reports: Support nodeNames and systemic counts

Signed-off-by: Simon Bennetts <[email protected]>

Author: psiinon

addOns/reports/CHANGELOG.md

@@ -6,6 +6,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 ## Unreleased
 ### Changed
 - Update dependencies.
+- All reports to support nodeNAme and systemic counts.
 
 ## [0.41.0] - 2025-09-04
 ### Changed

addOns/reports/src/main/java/org/zaproxy/addon/reports/ReportHelper.java

@@ -19,6 +19,7 @@
  */
 package org.zaproxy.addon.reports;
 
+import java.lang.reflect.Method;
 import java.net.URI;
 import java.net.URISyntaxException;
 import java.util.ArrayList;
@@ -302,4 +303,64 @@ public static HttpMessage getHttpMessage(int id) {
         }
         return null;
     }
+
+    /**
+     * Returns the nodeName for the alert. This will only work from ZAP 2.17 onwards, it is not
+     * available in earlier versions.
+     */
+    public static String getNodeName(Alert alert) {
+        if (alert == null) {
+            return null;
+        }
+        try {
+            Method method = alert.getClass().getMethod("getNodeName");
+            Object ret = method.invoke(alert);
+            if (ret != null && ret instanceof String str) {
+                return str;
+            }
+        } catch (Exception e) {
+            // Ignore
+        }
+        return null;
+    }
+
+    /**
+     * Returns whether the alert node is systemic. This will only work from ZAP 2.17 onwards, it is
+     * not available in earlier versions.
+     */
+    public static boolean isSystemic(AlertNode node) {
+        if (node == null) {
+            return false;
+        }
+        try {
+            Method method = node.getClass().getMethod("isSystemic");
+            Object ret = method.invoke(node);
+            if (ret != null && ret instanceof Boolean bool) {
+                return bool;
+            }
+        } catch (Exception e) {
+            // Ignore
+        }
+        return false;
+    }
+
+    /**
+     * Returns whether the alert is systemic. This will only work from ZAP 2.17 onwards, it is not
+     * available in earlier versions.
+     */
+    public static boolean isSystemic(Alert alert) {
+        if (alert == null) {
+            return false;
+        }
+        try {
+            Method method = alert.getClass().getMethod("isSystemic");
+            Object ret = method.invoke(alert);
+            if (ret != null && ret instanceof Boolean bool) {
+                return bool;
+            }
+        } catch (Exception e) {
+            // Ignore
+        }
+        return false;
+    }
 }

addOns/reports/src/main/resources/org/zaproxy/addon/reports/resources/Messages.properties

@@ -95,6 +95,7 @@ reports.report.alerts.detail.description = Description
 reports.report.alerts.detail.evidence = Evidence
 reports.report.alerts.detail.instances = Instances
 reports.report.alerts.detail.method = Method
+reports.report.alerts.detail.nodename = Node Name
 reports.report.alerts.detail.otherinfo = Other Info
 reports.report.alerts.detail.param = Parameter
 reports.report.alerts.detail.pluginid = Plugin Id
@@ -113,6 +114,7 @@ reports.report.alerts.list = Alerts
 reports.report.alerts.list.name = Name
 reports.report.alerts.list.numinstances = Number of Instances
 reports.report.alerts.list.risklevel = Risk Level
+reports.report.alerts.list.systemic = Systemic
 reports.report.alerts.summary = Summary of Alerts
 reports.report.alerts.summary.numalerts = Number of Alerts
 reports.report.alerts.summary.risklevel = Risk Level

