
Enhanced JSON Reports #45

Open

shardy-lbar wants to merge 3 commits into master from enhancedDocs

Conversation

@shardy-lbar (Contributor)

Based on PR #44, to solve issue #38. This adds a new parameter to the zapArchive step (enhancedReport) which generates a more detailed JSON (and html) report.

  • Make sure you are opening from a topic/feature/bugfix branch (right side) and not your main branch!
  • Ensure that the pull request title represents the desired changelog entry
  • Please describe what you did
  • Link to relevant issues in GitHub or Jira
  • Link to relevant pull requests, esp. upstream and downstream changes
  • Ensure you have provided tests that demonstrate the feature works or fixes the issue

@shardy-lbar (Contributor, Author)

There are currently 2 issues with this implementation (at least for me):

  1. The size of the report that is generated. Some of the APIs on my own projects can have larger response bodies, and these massively pad out the report. For example, a json report that was 1.7kB when not enhanced, became 532kB when enhanced. I had another report that I simply could not open in the browser, as it was simply too large.
  2. Security. As the "request headers" are reported, this appeared to include authorization headers and cookies. For my setups, this isn't too bad as by the time the report is published, the docker instance it was testing has been shutdown and removed. However if other users are testing against a live or long-lived system, this might be a security issue to have it available in the logs.

@shardy-lbar (Contributor, Author)

Solutions for issue 1 could be:

  • To drop the response body section.
  • To set a character limit on the response body.
    This behaviour could be configurable if needed.

Potential solution to issue 2:

  • Regex replace the Authorization header with XXX for its value.
  • ^ as above, for common auth related headers.
  • Potentially provide a configuration option to say which headers to mask.
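One way to apply the two mitigations proposed above (cap the body size, mask auth-related headers, with both configurable) as a post-processing pass over the generated report. This is an added example, not code from this PR or from the plugin; it is a stand-alone Python script rather than plugin code. It assumes the report follows ZAP's traditional JSON layout (`site` → `alerts` → `instances`, with `request-header`, `response-header`, `request-body` and `response-body` strings on each instance), which is not shown on this page, and the sample report, token and cookie values are constructed. It goes slightly beyond the comment by masking `Set-Cookie` in response headers too and by truncating request bodies with the same limit.

```python
import json
import re
from copy import deepcopy

# Hypothetical defaults: the usual auth-bearing header names and a body cap.
# Both are parameters of sanitize_report, matching the "configurable" suggestion.
DEFAULT_MASKED_HEADERS = frozenset(
    {"authorization", "proxy-authorization", "cookie", "set-cookie", "x-api-key"}
)
MASK = "XXX"
DEFAULT_BODY_LIMIT = 200  # characters kept from each request/response body

# One raw HTTP header line "Name: value"; the value stops before CR/LF so the
# original line endings survive the substitution. Request/status lines
# ("GET /x HTTP/1.1", "HTTP/1.1 200 OK") contain no "Name:" token and are skipped.
_HEADER_LINE = re.compile(
    r"^(?P<name>[A-Za-z0-9-]+):[ \t]*(?P<value>[^\r\n]*)", re.MULTILINE
)


def mask_headers(raw_headers, masked=DEFAULT_MASKED_HEADERS):
    """Replace the value of every header whose name is in `masked` with MASK."""
    def replace(match):
        if match.group("name").lower() in masked:
            return f"{match.group('name')}: {MASK}"
        return match.group(0)
    return _HEADER_LINE.sub(replace, raw_headers)


def truncate_body(body, limit=DEFAULT_BODY_LIMIT):
    """Keep at most `limit` characters of a body and record how much was dropped."""
    if len(body) <= limit:
        return body
    return body[:limit] + f"...[truncated {len(body) - limit} chars]"


def sanitize_report(report, masked=DEFAULT_MASKED_HEADERS,
                    body_limit=DEFAULT_BODY_LIMIT, keep_bodies=True):
    """Return a copy of a ZAP-style JSON report with auth headers masked and
    bodies truncated (or dropped when keep_bodies is False). Input is untouched.
    Assumed layout: site -> alerts -> instances (see lead-in)."""
    out = deepcopy(report)
    for site in out.get("site", []):
        for alert in site.get("alerts", []):
            for inst in alert.get("instances", []):
                for key in ("request-header", "response-header"):
                    if key in inst:
                        inst[key] = mask_headers(inst[key], masked)
                for key in ("request-body", "response-body"):
                    if key not in inst:
                        continue
                    if keep_bodies:
                        inst[key] = truncate_body(inst[key], body_limit)
                    else:
                        del inst[key]
    return out


def serialized_size(report):
    """Bytes of the report as compact JSON, to compare before and after."""
    return len(json.dumps(report, separators=(",", ":")).encode("utf-8"))


# Constructed sample in the assumed layout; the token and cookie are fake.
SAMPLE_REPORT = {
    "site": [{
        "@name": "http://app.test",
        "alerts": [{
            "name": "Example alert",
            "instances": [{
                "uri": "http://app.test/api/items",
                "method": "GET",
                "request-header": (
                    "GET /api/items HTTP/1.1\r\nHost: app.test\r\n"
                    "Authorization: Bearer abc123\r\nCookie: session=deadbeef\r\n"
                    "Accept: application/json\r\n\r\n"
                ),
                "response-header": (
                    "HTTP/1.1 200 OK\r\nSet-Cookie: session=deadbeef; HttpOnly\r\n"
                    "Content-Type: application/json\r\n\r\n"
                ),
                # A large JSON array, standing in for the padded-out bodies
                # described in the comment above.
                "response-body": "[" + ",".join('{"id":%d}' % i for i in range(500)) + "]",
            }],
        }],
    }],
}


def first_instance(report):
    return report["site"][0]["alerts"][0]["instances"][0]


if __name__ == "__main__":
    cleaned = sanitize_report(SAMPLE_REPORT)
    print(first_instance(cleaned)["request-header"])
    print(f"{serialized_size(SAMPLE_REPORT)} -> {serialized_size(cleaned)} bytes")
```

The header match is on the name only, so the masking works on the raw header block ZAP stores rather than on a parsed map, and `keep_bodies=False` implements the "drop the response body section" alternative; running the script on a report with many instances shows how much of the size problem comes from bodies versus headers.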

@bhecquet (Contributor)

Hello

I agree with all of your points.
On our setup, tests are done on QA environments so there is no sensitive data, but you are right to point out the security issue.
The reason I added this is because our developers did not have enough information to analyze the alert.
So we should probably add several options to let the user choose the amount of data they need.
