From 02ed051a2f66b5694ee7b87a23fe99b80d886355 Mon Sep 17 00:00:00 2001
From: Jan Winz
Date: Mon, 23 Oct 2023 14:02:51 +0200
Subject: [PATCH] Update ZAPROXY version and ZAPROXY plugins #2604

---
 .../docker/Owasp-Zap-Debian.dockerfile | 23 ++++++-------
 .../owaspzap/docker/scripts/owasp-zap.sh | 5 ++-
 .../owaspzap/docker/zap-addons.txt | 32 +++++++++----------
 sechub-pds-solutions/owaspzap/env | 4 +--
 4 files changed, 32 insertions(+), 32 deletions(-)

diff --git a/sechub-pds-solutions/owaspzap/docker/Owasp-Zap-Debian.dockerfile b/sechub-pds-solutions/owaspzap/docker/Owasp-Zap-Debian.dockerfile
index 8ed650d39b..da0bc7bc91 100644
--- a/sechub-pds-solutions/owaspzap/docker/Owasp-Zap-Debian.dockerfile
+++ b/sechub-pds-solutions/owaspzap/docker/Owasp-Zap-Debian.dockerfile
@@ -10,10 +10,10 @@ LABEL org.opencontainers.image.description="A container which combines OWASP ZAP
 LABEL maintainer="SecHub FOSS Team"
 
 # Build args
-ARG OWASPZAP_VERSION="2.13.0"
-ARG OWASPZAP_SHA256SUM="24dfba87278515e3dabe8d24c259981cd812a8f6e66808c956104c3283d91d9d"
+ARG OWASPZAP_VERSION="2.14.0"
+ARG OWASPZAP_SHA256SUM="219d7f25bbe25247713805ab02cc12279898c870743c1aae3c2b0b1882191960"
 
-ARG OWASPZAP_WRAPPER_VERSION="1.2.0"
+ARG OWASPZAP_WRAPPER_VERSION="1.3.1"
 
 # OWASP ZAP host and port
 ENV ZAP_HOST="127.0.0.1"
@@ -37,16 +37,17 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
 apt-get install --assume-yes openjdk-17-jre firefox-esr wget && \
 apt-get clean
 
-# Install OWASP ZAP
+# Download ZAP
 RUN cd "$DOWNLOAD_FOLDER" && \
- # download latest release of owasp zap
- wget --no-verbose https://github.com/zaproxy/zaproxy/releases/download/v${OWASPZAP_VERSION}/zaproxy_${OWASPZAP_VERSION}-1_all.deb && \
+ # download latest release of zap
+ wget --no-verbose https://github.com/zaproxy/zaproxy/releases/download/v${OWASPZAP_VERSION}/ZAP_${OWASPZAP_VERSION}_Linux.tar.gz && \
 # verify that the checksum and the checksum of the file are same
- echo "${OWASPZAP_SHA256SUM} zaproxy_${OWASPZAP_VERSION}-1_all.deb" | sha256sum --check && \
- dpkg -i zaproxy_${OWASPZAP_VERSION}-1_all.deb && \
- # remove zaproxy deb package
- rm zaproxy_${OWASPZAP_VERSION}-1_all.deb
-
+ echo "${OWASPZAP_SHA256SUM} ZAP_${OWASPZAP_VERSION}_Linux.tar.gz" | sha256sum --check && \
+ # install ZAP
+ tar xf ZAP_${OWASPZAP_VERSION}_Linux.tar.gz -C "$TOOL_FOLDER" && \
+ ln -s "$TOOL_FOLDER/ZAP_${OWASPZAP_VERSION}/zap.sh" "/usr/local/bin/zap" && \
+ # remove plugins installed on default
+ rm $TOOL_FOLDER/ZAP_${OWASPZAP_VERSION}/plugin/*.zap
 
 # Install SecHub OWASP ZAP wrapper
 RUN cd "$TOOL_FOLDER" && \
diff --git a/sechub-pds-solutions/owaspzap/docker/scripts/owasp-zap.sh b/sechub-pds-solutions/owaspzap/docker/scripts/owasp-zap.sh
index 97e84c222d..05530d0e61 100755
--- a/sechub-pds-solutions/owaspzap/docker/scripts/owasp-zap.sh
+++ b/sechub-pds-solutions/owaspzap/docker/scripts/owasp-zap.sh
@@ -3,8 +3,7 @@
 
 shutdownZAP() {
 # --full: to specify the process by looking at full command line including the parameters
-pkill -9 --full "/usr/bin/owasp-zap"
-pkill -9 --full "/usr/share/zaproxy/zap-"
+pkill -9 --full "/pds/tools/ZAP_"
 }
 
 # Start OWASP-ZAP server
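Review bot: The downloaded archive is never deleted: the replaced lines removed the .deb after `dpkg -i`, but the new chain ends with the plugin cleanup and leaves `ZAP_${OWASPZAP_VERSION}_Linux.tar.gz` in `$DOWNLOAD_FOLDER`, so it is baked into the image layer. `$TOOL_FOLDER` is also unquoted on that last `rm` line while the `tar` and `ln` lines quote it. Ending the chain with `rm "$TOOL_FOLDER"/ZAP_${OWASPZAP_VERSION}/plugin/*.zap && \` followed by `rm ZAP_${OWASPZAP_VERSION}_Linux.tar.gz` fixes both (the glob stays outside the quotes; an empty plugin directory still fails the build, which is the right signal). The bundled add-ons removed here are presumably re-installed from zap-addons.txt, whose entries are bare release URLs with no per-file digest — the core archive gets a SHA-256 check in this hunk, the add-ons apparently do not, so the supply-chain pinning is uneven across the two download paths.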
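Review bot: `shutdownZAP` now hard-codes `/pds/tools/ZAP_`, duplicating the install location the Dockerfile derives from `$TOOL_FOLDER`; if either side moves, the pattern matches nothing and the function silently fails to stop ZAP, since `pkill`'s exit status is not checked. If `TOOL_FOLDER` is exported into the container environment (not visible here), `pkill -9 --full "${TOOL_FOLDER:-/pds/tools}/ZAP_"` keeps the two in sync with the same fallback. `--full` is a substring match on the whole command line, so any process mentioning that path is killed; inside a single-purpose container that is acceptable, but the comment above the call should say so, e.g. `# kills every process whose command line contains the ZAP install path`.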
@@ -13,7 +12,7 @@ echo "Starting up OWASP-ZAP server"
 # This addon is mandatory now but the telemetry calls can be deactivated.
 # This feature addtionally disables automated update calls, e.g. to update extensions.
 # Otherwise, if you want to use a specific versions of extensions e.g. for testing reasons, ZAP would automatically check for updates.
-owasp-zap -daemon -silent -nostdout -host "$ZAP_HOST" -port "$ZAP_PORT" -config "api.key=$ZAP_API_KEY" &
+zap -daemon -silent -nostdout -host "$ZAP_HOST" -port "$ZAP_PORT" -config "api.key=$ZAP_API_KEY" &
 
 echo "Waiting for OWASP-ZAP to start"
 RETRIES=20
diff --git a/sechub-pds-solutions/owaspzap/docker/zap-addons.txt b/sechub-pds-solutions/owaspzap/docker/zap-addons.txt
index 0f6bcf84e8..951a7fa2eb 100644
--- a/sechub-pds-solutions/owaspzap/docker/zap-addons.txt
+++ b/sechub-pds-solutions/owaspzap/docker/zap-addons.txt
@@ -1,16 +1,16 @@
-https://github.com/zaproxy/zap-extensions/releases/download/commonlib-v1.14.0/commonlib-release-1.14.0.zap
-https://github.com/zaproxy/zap-extensions/releases/download/ascanrules-v55/ascanrules-release-55.zap
-https://github.com/zaproxy/zap-extensions/releases/download/selenium-v15.12.1/selenium-release-15.12.1.zap
-https://github.com/zaproxy/zap-extensions/releases/download/spiderAjax-v23.14.1/spiderAjax-release-23.14.1.zap
-https://github.com/zaproxy/zap-extensions/releases/download/pscanrules-v49/pscanrules-release-49.zap
-https://github.com/zaproxy/zap-extensions/releases/download/retire-v0.23.0/retire-release-0.23.0.zap
-https://github.com/zaproxy/zap-extensions/releases/download/domxss-v15/domxss-release-15.zap
-https://github.com/zaproxy/zap-extensions/releases/download/webdriverlinux-v56/webdriverlinux-release-56.zap
-https://github.com/zaproxy/zap-extensions/releases/download/network-v0.9.0/network-beta-0.9.0.zap
-https://github.com/zaproxy/zap-extensions/releases/download/openapi-v34/openapi-beta-34.zap
-https://github.com/zaproxy/zap-extensions/releases/download/callhome-v0.6.0/callhome-release-0.6.0.zap
-https://github.com/zaproxy/zap-extensions/releases/download/spider-v0.4.0/spider-release-0.4.0.zap
-https://github.com/zaproxy/zap-extensions/releases/download/database-v0.1.0/database-alpha-0.1.0.zap
-https://github.com/zaproxy/zap-extensions/releases/download/oast-v0.15.0/oast-beta-0.15.0.zap
-https://github.com/zaproxy/zap-extensions/releases/download/reports-v0.22.0/reports-release-0.22.0.zap
-https://github.com/zaproxy/zap-extensions/releases/download/replacer-v12/replacer-release-12.zap
+https://github.com/zaproxy/zap-extensions/releases/download/commonlib-v1.18.0/commonlib-release-1.18.0.zap
+https://github.com/zaproxy/zap-extensions/releases/download/ascanrules-v58/ascanrules-release-58.zap
+https://github.com/zaproxy/zap-extensions/releases/download/selenium-v15.15.0/selenium-release-15.15.0.zap
+https://github.com/zaproxy/zap-extensions/releases/download/spiderAjax-v23.17.0/spiderAjax-release-23.17.0.zap
+https://github.com/zaproxy/zap-extensions/releases/download/pscanrules-v52/pscanrules-release-52.zap
+https://github.com/zaproxy/zap-extensions/releases/download/retire-v0.26.0/retire-release-0.26.0.zap
+https://github.com/zaproxy/zap-extensions/releases/download/domxss-v18/domxss-release-18.zap
+https://github.com/zaproxy/zap-extensions/releases/download/webdriverlinux-v64/webdriverlinux-release-64.zap
+https://github.com/zaproxy/zap-extensions/releases/download/network-v0.12.0/network-beta-0.12.0.zap
+https://github.com/zaproxy/zap-extensions/releases/download/openapi-v37/openapi-beta-37.zap
+https://github.com/zaproxy/zap-extensions/releases/download/callhome-v0.8.0/callhome-release-0.8.0.zap
+https://github.com/zaproxy/zap-extensions/releases/download/spider-v0.7.0/spider-release-0.7.0.zap
+https://github.com/zaproxy/zap-extensions/releases/download/database-v0.3.0/database-alpha-0.3.0.zap
+https://github.com/zaproxy/zap-extensions/releases/download/oast-v0.17.0/oast-beta-0.17.0.zap
+https://github.com/zaproxy/zap-extensions/releases/download/reports-v0.26.0/reports-release-0.26.0.zap
+https://github.com/zaproxy/zap-extensions/releases/download/replacer-v15/replacer-release-15.zap
diff --git a/sechub-pds-solutions/owaspzap/env b/sechub-pds-solutions/owaspzap/env
index ff402bd3da..791ed3de28 100644
--- a/sechub-pds-solutions/owaspzap/env
+++ b/sechub-pds-solutions/owaspzap/env
@@ -6,8 +6,8 @@ BASE_IMAGE="ghcr.io/mercedes-benz/sechub/pds-base"
 # See: https://github.com/mercedes-benz/sechub/releases/
 OWASPZAP_WRAPPER_VERSION="1.3.1"
 # See: https://github.com/zaproxy/zaproxy/releases/latest
-OWASPZAP_VERSION="2.13.0"
-OWASPZAP_SHA256SUM="24dfba87278515e3dabe8d24c259981cd812a8f6e66808c956104c3283d91d9d"
+OWASPZAP_VERSION="2.14.0"
+OWASPZAP_SHA256SUM="219d7f25bbe25247713805ab02cc12279898c870743c1aae3c2b0b1882191960"
 
 PDS_START_MODE=localserver
 ADMIN_USERID=admin