Add Top 10 2025 and API Top 10 2023 Alert Tags

[kingthorin]

Overview

Update scan rules/alerts with tags for the OWASP Top 10 2025, and API Top 10 2023.

I know it's a lot. If you'd like I could break it into: Active, Passive, Other, just let me know.

[psiinon]

Checkmarx One – Scan Summary & Details – 7ce25abc-b83c-4564-a026-459f1aabd776

---

New Issues (158)

Checkmarx found the following issues in this Pull Request

#	Severity	Issue	Source File / Package	Checkmarx Insight
1		Stored_Code_Injection	/addOns/graaljs/src/main/java/org/zaproxy/zap/extension/graaljs/PacScript.java: 107	details The application's  method receives and dynamically executes user-controlled code using eval, at line 143 of /addOns/graaljs/src/main/java/org/zapr... Attack Vector
2		Stored_XSS	/addOns/plugnhack/src/main/java/org/zaproxy/zap/extension/plugnhack/PlugNHackAPI.java: 300	details The method embeds untrusted data in generated output with append, at line 301 of /addOns/plugnhack/src/main/java/org/zaproxy/zap/extension/plugnha... Attack Vector
3		Absolute_Path_Traversal	/addOns/selenium/src/main/java/org/zaproxy/zap/extension/selenium/internal/DialogCustomBrowser.java: 363	details Method at line 363 of /addOns/selenium/src/main/java/org/zaproxy/zap/extension/selenium/internal/DialogCustomBrowser.java gets dynamic data from ... Attack Vector
4		Absolute_Path_Traversal	/addOns/selenium/src/main/java/org/zaproxy/zap/extension/selenium/internal/DialogCustomBrowser.java: 331	details Method at line 331 of /addOns/selenium/src/main/java/org/zaproxy/zap/extension/selenium/internal/DialogCustomBrowser.java gets dynamic data from ... Attack Vector
5		Absolute_Path_Traversal	/addOns/invoke/src/main/java/org/zaproxy/zap/extension/invoke/DialogAddApp.java: 223	details Method at line 223 of /addOns/invoke/src/main/java/org/zaproxy/zap/extension/invoke/DialogAddApp.java gets dynamic data from the getText element... Attack Vector
6		Absolute_Path_Traversal	/addOns/fuzz/src/main/java/org/zaproxy/zap/extension/fuzz/payloads/ui/impl/FileStringPayloadGeneratorUIHandler.java: 400	details Method at line 400 of /addOns/fuzz/src/main/java/org/zaproxy/zap/extension/fuzz/payloads/ui/impl/FileStringPayloadGeneratorUIHandler.java gets dy... Attack Vector
7		Absolute_Path_Traversal	/addOns/fuzz/src/main/java/org/zaproxy/zap/extension/fuzz/payloads/ui/impl/FileStringPayloadGeneratorUIHandler.java: 432	details Method at line 432 of /addOns/fuzz/src/main/java/org/zaproxy/zap/extension/fuzz/payloads/ui/impl/FileStringPayloadGeneratorUIHandler.java gets dy... Attack Vector
8		Absolute_Path_Traversal	/addOns/fuzz/src/main/java/org/zaproxy/zap/extension/fuzz/payloads/ui/impl/FileStringPayloadGeneratorUIHandler.java: 441	details Method at line 441 of /addOns/fuzz/src/main/java/org/zaproxy/zap/extension/fuzz/payloads/ui/impl/FileStringPayloadGeneratorUIHandler.java gets dy... Attack Vector
9		Absolute_Path_Traversal	/addOns/fuzz/src/main/java/org/zaproxy/zap/extension/fuzz/payloads/ui/impl/FileStringPayloadGeneratorUIHandler.java: 612	details Method at line 612 of /addOns/fuzz/src/main/java/org/zaproxy/zap/extension/fuzz/payloads/ui/impl/FileStringPayloadGeneratorUIHandler.java gets dy... Attack Vector
10		Absolute_Path_Traversal	/addOns/fuzz/src/main/java/org/zaproxy/zap/extension/fuzz/payloads/ui/impl/FileStringPayloadGeneratorUIHandler.java: 663	details Method at line 663 of /addOns/fuzz/src/main/java/org/zaproxy/zap/extension/fuzz/payloads/ui/impl/FileStringPayloadGeneratorUIHandler.java gets dy... Attack Vector
11		Absolute_Path_Traversal	/addOns/jython/src/main/java/org/zaproxy/zap/extension/jython/JythonOptionsPanel.java: 111	details Method at line 111 of /addOns/jython/src/main/java/org/zaproxy/zap/extension/jython/JythonOptionsPanel.java gets dynamic data from the getText el... Attack Vector
12		Absolute_Path_Traversal	/addOns/network/src/main/java/org/zaproxy/addon/network/ClientCertificatesOptionsPanel.java: 206	details Method at line 206 of /addOns/network/src/main/java/org/zaproxy/addon/network/ClientCertificatesOptionsPanel.java gets dynamic data from the getT... Attack Vector
