Java heap space error on generating reports


Bernie Jordaan

Jul 9, 2025, 9:50:00 AM
to ZAP User Group
Good day,

I am trying to set up automated ZAP scans using the ZAP Automation Framework with a baseline scan but encountering an error on the reporting step. This is when the report is generating; in the ZAP logs I get the following output:

"
2025-07-09 05:25:22,698 [main ] INFO  CommandLine - Job report started
2025-07-09 05:30:33,637 [ZAP-h2c-dispatch-2] ERROR UncaughtExceptionLogger - Exception in thread "ZAP-h2c-dispatch-2"
java.lang.OutOfMemoryError: Java heap space
    at org.apache.hc.core5.util.Timeout.of(Timeout.java:108) ~[?:?]
    at org.apache.hc.core5.util.Timeout.ofSeconds(Timeout.java:178) ~[?:?]
    at org.apache.hc.core5.reactor.AbstractSingleCoreIOReactor.close(AbstractSingleCoreIOReactor.java:132) ~[?:?]
    at org.apache.hc.core5.reactor.AbstractSingleCoreIOReactor.execute(AbstractSingleCoreIOReactor.java:97) ~[?:?]
    at org.apache.hc.core5.reactor.IOReactorWorker.run(IOReactorWorker.java:44) ~[?:?]
    at java.base/java.lang.Thread.runWith(Thread.java:1596) ~[?:?]
    at java.base/java.lang.Thread.run(Thread.java:1583) [?:?] "
I saw while spidering a lot of URLs are found and some of them might be data driven content. Is there some way to specify what URLs are data driven content while using the automation framework?

The other weird thing I found is while viewing the output folder for the reports. I can see there were two files created, an empty pdf and html file, but the reports specified are xml and pdf.

I have increased ZAP to use the max available heap size but this hasn't made a difference. I am using ZAP 2.16.1.
Please see attached screenshots and zap.log

Any assistance is appreciated

Regards

Bernie

report files screenshot.png
zap.log
pipeline-start.png
JVM options.png

Wong Ka Chon

Jul 10, 2025, 4:17:44 AM
to ZAP User Group
Can you share your code here so that we know what you are doing?

Bernie Jordaan

Jul 10, 2025, 5:35:10 AM
to zaprox...@googlegroups.com
Sure I have added automation pipeline yaml and the scripts used as part of the automation

LoginScriptAutomation.txt
zap-quick-scan-automation.yaml
CheckForAuthCookie.txt

Simon Bennetts

Jul 14, 2025, 5:52:44 AM
to ZAP User Group
ZAP has 2 Gb available to it - is this how much you configured?

It looks like you're having problems before you get to the report: "org.openqa.selenium.WebDriverException: Cannot find firefox binary in PATH. Make sure firefox is installed. OS appears to be: Windows XP"
This means that the AJAX Spider is not working.

Also, when you get the AJAX Spider working, do check that it is crawling while authenticated (assuming that's what you want).
We have found that authenticating outside of the browser is _very_ difficult to get right.
Have a look at https://www.zaproxy.org/docs/authentication/ - note that it has changed recently, so follow it again if you haven't looked at it for a few weeks.

Cheers,

Simon

Bernie Jordaan

Jul 14, 2025, 10:36:41 AM
to zaprox...@googlegroups.com
Yes I configured it to use 2 gig on startup see screenshot below 
image.png
On that error in the log in the stack trace about firefox it is also stating that the OS is windows server 2022 which is correct

image.png

I have tried running the scan again specifying chrome-headless for ajax spider but still seeing the exception about not being able to find firefox.

image.png

image.png

Also set a connection timeout when running zap -config network.connection.timeoutInSecs=120. 

image.png
Attached logs for latest run and updated yaml

zap-quick-scan-automation1407.yaml
zap14072025.log

kingthorin+zap

Jul 15, 2025, 6:33:16 AM
to ZAP User Group
"Cannot find firefox on PATH"

Simon Bennetts

Jul 15, 2025, 7:20:24 AM
to ZAP User Group
Oh, I thought I'd replied to this thread, but I can't see it now :(

The Firefox error can be ignored - I've raised a PR to fix this: #6588

As you mentioned, the 212k URLs found by the spider could be the problem.

We do support Structural Parameters in the AF but not Data Driven Nodes, which is what you will probably need :/
We plan to support them, but no ETA yet.

You could try limiting the spider, e.g. using maxDuration, maxDepth, maxChildren.

Alternatively you could configure the DDNs using an inline script. That could be a bit tricky to get right, but we can help.

Cheers,

Simon

Simon Bennetts

Jul 16, 2025, 12:07:11 PM
to ZAP User Group
FYI an initial DDN implementation is now being reviewed :)

Cheers,

Simon

Bernie Jordaan

Jul 16, 2025, 11:49:33 PM
to zaprox...@googlegroups.com
That's good news, thanks for sharing!

"Alternatively you could configure the DDNs using an inline script. That could be a bit tricky to get right, but we can help." That would be great but I am not sure what details about the application I am allowed to share. However I am starting to see a pattern in some of the URLs. It seems like some of the script files are spidered again but on the next iteration it is found in a different directory, for example https://site/dir1/script-12345.js, https://site/dir2/dir1/script-12345.js

Kind regards

Bernie Jordaan
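
An added example (not part of the original posts, and not ZAP code): a small Python script that takes a list of spidered URLs and reports file names that turn up under nested copies of the same directory, the pattern described in the post above. The sample URLs are constructed and the function names are hypothetical; feed it whatever URL export you have from the scan.

```python
from collections import defaultdict
from urllib.parse import urlsplit
import posixpath

# Constructed sample of spidered URLs (not taken from the thread's logs).
SAMPLE_URLS = [
    "https://site/dir1/script-12345.js",
    "https://site/dir2/dir1/script-12345.js",
    "https://site/dir3/dir2/dir1/script-12345.js",
    "https://site/dir1/style.css",
    "https://site/dir1/page?id=1",
    "https://site/dir1/page?id=2",
    "https://site/about",
]


def repeated_leaves(urls, min_dirs=2):
    """Map (host, file name) -> sorted directories it was found under,
    keeping only names seen under at least `min_dirs` distinct directories."""
    seen = defaultdict(set)
    for url in urls:
        parts = urlsplit(url)
        directory, leaf = posixpath.split(parts.path)
        if not leaf:
            continue  # directory-style URL, no file name to compare
        seen[(parts.netloc, leaf)].add(directory or "/")
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_dirs}


def nested_repeats(urls):
    """Of the repeated leaves, keep those where one directory is a path
    suffix of another (/dir1 vs /dir2/dir1). That shape suggests the same
    relative link being resolved again at a deeper level on each pass."""
    out = {}
    for key, dirs in repeated_leaves(urls).items():
        pairs = [(a, b) for a in dirs for b in dirs
                 if a != b and b.endswith(a)]
        if pairs:
            out[key] = pairs
    return out


if __name__ == "__main__":
    for (host, leaf), pairs in nested_repeats(SAMPLE_URLS).items():
        print(f"{host} {leaf}: {len(pairs)} nested directory pair(s)")
        for shallow, deep in pairs:
            print(f"  {shallow}  ->  {deep}")
```

File names that show up here are candidates for a spider exclusion or depth limit while you work out the right context configuration.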

Simon Bennetts

Jul 17, 2025, 8:12:30 AM
to ZAP User Group
Initial support for DDNs is now available!
As mentioned before, there is no UI support yet.
But, you can configure (and test!) DDNs as normal and then use that context in a new plan :)


Cheers,

Simon