Update codebase to ZAP 2.16

Change all add-ons and `testutils` to use 2.16 (SNAPSHOT).
Update code accordingly (e.g. address deprecations).

Signed-off-by: thc202 <thc202@gmail.com>

addOns/accessControl/CHANGELOG.md

@@ -5,7 +5,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ## Unreleased
 ### Changed
-- Update minimum ZAP version to 2.15.0.
+- Update minimum ZAP version to 2.16.0.
 - Maintenance changes.
 
 ## [10] - 2024-03-25

addOns/addOns.gradle.kts

@@ -161,7 +161,7 @@ subprojects {
         }
     }
 
-    val zapGav = "org.zaproxy:zap:2.15.0"
+    val zapGav = "org.zaproxy:zap:2.16.0-SNAPSHOT"
     dependencies {
         "zap"(zapGav)
     }
@@ -174,7 +174,7 @@ subprojects {
         )
 
         manifest {
-            zapVersion.set("2.15.0")
+            zapVersion.set("2.16.0")
 
             changesFile.set(tasks.named<ConvertMarkdownToHtml>("generateManifestChanges").flatMap { it.html })
             repo.set("https://github.com/zaproxy/zap-extensions/")

addOns/alertFilters/CHANGELOG.md

@@ -5,6 +5,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ## Unreleased
 ### Changed
+- Update minimum ZAP version to 2.16.0.
 - Fields with default or missing values are omitted for the `alertFilter` job in saved Automation Framework plans.
 - Depend on Passive Scanner add-on (Issue 7959).
 

addOns/allinonenotes/CHANGELOG.md

@@ -5,7 +5,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ## Unreleased
 ### Changed
-- Update minimum ZAP version to 2.15.0.
+- Update minimum ZAP version to 2.16.0.
 - Maintenance changes.
 
 ### Fixed

addOns/ascanrules/CHANGELOG.md

@@ -5,6 +5,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ## Unreleased
 ### Changed
+- Update minimum ZAP version to 2.16.0.
 - Updated help with specific Category identifiers for use with the Custom Payloads add-on for rules:
     - Hidden File Finder
     - User Agent Fuzzer

addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/RemoteCodeExecutionCve20121823ScanRule.java

@@ -62,7 +62,7 @@ public class RemoteCodeExecutionCve20121823ScanRule extends AbstractAppPlugin
 
     /** a random string (which remains constant across multiple runs, as long as Zap is not */
     static final String RANDOM_STRING =
-            RandomStringUtils.random(20, "abcdefghijklmnopqrstuvwxyz0123456789");
+            RandomStringUtils.secure().next(20, "abcdefghijklmnopqrstuvwxyz0123456789");
 
     private static final String ATTACK_PARAM =
             "?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input";

addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionSqLiteScanRule.java

@@ -498,9 +498,10 @@ public void scan(HttpMessage originalMessage, String paramName, String originalP
                         // a potential SQL injection causing payload.
                         HttpMessage msgParseDelay = getNewMsg();
                         String parseDelayCheckParameter =
-                                RandomStringUtils.random(
-                                        newTimeBasedInjectionValue.length(),
-                                        RANDOM_PARAMETER_CHARS);
+                                RandomStringUtils.secure()
+                                        .next(
+                                                newTimeBasedInjectionValue.length(),
+                                                RANDOM_PARAMETER_CHARS);
                         setParameter(msgParseDelay, paramName, parseDelayCheckParameter);
                         sendAndReceive(msgParseDelay);
                         countTimeBasedRequests++;

addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SstiScanRule.java

@@ -215,7 +215,8 @@ private void efficientScan(HttpMessage msg, String paramName, String value) {
             alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
         }
 
-        String referenceValue = RandomStringUtils.random(errorPolyglots[0].length(), alphabet);
+        String referenceValue =
+                RandomStringUtils.secure().next(errorPolyglots[0].length(), alphabet);
         HttpMessage refMsg = getNewMsg();
         setParameter(refMsg, paramName, referenceValue);
         try {

addOns/ascanrulesAlpha/CHANGELOG.md

@@ -5,6 +5,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ## Unreleased
 ### Changed
+- Update minimum ZAP version to 2.16.0.
 - Maintenance changes.
 
