Update codebase to ZAP 2.17

addOns/accessControl/CHANGELOG.md

@@ -5,7 +5,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ## Unreleased
 ### Changed
-- Update minimum ZAP version to 2.16.0.
+- Update minimum ZAP version to 2.17.0.
 - Maintenance changes.
 
 ## [10] - 2024-03-25

addOns/addOns.gradle.kts

@@ -174,7 +174,7 @@ subprojects {
         }
     }
 
-    val zapGav = "org.zaproxy:zap:2.16.0"
+    val zapGav = "org.zaproxy:zap:2.17.0-SNAPSHOT"
     dependencies {
         "zap"(zapGav)
     }
@@ -187,7 +187,7 @@ subprojects {
         )
 
         manifest {
-            zapVersion.set("2.16.0")
+            zapVersion.set("2.17.0")
 
             changesFile.set(tasks.named<ConvertMarkdownToHtml>("generateManifestChanges").flatMap { it.html })
             repo.set("https://github.com/zaproxy/zap-extensions/")

addOns/alertFilters/CHANGELOG.md

@@ -4,7 +4,8 @@ All notable changes to this add-on will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ## Unreleased
-
+### Changed
+- Update minimum ZAP version to 2.17.0.
 
 ## [25] - 2025-11-04
 ### Changed

addOns/alertFilters/src/main/java/org/zaproxy/zap/extension/alertFilters/ExtensionAlertFilters.java

@@ -452,7 +452,7 @@ private void updateAlert(Alert alert, AlertFilter filter) {
                     alert.getPluginId(),
                     filter.getNewRisk());
             getExtAlert().updateAlert(updAlert);
-            getExtAlert().updateAlertInTree(origAlert, updAlert);
+            getExtAlert().updateAlertInTree(updAlert);
             if (alert.getHistoryRef() != null) {
                 alert.getHistoryRef().updateAlert(updAlert);
                 if (alert.getHistoryRef().getSiteNode() != null) {
@@ -472,10 +472,7 @@ private Alert getAlert(RecordAlert recordAlert) {
         int historyId = recordAlert.getHistoryId();
         if (historyId > 0) {
             HistoryReference href = this.getExtHistory().getHistoryReference(historyId);
-            Alert alert = new Alert(recordAlert, href);
-            // TODO remove once targeting 2.17+
-            alert.setHistoryId(recordAlert.getHistoryId());
-            return alert;
+            return new Alert(recordAlert, href);
         } else {
             // Not ideal :/
             return new Alert(recordAlert);

addOns/allinonenotes/CHANGELOG.md

@@ -5,7 +5,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ## Unreleased
 ### Changed
-- Update minimum ZAP version to 2.16.0.
+- Update minimum ZAP version to 2.17.0.
 - Maintenance changes.
 
 ### Fixed

addOns/ascanrules/CHANGELOG.md

@@ -5,6 +5,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ## Unreleased
 ### Changed
+- Update minimum ZAP version to 2.17.0.
 - The External Redirect scan rule has been updated to account for potential false positives involving JavaScript comments.
 
 ## [75] - 2025-11-04

addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/CrossSiteScriptingScanRule.java

@@ -29,7 +29,7 @@
 import java.util.List;
 import java.util.Map;
 import org.apache.commons.httpclient.URIException;
-import org.apache.commons.lang3.StringUtils;
+import org.apache.commons.lang3.Strings;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import org.parosproxy.paros.Constant;
@@ -748,7 +748,7 @@ private boolean processContexts(
                             .raise();
                 } else if (AlertThreshold.LOW.equals(this.getAlertThreshold())) {
                     HttpMessage ctx2Message = contexts.get(0).getMsg();
-                    if (StringUtils.containsIgnoreCase(
+                    if (Strings.CI.contains(
                             ctx.getMsg()
                                     .getResponseHeader()
                                     .getHeader(HttpFieldsNames.CONTENT_TYPE),

addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/ExternalRedirectScanRule.java

