add ToC handling to release pipeline

jgadsden · web-flow · commit a2a0667d41b3 · 2024-09-28T10:44:26.000+01:00
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -145,6 +145,11 @@ jobs:
           find release -name "*.md" -exec sed -i ':a; /^\n*$/{ s/\n//; N;  ba};' {} +
           find release -name "*.md" -exec sed -i '${/^$/d;}' {} +
 
+      - name: Fix up ToC sidebar
+        run: |
+          cp  _data/draft.yaml _data/release.yaml
+          sed -i "s/^docs_list_title.*/docs_list_title: Developer Guide/" _data/release.yaml
+
       - name: Retrieve pdfs and epubs
         uses: actions/download-artifact@v4.1.7
         with:
diff --git a/_data/draft.yaml b/_data/draft.yaml
@@ -163,7 +163,7 @@ docs:
 - title: '6.2 Tools'
   url: verification/tools
 
-- title: '6.2.1 DAST'
+- title: '6.2.1 DAST tools'
   url: verification/tools/dast
 
 - title: '6.2.2 Amass'
diff --git a/_data/release-pt-br.yaml b/_data/release-pt-br.yaml
@@ -190,8 +190,8 @@ docs:
 - title: '6.2 Tools'
   url: verification/tools
 
-- title: '6.2.1 Zed Attack Proxy'
-  url: verification/tools/zed_attack_proxy
+- title: '6.2.1 DAST tools'
+  url: verification/tools/dast
 
 - title: '6.2.2 Amass'
   url: verification/tools/amass
diff --git a/_data/release.yaml b/_data/release.yaml
@@ -163,8 +163,8 @@ docs:
 - title: '6.2 Tools'
   url: verification/tools
 
-- title: '6.2.1 Zed Attack Proxy'
-  url: verification/tools/zed_attack_proxy
+- title: '6.2.1 DAST tools'
+  url: verification/tools/dast
 
 - title: '6.2.2 Amass'
   url: verification/tools/amass
diff --git a/draft/02-toc.md b/draft/02-toc.md
@@ -73,7 +73,7 @@ permalink:
 6.1.2 [MAS Testing Guide](#mas-testing-guide)  
 6.1.3 [Application Security Verification Standard](#application-security-verification-standard)  
 6.2 [Tools](#verification-tools)  
-6.2.1 [DAST](#dast)  
+6.2.1 [DAST tools](#dast-tools)  
 6.2.2 [Amass](#amass)  
 6.2.3 [Offensive Web Testing Framework](#offensive-web-testing-framework)  
 6.2.4 [Nettacker](#nettacker)  
diff --git a/draft/05-requirements/03-opencre.md b/draft/05-requirements/03-opencre.md
@@ -48,7 +48,7 @@ This provides an overview of tools and techniques used for most SDLCs.
 * OWASP [Proactive Controls][proactiveocre]
 * OWASP [Cheat Sheets][csocre]
 * OWASP [WSTG][wstgocre]
-* [ZAP][zapocre] from [Crash Override][crash]
+* [ZAP][zapocre]
 
 The aim of this project is to 'Link all the things with OpenCRE' which will:
 
@@ -105,7 +105,6 @@ then [submit an issue][issue0503] or [edit on GitHub][edit0503].
 
 [asvs]: https://owasp.org/www-project-application-security-verification-standard/
 [capecocre]: https://opencre.org/search/CAPEC
-[crash]: https://crashoverride.com/
 [csocre]: https://opencre.org/search/OWASP%20Cheat%20Sheets
 [cweocre]: https://opencre.org/search/CWE
 [cwe]: https://cwe.mitre.org/
diff --git a/draft/08-verification/00-toc.md b/draft/08-verification/00-toc.md
@@ -44,7 +44,7 @@ Sections:
 6.1.2 [MAS Testing Guide](#mas-testing-guide)  
 6.1.3 [Application Security Verification Standard](#application-security-verification-standard)  
 6.2 [Tools](#verification-tools)  
-6.2.1 [DAST](#dast)  
+6.2.1 [DAST tools](#dast-tools)  
 6.2.2 [Amass](#amass)  
 6.2.3 [Offensive Web Testing Framework](#offensive-web-testing-framework)  
 6.2.4 [Nettacker](#nettacker)  
diff --git a/draft/08-verification/02-tools/00-toc.md b/draft/08-verification/02-tools/00-toc.md
@@ -27,7 +27,7 @@ whereas manual security testing of high-risk components requires good knowledge
 
 Sections:
 
