Add support for OpenAPI 3.0

[thomasdejagere]

When trying to import an OpenAPI 3.0 .json file, using the OpenAPI extension, I receive the error 'Failed to parse OpenAPI definition'. Is there support for the OpenAPI 3.0 type?

[thc202]

As mentioned in the PR, version 3.0 is not yet supported.

@kingthorin, @psiinon should we update to the RC or wait for final version of swagger-parser 2.0.0?

[thomasdejagere]

@thc202 Do you have an idea when support for version 3.0 will be added?

[kingthorin]

@kingthorin, @psiinon should we update to the RC or wait for final version of swagger-parser 2.0.0?

I think it's a level of effort trade-off. If it's a 10min job then go for it I guess. If it's gonna take hours then it may as well wait. For my 2 cents anyway.

[psiinon]

👍

[kingthorin]

OpenAPI 3.0 became official at the end of July (2018): https://swagger.io/blog/news/announcing-openapi-3-0/

[Edza]

I have some problems importing C# interfaces with nullable types. OAS 3.0 supports nullable. This might be an additional reason to prioritize this.

[mxbrandi]

👍

[pexus]

Is there any sample OpenAPI 2.0 project that can be used to test the OpenAPI scanning?

[kingthorin]

Is there any sample OpenAPI 2.0 project that can be used to test the OpenAPI scanning?

https://github.com/OAI/OpenAPI-Specification/tree/master/examples/v2.0/json ?

[coobr01]

Its been a year, any updates?

[kingthorin]

Sadly no. No one has taken interest in addressing this.

[kingthorin]

@coobr01 you could always put a bounty on it and see if that spurs any action:
https://www.bountysource.com/issues/56391491-add-support-for-openapi-3-0

[dsever]

I'm also very interested in OpenAPI 3 support, maybe for now is there kid of workarround?

[mxbrandi]

I'm also very interested in OpenAPI 3 support, maybe for now is there kid of workarround?

Hi dsever, as a workaround, you can use an API converter tool (e.g., api-spec-converter) to convert your OpenAPI v3 spec to swagger v2 and finally import this in ZAP. This worked for me.

[dsever]

@mxbrandi,

I was looking for something like that, I will give a try.

Tnx

[secdevmx]

Hello,
We have Added support for OpenAPI 3.0 and tested it locally. The changes are big, so before making a pull request we would like to get some feedback, especially whether this should be merged or released as a new addon.
@psiinon @kingthorin @thc202 can anynone please take a look at the new code.

Thanks,
Murex security team

[psiinon]

@secdevmx thats great! We'll look at your changes asap.
Thanks for taking this on.

[dsever]

Great work!

[psiinon]

@secdevmx sorry for the delay - we've been distracted by other things :/
A PR to the existing repo would be great - I dont think theres any reason to make this a new add-on. Thanks for your patience.

[ntharalla]

OpenAPI v3.0 support would be great

[pauldzy]

Both OpenAPI 3.0 and Swagger 2.0 are complex systems that share a lot of concepts but not a lot of common structure. Asking folks to learn 2.0 just to create documents for input to ZAP is a bummer. I'd rather encourage colleagues to put their time and energy into OpenAPI 3.0.

[kingthorin]

Asking folks to learn 2.0 just to create documents for input to ZAP is a bummer.

I'm not aware of us doing that. Someone in the community may have suggested that as a work around. (Given the current support/functionality.)

Also to be clear, Swagger vs OpenAPI: one is a spec, the other tools implementing the spec. Chances are throughout the history of this issue/ticket they've been used improperly (by all of us, myself included).

https://swagger.io/blog/api-strategy/difference-between-swagger-and-openapi/

Anyway, the good news is that as you can see in the history of this issue a Pull Request adding OpenAPI v3 support was opened just under a month ago. It's a non-trivial change, it's been through one review, we know it's functionality many are interested in.

[lock]

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.