Pin zap add-ons to specific versions
What does this MR do?
ZAP add-ons come pre-installed with each ZAP Docker image (see /zap/plugin
on a running DAST image). When a ZAP scan is executed, ZAP will attempt to update all of the installed add-ons.
This causes problems:
- A DAST user can't decide not to take the add-on (the auto-update functionality is hard-coded)
- DAST can't be run in an offline mode
- The DAST engineering team tests suddenly fail when a release is made to dependent packages in https://github.com/zaproxy/zap-extensions/releases
This MR disables add-on auto-updating when the command line option --auto-update-addons false
is passed to /analyze
. Add-ons will update if the option is not provided. A later decision can be made as to whether or not add-on updates should be disabled by default.
This MR in part solves issues gitlab-org/gitlab#198456 (closed) and gitlab-org/gitlab#12728 (closed). It also fixes the broken master build on DAST.
Does this MR meet the acceptance criteria?
-
Changelog entry added -
Documentation created/updated for GitLab EE, if necessary -
Documentation created/updated for this project, if necessary -
Documentation reviewed by technical writer or follow-up review issue created -
Tests added for this feature/bug -
Job definition updated, if necessary -
Job definition example -
Vendored CI Templates (also in CE)
-
-
Conforms to the code review guidelines -
Conforms to the Go guidelines -
Security reports checked/validated by reviewer
Edited by Cameron Swords