 ## [48] - 2024-09-02

addOns/ascanrulesAlpha/src/main/java/org/zaproxy/zap/extension/ascanrulesAlpha/LdapInjectionScanRule.java

@@ -242,7 +242,8 @@ public void scan(HttpMessage originalmsg, String paramname, String paramvalue) {
             // to see if a placebo attack has the same effect
             // the parameter will be the same length as the actual attack, but will contain purely
             // alphanumeric characters
-            String placeboAttack = RandomStringUtils.randomAlphanumeric(errorAttack.length());
+            String placeboAttack =
+                    RandomStringUtils.secure().nextAlphanumeric(errorAttack.length());
             HttpMessage placeboAttackMsg = getNewMsg();
             this.setParameter(placeboAttackMsg, paramname, placeboAttack);
             sendAndReceive(placeboAttackMsg);
@@ -286,7 +287,7 @@ public void scan(HttpMessage originalmsg, String paramname, String paramvalue) {
             // in output substantially DIFFERENT to the original
             // get a random parameter value the same length as the original!
             String randomparameterAttack =
-                    RandomStringUtils.random(paramvalue.length(), RANDOM_PARAMETER_CHARS);
+                    RandomStringUtils.secure().next(paramvalue.length(), RANDOM_PARAMETER_CHARS);
             LOGGER.debug("The random parameter chosen was [{}]", randomparameterAttack);
 
             HttpMessage randomParamMsg1 = getNewMsg();

addOns/ascanrulesBeta/CHANGELOG.md

@@ -5,6 +5,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ## Unreleased
 ### Changed
+- Update minimum ZAP version to 2.16.0.
 - The following scan rules now use more specific CWE IDs:
     - Proxy Disclosure (Issue 8713)
     - Possible Username Enumeration (Issue 8715)

addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/BackupFileDisclosureScanRule.java

@@ -461,9 +461,7 @@ private void findBackupFile(HttpMessage originalMessage) throws Exception {
             }
             String filename = originalMessage.getRequestHeader().getURI().getName();
 
-            String randomfilename =
-                    RandomStringUtils.random(
-                            filename.length(), "abcdefghijklmnopqrstuvwxyz0123456789");
+            String randomfilename = random(filename.length());
             String randomfilepath = temppath.substring(0, slashposition) + "/" + randomfilename;
 
             LOGGER.debug("Trying non-existent file: {}", randomfilepath);
@@ -506,10 +504,7 @@ private void findBackupFile(HttpMessage originalMessage) throws Exception {
                 // If the parent folder name is really short a collision is likely
                 // Default to a reasonable length, which may have the inverse effect but we'll
                 // chance it
-                String randomparentfoldername =
-                        RandomStringUtils.random(
-                                Math.max(parentfoldername.length(), 4),
-                                "abcdefghijklmnopqrstuvwxyz0123456789");
+                String randomparentfoldername = random(Math.max(parentfoldername.length(), 4));
 
                 // replace the parent folder name with the random one, and build it back into a
                 // string
@@ -808,6 +803,10 @@ private void findBackupFile(HttpMessage originalMessage) throws Exception {
         }
     }
 
+    private static String random(int count) {
+        return RandomStringUtils.secure().next(count, "abcdefghijklmnopqrstuvwxyz0123456789");
+    }
+
     private static void setMessageCookies(HttpMessage newMsg, HttpMessage originalMsg) {
         try {
             newMsg.setCookieParams(originalMsg.getCookieParams());

addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/CorsScanRule.java

@@ -49,7 +49,7 @@
  */
 public class CorsScanRule extends AbstractAppPlugin implements CommonActiveScanRuleInfo {
     private static final Logger LOGGER = LogManager.getLogger(CorsScanRule.class);
-    private static final String RANDOM_NAME = RandomStringUtils.random(8, true, true);
+    private static final String RANDOM_NAME = RandomStringUtils.secure().next(8, true, true);
     private static final Map<String, String> ALERT_TAGS;
 
     static {

addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/InsecureHttpMethodScanRule.java