13		Absolute_Path_Traversal	/addOns/network/src/main/java/org/zaproxy/addon/network/internal/ui/AddPkcs11DriverDialog.java: 96	details Method at line 96 of /addOns/network/src/main/java/org/zaproxy/addon/network/internal/ui/AddPkcs11DriverDialog.java gets dynamic data from the ge... Attack Vector
14		Absolute_Path_Traversal	/addOns/invoke/src/main/java/org/zaproxy/zap/extension/invoke/DialogAddApp.java: 297	details Method at line 297 of /addOns/invoke/src/main/java/org/zaproxy/zap/extension/invoke/DialogAddApp.java gets dynamic data from the getText element... Attack Vector
15		Absolute_Path_Traversal	/addOns/reports/src/main/java/org/zaproxy/addon/reports/ReportDialog.java: 153	details Method at line 153 of /addOns/reports/src/main/java/org/zaproxy/addon/reports/ReportDialog.java gets dynamic data from the getText element. This... Attack Vector
16		Absolute_Path_Traversal	/addOns/invoke/src/main/java/org/zaproxy/zap/extension/invoke/DialogAddApp.java: 335	details Method at line 335 of /addOns/invoke/src/main/java/org/zaproxy/zap/extension/invoke/DialogAddApp.java gets dynamic data from the getText element... Attack Vector
17		Cleartext_Submission_of_Sensitive_Information	/addOns/network/src/main/java/org/zaproxy/addon/network/internal/client/apachev5/HttpSenderApache.java: 446	details Potentially sensitive personal information credentialsProvider, at line 446 of /addOns/network/src/main/java/org/zaproxy/addon/network/internal/cli... Attack Vector
18		Improper_Restriction_of_Stored_XXE_Ref	/addOns/reports/src/test/java/org/zaproxy/addon/reports/ReportTestUtils.java: 236	details The loads and parses XML using parse, at line 452 of /addOns/reports/src/test/java/org/zaproxy/addon/reports/ExtensionReportsXmlUnitTest.java. ... Attack Vector
19		Improper_Restriction_of_Stored_XXE_Ref	/addOns/reports/src/test/java/org/zaproxy/addon/reports/ReportTestUtils.java: 236	details The loads and parses XML using parse, at line 419 of /addOns/reports/src/test/java/org/zaproxy/addon/reports/ExtensionReportsXmlUnitTest.java. ... Attack Vector
20		Improper_Restriction_of_Stored_XXE_Ref	/addOns/reports/src/test/java/org/zaproxy/addon/reports/ReportTestUtils.java: 236	details The loads and parses XML using parse, at line 386 of /addOns/reports/src/test/java/org/zaproxy/addon/reports/ExtensionReportsXmlUnitTest.java. ... Attack Vector
21		Improper_Restriction_of_Stored_XXE_Ref	/addOns/reports/src/test/java/org/zaproxy/addon/reports/ReportTestUtils.java: 236	details The loads and parses XML using parse, at line 364 of /addOns/reports/src/test/java/org/zaproxy/addon/reports/ExtensionReportsXmlUnitTest.java. ... Attack Vector
22		Improper_Restriction_of_Stored_XXE_Ref	/addOns/todo/src/main/java/org/zaproxy/zap/extension/todo/TodoList.java: 131	details The loads and parses XML using parse, at line 133 of /addOns/todo/src/main/java/org/zaproxy/zap/extension/todo/TodoList.java. This XML was rece... Attack Vector
23		Improper_Restriction_of_Stored_XXE_Ref	/addOns/saml/src/main/java/org/zaproxy/zap/extension/saml/SAMLConfiguration.java: 78	details The loads and parses XML using unmarshal, at line 248 of /addOns/saml/src/main/java/org/zaproxy/zap/extension/saml/SAMLConfiguration.java. This... Attack Vector
24		SSRF	/addOns/network/src/main/java/org/apache/hc/client5/http/impl/classic/ZapInternalHttpClient.java: 188	details The application sends a request to a remote server, for some resource, using execute in /addOns/network/src/main/java/org/apache/hc/client5/http/im... Attack Vector
25		SSRF	/addOns/network/src/main/java/org/zaproxy/addon/network/internal/client/LegacyUtils.java: 47	details The application sends a request to a remote server, for some resource, using execute in /addOns/network/src/main/java/org/zaproxy/addon/network/int... Attack Vector
26		SSRF	/addOns/network/src/main/java/org/zaproxy/addon/network/internal/client/LegacyUtils.java: 53	details The application sends a request to a remote server, for some resource, using execute in /addOns/network/src/main/java/org/zaproxy/addon/network/int... Attack Vector
