Disable addon auto update with Zap Docker


Ni30 Work

Apr 26, 2023, 3:15:56 AM
to OWASP ZAP User Group
Hi,
I'm trying to disable the addon update which happens automatically when we run zap in docker. 
I have tried using "-silent" and "-config start.checkForUpdates=false -config start.checkAddonUpdates=false"

Here is the docker command I'm using:

sudo docker run --rm \
-t owasp/zap2docker-stable:s2023-04-04 \
zap-baseline.py -t http://example.com/ --hook=/zap/wrk/scan_hook.py \
-d -z "-silent"

(scan-hook.py is a blank file)
I am force closing (Ctrl + C) the scan after the spider starts so that I can see the debug messages.
And here is something interesting I see:
1. The silent command has been added to the scan parameters
2023-04-26 07:05:25,256 Params: ['/zap/zap-x.sh', '-daemon', '-port', '53815', '-host', '0.0.0.0', '-config', 'database.recoverylog=false', '-config', 'api.disablekey=true', '-config', 'api.addrs.addr.name=.*', '-config', 'api.addrs.addr.regex=true', '-config', 'spider.maxDuration=1', '-addonupdate', '-addoninstall', 'pscanrulesBeta', '-silent']

2. But still this is initialising
4388 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Auto-update Extension - Allows ZAP to check for updates

3. I see here that although the auto update is shh-ed, it is still updating the addons.
6671 [ZAP-daemon] INFO org.zaproxy.zap.extension.autoupdate.ExtensionAutoUpdate - Shh! No check-for-update - silent mode enabled
7686 [ZAP-daemon] INFO org.zaproxy.zap.extension.autoupdate.ExtensionAutoUpdate - There is/are 3 newer addons
10384 [ZAP-DownloadInstaller] INFO org.zaproxy.zap.extension.autoupdate.ExtensionAutoUpdate - Installing new addon formhandler v6.2.1
10412 [ZAP-DownloadInstaller] INFO org.zaproxy.zap.extension.autoupdate.ExtensionAutoUpdate - Finished installing new addon formhandler v6.2.1
10430 [ZAP-DownloadInstaller] INFO org.zaproxy.zap.extension.autoupdate.ExtensionAutoUpdate - Installing new addon spiderAjax v23.13.1
10495 [ZAP-DownloadInstaller] INFO org.zaproxy.zap.extension.autoupdate.ExtensionAutoUpdate - Finished installing new addon spiderAjax v23.13.1
10516 [ZAP-DownloadInstaller] INFO org.zaproxy.zap.extension.autoupdate.ExtensionAutoUpdate - Installing new addon webdriverlinux v54.0.0

Is there any way I can stop zap-docker from updating addons??

I have attached the full log.
Thank you.
sys.log
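
Added example (not part of the original posts and not ZAP project code): a small Python check a CI job could run over ZAP's log output to detect that add-ons were installed at scan time even though silent mode was reported, using the log lines quoted in the post above as sample input. The function name and the report fields are assumptions made for this example.

```python
import re

# Sample input: log lines quoted in the first post of this thread.
SAMPLE_LOG = """\
4388 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Auto-update Extension - Allows ZAP to check for updates
6671 [ZAP-daemon] INFO org.zaproxy.zap.extension.autoupdate.ExtensionAutoUpdate - Shh! No check-for-update - silent mode enabled
7686 [ZAP-daemon] INFO org.zaproxy.zap.extension.autoupdate.ExtensionAutoUpdate - There is/are 3 newer addons
10384 [ZAP-DownloadInstaller] INFO org.zaproxy.zap.extension.autoupdate.ExtensionAutoUpdate - Installing new addon formhandler v6.2.1
10412 [ZAP-DownloadInstaller] INFO org.zaproxy.zap.extension.autoupdate.ExtensionAutoUpdate - Finished installing new addon formhandler v6.2.1
10430 [ZAP-DownloadInstaller] INFO org.zaproxy.zap.extension.autoupdate.ExtensionAutoUpdate - Installing new addon spiderAjax v23.13.1
10495 [ZAP-DownloadInstaller] INFO org.zaproxy.zap.extension.autoupdate.ExtensionAutoUpdate - Finished installing new addon spiderAjax v23.13.1
10516 [ZAP-DownloadInstaller] INFO org.zaproxy.zap.extension.autoupdate.ExtensionAutoUpdate - Installing new addon webdriverlinux v54.0.0
"""

# Line layout as seen in the quoted output: "<ms> [<thread>] <LEVEL> <logger> - <message>"
LINE_RE = re.compile(r"^(?P<ms>\d+) \[(?P<thread>[^\]]+)\] (?P<level>[A-Z]+)\s+(?P<logger>\S+) - (?P<msg>.*)$")
STARTED_RE = re.compile(r"^Installing new addon (\S+) v(\S+)$")
FINISHED_RE = re.compile(r"^Finished installing new addon (\S+) v(\S+)$")

def audit_addon_updates(log_text):
    """Summarise add-on installs reported by ExtensionAutoUpdate in a ZAP log."""
    report = {"silent": False, "started": [], "finished": []}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or not m["logger"].endswith("ExtensionAutoUpdate"):
            continue  # ignore other loggers and unparseable lines
        msg = m["msg"]
        if "silent mode enabled" in msg:
            report["silent"] = True
        elif (s := STARTED_RE.match(msg)):
            report["started"].append((s[1], s[2]))
        elif (f := FINISHED_RE.match(msg)):
            report["finished"].append((f[1], f[2]))
    # Installs that began but never logged completion (e.g. the run was interrupted).
    report["incomplete"] = [a for a in report["started"] if a not in report["finished"]]
    # Any install at scan time means the running add-on set differs from the image's.
    report["drift"] = bool(report["started"])
    return report

if __name__ == "__main__":
    r = audit_addon_updates(SAMPLE_LOG)
    print(r)
    raise SystemExit(1 if r["drift"] else 0)  # non-zero exit fails the CI step
```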

Simon Bennetts

Apr 26, 2023, 4:26:54 AM
to OWASP ZAP User Group
Right now the baseline scan always uses both of the release and beta scan rules.
The stable docker release doesn't include the beta scan rules so we have to perform an update in order to install them.
We discussed changing this behaviour previously but decided that it would impact too many people.

However I can understand people wanting a way to disable the updates.
2 options come to mind:
  • Adding a new baseline command line option
  • Checking for "-silent" in the ZAP options
I think the second one is probably better and would hopefully not impact people who don't want this effect.

Would that address your problem?
Anyone else think of any problems with this approach?

Cheers,

Simon

Ni30 Work

Apr 26, 2023, 9:20:29 PM
to OWASP ZAP User Group
Hi Simon, 
Thanks for the reply. 
I tested with zap-full-scan as well, and the output is the same.

Anyways, the `-silent` option seems good. If it can stop the updates, then yes, that will solve my problem.

Thank you,
Nitish


Simon Bennetts

Apr 27, 2023, 4:39:51 AM
to OWASP ZAP User Group
It turns out we already have an issue for this, which I've just updated: https://github.com/zaproxy/zaproxy/issues/4633

I'll aim to look at this soon, but if anyone else fancies having a look at it then just comment on the issue and we will assign it to you.

Cheers,

Simon

Ni30 Work

May 2, 2023, 2:22:56 AM
to OWASP ZAP User Group

Thank you Simon. That helps a lot. 
I don't have the expertise to solve this issue myself, but I hope this is solved soon.

Thanks :) 
- Nitish 