[pull] main from zaproxy:main

zap/gradle/japicmp.yaml

@@ -7,6 +7,10 @@ fieldExcludes: []
 classExcludes:
   - "org.parosproxy.paros.core.scanner.VariantAbstractRPCQuery$RPCParameter"
   - "org.parosproxy.paros.core.scanner.VariantJSONQuery$SimpleStringReader"
+  - "org.parosproxy.paros.db.RecordAlert"
+  - "org.parosproxy.paros.db.TableAlert"
+  - "org.parosproxy.paros.db.paros.ParosTableAlert"
+  - "org.zaproxy.zap.db.sql.SqlTableAlert"
 methodExcludes:
   - "org.zaproxy.zap.model.SessionStructure#addPath(org.parosproxy.paros.model.Session,org.parosproxy.paros.model.HistoryReference,org.parosproxy.paros.network.HttpMessage)"
   - "org.zaproxy.zap.model.SessionStructure#addPath(org.parosproxy.paros.model.Session,org.parosproxy.paros.model.HistoryReference,org.parosproxy.paros.network.HttpMessage,boolean)"

zap/src/main/dist/db/hsqldb.properties

@@ -8,6 +8,7 @@ alert.field.description = DESCRIPTION
 alert.field.evidence = EVIDENCE
 alert.field.historyid = HISTORYID
 alert.field.inputvector = INPUT_VECTOR
+alert.field.nodename = NODENAME
 alert.field.otherinfo = OTHERINFO
 alert.field.param = PARAM
 alert.field.pluginid = PLUGINID
@@ -26,6 +27,7 @@ alert.ps.addattack = ALTER TABLE ALERT ADD COLUMN ATTACK VARCHAR(32768) DEFAULT
 alert.ps.addcweid = ALTER TABLE ALERT ADD COLUMN CWEID INT DEFAULT -1
 alert.ps.addevidence = ALTER TABLE ALERT ADD COLUMN EVIDENCE VARCHAR(16777216) DEFAULT ''
 alert.ps.addinputvector = ALTER TABLE ALERT ADD COLUMN INPUT_VECTOR VARCHAR(256) DEFAULT ''
+alert.ps.addnodename = ALTER TABLE ALERT ADD COLUMN NODENAME VARCHAR(1048576) DEFAULT NULL
 alert.ps.addsourcehistoryid = ALTER TABLE ALERT ADD COLUMN SOURCEHISTORYID INT DEFAULT 0
 alert.ps.addsourceid = ALTER TABLE ALERT ADD COLUMN SOURCEID INT DEFAULT 0
 alert.ps.addsourceidindex = CREATE INDEX INDEX_ALERT_SOURCEID ON ALERT (SOURCEID)
@@ -35,10 +37,10 @@ alert.ps.deleteall = DELETE FROM ALERT
 alert.ps.getalertsforhistoryid = SELECT * FROM ALERT WHERE SOURCEHISTORYID = ?
 alert.ps.getalertsforsession = SELECT ALERTID FROM ALERT INNER JOIN SCAN ON ALERT.SCANID = SCAN.SCANID WHERE SESSIONID = ?
 alert.ps.getallalertids = SELECT ALERTID FROM ALERT
-alert.ps.insert = INSERT INTO ALERT (SCANID, PLUGINID, ALERT, RISK, RELIABILITY, DESCRIPTION, URI, PARAM, ATTACK, OTHERINFO, SOLUTION, REFERENCE, EVIDENCE, CWEID, WASCID, HISTORYID, SOURCEHISTORYID, SOURCEID, ALERTREF, INPUT_VECTOR) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+alert.ps.insert = INSERT INTO ALERT (SCANID, PLUGINID, ALERT, RISK, RELIABILITY, DESCRIPTION, URI, PARAM, ATTACK, OTHERINFO, SOLUTION, REFERENCE, EVIDENCE, CWEID, WASCID, HISTORYID, SOURCEHISTORYID, SOURCEID, ALERTREF, INPUT_VECTOR, NODENAME) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
 alert.ps.lastinsert = CALL IDENTITY()
 alert.ps.read = SELECT TOP 1 * FROM ALERT WHERE ALERTID = ?
-alert.ps.update = UPDATE ALERT SET ALERT = ?, RISK = ?, RELIABILITY = ?, DESCRIPTION = ?, URI = ?, PARAM = ?, ATTACK = ?,OTHERINFO = ?, SOLUTION = ?, REFERENCE = ?, EVIDENCE = ?, CWEID = ?, WASCID = ?, SOURCEHISTORYID = ?, INPUT_VECTOR = ? WHERE  ALERTID = ?
+alert.ps.update = UPDATE ALERT SET ALERT = ?, RISK = ?, RELIABILITY = ?, DESCRIPTION = ?, URI = ?, PARAM = ?, ATTACK = ?,OTHERINFO = ?, SOLUTION = ?, REFERENCE = ?, EVIDENCE = ?, CWEID = ?, WASCID = ?, SOURCEHISTORYID = ?, INPUT_VECTOR = ?, NODENAME = ? WHERE  ALERTID = ?
 alert.ps.updatehistoryid = UPDATE ALERT SET HISTORYID = ?, SOURCEHISTORYID = ? WHERE ALERTID = ?
 alert.table_name = ALERT
 