@@ -35,7 +35,7 @@
 import net.htmlparser.jericho.Source;
 import org.apache.commons.httpclient.URI;
 import org.apache.commons.httpclient.URIException;
-import org.apache.commons.lang3.StringUtils;
+import org.apache.commons.lang3.Strings;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import org.mozilla.javascript.CompilerEnvirons;
@@ -357,7 +357,7 @@ static String getLocationUrl(String value) {
      * @return true if it's a valid open redirect
      */
     private static boolean checkPayload(String value) {
-        if (value == null || !StringUtils.startsWithIgnoreCase(value, HttpHeader.HTTP)) {
+        if (value == null || !Strings.CI.startsWith(value, HttpHeader.HTTP)) {
             return false;
         }
 
@@ -460,7 +460,7 @@ private static RedirectType isRedirected(String payload, HttpMessage msg) {
 
         // (5) Check if redirection occurs by Javascript
         // http://code.google.com/p/html5security/wiki/RedirectionMethods
-        if (StringUtils.indexOfIgnoreCase(content, payload) != -1) {
+        if (Strings.CI.indexOf(content, payload) != -1) {
             List<Element> jsElements = htmlSrc.getAllElements(HTMLElementName.SCRIPT);
 
             for (Element el : jsElements) {
@@ -498,8 +498,7 @@ private static boolean isRedirectPresent(Pattern pattern, String value) {
     }
 
     private static boolean isPresent(Matcher matcher) {
-        return matcher.find()
-                && StringUtils.startsWithIgnoreCase(matcher.group(1), HttpHeader.HTTP);
+        return matcher.find() && Strings.CI.startsWith(matcher.group(1), HttpHeader.HTTP);
     }
 
     /** Visibility increased for unit testing purposes only */

addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/PaddingOracleScanRule.java

@@ -345,7 +345,7 @@ public byte[] decode(String value) {
                     // The last letter represents the length
                     int last = value.length() - 1;
                     if (((last + (int) value.charAt(last)) % 4) == 0) {
-                        Base64 decoder = new Base64(true);
+                        Base64 decoder = Base64.builder().setUrlSafe(true).get();
                         return decoder.decode(value.substring(0, last));
                     }
                 }

addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/PersistentXssScanRule.java

@@ -26,7 +26,7 @@
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
-import org.apache.commons.lang3.StringUtils;
+import org.apache.commons.lang3.Strings;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import org.parosproxy.paros.Constant;
@@ -640,7 +640,7 @@ public void scan(HttpMessage sourceMsg, String param, String value) {
                                                         .raise();
                                             } else {
                                                 HttpMessage ctx2Message = contexts2.get(0).getMsg();
-                                                if (StringUtils.containsIgnoreCase(
+                                                if (Strings.CI.contains(
                                                         ctx.getMsg()
                                                                 .getResponseHeader()
                                                                 .getHeader(

addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/CrossSiteScriptingScanRuleUnitTest.java

@@ -38,6 +38,7 @@
 import java.util.Map;
 import java.util.TreeSet;
 import org.apache.commons.lang3.StringUtils;
+import org.apache.commons.lang3.Strings;
 import org.apache.commons.text.StringEscapeUtils;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.params.ParameterizedTest;
@@ -2517,7 +2518,7 @@ void shouldNotReportXssOutsideTagsIfNoParentTag() throws Exception {
                     @Override
                     protected Response serve(IHTTPSession session) {
                         String name = getFirstParamValue(session, "name");
-                        if (!StringUtils.containsIgnoreCase(name, "0W45pz4p")
+                        if (!Strings.CI.contains(name, "0W45pz4p")
                                 && !name.equals("%3CscrIpt%3Ealert%281%29%3B%3C%2FscRipt%3E")) {
                             name = "something else";
                         }

addOns/ascanrulesAlpha/CHANGELOG.md

@@ -5,6 +5,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ## Unreleased
 ### Changed
+- Update minimum ZAP version to 2.17.0.
 - Address redirections in references.
 