@@ -364,8 +364,8 @@ private void testTraceOrTrack(String method) throws Exception {
         // TRACE is supported in 1.0. TRACK is presumably the same, since it is
         // a alias for TRACE. Typical Microsoft.
         msg.getRequestHeader().setVersion(HttpRequestHeader.HTTP10);
-        String randomcookiename = RandomStringUtils.randomAlphanumeric(15);
-        String randomcookievalue = RandomStringUtils.randomAlphanumeric(40);
+        String randomcookiename = randomAlphanumeric(15);
+        String randomcookievalue = randomAlphanumeric(40);
         TreeSet<HtmlParameter> cookies = msg.getCookieParams();
         cookies.add(
                 new HtmlParameter(HtmlParameter.Type.cookie, randomcookiename, randomcookievalue));
@@ -539,10 +539,10 @@ private void testHttpMethod(String httpMethod) throws Exception {
 
         if (httpMethod.equals(HttpRequestHeader.PUT)
                 || httpMethod.equals(HttpRequestHeader.PATCH)) {
-            String randomKey = RandomStringUtils.randomAlphanumeric(15);
-            String randomValue = RandomStringUtils.randomAlphanumeric(15);
+            String randomKey = randomAlphanumeric(15);
+            String randomValue = randomAlphanumeric(15);
             String randomResource =
-                    RandomStringUtils.random(10, "abcdefghijklmnopqrstuvwxyz0123456789");
+                    RandomStringUtils.secure().next(10, "abcdefghijklmnopqrstuvwxyz0123456789");
             String requestBody = '"' + randomKey + "\":\"" + randomValue + '"';
             String newURI = msg.getRequestHeader().getURI().toString();
             if (newURI.endsWith("/")) {
@@ -637,4 +637,8 @@ private void testHttpMethod(String httpMethod) throws Exception {
         } catch (Exception e) {
         }
     }
+
+    private static String randomAlphanumeric(int count) {
+        return RandomStringUtils.secure().nextAlphanumeric(count);
+    }
 }

addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/ProxyDisclosureScanRule.java

@@ -256,8 +256,8 @@ public void scan() {
             tracemsg.setRequestHeader(traceRequestHeader);
             // create a random cookie, and set it up, so we can detect if the TRACE is enabled (in
             // which case, it should echo it back in the response)
-            String randomcookiename = RandomStringUtils.randomAlphanumeric(15);
-            String randomcookievalue = RandomStringUtils.randomAlphanumeric(40);
+            String randomcookiename = randomAlphanumeric(15);
+            String randomcookievalue = randomAlphanumeric(40);
             TreeSet<HtmlParameter> cookies = tracemsg.getCookieParams();
             cookies.add(
                     new HtmlParameter(
@@ -391,7 +391,7 @@ public void scan() {
                 int step2numberOfNodesForMethod = 0;
                 String[] nodeServersForMethod = new String[MAX_FORWARDS_MAXIMUM + 2];
                 String previousServerDetails =
-                        RandomStringUtils.random(15, "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789");
+                        RandomStringUtils.secure().next(15, "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789");
                 int previousResponseStatusCode = 0;
                 int responseStatusCode = 0;
                 boolean httpHandled =
@@ -454,8 +454,8 @@ public void scan() {
 