addOns/reports/src/main/zapHomeFiles/reports/modern/report.html

@@ -205,7 +205,12 @@ <h3 th:text="#{report.alerts.list}">Alerts</h3>
 										Name</a></td>
 								<td align="center" th:class="${'risk-' + alert.risk}"
 									th:text="${helper.getRiskString(alert.risk)}">Risk</td>
-								<td align="center" th:text="${alert.childCount}">Count</td>
+								<th:block th:if="${helper.isSystemic(alert)}">
+									<td align="center" th:text="#{report.alerts.list.systemic}">Systemic</td>
+								</th:block>
+								<th:block th:unless="${helper.isSystemic(alert)}">
+									<td align="center" th:text="${alert.childCount}">Count</td>
+								</th:block>
 							</tr>
 						</table>
 					</div>
@@ -437,6 +442,15 @@ <h3 th:text="#{report.alerts.detail}">Alert Detail</h3>
 										<td width="80%"><a th:href="${instance.userObject.uri}"
 											th:text="${instance.userObject.uri}" href="url.html">URL</a></td>
 									</tr>
+									<th:block
+										th:if="${helper.getNodeName(instance.userObject) != null}">
+										<tr>
+											<td th:text="#{report.alerts.detail.nodename}" width="20%"
+												class="indent2">Node Name</td>
+											<td th:text="${helper.getNodeName(instance.userObject)}"
+												width="80%">Node Name</td>
+										</tr>
+									</th:block>
 									<tr>
 										<td th:text="#{report.alerts.detail.method}" width="20%"
 											class="indent2">Method</td>
@@ -543,7 +557,12 @@ <h3 th:text="#{report.alerts.detail}">Alert Detail</h3>
 								</th:block>
 								<tr>
 									<td th:text="#{report.alerts.detail.instances}" width="20%">Instances</td>
-									<td th:text="${alert.childCount}" width="80%">Instances</td>
+									<th:block th:if="${helper.isSystemic(alert)}">
+										<td th:text="#{report.alerts.list.systemic}" width="80%">Systemic</td>
+									</th:block>
+									<th:block th:unless="${helper.isSystemic(alert)}">
+										<td th:text="${alert.childCount}" width="80%">Instances</td>
+									</th:block>
 								</tr>
 								<tr>
 									<td th:text="#{report.alerts.detail.solution}" width="20%">Solution</td>

addOns/reports/src/main/zapHomeFiles/reports/traditional-html-plus/report.html

@@ -199,7 +199,12 @@ <h3 th:text="#{report.alerts.list}">Alerts</h3>
 					th:text="${alert.nodeName}" href="#plugin-pluginId">Alert Name</a></td>
 				<td align="center" th:class="${'risk-' + alert.risk}"
 					th:text="${helper.getRiskString(alert.risk)}">Risk</td>
+				<th:block th:if="${helper.isSystemic(alert)}">
+				<td align="center" th:text="#{report.alerts.list.systemic}">Systemic</td>
+				</th:block>
+				<th:block th:unless="${helper.isSystemic(alert)}">
 				<td align="center" th:text="${alert.childCount}">Count</td>
+				</th:block>
 			</tr>
 		</table>
 		<div class="spacer-lg"></div>
@@ -410,6 +415,11 @@ <h3 th:text="#{report.alerts.detail}">Alert Detail</h3>
 						<td width="80%"><a th:href="${instance.userObject.uri}"
 							th:text="${instance.userObject.uri}" href="url.html">URL</a></td>
 					</tr>
+					<th:block th:if="${helper.getNodeName(instance.userObject) != null}"><tr>
+						<td th:text="#{report.alerts.detail.nodename}" width="20%"
+							class="indent2">Node Name</td>
+						<td th:text="${helper.getNodeName(instance.userObject)}" width="80%">Node Name</td>
+					</tr></th:block>
 					<tr>
 						<td th:text="#{report.alerts.detail.method}" width="20%"
 							class="indent2">Method</td>
@@ -518,7 +528,12 @@ <h3 th:text="#{report.alerts.detail}">Alert Detail</h3>
 				</th:block>
 				<tr>
 					<td th:text="#{report.alerts.detail.instances}" width="20%">Instances</td>
+					<th:block th:if="${helper.isSystemic(alert)}">
+					<td th:text="#{report.alerts.list.systemic}" width="80%">Systemic</td>
+					</th:block>
+					<th:block th:unless="${helper.isSystemic(alert)}">
 					<td th:text="${alert.childCount}" width="80%">Instances</td>
+					</th:block>
 				</tr>
 				<tr>
 					<td th:text="#{report.alerts.detail.solution}" width="20%">Solution</td>

addOns/reports/src/main/zapHomeFiles/reports/traditional-html/report.html

@@ -324,7 +324,12 @@ <h3 th:text="#{report.alerts.list}">Alerts</h3>
 					th:text="${alert.nodeName}" href="#oluginId">Alert Name</a></td>
 				<td align="center" th:class="${'risk-' + alert.risk}"
 					th:text="${helper.getRiskString(alert.risk)}">Risk</td>
+				<th:block th:if="${helper.isSystemic(alert)}">
+				<td align="center" th:text="#{report.alerts.list.systemic}">Systemic</td>
+				</th:block>
+				<th:block th:unless="${helper.isSystemic(alert)}">
 				<td align="center" th:text="${alert.childCount}">Count</td>
+				</th:block>
 			</tr>
 		</table>
 		<div class="spacer-lg"></div>
@@ -359,6 +364,11 @@ <h3 th:text="#{report.alerts.detail}">Alert Detail</h3>
 						<td width="80%"><a th:href="${instance.userObject.uri}"
 							th:text="${instance.userObject.uri}" href="url.html">URL</a></td>
 					</tr>
+					<th:block th:if="${helper.getNodeName(instance.userObject) != null}"><tr>
+						<td th:text="#{report.alerts.detail.nodename}" width="20%"
+							class="indent2">Node Name</td>
+						<td th:text="${helper.getNodeName(instance.userObject)}" width="80%">Node Name</td>
+					</tr></th:block>
 					<tr>
 						<td th:text="#{report.alerts.detail.method}" width="20%"
 							class="indent2">Method</td>
@@ -388,7 +398,12 @@ <h3 th:text="#{report.alerts.detail}">Alert Detail</h3>
 				</th:block>
 				<tr>
 					<td th:text="#{report.alerts.detail.instances}" width="20%">Instances</td>
+					<th:block th:if="${helper.isSystemic(alert)}">
+					<td th:text="#{report.alerts.list.systemic}" width="80%">Systemic</td>
+					</th:block>
+					<th:block th:unless="${helper.isSystemic(alert)}">
 					<td th:text="${alert.childCount}" width="80%">Instances</td>
+					</th:block>
 				</tr>
 				<tr>
 					<td th:text="#{report.alerts.detail.solution}" width="20%">Solution</td>

addOns/reports/src/main/zapHomeFiles/reports/traditional-json-plus/report.json

@@ -23,6 +23,7 @@
                         {
                             "id": "[(${instance.alertId})]",
                             "uri": "[(${helper.legacyEscapeText(instance.uri, true)})]",
+							[#th:block th:if="${helper.getNodeName(instance) != null}"]"nodeName": "[(${helper.legacyEscapeText(helper.getNodeName(instance))})]",[/th:block]
                             "method": "[(${helper.legacyEscapeText(instance.method, true)})]",
                             "param": "[(${helper.legacyEscapeTextAlertParam(instance, true)})]",
                             "attack": "[(${helper.legacyEscapeText(instance.attack, true)})]",
@@ -35,6 +36,7 @@
                         }[/th:block]
                     ],
                     "count": "[(${instances.size})]",
+					"systemic": "[(${helper.isSystemic(alert)})]",
                     "solution": "[(${helper.legacyEscapeParagraph(alert.solution, true)})]",
                     "otherinfo": "[(${helper.legacyEscapeParagraph(alert.otherinfo, true)})]",
                     "reference": "[(${helper.legacyEscapeParagraph(alert.reference, true)})]",

addOns/reports/src/main/zapHomeFiles/reports/traditional-json/report.json

@@ -23,6 +23,7 @@
 						{
 							"id": "[(${instance.alertId})]",
 							"uri": "[(${helper.legacyEscapeText(instance.uri, true)})]",
+							[#th:block th:if="${helper.getNodeName(instance) != null}"]"nodeName": "[(${helper.legacyEscapeText(helper.getNodeName(instance))})]",[/th:block]
 							"method": "[(${helper.legacyEscapeText(instance.method, true)})]",
 							"param": "[(${helper.legacyEscapeTextAlertParam(instance, true)})]",
 							"attack": "[(${helper.legacyEscapeText(instance.attack, true)})]",
@@ -31,6 +32,7 @@
 						}[/th:block]
 					],
 					"count": "[(${instances.size})]",
+					"systemic": "[(${helper.isSystemic(alert)})]",
 					"solution": "[(${helper.legacyEscapeParagraph(alert.solution, true)})]",
 					"otherinfo": "[(${helper.legacyEscapeParagraph(alert.otherinfo, true)})]",
 					"reference": "[(${helper.legacyEscapeParagraph(alert.reference, true)})]",

addOns/reports/src/main/zapHomeFiles/reports/traditional-md/report.md

@@ -16,7 +16,7 @@ ZAP by [Checkmarx](https://checkmarx.com/).
 
 | [(#{report.alerts.list.name})] | [(#{report.alerts.list.risklevel})] | [(#{report.alerts.list.numinstances})] |
 | --- | --- | --- |
-[#th:block th:each="alert: ${alertTree.children}"]| [(${alert.nodeName})] | [(${helper.getRiskString(alert.risk)})] | [(${alert.childCount})] |
+[#th:block th:each="alert: ${alertTree.children}"]| [(${alert.nodeName})] | [(${helper.getRiskString(alert.risk)})] | [#th:block th:if="${helper.isSystemic(alert)}"][(#{report.alerts.list.systemic})][/th:block][#th:block th:unless="${helper.isSystemic(alert)}"][(${alert.childCount})][/th:block] |
 [/th:block]
 [/th:block]
 
@@ -38,13 +38,15 @@ ZAP by [Checkmarx](https://checkmarx.com/).
 [(${alert.userObject.description})]
 [#th:block th:each="instance: ${alert.children}"]
 * [(#{report.alerts.detail.url})]: [(${#strings.replace(#uris.escapePath(instance.userObject.uri), ')', '&29')})]
+[#th:block th:if="${helper.getNodeName(instance.userObject) != null}"]  * [(#{report.alerts.detail.nodename})]: `[(${helper.getNodeName(instance.userObject)})]`[/th:block]
   * [(#{report.alerts.detail.method})]: `[(${instance.userObject.method})]`
   * [(#{report.alerts.detail.param})]: `[(${instance.userObject.param})]`
   * [(#{report.alerts.detail.attack})]: `[(${instance.userObject.attack})]`
   * [(#{report.alerts.detail.evidence})]: `[(${instance.userObject.evidence})]`
   * [(#{report.alerts.detail.otherinfo})]: `[(${instance.userObject.otherinfo})]`
 [/th:block]
-[(#{report.alerts.detail.instances})]: [(${alert.childCount})]
+[#th:block th:if="${helper.isSystemic(alert)}"][(#{report.alerts.detail.instances})]: [(#{report.alerts.list.systemic})][/th:block]
+[#th:block th:unless="${helper.isSystemic(alert)}"][(#{report.alerts.detail.instances})]: [(${alert.childCount})][/th:block]
 
 ### [(#{report.alerts.detail.solution})]
 

addOns/reports/src/main/zapHomeFiles/reports/traditional-pdf/report.html

@@ -186,7 +186,12 @@ <h3 th:text="#{report.alerts.list}">Alerts</h3>
 						Name</a></td>
 				<td align="center" th:class="${'risk-' + alert.risk}"
 					th:text="${helper.getRiskString(alert.risk)}">Risk</td>
-				<td align="center" th:text="${alert.childCount}">Count</td>
+				<th:block th:if="${helper.isSystemic(alert)}">
+					<td align="center" th:text="#{report.alerts.list.systemic}">Systemic</td>
+				</th:block>
+				<th:block th:unless="${helper.isSystemic(alert)}">
+					<td align="center" th:text="${alert.childCount}">Count</td>
+				</th:block>
 			</tr>
 		</table>
 		<div class="spacer-lg"></div>
@@ -223,6 +228,15 @@ <h3 th:text="#{report.alerts.detail}">Alert Detail</h3>
 							th:text="${helper.escapeXml(instance.userObject.uri)}"
 							href="url.html">URL</a></td>
 					</tr>
+					<th:block
+						th:if="${helper.getNodeName(instance.userObject) != null}">
+						<tr>
+							<td th:text="#{report.alerts.detail.nodename}" width="20%"
+								class="indent2">Node Name</td>
+							<td th:text="${helper.getNodeName(instance.userObject)}"
+								width="80%">Node Name</td>
+						</tr>
+					</th:block>
 					<tr>
 						<td th:text="#{report.alerts.detail.method}" width="20%"
 							class="indent2">Method</td>
@@ -249,7 +263,12 @@ <h3 th:text="#{report.alerts.detail}">Alert Detail</h3>
 				</th:block>
 				<tr>
 					<td th:text="#{report.alerts.detail.instances}" width="20%">Instances</td>
-					<td th:text="${alert.childCount}" width="80%">Instances</td>
+					<th:block th:if="${helper.isSystemic(alert)}">
+						<td th:text="#{report.alerts.list.systemic}" width="80%">Systemic</td>
+					</th:block>
+					<th:block th:unless="${helper.isSystemic(alert)}">
+						<td th:text="${alert.childCount}" width="80%">Instances</td>
+					</th:block>
 				</tr>
 				<tr>
 					<td th:text="#{report.alerts.detail.solution}" width="20%">Solution</td>