 ## [53] - 2025-11-04

addOns/ascanrulesBeta/CHANGELOG.md

@@ -4,7 +4,8 @@ All notable changes to this add-on will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ## Unreleased
-
+### Changed
+- Update minimum ZAP version to 2.17.0.
 
 ## [63] - 2025-11-04
 ### Added

addOns/authhelper/CHANGELOG.md

@@ -8,6 +8,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 - Handle account selection and TOTP step in Microsoft login.
 
 ### Changed
+- Update minimum ZAP version to 2.17.0.
 - Fail the Microsoft login if not able to perform all the expected steps.
 - Track GWT headers.
 - Handle additional exceptions when processing JSON authentication components.

addOns/authhelper/src/main/java/org/zaproxy/addon/authhelper/AuthHeaderTracker.java

@@ -24,7 +24,7 @@
 import java.util.Locale;
 import java.util.Map;
 import org.apache.commons.httpclient.URIException;
-import org.apache.commons.lang3.StringUtils;
+import org.apache.commons.lang3.Strings;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import org.parosproxy.paros.network.HttpMessage;
@@ -64,11 +64,11 @@ private boolean isAuthInitiator(int initiator) {
     }
 
     private static boolean isTrackedHeader(String header) {
-        return StringUtils.containsIgnoreCase(header, "auth")
-                || StringUtils.containsIgnoreCase(header, "csrf")
+        return Strings.CI.contains(header, "auth")
+                || Strings.CI.contains(header, "csrf")
                 || (!"sec-websocket-key".equalsIgnoreCase(header)
-                        && StringUtils.containsIgnoreCase(header, "key"))
-                || StringUtils.startsWithIgnoreCase(header, "x-gwt-");
+                        && Strings.CI.contains(header, "key"))
+                || Strings.CI.contains(header, "x-gwt-");
     }
 
     @Override

addOns/authhelper/src/main/java/org/zaproxy/addon/authhelper/AuthTestDialog.java

@@ -19,9 +19,7 @@
  */
 package org.zaproxy.addon.authhelper;
 
-import java.awt.Component;
 import java.awt.Frame;
-import java.awt.GridBagConstraints;
 import java.awt.GridBagLayout;
 import java.awt.Insets;
 import java.awt.Toolkit;
@@ -337,21 +335,6 @@ private void setScriptNames() {
         }
     }
 
-    // FIXME use parent method once ZAP 2.17 is released
-    private static JPanel getSideBySidePanel(Component c1, Component c2) {
-        JPanel panel = new JPanel();
-        panel.setLayout(new GridBagLayout());
-        panel.add(
-                c1,
-                LayoutHelper.getGBC(
-                        0, 0, 1, 1.0D, 0.0D, GridBagConstraints.BOTH, new Insets(0, 0, 0, 2)));
-        panel.add(
-                c2,
-                LayoutHelper.getGBC(
-                        1, 0, 1, 0.0D, 0.0D, GridBagConstraints.BOTH, new Insets(0, 2, 0, 0)));
-        return panel;
-    }
-
     private void setMethodState() {
         boolean isBrowserAuth = isBrowserAuth();
 

addOns/authhelper/src/main/java/org/zaproxy/addon/authhelper/AuthUtils.java

@@ -52,6 +52,7 @@
 import org.apache.commons.httpclient.URI;
 import org.apache.commons.httpclient.URIException;
 import org.apache.commons.lang3.StringUtils;
+import org.apache.commons.lang3.Strings;
 import org.apache.logging.log4j.Level;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
@@ -404,8 +405,8 @@ public static WebElement getPasswordField(List<WebElement> inputElements) {
     }
 
     private static boolean hasPasswordAttributes(WebElement element) {
-        return StringUtils.containsIgnoreCase(getAttribute(element, "id"), PASSWORD)
-                || StringUtils.containsIgnoreCase(getAttribute(element, "name"), PASSWORD);
+        return Strings.CI.contains(getAttribute(element, "id"), PASSWORD)
+                || Strings.CI.contains(getAttribute(element, "name"), PASSWORD);
     }
 
     /**