this could be replaced later with something more common like a ConfigMap,
+  # once oobtkube can test non .spec values
   cr_example.yaml: |+
-    apiVersion: v1
-    kind: ConfigMap
+    apiVersion: tekton.dev/v1
+    kind: Task
     metadata:
       name: vulnerable
-    data:
-      foo: bar
-      target: foobar
+    spec:
+      description: foobar
+      params:
+        - name: foo
+          type: string
+      steps:
+      - image: foo
+        name: foo
+        script: foo
 
 kind: ConfigMap
 metadata: