Merge branch 'release-2.7.0' into master

.gitignore

@@ -13,3 +13,6 @@ out/
 
 # Node
 node_modules/
+
+# ZAP
+src/plugin/

.travis.yml

@@ -1,6 +1,9 @@
 language: java
 script: ant -buildfile build/build.xml test
 
+jdk:
+  - oraclejdk8
+
 env:
   global:
    # COVERITY_SCAN_TOKEN

CONTRIBUTING.md

@@ -81,18 +81,18 @@ Fixing [issues](https://github.com/zaproxy/zaproxy/issues) is very valuable (one
 * This is a guideline we should normally be able to hit. If it’s been more than a week and you haven’t heard then please feel free to add a comment to your PR and @ mention the team (@zaproxy/team-zaproxy).
 
 ##### What we (ZAP Team), expect from you?
-* "Atomic commits" (logical changes to be in a single commit). Please don’t group disjointed changes into a single commit/PR.
-* Descriptive commits (subject and message):
- * For example: https://github.com/spring-projects/spring-framework/blob/master/CONTRIBUTING.md#format-commit-messages
-* Discussion about the changes:
- * Should be done in/on the PR or via the Dev Group and a link to that Dev Group thread added to the PR comments. (i.e.: Shared information is important, if something happens via IRC or private email please ensure a summary makes it to the PR.)
- * Discussion will be kept in the pull request unless off topic.
-* No merge commits. Please, rebase.
-* Rebase if the branch has conflicts.
-* How much time will a pull request be left open?
- * This isn’t static, one or more members of the ZAP Team will reach out (using @ mentions in PR comments) once or twice in order to get things back on track. If no input is received after a month or two then the PR will be closed. Total stale time will likely be 2 to 3 months.
-  * Close with a message such as: "The pull request was closed because of lack of activity (as per CONTRIBUTING guidelines)". Labeled as "Stale".
-  * If the contribution is deemed important or still valuable the code may be:
-   * Manually merged (if possible).
-   * Retrieved by another member of the team, fixed up and resubmitted. In which case the commit message (PR message) should contain a reference to the original submission.
+  * "Atomic commits" (logical changes to be in a single commit). Please don’t group disjointed changes into a single commit/PR.
+  * Descriptive commits (subject and message):
+    * For example: https://github.com/spring-projects/spring-framework/blob/master/CONTRIBUTING.md#format-commit-messages
+  * Discussion about the changes:
+    * Should be done in/on the PR or via the Dev Group and a link to that Dev Group thread added to the PR comments. (i.e.: Shared information is important, if something happens via IRC or private email please ensure a summary makes it to the PR.)
+    * Discussion will be kept in the pull request unless off topic.
+  * No merge commits. Please, rebase.
+  * Rebase if the branch has conflicts.
+  * How much time will a pull request be left open?
+    * This isn’t static, one or more members of the ZAP Team will reach out (using @ mentions in PR comments) once or twice in order to get things back on track. If no input is received after a month or two then the PR will be closed. Total stale time will likely be 2 to 3 months.
+    * Close with a message such as: "The pull request was closed because of lack of activity (as per CONTRIBUTING guidelines)". Labeled as "Stale".
+    * If the contribution is deemed important or still valuable the code may be:
+      * Manually merged (if possible).
+      * Retrieved by another member of the team, fixed up and resubmitted. In which case the commit message (PR message) should contain a reference to the original submission.
 

