Docker stable - auto update issue


Simon Bennetts

Jul 25, 2024, 4:35:22 AM
to ZAP User Group
We have identified a problem with the stable docker image when using auto update.
It impacted the passive scan rules - some of them may not have been installed correctly and would therefore not run.

It was a side effect of the ongoing work to move functionality from the core to add-ons. We've re-released the docker image and we believe the problem is resolved.
If you have had a problem with the stable docker image in the last couple of days then please try again, pulling the latest version.
If you have any problems then let us know ASAP.

We are also looking into adding additional checks so that we get alerted to any similar problems in the future.

Sorry about the inconvenience,

Simon

Jean Marc Le Solliec

Jul 25, 2024, 9:07:24 AM
to ZAP User Group
Hi
It seems it works better now with your latest updated image. I could not find with docker the vulnerabilities I could find with a ZAP GUI Automated scan; now it is much more in phase. I even find some more vulnerabilities in my report_full_scan.html with the command:
docker run -v $(pwd):/zap/wrk/:rw -t ghcr.io/zaproxy/zaproxy:stable zap-full-scan.py -t https://xxx.yyy.zzzz -r report_full_scan.html
Have to check why this difference now; the docker scan finds in addition "MEDIUM=Proxy disclosure + Low=Permissions Policy Header Not Set + Informational=Storable and Cacheable Content".

In the ZAP GUI Automated Scan, I checked the "Use traditional Spider" option, and for the docker zap-full-scan.py I did not use the option -j (ajax spider). So it seems I should be in phase with both reports.


phil young

Jul 25, 2024, 9:13:07 AM
to ZAP User Group
Cool :) Was ajax spider impacted at all? Out of interest?

(sorry Simon, I missed your earlier message in the posts below about logs)

psiinon

Jul 25, 2024, 9:30:52 AM
to zaprox...@googlegroups.com
Good to hear it's working for you now :)
We're not aware that it impacted the AJAX Spider.

Cheers,

Simon

--
ZAP Project leader