Release 2.17.0

This is a bug fix and enhancement release.

Alert De-duplication

Changes have been made to reduce the number of alerts ZAP raises that are duplicates or highly similar, aligning alerts more closely with the Sites Tree representation. See the Alert De-duplication blog for further details.

Systemic Alerts

Alerts that are typically site-wide will now be flagged as being “Systemic” in both the ZAP Desktop UI and in reports.

This can also significantly reduce the number of “duplicate” alerts reported.

Insights

A new “Insights” tab shows key information which is not related to vulnerabilities, and potentially not even related to the application in question.

Insights tell you more about your applications, about the effectiveness of a scan, and can even stop a scan early if significant problems are identified.

Insights are also available in all of the official ZAP reports.

Improved Disk and Memory Space Error Handling

ZAP will now detect disk and memory space issues and attempt to handle them more gracefully.

Any problems encountered will be reported via the Insights.

Automation Disk Space Reduction

Active Scan Temporary HTTP Messages are no longer persisted by default when ZAP is run headless. This can significantly reduce the amount of disk space needed.

The option is also available in the Desktop but is turned off by default, so that the temporary messages are still persisted and the user can inspect them.

Structured Reports ISO 8601 Standard Date

The structured reports (JSON and XML) now have an ISO 8601 standard date field/attribute (“created”); the existing “generatedString” field will be removed in the future.
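As an added example (not ZAP project code), the following Python reads the new “created” timestamp from a JSON or XML structured report and uses it to reject stale or undated reports in a pipeline. It assumes, which the release notes do not state, that “created” and “generatedString” sit on the top-level JSON object and as attributes on the XML root element; the sample reports inside it are constructed for the example.

```python
"""Read the creation timestamp from a ZAP 2.17.0 structured report (JSON or XML).

Added example; not ZAP project code. Assumptions not confirmed by the release
notes: "created" and "generatedString" live on the top-level JSON object, and
as attributes on the root element in XML. The sample reports are constructed.
"""
import json
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Optional


def parse_iso8601(value: str) -> datetime:
    """Parse an ISO 8601 timestamp into a timezone-aware datetime.

    A trailing 'Z' is rewritten as '+00:00' because fromisoformat() only
    accepts 'Z' from Python 3.11 on; naive timestamps are assumed to be UTC.
    """
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    dt = datetime.fromisoformat(value)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt


def top_level_fields(text: str) -> dict:
    """Top-level fields of a JSON report, or root-element attributes of an XML report."""
    stripped = text.lstrip()
    if stripped.startswith("{"):
        return json.loads(stripped)
    return dict(ET.fromstring(stripped).attrib)


def report_created(fields: dict) -> Optional[datetime]:
    """Return the creation time from the ISO 8601 'created' field.

    Returns None when only the deprecated 'generatedString' is present: that
    field is not the ISO 8601 one and is slated for removal, so consumers
    should not build date handling on it.
    """
    created = fields.get("created")
    if created:
        return parse_iso8601(created)
    return None


def is_fresh(text: str, now: datetime, max_age_hours: float) -> bool:
    """True when the report was created within max_age_hours before 'now'.

    Reports with no 'created' value are treated as stale so a pipeline never
    silently accepts a report it cannot date.
    """
    created = report_created(top_level_fields(text))
    if created is None:
        return False
    age = now - created
    return timedelta(0) <= age <= timedelta(hours=max_age_hours)


# Constructed sample reports (not real ZAP output): the new field beside the
# deprecated one, the XML attribute form, and a legacy report without "created".
SAMPLE_JSON = json.dumps({
    "created": "2025-10-14T09:30:00Z",
    "generatedString": "Tue, 14 Oct 2025 09:30:00",
    "site": [],
})
SAMPLE_XML = ('<report created="2025-10-14T09:30:00+00:00" '
              'generatedString="Tue, 14 Oct 2025 09:30:00"></report>')
LEGACY_JSON = json.dumps({"generatedString": "Tue, 14 Oct 2025 09:30:00", "site": []})

if __name__ == "__main__":
    now = parse_iso8601("2025-10-14T10:00:00Z")
    for label, text in (("json", SAMPLE_JSON), ("xml", SAMPLE_XML), ("legacy", LEGACY_JSON)):
        print(label, "fresh" if is_fresh(text, now, 1) else "stale or undated")
```

Treating an undated report as stale is deliberate: once “generatedString” is removed, a consumer that quietly fell back to it would start passing reports with no date at all.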

Dependency Updates

As usual, the release includes dependency updates.

The following libraries were updated:

  • Commons Beanutils, 1.10.1 → 1.11.0
  • Commons Codec, 1.18.0 → 1.20.0
  • Commons CSV, 1.12.0 → 1.14.1
  • Commons IO, 2.18.0 → 2.21.0
  • Commons Lang3, 2.17.0 → 3.19.0
  • Commons Text, 1.13.0 → 1.14.0
  • Flatlaf, 3.5.4 → 3.7
  • Flatlaf Swingx, 3.5.4 → 3.6.2
  • Jfreechart, 1.5.5 → 1.5.6
  • Jgrapht Core, 0.9.0 → 0.9.2
  • Log4j 1.2 API, 2.24.3 → 2.25.2
  • Log4j API, 2.24.3 → 2.25.2
  • Log4j Core, 2.24.3 → 2.25.2
  • Log4j Jul, 2.24.3 → 2.25.2

Add-Ons

Updated Add-Ons

All of the add-ons included by default have been updated since the last full release.

New Add-Ons

  • Insights - as detailed above

Enhancements

  • Issue 434 : ZAP should exit when running out of memory
  • Issue 2382 : IOException - data file enlarge failed
  • Issue 3486 : Enhancement: ZAP GUI Warn User When its out of Memory
  • Issue 8904 : JSON Input Vector doesn’t handle top level primitive types
  • Issue 8910 : Sync anti-csrf token regen/use in active scanner
  • Issue 8911 : New variant: Request body with no or plain text content type
  • Issue 8919 : Avoid concurrent scan of similar pages
  • Issue 8920 : Exclude anti-csrf tokens from the active scan
  • Issue 8955 : zap.sh does not respect $JAVA_HOME
  • Issue 8982 : Include rule name in Active Scan skip tooltip
  • Issue 8992 : Allow to copy rule config fields
  • Issue 8997 : Improve support for FreeBSD
  • Issue 9044 : Implement DPI-aware divider sizing for WorkbenchPanel split panes
  • Issue 9067 : Alert tree de-duplication
  • Issue 9072 : Address log flooding when DB is full
  • Issue 9073 : Reset search field on session changes
  • Issue 9074 : Add option for temp active scan msgs persistence
  • Issue 9097 : Systemic alert support
  • Issue 9108 : Get false positive alerts from alert/view/alerts/ API endpoint
  • Issue 9113 : Adjust Alert compareTo and equals for case sensitive URI comparison
  • Issue 9117 : Record stats for authenticated ascans
  • Issue 9120 : Change policies to support statsId and readonly
  • Issue 9123 : Make script-based auth method easier to extend
  • Issue 9136 : Suppress XML prolog errors
  • Issue 9138 : Allow to lock scan policies
  • Issue 9153 : Set systemic limit default

Bug fixes

  • Issue 4530 : Site Tree XML POST Parameter Name Issue
  • Issue 6656 : Default Content-Type charset is not always considered
  • Issue 8327 : Handle lack of disk space better
  • Issue 8888 : Alerts Summary reports on filtered alerts. Difference between 2.15.0 & 2.16.0
  • Issue 8909 : User Defined Variant, correct bounds check
  • Issue 8934 : Error dialog re cannot snapshot session while actions running contains HTML tags
  • Issue 8969 : Align combined fields in std dialog
  • Issue 9002 : Fixed structured POST data node names
  • Issue 9003 : Correct poll header validation/usage
  • Issue 9015 : Do not warn on charset aliases
  • Issue 9075 : Guard against multipart parsing errors
  • Issue 9085 : Fix GUI exceptions while updating add-ons
  • Issue 9106 : Fix error importing context with auth script
  • Issue 9126 : Handle empty multi-part parameters
  • Issue 9127 : Do not warn on empty encoded HTTP bodies

See Also

Introduction: the introduction to ZAP
Releases: the full set of releases
Credits: the people and groups who have made this release possible