README.md

@@ -1,12 +1,12 @@
 # [![](https://raw.githubusercontent.com/wiki/zaproxy/zaproxy/images/zap32x32.png) OWASP ZAP](https://www.owasp.org/index.php/ZAP)
 [![License](https://img.shields.io/badge/license-Apache%202-4EB1BA.svg)](https://www.apache.org/licenses/LICENSE-2.0.html)
 [![GitHub release](https://img.shields.io/github/release/zaproxy/zaproxy.svg)](https://github.com/zaproxy/zaproxy/wiki/Downloads)
-[![Build Status](https://travis-ci.org/zaproxy/zaproxy.svg?branch=master)](https://travis-ci.org/zaproxy/zaproxy)
+[![Build Status](https://travis-ci.org/zaproxy/zaproxy.svg?branch=develop)](https://travis-ci.org/zaproxy/zaproxy)
 [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/24/badge)](https://bestpractices.coreinfrastructure.org/projects/24)
 [![Coverity Scan Build Status](https://scan.coverity.com/projects/5559/badge.svg)](https://scan.coverity.com/projects/zaproxy-zaproxy)
 [![Github Releases](https://img.shields.io/github/downloads/zaproxy/zaproxy/latest/total.svg?maxAge=2592000)](https://zapbot.github.io/zap-mgmt-scripts/downloads.html)
+[![Javadocs](https://javadoc.io/badge/org.zaproxy/zap/2.6.0.svg)](https://javadoc.io/doc/org.zaproxy/zap/2.6.0)
 [![OWASP Flagship](https://img.shields.io/badge/owasp-flagship-brightgreen.svg)](https://www.owasp.org/index.php/OWASP_Project_Inventory#tab=Flagship_Projects)
-[![ToolsWatch Rank 1](https://www.toolswatch.org/badges/toptools/rank1_2015.svg)](http://www.toolswatch.org/2016/02/2015-top-security-tools-as-voted-by-toolswatch-org-readers/)
 [![Twitter Follow](https://img.shields.io/twitter/follow/zaproxy.svg?style=social&label=Follow&maxAge=2592000)](https://twitter.com/zaproxy)
 
 The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers[*](#justification). It can help you automatically find security vulnerabilities in your web applications while you are developing and testing your applications. Its also a great tool for experienced pentesters to use for manual security testing.
@@ -24,8 +24,9 @@ For general information about ZAP:
   * [Swag!](https://github.com/zaproxy/zap-swag) - official ZAP swag that you can buy, as well as all of the original artwork released under the CC License
 
 For help using ZAP:
-  * [Getting Started Guide (pdf)](https://github.com/zaproxy/zaproxy/releases/download/2.5.0/ZAPGettingStartedGuide-2.5.pdf) - an introductory guide you can print
+  * [Getting Started Guide (pdf)](https://github.com/zaproxy/zaproxy/releases/download/2.6.0/ZAPGettingStartedGuide-2.6.pdf) - an introductory guide you can print
   * [Tutorial Videos](https://www.youtube.com/playlist?list=PLEBitBW-Hlsv8cEIUntAO8st2UGhmrjUB)
+  * [Articles](https://github.com/zaproxy/zaproxy/wiki/ZAP-Articles) - that go into ZAP features in more depth
   * [Frequently Asked Questions](https://github.com/zaproxy/zaproxy/wiki/FAQtoplevel)
   * [User Guide](https://github.com/zaproxy/zap-core-help/wiki) - online version of the User Guide included with ZAP
   * [User Group](https://groups.google.com/group/zaproxy-users) - ask questions about using ZAP

build/.gitignore

@@ -4,3 +4,5 @@ zap
 ZAP*.dmg
 ZAP*.tar.gz
 zap*.deb
+# Used for dmg and installer
+zap-mac

build/build.xml

@@ -2,7 +2,7 @@
 	<description>Build ZAP.</description>
 	<!-- set global properties for this build -->
 	<property name="src" location="../src" />
-	<property name="src.version" value="1.7" />
+	<property name="src.version" value="1.8" />
 	<property name="build" location="build" />
 	<property name="build.lib.dir" location="lib" />
 	<property name="dist" location="zap" />
@@ -28,8 +28,8 @@
 	<property name="app.executable" value="${app.bundle}/Contents/MacOS/OWASP ZAP.sh" />
 	<property name="app.java" value="${app.bundle}/Contents/Java" />
 	<!--This version downloaded from http://www.oracle.com/technetwork/java/javase/downloads/jre8-downloads-2133155.html -->
-	<property name="app.jrearchive" value="jre-8u121-macosx-x64.tar.gz" />
-	<property name="app.jredir" value="jre1.8.0_121.jre" />
+	<property name="app.jrearchive" value="jre-8u152-macosx-x64.tar.gz" />
+	<property name="app.jredir" value="jre1.8.0_152.jre" />
 	<property name="app.plugins" value="${app.bundle}/Contents/PlugIns" />
 
