add rapidast config and instruction to run it #1054
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: PratikMahajan. The full list of commands accepted by this bot can be found here. The pull request process is described here. Details: Needs approval from an approver in each of these files:
@PratikMahajan: The following tests failed, say
Full PR test history. Your PR dashboard. Details: Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
DavidHurta left a comment
A few notes and requests for changes.
Is there also a Jira we can link the PR to using the PR title?
| podman run --rm \ | ||
| -v $(pwd)/rapidast-config.yaml:/tmp/config.yaml \ | ||
| -v $(pwd)/results:/opt/rapidast/results \ | ||
| quay.io/redhatproductsecurity/rapidast:latest \ | ||
| --config /tmp/config.yaml |
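Review bot: the two -v mounts in this podman run use an unquoted $(pwd), so a checkout path containing a space splits the argument into two; quoting each as -v "$(pwd)/rapidast-config.yaml:/tmp/config.yaml" avoids that. Separately, quay.io/redhatproductsecurity/rapidast:latest is a floating tag, so two people following this documented command can scan with different tool versions and get different findings; pinning to a release tag or image digest would make the scan reproducible.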
Running the command as is results in the following (with modified results directory permissions):
$ podman run -v $(pwd)/rapidast-config.yaml:/tmp/config.yaml -v $(pwd)/results:/opt/rapidast/results quay.io/redhatproductsecurity/rapidast:latest --config /tmp/config.yaml
Traceback (most recent call last):
File "/opt/rapidast/./rapidast.py", line 625, in <module>
run()
File "/opt/rapidast/./rapidast.py", line 348, in run
validate_config_schema(config_file)
File "/opt/rapidast/./rapidast.py", line 293, in validate_config_schema
config = yaml.safe_load(load_config_file(config_file))
File "/opt/rapidast/./rapidast.py", line 91, in load_config_file
return open(config_file_location, mode="r", encoding="utf-8")
PermissionError: [Errno 13] Permission denied: '/tmp/config.yaml'
I had a look at the respective docs. They reference the usage of :Z regarding the permissions on the mounts.
| podman pull quay.io/redhatproductsecurity/rapidast:latest | ||
|
|
||
| # Create results directory | ||
| mkdir -p results |
Running the following podman command as is results in:
$ podman run -v $(pwd)/rapidast-config.yaml:/tmp/config.yaml:Z -v $(pwd)/results:/opt/rapidast/results:Z quay.io/redhatproductsecurity/rapidast:latest --config /tmp/config.yaml
INFO:Validating configuration
INFO:Configuration is valid
INFO:Starting the redaction and dumping process for the configuration file: /tmp/config.yaml
ERROR:Error occurred while dumping redacted config: [Errno 13] Permission denied: './results/openshift-upgrades-api'
ERROR:Failed to dump configuration. Exiting.
I had a look at the respective docs. They reference running $ chmod o+w ./results after creating the directory. This fixes the issue for me.
Maybe because I am a Mac user (same as Pratik?), the exact command works for me.
NIT: Could we add dist/rapidast/results/ into .gitignore?
| -v $(pwd)/rapidast-config.yaml:/tmp/config.yaml \ | ||
| -v $(pwd)/results:/opt/rapidast/results \ | ||
| quay.io/redhatproductsecurity/rapidast:latest \ | ||
| --config /tmp/config.yaml |
Note: We can omit the --config flag if we utilize the default configuration path /opt/rapidast/config/config.yaml for the mount. Noting this in case you find it helpful.
| # 10054: Cookie without SameSite Attribute (not applicable) | ||
| # 10112: Session Management Response Identified (not applicable) | ||
| disabledRules: "10054,10112" | ||
|
|
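Review bot: both suppressed rules are annotated "(not applicable)" but the reason is not recorded in the file; stating why 10054 (Cookie without SameSite Attribute) and 10112 (Session Management Response Identified) do not apply to this API gives a later reviewer a basis for deciding whether disabledRules can stay as is if the API starts handling cookies or sessions.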
Note: I have quickly found out that HTML reports are supported! Could we add them as a format for a human-readable output? Although that may depend on how the configuration is to be consumed, which is not clear to me at the moment.
| report: | |
| format: ["json","html"] | |
|
And the cargo-test is failing?? 👀
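As an added example (not code from the PR or from the RapidAST project), the following POSIX shell wrapper folds together the points raised in the review thread above: ":Z" relabelling on both bind mounts, "chmod o+w" on the results directory, and mounting the config at the default path /opt/rapidast/config/config.yaml so the --config flag is not needed. The RAPIDAST_RUN switch, the RAPIDAST_IMAGE variable and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Wrapper for the PR's podman invocation with the two review fixes folded in:
# ":Z" SELinux relabelling on both bind mounts and "chmod o+w" on the results
# directory so the container user can write into it. The config is mounted at
# RapidAST's default path /opt/rapidast/config/config.yaml, so no --config flag
# is needed. RAPIDAST_IMAGE, RAPIDAST_RUN and the function names are this
# example's own choices, not part of the PR.
set -eu

# Floating tag kept for parity with the PR; pin to a digest for reproducible scans.
RAPIDAST_IMAGE="${RAPIDAST_IMAGE:-quay.io/redhatproductsecurity/rapidast:latest}"

# Resolve a path to absolute form; podman requires absolute host paths for -v.
abspath() {
    case "$1" in
        /*) printf '%s\n' "$1" ;;
        *)  printf '%s\n' "$PWD/$1" ;;
    esac
}

# Create the results directory and make it writable by others, as the RapidAST
# docs recommend; fail if the permission change did not take effect.
prepare_results_dir() {
    dir="$1"
    mkdir -p "$dir"
    chmod o+w "$dir"
    if [ -z "$(find "$dir" -maxdepth 0 -perm -o+w)" ]; then
        echo "error: $dir is not writable by others" >&2
        return 1
    fi
}

# Print the podman command one argument per line, so it can be reviewed as a
# dry run or fed to xargs -0. Every mount carries ":Z" so SELinux labels the
# host files for the container; the config lands at the default path, so no
# --config argument is emitted.
build_rapidast_cmd() {
    config="$1"
    results="$2"
    printf '%s\n' podman run --rm \
        -v "$(abspath "$config"):/opt/rapidast/config/config.yaml:Z" \
        -v "$(abspath "$results"):/opt/rapidast/results:Z" \
        "$RAPIDAST_IMAGE"
}

# Usage: ./run-rapidast.sh [config] [results-dir]
# Dry run by default; set RAPIDAST_RUN=1 to prepare the directory and start
# the scan.
config_file="${1:-rapidast-config.yaml}"
results_dir="${2:-results}"
if [ "${RAPIDAST_RUN:-0}" = "1" ]; then
    prepare_results_dir "$results_dir"
    build_rapidast_cmd "$config_file" "$results_dir" \
        | tr '\n' '\0' | xargs -0 sh -c 'exec "$@"' sh
else
    echo "dry run; would execute:"
    build_rapidast_cmd "$config_file" "$results_dir" | tr '\n' ' '
    echo
fi
```

Printing the command one argument per line and handing it to xargs -0 keeps paths with spaces intact, which the unquoted $(pwd) in the original command does not.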
hongkailiu left a comment
The scanning result does not look bad.
2 Low and 1 Informative risks. 😄
| @@ -0,0 +1,26 @@ | |||
| # RapidAST Security Scanning | |||
|
|
|||
| Run automated security scans against OpenShift APIs using RapidAST container. | |||
NIT: to keep this consistent with the last section on the page.
| Run automated security scans against OpenShift APIs using RapidAST container. | |
| Run automated security scans against OpenShift upgrades APIs using RapidAST container. |
|
|
||
| # Additional ZAP extensions | ||
| miscOptions: | ||
| additionalAddons: "ascanrulesBeta" # Beta active scan rules |
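Review bot: the inline comment "Beta active scan rules" on additionalAddons restates the add-on name without saying why the beta rule set is enabled; since a beta rule set is by definition still under development and may produce findings that need extra triage, the file should record which checks the scan needs from ascanrulesBeta, or drop the option if the default active scan rules already cover them.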
What is ascanrulesBeta for?
I cannot see its meaning in https://github.com/search?q=repo%3ARedHatProductSecurity%2Frapidast%20ascanrulesBeta&type=code
I cannot tell the difference either in the generated report without miscOptions.
No description provided.