27		SSRF	/addOns/network/src/main/java/org/zaproxy/addon/network/internal/client/LegacyUtils.java: 56	details The application sends a request to a remote server, for some resource, using execute in /addOns/network/src/main/java/org/zaproxy/addon/network/int... Attack Vector
28		SSRF	/addOns/network/src/main/java/org/zaproxy/addon/network/internal/client/LegacyUtils.java: 46	details The application sends a request to a remote server, for some resource, using execute in /addOns/network/src/main/java/org/zaproxy/addon/network/int... Attack Vector
29		Missing_HSTS_Header	/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/HeartBleedActiveScanRule.java: 986	details The web-application does not define an HSTS header, leaving it vulnerable to attack. Attack Vector
30		Privacy_Violation	/addOns/llm/src/main/java/org/zaproxy/addon/llm/ui/LlmAppendHttpMessageMenu.java: 53	details Method at line 53 of /addOns/llm/src/main/java/org/zaproxy/addon/llm/ui/LlmAppendHttpMessageMenu.java sends user information outside the applicat... Attack Vector
31		Privacy_Violation	/addOns/llm/src/main/java/org/zaproxy/addon/llm/services/LlmCommunicationService.java: 201	details Method at line 201 of /addOns/llm/src/main/java/org/zaproxy/addon/llm/services/LlmCommunicationService.java sends user information outside the ap... Attack Vector
32		Privacy_Violation	/addOns/llm/src/main/java/org/zaproxy/addon/llm/ui/LlmChatPanel.java: 240	details Method at line 240 of /addOns/llm/src/main/java/org/zaproxy/addon/llm/ui/LlmChatPanel.java sends user information outside the application. This ... Attack Vector
33		Privacy_Violation	/addOns/llm/src/main/java/org/zaproxy/addon/llm/services/LlmCommunicationService.java: 206	details Method at line 206 of /addOns/llm/src/main/java/org/zaproxy/addon/llm/services/LlmCommunicationService.java sends user information outside the ap... Attack Vector
34		Privacy_Violation	/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InsecureAuthenticationScanRule.java: 119	details Method at line 119 of /addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InsecureAuthenticationScanRule.java sends user inform... Attack Vector
35		Privacy_Violation	/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InsecureAuthenticationScanRule.java: 120	details Method at line 120 of /addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InsecureAuthenticationScanRule.java sends user inform... Attack Vector
36		SSL_Verification_Bypass	/addOns/network/src/main/java/org/zaproxy/addon/network/internal/client/apachev5/h2/ZapClientTlsStrategy.java: 197	details /addOns/network/src/main/java/org/zaproxy/addon/network/internal/client/apachev5/h2/ZapClientTlsStrategy.java relies HTTPS requests, in . The x50... Attack Vector
37		Unchecked_Input_for_Loop_Condition	/addOns/zest/src/main/java/org/zaproxy/zap/extension/zest/ZestZapUtils.java: 696	details Method at line 696 of /addOns/zest/src/main/java/org/zaproxy/zap/extension/zest/ZestZapUtils.java obtains user input from getVariableName - the ... Attack Vector
38		Unchecked_Input_for_Loop_Condition	/addOns/zest/src/main/java/org/zaproxy/zap/extension/zest/ZestZapUtils.java: 697	details Method at line 697 of /addOns/zest/src/main/java/org/zaproxy/zap/extension/zest/ZestZapUtils.java obtains user input from getCookieName - the ra... Attack Vector
39		Unchecked_Input_for_Loop_Condition	/addOns/zest/src/main/java/org/zaproxy/zap/extension/zest/ZestZapUtils.java: 695	details Method at line 695 of /addOns/zest/src/main/java/org/zaproxy/zap/extension/zest/ZestZapUtils.java obtains user input from getWindowHandle - the ... Attack Vector
40		Unchecked_Input_for_Loop_Condition	/addOns/fuzz/src/main/java/org/zaproxy/zap/extension/fuzz/payloads/ui/impl/DefaultStringPayloadGeneratorUIHandler.java: 257	details Method at line 257 of /addOns/fuzz/src/main/java/org/zaproxy/zap/extension/fuzz/payloads/ui/impl/DefaultStringPayloadGeneratorUIHandler.java obta... Attack Vector
41		Unchecked_Input_for_Loop_Condition	/addOns/fuzz/src/main/java/org/zaproxy/zap/extension/fuzz/payloads/ui/impl/RegexPayloadGeneratorUIHandler.java: 381	details Method at line 381 of /addOns/fuzz/src/main/java/org/zaproxy/zap/extension/fuzz/payloads/ui/impl/RegexPayloadGeneratorUIHandler.java obtains user... Attack Vector