zap/src/main/dist/db/mysql.properties

@@ -26,6 +26,7 @@ alert.ps.addattack = ALTER TABLE ALERT ADD COLUMN ATTACK VARCHAR(32768) DEFAULT
 alert.ps.addcweid = ALTER TABLE ALERT ADD COLUMN CWEID INT DEFAULT -1
 alert.ps.addevidence = ALTER TABLE ALERT ADD COLUMN EVIDENCE VARCHAR(16777216) DEFAULT ''
 alert.ps.addinputvector = ALTER TABLE ALERT ADD COLUMN INPUT_VECTOR VARCHAR(256) DEFAULT ''
+alert.ps.addnodename = ALTER TABLE ALERT ADD COLUMN NODENAME VARCHAR(1048576) DEFAULT NULL
 alert.ps.addsourcehistoryid = ALTER TABLE ALERT ADD COLUMN SOURCEHISTORYID INT DEFAULT 0
 alert.ps.addsourceid = ALTER TABLE ALERT ADD COLUMN SOURCEID INT DEFAULT 0
 alert.ps.addsourceidindex = CREATE INDEX INDEX_ALERT_SOURCEID ON ALERT (SOURCEID)
@@ -35,10 +36,10 @@ alert.ps.deleteall = DELETE FROM ALERT
 alert.ps.getalertsforhistoryid = SELECT * FROM ALERT WHERE SOURCEHISTORYID = ?
 alert.ps.getalertsforsession = SELECT ALERTID FROM ALERT INNER JOIN SCAN ON ALERT.SCANID = SCAN.SCANID WHERE SESSIONID = ?
 alert.ps.getallalertids = SELECT ALERTID FROM ALERT
-alert.ps.insert = INSERT INTO ALERT (SCANID, PLUGINID, ALERT, RISK, RELIABILITY, DESCRIPTION, URI, PARAM, ATTACK, OTHERINFO, SOLUTION, REFERENCE, EVIDENCE, CWEID, WASCID, HISTORYID, SOURCEHISTORYID, SOURCEID, ALERTREF, INPUT_VECTOR) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+alert.ps.insert = INSERT INTO ALERT (SCANID, PLUGINID, ALERT, RISK, RELIABILITY, DESCRIPTION, URI, PARAM, ATTACK, OTHERINFO, SOLUTION, REFERENCE, EVIDENCE, CWEID, WASCID, HISTORYID, SOURCEHISTORYID, SOURCEID, ALERTREF, INPUT_VECTOR, NODENAME) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
 alert.ps.lastinsert = SELECT LAST_INSERT_ID()
 alert.ps.read = SELECT * FROM ALERT WHERE ALERTID = ? LIMIT 1
-alert.ps.update = UPDATE ALERT SET ALERT = ?, RISK = ?, RELIABILITY = ?, DESCRIPTION = ?, URI = ?, PARAM = ?, ATTACK = ?,OTHERINFO = ?, SOLUTION = ?, REFERENCE = ?, EVIDENCE = ?, CWEID = ?, WASCID = ?, SOURCEHISTORYID = ?, INPUT_VECTOR = ? WHERE  ALERTID = ?
+alert.ps.update = UPDATE ALERT SET ALERT = ?, RISK = ?, RELIABILITY = ?, DESCRIPTION = ?, URI = ?, PARAM = ?, ATTACK = ?,OTHERINFO = ?, SOLUTION = ?, REFERENCE = ?, EVIDENCE = ?, CWEID = ?, WASCID = ?, SOURCEHISTORYID = ?, INPUT_VECTOR = ?, NODENAME = ? WHERE  ALERTID = ?
 alert.ps.updatehistoryid = UPDATE ALERT SET HISTORYID = ?, SOURCEHISTORYID = ? WHERE ALERTID = ?
 alert.table_name = ALERT
 

zap/src/main/dist/db/mysql.schema

@@ -44,6 +44,7 @@ CREATE TABLE `ALERT` (
   `SOURCEID` int(11) DEFAULT '0',
   `ALERTREF` varchar(256) DEFAULT '''',
   `INPUT_VECTOR` varchar(256) DEFAULT '',
+  `NODENAME` longtext,
   PRIMARY KEY (`ALERTID`),
   KEY `ALERT_INDEX` (`SOURCEHISTORYID`)
 ) ENGINE=InnoDB AUTO_INCREMENT=9436 DEFAULT CHARSET=latin1;

