Merge pull request #5918 from kingthorin/rpt-html-seq

reports: HTML add sequence support
zaproxy · Nov 21, 2024 · 8b0294c · 8b0294c
2 parents 2575559 + aa256a9
commit 8b0294c
Show file tree

Hide file tree

Showing 20 changed files with 1,629 additions and 811 deletions.
diff --git a/addOns/reports/CHANGELOG.md b/addOns/reports/CHANGELOG.md
@@ -6,7 +6,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 ## Unreleased
 ### Added
 - Stats counter to the main toolbar button (Issue 8375).
-- Sequence data to JSON reports.
+- Sequence data to JSON & HTML reports.
 
 ### Changed
 - Update automation job help.

diff --git a/addOns/reports/reports.gradle.kts b/addOns/reports/reports.gradle.kts
@@ -76,6 +76,7 @@ spotless {
             fileTree(projectDir) {
                 include("src/**/*.html")
                 exclude("src/main/zapHomeFiles/reports/risk-confidence-html/report.html")
+                exclude("src/main/zapHomeFiles/reports/traditional-html*/report.html")
                 exclude("src/test/**/*.html")
             },
         )

diff --git a/...ports/resources/common/images/report-traditional-html-plus-sequence-details.png b/...ports/resources/common/images/report-traditional-html-plus-sequence-details.png
diff --git a/...on/reports/resources/common/images/report-traditional-html-sequence-details.png b/...on/reports/resources/common/images/report-traditional-html-sequence-details.png
diff --git a/...on/reports/resources/common/images/report-traditional-html-sequence-summary.png b/...on/reports/resources/common/images/report-traditional-html-sequence-summary.png
diff --git a/...ahelp/org/zaproxy/addon/reports/resources/help/contents/report-traditional-html-plus.html b/...ahelp/org/zaproxy/addon/reports/resources/help/contents/report-traditional-html-plus.html
@@ -41,8 +41,23 @@ <H3>Sections</H3>
 			<td>Parameters</td>
 			<td>params</td>
 		</tr>
+		<tr>
+			<td>Sequence Details</td>
+			<td>sequencedetails</td>
+		</tr>
 	</table>
 
+	<H3>Sequence Support</H3>
+
+	If "Sequence Details" are included in the report. Both a summary
+	section and details section will be included.
+	<p></p>
+	<img alt="Traditional HTML Plus - Sequences Summary"
+		src="../../common/images/report-traditional-html-sequence-summary.png">
+	<p></p>
+	<img alt="Traditional HTML OPlus - Sequences Details"
+		src="../../common/images/report-traditional-html-plus-sequence-details.png">
+
 	<H3>Themes</H3>
 
 	<table>

diff --git a/...n/javahelp/org/zaproxy/addon/reports/resources/help/contents/report-traditional-html.html b/...n/javahelp/org/zaproxy/addon/reports/resources/help/contents/report-traditional-html.html
@@ -25,6 +25,10 @@ <H3>Sections</H3>
 			<td>Alert Details</td>
 			<td>alertdetails</td>
 		</tr>
+		<tr>
+			<td>Sequence Details</td>
+			<td>sequencedetails</td>
+		</tr>
 	</table>
 
 	<H3>Screenshot</H3>
@@ -33,6 +37,17 @@ <H3>Screenshot</H3>
 	<img alt="Traditional HTML"
 		src="../../common/images/report-traditional-html.png">
 
+	<H3>Sequence Support</H3>
+
+	If "Sequence Details" are included in the report. Both a summary
+	section and details section will be included.
+	<p></p>
+	<img alt="Traditional HTML - Sequences Summary"
+		src="../../common/images/report-traditional-html-sequence-summary.png">
+	<p></p>
+	<img alt="Traditional HTML - Sequences Details"
+		src="../../common/images/report-traditional-html-sequence-details.png">
+
 </BODY>
 </HTML>
 
diff --git a/...ahelp/org/zaproxy/addon/reports/resources/help/contents/report-traditional-json-plus.html b/...ahelp/org/zaproxy/addon/reports/resources/help/contents/report-traditional-json-plus.html
@@ -83,6 +83,66 @@ <H4>About riskdesc</H4>
 
