Incomplete report for template Risk and Confidence HTML #8460

Open
GunoH opened this issue Apr 29, 2024 · 14 comments
Labels
add-on bug in:reports Issues pertaining to Report Generation add-on.

Comments

@GunoH

GunoH commented Apr 29, 2024

Describe the bug

When generating a report using the template Risk and Confidence HTML, with all Sections enabled, the generated report does not show any details of the alerts found:

(two screenshots of the generated report, attached to the original issue)

The generated report files are a lot smaller than they used to be (with earlier versions, when the details were included).

Using ZAP 2.14.0, Report Generation plugin 0.31.0.

Reverting to the plugin versions bundled with 2.14.0 (by removing the ~/.ZAP/plugin directory; this reverts Report Generation to 0.26.0) resolves the issue, but as soon as I upgrade the plugins to the latest versions, the issue is back.

Steps to reproduce the behavior

  1. Update to Report Generation 0.31.0
  2. Perform active scan
  3. Generate report (Risk and Confidence HTML) with all sections enabled.

Expected behavior

The generated report contains alert details, such as http requests and responses.

Software versions

ZAP
Version: 2.14.0

Installed Add-ons: [[id=alertFilters, version=20.0.0],
[id=ascanrules, version=65.0.0], [id=authhelper,
version=0.12.0], [id=automation, version=0.39.0],
[id=bruteforce, version=15.0.0], [id=callhome,
version=0.11.0], [id=commonlib, version=1.24.0],
[id=database, version=0.3.0], [id=diff, version=14.0.0],
[id=directorylistv1, version=7.0.0], [id=domxss,
version=18.0.0], [id=encoder, version=1.4.0], [id=exim,
version=0.8.0], [id=formhandler, version=6.5.0], [id=fuzz,
version=13.12.0], [id=gettingStarted, version=16.0.0],
[id=graaljs, version=0.6.0], [id=graphql, version=0.23.0],
[id=help, version=17.0.0], [id=hud, version=0.18.0],
[id=invoke, version=14.0.0], [id=network, version=0.15.0],
[id=oast, version=0.17.0], [id=onlineMenu, version=12.0.0],
[id=openapi, version=39.0.0], [id=postman, version=0.3.0],
[id=pscanrules, version=57.0.0], [id=quickstart,
version=46.0.0], [id=replacer, version=16.0.0], [id=reports,
version=0.31.0], [id=requester, version=7.5.0], [id=retest,
version=0.8.0], [id=retire, version=0.34.0], [id=reveal,
version=7.0.0], [id=scripts, version=45.2.0], [id=selenium,
version=15.22.0], [id=soap, version=22.0.0], [id=spider,
version=0.10.0], [id=spiderAjax, version=23.18.0], [id=tips,
version=12.0.0], [id=webdriverlinux, version=81.0.0],
[id=websocket, version=30.0.0], [id=zest, version=44.0.0]]

Operating System: Linux
Architecture: amd64
Java Version: Debian 21.0.2
System's Locale: en_US
Display Locale: en_GB
Format Locale: en_US
Default Charset: UTF-8
ZAP Home Directory: /home/username/.ZAP/
ZAP Installation Directory: /usr/share/zaproxy/./
Look and Feel: FlatLaf Light (com.formdev.flatlaf.FlatLightLaf)

Screenshots

No response

Errors from the zap.log file

No response

Additional context

No response

Would you like to help fix this issue?

  • Yes
@GunoH GunoH added the bug label Apr 29, 2024
@thc202
Member

thc202 commented Apr 29, 2024

I'm seeing the alert details with latest version. Could you provide more details on how to reproduce that?

@thc202 thc202 added add-on in:reports Issues pertaining to Report Generation add-on. labels Apr 29, 2024
@GunoH
Author

GunoH commented Apr 29, 2024

> I'm seeing the alert details with latest version. Could you provide more details on how to reproduce that?

I'll see if I can provide some more details.

In the meantime, I've found that the Report Generation plugin might not be the one to blame here, as generating the report with 0.26.0 from a session that was persisted with 0.31.0 installed also results in the details missing from the report.

[edit]
... and now I've also reproduced it 'from scratch' (so including the active scan) with 0.26.0.

@guoqi1234512 commented (this comment has been minimized)

@thc202
Member

thc202 commented Apr 30, 2024

Please use the ZAP User Group for questions: https://groups.google.com/g/zaproxy-users

@GunoH
Author

GunoH commented Apr 30, 2024

Update:
Other templates, such as Modern HTML Report with themes and options, do include the details (that one is actually 150 MB), where Risk and Confidence HTML does not (39 kB).

I still have to find the time to come up with a way to reproduce the issue without disclosing too much of our company data. That might take some more days.

@thc202
Member

thc202 commented Apr 30, 2024

The problem is not with the reports but alerts raised on temporary messages, which get removed when the session is closed.

@thc202
Member

thc202 commented Apr 30, 2024

If you can use a weekly and enable debug log for org.zaproxy.zap.extension.alert.ExtensionAlert it would provide the necessary details.

@GunoH
Author

GunoH commented May 1, 2024

> If you can use a weekly and enable debug log for org.zaproxy.zap.extension.alert.ExtensionAlert it would provide the necessary details.

Did that. The issue persisted. Got a couple of hundred log lines from that class, all about alerts that it found.
Some errors/warnings that were also there:

NullPointerException (60+ times):

2024-04-30 16:26:10,391 [ZAP-IO-Server-1-3] ERROR MainServerHandler - An error occurred while notifying a handler:
java.lang.NullPointerException: Cannot invoke "org.parosproxy.paros.core.scanner.Variant.decodeResponseBody(org.parosproxy.paros.network.HttpMessage)" because "this.variant" is null
        at org.parosproxy.paros.core.scanner.AbstractAppParamPlugin.decodeResponseBody(AbstractAppParamPlugin.java:142) ~[zap-D-2024-04-29.jar:D-2024-04-29]
        at org.parosproxy.paros.core.scanner.AbstractPlugin.sendAndReceive(AbstractPlugin.java:319) ~[zap-D-2024-04-29.jar:D-2024-04-29]
        at org.parosproxy.paros.core.scanner.AbstractPlugin.sendAndReceive(AbstractPlugin.java:253) ~[zap-D-2024-04-29.jar:D-2024-04-29]
        at org.parosproxy.paros.core.scanner.AbstractPlugin.sendAndReceive(AbstractPlugin.java:226) ~[zap-D-2024-04-29.jar:D-2024-04-29]
        at org.zaproxy.zap.extension.domxss.DomXssScanRule.access$000(DomXssScanRule.java:71) ~[?:?]
        at org.zaproxy.zap.extension.domxss.DomXssScanRule$1.handleMessage(DomXssScanRule.java:236) ~[?:?]
        at org.zaproxy.addon.network.internal.server.http.MainServerHandler.notifyMessageHandlers(MainServerHandler.java:151) ~[?:?]
        at org.zaproxy.addon.network.internal.server.http.MainServerHandler.processMessage(MainServerHandler.java:131) ~[?:?]
        at org.zaproxy.addon.network.internal.server.http.MainServerHandler.process(MainServerHandler.java:94) ~[?:?]
        at org.zaproxy.addon.network.internal.server.http.MainServerHandler.lambda$channelRead0$0(MainServerHandler.java:82) ~[?:?]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1144) ~[?:?]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:642) ~[?:?]
        at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30) ~[?:?]
        at java.lang.Thread.run(Thread.java:1583) [?:?]

On a couple of occasions, the host under test failed to respond, apparently:

2024-04-30 17:41:42,495 [ZAP-ActiveScanner-0] WARN  ParameterTamperScanRule - <host> failed to respond
org.apache.hc.core5.http.NoHttpResponseException: <host> failed to respond
        at org.apache.hc.core5.http.impl.io.DefaultBHttpClientConnection.receiveResponseHeader(DefaultBHttpClientConnection.java:301) ~[?:?]
        at org.zaproxy.addon.network.internal.client.apachev5.ZapHttpRequestExecutor.execute(ZapHttpRequestExecutor.java:78) ~[?:?]
        at org.apache.hc.core5.http.impl.io.HttpRequestExecutor.execute(HttpRequestExecutor.java:218) ~[?:?]
        at org.apache.hc.client5.http.impl.io.PoolingHttpClientConnectionManager$InternalConnectionEndpoint.execute(PoolingHttpClientConnectionManager.java:712) ~[?:?]
        at org.apache.hc.client5.http.impl.classic.InternalExecRuntime.execute(InternalExecRuntime.java:216) ~[?:?]
        at org.apache.hc.client5.http.impl.classic.MainClientExec.execute(MainClientExec.java:116) ~[?:?]
        at org.apache.hc.client5.http.impl.classic.ExecChainElement.execute(ExecChainElement.java:51) ~[?:?]
        at org.apache.hc.client5.http.impl.classic.ConnectExec.execute(ConnectExec.java:188) ~[?:?]

A few read timeouts:

2024-04-30 21:37:06,742 [ZAP-ActiveScanner-0] WARN  UserAgentScanRule - Read timed out
org.zaproxy.addon.network.common.ZapSocketTimeoutException: Read timed out
        at sun.nio.ch.NioSocketImpl.timedRead(NioSocketImpl.java:278) ~[?:?]
        at sun.nio.ch.NioSocketImpl.implRead(NioSocketImpl.java:304) ~[?:?]
        at sun.nio.ch.NioSocketImpl.read(NioSocketImpl.java:346) ~[?:?]
        at sun.nio.ch.NioSocketImpl$1.read(NioSocketImpl.java:796) ~[?:?]
        at java.net.Socket$SocketInputStream.read(Socket.java:1099) ~[?:?]
        at org.apache.hc.core5.http.impl.io.SessionInputBufferImpl.fillBuffer(SessionInputBufferImpl.java:149) ~[?:?]
        at org.apache.hc.core5.http.impl.io.SessionInputBufferImpl.readLine(SessionInputBufferImpl.java:280) ~[?:?]
        at org.apache.hc.core5.http.impl.io.AbstractMessageParser.parse(AbstractMessageParser.java:247) ~[?:?]
        at org.apache.hc.core5.http.impl.io.AbstractMessageParser.parse(AbstractMessageParser.java:54) ~[?:?]

Other than that, I didn't see anything interesting in the logs.

Support info:

ZAP
Version: D-2024-04-29

Installed Add-ons: [[id=accessControl, version=11.0.0],
[id=alertFilters, version=21.0.0], [id=ascanrules,
version=66.0.0], [id=ascanrulesBeta, version=54.0.0],
[id=authhelper, version=0.13.0], [id=automation,
version=0.40.0], [id=bruteforce, version=16.0.0],
[id=callhome, version=0.12.0], [id=commonlib,
version=1.25.0], [id=coreLang, version=16.0.0],
[id=database, version=0.4.0], [id=diff, version=15.0.0],
[id=directorylistv1, version=8.0.0], [id=domxss,
version=19.0.0], [id=encoder, version=1.5.0], [id=exim,
version=0.9.0], [id=formhandler, version=6.6.0], [id=fuzz,
version=13.13.0], [id=gettingStarted, version=17.0.0],
[id=graaljs, version=0.7.0], [id=graphql, version=0.24.0],
[id=help, version=18.0.0], [id=hud, version=0.19.0],
[id=invoke, version=15.0.0], [id=network, version=0.16.0],
[id=oast, version=0.18.0], [id=onlineMenu, version=13.0.0],
[id=openapi, version=40.0.0], [id=plugnhack,
version=14.0.0], [id=postman, version=0.4.0],
[id=pscanrules, version=58.0.0], [id=pscanrulesBeta,
version=38.0.0], [id=quickstart, version=47.0.0],
[id=replacer, version=17.0.0], [id=reports, version=0.32.0],
[id=requester, version=7.6.0], [id=retest, version=0.9.0],
[id=retire, version=0.35.0], [id=reveal, version=8.0.0],
[id=scripts, version=45.3.0], [id=selenium,
version=15.23.0], [id=sequence, version=8.0.0], [id=soap,
version=23.0.0], [id=spider, version=0.11.0],
[id=spiderAjax, version=23.19.0], [id=tips, version=13.0.0],
[id=webdriverlinux, version=82.0.0], [id=webdrivermacos,
version=82.0.0], [id=webdriverwindows, version=82.0.0],
[id=websocket, version=31.0.0], [id=zest, version=45.0.0]]

Operating System: Linux
Architecture: amd64
CPU Cores: 1
Max Memory: 1 GB
Java Version: Debian 21.0.2
System's Locale: en_US
Display Locale: en_GB
Format Locale: en_US
Default Charset: UTF-8
ZAP Home Directory: /home/username/.ZAP_D/
ZAP Installation Directory: /home/username/ZAP_D-2024-04-29/./
Look and Feel: FlatLaf Light (com.formdev.flatlaf.FlatLightLaf)

@thc202
Member

thc202 commented May 1, 2024

No debug entries with Attempting to create an alert...?

thc202 added a commit to thc202/zaproxy that referenced this issue May 1, 2024
Check that the `variant` is non-null before attempting to decode the
body, as it can be if the extending class sends requests before
(indirectly) initializing the `variant`.

From logs in zaproxy#8460.

Signed-off-by: thc202 <thc202@gmail.com>
@GunoH
Author

GunoH commented May 1, 2024

Nope, no such entries.

$ grep -i extensionalert .ZAP_D/zap.log | wc -l
371
$ grep -i attempting .ZAP_D/zap.log | wc -l
0
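
The grep counts above are the whole check; as an added example (my own script, not part of the issue or of ZAP), here is the same triage extended to the other entries quoted in this thread: it counts a logger's lines, tests for the "Attempting to create an alert" entries thc202 asked about, and tallies the exception classes that open each stack trace. The sample log it writes is constructed to mimic the format of the lines quoted above; the DEBUG message text for ExtensionAlert is made up, since the real text is not shown on this page.

```shell
#!/bin/sh
# Added example, not from the issue or the ZAP project: triage a zap.log for
# the kinds of entries discussed in this thread. write_sample_log produces a
# constructed sample in the format of the quoted lines (the ExtensionAlert
# DEBUG message text is made up).

# Write a constructed sample log to $1 (used when no real log is supplied).
write_sample_log() {
    cat > "$1" <<'EOF'
2024-04-30 16:26:10,391 [ZAP-IO-Server-1-3] ERROR MainServerHandler - An error occurred while notifying a handler:
java.lang.NullPointerException: Cannot invoke "org.parosproxy.paros.core.scanner.Variant.decodeResponseBody(org.parosproxy.paros.network.HttpMessage)" because "this.variant" is null
        at org.parosproxy.paros.core.scanner.AbstractAppParamPlugin.decodeResponseBody(AbstractAppParamPlugin.java:142) ~[zap-D-2024-04-29.jar:D-2024-04-29]
2024-04-30 16:27:01,004 [ZAP-ActiveScanner-0] DEBUG ExtensionAlert - Alert found (constructed sample line)
2024-04-30 17:41:42,495 [ZAP-ActiveScanner-0] WARN  ParameterTamperScanRule - <host> failed to respond
org.apache.hc.core5.http.NoHttpResponseException: <host> failed to respond
        at org.apache.hc.core5.http.impl.io.DefaultBHttpClientConnection.receiveResponseHeader(DefaultBHttpClientConnection.java:301) ~[?:?]
2024-04-30 21:37:06,742 [ZAP-ActiveScanner-0] WARN  UserAgentScanRule - Read timed out
org.zaproxy.addon.network.common.ZapSocketTimeoutException: Read timed out
        at sun.nio.ch.NioSocketImpl.timedRead(NioSocketImpl.java:278) ~[?:?]
2024-04-30 21:38:00,100 [ZAP-IO-Server-1-3] ERROR MainServerHandler - An error occurred while notifying a handler:
java.lang.NullPointerException: Cannot invoke "org.parosproxy.paros.core.scanner.Variant.decodeResponseBody(org.parosproxy.paros.network.HttpMessage)" because "this.variant" is null
        at org.parosproxy.paros.core.scanner.AbstractAppParamPlugin.decodeResponseBody(AbstractAppParamPlugin.java:142) ~[zap-D-2024-04-29.jar:D-2024-04-29]
2024-04-30 21:39:00,100 [ZAP-ActiveScanner-0] DEBUG ExtensionAlert - Alert found (constructed sample line)
EOF
}

# Number of lines in log file $1 mentioning logger short name $2 (case-insensitive).
# grep -c prints 0 but exits 1 when nothing matches, hence the || true.
count_logger() {
    grep -c -i "$2" "$1" || true
}

# Exit 0 if log file $1 contains the "Attempting to create an alert" debug
# entries, 1 otherwise.
has_alert_creation() {
    grep -q 'Attempting to create an alert' "$1"
}

# Tally the exception classes opening each stack trace in log file $1: a line
# that starts with a fully qualified class name ending in Exception or Error.
# Indented "at ..." frames and timestamped lines are skipped.
summarize_exceptions() {
    grep -E '^[A-Za-z0-9_.$]+(Exception|Error)(:|$)' "$1" \
      | sed -E 's/^([A-Za-z0-9_.$]+(Exception|Error)).*/\1/' \
      | sort | uniq -c | sort -rn
}

# Print a one-screen summary for log file $1.
triage() {
    printf 'ExtensionAlert entries: %s\n' "$(count_logger "$1" ExtensionAlert)"
    if has_alert_creation "$1"; then
        printf 'Alert creation debug entries: present\n'
    else
        printf 'Alert creation debug entries: absent\n'
    fi
    printf 'Exceptions by class:\n'
    summarize_exceptions "$1"
}

# Usage: sh zap_log_triage.sh [/path/to/zap.log]
# With no argument the constructed sample is written to a temporary file and triaged.
if [ -n "${1:-}" ]; then
    triage "$1"
else
    sample=${TMPDIR:-/tmp}/zap-sample-$$.log
    write_sample_log "$sample"
    triage "$sample"
    rm -f "$sample"
fi
```

On the sample the summary reports two ExtensionAlert entries, no alert-creation entries, and two NullPointerException traces alongside one NoHttpResponseException and one ZapSocketTimeoutException, which is the shape of the real log described in the comment above (the NPE repeated 60+ times, a few failed responses and read timeouts).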

@GunoH
Author

GunoH commented May 3, 2024

Reproduced the issue using Juice Shop application (running on the local host):

  1. Navigate to Juice Shop landing page, using ZAP as proxy.
  2. Remove any non-local hosts from Sites tree.
  3. Run Active Scan with default settings.
  4. Generate 'Risk and confidence HTML' report with default settings.
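
The four manual steps above can be replayed headlessly. As an added example (my own script, not the reporter's steps or ZAP's own tooling) the following writes a ZAP Automation Framework plan and runs it with `zap.sh -cmd -autorun`. It assumes Juice Shop is listening on http://localhost:3000 and that `zap.sh` is on PATH. A `requestor` job stands in for "navigate to the landing page through the proxy", and the context's `includePaths` stands in for "remove any non-local hosts from the Sites tree" (the active scan is confined to the context); both substitutions are mine, as is the assumption that the report job appends the template's `.html` extension to `reportFile`.

```shell
#!/bin/sh
# Added example, not from the issue or the ZAP project: reproduce the Juice
# Shop steps headlessly with the ZAP Automation Framework. Assumed: Juice Shop
# on http://localhost:3000, zap.sh on PATH, and that the report job appends the
# template's .html extension to reportFile.

# Write the plan to $1 for target URL $2, placing reports in directory $3.
write_plan() {
    cat > "$1" <<EOF
env:
  contexts:
    - name: "juice-shop"
      urls:
        - "$2"
      includePaths:
        - "$2.*"
  parameters:
    failOnError: true
    progressToStdout: true
jobs:
  - type: requestor
    requests:
      - url: "$2"
        method: GET
  - type: activeScan
    parameters:
      context: "juice-shop"
  - type: report
    parameters:
      template: "risk-confidence-html"
      reportDir: "$3"
      reportFile: "risk-confidence"
      reportTitle: "Juice Shop - Risk and Confidence"
EOF
}

# Run ZAP headlessly against the plan in $1.
run_plan() {
    zap.sh -cmd -autorun "$1"
}

# Size in bytes of the file at $1. A Risk and Confidence report of a few tens
# of kilobytes after a full active scan is the symptom described in this issue
# (39 kB versus 150 MB for the Modern HTML template).
report_bytes() {
    wc -c < "$1" | tr -d ' '
}

PLAN=${TMPDIR:-/tmp}/juice-shop-plan.yaml
REPORT_DIR=${TMPDIR:-/tmp}/zap-reports
write_plan "$PLAN" "http://localhost:3000" "$REPORT_DIR"
if command -v zap.sh >/dev/null 2>&1; then
    mkdir -p "$REPORT_DIR"
    run_plan "$PLAN"
    printf 'report size: %s bytes\n' "$(report_bytes "$REPORT_DIR/risk-confidence.html")"
else
    printf 'zap.sh not found; plan written to %s\n' "$PLAN"
fi
```

Adding a second `report` job with `template: "modern"` to the same plan gives the size comparison from the earlier comment in one run, since both reports are then generated from the same in-memory session.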

@kingthorin
Member

Can you persist/save the session, zip it up and attach it here?

@thc202
Member

thc202 commented May 3, 2024

A reopened session does not reproduce the issue though.

@kingthorin
Member

Oh okay, disregard.
