Zap add-ons usage from pre-downloaded files


Orsolya Kerner

Apr 14, 2021, 9:23:27 AM
to OWASP ZAP User Group
Hi All,

I would like to run owasp-zap in a Docker container in Jenkins for Jenkins CI/CD, and I use some add-ons for my ZAP scan, but I would not like the add-ons to update/install automatically at all.
So I would like to download the necessary add-ons and add them to the Docker container/image once.
How could I do it?

Thanks,
Orsolya

Adam Baldwin

Apr 15, 2021, 1:53:07 AM
to OWASP ZAP User Group
Hello,

If you're using the zap2docker image just add the -config start.checkForUpdates=false -config start.checkAddonUpdates=false to the run command. This will prevent update checks.

If the standard set of plugins on the image doesn't provide the desired plugins, it's possible to build a new image using zap as a base and copy your pre-built .zap jars into the image under /zap/plugin.

I hope this helps.

-Adam

Orsolya Kerner

Apr 15, 2021, 5:17:40 AM
to OWASP ZAP User Group
Hello Adam,

Thank you for your answer. I tried what you suggested but it did not work for me. I used the owasp/zap2docker-stable and owasp/zap2docker-weekly images (of course not at the same time) and I set start.checkForUpdates=false and start.checkAddonUpdates=false in a config file, as I use a config file for setting config params, but it still would like to check/download the updates and add-on updates, and unfortunately it cannot update them, with the same error as yesterday:
"43984 [ZAP-cfu] WARN  org.zaproxy.zap.extension.autoupdate.ExtensionAutoUpdate - Failed to check for updates using: https://raw.githubusercontent.com/zaproxy/zap-admin/master/ZapVersions-dev.xml
java.net.SocketTimeoutException: connect timed out"
I tried to build a new image from some of the Dockerfiles here: https://github.com/zaproxy/zaproxy/tree/main/docker but none of the builds could finish.
Do you have any other ideas?

Thank you,
Orsolya


thc...@gmail.com

Apr 15, 2021, 5:20:59 AM
to zaprox...@googlegroups.com
Hi.

Use the -silent command line argument to prevent ZAP from doing those requests:
https://www.zaproxy.org/faq/what-calls-home-does-zap-make/

Best regards.

Simon Bennetts

Apr 15, 2021, 5:21:24 AM
to OWASP ZAP User Group
Hi Orsolya,

That error indicates that ZAP was unable to connect to the URL which we use for ZAP updates, so no updates were made.
That's what you want, isn't it?
You can just ignore that warning.
Alternatively pass the "-silent" option to ZAP as per https://www.zaproxy.org/docs/desktop/cmdline/ then ZAP should not make the check-for-updates request.

Cheers,

Simon

Orsolya Kerner

Apr 15, 2021, 5:53:42 AM
to OWASP ZAP User Group
Thank you all. Yes, the -silent command line argument works, but it seems that now ZAP cannot install the add-ons, for example for Jython scripts, and I need this add-on for my scripts.
So my question is how I could use pre-downloaded add-ons without building a new zap image, as the image building did not work for me either.
This is the zap part of my docker-compose file:
zap:
     container_name: owasp-zap
     image: owasp/zap2docker-weekly
     command: zap.sh -daemon -port 8090 -host 0.0.0.0 -configfile "/my_zap/zap-config.prop" -addoninstall openapi -addoninstall jython -addoninstall formhandler
     volumes:
       - ./:/my_zap
     env_file: ./zap.env

Thank you,
Orsolya

thc...@gmail.com

Apr 15, 2021, 6:02:29 AM
to zaprox...@googlegroups.com
If the container is not able to access GitHub you'll not be able to
install the add-ons, so the "-addoninstall" arguments will not work (and
can be removed).

If you already downloaded them you can map the directory that contains
them into the container and set the option:
https://www.zaproxy.org/docs/desktop/ui/dialogs/options/checkforupdates/#add-on-directories


See also:
https://www.zaproxy.org/faq/how-do-you-find-out-what-key-to-use-to-set-a-config-value-on-the-command-line/

Best regards.
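
Added example (not part of the thread and not ZAP project code): before a directory of pre-downloaded add-ons is mapped into the container as described above, a CI step can check each .zap file against SHA-256 hashes pinned when the files were downloaded. It relies on ZAP add-ons being zip archives with a ZapAddOn.xml manifest; the function names, file names and pinned values are constructed for illustration.

```python
import hashlib
import tempfile
import zipfile
import xml.etree.ElementTree as ET
from pathlib import Path


def verify_addon_dir(addon_dir, pinned):
    """Check *.zap files against pinned {filename: sha256}; return (ok, problems)."""
    ok, problems = {}, []
    for path in sorted(Path(addon_dir).glob("*.zap")):
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        if path.name not in pinned:
            problems.append(f"unpinned: {path.name}")
        elif digest != pinned[path.name]:
            problems.append(f"hash mismatch: {path.name}")
        else:
            # Only files whose hash matches the pin are opened and parsed.
            try:
                with zipfile.ZipFile(path) as zf:
                    root = ET.fromstring(zf.read("ZapAddOn.xml"))
                ok[path.name] = (root.findtext("name"), root.findtext("version"))
            except (zipfile.BadZipFile, KeyError, ET.ParseError):
                problems.append(f"no manifest: {path.name}")
    problems += [f"missing: {n}" for n in pinned
                 if not (Path(addon_dir) / n).is_file()]
    return ok, sorted(problems)


def make_addon(path, name, version):
    """Write a constructed add-on (a zip holding only ZapAddOn.xml); return its hash."""
    xml = f"<zapaddon><name>{name}</name><version>{version}</version></zapaddon>"
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("ZapAddOn.xml", xml)
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def demo():
    """Constructed sample: one intact file, one altered after pinning, one extra."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        pinned = {
            "jython-example.zap": make_addon(d / "jython-example.zap", "Jython", "1"),
            "openapi-example.zap": make_addon(d / "openapi-example.zap", "OpenAPI", "1"),
            "formhandler-example.zap": "0" * 64,  # pinned but never downloaded
        }
        with open(d / "openapi-example.zap", "ab") as f:
            f.write(b"tampered")  # simulate a change after the hash was pinned
        make_addon(d / "extra-example.zap", "Extra", "1")
        return verify_addon_dir(d, pinned)
```

Calling demo() returns the verified add-ons and the list of problems; a CI job would fail the build when that list is not empty.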

Orsolya Kerner

Apr 15, 2021, 6:20:19 AM
to OWASP ZAP User Group
Thank you all. Yes, it works now.

Thanks again,
Orsolya