 	<!-- Detect Operating system (Though only the Mac check is used, the other OS checks might be useful for future purposes -->
@@ -92,15 +92,9 @@
 	<target name="compile" depends="init" description="Compile the source ">
 		<echo message="Compiling the source..." />
 
-		<!-- Compile with debug information if the property "javac.debug" is set to true -->
-		<local name="debug" />
-		<condition property="debug" value="true" else="false">
-			<istrue value="${javac.debug}" />
-		</condition>
-
 		<!-- Compile the java code from ${src} into ${build} -->
 		<!--javac srcdir="${src}" destdir="${build}" classpath="zap.jar"/-->
-		<javac srcdir="${src}" destdir="${build}" source="${src.version}" target="${src.version}" includeantruntime="false" debug="${debug}" encoding="UTF-8">
+		<javac srcdir="${src}" destdir="${build}" source="${src.version}" target="${src.version}" includeantruntime="false" debug="true" encoding="UTF-8">
 			<compilerarg value="-Xlint:all"/>
 			<compilerarg value="-Xlint:-options"/> <!-- Otherwise fails with Java 8 -->
 			<compilerarg value="-Werror"/>
@@ -112,7 +106,7 @@
 		</javac>
 
 		<!-- Compile the java test code from ${test.src} into ${test.build} -->
-		<javac srcdir="${test.src}" destdir="${test.build}" source="${src.version}" target="${src.version}" includeantruntime="false" debug="${debug}" encoding="UTF-8">
+		<javac srcdir="${test.src}" destdir="${test.build}" source="${src.version}" target="${src.version}" includeantruntime="false" debug="true" encoding="UTF-8">
 			<compilerarg value="-Xlint:all"/>
 			<compilerarg value="-Xlint:-options"/> <!-- Otherwise fails with Java 8 -->
 			<compilerarg value="-Werror"/>
@@ -391,7 +385,7 @@
 	</target>
 
 
-	<target name="deploy-release-addons">
+	<target name="deploy-release-addons" depends="generate-help-jars">
 		<delete includeEmptyDirs="false">
 			<fileset dir="${src}/plugin" includes="*.zap" />
 		</delete>
@@ -401,7 +395,7 @@
 		<!--ant antfile="${zap.extensions.alpha.dir}/build/build.xml" target="deploy-release" inheritAll="false"/-->
 	</target>
 
-	<target name="deploy-weekly-addons">
+	<target name="deploy-weekly-addons" depends="generate-help-jars">
 		<delete includeEmptyDirs="false">
 			<fileset dir="${src}/plugin" includes="*.zap" />
 		</delete>
@@ -410,7 +404,7 @@
 		<ant antfile="${zap.extensions.alpha.dir}/build/build.xml" target="deploy-weekly" inheritAll="false"/>
 	</target>
 
-	<target name="deploy-all-addons">
+	<target name="deploy-all-addons" depends="generate-help-jars">
 		<delete includeEmptyDirs="false">
 			<fileset dir="${src}/plugin" includes="*.zap" />
 		</delete>
@@ -531,6 +525,12 @@
 			<data src="debian/zap" type="file">
 				<mapper type="perm" strip="1" prefix="/usr/bin" filemode="755"/>
 			</data>
+			<data src="debian/owasp-zap.desktop" type="file">
+				<mapper type="perm" strip="1" prefix="/usr/share/applications" filemode="644"/>
+			</data>
+			<data src="debian/zapicon.png" type="file">
+				<mapper type="perm" strip="1" prefix="/usr/share/icons/" filemode="644"/>
+			</data>
 			<!-- soft link /usr/bin/owasp-zap to /usr/bin/zap (requires jdeb 1.4 or so..) -->
 			<link name="/usr/bin/owasp-zap" target="/usr/bin/zap"/>
 		</deb>
@@ -547,6 +547,9 @@
 		<!-- Pull down the latest JRE in zap-libs-->
 		<get src="https://github.com/zaproxy/zap-libs/raw/master/files/jre/${app.jrearchive}" 
 			dest="${mac-skeleton}/${app.name}/Contents/PlugIns/${app.jrearchive}"/>
+
+		<!-- Make sure we have the latest icons -->
+		<copy file="${src}/resource/ZAP.icns" tofile="${mac-skeleton}/${app.name}/Contents/Resources/ZAP.icns"/>
 
