feat(engine_dast): new dast scanning engine.

.gitignore

@@ -50,4 +50,7 @@ jf.exe
 target
 dependencies_to_scan
 node_modules
-DevSecOps_Remote_Config
+DevSecOps_Remote_Config
+/azp
+result_dast_scan.json
+/customized-nuclei-templates

tools/devsecops_engine_tools/engine_core/src/applications/runner_engine_core.py

@@ -76,6 +76,7 @@ def get_inputs_from_cli(args):
     parser.add_argument("--token_vulnerability_management", required=False, help="Token to connect to the Vulnerability Management")
     parser.add_argument("--token_engine_container", required=False, help="Token to execute engine_container if is necessary")
     parser.add_argument("--token_engine_dependencies", required=False, help="Token to execute engine_dependencies if is necessary")
+    parser.add_argument("--dast_file_path", required=False, help="Engine DAST path file")
     args = parser.parse_args()
     return {
         "platform_devops": args.platform_devops,
@@ -90,6 +91,7 @@ def get_inputs_from_cli(args):
         "token_vulnerability_management": args.token_vulnerability_management,
         "token_engine_container": args.token_engine_container,
         "token_engine_dependencies": args.token_engine_dependencies,
+        "dast_file_path": args.dast_file_path
     }
 
 def application_core():

tools/devsecops_engine_tools/engine_core/src/domain/usecases/handle_scan.py

@@ -26,10 +26,12 @@
 from devsecops_engine_tools.engine_sca.engine_dependencies.src.applications.runner_dependencies_scan import (
     runner_engine_dependencies,
 )
+from devsecops_engine_tools.engine_dast.src.applications.runner_dast_scan import (
+    runner_engine_dast
+)
 from devsecops_engine_tools.engine_core.src.infrastructure.helpers.util import (
     define_env,
 )
-
 from devsecops_engine_tools.engine_utilities.utils.logger_info import MyLogger
 from devsecops_engine_tools.engine_utilities import settings
 
@@ -121,7 +123,13 @@ def process(self, dict_args: any, config_tool: any):
                 )
             return findings_list, input_core
         elif "engine_dast" in dict_args["tool"]:
-            print(MESSAGE_ENABLED)
+            findings_list, input_core = runner_engine_dast(
+                dict_args,
+                config_tool,
+                secret_tool,
+                self.devops_platform_gateway
+            )
+            return findings_list, input_core
         elif "engine_secret" in dict_args["tool"]:
             findings_list, input_core = runner_secret_scan(
                 dict_args,