42		Unchecked_Input_for_Loop_Condition	/addOns/fuzz/src/main/java/org/zaproxy/zap/extension/fuzz/payloads/ui/impl/RegexPayloadGeneratorUIHandler.java: 381	details Method at line 381 of /addOns/fuzz/src/main/java/org/zaproxy/zap/extension/fuzz/payloads/ui/impl/RegexPayloadGeneratorUIHandler.java obtains user... Attack Vector
43		Unchecked_Input_for_Loop_Condition	/addOns/fuzz/src/main/java/org/zaproxy/zap/extension/fuzz/payloads/ui/impl/FileStringPayloadGeneratorUIHandler.java: 441	details Method at line 441 of /addOns/fuzz/src/main/java/org/zaproxy/zap/extension/fuzz/payloads/ui/impl/FileStringPayloadGeneratorUIHandler.java obtains... Attack Vector
44		Unchecked_Input_for_Loop_Condition	/addOns/fuzz/src/main/java/org/zaproxy/zap/extension/fuzz/payloads/ui/impl/FileStringPayloadGeneratorUIHandler.java: 444	details Method at line 444 of /addOns/fuzz/src/main/java/org/zaproxy/zap/extension/fuzz/payloads/ui/impl/FileStringPayloadGeneratorUIHandler.java obtains... Attack Vector
45		Unchecked_Input_for_Loop_Condition	/addOns/fuzz/src/main/java/org/zaproxy/zap/extension/fuzz/payloads/ui/impl/FileStringPayloadGeneratorUIHandler.java: 612	details Method at line 612 of /addOns/fuzz/src/main/java/org/zaproxy/zap/extension/fuzz/payloads/ui/impl/FileStringPayloadGeneratorUIHandler.java obtains... Attack Vector
46		Unchecked_Input_for_Loop_Condition	/addOns/fuzz/src/main/java/org/zaproxy/zap/extension/fuzz/payloads/ui/impl/FileStringPayloadGeneratorUIHandler.java: 617	details Method at line 617 of /addOns/fuzz/src/main/java/org/zaproxy/zap/extension/fuzz/payloads/ui/impl/FileStringPayloadGeneratorUIHandler.java obtains... Attack Vector
47		Unchecked_Input_for_Loop_Condition	/addOns/fuzz/src/main/java/org/zaproxy/zap/extension/fuzz/payloads/ui/impl/JsonPayloadGeneratorAdapterUIHandler.java: 169	details Method at line 169 of /addOns/fuzz/src/main/java/org/zaproxy/zap/extension/fuzz/payloads/ui/impl/JsonPayloadGeneratorAdapterUIHandler.java obtain... Attack Vector
48		Unchecked_Input_for_Loop_Condition	/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/InsecureHttpMethodScanRule.java: 466	details Method at line 466 of /addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/InsecureHttpMethodScanRule.java obtains user ... Attack Vector
49		Unchecked_Input_for_Loop_Condition	/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/HeartBleedActiveScanRule.java: 971	details Method at line 971 of /addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/HeartBleedActiveScanRule.java obtains user input from... Attack Vector
50		Use_Of_Hardcoded_Password	/addOns/authhelper/src/main/java/org/zaproxy/addon/authhelper/AuthUtils.java: 178	details The application uses the hard-coded password PASSWORD for authentication purposes, either using it to verify users' identities, or to access anoth... Attack Vector
51		Use_Of_Hardcoded_Password	/addOns/zest/src/main/java/org/zaproxy/zap/extension/zest/ZestAuthenticationRunner.java: 68	details The application uses the hard-coded password PASSWORD for authentication purposes, either using it to verify users' identities, or to access anoth... Attack Vector
52		Use_Of_Hardcoded_Password	/addOns/zest/src/main/java/org/zaproxy/zap/extension/zest/ZestAuthenticationRunner.java: 65	details The application uses the hard-coded password OLD_PASSWORD for authentication purposes, either using it to verify users' identities, or to access ... Attack Vector
53		Use_Of_Hardcoded_Password	/addOns/authhelper/src/test/java/org/zaproxy/addon/authhelper/internal/ClientSideHandlerUnitTest.java: 64	details The application uses the hard-coded password TEST_PASSWORD for authentication purposes, either using it to verify users' identities, or to access... Attack Vector
54		Use_Of_Hardcoded_Password	/addOns/authhelper/src/test/java/org/zaproxy/addon/authhelper/AuthDiagnosticCollectorUnitTest.java: 236	details The application uses the hard-coded password ""mySuperSecretPassword"" for authentication purposes, either using it to verify users' identities, o... Attack Vector