-6.2.1 [DAST](#dast)  
+6.2.1 [DAST tools](#dast-tools)  
 6.2.2 [Amass](#amass)  
 6.2.3 [Offensive Web Testing Framework](#offensive-web-testing-framework)  
 6.2.4 [Nettacker](#nettacker)  
diff --git a/draft/08-verification/02-tools/01-dast.md b/draft/08-verification/02-tools/01-dast.md
@@ -3,10 +3,10 @@
 title: DAST
 layout: col-document
 tags: OWASP Developer Guide
-contributors: Jon Gadsden, Johan Sydseter
+contributors: Johan Sydseter, Jon Gadsden
 document: OWASP Developer Guide
-order: 821
-permalink: /draft/verification/tools/dast/
+order: 8210
+permalink: /release/verification/tools/dast/
 
 ---
 
@@ -37,9 +37,10 @@ by actually performing attacks.
 
 #### Different DAST tools
 
-The OWASP Community projects contains a [list of DAST tools][dast] can be used to conduct DAST. All of these tools have
-their own strengths and weaknesses. If you are interested in the effectiveness of DAST tools, check out the
-[OWASP Benchmark][benchmark] project, which attempts to scientifically measure the effectiveness of all types of
+The OWASP Community projects contains a [list of DAST tools][dast] that can be used to conduct DAST.
+All of these tools have their own strengths and weaknesses.
+If you are interested in the effectiveness of DAST tools, check out the [OWASP Benchmark][benchmark] project,
+which attempts to scientifically measure the effectiveness of all types of
 vulnerability detection tools, including DAST.
 
 #### Why use it?
diff --git a/draft/08-verification/02-tools/toc.md b/draft/08-verification/02-tools/toc.md
@@ -38,7 +38,7 @@ whereas manual security testing of high-risk components requires good knowledge
 
 Sections:
 
-6.2.1 [DAST](01-dast.md)  
+6.2.1 [DAST tools](01-dast.md)  
 6.2.2 [Amass](02-amass.md)  
 6.2.3 [Offensive Web Testing Framework](03-owtf.md)  
 6.2.4 [Nettacker](04-nettacker.md)  
diff --git a/draft/08-verification/03-frameworks/01-secure-codebox.md b/draft/08-verification/03-frameworks/01-secure-codebox.md
@@ -62,7 +62,7 @@ OWASP secureCodeBox orchestrates a range of security-testing tools in various do
   * Nikto web server vulnerability scanner
   * Nuclei template based vulnerability scanner.
   * Screenshooter takes screenshots of websites
-  * ZAP and ZAP Advanced web application & OpenAPI vulnerability scanner extend with authentication features
+  * ZAP Advanced web application & OpenAPI vulnerability scanner
 
 Other tools may be added over time.
 
diff --git a/draft/08-verification/toc.md b/draft/08-verification/toc.md
@@ -55,7 +55,7 @@ Sections:
 6.1.2 [MAS Testing Guide](01-guides/02-mastg.md)  
 6.1.3 [Application Security Verification Standard](01-guides/03-asvs.md)  
 6.2 [Tools](02-tools/toc.md)  
-6.2.1 [DAST](02-tools/01-dast.md)  
+6.2.1 [DAST tools](02-tools/01-dast.md)  
 6.2.2 [Amass](02-tools/02-amass.md)  
 6.2.3 [Offensive Web Testing Framework](02-tools/03-owtf.md)  
 6.2.4 [Nettacker](02-tools/04-nettacker.md)  
diff --git a/draft/09-training-education/01-vulnerable-apps/02-webgoat.md b/draft/09-training-education/01-vulnerable-apps/02-webgoat.md
@@ -28,7 +28,7 @@ permalink: /draft/training_education/vulnerable_applications/webgoat/
 
 The OWASP [WebGoat][webgoat] project is a deliberately insecure web application that can be
 used to attack common application vulnerabilities in a safe environment.
-It can also be used to exercise application security tools, such as [ZAP][zap], to practice
+It can also be used to exercise application security tools to practice
 scanning and identifying the various vulnerabilities built into WebGoat.
 
 WebGoat is a well established OWASP project and achieved Lab Project status many years ago.
@@ -105,7 +105,7 @@ WebWolf provides:
 
 Try all the WebGoat lessons, they will certainly inform and educate.
 Use WebGoat in demonstrations of your favourite attack chains.
-Exercise Zap and Burp Suite against WebGoat, or other attack tools you have with you.
+Exercise available attack tools against WebGoat.
 
