Releases: RedHatProductSecurity/rapidast

2.12.1

30 Jul 08:48
57c189c

RapiDAST Bug Fixes

What's Changed

  • feat(scanner/generic): Remove strict mode from configuration (#403) by @ccronca in #404

Full Changelog: 2.12.0...2.12.1

2.12.0

24 Jun 10:22
1aba63f

RapiDAST Core Changes

  • SARIF Filtering for False Positives: A new feature called “Exclusions” has been implemented to filter SARIF findings using Common Expression Language (CEL) rules. More info can be found in the USER-GUIDE [#375]
  • Enhanced Scanner Configuration Validation: Configuration for ZAP, Generic, Garak, and Nessus scanners has been migrated to use dataclasses, improving validation. This is an ongoing effort as not all configurations are yet migrated. The configuration is now enforced, meaning invalid configurations will cause an early failure in the process [#368, #373, #372]
  • Improved Scanner Error Logging: Enhanced error logging with clearer, more readable messages for undefined scanners [#376]
  • Python Version Requirement Update: The documentation now states the requirement for Python ≥3.9. Previously, Python ≥3.6 was sufficient, but this is no longer the case [#381]
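The "Exclusions" feature above filters SARIF findings with CEL rules. The following Python is an added illustration, not RapiDAST's own code or its configuration format, of what such a post-scan filter has to do: apply every exclusion to every `result` in every run, drop only the matches, leave tool metadata and non-matching results intact, and keep a record of what was dropped. Exclusions are plain Python predicates here rather than CEL expressions; the SARIF document, the rule ids and the URIs are constructed for this example.

```python
"""Post-scan SARIF filtering: drop findings matched by exclusion rules.

Added illustration, not RapiDAST's code. RapiDAST 2.12.0 expresses
exclusions as CEL rules; here each exclusion is a plain Python predicate
over one SARIF `result` object, which is enough to show the mechanics.
"""
import copy
import json
from typing import Callable

Result = dict
Exclusion = Callable[[Result], bool]

# Constructed sample document (two runs, four findings); not real scan output.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [
        {
            "tool": {"driver": {"name": "ZAP"}},
            "results": [
                {"ruleId": "10038", "level": "warning",
                 "message": {"text": "Content Security Policy (CSP) Header Not Set"},
                 "locations": [{"physicalLocation": {"artifactLocation": {"uri": "https://app.example/healthz"}}}]},
                {"ruleId": "10038", "level": "warning",
                 "message": {"text": "Content Security Policy (CSP) Header Not Set"},
                 "locations": [{"physicalLocation": {"artifactLocation": {"uri": "https://app.example/api/search"}}}]},
                {"ruleId": "40018", "level": "error",
                 "message": {"text": "SQL Injection"},
                 "locations": [{"physicalLocation": {"artifactLocation": {"uri": "https://app.example/api/search"}}}]},
            ],
        },
        {
            "tool": {"driver": {"name": "Trivy"}},
            "results": [
                {"ruleId": "EXAMPLE-MISCONFIG-1", "level": "note",
                 "message": {"text": "constructed finding without a location"}},
            ],
        },
    ],
}


def result_uri(result: Result) -> str:
    """URI of the result's first location, or '' when it has none."""
    try:
        return result["locations"][0]["physicalLocation"]["artifactLocation"]["uri"]
    except (KeyError, IndexError, TypeError):
        return ""


# Hypothetical exclusions. Keep them narrow: match on rule *and* location so an
# accepted false positive on one endpoint does not hide the same rule firing
# elsewhere (the CSP finding on /api/search must survive).
EXCLUSIONS: list[Exclusion] = [
    # Missing CSP header on the unauthenticated health endpoint: accepted.
    lambda r: r.get("ruleId") == "10038" and result_uri(r).endswith("/healthz"),
]


def apply_exclusions(sarif: dict, exclusions: list[Exclusion]) -> tuple[dict, list[Result]]:
    """Return (filtered copy of sarif, list of results that were dropped).

    A result is dropped when any exclusion matches it; everything else in the
    document is left untouched, and the input itself is not modified.
    """
    out = copy.deepcopy(sarif)
    dropped: list[Result] = []
    for run in out.get("runs", []):
        kept = []
        for result in run.get("results", []):
            if any(exc(result) for exc in exclusions):
                dropped.append(result)
            else:
                kept.append(result)
        run["results"] = kept
    return out, dropped


def main() -> None:
    filtered, dropped = apply_exclusions(SAMPLE_SARIF, EXCLUSIONS)
    for r in dropped:
        print(f"excluded: rule {r.get('ruleId')} at {result_uri(r) or '<no location>'}")
    print(json.dumps(filtered, indent=2))


if __name__ == "__main__":
    main()
```

Keep the dropped list next to the filtered report: an exclusion that is too broad silently swallows real findings, and the only way to notice is to review what it removed.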

Scanners Changes

  • ZAP: upgraded to ZAP version 2.16.1. This upgrade was originally scheduled for release in version 2.11.0, but due to a bug the update was not successfully applied (#384)

RapiDAST Pipeline changes

  • Dependency Updates: Various updates to pre-commit hooks and other dependencies for improved development workflow and security [#380, #379, #263, #243, #288, #302, #262]
  • ZAP URL Exclusion Validation Test: Added an e2e test to validate ZAP's URL exclusion rules, confirming they prevent unwanted URLs in scan reports [#378]
  • Konflux Pipeline Rebuild Setting: Set rebuild=true in Konflux pipelines to ensure consistent builds [#374]
  • Renovate Configuration: Added renovate.json to configure Renovate for limiting open PRs and automerging minor updates in specific directories [#371]
  • Konflux Reference Updates: Updated Konflux references within .tekton/pipeline.yaml [#328]
  • RapiDAST LLM Image Tagging: Enabled tagging of the rapidast-llm image in the tagging workflow [#367]

2.11.0

28 May 04:22
6337c81

RapiDAST Core Changes

  • When googleCloudStorage is configured, all scan results are exported to Google Cloud Storage. A consolidated SARIF result is generated as well (#344, #345, #346, #349, #350, #353, #360)

Scanners Changes

  • ZAP: Fixed the issue that spiderAjax was not working in RapiDAST version 2.10.0 (#365)
  • ZAP: upgraded to ZAP version 2.16.1, with no add-ons updated by default (#361)

RapiDAST Pipeline changes

  • Increased CPU and memory resources for the ‘clair-scan’ and the ‘ecosystem-cert-preflight-checks’ tasks of the Tekton pipeline (#362, #363)
  • Updated actions/setup-python to v5 to leverage caching (#348)

Full Changelog: 2.10.0...2.11.0

2.10.0

21 Mar 13:03
c8aa366

Core Changes

  • Add gitlab example (#292)
  • Configuration Schema Validation (#293)
  • Add deprecation notice for the 'podman' mode which is expected to be deprecated in v2.12.0 (#299)

Scanners Changes

  • Trivy has been upgraded from version 0.49.1 to 0.59.0 (#290)
  • Support a new scanner for LLM scanning with config templates: Garak (#306, #310, #315, #316, #321)

Pipeline changes

  • Prefetching dependencies with Cachi2 for build and integration test (#285, #304, #308, #313)
  • Increase the memory limit for the Konflux preflight check task (#294)
  • Rename the preflight task from check-container to app-check (#297)
  • Add SAST checks to the pipeline: Coverity, ShellCheck, unicode check (#312)
  • Consolidate the PR and push pipelines (#320)
  • Integration test for LLM functionality (#325)

Full Changelog: 2.9.1...2.10.0

2.9.1

28 Jan 01:19
fefb91f

RapiDAST core changes:

  • Simplify container permissions (#274)
  • Set default container entrypoint (#275)
  • Replace Konflux’s deprecated provision-env-with-ephemeral-namespace task (#280, #281)
  • Fail container build if zap could not be downloaded (#282)

Scanners changes:

  • Oobtkube: fix to handle leaf keys in arrays (#276)
  • ZAP: import accepts types other than "url" (#269)
  • ZAP: Support replacer job (#273)
  • ZAP: update zap to 2.15.0 (#283)
  • ZAP: Make some options for browser authentication configurable (#284)

⚠️ Warning:

  • The default container entrypoint has been changed to rapidast.py; previously it was unset (#275)

    • Passing parameters to the container like rapidast.py --config config.yaml will now result in an error at startup, because the arguments are appended to the new entrypoint and rapidast.py ends up being passed twice
    • Setting the entrypoint of the container to rapidast.py --config config.yaml should still work
  • Environments that run the rapidast container with their own parameters (e.g. GitLab, Jenkins) may need to change the parameters they pass to the container, or override the entrypoint explicitly
  • Running the rapidast container in Kubernetes or OpenShift should not be affected, as the command field of the pod spec overrides the container's entrypoint
  • Running with podman/docker no longer requires setting parameters or an entrypoint (see the quickstart example)

v2.9.0

09 Dec 23:49
386fab1

RapiDAST core changes:

  • Store configurations in the results directory (#227, #233)

Scanners changes:

  • Nessus: new integration with SARIF conversion (#230, #259, #260, #265)
  • ZAP: Added error handling for when wrong scan policy name is configured (#266)
  • ZAP: Fixed typo when setting browserId in _setup_ajax_spider (#264)
  • ZAP: Added error handling for when no openapi config exists (#257)
  • ZAP: Improved startup time (#250)
  • ZAP: Switched from the Nashorn engine to Graal.js for executing the export-site-tree script (#234)
  • ZAP: Export the ZAP site tree as a JSON file (#229)
  • ZAP: Added error handling for when zap is not installed (#223)

v2.8.0

08 Oct 01:07
2107270

RapiDAST core changes:

  • added tls_verify_for_rapidast_downloads option (#217)
  • podman mode uses userns (#211)

Scanners changes:

  • AjaxSpider and activeScan accept any parameter for ZAP automation (#212)
  • updated Trivy scan template (#213)
  • Fixed duplication of 'rules' in SARIF output for Trivy (#216)

v2.7.0

06 Sep 08:00
edf46d9

RapiDAST core changes

  • Add a function to remove recursive ref in OpenAPI documents (#201)
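The recursive-reference helper above targets schemas such as a tree node whose `children` are nodes, which send any tool that inlines `$ref`s into an infinite loop. The following Python is an added illustration of one way to cut such cycles, not the project's own function: a depth-first walk over local `$ref` pointers that replaces every reference closing a cycle with the empty schema `{}` and reports the edges it removed, so that non-recursive references stay in place. The OpenAPI document is constructed for this example.

```python
"""Cut recursive $ref cycles in an OpenAPI document.

Added illustration, not RapiDAST's own helper. Only local references
("#/...") are handled; a $ref that points back to a schema currently being
expanded is replaced by {} (the unconstrained schema), which terminates any
downstream inliner. The document below is constructed for this example.
"""
import copy
from typing import Any

SAMPLE_OPENAPI = {
    "openapi": "3.0.3",
    "info": {"title": "constructed example", "version": "1"},
    "paths": {
        "/tree": {"get": {"responses": {"200": {
            "description": "ok",
            "content": {"application/json": {"schema": {"$ref": "#/components/schemas/Node"}}},
        }}}},
    },
    "components": {"schemas": {
        # Node -> Node (self-recursive) and Node -> User -> Node (indirect).
        "Node": {"type": "object", "properties": {
            "name": {"type": "string"},
            "children": {"type": "array", "items": {"$ref": "#/components/schemas/Node"}},
            "owner": {"$ref": "#/components/schemas/User"},
        }},
        "User": {"type": "object", "properties": {
            "login": {"type": "string"},
            "home": {"$ref": "#/components/schemas/Node"},
        }},
    }},
}


def resolve_local_ref(doc: dict, ref: str) -> Any:
    """Resolve a JSON Pointer of the form '#/a/b' inside doc."""
    if not ref.startswith("#/"):
        raise ValueError(f"only local references are supported: {ref}")
    node: Any = doc
    for part in ref[2:].split("/"):
        part = part.replace("~1", "/").replace("~0", "~")  # RFC 6901 unescape
        try:
            node = node[part]
        except (KeyError, TypeError) as exc:
            raise ValueError(f"dangling reference: {ref}") from exc
    return node


def cut_recursive_refs(doc: dict) -> tuple[dict, list[tuple[str, str]]]:
    """Return a copy of doc in which every cycle-closing $ref is replaced by {},
    plus the list of (referrer, target) edges that were cut. The input is not
    modified and non-recursive $refs are left as they are."""
    out = copy.deepcopy(doc)
    cut: list[tuple[str, str]] = []
    done: set = set()  # refs whose bodies have already been fully walked

    def walk(node: Any, stack: tuple) -> None:
        # `stack` holds the refs currently being expanded (the DFS path); a
        # $ref to one of them is a back-edge, i.e. a cycle.
        if isinstance(node, dict):
            ref = node.get("$ref")
            if isinstance(ref, str):
                if ref in stack:
                    cut.append((stack[-1], ref))
                    node.clear()  # {} accepts anything and ends the recursion
                elif ref not in done:
                    walk(resolve_local_ref(out, ref), stack + (ref,))
                    done.add(ref)
                return
            for value in node.values():
                walk(value, stack)
        elif isinstance(node, list):
            for value in node:
                walk(value, stack)

    walk(out, ())
    return out, cut


if __name__ == "__main__":
    _, edges = cut_recursive_refs(SAMPLE_OPENAPI)
    for referrer, target in edges:
        print(f"cut recursive reference {referrer} -> {target}")
```

Log the cut edges and check each one is a genuine recursion rather than a stray reference: replacing a `$ref` with `{}` also drops the constraints it carried, so the scanner will generate less structured input for that field.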

Scanners changes

  • ZAP: add HTTP Header authentication method (#203)
  • ZAP: add browser authentication method (#209)
  • ZAP: add warning in the ‘none’ container mode when there is little shared memory (#199)
  • ZAP: check pid limits for running AjaxSpider and warn/remove the limits (#200)
  • oobtkube: add INFO logs to show test progress (#202)
  • oobtkube: handle socket_timeout (#206)
  • oobtkube: suppress kube API errors unless debug logging (#204)
  • oobtkube: add a check for authentication to the Kubernetes cluster (#208)

v2.6.0

12 Jul 07:08
3ca484c

Features:

  • Store results in external storage (GCP) for asynchronous consumption

Fixes:

  • Fixed the ZAP path in the config template for macOS, which had changed because ZAP is no longer part of OWASP
  • Updated the default ZAP image URL to the latest one
  • [ZAP] The Ajax spider requires a lot of shared memory
  • Resolved a crawl failure specific to OpenShift environments

v2.5.1

16 Apr 22:46
c700680

v2.5.1 changes:

  • Fixed an issue that caused scans to fail in a certain scenario where a proxy is used
  • Fixed an issue where the Ajax spider fails in a Jenkins environment
  • Suppressed the oobtkube script's debug messages