From: "Jonathan Armani" Subject: Re: security/zaproxy: Update to 2.17.0 To: "Kurt Miller" , ports@openbsd.org Date: Tue, 23 Dec 2025 20:13:09 +0100 ok @armani, two small optionnal comments/questions - is it safe to update the arguments while iterating over them? - Would't it be clearer to use ZAPDIR=${HOME}/.ZAP? Thanks ! On Tue, Dec 23, 2025, at 19:12, Kurt Miller wrote: > On Dec 23, 2025, at 8:12AM, Jonathan Armani wrote: >> >> Hi Kurt, >> >> Works fine on amd64 and diff looks ok, some comments: >> >> - Shouldn't it be ulimit -d instead of ulimit -m ? Wouldn't it be enough to always pick 1/2 datasize ? > > Yes on both. > >> - font are really pixelated, I raised that in my last mail: Dawt.useSystemAAFontSettings=on in launch script or should it be left as a user config to set in _JAVA_OPTIONS ? Maybe there is others options as well to improve these ? > > OK but lets use JDK_JAVA_OPTIONS and only if not set by user. > > Updated diff with those two changes, plus I moved away from sed > on the --jvmdebug parsing and added some missing quoting on JMEM > needed if .ZAP_JVM.properties had more then one argument in it. > > Thanks for the review. Look ok now? > > Index: Makefile > =================================================================== > RCS file: /cvs/ports/security/zaproxy/Makefile,v > diff -u -p -u -r1.14 Makefile > --- Makefile 27 Sep 2023 16:34:38 -0000 1.14 > +++ Makefile 23 Dec 2025 18:04:12 -0000 > @@ -1,12 +1,12 @@ > COMMENT = web application security tool > > -VERSION = 2.11.1 > +VERSION = 2.17.0 > DISTNAME = ZAP_${VERSION}_Linux > PKGNAME = zaproxy-${VERSION} > > CATEGORIES = security > > -HOMEPAGE = https://www.owasp.org/index.php/ZAP > +HOMEPAGE = https://www.zaproxy.org/ > > # Apache v2.0 License > PERMIT_PACKAGE = Yes 
> @@ -14,7 +14,7 @@ PERMIT_PACKAGE = Yes > SITES = https://github.com/zaproxy/zaproxy/releases/download/v${VERSION}/ > > MODULES = java > -MODJAVA_VER = 1.8+ > +MODJAVA_VER = 17+ > > RUN_DEPENDS = java/javaPathHelper > > Index: distinfo > =================================================================== > RCS file: /cvs/ports/security/zaproxy/distinfo,v > diff -u -p -u -r1.6 distinfo > --- distinfo 11 Dec 2021 10:09:54 -0000 1.6 > +++ distinfo 23 Dec 2025 18:04:12 -0000 > @@ -1,2 +1,2 @@ > -SHA256 (ZAP_2.11.1_Linux.tar.gz) = X4Nmblhj9PlOrFg5QvHE4V+cx7cwfQW8bOZUUmXGOCw= > -SIZE (ZAP_2.11.1_Linux.tar.gz) = 194801121 > +SHA256 (ZAP_2.17.0_Linux.tar.gz) = 7+eZqqNifbaDtD8AycIQrqC3XADMjwoPBDTRK7Pd3lo= > +SIZE (ZAP_2.17.0_Linux.tar.gz) = 243895361 > Index: files/zaproxy.sh > =================================================================== > RCS file: /cvs/ports/security/zaproxy/files/zaproxy.sh,v > diff -u -p -u -r1.1.1.1 zaproxy.sh > --- files/zaproxy.sh 7 Dec 2015 06:32:09 -0000 1.1.1.1 > +++ files/zaproxy.sh 23 Dec 2025 18:04:12 -0000 
> @@ -1,41 +1,62 @@ > #!/bin/sh > > DIRBASEZAP=${TRUEPREFIX}/share/zaproxy/ > -ZAP=${DIRBASEZAP}zap-${VERSION}.jar > - > +ZAPJAR=${DIRBASEZAP}zap-${VERSION}.jar > +ZAPDIR=~/.ZAP > JAVA_CMD=$(javaPathHelper -c zaproxy) > > -JVMPROPS="~/.ZAP/.ZAP_JVM.properties" > -if [ -f $JVMPROPS ]; then > +export > JDK_JAVA_OPTIONS=${JDK_JAVA_OPTIONS:--Dawt.useSystemAAFontSettings=on} > + > +for arg do > + case $arg in > + -Xmx*) > + # Overridden by the user > + JMEM=$arg > + ;; > + --jvmdebug*) > + JAVADEBUGPORT=${arg#--jvmdebug} > + JAVADEBUGPORT=${JAVADEBUGPORT#=} > + > + if [ -z "$JAVADEBUGPORT" ]; then > + JAVADEBUGPORT=1044 > + fi > + > + > JAVADEBUG="-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=127.0.0.1:$JAVADEBUGPORT" > + ;; > + -dir) > + shift > + ZAPDIR=$1 > + ;; > + *) > + # Put the (possibly modified) argument back at the end > + # of the list of arguments and shift off the first item. > + set -- "$@" "$arg" > + esac > + shift > +done > + > +JVMPROPS="${ZAPDIR}/.ZAP_JVM.properties" > + > +if [ -z "$JMEM" -a -f $JVMPROPS ]; then > # Local jvm properties file present > - JMEM=$(head -1 $JVMPROPS) > -else > - MEM=$(($(ulimit -m )/1024 )) > + JMEM="$(head -1 $JVMPROPS)" > + if [ ! -z "$JMEM" ]; then > + echo "Read custom JVM args from $JVMPROPS" > + fi > fi > > -if [ ! 
-z $JMEM ]; then > - echo "Using jvm memory setting from " ~/.ZAP_JVM.properties > -elif [ -z $MEM ]; then > - echo "Failed to obtain current memory, using jvm default memory settings" > -else > - echo "Available memory: " $MEM "MB" > - if [ $MEM -gt 1500 ]; then > - JMEM="-Xmx512m" > - else > - if [ $MEM -gt 900 ] ; then > - JMEM="-Xmx256m" > - else > - if [ $MEM -gt 512 ] ; then > - JMEM="-Xmx128m" > - fi > - fi > - fi > +if [ -z "$JMEM" ]; then > + # Default java memory setting > + # 1/2 of the datasize ulimit > + JMEM="-Xmx$(($(ulimit -d)/1024/2 ))m" > fi > > -if [ -n "$JMEM" ] > +echo "Using JVM args: $JMEM" > + > +if [ -n "$JAVADEBUG" ] > then > - echo "Setting jvm heap size: $JMEM" > + echo "Setting debug: $JAVADEBUG" > fi > > cd ${DIRBASEZAP} > -exec ${JAVA_CMD} ${JMEM} -jar "${ZAP}" -dir ~/.ZAP/ -installdir > ${DIRBASEZAP} "$@" > +exec ${JAVA_CMD} ${JMEM} ${JAVADEBUG} -jar "${ZAPJAR}" -dir ${ZAPDIR} > -installdir ${DIRBASEZAP} "$@" > Index: pkg/PLIST > =================================================================== > RCS file: /cvs/ports/security/zaproxy/pkg/PLIST,v > diff -u -p -u -r1.7 PLIST > --- pkg/PLIST 11 Mar 2022 19:54:10 -0000 1.7 > +++ pkg/PLIST 23 Dec 2025 18:04:12 -0000 
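Review bot: Now that `ZAPDIR` can come from a user-supplied `-dir` argument, the unquoted expansions of `$JVMPROPS` and `${ZAPDIR}` in the new properties check and on the final `exec` line are subject to word splitting and globbing. A directory name containing a space or a glob character makes the `[ -z "$JMEM" -a -f $JVMPROPS ]` test fail with a syntax error and reaches ZAP as several separate arguments. Quote the path wherever it is used: `if [ -z "$JMEM" ] && [ -f "$JVMPROPS" ]; then`, `JMEM=$(head -1 "$JVMPROPS")`, and `-dir "${ZAPDIR}"` on the `exec` line. Splitting the test into two `[ ]` commands also avoids the ambiguous `-a` operator. `${JMEM}` and `${JAVADEBUG}` can stay unquoted on the `exec` line, since the script relies on splitting them into separate JVM options.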
> @@ -53,87 +53,38 @@ share/zaproxy/lang/Messages_ur_PK.proper > share/zaproxy/lang/Messages_vi_VN.properties > share/zaproxy/lang/Messages_yo_NG.properties > share/zaproxy/lang/Messages_zh_CN.properties > -share/zaproxy/lang/vulnerabilities.xml > -share/zaproxy/lang/vulnerabilities_ar_SA.xml > -share/zaproxy/lang/vulnerabilities_az_AZ.xml > -share/zaproxy/lang/vulnerabilities_bn_BD.xml > -share/zaproxy/lang/vulnerabilities_bs_BA.xml > -share/zaproxy/lang/vulnerabilities_ceb_PH.xml > -share/zaproxy/lang/vulnerabilities_da_DK.xml > -share/zaproxy/lang/vulnerabilities_de_DE.xml > -share/zaproxy/lang/vulnerabilities_el_GR.xml > -share/zaproxy/lang/vulnerabilities_es_ES.xml > -share/zaproxy/lang/vulnerabilities_fa_IR.xml > -share/zaproxy/lang/vulnerabilities_fil_PH.xml > -share/zaproxy/lang/vulnerabilities_fr_FR.xml > -share/zaproxy/lang/vulnerabilities_ha_HG.xml > -share/zaproxy/lang/vulnerabilities_he_IL.xml > -share/zaproxy/lang/vulnerabilities_hi_IN.xml > -share/zaproxy/lang/vulnerabilities_hr_HR.xml > -share/zaproxy/lang/vulnerabilities_hu_HU.xml > -share/zaproxy/lang/vulnerabilities_id_ID.xml > -share/zaproxy/lang/vulnerabilities_it_IT.xml > -share/zaproxy/lang/vulnerabilities_ja_JP.xml > -share/zaproxy/lang/vulnerabilities_ko_KR.xml > -share/zaproxy/lang/vulnerabilities_mk_MK.xml > -share/zaproxy/lang/vulnerabilities_ms_MY.xml > -share/zaproxy/lang/vulnerabilities_nb_NO.xml > -share/zaproxy/lang/vulnerabilities_nl_NL.xml > -share/zaproxy/lang/vulnerabilities_pcm_NG.xml > -share/zaproxy/lang/vulnerabilities_pl_PL.xml > -share/zaproxy/lang/vulnerabilities_pt_BR.xml > -share/zaproxy/lang/vulnerabilities_pt_PT.xml > -share/zaproxy/lang/vulnerabilities_ro_RO.xml > -share/zaproxy/lang/vulnerabilities_ru_RU.xml > -share/zaproxy/lang/vulnerabilities_si_LK.xml > -share/zaproxy/lang/vulnerabilities_sk_SK.xml > -share/zaproxy/lang/vulnerabilities_sl_SI.xml > -share/zaproxy/lang/vulnerabilities_sq_AL.xml > -share/zaproxy/lang/vulnerabilities_sr_CS.xml > 
-share/zaproxy/lang/vulnerabilities_sr_SP.xml > -share/zaproxy/lang/vulnerabilities_tr_TR.xml > -share/zaproxy/lang/vulnerabilities_uk_UA.xml > -share/zaproxy/lang/vulnerabilities_ur_PK.xml > -share/zaproxy/lang/vulnerabilities_vi_VN.xml > -share/zaproxy/lang/vulnerabilities_yo_NG.xml > -share/zaproxy/lang/vulnerabilities_zh_CN.xml > +share/zaproxy/lang/Messages_zh_TW.properties > share/zaproxy/lib/ > -share/zaproxy/lib/bcmail-jdk15on-1.68.jar > -share/zaproxy/lib/bcpkix-jdk15on-1.68.jar > -share/zaproxy/lib/bcprov-jdk15on-1.68.jar > -share/zaproxy/lib/commons-beanutils-1.9.4.jar > -share/zaproxy/lib/commons-codec-1.15.jar > +share/zaproxy/lib/commons-beanutils-1.11.0.jar > +share/zaproxy/lib/commons-codec-1.20.0.jar > share/zaproxy/lib/commons-collections-3.2.2.jar > share/zaproxy/lib/commons-configuration-1.10.jar > -share/zaproxy/lib/commons-csv-1.8.jar > -share/zaproxy/lib/commons-digester-2.1.jar > +share/zaproxy/lib/commons-csv-1.14.1.jar > share/zaproxy/lib/commons-httpclient-3.1.jar > -share/zaproxy/lib/commons-io-2.11.0.jar > -share/zaproxy/lib/commons-jxpath-1.3.jar > +share/zaproxy/lib/commons-io-2.21.0.jar > share/zaproxy/lib/commons-lang-2.6.jar > -share/zaproxy/lib/commons-lang3-3.12.0.jar > -share/zaproxy/lib/commons-logging-1.2.jar > -share/zaproxy/lib/commons-text-1.9.jar > -share/zaproxy/lib/commons-validator-1.7.jar > +share/zaproxy/lib/commons-lang3-3.19.0.jar > +share/zaproxy/lib/commons-logging-1.3.5.jar > +share/zaproxy/lib/commons-text-1.14.0.jar > share/zaproxy/lib/ezmorph-1.0.6.jar > -share/zaproxy/lib/flatlaf-1.6.jar > +share/zaproxy/lib/flatlaf-3.7.jar > +share/zaproxy/lib/flatlaf-swingx-3.7.jar > share/zaproxy/lib/harlib-1.1.3.jar > -share/zaproxy/lib/hsqldb-2.5.2.jar > -share/zaproxy/lib/ice4j-3.0-24-g34c2ce5.jar > +share/zaproxy/lib/hsqldb-2.7.4.jar > share/zaproxy/lib/jackson-core-asl-1.9.13.jar > -share/zaproxy/lib/java-semver-0.9.0.jar > +share/zaproxy/lib/java-semver-0.10.2.jar > share/zaproxy/lib/javahelp-2.0.05.jar > 
share/zaproxy/lib/jericho-html-3.4.jar > -share/zaproxy/lib/jfreechart-1.5.3.jar > -share/zaproxy/lib/jgrapht-core-0.9.0.jar > +share/zaproxy/lib/jfreechart-1.5.6.jar > +share/zaproxy/lib/jgrapht-core-0.9.2.jar > share/zaproxy/lib/json-lib-2.4-jdk15.jar > -share/zaproxy/lib/log4j-1.2-api-2.15.0.jar > -share/zaproxy/lib/log4j-api-2.15.0.jar > -share/zaproxy/lib/log4j-core-2.15.0.jar > -share/zaproxy/lib/rsyntaxtextarea-3.1.3.jar > -share/zaproxy/lib/sqlite-jdbc-3.36.0.1.jar > +share/zaproxy/lib/log4j-1.2-api-2.25.2.jar > +share/zaproxy/lib/log4j-api-2.25.2.jar > +share/zaproxy/lib/log4j-core-2.25.2.jar > +share/zaproxy/lib/log4j-jul-2.25.2.jar > +share/zaproxy/lib/rsyntaxtextarea-3.6.0.jar > share/zaproxy/lib/swingx-all-1.6.5-1.jar > -share/zaproxy/lib/xom-1.3.7.jar > +share/zaproxy/lib/xom-1.3.9.jar > share/zaproxy/license/ > share/zaproxy/license/ApacheLicense-2.0.txt > share/zaproxy/license/COPYING 
> @@ -147,82 +98,59 @@ share/zaproxy/license/hypersonic_lic.txt > share/zaproxy/license/lgpl-3.0.txt > share/zaproxy/plugin/ > share/zaproxy/plugin/Readme.txt > -share/zaproxy/plugin/alertFilters-release-13.zap > -share/zaproxy/plugin/ascanrules-release-43.zap > -share/zaproxy/plugin/automation-alpha-0.9.0.zap > -share/zaproxy/plugin/bruteforce-beta-11.zap > -share/zaproxy/plugin/callhome-alpha-0.0.3.zap > -share/zaproxy/plugin/commonlib-release-1.6.0.zap > -share/zaproxy/plugin/diff-beta-11.zap > -share/zaproxy/plugin/directorylistv1-release-5.zap > -share/zaproxy/plugin/domxss-beta-12.zap > -share/zaproxy/plugin/encoder-beta-0.6.0.zap > -share/zaproxy/plugin/formhandler-beta-4.zap > -share/zaproxy/plugin/fuzz-beta-13.5.0.zap > -share/zaproxy/plugin/gettingStarted-release-13.zap > -share/zaproxy/plugin/graaljs-alpha-0.2.0.zap > -share/zaproxy/plugin/graphql-alpha-0.7.0.zap > -share/zaproxy/plugin/help-release-14.zap > -share/zaproxy/plugin/hud-beta-0.13.0.zap > -share/zaproxy/plugin/importurls-beta-8.zap > -share/zaproxy/plugin/invoke-beta-11.zap > -share/zaproxy/plugin/network-alpha-0.0.1.zap > -share/zaproxy/plugin/oast-alpha-0.6.0.zap > -share/zaproxy/plugin/onlineMenu-release-9.zap > -share/zaproxy/plugin/openapi-beta-24.zap > -share/zaproxy/plugin/pscanrules-release-37.zap > -share/zaproxy/plugin/quickstart-release-32.zap > -share/zaproxy/plugin/replacer-beta-9.zap > -share/zaproxy/plugin/reports-release-0.10.0.zap > -share/zaproxy/plugin/retest-alpha-0.2.0.zap > -share/zaproxy/plugin/retire-release-0.9.0.zap > -share/zaproxy/plugin/reveal-release-4.zap > -share/zaproxy/plugin/saverawmessage-release-6.zap > -share/zaproxy/plugin/savexmlmessage-alpha-0.2.0.zap > -share/zaproxy/plugin/scripts-beta-29.zap > -share/zaproxy/plugin/selenium-release-15.5.1.zap > -share/zaproxy/plugin/soap-alpha-12.zap > -share/zaproxy/plugin/spiderAjax-release-23.7.0.zap > -share/zaproxy/plugin/tips-beta-9.zap > -share/zaproxy/plugin/webdriverlinux-release-33.zap > 
-share/zaproxy/plugin/websocket-release-24.zap > -share/zaproxy/plugin/zest-beta-35.zap > -share/zaproxy/scripts/ > -share/zaproxy/scripts/templates/ > -share/zaproxy/scripts/templates/active/ > -share/zaproxy/scripts/templates/active/Active default template.js > -share/zaproxy/scripts/templates/authentication/ > -share/zaproxy/scripts/templates/authentication/Authentication default > template.js > -share/zaproxy/scripts/templates/authentication/BodgeIt Store > Authentication.js > -share/zaproxy/scripts/templates/authentication/Simple Form-Based > Authentication.js > -share/zaproxy/scripts/templates/authentication/Wordpress > Authentication.js > -share/zaproxy/scripts/templates/httpsender/ > -share/zaproxy/scripts/templates/httpsender/AddZapHeader.js > -share/zaproxy/scripts/templates/httpsender/HttpSender default > template.js > -share/zaproxy/scripts/templates/passive/ > -share/zaproxy/scripts/templates/passive/Passive default template.js > -share/zaproxy/scripts/templates/proxy/ > -share/zaproxy/scripts/templates/proxy/Proxy default template.js > -share/zaproxy/scripts/templates/session/ > -share/zaproxy/scripts/templates/session/Juice Shop Session > Management.js > -share/zaproxy/scripts/templates/session/Session Management default > template.js > -share/zaproxy/scripts/templates/standalone/ > -share/zaproxy/scripts/templates/standalone/Loop through history > table.js > -share/zaproxy/scripts/templates/standalone/Standalone default > template.js > -share/zaproxy/scripts/templates/standalone/Traverse sites tree.js > -share/zaproxy/scripts/templates/targeted/ > -share/zaproxy/scripts/templates/targeted/Find HTML comments.js > -share/zaproxy/scripts/templates/targeted/Targeted default template.js > -share/zaproxy/scripts/templates/variant/ > -share/zaproxy/scripts/templates/variant/Input Vector default > template.js > -share/zaproxy/scripts/templates/variant/Site modifying JSON example.js > +share/zaproxy/plugin/alertFilters-release-26.zap > 
+share/zaproxy/plugin/ascanrules-release-78.zap > +share/zaproxy/plugin/authhelper-beta-0.34.0.zap > +share/zaproxy/plugin/automation-beta-0.58.0.zap > +share/zaproxy/plugin/bruteforce-beta-20.zap > +share/zaproxy/plugin/callhome-release-0.20.0.zap > +share/zaproxy/plugin/client-alpha-0.20.0.zap > +share/zaproxy/plugin/commonlib-release-1.39.0.zap > +share/zaproxy/plugin/database-alpha-0.9.0.zap > +share/zaproxy/plugin/diff-beta-18.zap > +share/zaproxy/plugin/directorylistv1-release-9.zap > +share/zaproxy/plugin/domxss-release-23.zap > +share/zaproxy/plugin/encoder-release-1.8.0.zap > +share/zaproxy/plugin/exim-beta-0.16.0.zap > +share/zaproxy/plugin/formhandler-beta-6.8.0.zap > +share/zaproxy/plugin/fuzz-beta-13.16.0.zap > +share/zaproxy/plugin/gettingStarted-release-20.zap > +share/zaproxy/plugin/graaljs-alpha-0.12.0.zap > +share/zaproxy/plugin/graphql-alpha-0.29.0.zap > +share/zaproxy/plugin/help-release-22.zap > +share/zaproxy/plugin/hud-beta-0.19.0.zap > +share/zaproxy/plugin/insights-alpha-0.0.1.zap > +share/zaproxy/plugin/invoke-beta-17.zap > +share/zaproxy/plugin/network-beta-0.25.0.zap > +share/zaproxy/plugin/oast-beta-0.24.0.zap > +share/zaproxy/plugin/onlineMenu-release-15.zap > +share/zaproxy/plugin/openapi-beta-48.zap > +share/zaproxy/plugin/postman-alpha-0.9.0.zap > +share/zaproxy/plugin/pscan-alpha-0.6.0.zap > +share/zaproxy/plugin/pscanrules-release-70.zap > +share/zaproxy/plugin/quickstart-release-53.zap > +share/zaproxy/plugin/replacer-release-21.zap > +share/zaproxy/plugin/reports-release-0.43.0.zap > +share/zaproxy/plugin/requester-beta-7.9.0.zap > +share/zaproxy/plugin/retest-alpha-0.11.0.zap > +share/zaproxy/plugin/retire-release-0.52.0.zap > +share/zaproxy/plugin/reveal-release-10.zap > +share/zaproxy/plugin/scanpolicies-alpha-0.7.0.zap > +share/zaproxy/plugin/scripts-release-45.17.0.zap > +share/zaproxy/plugin/selenium-release-15.43.0.zap > +share/zaproxy/plugin/sequence-beta-9.zap > +share/zaproxy/plugin/soap-beta-29.zap > 
+share/zaproxy/plugin/spider-release-0.18.0.zap > +share/zaproxy/plugin/spiderAjax-release-23.29.0.zap > +share/zaproxy/plugin/tips-beta-16.zap > +share/zaproxy/plugin/webdriverlinux-release-169.zap > +share/zaproxy/plugin/websocket-release-35.zap > +share/zaproxy/plugin/zest-beta-48.11.0.zap > share/zaproxy/xml/ > -share/zaproxy/xml/common-user-agents.txt > share/zaproxy/xml/config.xml > share/zaproxy/xml/drivers.dtd > -share/zaproxy/xml/drivers.xml > share/zaproxy/xml/reportCompare.xsl > share/zaproxy/zap-${VERSION}.jar > -share/zaproxy/zap.bat > +@comment share/zaproxy/zap.bat > share/zaproxy/zap.ico > -share/zaproxy/zap.sh > +@comment share/zaproxy/zap.sh