 Try out the WebGoat desktop environment by running `docker run -p 127.0.0.1:3000:3000 webgoat/webgoat-desktop`
 and navigating to `http://localhost:3000/`.
@@ -116,7 +116,6 @@ There are various ways of configuring WebGoat, see the [github repo][goatgithub]
 
 * OWASP [WebGoat][webgoat] and WebWolf
 * [Docker][dockerinstall]
-* [ZAP][zap]
 
 ----
 
@@ -130,6 +129,5 @@ then [submit an issue][issue090102] or [edit on GitHub][edit090102].
 [edit090102]: https://github.com/OWASP/www-project-developer-guide/blob/main/draft/09-training-education/01-vulnerable-apps/02-webgoat.md
 [issue090102]: https://github.com/OWASP/www-project-developer-guide/issues/new?labels=enhancement&template=request.md&title=Update:%2009-training-education/01-vulnerable-apps/02-webgoat
 [webgoat]: https://owasp.org/www-project-webgoat/
-[zap]: https://www.zaproxy.org/
 
 \newpage
diff --git a/draft/toc.md b/draft/toc.md
@@ -79,7 +79,7 @@ This draft version has the latest contributions to the Developer Guide so expect
 6.1.2 [MAS Testing Guide](08-verification/01-guides/02-mastg.md)  
 6.1.3 [Application Security Verification Standard](08-verification/01-guides/03-asvs.md)  
 6.2 [Tools](08-verification/02-tools/toc.md)  
-6.2.1 [DAST](08-verification/02-tools/01-dast.md)  
+6.2.1 [DAST tools](08-verification/02-tools/01-dast.md)  
 6.2.2 [Amass](08-verification/02-tools/02-amass.md)  
 6.2.3 [Offensive Web Testing Framework](08-verification/02-tools/03-owtf.md)  
 6.2.4 [Nettacker](08-verification/02-tools/04-nettacker.md)  
diff --git a/release-pt-br/02-toc.md b/release-pt-br/02-toc.md
@@ -73,7 +73,7 @@ permalink:
 6.1.2 [MAS Testing Guide](#mas-testing-guide)  
 6.1.3 [Application Security Verification Standard](#application-security-verification-standard)  
 6.2 [Tools](#verification-tools)  
-6.2.1 [Zed Attack Proxy](#zed-attack-proxy)  
+6.2.1 [DAST tools](#dast-tools)  
 6.2.2 [Amass](#amass)  
 6.2.3 [Offensive Web Testing Framework](#offensive-web-testing-framework)  
 6.2.4 [Nettacker](#nettacker)  
diff --git a/release-pt-br/08-verification/00-toc.md b/release-pt-br/08-verification/00-toc.md
@@ -44,7 +44,7 @@ Sections:
 6.1.2 [MAS Testing Guide](#mas-testing-guide)  
 6.1.3 [Application Security Verification Standard](#application-security-verification-standard)  
 6.2 [Tools](#verification-tools)  
-6.2.1 [Zed Attack Proxy](#zed-attack-proxy)  
+6.2.1 [DAST tools](#dast-tools)  
 6.2.2 [Amass](#amass)  
 6.2.3 [Offensive Web Testing Framework](#offensive-web-testing-framework)  
 6.2.4 [Nettacker](#nettacker)  
diff --git a/release-pt-br/08-verification/02-tools/00-toc.md b/release-pt-br/08-verification/02-tools/00-toc.md
@@ -27,7 +27,7 @@ whereas manual security testing of high-risk components requires good knowledge
 
 Sections:
 