zap/src/main/dist/lang/Messages_ja_JP.properties

@@ -1930,7 +1930,7 @@ manReq.checkBox.fixLength = Content-Length \u3092\u66f4\u65b0
 manReq.checkBox.followRedirect = \u30ea\u30c0\u30a4\u30ec\u30af\u30c8\u3092\u8ffd\u8de1
 manReq.checkBox.useCSRF = Anti-CSRF\u30c8\u30fc\u30af\u30f3\u3092\u518d\u751f\u6210
 manReq.checkBox.useCookies = Cookie\u3092\u53d7\u3051\u5165\u308c\u308b
-manReq.checkBox.useSession = \u73fe\u5728\u306e\u8ffd\u8de1\u30bb\u30c3\u30b7\u30e7\u30f3\u3092\u4f7f\u7528\u3059\u308b
+manReq.checkBox.useSession = \u73fe\u5728\u306e\u30c8\u30e9\u30c3\u30ad\u30f3\u30b0\u30bb\u30c3\u30b7\u30e7\u30f3\u3092\u4f7f\u7528
 manReq.dialog.title = \u624b\u52d5\u30ea\u30af\u30a8\u30b9\u30c8\u30a8\u30c7\u30a3\u30bf\u30fc
 manReq.display.above = \u30ea\u30af\u30a8\u30b9\u30c8\u3092\u30ec\u30b9\u30dd\u30f3\u30b9\u306e\u524d\u306b\u8868\u793a
 manReq.display.sidebyside = \u30ea\u30af\u30a8\u30b9\u30c8\u3068\u30ec\u30b9\u30dd\u30f3\u30b9\u3092\u4e26\u3079\u3066\u8868\u793a

zap/src/main/java/org/parosproxy/paros/core/scanner/Alert.java

@@ -68,6 +68,7 @@
 // ZAP: 2023/01/10 Tidy up logger.
 // ZAP: 2023/09/12 Add NUMBER_RISKS convenience constant.
 // ZAP: 2023/11/14 When setting CWE also add a CWE alert tag with an appropriate URL.
+// ZAP: 2025/10/01 Added support for nodeName.
 package org.parosproxy.paros.core.scanner;
 
 import java.net.URL;
@@ -76,6 +77,7 @@
 import java.util.Map;
 import javax.swing.ImageIcon;
 import org.apache.commons.httpclient.URI;
+import org.apache.commons.lang3.StringUtils;
 import org.apache.commons.text.StringEscapeUtils;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
@@ -227,6 +229,7 @@ public static Source getSource(int id) {
     private URI msgUri = null;
     private Source source = Source.UNKNOWN;
     private String alertRef = "";
+    private String nodeName;
     private Map<String, String> tags = Collections.emptyMap();
 
     public Alert(int pluginId) {
@@ -289,6 +292,7 @@ private void init(RecordAlert recordAlert, HistoryReference ref) {
         if (alertRef != null) {
             this.setAlertRef(alertRef);
         }
+        this.setNodeName(recordAlert.getNodeName());
     }
 
     public Alert(RecordAlert recordAlert, HistoryReference ref) {
@@ -438,6 +442,14 @@ public void setMessage(HttpMessage message) {
 
     @Override
     public int compareTo(Alert alert2) {
+        if (alert2 == null) {
+            return 1;
+        }
+
+        if (this.alertId == alert2.getAlertId()) {
+            return 0;
+        }
+
         if (risk < alert2.risk) {
             return -1;
         } else if (risk > alert2.risk) {
@@ -471,8 +483,11 @@ public int compareTo(Alert alert2) {
             return result;
         }
 
-        // ZAP: changed to compare the field uri with alert2.uri
-        result = uri.compareToIgnoreCase(alert2.uri);
+        if (StringUtils.isNotBlank(nodeName) && StringUtils.isNotBlank(alert2.nodeName)) {
+            result = nodeName.compareToIgnoreCase(alert2.nodeName);
+        } else {
+            result = uri.compareToIgnoreCase(alert2.uri);
+        }
         if (result != 0) {
             return result;
         }
@@ -483,11 +498,6 @@ public int compareTo(Alert alert2) {
             return result;
         }
 
-        result = otherInfo.compareToIgnoreCase(alert2.otherInfo);
-        if (result != 0) {
-            return result;
-        }
-
         result = compareStrings(evidence, alert2.evidence);
         if (result != 0) {
             return result;
@@ -530,6 +540,10 @@ public boolean equals(Object obj) {
         }
 