                     // create a random cookie, and set it up, so we can detect if the TRACE is
                     // enabled (in which case, it should echo it back in the response)
-                    String randomcookiename2 = RandomStringUtils.randomAlphanumeric(15);
-                    String randomcookievalue2 = RandomStringUtils.randomAlphanumeric(40);
+                    String randomcookiename2 = randomAlphanumeric(15);
+                    String randomcookievalue2 = randomAlphanumeric(40);
                     TreeSet<HtmlParameter> cookies2 = mfMethodMsg.getCookieParams();
                     cookies2.add(
                             new HtmlParameter(
@@ -579,7 +579,7 @@ public void scan() {
             //	  yes, I know TRACK requests should *not* be cached, but not all servers are
             // compliant.
             String randompiece =
-                    RandomStringUtils.random(5, "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789");
+                    RandomStringUtils.secure().next(5, "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789");
             trackRequestHeader.setURI(
                     new URI(
                             trackURI.getScheme()
@@ -765,6 +765,10 @@ public void scan() {
         }
     }
 
+    private static String randomAlphanumeric(int count) {
+        return RandomStringUtils.secure().nextAlphanumeric(count);
+    }
+
     private static String getPath(URI uri) {
         String path = uri.getEscapedPath();
         if (path != null) {

addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/RelativePathConfusionScanRule.java

@@ -164,11 +164,11 @@ public class RelativePathConfusionScanRule extends AbstractAppPlugin
      * same URL (in Attack mode, for instance) yielding new vulnerabilities via different random
      * file paths.
      */
-    private static final String RANDOM_ATTACK_PATH =
-            "/"
-                    + RandomStringUtils.random(5, RANDOM_PARAMETER_CHARS)
-                    + "/"
-                    + RandomStringUtils.random(5, RANDOM_PARAMETER_CHARS);
+    private static final String RANDOM_ATTACK_PATH = "/" + random(5) + "/" + random(5);
+
+    private static String random(int count) {
+        return RandomStringUtils.secure().next(count, RANDOM_PARAMETER_CHARS);
+    }
 
     private static final Map<String, String> ALERT_TAGS;
 

addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/SourceCodeDisclosureFileInclusionScanRule.java

@@ -51,7 +51,7 @@ public class SourceCodeDisclosureFileInclusionScanRule extends AbstractAppParamP
 
     // use a random file name which is very unlikely to exist
     private static final String NON_EXISTANT_FILENAME =
-            RandomStringUtils.random(38, "abcdefghijklmnopqrstuvwxyz");
+            RandomStringUtils.secure().next(38, "abcdefghijklmnopqrstuvwxyz");
 
     // the prefixes to try for source file inclusion
     private String[] LOCAL_SOURCE_FILE_TARGET_PREFIXES = {

addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/UsernameEnumerationScanRule.java

@@ -395,7 +395,8 @@ public void scan() {
 
                 // get a random user name the same length as the original!
                 String invalidUsername =
-                        RandomStringUtils.randomAlphabetic(currentHtmlParameter.getValue().length())
+                        RandomStringUtils.secure()
+                                .nextAlphabetic(currentHtmlParameter.getValue().length())
                                 .toLowerCase(Locale.ROOT);
 
                 LOGGER.debug("The invalid username chosen was [{}]", invalidUsername);

addOns/authhelper/CHANGELOG.md

@@ -5,6 +5,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ## Unreleased
 ### Changed
+- Update minimum ZAP version to 2.16.0.
 - Depend on Passive Scanner add-on (Issue 7959).
 - Address deprecation warnings with newer Selenium version (4.27).
 

addOns/authhelper/src/test/java/org/zaproxy/addon/authhelper/SessionDetectionScanRuleUnitTest.java

@@ -46,8 +46,8 @@
 import org.zaproxy.addon.authhelper.HeaderBasedSessionManagementMethodType.HeaderBasedSessionManagementMethod;
 import org.zaproxy.zap.authentication.AuthenticationMethod;
 import org.zaproxy.zap.authentication.AuthenticationMethod.AuthCheckingStrategy;
+import org.zaproxy.zap.extension.pscan.PassiveScanActions;
 import org.zaproxy.zap.extension.pscan.PassiveScanData;
-import org.zaproxy.zap.extension.pscan.PassiveScanTaskHelper;
 import org.zaproxy.zap.model.Context;
 import org.zaproxy.zap.network.HttpRequestBody;
 import org.zaproxy.zap.network.HttpResponseBody;
@@ -113,10 +113,9 @@ void shouldSetHeaderBasedSessionManagment() throws Exception {
         AuthUtils.recordSessionToken(
                 new SessionToken(SessionToken.HEADER_SOURCE, "Authorization", token));
         PassiveScanData helper = mock(PassiveScanData.class);
-        PassiveScanTaskHelper taskHelper = mock(PassiveScanTaskHelper.class);
         SessionDetectionScanRule rule = this.createScanner();
         rule.setHelper(helper);
-        rule.setTaskHelper(taskHelper);
+        rule.setPassiveScanActions(mock(PassiveScanActions.class));
 