-6.2.1 [Zed Attack Proxy](#zed-attack-proxy)  
+6.2.1 [DAST tools](#dast-tools)  
 6.2.2 [Amass](#amass)  
 6.2.3 [Offensive Web Testing Framework](#offensive-web-testing-framework)  
 6.2.4 [Nettacker](#nettacker)  
diff --git a/release-pt-br/08-verification/02-tools/01-dast.md b/release-pt-br/08-verification/02-tools/01-dast.md
@@ -0,0 +1,74 @@
+---
+
+title: DAST
+layout: col-document
+tags: OWASP Developer Guide
+contributors: Johan Sydseter, Jon Gadsden
+document: OWASP Developer Guide
+order: 28210
+permalink: /release-pt-br/verification/tools/dast/
+
+---
+
+{% include breadcrumb.html %}
+
+<style type="text/css">
+.image-right {
+  height: 180px;
+  display: block;
+  margin-left: auto;
+  margin-right: auto;
+  float: right;
+}
+</style>
+
+Dynamic application security testing (DAST) represents a non-functional testing process to identify security weaknesses and
+vulnerabilities in applications. The testing process can be carried out manually or be automated. Manual assessment of an
+application involves human intervention to identify security flaws which might slip from an automated tool. Usually
+business logic errors, race condition checks, and certain zero-day vulnerabilities can only be identified using manual
+assessments.
+
+### 6.2.1 DAST tools
+
+DAST tools are programs which communicates with a web application through the web front-end in order to identify potential
+security vulnerabilities in the web application and architectural weaknesses. It performs a black-box test. Unlike static
+application security testing tools, DAST tools do not have access to the source code and therefore detect vulnerabilities
+by actually performing attacks.
+
+#### Different DAST tools
+
+The OWASP Community projects contains a [list of DAST tools][dast] that can be used to conduct DAST.
+All of these tools have their own strengths and weaknesses.
+If you are interested in the effectiveness of DAST tools, check out the [OWASP Benchmark][benchmark] project,
+which attempts to scientifically measure the effectiveness of all types of
+vulnerability detection tools, including DAST.
+
+#### Why use it?
+
+The big advantage of these types of tools are that they can scan year-round to be constantly searching for vulnerabilities.
+With new vulnerabilities being discovered regularly this allows companies to find and patch vulnerabilities before they
+can become exploited.
+
+#### Cons
+
+Because these tools does dynamic testing, it cannot cover 100% of the source code of the application and then, the
+application itself. The penetration tester should look at the coverage of the web application or of its attack surface to
+know if the tool was configured correctly or was able to understand the web application.
+
+#### References
+
+* [Dynamic application security testing][wikipedia]
+* [Vulnerability Scanning Tools][dast]
+
+----
+
+The OWASP Developer Guide is a community effort; if there is something that needs changing
+then [submit an issue][issue080201] or [edit on GitHub][edit080201].
+
+[benchmark]: https://owasp.org/www-project-benchmark/
+[dast]: https://owasp.org/www-community/Vulnerability_Scanning_Tools
+[edit080201]: https://github.com/OWASP/www-project-developer-guide/blob/main/draft/08-verification/02-tools/01-dast.md
+[issue080201]: https://github.com/OWASP/www-project-developer-guide/issues/new?labels=content&template=request.md&title=Update:%2008-verification/02-tools/01-dast
+[wikipedia]: https://en.wikipedia.org/wiki/Dynamic_application_security_testing
+
+\newpage
diff --git a/release-pt-br/08-verification/02-tools/01-zap.md b/release-pt-br/08-verification/02-tools/01-zap.md
diff --git a/release-pt-br/08-verification/02-tools/toc.md b/release-pt-br/08-verification/02-tools/toc.md
@@ -38,7 +38,7 @@ whereas manual security testing of high-risk components requires good knowledge
 
 Sections:
 
-6.2.1 [Zed Attack Proxy](01-zap.md)  
+6.2.1 [DAST tools](01-dast.md)  
 6.2.2 [Amass](02-amass.md)  
 6.2.3 [Offensive Web Testing Framework](03-owtf.md)  
 6.2.4 [Nettacker](04-nettacker.md)  
diff --git a/release-pt-br/08-verification/toc.md b/release-pt-br/08-verification/toc.md
@@ -55,7 +55,7 @@ Sections:
 6.1.2 [MAS Testing Guide](01-guides/02-mastg.md)  
 6.1.3 [Application Security Verification Standard](01-guides/03-asvs.md)  
 6.2 [Tools](02-tools/toc.md)  
-6.2.1 [Zed Attack Proxy](02-tools/01-zap.md)  
+6.2.1 [DAST tools](02-tools/01-dast.md)  
 6.2.2 [Amass](02-tools/02-amass.md)  
 6.2.3 [Offensive Web Testing Framework](02-tools/03-owtf.md)  
 6.2.4 [Nettacker](02-tools/04-nettacker.md)  
diff --git a/release-pt-br/toc.md b/release-pt-br/toc.md
@@ -79,7 +79,7 @@ permalink: /release-pt-br/
 6.1.2 [MAS Testing Guide](08-verification/01-guides/02-mastg.md)  
 6.1.3 [Application Security Verification Standard](08-verification/01-guides/03-asvs.md)  
 6.2 [Tools](08-verification/02-tools/toc.md)  
-6.2.1 [Zed Attack Proxy](08-verification/02-tools/01-zap.md)  
+6.2.1 [DAST tools](08-verification/02-tools/01-dast.md)  
 6.2.2 [Amass](08-verification/02-tools/02-amass.md)  
 6.2.3 [Offensive Web Testing Framework](08-verification/02-tools/03-owtf.md)  
 6.2.4 [Nettacker](08-verification/02-tools/04-nettacker.md)  
diff --git a/release/08-verification/02-tools/01-dast.md b/release/08-verification/02-tools/01-dast.md
diff --git a/release/08-verification/02-tools/01-zap.md b/release/08-verification/02-tools/01-zap.md
