Server URL must be an absolute URL

Issue ID: v3-semantic-server-url

Description

The property url of the server object must be an absolute URL.

The OpenAPI Specification (OAS) allows a server object to have a relative URL, in which case the host location is resolved relative to the location where the OpenAPI document is being served. Because API definitions are uploaded to 42Crunch Platform rather than retrieved from URLs, Security Audit has no serving location to resolve against and cannot infer the host location, so relative URLs are not acceptable.

For more details, see the OpenAPI Specification.

Example

The following is an example of how this issue could look in your API definition. The server object has been defined, but as a relative URL:

{
    "openapi": "3.0.0",
    "servers": [
        {
            "url": "/api"
        }
    ],
    "info": {
        // ...
    }
}

Remediation

Define the URL of the server object as an absolute URL.

{
    "openapi": "3.0.0",
    "servers": [
        {
            "url": "http://petstore.swagger.io/api"
        }
    ],
    "info": {
        // ...
    }
}
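
A pre-upload check for this rule, as an added example that is not 42Crunch's own code or audit logic. It goes beyond the root-level case shown above: it also walks path- and operation-level servers arrays and substitutes server variable defaults before testing, both of which OAS 3 permits. The function names and the sample hosts other than the two URLs from this page are assumptions.

```python
from urllib.parse import urlsplit

METHODS = ("get", "put", "post", "delete", "options", "head", "patch", "trace")

def resolved_url(server):
    """Return the server URL with each {variable} replaced by its default."""
    url = server.get("url", "")
    for name, var in (server.get("variables") or {}).items():
        url = url.replace("{" + name + "}", str(var.get("default", "")))
    return url

def is_absolute(url):
    """Absolute here means a scheme and a host are both present."""
    parts = urlsplit(url)
    return bool(parts.scheme and parts.netloc)

def iter_servers(spec):
    """Yield (JSON pointer, server object) for root, path and operation level."""
    for i, srv in enumerate(spec.get("servers") or []):
        yield f"/servers/{i}", srv
    for path, item in (spec.get("paths") or {}).items():
        base = "/paths/" + path.replace("~", "~0").replace("/", "~1")
        for i, srv in enumerate(item.get("servers") or []):
            yield f"{base}/servers/{i}", srv
        for method in METHODS:
            for i, srv in enumerate((item.get(method) or {}).get("servers") or []):
                yield f"{base}/{method}/servers/{i}", srv

def find_relative_servers(spec):
    """Return [(pointer, resolved URL)] for every server that is not absolute."""
    return [(ptr, resolved_url(srv)) for ptr, srv in iter_servers(spec)
            if not is_absolute(resolved_url(srv))]

# Constructed sample definition (hosts are hypothetical except the page's two URLs).
SAMPLE = {
    "openapi": "3.0.0",
    "servers": [
        {"url": "/api"},
        {"url": "http://petstore.swagger.io/api"},
        {"url": "{scheme}://api.example.com/v1",
         "variables": {"scheme": {"default": "https"}}},
    ],
    "paths": {"/pets": {
        "servers": [{"url": "//files.example.com"}],
        "get": {"servers": [{"url": "v2"}]},
    }},
}

if __name__ == "__main__":
    for pointer, url in find_relative_servers(SAMPLE):
        print(f"{pointer}: relative server URL {url!r}")
```

Scheme-relative values such as //files.example.com are reported as well, since they carry a host but no scheme.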