tools/devsecops_engine_tools/engine_dast/src/applications/runner_dast_scan.py

@@ -0,0 +1,93 @@
+import json
+from typing import List
+from devsecops_engine_tools.engine_dast.src.infrastructure.entry_points.entry_point_dast import (
+    init_engine_dast,
+)
+from devsecops_engine_tools.engine_dast.src.infrastructure.driven_adapters.nuclei.nuclei_tool import (
+    NucleiTool,
+)
+from devsecops_engine_tools.engine_dast.src.infrastructure.driven_adapters.jwt.jwt_object import (
+    JwtObject,
+)
+from devsecops_engine_tools.engine_dast.src.infrastructure.driven_adapters.jwt.jwt_tool import (
+    JwtTool,
+)
+from devsecops_engine_tools.engine_dast.src.infrastructure.driven_adapters.oauth.generic_oauth import (
+    GenericOauth,
+)
+from devsecops_engine_tools.engine_dast.src.infrastructure.driven_adapters.http.client.auth_client import (
+    AuthClientCredential,
+)
+from devsecops_engine_tools.engine_dast.src.domain.model.api_config import (
+    ApiConfig
+)
+from devsecops_engine_tools.engine_dast.src.domain.model.api_operation import (
+    ApiOperation
+)
+
+
+def runner_engine_dast(dict_args, config_tool, secret_tool, devops_platform):
+    try:
+        # Define driven adapters
+        # Initialize variables
+        devops_platform_gateway = devops_platform
+        extra_tools = []
+        target_config = None
+
+        # Filling operations list with adapters
+        with open(dict_args["dast_file_path"], 'r') as dast_file:
+            data = json.load(dast_file)
+            if "operations" in data: # Api
+                operations: List = []
+                for elem in data["operations"]:
+                    security_type = elem["operation"]["security_auth"]["type"].lower()
+                    if security_type == "jwt":
+                        operations.append(
+                            ApiOperation(
+                                elem,
+                                JwtObject(
+                                    elem["operation"]["security_auth"]
+                        )))
+                    elif security_type == "oauth":
+                        operations.append(
+                            ApiOperation(
+                                elem,
+                                GenericOauth(
+                                    elem["operation"]["security_auth"]
+                                )
+                            )
+                        )
+                    else:
+                        operations.append(
+                            ApiOperation(
+                                elem,
+                                AuthClientCredential(
+                                    elem["operation"]["security_auth"]
+                                )
+                            )
+                        )
+                data["operations"] = operations
+                target_config = ApiConfig(data)
+            else: # Web Application
+                pass
+
+
+        if config_tool["ENGINE_DAST"]["TOOL"].lower() == "nuclei": # tool_gateway is the main Tool
+            tool_run = NucleiTool()
+
+        if any((k.lower() == "jwt") for k in config_tool["ENGINE_DAST"]["EXTRA_TOOLS"]) and \
+        any(isinstance(o.authentication_gateway, JwtObject) for o in data["operations"] ):
+            extra_tools.append(JwtTool(target_config))
+
+        return init_engine_dast(
+            devops_platform_gateway=devops_platform_gateway,
+            tool_gateway=tool_run,
+            dict_args=dict_args,
+            secret_tool=secret_tool,
+            config_tool=config_tool,
+            extra_tools=extra_tools,
+            target_data=target_config
+        )
+
+    except KeyError as e:
+        raise KeyError(f"Error accessing the key in runner engine dast: {str(e)}")

tools/devsecops_engine_tools/engine_dast/src/domain/model/api_config.py

@@ -0,0 +1,12 @@
+from typing import List
+from devsecops_engine_tools.engine_dast.src.domain.model.api_operation import ApiOperation
+
+class ApiConfig():
+    def __init__(self, api_data: dict):
+        try:
+            self.target_type: str = "API"
+            self.endpoint: str = api_data["endpoint"]
+            self.rate_limit: str = api_data.get("rate_limit")
+            self.operations: "List[ApiOperation]" = api_data["operations"]
+        except KeyError:
+            raise KeyError("Configuración faltante, validar endpoint y  acda uno de los operations")

tools/devsecops_engine_tools/engine_dast/src/domain/model/api_operation.py

@@ -0,0 +1,10 @@
+class ApiOperation():
+    def __init__(self, operation, authentication_gateway):
+        self.authentication_gateway = authentication_gateway
+        self.data = operation
+        self.credentials = ("auth_header", "token")
+
+    def authenticate(self):
+        self.credentials = self.authentication_gateway.get_credentials()
+        if self.credentials is not None:
+            self.data["headers"][self.credentials[0]] = self.credentials[1]

