I am trying to set up an application to be scanned using Rapid7 InsightAppSec. It is an ASP.NET Web API, and we maintain a Swagger UI to document the API (thus we are not using something like Swashbuckle to generate the Swagger).
Rapid7 supports uploading Swagger specification files to configure a scan so that it's aware of the endpoints present in the application that it should test. However, many of our specifications have references to external "shared" .json files as well. Because of this, it seems Rapid7 can't proceed with the scan, and I receive this error:
Failed to process Swagger File C:\Program Files\Rapid7\InsightAppSec\engine\rest\service\swagger\00e523f6c6c54f648d317967e9312b34\f4f017c0-fb55-411d-bff1-8b10b941bac6-companies.json, Error in parsing Swagger file "C:\Program Files\Rapid7\InsightAppSec\engine\rest\service\swagger\00e523f6c6c54f648d317967e9312b34\f4f017c0-fb55-411d-bff1-8b10b941bac6-companies.json": Could not resolve the following types/references: "Could not resolve external file reference "../../common/authorization-header.json", file "C:\Program Files\Rapid7\InsightAppSec\engine\rest\service\common\authorization-header.json" does not exist.", "Could not resolve external file reference "../../common/company/status-response-property.json#/StatusResponseProperty", file "C:\Program Files\Rapid7\InsightAppSec\engine\rest\service\common\company\status-response-property.json" does not exist."
I've tried uploading the files that the companies.json file references, but that made no difference. The specs use relative paths, something like this:
"parameters": [
    {
        "$ref": "../../common/authorization-header.json"
    }
]
Aside from overhauling a ton of Swagger files, does Rapid7 support a way of using spec files that have relative path references?
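One workaround that avoids touching the hand-written specs is to bundle them before upload: walk the root spec, and wherever a `$ref` points at another file, load that file relative to the referring file (exactly as the error shows the engine trying to do) and inline the referenced object. The script below is an added example, not the poster's code and not part of Rapid7's product; it assumes the scanner is happy with a single self-contained JSON file, and the directory layout it builds (`swagger/x/companies.json` referring to `../../common/...`, mirroring the paths in the error) is constructed for the demo. It also refuses any `$ref` that resolves outside the spec tree, since a relative path like `../../../etc/passwd` in a shared spec would otherwise be read and inlined, and it detects reference cycles instead of recursing forever.

```python
"""Inline external-file $refs in a Swagger/OpenAPI JSON spec (added example,
not Rapid7's or the poster's code). Assumes the scanner accepts one
self-contained file; the demo file layout is constructed, not real."""
import json
import os
import tempfile
from typing import Any


class RefError(ValueError):
    """Raised for unresolvable, escaping, or circular references."""


def _pointer_lookup(doc: Any, frag: str) -> Any:
    """Follow a JSON Pointer fragment such as '/StatusResponseProperty'."""
    node = doc
    for raw in [p for p in frag.split("/") if p]:
        key = raw.replace("~1", "/").replace("~0", "~")   # RFC 6901 unescape
        if isinstance(node, list):
            node = node[int(key)]
        elif isinstance(node, dict) and key in node:
            node = node[key]
        else:
            raise RefError(f"pointer {frag!r} not found")
    return node


def bundle(spec_path: str, root_dir: str) -> Any:
    """Return spec_path's document with every external $ref inlined.
    $refs inside a loaded shared file are resolved against *that* file,
    so its own local '#/...' refs are inlined too (they would dangle once
    copied into the root document). Local refs in the root file are kept."""
    root_dir = os.path.realpath(root_dir)
    root_spec = os.path.realpath(spec_path)
    cache: dict[str, Any] = {}

    def load(path: str) -> Any:
        # Safety check: refuse any path that escapes the spec tree.
        if os.path.commonpath([path, root_dir]) != root_dir:
            raise RefError(f"{path} escapes {root_dir}")
        if path not in cache:
            with open(path, encoding="utf-8") as f:
                cache[path] = json.load(f)
        return cache[path]

    def resolve(node: Any, base_file: str, stack: tuple[str, ...]) -> Any:
        if isinstance(node, list):
            return [resolve(v, base_file, stack) for v in node]
        if not isinstance(node, dict):
            return node
        ref = node.get("$ref")
        if isinstance(ref, str):
            file_part, _, frag = ref.partition("#")
            if file_part or base_file != root_spec:
                target = base_file if not file_part else os.path.realpath(
                    os.path.join(os.path.dirname(base_file), file_part))
                key = f"{target}#{frag}"
                if key in stack:
                    raise RefError("circular $ref: " + " -> ".join(stack + (key,)))
                picked = _pointer_lookup(load(target), frag)
                return resolve(picked, target, stack + (key,))
        return {k: resolve(v, base_file, stack) for k, v in node.items()}

    return resolve(load(root_spec), root_spec, ())


def remaining_refs(node: Any) -> list[str]:
    """All $ref strings still present; a clean bundle has none."""
    if isinstance(node, dict):
        found = [node["$ref"]] if isinstance(node.get("$ref"), str) else []
        return found + [r for v in node.values() for r in remaining_refs(v)]
    if isinstance(node, list):
        return [r for v in node for r in remaining_refs(v)]
    return []


def demo() -> Any:
    """Constructed layout mirroring the error: companies.json two levels
    below the tree root, referring to ../../common/... shared files."""
    files = {
        "swagger/x/companies.json": {"swagger": "2.0", "paths": {"/companies": {"get": {
            "parameters": [{"$ref": "../../common/authorization-header.json"}],
            "responses": {"200": {"schema": {"$ref":
                "../../common/company/status-response-property.json#/StatusResponseProperty"}}},
        }}}},
        "common/authorization-header.json": {
            "name": "Authorization", "in": "header", "required": True, "type": "string"},
        "common/company/status-response-property.json": {
            "StatusResponseProperty": {"type": "object",
                                       "properties": {"status": {"$ref": "#/Status"}}},
            "Status": {"type": "string", "enum": ["active", "inactive"]}},
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in files.items():
            full = os.path.join(tmp, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as f:
                json.dump(body, f)
        return bundle(os.path.join(tmp, "swagger/x/companies.json"), tmp)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it against the real tree with `bundle("service/swagger/<id>/companies.json", "service")` and upload the resulting single file; any shared file a spec references must live under the root directory you pass, or the escape check will reject it.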