55		Use_Of_Hardcoded_Password	/addOns/automation/src/main/java/org/zaproxy/addon/automation/ContextWrapper.java: 518	details The application uses the hard-coded password PASSWORD_CREDENTIAL for authentication purposes, either using it to verify users' identities, or to ... Attack Vector
56		Use_Of_Hardcoded_Password	/addOns/bugtracker/src/main/java/org/zaproxy/zap/extension/bugtracker/BugTrackerBugzillaParam.java: 41	details The application uses the hard-coded password CONFIG_PASSWORD_KEY for authentication purposes, either using it to verify users' identities, or to... Attack Vector
57		Use_Of_Hardcoded_Password	/addOns/network/src/main/java/org/zaproxy/addon/network/NetworkApi.java: 141	details The application uses the hard-coded password PARAM_PASSWORD for authentication purposes, either using it to verify users' identities, or to acces... Attack Vector
58		Use_Of_Hardcoded_Password	/addOns/network/src/test/java/org/zaproxy/addon/network/LegacyConnectionParamUnitTest.java: 57	details The application uses the hard-coded password PASSWORD for authentication purposes, either using it to verify users' identities, or to access anoth... Attack Vector
59		Use_Of_Hardcoded_Password	/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/InsecureAuthenticationScanRuleUnitTest.java: 53	details The application uses the hard-coded password pass for authentication purposes, either using it to verify users' identities, or to access another r... Attack Vector
60		Use_Of_Hardcoded_Password	/addOns/network/src/test/java/org/zaproxy/addon/network/internal/client/KeyStoreEntryUnitTest.java: 66	details The application uses the hard-coded password ""password"" for authentication purposes, either using it to verify users' identities, or to access a... Attack Vector
61		Use_Of_Hardcoded_Password	/addOns/network/src/test/java/org/zaproxy/addon/network/internal/client/CertificateEntryUnitTest.java: 55	details The application uses the hard-coded password ""password"" for authentication purposes, either using it to verify users' identities, or to access a... Attack Vector
62		Use_Of_Hardcoded_Password_In_Config	/addOns/tokengen/src/main/resources/org/zaproxy/zap/extension/tokengen/resources/Messages_tr_TR.properties: 12	details The configuration file /addOns/tokengen/src/main/resources/org/zaproxy/zap/extension/tokengen/resources/Messages_tr_TR.properties contains a har... Attack Vector
63		Use_Of_Hardcoded_Password_In_Config	/addOns/tokengen/src/main/resources/org/zaproxy/zap/extension/tokengen/resources/Messages_bs_BA.properties: 12	details The configuration file /addOns/tokengen/src/main/resources/org/zaproxy/zap/extension/tokengen/resources/Messages_bs_BA.properties contains a har... Attack Vector
64		Use_Of_Hardcoded_Password_In_Config	/addOns/tokengen/src/main/resources/org/zaproxy/zap/extension/tokengen/resources/Messages_fr_FR.properties: 12	details The configuration file /addOns/tokengen/src/main/resources/org/zaproxy/zap/extension/tokengen/resources/Messages_fr_FR.properties contains a har... Attack Vector
65		Use_Of_Hardcoded_Password_In_Config	/addOns/bugtracker/src/main/resources/org/zaproxy/zap/extension/bugtracker/resources/Messages_vi_VN.properties: 107	details The configuration file /addOns/bugtracker/src/main/resources/org/zaproxy/zap/extension/bugtracker/resources/Messages_vi_VN.properties contains a... Attack Vector
66		Use_Of_Hardcoded_Password_In_Config	/addOns/zest/src/main/resources/org/zaproxy/zap/extension/zest/resources/Messages_es_ES.properties: 357	details The configuration file /addOns/zest/src/main/resources/org/zaproxy/zap/extension/zest/resources/Messages_es_ES.properties contains a hardcoded p... Attack Vector
67		Use_Of_Hardcoded_Password_In_Config	/addOns/zest/src/main/resources/org/zaproxy/zap/extension/zest/resources/Messages_hu_HU.properties: 357	details The configuration file /addOns/zest/src/main/resources/org/zaproxy/zap/extension/zest/resources/Messages_hu_HU.properties contains a hardcoded p... Attack Vector

