Active Scan Rule Updates


Omkar Kumbhar

May 26, 2022, 6:44:06 AM
to OWASP ZAP Developer Group
Hi Team,

I have one query regarding Active Scan rule updates. I have read in the ZAP docs that "ZAP will automatically download and install any updates to the scanner rules you have installed."

However, if a new active/passive scanner rule is developed, will the new rule be installed automatically, or do we have to install it manually?

For example, after disclosure of the Log4J vulnerability, a new Log4J scan rule was added to ZAP. Was this rule installed in all ZAP versions automatically, or did the end user have to install it manually?

Thanks,
Omkar

psiinon

May 26, 2022, 6:52:09 AM
to OWASP ZAP Developer Group
Hi Omkar,

"It depends" :)

As stated: "ZAP will automatically download and install any updates to the scanner rules you have installed."
If you change that option then you will not get auto updates.

Also, it depends on what scan rules you have installed.
The stable release only contains "release" quality scan rules.
The docker packaged scans use both "release" and "beta" quality scan rules.

New scan rules always start off as "alpha" quality.
If you do not install the alpha quality scan rules then you won't have access to them or get updates to them.
You would only get them when they are promoted into one of the add-ons you have installed.

Does that make sense?

Cheers,

Simon

Omkar Kumbhar

May 26, 2022, 7:34:09 AM
to OWASP ZAP Developer Group
Hi Simon,

Yes, I understood. 

That means, if I have installed alpha quality rules and selected the option "ZAP will automatically download and install any updates to the scanner rules you have installed.", then any new scan rule that is developed will get automatically installed in my ZAP setup. I hope my understanding is correct.

Thanks,
Omkar

psiinon

May 26, 2022, 7:37:51 AM
to OWASP ZAP Developer Group
Hi Omkar,

Yes, this is correct.
We do sometimes include scan rules with other add-ons where we need to add significant support for a specific type of technology - so the SOAP specific rules are actually included in the soap add-on, but that's a much less usual situation.

Cheers,

Simon

Omkar Kumbhar

May 27, 2022, 12:48:44 AM
to OWASP ZAP Developer Group
Alright! Thanks Simon.

Best regards,
Omkar
