Description
When trying to set up a scan in the ScanCentral DAST API Scan Wizard against a Swagger file for only specific operations, the wizard does not recognize the Included operations.
Furthermore, when trying to Exclude operations, they are not excluded from the scan and are scanned anyway.
API Scan Wizard path: Content and Filters | Specific Operations | Include or Exclude.
Error message: An error was encountered while parsing the API definition:
The API definition does not contain operations to audit.
Resolution
The Swagger file used does not have operationId values defined for any of the operations on any of the endpoints. One thing to keep in mind is that a single endpoint can have several operations defined for it.
For example, /Sup-example could have
GET /Sup-example
POST /Sup-example
and so on.
Please refer to the Swagger documentation for a more detailed explanation: https://swagger.io/docs/specification/v3_0/paths-and-operations/
In order for WebInspect to be able to refer to operations for inclusion or exclusion, each operation in question needs to have an operationId defined, as that is what the Include/Exclude list refers to.
(For example, see the way the API is defined at https://petstore3.swagger.io/api/v3/openapi.json, with an operationId for each operation.)
An alternative that could work if you don't have another Swagger file is to create a Postman collection containing the requests/responses you want to include or exclude and use that to guide the WebInspect (WI) scan.
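The following script is an added example, not part of this article and not a Fortify/OpenText tool; it shows how to check an OpenAPI/Swagger JSON file for the condition described above before importing it into the wizard. It walks every path and HTTP method, reports which operations lack an operationId (the ones the Include/Exclude list cannot name), flags duplicate ids (OpenAPI requires operationId to be unique across the document, which is an added caveat beyond the article), and can fill in generated ids so the file becomes usable. The sample specification embedded below is constructed for this example; the suggestOperationId naming scheme is an assumption and not what any tool prescribes. It reads JSON only; a YAML file would first need converting.

```python
import json
import re

# Constructed sample OpenAPI 3.0 document (not the article's file): one endpoint
# with two operations, of which only GET carries an operationId, plus a second
# endpoint whose DELETE has none either.
SAMPLE_SPEC = json.dumps({
    "openapi": "3.0.3",
    "info": {"title": "Sup-example API", "version": "1.0"},
    "paths": {
        "/Sup-example": {
            "get": {"operationId": "listSupExamples",
                    "responses": {"200": {"description": "ok"}}},
            "post": {"responses": {"201": {"description": "created"}}},
        },
        "/Sup-example/{id}": {
            "parameters": [{"name": "id", "in": "path", "required": True,
                            "schema": {"type": "string"}}],
            "delete": {"responses": {"204": {"description": "deleted"}}},
        },
    },
})

# HTTP methods an OpenAPI path item may carry; other keys under a path
# (parameters, summary, servers, ...) are not operations and are skipped.
HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch", "trace")


def audit_operation_ids(spec_text):
    """Walk every path/method pair and report which operations carry an
    operationId, which lack one, and which reuse an id already taken
    (OpenAPI requires operationId to be unique across the document)."""
    spec = json.loads(spec_text)
    with_id, missing_id, duplicates = [], [], []
    seen = {}
    for path, item in spec.get("paths", {}).items():
        if not isinstance(item, dict):
            continue
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS or not isinstance(op, dict):
                continue
            label = f"{method.upper()} {path}"
            op_id = op.get("operationId")
            if not op_id:
                missing_id.append(label)
            elif op_id in seen:
                duplicates.append((label, op_id, seen[op_id]))
            else:
                seen[op_id] = label
                with_id.append((label, op_id))
    return {"with_id": with_id, "missing_id": missing_id, "duplicates": duplicates}


def has_operations_to_audit(spec_text):
    """True when at least one operation can be named in the Include/Exclude list."""
    return bool(audit_operation_ids(spec_text)["with_id"])


def suggest_operation_id(method, path):
    """Derive a camelCase id from method and path (constructed naming scheme),
    e.g. DELETE /Sup-example/{id} -> deleteSupExampleId."""
    parts = [p for p in re.split(r"[^A-Za-z0-9]+", path) if p]
    return method.lower() + "".join(p[:1].upper() + p[1:] for p in parts)


def fill_missing_operation_ids(spec_text):
    """Return a copy of the document with an operationId on every operation
    that lacked one, so the wizard can list all of them."""
    spec = json.loads(spec_text)
    for path, item in spec.get("paths", {}).items():
        if not isinstance(item, dict):
            continue
        for method, op in item.items():
            if (method.lower() in HTTP_METHODS and isinstance(op, dict)
                    and not op.get("operationId")):
                op["operationId"] = suggest_operation_id(method, path)
    return json.dumps(spec, indent=2)


if __name__ == "__main__":
    report = audit_operation_ids(SAMPLE_SPEC)
    for label in report["missing_id"]:
        print(f"missing operationId: {label}")
    for label, op_id, first in report["duplicates"]:
        print(f"duplicate operationId {op_id!r}: {label} (already used by {first})")
    print("has operations to audit:", has_operations_to_audit(SAMPLE_SPEC))
    fixed = fill_missing_operation_ids(SAMPLE_SPEC)
    print("still missing after fill:", audit_operation_ids(fixed)["missing_id"])
```

Run it against your own file by replacing SAMPLE_SPEC with the file's contents; if has_operations_to_audit returns False you will see exactly the "does not contain operations to audit" outcome in the wizard, and the filled copy can be imported instead once you have reviewed the generated ids.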