Systemic alerts limit not working for some reported findings


SimsHere

Feb 16, 2026, 2:27:32 AM (2 days ago) Feb 16
to ZAP User Group
Hi Team,

We have set the Systemic limit to 5 (Options --> Alerts --> Systemic Limit:5).

We found that for issues like "Content Security Policy (CSP) Header Not Set", only 5 instances were reported which is as expected.

But for some of the issues, more than 5 findings got reported. For example:
Insufficient Site Isolation Against Spectre Vulnerability --> 15 instances were reported.

How can we set the limit to 5 for such findings?

Thanks,
Kamalpreet


SimsHere

Feb 16, 2026, 3:20:46 AM (2 days ago) Feb 16
to ZAP User Group
Please note that Insufficient Site Isolation Against Spectre Vulnerability has been reported as a systemic finding.

Simon Bennetts

Feb 16, 2026, 9:30:27 AM (2 days ago) Feb 16
to ZAP User Group
There are actually 3 different variants of that alert, so you are probably getting 5 of each:

Cheers,

Simon

SimsHere

Feb 17, 2026, 12:32:34 AM (yesterday) Feb 17
to ZAP User Group
Thanks Simon.

Yes, there are different issues for 90004-1, 90004-2, 1-90004

Thanks,
Kamalpreet

SimsHere

Feb 17, 2026, 3:06:56 AM (yesterday) Feb 17
to ZAP User Group
Hi Simon,

There is a discrepancy between the generated reports (both JSON and HTML) and the issues reported in the ZAP UI.

1. The JSON report provides "alertRef" for each "alert", whereas it should be part of "instances", as "alertRef" may be different for each instance. Because "alertRef" is present at the alert level, there is no instance reported with alertRef 90004-2, whereas in the ZAP UI there are 5 instances with alertRef 90004-2.

2. "name" can be common for plugin 90004: Insufficient Site Isolation Against Spectre Vulnerability. But "alert" should be based on "alertRef" and specific to each instance. For example, for "alertRef: 90004-1", "alert: Cross-Origin-Resource-Policy Header Missing or Invalid" as mentioned in https://www.zaproxy.org/docs/alerts/90004-1/.


{
  "pluginid": "90004",
  "alertRef": "90004-1",
  "alert": "Insufficient Site Isolation Against Spectre Vulnerability",
  "name": "Insufficient Site Isolation Against Spectre Vulnerability",
  "riskcode": "1",
  "confidence": "2",
  "riskdesc": "Low (Medium)",
  "desc": "<p>Cross-Origin-Resource-Policy header is an opt-in header designed to counter side-channels attacks like Spectre. Resource should be specifically set as shareable amongst different origins.</p>",
  "instances": [
    {
      "id": "47",
      "uri": "http://<masked>/WebGoat/login",
      "nodeName": "<masked>/WebGoat/login",
      "method": "GET",
      "param": "Cross-Origin-Resource-Policy",
      "attack": "",
      "evidence": "",
      "otherinfo": "",
      "request-header": "G..",
      "request-body": "",
      "response-header": ".."
    },
    {
      "id": "87",
      "uri": "http://<masked>/WebGoat/service/labels.mvc",
      "nodeName": "http://<masked>/WebGoat/service/labels.mvc",
      "method": "GET",
      "param": "Cross-Origin-Resource-Policy",
      "attack": "",
      "evidence": "",
      "otherinfo": "",
      "request-header": "...",
      "request-body": "",
      "response-header": ".."
    }

    ..

  "count": "15",
  "systemic": true,
  "solution": "<..",
  "otherinfo": "",
  "reference": "<p>https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Cross-Origin-Embedder-Policy</p>",
  "cweid": "693",
  "wascid": "14",
  "sourceid": "10",
  "tags": [
    {
      "tag": "OWASP_2017_A03",
      "link": "https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure.html"
    },
    {
      "tag": "OWASP_2021_A04",
      "link": "https://owasp.org/Top10/A04_2021-Insecure_Design/"
    },
    {
      "tag": "CWE-693",
      "link": "https://cwe.mitre.org/data/definitions/693.html"
    },
    {
      "tag": "POLICY_QA_STD",
      "link": ""
    },
    {
      "tag": "POLICY_PENTEST",
      "link": ""
    },
    {
      "tag": "SYSTEMIC",
      "link": "https://www.zaproxy.org/docs/desktop/addons/common-library/alerttags/#systemic"
    }
  ]
},

As we generate ZAP reports in our own dashboard based on the JSON reports, this discrepancy loses the information about alertRef and alert title.

Thanks,
Kamalpreet
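
As an added example (not code from this thread or from the ZAP project): a small Python rollup of a ZAP JSON report that keys findings by alertRef instead of by alert name, run over two constructed reports, one reproducing the merged 90004-1 entry with 15 instances described above, the other with the three 90004 variants split out at 5 instances each. The report layout (a top-level "site" list whose entries carry "alerts"), the plugin id 10038 for the CSP rule, the URIs and the titles used for the 90004-2 and 90004-3 variants are assumptions or placeholders; only the field names of the alert record come from the excerpt posted in the thread.

```python
import json

SYSTEMIC_LIMIT = 5  # Options --> Alerts --> Systemic Limit, as set in the thread

SPECTRE = "Insufficient Site Isolation Against Spectre Vulnerability"


def _instances(n, path, param):
    """Constructed instance records with only the fields the summary reads."""
    return [{"id": str(i), "uri": f"http://dashboard.example/{path}/{i}",
             "method": "GET", "param": param} for i in range(n)]


def _alert(pluginid, alertref, title, count, systemic, param, path):
    """Constructed alert record in the shape of the excerpt posted in the thread."""
    return {"pluginid": pluginid, "alertRef": alertref, "alert": title, "name": title,
            "riskcode": "1", "confidence": "2", "count": str(count), "systemic": systemic,
            "instances": _instances(count, path, param)}


def _report(alerts):
    """Wrap alerts in the top-level "site" list of a ZAP traditional JSON report (assumed layout)."""
    return json.dumps({"@programName": "ZAP",
                       "site": [{"@name": "http://dashboard.example", "alerts": alerts}]})


# Before the add-on update: the three 90004 variants shared one name and were
# folded into a single entry carrying 15 instances although the limit was 5.
MERGED_REPORT = _report([
    _alert("90004", "90004-1", SPECTRE, 15, True, "Cross-Origin-Resource-Policy", "spectre"),
    _alert("10038", "10038-1", "Content Security Policy (CSP) Header Not Set", 5, True, "", "csp"),
])

# After the update: distinct names, so each variant is its own entry, capped at 5.
# Titles for 90004-2/-3 are placeholders; only the 90004-1 title is cited in the thread.
SPLIT_REPORT = _report([
    _alert("90004", "90004-1", "Cross-Origin-Resource-Policy Header Missing or Invalid",
           5, True, "Cross-Origin-Resource-Policy", "corp"),
    _alert("90004", "90004-2", "PLACEHOLDER title for variant 90004-2", 5, True, "", "v2"),
    _alert("90004", "90004-3", "PLACEHOLDER title for variant 90004-3", 5, True, "", "v3"),
    _alert("10038", "10038-1", "Content Security Policy (CSP) Header Not Set", 5, True, "", "csp"),
])


def alert_key(alert):
    """Key a finding by alertRef (falling back to pluginid), never by its display
    name: variants of one rule may share a name but never share an alertRef."""
    return alert.get("alertRef") or alert["pluginid"]


def summarize(report_text, systemic_limit=SYSTEMIC_LIMIT):
    """Per-alertRef rollup: pluginid, title, systemic flag, the report's own
    "count", the number of embedded instances, and whether that number exceeds
    the systemic limit (the symptom reported in the thread)."""
    report = json.loads(report_text)
    summary = {}
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            entry = summary.setdefault(alert_key(alert), {
                "pluginid": alert["pluginid"],
                "title": alert.get("alert") or alert.get("name", ""),
                "systemic": bool(alert.get("systemic", False)),
                "reported_count": 0,
                "instances": 0,
            })
            entry["instances"] += len(alert.get("instances", []))
            entry["reported_count"] += int(alert.get("count", "0"))
    for entry in summary.values():
        entry["over_limit"] = entry["systemic"] and entry["instances"] > systemic_limit
    return summary


def over_limit_refs(report_text, systemic_limit=SYSTEMIC_LIMIT):
    """alertRefs whose systemic entry carries more instances than the limit allows."""
    return sorted(ref for ref, e in summarize(report_text, systemic_limit).items()
                  if e["over_limit"])


def variants_of(report_text, pluginid):
    """All alertRefs the report holds for one plugin id, e.g. 90004-1/-2/-3."""
    return sorted(ref for ref, e in summarize(report_text).items()
                  if e["pluginid"] == pluginid)


if __name__ == "__main__":
    for label, rep in (("merged", MERGED_REPORT), ("split", SPLIT_REPORT)):
        print(label, "over limit:", over_limit_refs(rep),
              "90004 variants:", variants_of(rep, "90004"))
```

Keying the dashboard on alertRef rather than on the name means that once the variants carry distinct names and entries, they land in separate rows automatically, and the over_limit flag makes a merged entry visible as a report defect instead of being mistaken for 15 genuine findings.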

Simon Bennetts

4:50 AM (3 hours ago) 4:50 AM
to ZAP User Group
Hi Kamalpreet,

We have released a new version of the pscanrulesBeta add-on which means those 3 alerts will all have different names.
I think this should fix the problem you've just reported.
Please update it and see if it now works for you.

Cheers,

Simon