Disable Auto Update of ZAP addons on DAST startup
Problem to solve
When DAST/ZAP starts, it accesses an XML file to determine what ZAP plugins are available, and what their latest versions are. New plugins and more recent versions are automatically downloaded.
This creates a few problems:
- Some plugins have broken live DAST functionality (e.g. a WebDriver update caused our Selenium version to not be found).
- As the ZAP image DAST depends on gets older, there are many updates to download, which causes the scan to take longer.
- DAST cannot be run in an internet-isolated environment, because the add-on list and the add-ons themselves are fetched from the internet at startup.
- The tests in DAST consistently fail as plugins get updated, which slows the pace of DAST development.
Example of DAST Log

```
org.parosproxy.paros.CommandLine - Add-on downloaded to: /root/.ZAP/plugin/alertFilters-release-9.zap
org.parosproxy.paros.CommandLine - Add-on downloaded to: /root/.ZAP/plugin/hud-beta-0.6.0.zap
org.parosproxy.paros.CommandLine - Add-on downloaded to: /root/.ZAP/plugin/websocket-release-20.zap
org.parosproxy.paros.CommandLine - Add-on downloaded to: /root/.ZAP/plugin/webdriverlinux-release-12.zap
org.parosproxy.paros.CommandLine - Downloading add-on from: https://github.com/zaproxy/zap-extensions/releases/download/pscanrulesBeta-v19/pscanrulesBeta-beta-19.zap
org.parosproxy.paros.CommandLine - Add-on downloaded to: /root/.ZAP/plugin/alertFilters-release-9.zap
org.parosproxy.paros.CommandLine - Add-on downloaded to: /root/.ZAP/plugin/hud-beta-0.6.0.zap
org.parosproxy.paros.CommandLine - Add-on downloaded to: /root/.ZAP/plugin/websocket-release-20.zap
org.parosproxy.paros.CommandLine - Add-on downloaded to: /root/.ZAP/plugin/webdriverlinux-release-12.zap
org.parosproxy.paros.CommandLine - Add-on downloaded to: /root/.ZAP/plugin/pscanrulesBeta-beta-19.zap
```
Intended users
Proposal
- When DAST/ZAP starts up, if automatic updates are disabled then ZAP should not request the add-on list or update any add-ons.
- Automatic updates are disabled by default.
- DAST should pin to specific versions of ZAP add-ons. These versions should be downloaded and baked into the DAST docker image, so a scan never needs network access to fetch them.
- Periodically (or on each add-on release), the DAST team will create and play issues that update the pinned add-on versions.
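The following is an added example of how the proposal above could be implemented; it is not GitLab DAST's or ZAP's own code. It assumes a pins file with one `<add-on file> <sha256>` line per add-on and a DAST-side switch (the environment variable name `DAST_AUTO_UPDATE_ADDONS` is hypothetical) that decides whether ZAP is started with `-addonupdate`. The `-addonupdate` and `-config` options and the `start.*` keys are real ZAP command-line options and configuration keys; the add-on file names are taken from the log above, but their contents and digests are constructed for the demo.

```shell
#!/bin/sh
# Added example, not GitLab DAST's or ZAP's own code.
# Assumptions (hypothetical): pins file lines "<add-on file> <sha256>", and an
# env var DAST_AUTO_UPDATE_ADDONS ("true"/"false") read by DAST, not by ZAP.

# Build ZAP start-up arguments. With auto-update off, -addonupdate is omitted and
# ZAP's own update checks are switched off via -config, so ZAP never fetches the
# ZapVersions.xml add-on list at start-up (this is what makes offline scans possible).
zap_startup_args() {
  if [ "${1:-false}" = "true" ]; then
    printf '%s' '-daemon -addonupdate'
  else
    printf '%s' '-daemon -config start.checkForUpdates=false -config start.checkAddonUpdates=false -config start.installAddonUpdates=false -config start.installScannerRules=false'
  fi
}

# Install one pre-downloaded add-on into the plugin dir only if its SHA-256 matches
# the pinned digest. This is the step a Dockerfile RUN line would call at image build time.
install_pinned_addon() {
  src="$1"; plugin_dir="$2"; expected="$3"
  actual=$(sha256sum "$src" | cut -d' ' -f1)
  if [ "$actual" != "$expected" ]; then
    echo "refusing to install $(basename "$src"): digest $actual != $expected" >&2
    return 1
  fi
  mkdir -p "$plugin_dir" && cp "$src" "$plugin_dir/"
}

# Re-verify every pinned add-on (e.g. at DAST start-up), so a scan never runs with an
# add-on that is missing or differs from what was pinned. Returns non-zero on any problem.
verify_pinned_addons() {
  pins_file="$1"; plugin_dir="$2"; rc=0
  while read -r name digest; do
    [ -n "$name" ] || continue
    f="$plugin_dir/$name"
    if [ ! -f "$f" ]; then
      echo "missing pinned add-on: $name" >&2; rc=1; continue
    fi
    actual=$(sha256sum "$f" | cut -d' ' -f1)
    if [ "$actual" != "$digest" ]; then
      echo "digest mismatch for $name" >&2; rc=1
    fi
  done < "$pins_file"
  return $rc
}

# Constructed demo data: add-on names from the log, placeholder contents, so the
# digests in the pins file are only meaningful for this demo.
DEMO_DIR=$(mktemp -d)
mkdir -p "$DEMO_DIR/downloads"
for name in alertFilters-release-9.zap websocket-release-20.zap webdriverlinux-release-12.zap; do
  printf 'placeholder contents of %s\n' "$name" > "$DEMO_DIR/downloads/$name"
  printf '%s %s\n' "$name" "$(sha256sum "$DEMO_DIR/downloads/$name" | cut -d' ' -f1)" >> "$DEMO_DIR/addons.pins"
done

# Build-time step: install each pinned add-on listed in the pins file.
while read -r name digest; do
  install_pinned_addon "$DEMO_DIR/downloads/$name" "$DEMO_DIR/plugin" "$digest"
done < "$DEMO_DIR/addons.pins"

# Start-up step: verify the pinned set, then derive the ZAP arguments from the switch.
verify_pinned_addons "$DEMO_DIR/addons.pins" "$DEMO_DIR/plugin" && echo "pinned add-ons verified"
echo "zap.sh $(zap_startup_args "${DAST_AUTO_UPDATE_ADDONS:-false}")"
```

The digest check is what makes pinning meaningful: pinning a version string alone still trusts whatever the download URL serves at build time, while a recorded SHA-256 ties the image to the exact add-on bytes that were tested, and the start-up re-verification catches an add-on that was swapped or corrupted after the image was built.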
Documentation
The Available variables section of the DAST configuration documentation should be updated to include the new variable that controls automatic add-on updates.
What is the type of buyer?
/cc @sethgitlab /cc @derekferguson