phf5 (Contributor)

change password via API

Help updating parameters in ScanTemplates for WebInspect particularly passwords (networkAuthPassword)

We'd like to automate the process if possible, either using the REST API or another method. We've tried to do so using the REST API call, in particular the following endpoint: /api/v2/scanTemplates. However, this hasn't updated the ScanTemplate. If there is a way, we'd like to know so we can automate the process and update several templates, in particular the password field.

Micro Focus Expert

Re: change password via WIE API

Based on the sample URI you included, I assume you mean the WebInspect Enterprise 18.20 API and not the WebInspect 18.20 desktop API. Please let us know if that is not accurate.

Reviewing the Swagger interface for WIE (https://{wiehost}/WIE/REST/), it does not appear that the WIE API has a method to replace only a password or username once it has been saved within a Login Macro and then subsequently stored within the Scan Template. The API endpoint at ../WIE/REST/Api/PUT-api-v2-scanTemplates appears to only offer replacements for three select portions of the Scan Template, specifically the Login Macro, the scan Policy used, and the Starting URL.

{
  "id": "0e8bfcf7-bc27-4ae5-8bc5-bb9e652f1c28",
  "name": "template name sample string 2",
  "updateScheduledScans": true,
  "overrides": {
    "startUri": "sample string 1",
    "policyId": "12ab3b7c-32d5-4ca2-9803-a994b147a82f",
    "macroId": "2e81dc49-dbf2-45a2-899e-63591e80cdc4",
    "macroFileID": "5b79fc4f-e043-44fa-95a3-f0608300bb50",
    "macroName": "sample string 2"
  }
}

To perform your Password Replacement for WIE API, I believe you will have to edit the Login Macro first, use an API endpoint to identify the Macro's ID and Name, then use the ScanTemplate endpoint to push in the updated Login Macro to the Scan Template.

  1. manually update Login Macro
  2. request list of Login Macros, to ID yours:  ../WIE/REST/Api/GET-api-v1-macros_start_limit
  3. identify the Scan Template to be updated, ../WIE/REST/Api/GET-api-v2-scanTemplates_start_limit
  4. push the new Login Macro into the desired Scan Template, ../WIE/REST/Api/PUT-api-v2-scanTemplates

You may want to run this question by Fortify Support (https://softwaresupport.softwaregrp.com), not only for API assistance, but also to provide API feedback to them for the Product Management team (WIE enhancements).

Outside of WIE, the WebInspect desktop API tends to lead with the newer API features and currently offers a good number of advanced items such as Overrides for select items within a saved scan setting file.  Once you have the updated scan setting file from WebInspect desktop, it can be uploaded to the WIE API interface, to create a new Scan Template.

You may also find some WebInspect Enterprise input at the following articles regarding Fortify API automation.

-- Habeas Data
Micro Focus Fortify Customers-Only Forums – https://community.softwaregrp.com/t5/Fortify/ct-p/fortify
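
Steps 2 to 4 of the reply above, as an added example that is not part of the original post and not Micro Focus code: it resolves the macro and template IDs by exact name, refuses ambiguous matches so a credential-bearing macro is never pushed into the wrong template, and builds the PUT body using only field names shown in the sample JSON. Assumptions: the list endpoints return objects with "id" and "name", override keys left out of the body keep their stored values, and the base URL and authentication headers are supplied by the caller.

```python
import json
import urllib.request

# Constructed sample data. The list shape (objects with "id" and "name") is an
# assumption; check the real responses in the WIE Swagger page.
MACROS = [
    {"id": "2e81dc49-dbf2-45a2-899e-63591e80cdc4", "name": "login-app1"},
    {"id": "11111111-1111-1111-1111-111111111111", "name": "login-app2"},
    {"id": "22222222-2222-2222-2222-222222222222", "name": "login-app2"},
]
TEMPLATES = [{"id": "0e8bfcf7-bc27-4ae5-8bc5-bb9e652f1c28", "name": "app1-weekly"}]

def pick_one(items, name, kind):
    """Return the only item with this exact name; refuse on zero or several."""
    hits = [i for i in items if i.get("name") == name]
    if len(hits) != 1:
        raise LookupError(f"{kind} {name!r}: expected 1 match, found {len(hits)}")
    return hits[0]

def build_template_update(macros, templates, template_name, macro_name):
    """Steps 2-4: resolve both IDs and build the PUT scanTemplates body."""
    macro = pick_one(macros, macro_name, "macro")
    template = pick_one(templates, template_name, "scan template")
    return {
        "id": template["id"],
        "name": template["name"],
        "updateScheduledScans": True,
        # Assumption: override keys left out keep their stored value.
        "overrides": {"macroId": macro["id"], "macroName": macro["name"]},
    }

def put_template(base_url, body, headers):
    """Send the update. base_url and the auth headers are supplied by the caller."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/api/v2/scanTemplates",
        data=json.dumps(body).encode("utf-8"),
        method="PUT",
        headers={"Content-Type": "application/json", **headers},
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status

if __name__ == "__main__":
    body = build_template_update(MACROS, TEMPLATES, "app1-weekly", "login-app1")
    print(json.dumps(body, indent=2))  # review the payload before sending
```

The script never handles the password itself, since the credential stays inside the Login Macro edited in step 1.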

phf5 (Contributor)

Re: change password via WIE API

First, thank you for the reply. We appreciate the feedback and guidance. Regarding our approach, we are trying to move away from using Scan Templates.

A serious concern we came across is that when requesting a Scan Template using the following endpoint (GET /api/v2/scanTemplates/{id}) any username/password stored will be sent back in clear text. Most of the applications we will be scanning will require network authentication, and without sufficient "dummy" users to configure, it doesn't seem practical to have real users' credentials stored away in templates.

Hence, as an alternative, we are now focusing only on using Scan Settings files in our scan automation process. Does anyone know how to go about retrieving the most basic Scan Setting file? This would ideally be a pruned-down settings XML file without any unnecessary references to ScanTemplates or Macros (which we aren't using).

Thanks again for the assistance.