         Alert item = (Alert) obj;
+        if (this.alertId == item.getAlertId()) {
+            return true;
+        }
+
         if (risk != item.risk) {
             return false;
         }
@@ -548,7 +562,11 @@ public boolean equals(Object obj) {
         if (!method.equalsIgnoreCase(item.method)) {
             return false;
         }
-        if (!uri.equalsIgnoreCase(item.uri)) {
+        if (nodeName != null && item.nodeName != null) {
+            if (!nodeName.equals(item.nodeName)) {
+                return false;
+            }
+        } else if (!uri.equalsIgnoreCase(item.uri)) {
             return false;
         }
         if (!param.equalsIgnoreCase(item.param)) {
@@ -591,7 +609,11 @@ public int hashCode() {
         result = prime * result + pluginId;
         result = prime * result + alertRef.hashCode();
         result = prime * result + method.hashCode();
-        result = prime * result + uri.hashCode();
+        if (nodeName != null) {
+            result = prime * result + nodeName.hashCode();
+        } else {
+            result = prime * result + uri.hashCode();
+        }
         result = prime * result + ((attack == null) ? 0 : attack.hashCode());
         return result;
     }
@@ -603,6 +625,7 @@ public int hashCode() {
      */
     public Alert newInstance() {
         Alert item = new Alert(this.pluginId);
+        item.setAlertId(alertId);
         item.setHistoryId(historyId);
         item.setRiskConfidence(this.risk, this.confidence);
         item.setName(this.name);
@@ -621,6 +644,7 @@ public Alert newInstance() {
         item.setWascId(this.wascId);
         item.setSource(this.source);
         item.setTags(this.tags);
+        item.setNodeName(this.nodeName);
         return item;
     }
 
@@ -1048,6 +1072,24 @@ public void setAlertRef(String alertRef) {
         this.alertRef = alertRef;
     }
 
+    /**
+     * Get the node name.
+     *
+     * @since 2.17.0
+     */
+    public String getNodeName() {
+        return nodeName;
+    }
+
+    /**
+     * Set the node name
+     *
+     * @since 2.17.0
+     */
+    public void setNodeName(String nodeName) {
+        this.nodeName = nodeName;
+    }
+
     /**
      * Returns a new alert builder.
      *

zap/src/main/java/org/parosproxy/paros/db/RecordAlert.java

@@ -29,6 +29,7 @@
 // ZAP: 2020/11/03 Add alertRef field.
 // ZAP: 2021/04/30 Add input vector to Alert
 // ZAP: 2022/02/03 Removed deprecated getReliability() and setReliability()
+// ZAP: 2025/10/01 Added support for nodeName.
 package org.parosproxy.paros.db;
 
 public class RecordAlert {
@@ -56,6 +57,7 @@ public class RecordAlert {
     private int sourceHistoryId = 0;
     private int sourceId = 0;
     private String alertRef = "";
+    private String nodeName;
 
     public RecordAlert() {}
 
@@ -80,7 +82,8 @@ public RecordAlert(
             int sourceHistoryId,
             int sourceId,
             String alertRef,
-            String inputVector) {
+            String inputVector,
+            String nodeName) {
         setAlertId(alertId);
         setScanId(scanId);
         setPluginId(pluginId);
@@ -102,6 +105,7 @@ public RecordAlert(
         setWascId(wascId);
         setSourceId(sourceId);
         setAlertRef(alertRef);
+        setNodeName(nodeName);
     }
 
     /**
@@ -381,4 +385,22 @@ public String getAlertRef() {
     public void setAlertRef(String alertRef) {
         this.alertRef = alertRef;
     }
+
+    /**
+     * Gets the node name, which is a normalised version of the URL.
+     *
+     * @since 2.17.0
+     */
+    public String getNodeName() {
+        return nodeName;
+    }
+
+    /**
+     * Sets the node name, which is a normalised version of the URL.
+     *
+     * @since 2.17.0
+     */
+    public void setNodeName(String nodeName) {
+        this.nodeName = nodeName;
+    }
 }

zap/src/main/java/org/parosproxy/paros/db/TableAlert.java

@@ -52,7 +52,8 @@ RecordAlert write(
             int sourceHistoryId,
             int sourceId,
             String alertRef,
-            String inputVector)
+            String inputVector,
+            String nodeName)
             throws DatabaseException;
 
     Vector<Integer> getAlertListBySession(long sessionId) throws DatabaseException;
@@ -77,7 +78,8 @@ void update(
             int cweId,
             int wascId,
             int sourceHistoryId,
-            String inputVector)
+            String inputVector,
+            String nodeName)
             throws DatabaseException;
 
     void updateHistoryIds(int alertId, int historyId, int sourceHistoryId) throws DatabaseException;