ZAP Report Generation Lumping together alerts.


Nick Hergatt

Nov 18, 2025, 10:16:38 AM
to ZAP User Group
Hello All,
I am currently running a suite of Selenium tests that call ZAP to scan pages in our application. Once the test run is complete I generate reports. However, not all the alerts present in the scan are included in the generated report, and the alerts that are missing have their instance count added to what seems to be a random other alert in that severity category. Has anyone else encountered anything like this?

Simon Bennetts

Nov 27, 2025, 9:47:59 AM
to ZAP User Group
Hi Nick,

What version of ZAP are you using?
Can you give an example, suitably redacted?

Also have a look at this blog post, which might explain some of the things that could be going on:

Cheers,

Simon

Nick Hergatt

Dec 1, 2025, 9:42:57 AM
to ZAP User Group
Hi Simon,
ZAP version 12.16.1
I don't think de-duping is what's going on. The first image attached shows all the medium-level alerts from a suite of scans from within the application itself.
[Attachment: Screenshot 2025-12-01 093817.png]
This image is from the generated HTML report where it seems that some of the unique alerts have had their totals lumped in with the two remaining medium alerts.
[Attachment: Screenshot 2025-12-01 093933.png]

Simon Bennetts

Dec 4, 2025, 10:48:01 AM
to ZAP User Group
I've done a quick test and I get exactly the same type and number of vulnerabilities in the 2.16.1 desktop GUI as I do in the Traditional HTML report.

But I may not be doing the same things as you :)
Can you explain what you are doing in more detail?
Or can you reproduce this on a public site, like zaproxy.org ? Yes, you can crawl that one ;)

Cheers,

Simon

Nick Hergatt

Dec 4, 2025, 11:12:34 AM
to ZAP User Group
We are currently using a suite of Selenium tests to navigate through our app, and at important points we are using the following code to run the spider and an active scan:

// Imports from the ZAP Java client API (org.zaproxy.clientapi) needed by this method
import org.zaproxy.clientapi.core.ApiResponse;
import org.zaproxy.clientapi.core.ApiResponseElement;

public void testWebdriver(String currentUrl) throws Exception {
    log.debug("Setting zaproxy {}:{}", ZAP_PROXY_ADDR, zapPort);
    log.debug("Connecting to {}{}", appToTest, IntegrationTestConstants.link);

    // Start the spider on the current page (maxchildren, recurse, contextname, subtreeonly left at defaults)
    ApiResponse spiderResponse = clientApi.spider.scan(currentUrl, null, null, null, null);
    spiderScanId = ((ApiResponseElement) spiderResponse).getValue();
    // Poll the spider status until it reports 100%
    int spiderPercentageGate = 100;
    while (true) {
        int progress = Integer.parseInt(
                ((ApiResponseElement) clientApi.spider.status(spiderScanId)).getValue());
        if (progress >= spiderPercentageGate) break;
        Thread.sleep(2000);
    }
    clientApi.spider.results(spiderScanId);
    clientApi.pscan.setEnabled("true");

    // Active scan of the current page: recurse = "true", inscopeonly = "false",
    // scan policy, method and POST data left at defaults
    ApiResponse activeScanResult = clientApi.ascan.scan(currentUrl, "true", "false", null, null, null);
    //UnComment the following loop if more than 2 tests begin to fail.
    String activeScanId = ((ApiResponseElement) activeScanResult).getValue();
    // Poll the active scan status until it reports 100%
    int activeScanPercentageGate = 100;
    while (true) {
        int progress = Integer.parseInt(
                ((ApiResponseElement) clientApi.ascan.status(activeScanId)).getValue());
        if (progress >= activeScanPercentageGate) break;
        Thread.sleep(2000);
    }
}

Once we have completed the suite of scans we use the following code to build a context:

import java.util.List;
import org.zaproxy.clientapi.core.ApiResponseList;
import org.zaproxy.clientapi.core.ClientApiException;

private void buildContext() throws ClientApiException {
    // Every URL the spider found is added to the context as its own include regex
    ApiResponse spiderResponse = clientApi.spider.allUrls();
    List<ApiResponse> responseUrls = ((ApiResponseList) spiderResponse).getItems();
    for (ApiResponse apiResponse : responseUrls) {
        String url = ((ApiResponseElement) apiResponse).getValue();
        clientApi.context.includeInContext(contextName, url + "*");
    }
}

which is called in this method for generating reports.

public void reports() throws ClientApiException, IOException, TransformerException {
    checkScanStatus();
    buildContext();
    List<ZapAlert> falsePositives = getUnmarkedFalsePositives();
    updateFalsePositives(falsePositives);

    // reports.generate(title, template, theme, description, contexts, sites, sections,
    //                  includedconfidences, includedrisks, reportfilename,
    //                  reportfilenamepattern, reportdir, display)
    clientApi.reports.generate(contextName,  // title
            "traditional-html",              // template
            null,                            // theme
            null,                            // description
            contextName,                     // contexts: only alerts inside this context are reported
            null,                            // sites
            null,                            // sections
            null,                            // includedconfidences
            null,                            // includedrisks
            contextName,                     // reportfilename
            null,                            // reportfilenamepattern
            TARGET_OUTPUT_DIR,               // reportdir
            "true");                         // display

    clientApi.reports.generate(contextName,
            "traditional-xml",
            null,
            null,
            contextName,
            null,
            null,
            null,
            null,
            contextName,
            null,
            TARGET_OUTPUT_DIR,
            "true");
    xmlToCsv();
}

The xmlToCsv method converts the XML report into a CSV for our reporting, and updating false positives calls the API to ensure anything ZAP is being a bit overzealous about is marked appropriately.

Simon Bennetts

Dec 5, 2025, 11:34:58 AM
to ZAP User Group
I can't see anything obvious in your script which could cause this problem.

Adding all of the URLs the spider finds is not really recommended, as you could end up with a huge number of URLs in there.
You only need to add one regex per host, e.g. "https://www.example.com.*"
The clientApi.core.hosts() call should give you those.

Unfortunately we will not be able to do anything unless we can recreate this problem.
If you can work out a way to reproduce it in a way you can share with us then let us know.

Cheers,

Simon
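A version of buildContext() that follows the one-regex-per-host advice above, written here as an added example rather than code taken from the thread or from ZAP itself. It assumes clientApi.core.hosts() returns bare hostnames such as "www.example.com" (no scheme) and that ZAP context include patterns are Java regexes, so the hostname is quoted to stop "." from matching any character.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

import org.zaproxy.clientapi.core.ApiResponse;
import org.zaproxy.clientapi.core.ApiResponseElement;
import org.zaproxy.clientapi.core.ApiResponseList;
import org.zaproxy.clientapi.core.ClientApi;
import org.zaproxy.clientapi.core.ClientApiException;

public class HostContextBuilder {

    /**
     * One include regex for a whole host, e.g. "https?://\Qwww.example.com\E.*".
     * Assumption: host is a bare hostname as returned by core.hosts().
     */
    static String hostToIncludeRegex(String host) {
        return "https?://" + Pattern.quote(host.trim()) + ".*";
    }

    /** Builds the regex list, skipping blanks and duplicates from repeated hosts. */
    static List<String> includeRegexesForHosts(List<String> hosts) {
        List<String> regexes = new ArrayList<>();
        for (String host : hosts) {
            if (host == null || host.trim().isEmpty()) continue;
            String regex = hostToIncludeRegex(host);
            if (!regexes.contains(regex)) regexes.add(regex);
        }
        return regexes;
    }

    /** Replacement for the per-URL buildContext(): one include regex per spidered host. */
    static void buildContextFromHosts(ClientApi clientApi, String contextName)
            throws ClientApiException {
        ApiResponseList hostList = (ApiResponseList) clientApi.core.hosts();
        List<String> hosts = new ArrayList<>();
        for (ApiResponse item : hostList.getItems()) {
            hosts.add(((ApiResponseElement) item).getValue());
        }
        for (String regex : includeRegexesForHosts(hosts)) {
            clientApi.context.includeInContext(contextName, regex);
        }
    }
}
```

Before generating the reports, clientApi.context.context(contextName) shows the include regexes actually registered, which is a quick way to confirm the context holds a handful of host patterns rather than one entry per crawled URL.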

Nick Hergatt

Dec 5, 2025, 11:38:55 AM
to ZAP User Group
Thanks for the optimizations. I'm going to try making those changes to see if it makes a difference. If it doesn't, I'll whip up a script to scan zaproxy.org and see if I can reproduce!

Nick Hergatt

Dec 8, 2025, 5:39:12 PM
to ZAP User Group
Hey Simon,
Wanted to give you a huge thank you. It was in fact the way I was adding URLs to the tree. Using the hosts method fixed the problems and the reports now generate perfectly!

Simon Bennetts

Dec 10, 2025, 1:00:27 PM
to ZAP User Group
Great - thanks for letting us know!