v2.9.0

RapiDAST core changes:

• Store configurations in the results directory (#227, #233)

Scanners changes:

• Nessus: new integration with SARIF conversion (#230, #259, #260, #265)
• ZAP: Added error handling for when wrong scan policy name is configured (#266)
• ZAP: Fixed typo when setting browserId in _setup_ajax_spider (#264)
• ZAP: Added error handling for when no openapi config exists (#257)
• ZAP: Improved startup time (#250)
• ZAP: Switched from the Nashorn engine to Graal.js for executing the the export-site-tree script (#234)
• ZAP: Export the ZAP site tree as a JSON file (#229)
• ZAP: Added error handling for when zap is not installed (#223)

v2.8.0

RapiDAST core changes:

• added tls_verify_for_rapidast_downloads option (#217)
• podman mode uses userns (#211)

Scanners changes:

• AjaxSpider and activeScan accept any parameter for ZAP automation (#212)
• updated Trivy scan template (#213)
• Fixed duplication of 'rules' in SARIF output for Trivy (#216)

v2.7.0

RapiDAST core changes

• Add a function to remove recursive ref in OpenAPI documents (#201)

Scanners changes

• ZAP: add HTTP Header authentication method (#203)
• ZAP: add browser authentication method (#209)
• ZAP: add warning in the ‘none’ container mode when there is little shared memory (#199)
• ZAP: check pid limits for running AjaxSpider and warn/remove the limits (#200)
• oobtkube: add INFO logs to show test progress (#202)
• oobtkube: handle socket_timeout (#206)
• oobtkube: suppress kube API errors unless debug logging (#204)
• oobtkube: add a check for authentication to the Kubernetes cluster (#208)

v2.6.0

Features:

• Store results in external storage (GCP) for asynchronous consumption

Fixes:

• Fixed issue with ZAP path in the config template for MacOS due to ZAP no longer being part of OWASP
• Updated Zap default image URL to the latest one
• [ZAP] Ajax spider requires a lot of shared memory
• Resolved crawl failure issue specific to OpenShift environments

v2.5.1

v2.5.1 changes:

• Fixed an issue that fails scans where a proxy is used in a certain scenario
• Fixed an issue that Ajax spider fails in a Jenkins environment
• Submerged the oobtkube script’s debug messages

v2.5.0

v2.5.0 changes:

• Added Aqua Trivy which can scan cluster, workload and container images
• Added Trivy scan configuration template files
• Added a script to convert Trivy k8s scan result to SARIF for DefectDojo integration
• added Redocly which can resolve $ref in OpenAPI document
• The base directory for Helm scan has changed to ‘/opt/rapidast/results‘
• Upgraded ZAP to v2.14
• Updated README with instruction to help with handling large size OpenAPI documents

v2.4.0

v2.4.0 changes:

• An experimental generic scanner - oobtkube - has been added, which can scan Kubernetes Operators controller with a relevant CR config file input
• The default container.type mode has changed to 'none' from ‘podman’. Generic scanners can run on the ‘none’ container.type mode as well (previously only supported for the ‘podman’ mode)
• generic scanner results(in the SARIF format) now can be exported to Defect Dojo
• accepts report.format as string
• RapiDAST image size has been reduced by half thanks to @lunarwhite
• The directory path where the scan policy(scanPolicyXML) of the default Helm chart values.yaml file copies into has changed to /opt/rapidast/scanners/zap/policies/ in the RapiDAST image. This is to fix a permission error.
• Added error handling when apiUrl or apiFile is not specified

v2.3.0

RapiDAST core changes:

• Added Jenkins integration job examples
• RapiDAST now can run user-defined scanners and store their results. (container.type: podman mode only)
• Upgrade to ZAP 2.13.0 and include Firefox ESR for Ajax spidering in the RapiDAST container image
• new config templates with separate generic plugin
• rapidast-defaults.yaml can be used to set default options
• Fixed an OCI error on MacOS
• [DefectDojo integration] Handling timeout
• [DefectDojo integration] adding SSL verification management

ZAP scanning configuration related changes:

• added new active scan policies
• allow user to override default Java max heap
• add the option to optionally download schemas
• fixed a ZAP’s issue if the target URL does not end with ‘/’
• support to disable all passive scanner rules
• fixed an issue that passive scanner rule is not disabled in certain environments
• added overrideConfigs option
• Added ability to install specific addons
• Added preauth option to oauth2-rtoken authentication to help in a few environments

v2.2.1

RapiDAST v2.2.1 changes:

• Adds git package to rapidast image (now Containerfile.multiuser merged into Containerfile)
• Helm chart updated to be able to work with the new Containerfile
• Allows for a scanner to be run multiple times (good for run both authenticated and unauthenticated scans with a single config file)
• store zap.log file with the result files for better troubleshooting

v2.2.0

RapiDAST v2.2.0 changes:

• Fixed the issue that a missing OWASP DefectDojo config resulted in an error
• More support for running a scan with Podman on MacOS
• Be able to run a scan within the running pod (a sidecar pattern)
• Added ability to scan with a remote config file
• Added 'verbose log level with more error handlings to help troubleshooting
• Added containerfile for multiuser environment's use
• added workaround for OWASP ZAP 2.12.0 issue which deletes installed add-ons