More results are available on the CxOne platform

---

Use @Checkmarx to interact with Checkmarx PR Assistant.
Examples:
@Checkmarx how are you able to help me?
@Checkmarx rescan this PR

[kingthorin]

I'll add a full set of tags to httpsinfo in another PR.

[Copilot]

Copilot wasn't able to review this pull request because it exceeds the maximum number of files (300). Try reducing the number of changed files and requesting a review from Copilot again.

[kingthorin]

Validation script, I'm sure this could be cleaner but I largely just trusted Cursor with it. (Download the spreadsheet as csv)

Validation Script (python)

#!/usr/bin/env python3
"""
Compare OWASP mapping CSV rows to scan-rule Java (and selected scripts) per add-on.

CommandInjectionTimingScanRule does not list OWASP_2025/API tags inline; it uses
  alertTags.putAll(CommandInjectionScanRule.ALERT_TAGS)
plus CommonAlertTag.TEST_TIMING. For CSV tag comparison, OWASP_2025_* and
API_2023_* are taken from CommandInjectionScanRule.java.
"""
from __future__ import annotations

import argparse
import csv
import re
import sys
from collections.abc import Callable
from dataclasses import dataclass
from pathlib import Path

# Class -> delegate ScanRule whose ALERT_TAGS are merged (same package).
MERGE_ALERT_TAGS_FROM: dict[str, str] = {
    "CommandInjectionTimingScanRule": "CommandInjectionScanRule",
}


def _notes(row: list[str]) -> str:
    return row[9].lower() if len(row) > 9 else ""


def _cls(row: list[str]) -> str:
    c = row[1].strip()
    if c.startswith("(") and c.endswith(")"):
        return c[1:-1]
    return c


def _csv_release_core(status: str) -> bool:
    if "add-on" in status or "Alpha" in status or "Beta" in status:
        return False
    return status.startswith("Release")


@dataclass(frozen=True)
class AddonSpec:
    """addOns/{name}/..."""

    name: str
    # Path under repo to directory containing listed globs
    java_dir: str
    globs: tuple[str, ...]
    # CSV data row (full row list) -> include
    csv_row_ok: Callable[[list[str]], bool]


def row_active_release(row: list[str]) -> bool:
    if len(row) < 5:
        return False
    return row[3] == "Active" and _csv_release_core(row[4])


def row_passive_release(row: list[str]) -> bool:
    if len(row) < 5:
        return False
    return row[3] == "Passive" and _csv_release_core(row[4])


def row_active_beta(row: list[str]) -> bool:
    if len(row) < 5:
        return False
    return row[3] == "Active" and "Beta" in row[4] and "add-on" not in row[4]


def row_passive_beta(row: list[str]) -> bool:
    if len(row) < 5:
        return False
    return row[3] == "Passive" and "Beta" in row[4] and "add-on" not in row[4]


def row_passive_alpha(row: list[str]) -> bool:
    if len(row) < 5:
        return False
    return row[3] == "Passive" and "Alpha" in row[4] and "add-on" not in row[4]


def row_soap(row: list[str]) -> bool:
    return "soap add-on" in _notes(row)


def row_sqliplugin(row: list[str]) -> bool:
    return "sqliplugin" in _notes(row)


def row_access_control(row: list[str]) -> bool:
    return "accesscontrol" in _notes(row).replace(" ", "")


def row_retire(row: list[str]) -> bool:
    if len(row) < 5:
        return False
    return "retire" in _notes(row) and "add-on" in row[4]


def row_graphql(row: list[str]) -> bool:
    return _cls(row) in {
        "GraphQlParser",
        "GraphQlFingerprinter",
        "GraphQlCycleDetector",
    }