 		<!-- New Mac housekeeping procedure, so that you don't delete your entire /Applications directory -->
 		<delete dir="${dist-mac}" includeEmptyDirs="true" followsymlinks="false" removeNotFollowedSymlinks="true" />
@@ -598,7 +601,7 @@
 					<arg value="-format" />
 					<arg value="UDBZ" />
 					<arg value="-megabytes" />
-					<arg value="300" />
+					<arg value="800" />
 					<arg value="-srcfolder" />
 					<arg file="${dist-mac}" />
 					<arg value="-volname" />
@@ -619,9 +622,6 @@
 				-->
 			</else>
 		</if>
-
-		<!-- New Mac housekeeping procedure, so that you don't delete your entire /Applications directory -->
-		<delete dir="${dist-mac}" includeEmptyDirs="true" followsymlinks="false" removeNotFollowedSymlinks="true" />
 	</target>
 
 	<!-- Package a date-stamped build -->
@@ -680,9 +680,6 @@
 		<property name="version" value="D-${yyyymmdd}" />
 		<echo message="Version is ${version}" />
 
-		<antcall target="generate-help-jars" />
-		<!-- Set to compile with debug information -->
-		<property name="javac.debug" value="true" />
 		<antcall target="dist" />
 		<!-- Overwrite the standard README with the weekly one -->
 		<delete file="${dist}/README" />

build/debian/control/control

@@ -5,6 +5,6 @@ Architecture: all
 Maintainer: Simon Bennetts <psiinon@gmail.com>
 Section: net
 Priority: extra
-Depends: openjdk-7-jre
+Depends: java8-runtime
 Homepage: https://github.com/zaproxy/zaproxy
 Description: OWASP Zed Attack Proxy -an easy to use tool for finding vulnerabilities in web applications.

build/debian/owasp-zap.desktop

@@ -0,0 +1,9 @@
+#!/usr/bin/env xdg-open
+[Desktop Entry]
+Version=1.0
+Type=Application
+Terminal=false
+TryExec=/usr/bin/zap
+Exec=/usr/bin/zap
+Name=OWASP ZAP
+Icon=/usr/share/icons/zapicon.png

build/docker/Dockerfile-bare

@@ -0,0 +1,37 @@
+# This dockerfile builds the zap stable release
+FROM alpine as builder
+
+WORKDIR /zap
+
+RUN apk add --no-cache curl wget xmlstarlet unzip
+
+# Download and expand the latest stable release 
+RUN curl -s https://raw.githubusercontent.com/zaproxy/zap-admin/master/ZapVersions.xml | xmlstarlet sel -t -v //url |grep -i Linux | wget --content-disposition -i - -O - | tar zxv && \
+    mv ZAP*/* . &&  \
+    rm -R ZAP* 
+
+FROM openjdk:8-jdk-alpine
+LABEL maintainer="psiinon@gmail.com"
+
+WORKDIR /zap
+COPY --from=builder /zap .
+COPY policies /home/zap/.ZAP/policies/
+
+RUN echo "http://dl-3.alpinelinux.org/alpine/edge/main" >> /etc/apk/repositories &&\
+    apk add --update --no-cache bash netcat-openbsd && \
+    adduser -h /home/zap -s /bin/bash zap -D zap && \
+    rm -rf /var/cache/apk/* && \
+    chown zap /zap && \
+    chgrp zap /zap && \
+    chown -R zap:zap /zap && \
+    chown -R zap:zap /home/zap/.ZAP/
+
+#Change to the zap user so things get done as the right person (apart from copy)
+USER zap
+
+ENV PATH $JAVA_HOME/bin:/zap/:$PATH
+ENV ZAP_PATH /zap/zap.sh
+ENV HOME /home/zap/
+ENV ZAP_PORT 8080
+
+HEALTHCHECK --retries=15 --interval=5s CMD nc -vz 127.0.0.1 $ZAP_PORT

build/docker/Dockerfile-live

@@ -1,6 +1,6 @@
 # This dockerfile builds a 'live' zap docker image using the latest files in the repos
 FROM ubuntu:16.04
-MAINTAINER Simon Bennetts "psiinon@gmail.com"
+LABEL maintainer="psiinon@gmail.com"
 
