How to disable DTD processing in the parser in Swashbuckle swagger dotnet core - asp.net-core

Recently, we have been working on the security and vulnerabilities of our application in dotnet core using the Coverity tool.
We are using Swagger / Swashbuckle in our API application, where we are getting the security threat issue "Unrestricted document type definitions (XML_EXTERNAL_ENTITY)" for the line below.
c.IncludeXmlComments(xmlPath);
The recommendation is also mentioned; however, I am unable to implement it. Please suggest.
The recommended and strongest prevention against both external entity and entity expansion attacks is to disable DTD processing in the parser. Set the XML parser configuration to disable DTD processing.
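One way to apply that recommendation, as an added example that is not from the original question: Swashbuckle.AspNetCore also exposes an IncludeXmlComments overload that takes a Func<XPathDocument> (assumed to be available in the version in use), so the comments file can be loaded through an XmlReader whose settings prohibit DTDs instead of letting the library open the path itself. The `xmlPath` variable and the `SwaggerXmlCommentsSetup` class are assumptions for illustration.

```csharp
using System;
using System.IO;
using System.Xml;
using System.Xml.XPath;
using Microsoft.Extensions.DependencyInjection;

// Added example (not the original poster's code). Assumes Swashbuckle.AspNetCore
// with the IncludeXmlComments(Func<XPathDocument>) overload and a `xmlPath`
// string pointing at the XML documentation file produced by the build.
public static class SwaggerXmlCommentsSetup
{
    // Reader settings that refuse DOCTYPE declarations entirely and never
    // resolve external resources, which removes both the external-entity
    // and the entity-expansion vectors the analyzer is warning about.
    public static XmlReaderSettings HardenedSettings() => new XmlReaderSettings
    {
        DtdProcessing = DtdProcessing.Prohibit, // XmlException if a DTD is present
        XmlResolver = null                      // no network or file fetches for entities
    };

    // Builds the XPathDocument Swashbuckle needs from the hardened reader.
    public static XPathDocument LoadXmlComments(string xmlPath)
    {
        using var stream = File.OpenRead(xmlPath);
        using var reader = XmlReader.Create(stream, HardenedSettings());
        return new XPathDocument(reader);
    }

    public static void Configure(IServiceCollection services, string xmlPath)
    {
        services.AddSwaggerGen(c =>
        {
            // Replaces c.IncludeXmlComments(xmlPath): the factory overload lets us
            // control how the file is parsed, so DTD processing is off by construction.
            c.IncludeXmlComments(() => LoadXmlComments(xmlPath));
        });
    }
}
```

Because the documentation file is generated by the compiler and contains no DOCTYPE, Prohibit does not change normal behaviour; it only makes a tampered or substituted file fail loudly at startup instead of being parsed with entities enabled.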

Related

Does a universal tool exist to describe different APIs (REST, WebSocket, gRPC, custom framework)?

My project uses different protocols to communicate with other services:
REST API
WebSocket (STOMP)
gRPC
our own framework built over gRPC.
I need a tool, or a bunch of tools, which allow me to generate documentation for the APIs. In the best scenario, it's a maven plugin that generates a report with all APIs.
We use Swagger to describe the REST API. It has poor export options and needs a lot of annotations in the code, but it describes the API well and offers the test machine.
Alternatively, Spring RestDocs (AsciiDoctor) could be used for describing the REST API. It offers a better format for reporting, but we prefer Swagger.
That's all I found for the REST API. But I didn't find anything for describing WebSocket API, gRPC and the custom framework.
I will be very grateful for any help and ideas to solve the problem.

In Swagger ASP.NET Core Production Environment, how to keep metadata from XML Comments?

From the Ahoy repository's examples (see the README), in the basic example, they do use XML Comments to generate some metadata for Swagger to serve up. However, they only configure it if the app is in the Development configuration. See that specific setup here.
However, what if we want to keep the metadata generated by the XML comments for our production environment? Do you suggest deploying with XML Comments enabled - does it matter? What are you currently doing? Is there a better way?
I'm creating an API that will be consumed by other developers. I want the metadata I've placed in XML comments to be out there for those developers to see in production, not just the Swashbuckle-generated things from the ASP.NET Core annotations.

Is there any solution for generating the RESTful API code for both client and server?

The functions for operating the RESTful API are quite similar. Is there any project that can generate the source code for different platforms such as Android, iOS and the backend?
I suggest you use API description languages such as Swagger or RAML.
After having described your RESTful application with a language like this, you will be able to generate things like server skeletons and client SDKs with different technologies and languages. You can even generate documentation.
With Swagger, swagger-codegen will do that. swagger-ui may also interest you for the documentation part.
To finish, I would like to mention Restlet Studio, which allows you to define the structure of RESTful applications graphically and quickly and then generate the corresponding Swagger and RAML contents. The APISpark platform provides a mechanism to introspect Restlet applications and generate the corresponding contents with these languages. It also allows you to generate a set of server skeletons and client SDKs.
Hope it helps you.
I suggest you use the Spring RESTful web services starter kit, which will manage your back-end with a centralized database. Also, Spring has its own Android libs to communicate with REST APIs.

Open source policy editor tool for XACML 3.0 policy creation

I am using XACML 3.0 for authorization in my project. Is there any open source policy editor tool so that I can create policies on the fly?
There are several open source policy editors. As far as I know:
UMU XACML editor
WSO2 Identity Server
OpenAM Server
Also not open source, but freely downloadable:
ALFA Plugin by Axiomatics (non-commercial use)
Free GUI based XACML Editor (XACML2.0 to XACML3.0 conversion)
If you want to integrate policy creation into your project, I guess the best approach is to use the Balana utils library. It is a library that can be used to create XACML 3.0 policies and XACML 3.0 requests using a simple object model. You can find the source code of Balana util here. Basically, the WSO2 Identity Server policy editors use this library to build the policies.

Generating REST API Documentation from Restlet annotations

The RESTful Web service APIs are implemented using Restlet. I need to generate the API documentation for these. Rather than starting with a separate document, I am evaluating if this can be generated from the source code annotations itself.
I looked at Swagger and Enunciate. Swagger seems to be based on the JAX-RS specification. Enunciate looked a little more promising, as there is an FAQ that mentions how to generate for non-JAX-RS implementations, but there is no help.
Are there any tools (or if the community has used any) for generating API documentation from Restlet annotations?
Has anyone integrated Restlet with enunciate for generating documentation?
Restlet now supports generating either Swagger or RAML contents corresponding to your application at runtime.
The following docs could help you:
For Swagger (extension org.restlet.ext.swagger): see http://restlet.com/technical-resources/restlet-framework/guide/2.3/extensions/swagger
For RAML (extension org.restlet.ext.raml): see http://restlet.com/technical-resources/restlet-framework/guide/2.3/extensions/raml
You can then leverage tools from the community to generate your API documentation. You could consider Swagger UI, which is a great tool to display online what an API provides and interact with it.
Hope it helps you,
Thierry