 </pre>
 
+	The report can also include details of Sequences and related active
+	scanning results, for example:
+
+	<pre>
+    "sequences": [
+      {
+        "name": "Seq name",
+        "steps": [
+          {
+            "step": "1",
+            "pass": "true",
+            "resultDetails": "Pass",
+            "alertIds": [],
+            "original": {
+              "uri": "https://www.example.com/step1",
+              "method": "GET",
+              "request-header": "GET https://www.example.com/step1 HTTP/1.1\r\nhost: www.example.com\r\nuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0\r\npragma: no-cache\r\ncache-control: no-cache\r\nTest: Foo-Header\\x0000\\x0013\r\n\r\n",
+              "request-body": "\\x0000\\x0013",
+              "response-header": "HTTP/1.0 0\r\nTest: Foo-Header\\x0000\\x0013\r\n\r\n",
+              "response-body": "\\x0000\\x0013"
+            },
+            "replay": {
+              "uri": "https://www.example.com/step1",
+              "method": "GET",
+              "request-header": "GET https://www.example.com/step1 HTTP/1.1\r\nhost: www.example.com\r\nuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0\r\npragma: no-cache\r\ncache-control: no-cache\r\nTest: Foo-Header\\x0000\\x0013\r\n\r\n",
+              "request-body": "\\x0000\\x0013",
+              "response-header": "HTTP/1.0 0\r\nTest: Foo-Header\\x0000\\x0013\r\n\r\n",
+              "response-body": "\\x0000\\x0013"
+            }
+          },
+          {
+            "step": "2",
+            "pass": "false",
+            "resultDetails": "Fail",
+            "alertIds": [
+              2,
+              4
+            ],
+            "original": {
+              "uri": "https://www.example.com/step2",
+              "method": "GET",
+              "request-header": "GET https://www.example.com/step2 HTTP/1.1\r\nhost: www.example.com\r\nuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0\r\npragma: no-cache\r\ncache-control: no-cache\r\nTest: Foo-Header\\x0000\\x0013\r\n\r\n",
+              "request-body": "\\x0000\\x0013",
+              "response-header": "HTTP/1.0 0\r\nTest: Foo-Header\\x0000\\x0013\r\n\r\n",
+              "response-body": "\\x0000\\x0013"
+            },
+            "replay": {
+              "uri": "https://www.example.com/step2",
+              "method": "GET",
+              "request-header": "GET https://www.example.com/step2 HTTP/1.1\r\nhost: www.example.com\r\nuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0\r\npragma: no-cache\r\ncache-control: no-cache\r\nTest: Foo-Header\\x0000\\x0013\r\n\r\n",
+              "request-body": "\\x0000\\x0013",
+              "response-header": "HTTP/1.0 0\r\nTest: Foo-Header\\x0000\\x0013\r\n\r\n",
+              "response-body": "\\x0000\\x0013"
+            }
+          }
+        ]
+      }
+    ]
+</pre>
+
 </BODY>
 </HTML>
 
diff --git a/...n/javahelp/org/zaproxy/addon/reports/resources/help/contents/report-traditional-json.html b/...n/javahelp/org/zaproxy/addon/reports/resources/help/contents/report-traditional-json.html
@@ -61,6 +61,49 @@ <H4>About riskdesc</H4>
 
 </pre>
 
+	The report can also include details of Sequences and related active
+	scanning results, for example:
+
+	<pre>
+    "sequences": [
+      {
+        "name": "Seq name",
+        "steps": [
+          {
+            "step": "1",
+            "pass": "true",
+            "resultDetails": "Pass",
+            "alertIds": [],
+            "original": {
+              "uri": "https://www.example.com/step1",
+              "method": "GET"
+            },
+            "replay": {
+              "uri": "https://www.example.com/step1",
+              "method": "GET"
+            }
+          },
+          {
+            "step": "2",
+            "pass": "false",
+            "resultDetails": "Fail",
+            "alertIds": [
+              2,
+              4
+            ],
+            "original": {
+              "uri": "https://www.example.com/step2",
+              "method": "GET"
+            },
+            "replay": {
+              "uri": "https://www.example.com/step2",
+              "method": "GET"
+            }
+          }
+        ]
+      }
+    ]
+</pre>
 </BODY>
 </HTML>
 
diff --git a/addOns/reports/src/main/resources/org/zaproxy/addon/reports/resources/Messages.properties b/addOns/reports/src/main/resources/org/zaproxy/addon/reports/resources/Messages.properties
@@ -132,6 +132,24 @@ reports.report.risk.1 = Low
 reports.report.risk.2 = Medium
 reports.report.risk.3 = High
 
+reports.report.sequences.details.name = Sequence Details
+reports.report.sequences.details.note = With the associated active scan results.
+reports.report.sequences.list.name = Name
+reports.report.sequences.step.alerts = Alerts:
+reports.report.sequences.step.label = Step
+reports.report.sequences.step.original = Original
+reports.report.sequences.step.replay = Replay
+reports.report.sequences.step.req.body = Request Body
+reports.report.sequences.step.req.header = Request Header
+reports.report.sequences.step.request = Request
+reports.report.sequences.step.resp.body = Response Body
+reports.report.sequences.step.resp.header = Response Header
+reports.report.sequences.step.response = Response
+reports.report.sequences.step.result = Result:
+reports.report.sequences.step.showhide = Show / Hide Request & Response
+reports.report.sequences.summary.name = Summary of Sequences
+reports.report.sequences.summary.note = For each step: result (Pass/Fail) - risk (of highest alert(s) for the step, if any).
+
 reports.report.site = Site: {0}
 reports.report.sites = Sites: {0}
 reports.report.sites.title = Sites

diff --git a/addOns/reports/src/main/zapHomeFiles/reports/traditional-html-plus/Messages.properties b/addOns/reports/src/main/zapHomeFiles/reports/traditional-html-plus/Messages.properties
@@ -17,6 +17,7 @@ report.template.section.chart = Chart
 report.template.section.instancecount = Instance Count
 report.template.section.params = Parameters
 report.template.section.passingrules = Passing Rules
+report.template.section.sequencedetails = Sequence Details
 report.template.section.statistics = Statistics
 report.template.stats.auth = Authentication Statistics
 report.template.stats.auth.none = No Authentication Statistics Found