Merge pull request #39 from GovindarajanL/framework-reporting

Framework reporting

Author: GovindarajanL

pom.xml

@@ -96,6 +96,18 @@
             <version>${junit.version}</version>
             <scope>test</scope>
         </dependency>
+        <!-- YAML Processing -->
+        <dependency>
+            <groupId>com.fasterxml.jackson.dataformat</groupId>
+            <artifactId>jackson-dataformat-yaml</artifactId>
+            <version>${jackson.version}</version>
+        </dependency>
+        <!-- JSON Processing -->
+        <dependency>
+            <groupId>com.fasterxml.jackson.core</groupId>
+            <artifactId>jackson-databind</artifactId>
+            <version>${jackson.version}</version>
+        </dependency>
     </dependencies>
 
     <build>

src/main/java/org/owasp/astf/core/Scanner.java

@@ -1,15 +1,20 @@
 package org.owasp.astf.core;
 
+import java.time.LocalDateTime;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Map;
+import java.util.concurrent.CompletableFuture;
+import java.util.concurrent.ConcurrentHashMap;
 import java.util.concurrent.ExecutorService;
 import java.util.concurrent.Executors;
 import java.util.concurrent.TimeUnit;
+import java.util.concurrent.atomic.AtomicInteger;
 
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import org.owasp.astf.core.config.ScanConfig;
+import org.owasp.astf.core.discovery.EndpointDiscoveryService;
 import org.owasp.astf.core.http.HttpClient;
 import org.owasp.astf.core.result.Finding;
 import org.owasp.astf.core.result.ScanResult;
@@ -19,126 +24,184 @@
 
 /**
  * The main scanner engine that orchestrates the API security testing process.
+ * This class is responsible for:
+ * <ul>
+ *   <li>Initializing and executing the scan based on configuration</li>
+ *   <li>Managing endpoint discovery or using provided endpoints</li>
+ *   <li>Coordinating test case execution across endpoints</li>
+ *   <li>Collecting and aggregating findings</li>
+ *   <li>Providing progress updates and metrics</li>
+ * </ul>
  */
 public class Scanner {
     private static final Logger logger = LogManager.getLogger(Scanner.class);
 
     private final ScanConfig config;
     private final HttpClient httpClient;
     private final TestCaseRegistry testCaseRegistry;
+    private final EndpointDiscoveryService discoveryService;
 
+    // Scan metrics and tracking
+    private final AtomicInteger completedTasks = new AtomicInteger(0);
+    private final AtomicInteger totalTasks = new AtomicInteger(0);
+    private final Map<Severity, AtomicInteger> findingsBySeverity = new ConcurrentHashMap<>();
+    private LocalDateTime scanStartTime;
+    private LocalDateTime scanEndTime;
+
+    /**
+     * Creates a new scanner with the specified configuration.
+     *
+     * @param config The scan configuration
+     */
     public Scanner(ScanConfig config) {
         this.config = config;
         this.httpClient = new HttpClient(config);
         this.testCaseRegistry = new TestCaseRegistry();
+        this.discoveryService = new EndpointDiscoveryService(config, httpClient);
+
+        // Initialize severity counters
+        for (Severity severity : Severity.values()) {
+            findingsBySeverity.put(severity, new AtomicInteger(0));
+        }
     }
 
     /**
      * Executes a full scan based on the provided configuration.
      *
-     * @return The scan results containing all findings.
+     * @return The scan results containing all findings
      */
     public ScanResult scan() {
-        logger.info("Starting API security scan for target: {}", config.getTargetUrl());
-
+        scanStartTime = LocalDateTime.now();
         List<Finding> findings = new ArrayList<>();
 
