refactor: removed unused code

docs: added answer for Q3.4
Signed-off-by: Klagarge <remi@heredero.ch>

.gitlab-ci.yml

@@ -1,8 +1,6 @@
 variables:
   DOCKER_IMAGE_TEST: registry.forge.hefr.ch/klagarge/mse2425-grp09/python-pdm:latest
   DOCKER_IMAGE_APP: registry.forge.hefr.ch/klagarge/mse2425-grp09/devsecops-app:latest
-  APP_PORT: 5000
-  TARGET_URL: "http://app:${APP_PORT}"
 
 default:
   image: $DOCKER_IMAGE_TEST
@@ -88,18 +86,8 @@ docker-build-app:
 
 include:
   - template: Jobs/SAST.gitlab-ci.yml
-#  - template: DAST.gitlab-ci.yml
 
-#dast-ci:
-#  stage: dast
-#  dast_configuration:
-#    site_profile: "dast-site-profile-devsecops-mse"
-#    scanner_profile: "dast-scanner-profile-devsecops-mse"
-#services:
-#  - name: $DOCKER_IMAGE_APP
-#    alias: app
-
-dast-local:
+dast:
   stage: dast
   image: ghcr.io/zaproxy/zaproxy:stable
   services:
@@ -108,5 +96,4 @@ dast-local:
   script:
     - echo "Waiting for the app to start on http://app:5000"
     - timeout 60 bash -c 'until curl -s http://app:5000; do echo "Waiting..."; sleep 3; done'
-    - zap-full-scan.py -t http://app:5000 -I
-  allow_failure: true # Allow failure for DAST job (because GitLab is not well configured and network didn't work)
+    - zap-full-scan.py -t http://app:5000 -I

docs/questions-part3.md

@@ -2,7 +2,7 @@
 
 ## Part 3
 
-- **Q3.1**: Setup your CI/CD pipeline with an additional SAST solution. I propose that you use `semgrep` for this task. Get your inspiration here: https://semgrep.dev/for/gitlab and https://docs.gitlab.com/ee/user/application_security/sast/ 
+- **Q3.1**: Setup your CI/CD pipeline with an additional SAST solution. I propose that you use `semgrep` for this task. Get your inspiration here: https://semgrep.dev/for/gitlab and https://docs.gitlab.com/ee/user/application_security/sast/
 - **Q3.2**: Describe the found problems (alerts) in the `calculator app` (in the original code, git tag `v3.0`)
 - **Q3.3**: Install DAST OWASP ZAP on your host or in a Docker. Play with OWASP ZAP, analyze the calculator code
 - **Q3.4**: Implement a DAST solution in your pipeline. Get some inspiration here https://docs.gitlab.com/ee/user/application_security/dast/ . Describe what you have integrated in your pipeline. *Note: you must ensure that your application is running while you are testing!*
@@ -14,7 +14,7 @@
 
 ## Q3.2
 
-For some reasons, semgrep works locally, but not on GitLab. Here is the report when runned locally. 
+For some reasons, semgrep works locally, but not on GitLab. Here is the report when runned locally.
 
 ![SAST-report](figures/SAST-report.png)
 
@@ -22,4 +22,14 @@ For some reasons, semgrep works locally, but not on GitLab. Here is the report w
 
 After performing a scan, we can see a few alerts as seen on this screenshot :
 
-![alt text](figures/OWASP-ZAP.png)
+![alt text](figures/OWASP-ZAP.png)
+
+## Q3.4
+The integrate DAST in Github doesn't work on our version, we need the _Ultimate_ version of GitLab selfhosted.
+
+We create a new Docker image for the application. This image auto launch the flask app when the container is started.
+
+We used this image as a service for the DAST stage on our CI.
+The stage use zaproxy to test the application. Warning do not return wailure, so the stage pass if no error is found by the OWASP ZAP.
+
+We don't understand why the stage fail when we try to provide the html report as artifact. So if the stage fail, we can see the error in the logs.