ZAP Custom Reporting Plugin


ryerson...@gmail.com

Feb 5, 2016, 2:49:30 PM
to OWASP ZAP Developer Group
Hello everyone,

I have started working on a custom reporting plugin for ZAP to add more specific features that I require. I was wondering if anyone had any requests as to what they would like to see?

Things already on the list are as follows
  1. Custom Title
  2. Short Desc
  3. Date that the active scan was run (Is this stored anywhere, or would this be a feature request? If not, this could be part of the context as an informational: "Last scanned by active scan on")
  4. Date that the report was generated on
  5. ZAP version that the active scan was run on (Is this stored anywhere? If not, this could be part of the context as an informational: "Last scanned by active scan on")
  6. ZAP version that the report was generated on
  7. Export to JSON
  8. Export to PDF
  9. Bootstrap enabled HTML
  10. Inclusion of request header, response header
  11. Inclusion of request body and response body
  12. Separate or combine alerts by host
If 3 and 5 exist somewhere, could you please let me know how to retrieve them? My goal is to get this done by early next week.

Things I excluded from doing due to time constraints and limitations
  1. Generate reports by context; a custom report will be generated for all alerts. It is up to the user to maintain one context per session if they want a report associated with that context.
  2. Generate by active scan; this could be useful, but currently active scans are not stored as part of the session and I'm not sure if the alerts are associated with the active scan in any way.

Cheers, Goran.

ryerson...@gmail.com

Feb 5, 2016, 3:03:29 PM
to OWASP ZAP Developer Group
I was informed that there is an alpha Custom Report tool already, but it crashes for me and I prefer to start from scratch rather than fixing someone else's code :)

ryerson...@gmail.com

Feb 9, 2016, 12:23:08 PM
to OWASP ZAP Developer Group
In relation to the custom report that already exists:

2016-02-09 12:19:21,372 [Thread-13] INFO  ExtensionAutoUpdate - Installing new addon customreport v1
2016-02-09 12:19:40,084 [AWT-EventQueue-0] ERROR ReportLastScan - 
java.lang.NullPointerException
at org.zaproxy.zap.extension.customreport.ReportParser.selectExpectedAlerts(ReportParser.java:70)
at org.zaproxy.zap.extension.customreport.ReportLastScan.generate(ReportLastScan.java:91)
at org.zaproxy.zap.extension.customreport.ReportLastScan.generateReport(ReportLastScan.java:243)
at org.zaproxy.zap.extension.customreport.ExtensionCustomReport.generateReport(ExtensionCustomReport.java:126)
at org.zaproxy.zap.extension.customreport.OptionDialog$2.actionPerformed(OptionDialog.java:78)
at javax.swing.AbstractButton.fireActionPerformed(Unknown Source)
at javax.swing.AbstractButton$Handler.actionPerformed(Unknown Source)
at javax.swing.DefaultButtonModel.fireActionPerformed(Unknown Source)
at javax.swing.DefaultButtonModel.setPressed(Unknown Source)
at javax.swing.plaf.basic.BasicButtonListener.mouseReleased(Unknown Source)
at java.awt.Component.processMouseEvent(Unknown Source)
at javax.swing.JComponent.processMouseEvent(Unknown Source)
at java.awt.Component.processEvent(Unknown Source)
at java.awt.Container.processEvent(Unknown Source)
at java.awt.Component.dispatchEventImpl(Unknown Source)
at java.awt.Container.dispatchEventImpl(Unknown Source)
at java.awt.Component.dispatchEvent(Unknown Source)
at java.awt.LightweightDispatcher.retargetMouseEvent(Unknown Source)
at java.awt.LightweightDispatcher.processMouseEvent(Unknown Source)
at java.awt.LightweightDispatcher.dispatchEvent(Unknown Source)
at java.awt.Container.dispatchEventImpl(Unknown Source)
at java.awt.Window.dispatchEventImpl(Unknown Source)
at java.awt.Component.dispatchEvent(Unknown Source)
at java.awt.EventQueue.dispatchEventImpl(Unknown Source)
at java.awt.EventQueue.access$500(Unknown Source)
at java.awt.EventQueue$3.run(Unknown Source)
at java.awt.EventQueue$3.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(Unknown Source)
at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(Unknown Source)
at java.awt.EventQueue$4.run(Unknown Source)
at java.awt.EventQueue$4.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(Unknown Source)
at java.awt.EventQueue.dispatchEvent(Unknown Source)
at java.awt.EventDispatchThread.pumpOneEventForFilters(Unknown Source)
at java.awt.EventDispatchThread.pumpEventsForFilter(Unknown Source)
at java.awt.EventDispatchThread.pumpEventsForHierarchy(Unknown Source)
at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
at java.awt.EventDispatchThread.run(Unknown Source)

This is the requested log message; I'm not sure what to make of it myself. At the same time, I wouldn't mind updating the custom report tool that already exists, but I'm not sure if I need permission from the original author?

kingthorin+owaspzap

Feb 9, 2016, 7:49:26 PM
to OWASP ZAP Developer Group
I can't speak to the error. As far as modding the existing addon I think that's perfectly fine. The code is in the project repo so it's there for anyone to enhance.

thc...@gmail.com

Feb 10, 2016, 3:56:33 AM
to zaproxy...@googlegroups.com
+1 :)

Also, we already have 4 add-ons that create reports...
It's usually better to enhance the existing add-ons than to create one from scratch.

Best regards.

thc...@gmail.com

Feb 10, 2016, 4:00:27 AM
to zaproxy...@googlegroups.com
That error happens because the report was not successfully parsed...
You should have another stack trace in the console with the real reason for the issue.

If you are able to reproduce the issue you should check the output to
see what it says.

If you want to fix/improve the current code, it needs to be changed to log the error instead of printing the stack trace, and not attempt to use the Document if it failed to create it. It should also warn the user in case of failure to create the report (instead of silently failing).

Best regards.

johanna curiel curiel

Feb 10, 2016, 7:24:09 AM
to zaproxy...@googlegroups.com
A little old, but in 2013 we explored developing an add-on to create nice reports with BIRT.


It definitely needs some update given the latest ZAP developments but the way of programming is quite the same

cheers

Johanna


ryerson...@gmail.com

Feb 18, 2016, 4:01:02 PM
to OWASP ZAP Developer Group
My plugin is 80% complete.

  1. Done
  2. Done
  3. Placeholder
  4. Done
  5. Placeholder
  6. done
  7. Done
  8. PDF Export - Working this out still to make it more user friendly
  9. Done, but not sure where to put the bootstrap folder?
  10. Done, need to test this a bit more; getting null pointer exceptions myself sometimes
  11. Done, need to test this a bit more; getting null pointer exceptions myself sometimes
  12. Done
ZAP-related things to do are
  1. languages, is Google Translate good enough for this? :)
  2. commenting, documentation and some more testing and putting in a bit of error handling.
Sorry, this is a little delayed, work keeping me busy! 

@thc202 I went ahead and made my own, even if it's not used. I learned a lot about how to create a plugin for ZAP.
@johanna curiel The JSON export is really something I needed, and not just PDF. I'll look into using BIRT for creating the PDF, but I found a Java PDF creator API that will let me create tables, links, etc., which is something I really want from a PDF report: the ability to go from the table of contents to the alert directly and not scroll.

I'll update this as soon as it's ready as an alpha for use.

Cheers, Goran.

thc...@gmail.com

Feb 25, 2016, 2:03:21 PM
to zaproxy...@googlegroups.com
Answering older questions ;)

> 3. Placeholder
> 5. Placeholder

ZAP does not save that information at the moment.

> 1. languages, is google translate good enough for this? :)

Normally, you just need to provide the default language (English). The
file(s) are then uploaded to Crowdin [1] [2] for translation into other
languages.


[1] https://crowdin.com/project/owasp-zap
[2] https://crowdin.com/project/owasp-zap-help

Best regards.


ryerson...@gmail.com

Feb 25, 2016, 3:37:44 PM
to OWASP ZAP Developer Group
Thank you for the help!

Two sample screenshots


All the core functionality is there. Making sure it is now using the Messages.properties file and trying to debug a few null pointer exceptions I'm getting. I'll try to finish the PDF as well, but I want to make sure all the rest works before I make this a priority.

The fact i don't have to worry about translations is a load off my mind :)

ryerson...@gmail.com

Feb 26, 2016, 12:08:48 PM
to OWASP ZAP Developer Group
I have a bug.

I build with the ant file, I compile ZAP, I press Ctrl+L and install the add-on.

I use it once or close it and I can't open it a second time; I have to uninstall and then reinstall. Has anyone encountered this issue before?

kingthorin+owaspzap

Feb 26, 2016, 1:57:11 PM
to OWASP ZAP Developer Group
You use what once and close it?

ryerson...@gmail.com

Feb 26, 2016, 2:30:49 PM
to OWASP ZAP Developer Group
The plugin I created.

I go to the menu, click on the menu item and the plugin starts. After it finishes, nothing happens when I click on the menu item again. There is no error message; no exception is thrown.

ryerson...@gmail.com

Feb 26, 2016, 7:29:13 PM
to OWASP ZAP Developer Group
One additional question:

menuExportReport = new ZapMenuItem("what goes here, where do i define it?");

Thanks!

thc...@gmail.com

Feb 26, 2016, 8:02:17 PM
to zaproxy...@googlegroups.com
Looks nice :)

You could try post the stack trace of the exceptions ;)

Best regards.

thc...@gmail.com

Feb 26, 2016, 8:03:20 PM
to zaproxy...@googlegroups.com
https://groups.google.com/d/msg/zaproxy-develop/2qpDnTfH164/UGf4s1QTDAAJ


P.S. I'll update the JavaDoc of the constructor.

Best regards.


thc...@gmail.com

Feb 26, 2016, 8:03:37 PM
to zaproxy...@googlegroups.com
Some questions:

Are all add-on components (extension, files...) correctly declared in
the ZapAddOn.xml file?

Is the add-on shown as installed in the "Manage Add-ons" dialogue and
the extension (or extensions) being loaded after opening ZAP a second time?

Best regards.

ryerson...@gmail.com

Feb 27, 2016, 3:27:56 PM
to OWASP ZAP Developer Group
Are all add-on components (extension, files...) correctly declared in the ZapAddOn.xml file?


I think so, I just copy-pasted and modified the example provided.

<zapaddon>
    <name>exportReport</name>
    <version>1</version>
    <status>alpha</status>
    <description>New report module that allows users to customize content and the type of report.</description>
    <author>Goran Sarenkapa</author>
    <url></url>
    <changes>First version</changes>
    <extensions>
        <extension>org.zaproxy.zap.extension.exportReport.ExtensionExportReport</extension>
    </extensions>
    <ascanrules/>
    <pscanrules/>
    <filters/>
    <files>
        <file>images/open.png</file>
    </files>
    <not-before-version>2.4.0</not-before-version>
    <not-from-version></not-from-version>
</zapaddon>


Is the add-on shown as installed in the "Manage Add-ons" dialogue and the extension (or extensions) being loaded after opening ZAP a second time?

Yes, it shows in "Manage Add-ons" the second time, but it disappears from the Report menu as an option!

Report
  • Export to HTML. . .
  • Export to XML. . .
  • Export Report. . . (missing on opening ZAP a second time)

ryerson...@gmail.com

Feb 28, 2016, 1:05:49 AM
to OWASP ZAP Developer Group
Also a little bit of a cosmetic question but the workflow is paging, so you go through each page till you hit the finish button.

Option 1) Right now the workflow is

Source -> Destination -> Alerts -> Details -> Finish and save report to specified params in Destination

Destination is this step: http://prnt.sc/a8vx24 Here you can specify the filename, type and the directory where you want to save it.



Option 2) On the other hand, i also changed the workflow a little to be

Source -> Alerts -> Details -> Finish and open FileChooser, then save report: http://prnt.sc/a8vx3o


This is a trivial thing, but I was wondering which you felt was better from a UI point of view. I was leaning towards Option 2; easier to maintain down the line in the event of new additions as well. I'm also delaying the release a little bit till I get the previously mentioned bug resolved, and I decided to try and generate a Google Doc report as well (not sure if anyone else did this) which can be shared into Drive :)

Right now, the goal is 6 different report export types. I got 3 working without any bugs. PDF, Google Doc and Bootstrap still have some issues to resolve.

Cheers!

ryerson...@gmail.com

Feb 28, 2016, 1:47:06 AM
to OWASP ZAP Developer Group
Also related to my issue with my menu item disappearing, I managed to find this error:

17720 [SwingWorker-pool-1-thread-1] INFO org.parosproxy.paros.extension.ExtensionLoader  - ExtensionHook is null for "org.zaproxy.zap.extension.exportReport.ExtensionExportReport" the hooked objects will not be automatically removed.

thc...@gmail.com

Feb 29, 2016, 3:16:10 AM
to zaproxy...@googlegroups.com
You need to/should call the base method when overriding
ExtensionAdaptor.hook(ExtensionHook).

Best regards.

thc...@gmail.com

Feb 29, 2016, 3:16:19 AM
to zaproxy...@googlegroups.com
Yeah, option 2 seems better.

Best regards.


thc...@gmail.com

Feb 29, 2016, 3:16:34 AM
to zaproxy...@googlegroups.com
OK.

In which method (and how) are you adding the menu item?

Best regards.


ryerson...@gmail.com

Feb 29, 2016, 7:47:31 PM
to OWASP ZAP Developer Group
The class is here: http://pastebin.com/Bd1juB79 (available for 24 hours for download)

I add it all under the "Report" Menu as an item. It breaks on 2nd attempt of use and has to be reinstalled. I can post some of the other classes as well if that will help. Thanks for taking a look :)

I really should create a Git profile so I can just upload what I have so far, even if it's a little buggy. I'm getting a little overzealous with this; I keep adding onto the requirements, like a Google Doc export. I'll probably finish the current stuff and add the rest to a to-do list for the future.

ryerson...@gmail.com

Mar 1, 2016, 2:52:25 PM
to OWASP ZAP Developer Group
@thc202 Hi, I have attached the Java file where the hooks are. Thank you for taking a look :)

To anyone interested: there is also an attached output.html which shows the redone report. If there is anything else you'd like to see in it, please let me know. The sample shows everything, but you can also include or exclude by risk severity (High, Medium, Low, Info) as well as details (cweid, wasid, description, otherinfo, solution, reference, request and response bodies and headers). If there is anything else you'd like to see in the include or exclusion, let me know.

For now, I'm not going to remove individual alerts; it's a to-do. The code is already there for it.
ExtensionExportReport.java
output.html

ryerson...@gmail.com

Mar 2, 2016, 1:01:54 PM
to OWASP ZAP Developer Group
8. Export to PDF is on hold; adding an Export to Google Docs instead.

Reasoning: more useful in a group environment; can add fields such as suggestions, comments, etc. which others can view and edit on a shared drive to track issues :)

thc...@gmail.com

Mar 2, 2016, 7:39:26 PM
to zaproxy...@googlegroups.com
Hi.

I did take a look and save the code provided yesterday, the one with 24h
limit ;)

I fail to see any problem with the code provided, the menu should not
stop working when accessing it a 2nd time... although it really depends
on what the class FrameExportReport is doing.

Is the dialogue/frame calling the method (directly or indirectly)
ExtensionExportReport.emitFrame() in all cases?
For example, when the dialogue is closed? (i.e. through the window
decoration as opposed to the custom buttons.)



Report looks good :)


Best regards.


ryerson...@gmail.com

Mar 3, 2016, 1:14:00 PM
to OWASP ZAP Developer Group
I hate posting code when it is not complete, but let me trim it out and I'll post a working sample to illustrate the issue. :)

ryerson...@gmail.com

Mar 3, 2016, 2:47:19 PM
to OWASP ZAP Developer Group
Here is a link to the GitHub repo: https://github.com/JordanGS/workspace/tree/master/zap-extensions/src/org/zaproxy/zap/extension/exportReport. I should have done this sooner; easier to track my own issues as well.

The only error I get is:

3012 [ZAP-BootstrapGUI] ERROR org.parosproxy.paros.extension.ExtensionLoader  -
java.lang.NullPointerException
 at org.zaproxy.zap.extension.exportReport.ExtensionExportReport.getDescription(ExtensionExportReport.java:160)
 at org.parosproxy.paros.extension.ExtensionLoader.hookAllExtension(ExtensionLoader.java:660)
 at org.parosproxy.paros.extension.ExtensionLoader.startLifeCycle(ExtensionLoader.java:536)
 at org.parosproxy.paros.control.AbstractControl.loadExtension(AbstractControl.java:57)
 at org.parosproxy.paros.control.Control.init(Control.java:114)
 at org.parosproxy.paros.control.Control.initSingletonWithView(Control.java:286)
 at org.zaproxy.zap.GuiBootstrap.initControlAndPostViewInit(GuiBootstrap.java:200)
 at org.zaproxy.zap.GuiBootstrap.access$1(GuiBootstrap.java:199)
 at org.zaproxy.zap.GuiBootstrap$2.run(GuiBootstrap.java:144)
 at java.lang.Thread.run(Unknown Source)


The thing to note is that getDescription() attempts to get the value from a textfield/textarea. This happens to all of the components on the first panel. So I suspect the issue has to do with the FrameExportReport.java class and how I initialize the panels; something there ZAP doesn't like. I'm not sure what you mean by directly or indirectly.

There are only two ways to end the program: press the X in the top right corner, or proceed to the end and attempt to save a file. I have no handling for the X case other than the system default, and Finish goes to emitFrame! I should add the emit to the X close operation, but I haven't since I was just using Finish to go to the end.

thc...@gmail.com

Mar 6, 2016, 5:00:20 PM
to zaproxy...@googlegroups.com
Cloned your repo :)

Regarding the error, the method getDescription() overrides the one
defined by the ExtensionAdaptor class, that's called when the extension
is initialised during the startup process (it leads to a NPE because the
sourceCode was not yet initialised, which does not have to).
Best to use another name for that method ;)

I should have noticed that in the code provided before, but deleted that
code to remove the compilation errors... :/

> I'm not sure what you mean by directly or indirectly.

If it was being called in all cases, like in the finish and a
hypothetical cancel buttons.

With the NPE fixed the menu item works fine, consecutive invocations of
the menu show always the dialogue (as long it's closed using next/finish
buttons).

Best regards.

On 03/03/16 19:47, ryerson...@gmail.com wrote:
> Here it a link to the GitHub Repo
> <https://github.com/JordanGS/workspace/tree/master/zap-extensions/src/org/zaproxy/zap/extension/exportReport>.
> I should have done this sooner, easier to track my own issues as well.
>
> The only error i get is:
>
> |
> 3012[ZAP-BootstrapGUI]ERROR
> org.parosproxy.paros.extension.ExtensionLoader -
> java.lang.NullPointerException
> at
> org.zaproxy.zap.extension.exportReport.ExtensionExportReport.getDescription(ExtensionExportReport.java:160)
> at
> org.parosproxy.paros.extension.ExtensionLoader.hookAllExtension(ExtensionLoader.java:660)
> at
> org.parosproxy.paros.extension.ExtensionLoader.startLifeCycle(ExtensionLoader.java:536)
> at
> org.parosproxy.paros.control.AbstractControl.loadExtension(AbstractControl.java:57)
> at org.parosproxy.paros.control.Control.init(Control.java:114)
> at
> org.parosproxy.paros.control.Control.initSingletonWithView(Control.java:286)
> at
> org.zaproxy.zap.GuiBootstrap.initControlAndPostViewInit(GuiBootstrap.java:200)
> at org.zaproxy.zap.GuiBootstrap.access$1(GuiBootstrap.java:199)
> at org.zaproxy.zap.GuiBootstrap$2.run(GuiBootstrap.java:144)
> at java.lang.Thread.run(UnknownSource)
> |
>
>
> The thing to note is the *getDescription()*, attempts to get the value
> from a *textfield/textarea*. This happens to all of the components on
> the first panel. So i suspect the issue has to do with
> the* FrameExportReport.java *class and how i initialize the panels,
> something there ZAP doesn't like. I'm not sure what you mean by directly
> or indirectly.
>
> There are only two ways to end the program, press the *X *in the top
> right corner or proceed to the end and attempt to save a file. I have no
> handling for the *X* case other than the system default and
> *Finish* goes to emit frame! I should add the emit to the *X* close

ryerson...@gmail.com

Mar 8, 2016, 1:33:38 PM
to OWASP ZAP Developer Group
@thc202 WOW! Thank you :) Honestly, I never would have thought of that. I wish I didn't have to rename it, but oh well! Time to wrap up with documentation and testing!

ryerson...@gmail.com

Mar 8, 2016, 2:32:24 PM
to OWASP ZAP Developer Group
I'm actually a little bit confused now; an unexpected side effect is that my lists are getting re-populated twice and not just one time. This isn't an issue when it's stand-alone, but when run as a plugin it happens. Why would ZAP maintain the old list but re-add the elements? I fixed it by adding a clear before adding elements to the list, but I'm confused why it would keep the old data yet still append.

ryerson...@gmail.com

Mar 9, 2016, 12:22:01 AM
to OWASP ZAP Developer Group
Testing my report content, I found a bug with one of the built-in ZAP methods, unless there is an issue with my implementation.

import java.util.List;

import org.parosproxy.paros.core.scanner.Alert;
import org.parosproxy.paros.model.Model;
import org.parosproxy.paros.model.SiteMap;
import org.parosproxy.paros.model.SiteNode;
import org.zaproxy.zap.view.ScanPanel;

SiteMap siteMap = Model.getSingleton().getSession().getSiteTree();
SiteNode root = (SiteNode) siteMap.getRoot();
int siteNumber = root.getChildCount();

// One child of the root per site, e.g. "https://example.com:443"
for (int i = 0; i < siteNumber; i++) {
    SiteNode site = (SiteNode) root.getChildAt(i);
    // cleanSiteName(site, true) strips the scheme and keeps "host:port"
    String siteName = ScanPanel.cleanSiteName(site, true);
    String[] hostAndPort = siteName.split(":");
    boolean isSSL = site.getNodeName().startsWith("https");

    // Alerts attached to this site node
    List<Alert> alerts = site.getAlerts();
    Alerts a = new Alerts();   // the add-on's own report container class
    String temp = "";

    for (Alert alert : alerts) {
        // per-alert handling (cut off in the original post)
    }
}

The issue is that List<Alert> alerts = site.getAlerts(); does NOT retrieve all of the alerts; when I print them out and iterate through, there are some missing. I managed to trace it down: in this example I am looking at Path Traversal, a high-level alert. There are 14 in total, but the method only retrieves 10. The 4 missing have an Attack parameter of \

Can you please link me the package that generates the default XML/HTML code? I would very much like to look at it and compare.
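
The JSON export and per-host grouping from the first post's wish list (items 7, 10, 11 and 12), as an added example that is not the Export Report add-on's code and not from the ZAP project. It takes the alerts from the session's alert table through ExtensionAlert rather than walking the site tree with SiteNode.getAlerts() as in the snippet above, filters by risk, groups by host and writes the JSON by hand. Hand-written JSON is deliberate: the json-lib JSONObject bundled with ZAP re-parses string values that look like JSON, so a JSON response body would come back as a nested object instead of a string. The class and method names, and the choice to redact Authorization and Cookie headers before they land in a shareable report, are my assumptions.

```java
package org.zaproxy.zap.extension.exportReport;

import java.net.URI;
import java.net.URISyntaxException;
import java.util.ArrayList;
import java.util.Date;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.parosproxy.paros.Constant;
import org.parosproxy.paros.control.Control;
import org.parosproxy.paros.core.scanner.Alert;
import org.parosproxy.paros.network.HttpMessage;
import org.zaproxy.zap.extension.alert.ExtensionAlert;

/** Added example (not the add-on's code): alerts -> JSON, grouped by host, filtered by risk. */
public final class AlertJsonExporter {

    private final Set<Integer> risks;       // subset of Alert.RISK_INFO .. Alert.RISK_HIGH
    private final boolean includeHeaders;
    private final boolean includeBodies;
    private final boolean redactSecrets;    // reports get shared; keep credentials out of them

    public AlertJsonExporter(Set<Integer> risks, boolean headers, boolean bodies, boolean redact) {
        this.risks = risks;
        this.includeHeaders = headers;
        this.includeBodies = bodies;
        this.redactSecrets = redact;
    }

    // Every alert in the session's alert table, independent of the site tree.
    public static List<Alert> allAlerts() {
        ExtensionAlert ext = (ExtensionAlert) Control.getSingleton()
                .getExtensionLoader().getExtension(ExtensionAlert.NAME);
        return ext == null ? new ArrayList<Alert>() : ext.getAllAlerts();
    }

    public String export(List<Alert> alerts, String title) {
        Map<String, List<Alert>> byHost = new LinkedHashMap<String, List<Alert>>();
        for (Alert alert : alerts) {
            if (!risks.contains(alert.getRisk())) continue;   // severity filter
            String host = hostOf(alert.getUri());
            List<Alert> bucket = byHost.get(host);
            if (bucket == null) byHost.put(host, bucket = new ArrayList<Alert>());
            bucket.add(alert);
        }
        StringBuilder sb = new StringBuilder("{");
        field(sb, "title", title).append(',');
        field(sb, "generated", new Date().toString()).append(',');
        field(sb, "zapVersion", Constant.PROGRAM_VERSION).append(",\"sites\":[");
        boolean firstSite = true;
        for (Map.Entry<String, List<Alert>> e : byHost.entrySet()) {
            sb.append(firstSite ? "{" : ",{");
            firstSite = false;
            field(sb, "host", e.getKey()).append(",\"alerts\":[");
            for (int i = 0; i < e.getValue().size(); i++) {
                if (i > 0) sb.append(',');
                appendAlert(sb, e.getValue().get(i));
            }
            sb.append("]}");
        }
        return sb.append("]}").toString();
    }

    private void appendAlert(StringBuilder sb, Alert a) {
        sb.append('{');
        field(sb, "name", a.getName()).append(',');
        field(sb, "risk", Alert.MSG_RISK[a.getRisk()]).append(',');
        field(sb, "url", a.getUri()).append(',');
        field(sb, "param", a.getParam()).append(',');
        field(sb, "attack", a.getAttack()).append(',');
        sb.append("\"cweId\":").append(a.getCweId()).append(",\"wascId\":").append(a.getWascId()).append(',');
        field(sb, "description", a.getDescription());
        HttpMessage msg = a.getMessage();   // null when the history entry is no longer available
        if (msg != null && includeHeaders) {
            field(sb.append(','), "requestHeader", redact(msg.getRequestHeader().toString())).append(',');
            field(sb, "responseHeader", redact(msg.getResponseHeader().toString()));
        }
        if (msg != null && includeBodies) {
            field(sb.append(','), "requestBody", msg.getRequestBody().toString()).append(',');
            field(sb, "responseBody", msg.getResponseBody().toString());
        }
        sb.append('}');
    }

    // Masks credential-bearing header lines; (?im) = case-insensitive, per line.
    private String redact(String header) {
        if (!redactSecrets) return header;
        return header.replaceAll("(?im)^(Authorization|Cookie|Set-Cookie):\\s*.*$", "$1: [redacted]");
    }

    static String hostOf(String uri) {
        try {
            URI u = new URI(uri);
            int port = u.getPort() != -1 ? u.getPort() : "https".equalsIgnoreCase(u.getScheme()) ? 443 : 80;
            return u.getHost() + ":" + port;
        } catch (URISyntaxException ex) {
            return uri;   // ZAP stores raw URIs; anything java.net.URI rejects is kept as-is
        }
    }

    private static StringBuilder field(StringBuilder sb, String key, String value) {
        return sb.append('"').append(key).append("\":\"").append(escape(value)).append('"');
    }

    // Minimal JSON string escaping: quotes, backslashes and control characters (\r, \n, \t included).
    static String escape(String s) {
        if (s == null) return "";
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c == '"' || c == '\\') out.append('\\').append(c);
            else if (c < 0x20) out.append(String.format("\\u%04x", (int) c));
            else out.append(c);
        }
        return out.toString();
    }
}
```

Usage from the add-on would be `new AlertJsonExporter(risks, true, false, true).export(AlertJsonExporter.allAlerts(), title)`. The backslash attack value mentioned above passes through escape() as `\\`, which is why a hand escaper rather than string concatenation is the minimum here.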

ryerson...@gmail.com

Mar 9, 2016, 12:29:55 AM
to OWASP ZAP Developer Group
Ahh, I understand now! This was the bug from before that got fixed in the custom version you were kind enough to send me, but was never officially rolled out! :) Would it be too much trouble to ask if you could tell me how to apply the fix myself?

Cheers Goran

ryerson...@gmail.com

Mar 10, 2016, 12:06:55 AM
to OWASP ZAP Developer Group
Hey thc202, it's ready for an alpha, maybe even beta. I've held back the Bootstrap, PDF and Google Doc exports so I can spend some more time optimizing and formatting, and I'll release them as a 2.0 in a month, when you guys release the next version of ZAP. Hopefully I'll get some feedback and/or change requests.

For an alpha, I think it's good. I'll upload to my repo tomorrow, but if you can give me access so I can add it to the alpha ZAP repo that'd be great! The only thing I'm unsure of is how to add multi-language support.

Cheers Goran.

thc...@gmail.com

Mar 10, 2016, 3:57:14 AM
to zaproxy...@googlegroups.com
Hi.

Right, the method initializeLists() ends up being called each time the
dialogue is shown, so the strings are added each time as well.

I'd move the call to initializeLists() to another method, maybe
"initView(ViewDelegate)"?
Or, just add a flag to control and prevent a second initialisation.

Best regards.
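
Pulling together the four fixes thc202 gave in this thread (call the base method when overriding ExtensionAdaptor.hook(ExtensionHook), pass an i18n key to the ZapMenuItem constructor, do not name an add-on method getDescription() because that overrides Extension.getDescription() and is called at startup, and populate lists once rather than on every show), here is an added example skeleton of such an extension. It is not the Export Report add-on's code and not from the ZAP project; the NAME constant, the message keys and the dialogue layout are assumptions, and it targets the ZAP 2.4-era API named in the ZapAddOn.xml above.

```java
package org.zaproxy.zap.extension.exportReport;

import java.awt.BorderLayout;
import java.awt.event.ActionEvent;
import java.awt.event.ActionListener;
import java.awt.event.WindowAdapter;
import java.awt.event.WindowEvent;
import javax.swing.DefaultListModel;
import javax.swing.JDialog;
import javax.swing.JList;
import javax.swing.JTextField;
import org.parosproxy.paros.Constant;
import org.parosproxy.paros.core.scanner.Alert;
import org.parosproxy.paros.extension.ExtensionAdaptor;
import org.parosproxy.paros.extension.ExtensionHook;
import org.parosproxy.paros.extension.ViewDelegate;
import org.zaproxy.zap.view.ZapMenuItem;

/** Added example (not the add-on's code): a Report-menu extension that survives reloads and repeated use. */
public class ExtensionExportReportExample extends ExtensionAdaptor {

    public static final String NAME = "ExtensionExportReportExample";   // assumed name

    // i18n keys; the add-on's Messages.properties is assumed to contain
    //   exportreport.menu.export = Export Report...
    //   exportreport.desc = Exports alerts as XHTML, XML or JSON
    private static final String MENU_KEY = "exportreport.menu.export";
    private static final String DESC_KEY = "exportreport.desc";

    private ZapMenuItem menuExportReport;
    private JDialog dialogue;
    private final DefaultListModel<String> riskModel = new DefaultListModel<String>();
    private final JTextField descriptionField = new JTextField(40);
    private boolean listsInitialised;

    public ExtensionExportReportExample() {
        super(NAME);
    }

    @Override
    public void hook(ExtensionHook extensionHook) {
        // Fix 1: without super.hook() ExtensionLoader logs "ExtensionHook is null ..." on
        // unload and the menu item is not hooked again after a reload or a ZAP restart.
        super.hook(extensionHook);
        if (getView() != null) {
            extensionHook.getHookMenu().addReportMenuItem(getMenuExportReport());
        }
    }

    @Override
    public void initView(ViewDelegate view) {
        super.initView(view);
        // Fix 4: one-time population lives here behind a flag, not in the method
        // that shows the dialogue, or "High, Medium, Low, Informational" is appended on every open.
        if (!listsInitialised) {
            for (String risk : Alert.MSG_RISK) {
                riskModel.addElement(risk);
            }
            listsInitialised = true;
        }
    }

    private ZapMenuItem getMenuExportReport() {
        if (menuExportReport == null) {
            // Fix 2: the argument is an i18n key resolved through Constant.messages, not the label.
            menuExportReport = new ZapMenuItem(MENU_KEY);
            menuExportReport.addActionListener(new ActionListener() {
                @Override
                public void actionPerformed(ActionEvent e) {
                    showDialogue();
                }
            });
        }
        return menuExportReport;
    }

    private void showDialogue() {
        if (dialogue == null) {
            dialogue = new JDialog(getView().getMainFrame(), Constant.messages.getString(MENU_KEY), false);
            dialogue.setDefaultCloseOperation(JDialog.DISPOSE_ON_CLOSE);
            dialogue.add(descriptionField, BorderLayout.NORTH);
            dialogue.add(new JList<String>(riskModel), BorderLayout.CENTER);
            dialogue.pack();
            // Reset on every close path, the window X included, so the next
            // menu click always finds the extension in a clean state.
            dialogue.addWindowListener(new WindowAdapter() {
                @Override
                public void windowClosed(WindowEvent e) {
                    dialogue = null;
                }
            });
        }
        dialogue.setVisible(true);
    }

    // Fix 3: report metadata must not be exposed as getDescription(); that name overrides
    // Extension.getDescription(), which ZAP calls during startup before any dialogue exists
    // (the NPE at ExtensionExportReport.java:160 above).
    public String getReportDescription() {
        return descriptionField.getText();
    }

    @Override
    public String getDescription() {
        return Constant.messages.getString(DESC_KEY);
    }
}
```

The Finish button of a real wizard would call dialogue.dispose() so that the same windowClosed path runs whether the user finishes or closes with the X, which is the "directly or indirectly" point thc202 raised.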

thc...@gmail.com

Mar 10, 2016, 3:58:47 AM
to zaproxy...@googlegroups.com
It will require different changes to fix that from/for an add-on, but
it's feasible, even if done with reflection...

How are you obtaining the alerts?


btw, the core the changes are at:
https://github.com/thc202/zaproxy/commit/49eeeac3869cf3f2315ec877bbdba47d163013cc

Best regards.

thc...@gmail.com

Mar 10, 2016, 3:59:18 AM
to zaproxy...@googlegroups.com
Great! :)

The normal process is to open a pull request against the alpha branch of
zap-extensions repo.

Multi language support for the report (i.e. to create reports in
different languages than ZAP is running)?

Best regards.

thc...@gmail.com

Mar 10, 2016, 4:04:37 AM
to zaproxy...@googlegroups.com
The previous post already shows how you are obtaining the alerts :)

I'll take a closer look and propose a fix for that, later today.

Best regards.

ryerson...@gmail.com

Mar 10, 2016, 12:35:27 PM
to OWASP ZAP Developer Group
I meant the Messages.properties file; what should I do to prepare that for different languages?

Thank you! The custom version you provided has the fix :) and it's a 2.5 milestone for you guys anyway, so it's not a big deal; just waiting for the official fix if it's too much work.

ryerson...@gmail.com

Mar 10, 2016, 12:39:54 PM
to OWASP ZAP Developer Group
FYI: New issue reported https://github.com/zaproxy/zaproxy/issues/2316

The JSON library we are using doesn't have much functionality outside of a simpleJSON Object.

thc...@gmail.com

Mar 10, 2016, 2:00:32 PM
to zaproxy...@googlegroups.com
Hi.

I think nothing, the Messages.properties file is enough. It ends up in
Crowdin for translation and the translations, once available, are then
added to zap-extensions repo.
Also, ZAP core already takes care to load the correct file for the
language selected by the user.


OK, I'll take a look at it and let you know.

Best regards.

thc...@gmail.com

Mar 10, 2016, 2:12:33 PM
to zaproxy...@googlegroups.com
Added some questions :)

Best regards.

JordanGS

Mar 10, 2016, 5:23:48 PM
to OWASP ZAP Developer Group
@thc202 Thank you for all the help. =D

I created the pull request for the plugin called Export Report, current version 1.0. It's a stable release with XHTML, XML and JSON exports. Version 2.0 will include Bootstrap, PDF and Google Doc exports. They are in different stages, and I will update as I make progress.

Bootstrap - 1.0 Strict Compliance issue to resolve.
PDF - formatting/style issue to resolve
Google Doc - Trying to figure out the best way to go about this one still.

Ncoder

unread,
Mar 14, 2016, 6:30:40 PM3/14/16
to OWASP ZAP Developer Group
Hi Goran,

The format looks great, will this extend API support? Currently there is only the basic HTML report that is available via the API call.

On Friday, February 5, 2016 at 11:49:30 AM UTC-8, ryerson...@gmail.com wrote:
Hello everyone,

I have started working on a custom reporting plugin for ZAP to add more specific needs that I require. I was wondering if anyone had any requests as to what they would like to see?

Things already on the list are as follows
  1. Custom Title
  2. Short Desc
  3. Date that the active scan was run (Is this stored anywhere or would this be a feature request? If not, this could be part of the context as an informational. Last scanned by active scan on)
  4. Date that the report was generated on
  5. ZAP version that the active scan was run on (Is this stored anywhere? If not, this could be part of the context as an informational. Last scanned by active scan on)
  6. ZAP version that the report was generated on
  7. Export to JSON
  8. Export to PDF
  9. Bootstrap enabled HTML
  10. Inclusion of request header, response header
  11. Inclusion of request body and response body
  12. Separate or combine alerts by host
If 3 and 5 exist somewhere, could you please let me know how to retrieve them? My goal is to get this done by early next week.

Things I excluded from doing due to time constraints and limitations
  1. Generate reports by context, a custom report will be generated for all alerts. Up to user to maintain one context per session if they want a report associated to that context.
  2. Generate by active scan, this could be useful but currently active scans are not stored as part of the session and I'm not sure if the alerts are associated to the active scan in any way.

Cheers, Goran.

JordanGS

unread,
Mar 15, 2016, 1:34:12 AM3/15/16
to OWASP ZAP Developer Group
I changed accounts, sorry if that confuses anyone. Had to organize my emails better and associations better :)

@Ncoder
Hi mate, thank you for the interest!

> The format looks great, will this extend API support? Currently there is only the basic HTML report that is available via the API call.

Can you be a little more specific, I'm not entirely sure what you mean by "extend API support".

I built it as a ZAP extension/plugin, so once installed and downloaded, it will appear under the "Report" menu as a new option called "Export Report...". Right now it supports exports of XHTML, XML and JSON formats with various ways to customize the content of the report. This version and functionality will be available as soon as the pull request is approved. They are very busy with the 2.5.0 release of ZAP so just be patient or feel free to compile a version using my GitHub share.

V2.0 will be released in 2 months time and will include a Bootstrap HTML export, PDF and hopefully a Google Docs export as well as any bug fixes or enhancement requests people would like to see. I'm not working on this full time so it's taking me a bit longer.

You can also view current milestones, enhancement ideas, issues or source code on my git.

I hope that answers your question :) but let me know if you have any others, and don't hesitate to share any feedback :)

Cheers, Goran.

JordanGS

unread,
Mar 18, 2016, 11:06:04 PM3/18/16
to OWASP ZAP Developer Group
Hi, sorry to bother you guys!

I was just wondering if anyone had a chance to take a look at the pull request :) Thank you!

Cheers, Goran.