-        // Determine if we need to discover endpoints or use provided ones
-        List<EndpointInfo> endpoints = new ArrayList<>();
-        if (config.isDiscoveryEnabled() && config.getEndpoints().isEmpty()) {
-            endpoints = discoverEndpoints();
-        } else {
-            endpoints = config.getEndpoints();
-        }
+        try {
+            logger.info("Starting API security scan for target: {}", config.getTargetUrl());
+
+            // Determine if we need to discover endpoints or use provided ones
+            List<EndpointInfo> endpoints = new ArrayList<>();
+            if (config.isDiscoveryEnabled() && config.getEndpoints().isEmpty()) {
+                logger.info("No endpoints provided. Attempting endpoint discovery...");
+                endpoints = discoverEndpoints();
+            } else {
+                endpoints = config.getEndpoints();
+                logger.info("Using {} provided endpoints", endpoints.size());
+            }
+
+            if (endpoints.isEmpty()) {
+                logger.warn("No endpoints found to scan. Check target URL or provide endpoints manually.");
+                return createEmptyScanResult();
+            }
 
-        logger.info("Found {} endpoints to scan", endpoints.size());
-
-        // Get applicable test cases
-        List<TestCase> testCases = testCaseRegistry.getEnabledTestCases(config);
-        logger.info("Running {} test cases", testCases.size());
-
-        // Run test cases against endpoints
-        ExecutorService executor = Executors.newFixedThreadPool(config.getThreads());
-
-        for (EndpointInfo endpoint : endpoints) {
-            for (TestCase testCase : testCases) {
-                executor.submit(() -> {
-                    try {
-                        List<Finding> testFindings = testCase.execute(endpoint, httpClient);
-                        synchronized (findings) {
-                            findings.addAll(testFindings);
-                        }
-                    } catch (Exception e) {
-                        logger.error("Error executing test case {} on endpoint {}: {}",
-                                testCase.getId(), endpoint.getPath(), e.getMessage());
+            // Get applicable test cases
+            List<TestCase> testCases = testCaseRegistry.getEnabledTestCases(config);
+            logger.info("Running {} test cases against {} endpoints", testCases.size(), endpoints.size());
+
+            // Calculate total tasks for progress tracking
+            totalTasks.set(endpoints.size() * testCases.size());
+
+            // Run test cases against endpoints using virtual threads (Java 21)
+            try (ExecutorService executor = Executors.newVirtualThreadPerTaskExecutor()) {
+                List<CompletableFuture<Void>> futures = new ArrayList<>();
+
+                for (EndpointInfo endpoint : endpoints) {
+                    for (TestCase testCase : testCases) {
+                        CompletableFuture<Void> future = CompletableFuture.runAsync(() -> {
+                            try {
+                                logger.debug("Executing {} on {}", testCase.getId(), endpoint);
+                                List<Finding> testFindings = testCase.execute(endpoint, httpClient);
+
+                                if (!testFindings.isEmpty()) {
+                                    synchronized (findings) {
+                                        findings.addAll(testFindings);
+
+                                        // Update severity counters
+                                        for (Finding finding : testFindings) {
+                                            findingsBySeverity.get(finding.getSeverity()).incrementAndGet();
+                                        }
+                                    }
+
+                                    logger.debug("Found {} issues with {} on {}",
+                                            testFindings.size(), testCase.getId(), endpoint);
+                                }
+                            } catch (Exception e) {
+                                logger.error("Error executing test case {} on endpoint {}: {}",
+                                        testCase.getId(), endpoint.getPath(), e.getMessage());
+                                logger.debug("Exception details:", e);
+                            } finally {
+                                // Update progress
+                                int completed = completedTasks.incrementAndGet();
+                                if (completed % 10 == 0 || completed == totalTasks.get()) {
+                                    logProgress();
+                                }
+                            }
+                        }, executor);
+
+                        futures.add(future);
                     }
-                });
+                }
+
+                // Wait for all tasks to complete or timeout
+                CompletableFuture.allOf(futures.toArray(new CompletableFuture[0]))
+                        .orTimeout(config.getTimeoutMinutes(), TimeUnit.MINUTES)
+                        .exceptionally(ex -> {
+                            logger.warn("Scan interrupted or timed out before completion: {}", ex.getMessage());
+                            return null;
+                        })
+                        .join();
             }
-        }
 