tools/devsecops_engine_tools/engine_dast/src/domain/model/config_tool.py

@@ -0,0 +1,25 @@
+from devsecops_engine_tools.engine_core.src.domain.model.threshold import Threshold
+
+
+class ConfigTool:
+    def __init__(self, json_data, tool):
+        self.version = json_data[tool]["VERSION"]
+        self.exclusions_path = json_data[tool]["EXCLUSIONS_PATH"]
+        self.use_external_checks_git = json_data[tool]["USE_EXTERNAL_CHECKS_GIT"]
+        self.external_checks_git = json_data[tool]["EXTERNAL_CHECKS_GIT"]
+        self.repository_ssh_host = json_data[tool]["EXTERNAL_GIT_SSH_HOST"]
+        self.repository_public_key_fp = json_data[tool][
+            "EXTERNAL_GIT_PUBLIC_KEY_FINGERPRINT"
+        ]
+        self.use_external_checks_dir = json_data[tool]["USE_EXTERNAL_CHECKS_DIR"]
+        self.external_dir_owner = json_data[tool]["EXTERNAL_DIR_OWNER"]
+        self.external_dir_repository = json_data[tool]["EXTERNAL_DIR_REPOSITORY"]
+        self.external_asset_name = json_data[tool]["EXTERNAL_DIR_ASSET_NAME"]
+        self.message_info_dast = json_data[tool]["MESSAGE_INFO_DAST"]
+        self.threshold = Threshold(json_data[tool]["THRESHOLD"])
+        self.rules_data_type = json_data[tool]["RULES"]
+        self.scope_pipeline = ""
+        self.exclusions = None
+        self.exclusions_all = None
+        self.exclusions_scope = None
+        self.rules_all = {}

tools/devsecops_engine_tools/engine_dast/src/domain/model/gateways/authentication_method.py

@@ -0,0 +1,7 @@
+from abc import ABCMeta, abstractmethod
+
+
+class AuthenticationGateway(metaclass=ABCMeta):
+    @abstractmethod
+    def get_credentials(self) -> dict:
+        "get_credentials"

tools/devsecops_engine_tools/engine_dast/src/domain/model/gateways/devops_platform_gateway.py

@@ -0,0 +1,11 @@
+from abc import ABCMeta, abstractmethod
+
+
+class DevopsPlatformGateway(metaclass=ABCMeta):
+    @abstractmethod
+    def get_remote_config(self, remote_config_repo, remote_config_path_file) -> dict:
+        "get_remote_config"
+
+    @abstractmethod
+    def get_variable(self, variable):
+        "get_variable"

tools/devsecops_engine_tools/engine_dast/src/domain/model/gateways/remote_config_gateway.py

@@ -0,0 +1,9 @@
+from abc import ABCMeta, abstractmethod
+
+
+class RemoteConfigGateway(metaclass=ABCMeta):
+    @abstractmethod
+    def get_remote_json_config(
+        self, remote_config_repo, remote_config_path_file
+    ) -> dict:
+        "remote config"

tools/devsecops_engine_tools/engine_dast/src/domain/model/gateways/token_technology.py

@@ -0,0 +1,11 @@
+from dataclasses import dataclass
+from abc import ABCMeta, abstractmethod
+
+
+@dataclass
+class Token(metaclass=ABCMeta):
+    token: str
+
+    @abstractmethod
+    def get_token(self):
+        "return_token"

tools/devsecops_engine_tools/engine_dast/src/domain/model/gateways/tool_gateway.py

@@ -0,0 +1,9 @@
+from abc import ABCMeta, abstractmethod
+
+
+class ToolGateway(metaclass=ABCMeta):
+    @abstractmethod
+    def run_tool(
+        self, init_config_tool, exclusions, environment, pipeline, secret_tool
+    ) -> str:
+        "run_tool"

tools/devsecops_engine_tools/engine_dast/src/domain/model/security_auth.py

@@ -0,0 +1,3 @@
+class SecurityAuth():
+    def __init__(self, authentication_gateway):
+        print()

tools/devsecops_engine_tools/engine_dast/src/domain/model/wa_config.py

@@ -0,0 +1,5 @@
+class WaConfig:
+    def __init__(self, data: dict):
+        self.target_type: str = "WA"
+        self.url: str = data["endpoint"]
+        self.data: dict = data.wa_data