 RUN apt-get update && apt-get install -q -y --fix-missing \
 	make \
@@ -15,8 +15,6 @@ RUN apt-get update && apt-get install -q -y --fix-missing \
 	xmlstarlet \
 	unzip \
 	git \
-	x11vnc \
-	xvfb \
 	openbox \
 	xterm \
 	net-tools \
@@ -28,13 +26,10 @@ RUN apt-get update && apt-get install -q -y --fix-missing \
 	x11vnc && \
 	apt-get clean && \
 	rm -rf /var/lib/apt/lists/*  && \
-
-	pip install --upgrade pip && \
+
 	gem install zapr && \
-	pip install zapcli && \
-	# Install latest dev version of the python API
-	pip install https://github.com/zaproxy/zap-api-python/releases/download/0.0.9.dev1/python-owasp-zap-v2.4-0.0.9.dev1.tar.gz && \
-	useradd -d /home/zap -m -s /bin/bash zap && \ 
+	pip install --upgrade pip zapcli python-owasp-zap-v2.4 && \
+	useradd -d /home/zap -m -s /bin/bash zap && \
 	echo zap:zap | chpasswd && \
 	mkdir /zap  && \
 	chown zap /zap && \
@@ -54,11 +49,11 @@ ENV JAVA_HOME /usr/lib/jvm/java-8-openjdk-amd64/
 ENV PATH $JAVA_HOME/bin:/zap/:$PATH
 
 # Pull the ZAP repos
-RUN git clone https://github.com/zaproxy/zaproxy.git && \
-	git clone https://github.com/zaproxy/zap-extensions.git && \
-	git clone --branch beta https://github.com/zaproxy/zap-extensions.git zap-extensions_beta && \
-	git clone --branch alpha https://github.com/zaproxy/zap-extensions.git zap-extensions_alpha && \
-	git clone https://github.com/zaproxy/zap-core-help.git && \
+RUN git clone --depth 1 https://github.com/zaproxy/zaproxy.git && \
+	git clone --depth 1 https://github.com/zaproxy/zap-extensions.git && \
+	git clone --branch beta --depth 1 https://github.com/zaproxy/zap-extensions.git zap-extensions_beta && \
+	git clone --branch alpha --depth 1 https://github.com/zaproxy/zap-extensions.git zap-extensions_alpha && \
+	git clone --depth 1 https://github.com/zaproxy/zap-core-help.git && \
 	# Download the webdrivers
 	cd zap-extensions_beta && \
 	ant -f build/build.xml download-webdrivers && \
@@ -67,16 +62,22 @@ RUN git clone https://github.com/zaproxy/zaproxy.git && \
 	ant -f build/build.xml deploy-weekly-addons && \
 	ant -f build/build.xml day-stamped-release && \
 	cp -R /zap-src/zaproxy/build/zap/* /zap/ && \
-	rm -rf /zap-src/*
-
+	rm -rf /zap-src/* && \
+	cd /zap/ && \
+	curl -s -L https://bitbucket.org/meszarv/webswing/downloads/webswing-2.3-distribution.zip > webswing.zip && \
+	unzip webswing.zip && \
+	rm webswing.zip && \
+	touch AcceptedLicense
+
 ENV ZAP_PATH /zap/zap.sh
 # Default port for use with zapcli
 ENV ZAP_PORT 8080
 ENV HOME /home/zap/
 
-COPY zap-x.sh zap-baseline.py zap-webswing.sh /zap/ 
-COPY webswing.config /zap/webswing-2.3/ 
+COPY zap* /zap/
+COPY webswing.config /zap/webswing-2.3/
 COPY policies /home/zap/.ZAP_D/policies/
+COPY scripts /home/zap/.ZAP_D/scripts/
 COPY .xinitrc /home/zap/
 
 #Copy doesn't respect USER directives so we need to chown and to do that we need to be root
@@ -91,7 +92,8 @@ RUN chown zap:zap /zap/zap-x.sh && \
 	chmod a+x /home/zap/.xinitrc && \
 	chmod +x /zap/zap.sh && \
 	rm -rf /zap-src
-	
+
 WORKDIR /zap
-	
+
 USER zap
+HEALTHCHECK --retries=5 --interval=5s CMD zap-cli status