         // When
         rule.scanHttpResponseReceive(msg, 1, null);
@@ -168,10 +167,9 @@ void shouldCacheSessionToken() throws Exception {
         AuthUtils.recordSessionToken(
                 new SessionToken(SessionToken.HEADER_SOURCE, "Authorization", token));
         PassiveScanData helper = mock(PassiveScanData.class);
-        PassiveScanTaskHelper taskHelper = mock(PassiveScanTaskHelper.class);
         SessionDetectionScanRule rule = this.createScanner();
         rule.setHelper(helper);
-        rule.setTaskHelper(taskHelper);
+        rule.setPassiveScanActions(mock(PassiveScanActions.class));
 
         // When
         rule.scanHttpResponseReceive(msg, 1, null);

addOns/authstats/CHANGELOG.md

@@ -5,7 +5,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ## Unreleased
 ### Changed
-- Update minimum ZAP version to 2.15.0.
+- Update minimum ZAP version to 2.16.0.
 - Maintenance changes.
 
 ## [2] - 2021-10-07

addOns/automation/CHANGELOG.md

@@ -12,6 +12,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 - Add exitStatus job (Issue #6928)
 
 ### Changed
+- Update minimum ZAP version to 2.16.0.
 - Maintenance changes.
 - Updated automation framework documentation and templates for `activeScan` job to reflect changes to the default value of threadPerHost parameter
 - Update help for the "requestor" job.

addOns/automation/src/test/java/org/zaproxy/addon/automation/ExtentionAutomationUnitTest.java

@@ -1159,7 +1159,7 @@ protected void addTests(Object testsObj, AutomationProgress progress) {
         @Override
         public void logTestsToProgress(AutomationProgress progress) {
             if (testsAdded && testsLogError) {
-                testsLoggedString = RandomStringUtils.randomAlphanumeric(20);
+                testsLoggedString = RandomStringUtils.secure().nextAlphanumeric(20);
                 progress.error(testsLoggedString);
             }
         }

addOns/beanshell/CHANGELOG.md

@@ -6,7 +6,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 ## Unreleased
 ### Changed
 - Maintenance changes.
-- Update minimum ZAP version to 2.15.0.
+- Update minimum ZAP version to 2.16.0.
 - Dependency updates.
 
 ## [7] - 2021-10-07

addOns/browserView/CHANGELOG.md

@@ -5,7 +5,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ## Unreleased
 ### Changed
-- Update minimum ZAP version to 2.15.0.
+- Update minimum ZAP version to 2.16.0.
 
 ## [6] - 2023-03-13
 ### Added

addOns/bruteforce/CHANGELOG.md

@@ -4,7 +4,8 @@ All notable changes to this add-on will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ## Unreleased
-
+### Changed
+- Update minimum ZAP version to 2.16.0.
 
 ## [16] - 2024-05-07
 ### Added

addOns/bugtracker/CHANGELOG.md

@@ -5,7 +5,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ## Unreleased
 ### Changed
-- Update minimum ZAP version to 2.15.0.
+- Update minimum ZAP version to 2.16.0.
 - Maintenance changes.
 
 ### Fixed

addOns/callgraph/CHANGELOG.md

@@ -6,7 +6,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 ## Unreleased
 ### Changed
 - Maintenance changes.
-- Update minimum ZAP version to 2.15.0.
+- Update minimum ZAP version to 2.16.0.
 
 ## [5] - 2021-10-07
 ### Added