tools/devsecops_engine_tools/engine_dast/src/domain/usecases/dast_scan.py

@@ -0,0 +1,121 @@
+from typing import (
+    List, Tuple, Any
+)
+from devsecops_engine_tools.engine_dast.src.domain.model.gateways.tool_gateway import (
+    ToolGateway,
+)
+from devsecops_engine_tools.engine_dast.src.domain.model.gateways.devops_platform_gateway import (
+    DevopsPlatformGateway,
+)
+from devsecops_engine_tools.engine_core.src.domain.model.input_core import (
+    InputCore,
+)
+from devsecops_engine_tools.engine_core.src.domain.model.exclusions import (
+    Exclusions,
+)
+from devsecops_engine_tools.engine_dast.src.domain.model.config_tool import (
+    ConfigTool,
+)
+
+class DastScan:
+    def __init__(
+        self,
+        tool_gateway: ToolGateway,
+        devops_platform_gateway: DevopsPlatformGateway,
+        data_target,
+        aditional_tools: "List[ToolGateway]"
+    ):
+        self.tool_gateway = tool_gateway
+        self.devops_platform_gateway = devops_platform_gateway
+        self.data_target = data_target
+        self.other_tools = aditional_tools
+
+    def complete_config_tool(
+        self, data_file_tool, exclusions, tool
+    ) -> "Tuple[ConfigTool, Any]":
+        config_tool = ConfigTool(
+            json_data=data_file_tool,
+            tool=tool,
+        )
+
+        config_tool.exclusions = exclusions
+        config_tool.scope_pipeline = self.devops_platform_gateway.get_variable(
+            "pipeline_name"
+        )
+
+        if config_tool.exclusions.get("All") is not None:
+            config_tool.exclusions_all = config_tool.exclusions.get("All").get(
+                tool
+            )
+        if config_tool.exclusions.get(config_tool.scope_pipeline) is not None:
+            config_tool.exclusions_scope = config_tool.exclusions.get(
+                config_tool.scope_pipeline
+            ).get(config_tool)
+
+        data_target_config = self.data_target
+        return config_tool, data_target_config
+
+    def process(
+        self, dict_args, secret_tool, config_tool
+    ) -> "Tuple[List, InputCore]":
+        init_config_tool = self.devops_platform_gateway.get_remote_config(
+            dict_args["remote_config_repo"], "engine_dast/configTool.json"
+        )
+
+        exclusions = self.devops_platform_gateway.get_remote_config(
+            dict_args["remote_config_repo"],
+            "engine_dast/Exclusions.json"
+         )
+
+
+        config_tool, data_target = self.complete_config_tool(
+            data_file_tool=init_config_tool,
+            exclusions=exclusions,
+            tool=config_tool["ENGINE_DAST"]["TOOL"],
+        )
+
+        finding_list, path_file_results = self.tool_gateway.run_tool(
+            target_data=data_target,
+            config_tool=config_tool,
+            secret_tool=secret_tool,
+        )
+        #Here exceute other tools and append to finding list
+        if len(self.other_tools) > 0:
+            extra_finding_list = self.other_tools[0].run_tool(
+                target_data=data_target,
+                config_tool=config_tool
+            )
+            if len(extra_finding_list) > 0:
+                finding_list.extend(extra_finding_list)
+
+        totalized_exclusions = []
+        (
+            totalized_exclusions.extend(
+                map(
+                    lambda elem: Exclusions(**elem), config_tool.exclusions_all
+                )
+            )
+            if config_tool.exclusions_all is not None
+            else None
+        )
+        (
+            totalized_exclusions.extend(
+                map(
+                    lambda elem: Exclusions(**elem),
+                    config_tool.exclusions_scope,
+                )
+            )
+            if config_tool.exclusions_scope is not None
+            else None
+        )
+
+        input_core = InputCore(
+            totalized_exclusions=totalized_exclusions,
+            threshold_defined=config_tool.threshold,
+            path_file_results=path_file_results,
+            custom_message_break_build=config_tool.message_info_dast,
+            scope_pipeline=config_tool.scope_pipeline,
+            stage_pipeline="Release",
+        )
+
+        return finding_list, input_core