Fix openapi

Author: jesusfcr

cmd/vulcan-zap/main.go

@@ -20,6 +20,7 @@ import (
 	"github.com/adevinta/vulcan-check-sdk/helpers/command"
 	checkstate "github.com/adevinta/vulcan-check-sdk/state"
 	report "github.com/adevinta/vulcan-report"
+	"github.com/sirupsen/logrus"
 )
 
 const (
@@ -70,8 +71,8 @@ jobs:
 {{ if .OpenapiUrl }}
 - type: openapi
   parameters:
-    apiUrl: {{ .OpenapiUrl }}
-    targetUrl: ""
+    apiUrl: "{{ .OpenapiUrl }}"
+    targetUrl: "{{ .OpenapiHost }}"
 {{ end }}
 - type: passiveScan-config
   parameters:
@@ -264,80 +265,85 @@ func main() {
 			return fmt.Errorf("unable to parse report: %v", err)
 		}
 
-		if len(r.Site) != 1 {
-			return fmt.Errorf("unexecpected site len in report %d", len(r.Site))
-		}
-
 		vulnerabilities := make(map[string]*report.Vulnerability)
 		vulnSummary2PluginID := make(map[string]string)
-		for _, a := range r.Site[0].Alerts {
-
-			cwe := 0
-			if a.Cweid != "-1" {
-				cwe, err = strconv.Atoi(a.Cweid)
-				if err != nil {
-					logger.Warnf("Wrong number Cweid %d", cwe)
-				}
+		for _, site := range r.Site {
+			logger.WithFields(logrus.Fields{
+				"site.host":       site.Host,
+				"site.num_alerts": len(site.Alerts)}).Info("alerts")
+			if !strings.Contains(target, site.Host) {
+				// This can happen i.e. when the openapi target url is other than the target.
+				// DOUBT: Filter? exclude?
+				logger.Warnf("Reporting alerts from an outside target %s %s", target, site.Host)
 			}
-			v := report.Vulnerability{
-				Summary:         a.Name,
-				Description:     trimP(a.Desc),
-				Details:         a.Otherinfo,
-				Recommendations: splitP(a.Solution),
-				References:      splitP(a.Reference),
-				Labels:          []string{"issue", "web", "zap", a.Pluginid}, // DOUBT: Added Pluginid as label.
-				CWEID:           uint32(cwe),
-				Score: func(risk string) float32 {
-					switch risk {
-					case "0":
-						return report.SeverityThresholdNone
-					case "1":
-						return report.SeverityThresholdLow
-					case "2":
-						return report.SeverityThresholdMedium
-					case "3":
-						return report.SeverityThresholdHigh
+			for _, a := range site.Alerts {
+
+				cwe := 0
+				if a.Cweid != "-1" {
+					cwe, err = strconv.Atoi(a.Cweid)
+					if err != nil {
+						logger.Warnf("Wrong number Cweid %d", cwe)
 					}
-					return float32(report.SeverityNone)
-				}(a.Riskcode),
-			}
+				}
+				v := report.Vulnerability{
+					Summary:         a.Name,
+					Description:     trimP(a.Desc),
+					Details:         a.Otherinfo,
+					Recommendations: splitP(a.Solution),
+					References:      splitP(a.Reference),
+					Labels:          []string{"issue", "web", "zap", a.Pluginid}, // DOUBT: Added Pluginid as label.
+					CWEID:           uint32(cwe),
+					Score: func(risk string) float32 {
+						switch risk {
+						case "0":
+							return report.SeverityThresholdNone
+						case "1":
+							return report.SeverityThresholdLow
+						case "2":
+							return report.SeverityThresholdMedium
+						case "3":
+							return report.SeverityThresholdHigh
+						}
+						return float32(report.SeverityNone)
+					}(a.Riskcode),
+				}
 
-			// DOUBT: Only the fist instance?
-			if len(a.Instances) > 0 {
-				i := a.Instances[0]
-				v.Resources = []report.ResourcesGroup{
-					{
-						Name: "Affected Requests",
-						Header: []string{
-							"Method",
-							"URL",
-							"Parameter",
-							"Attack",
-							"Evidence",
-						},
-						Rows: []map[string]string{
-							{
-								"Method":    i.Method,
-								"URL":       i.URI,
-								"Parameter": i.Param,
-								"Attack":    i.Attack,
-								"Evidence":  i.Evidence,
+				// DOUBT: Only the fist instance?
+				if len(a.Instances) > 0 {
+					i := a.Instances[0]
+					v.Resources = []report.ResourcesGroup{
+						{
+							Name: "Affected Requests",
+							Header: []string{
+								"Method",
+								"URL",
+								"Parameter",
+								"Attack",
+								"Evidence",
+							},
+							Rows: []map[string]string{
+								{
+									"Method":    i.Method,
+									"URL":       i.URI,
+									"Parameter": i.Param,
+									"Attack":    i.Attack,
+									"Evidence":  i.Evidence,
+								},
 							},
 						},
-					},
+					}
+				}
+				vulnSummary2PluginID[v.Summary] = a.Pluginid
+				if _, ok := vulnerabilities[v.Summary]; ok {
+					vulnerabilities[v.Summary].Resources[0].Rows = append(
+						vulnerabilities[v.Summary].Resources[0].Rows,
+						v.Resources[0].Rows...,
+					)
+				} else {
+					vulnerabilities[v.Summary] = &v
 				}
-			}
-			vulnSummary2PluginID[v.Summary] = a.Pluginid
-			if _, ok := vulnerabilities[v.Summary]; ok {
-				vulnerabilities[v.Summary].Resources[0].Rows = append(
-					vulnerabilities[v.Summary].Resources[0].Rows,
-					v.Resources[0].Rows...,
-				)
-			} else {
-				vulnerabilities[v.Summary] = &v
 			}
 		}
-
 		for _, v := range vulnerabilities {
 			// NOTE: Due to a signifcant number of false positive findings
 			// reported for low severity issues by ZAP, the MinScore option