-        executor.shutdown();
-        try {
-            executor.awaitTermination(config.getTimeoutMinutes(), TimeUnit.MINUTES);
-        } catch (InterruptedException e) {
-            logger.warn("Scan interrupted before completion");
-            Thread.currentThread().interrupt();
+            logger.info("Scan completed. Found {} issues: {} critical, {} high, {} medium, {} low, {} info",
+                    findings.size(),
+                    findingsBySeverity.get(Severity.CRITICAL).get(),
+                    findingsBySeverity.get(Severity.HIGH).get(),
+                    findingsBySeverity.get(Severity.MEDIUM).get(),
+                    findingsBySeverity.get(Severity.LOW).get(),
+                    findingsBySeverity.get(Severity.INFO).get());
+
+        } catch (Exception e) {
+            logger.error("Unhandled exception during scan: {}", e.getMessage());
+            logger.debug("Exception details:", e);
         }
 
+        scanEndTime = LocalDateTime.now();
         ScanResult result = new ScanResult(config.getTargetUrl(), findings);
-        logger.info("Scan completed. Found {} issues: {} high, {} medium, {} low severity",
-                findings.size(),
-                findings.stream().filter(f -> f.getSeverity() == Severity.HIGH).count(),
-                findings.stream().filter(f -> f.getSeverity() == Severity.MEDIUM).count(),
-                findings.stream().filter(f -> f.getSeverity() == Severity.LOW).count());
+        result.setScanStartTime(scanStartTime);
+        result.setScanEndTime(scanEndTime);
 
         return result;
     }
 
     /**
      * Attempts to discover API endpoints for the target.
-     * This is a basic implementation that uses common paths and OpenAPI detection.
      *
      * @return A list of discovered endpoints
      */
     private List<EndpointInfo> discoverEndpoints() {
-        logger.info("Attempting to discover API endpoints");
-        List<EndpointInfo> endpoints = new ArrayList<>();
-
-        // Try to find OpenAPI/Swagger specification
-        List<String> specPaths = List.of(
-                "/swagger/v1/swagger.json",
-                "/swagger.json",
-                "/api-docs",
-                "/v2/api-docs",
-                "/v3/api-docs",
-                "/openapi.json"
-        );
-
-        for (String path : specPaths) {
-            try {
-                String url = config.getTargetUrl() + path;
-                String response = httpClient.get(url, Map.of());
-
-                if (response != null && !response.isEmpty()) {
-                    logger.info("Found potential API specification at: {}", url);
-                    // TODO: Parse OpenAPI spec and extract endpoints
-                    break;
-                }
-            } catch (Exception e) {
-                // Continue with next path
-            }
-        }
+        return discoveryService.discoverEndpoints();
+    }
 
-        // If no endpoints were found through specifications, return some common ones for testing
-        if (endpoints.isEmpty()) {
-            logger.info("No API spec found, using common paths for testing");
-            endpoints.add(new EndpointInfo("/api/v1/users", "GET"));
-            endpoints.add(new EndpointInfo("/api/v1/users", "POST"));
-            endpoints.add(new EndpointInfo("/api/v1/users/{id}", "GET"));
-            endpoints.add(new EndpointInfo("/api/v1/auth/login", "POST"));
-            endpoints.add(new EndpointInfo("/api/v1/products", "GET"));
-        }
+    /**
+     * Logs the current progress of the scan.
+     */
+    private void logProgress() {
+        int completed = completedTasks.get();
+        int total = totalTasks.get();
+        double percentComplete = (double) completed / total * 100;
+
+        logger.info("Scan progress: {}% ({}/{} tasks completed)",
+                String.format("%.1f", percentComplete), completed, total);
+    }
 
-        return endpoints;
+    /**
+     * Creates an empty scan result when no endpoints are found.
+     *
+     * @return An empty scan result
+     */
+    private ScanResult createEmptyScanResult() {
+        scanEndTime = LocalDateTime.now();
+        ScanResult result = new ScanResult(config.getTargetUrl(), List.of());
+        result.setScanStartTime(scanStartTime);
+        result.setScanEndTime(scanEndTime);
+        return result;
     }
 }