# java_dir is relative to repo root (use / for Path joining)
ADDONS: dict[str, AddonSpec] = {
    "accessControl": AddonSpec(
        "accessControl",
        "addOns/accessControl/src/main/java/org/zaproxy/zap/extension/accessControl",
        ("AccessControlAlertsProcessor.java",),
        row_access_control,
    ),
    "ascanrules": AddonSpec(
        "ascanrules",
        "addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules",
        ("*ScanRule.java",),
        row_active_release,
    ),
    "ascanrulesBeta": AddonSpec(
        "ascanrulesBeta",
        "addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta",
        ("*ScanRule.java",),
        row_active_beta,
    ),
    "graphql": AddonSpec(
        "graphql",
        "addOns/graphql/src/main/java/org/zaproxy/addon/graphql",
        (
            "GraphQlParser.java",
            "GraphQlFingerprinter.java",
            "GraphQlCycleDetector.java",
        ),
        row_graphql,
    ),
    "pscanrules": AddonSpec(
        "pscanrules",
        "addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules",
        ("*ScanRule.java",),
        row_passive_release,
    ),
    "pscanrulesAlpha": AddonSpec(
        "pscanrulesAlpha",
        "addOns/pscanrulesAlpha/src/main/java/org/zaproxy/zap/extension/pscanrulesAlpha",
        ("*ScanRule.java", "Base64Disclosure.java"),
        row_passive_alpha,
    ),
    "pscanrulesBeta": AddonSpec(
        "pscanrulesBeta",
        "addOns/pscanrulesBeta/src/main/java/org/zaproxy/zap/extension/pscanrulesBeta",
        ("*ScanRule.java",),
        row_passive_beta,
    ),
    "retire": AddonSpec(
        "retire",
        "addOns/retire/src/main/java/org/zaproxy/addon/retire",
        ("*ScanRule.java",),
        row_retire,
    ),
    "soap": AddonSpec(
        "soap",
        "addOns/soap/src/main/java/org/zaproxy/zap/extension/soap",
        ("*ScanRule.java",),
        row_soap,
    ),
    "sqliplugin": AddonSpec(
        "sqliplugin",
        "addOns/sqliplugin/src/main/java/org/zaproxy/zap/extension/sqliplugin",
        ("*ScanRule.java",),
        row_sqliplugin,
    ),
}


def load_csv_classes(csv_path: Path, spec: AddonSpec) -> dict[str, dict]:
    raw = csv_path.read_text(encoding="utf-8").replace("\r\n", "\n").replace("\r", "\n")
    lines = raw.split("\n")
    start = next(i for i, ln in enumerate(lines) if ln.startswith("Buffer Overflow,"))
    rows = list(csv.reader(lines[start:]))
    out: dict[str, dict] = {}
    for row in rows:
        if len(row) < 9:
            continue
        name = row[0]
        cls = _cls(row)
        if not row[1].strip() or row[1].strip() == "Class Name":
            continue
        if not spec.csv_row_ok(row):
            continue
        if cls in ("ActiveScriptScanRule", "PassiveScriptScanRule"):
            continue
        out[cls] = {
            "rule": name,
            "2025": row[6].strip(),
            "api": row[8].strip(),
            "notes": row[9].strip() if len(row) > 9 else "",
        }
    return out


def collect_java_files(repo: Path, spec: AddonSpec) -> dict[str, Path]:
    root = repo / spec.java_dir
    if not root.is_dir():
        raise FileNotFoundError(f"Java root not found: {root}")
    files: dict[str, Path] = {}
    for pattern in spec.globs:
        for p in root.glob(pattern):
            files[p.stem] = p
    return files


def tags_in_java(text: str) -> tuple[set[str], set[str]]:
    owasp = set(re.findall(r"CommonAlertTag\.(OWASP_2025_[A-Z0-9_]+)", text))
    api = set(re.findall(r"CommonAlertTag\.(API_2023_[A-Z0-9_]+)", text))
    return owasp, api


def effective_tags_for_rule(cls: str, files: dict[str, Path]) -> tuple[set[str], set[str]]:
    paths: list[Path] = []
    if cls in MERGE_ALERT_TAGS_FROM:
        dep = MERGE_ALERT_TAGS_FROM[cls]
        if dep not in files:
            raise KeyError(f"delegate {dep}.java not found for {cls}")
        paths.append(files[dep])
    if cls not in files:
        raise KeyError(cls)
    paths.append(files[cls])
    o: set[str] = set()
    a: set[str] = set()
    for p in paths:
        t = p.read_text(encoding="utf-8")
        o2, a2 = tags_in_java(t)
        o |= o2
        a |= a2
    return o, a


def parse_csv_tags(cell: str) -> set[str]:
    if not cell or cell in ("-", "—"):
        return set()
    parts = re.split(r",\s*", cell)
    return {p.strip() for p in parts if p.strip() and not p.startswith("[")}


def main() -> None:
    parser = argparse.ArgumentParser(
        description="Compare OWASP mapping CSV to an add-on's Java alert tags.",
    )
    parser.add_argument("csv", type=Path, help="Path to mapping CSV")
    parser.add_argument("repo", type=Path, help="zap-extensions repository root")
    parser.add_argument(
        "addon",
        choices=sorted(ADDONS.keys()),
        help="Add-on id (see choices)",
    )
    args = parser.parse_args()
    spec = ADDONS[args.addon]

    if not args.csv.is_file():
        print(f"error: CSV not found: {args.csv}", file=sys.stderr)
        sys.exit(2)

    csv_map = load_csv_classes(args.csv, spec)
    try:
        files = collect_java_files(args.repo, spec)
    except FileNotFoundError as e:
        print(f"error: {e}", file=sys.stderr)
        sys.exit(2)

    for cls in sorted(set(files) - set(csv_map)):
        print(f"EXTRA (code, not in CSV filter): {cls}")
    for cls in sorted(set(csv_map) - set(files)):
        print(f"MISSING (CSV row, no java): {cls}")

    for cls, _path in sorted(files.items()):
        if cls not in csv_map:
            continue
        try:
            c25, c_api = effective_tags_for_rule(cls, files)
        except KeyError as e:
            print(f"ERROR {cls}: {e}")
            continue
        row = csv_map[cls]
        e25 = parse_csv_tags(row["2025"])
        e_api = parse_csv_tags(row["api"])
        if c25 != e25:
            src = f"+{MERGE_ALERT_TAGS_FROM[cls]}" if cls in MERGE_ALERT_TAGS_FROM else ""
            print(f"MISMATCH 2025 {cls}{src}: csv={sorted(e25)} code={sorted(c25)}")
        if c_api != e_api:
            src = f"+{MERGE_ALERT_TAGS_FROM[cls]}" if cls in MERGE_ALERT_TAGS_FROM else ""
            print(f"MISMATCH API {cls}{src}: csv={sorted(e_api)} code={sorted(c_api)}")


if __name__ == "__main__":
    main()

Usage example:
python3 path/to/check_csv.py "$HOME/Downloads/2026 Updated Rule OWASP Mappings - Sheet1.csv" . ascanrulesBeta

[psiinon]

Now has conflicts.

[kingthorin]

Ok, I'll tackle that in a bit

[kingthorin]

Deconflicted.

[thc202]

Running the script I get some mismatches (I double checked with the original doc that they are correct).

MISMATCH API SOAPActionSpoofingActiveScanRule: csv=['API_2023_API5_BROKEN_FLA'] code=['API_2023_API10_UNSAFE_CONSUMPTION']
MISMATCH 2025 UsernameEnumerationScanRule: csv=['OWASP_2025_A07_AUTH_FAIL'] code=['OWASP_2025_A02_SEC_MISCONFIG']

I don't know if these are the only ones (edit: double checked and these are the only mismatches).

[thc202]

These were not included in the original doc, on purpose?

10103 - ImageLocationScanRule
40026 - DomXssScanRule

[kingthorin]

DOM and ILS were just missed in the original.

[kingthorin]

Thanks, I'll check the misses. I thought I had it down to zero but it was a hectic day and I may have lost track of something. I'll recheck them all.

[thc202]

These ones are missing from the PR:

40015 - LdapInjectionScanRule
40024 - SqlInjectionSqLiteTimingScanRule
40039 - WebCacheDeceptionScanRule

[kingthorin]

All addressed, as discussed on slack.

[thc202]

Thank you!