ZAP
Patches for Zed Attack Proxy by Checkmarx x64
Windows
8 patches available
The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by a dedicated international team of volunteers. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing your applications. It's also a great tool for experienced pentesters to use for manual security testing.
Zed Attack Proxy by Checkmarx x64 Version 2.17.0
Release Date
12/15/2025
Bug Fix?
Yes
Minor Release?
Yes
Patch Notes
Release 2.17.0
This is a bug fix and enhancement release.

Alert De-duplication
Changes have been made in order to reduce the number of alerts which ZAP may raise that are duplicates or highly similar, more closely being aligned with the Sites Tree representation. See the Alert De-duplication blog for further details.

Systemic Alerts
Alerts that are typically site-wide will now be flagged as being “Systemic” in both the ZAP Desktop UI and in reports.

This can also significantly reduce the number of “duplicate” alerts reported.

Insights
A new “Insights” tab shows key information which is not related to vulnerabilities, or potentially even related to the application in question.

Insights tell you more about your applications, about the effectiveness of a scan, and can even stop a scan early if significant problems are identified.

Insights are also available in all of the official ZAP reports.

Improved Disk and Memory Space Error Handling
ZAP will now detect disk and memory space issues and attempt to handle them more gracefully.

Any problems encountered will be reported via the Insights.

Automation Disk Space Reduction
Active Scan Temporary HTTP Messages are no longer persisted by default when ZAP is run headless. This can significantly reduce the amount of disk space needed.

The option is also available in the Desktop but is turned off by default, so that the user can inspect them.

Structured Reports ISO 8601 Standard Date
The structured reports (JSON and XML) now have an ISO 8601 standard date field/attribute (“created”); the existing “generatedString” field will be removed in the future.

Dependency Updates
As usual the release includes dependency updates.

The following libraries were updated:

Commons Beanutils, 1.10.1 → 1.11.0
Commons Codec, 1.18.0 → 1.20.0
Commons CSV, 1.12.0 → 1.14.1
Commons IO, 2.18.0 → 2.21.0
Commons Lang3, 2.17.0 → 3.19.0
Commons Text, 1.13.0 → 1.14.0
Flatlaf, 3.5.4 → 3.7
Flatlaf Swingx, 3.5.4 → 3.6.2
Jfreechart, 1.5.5 → 1.5.6
Jgrapht Core, 0.9.0 → 0.9.2
Log4j 1.2 API, 2.24.3 → 2.25.2
Log4j API, 2.24.3 → 2.25.2
Log4j Core, 2.24.3 → 2.25.2
Log4j Jul, 2.24.3 → 2.25.2

Add-Ons

Updated Add-Ons
All of the add-ons included by default have been updated since the last full release.

New Add-Ons
Insights - as detailed above

Enhancements
Issue 434: ZAP should exit when running out of memory
Issue 2382: IOException - data file enlarge failed
Issue 3486: Enhancement: ZAP GUI Warn User When its out of Memory
Issue 8904: JSON Input Vector doesn’t handle top level primitive types
Issue 8910: Sync anti-csrf token regen/use in active scanner
Issue 8911: New variant: Request body with no or plain text content type
Issue 8919: Avoid concurrent scan of similar pages
Issue 8920: Exclude anti-csrf tokens from the active scan
Issue 8955: zap.sh does not respect $JAVA_HOME
Issue 8982: Include rule name in Active Scan skip tooltip
Issue 8992: Allow to copy rule config fields
Issue 8997: Improve support for FreeBSD
Issue 9044: Implement DPI-aware divider sizing for WorkbenchPanel split panes
Issue 9067: Alert tree de-duplication
Issue 9072: Address log flooding when DB is full
Issue 9073: Reset search field on session changes
Issue 9074: Add option for temp active scan msgs persistence
Issue 9097: Systemic alert support
Issue 9108: Get false positive alerts from alert/view/alerts/ API endpoint
Issue 9113: Adjust Alert compareTo and equals for case sensitive URI comparison
Issue 9117: Record stats for authenticated ascans
Issue 9120: Change policies to support statsId and readonly
Issue 9123: Make script-based auth method easier to extend
Issue 9136: Suppress XML prolog errors
Issue 9138: Allow to lock scan policies
Issue 9153: Set systemic limit default

Bug fixes
Issue 4530: Site Tree XML POST Parameter Name Issue
Issue 6656: Default Content-Type charset is not always considered
Issue 8327: H
Zed Attack Proxy by Checkmarx x64 Version 2.16.1
Release Date
3/25/2025
Bug Fix?
Yes
Minor Release?
Yes
Patch Notes
Release 2.16.1
This is a bug fix release, along with some minor enhancements.

This release was made possible thanks to Checkmarx who employ 3 of the Core Team to work on ZAP.

These release notes do not include all of the changes included in add-ons updated since 2.16.0.

The enhancements include:

Use Main Output Tab for Scripts
The Script Console no longer includes its own “Script Output” panel. Instead it uses the main Output tab.

Support Sub-tabs in Output Tab
The Output tab now supports sub-tabs. The Script Console add-on will add one tab for each script that generates any output, making it much easier to see where output messages come from.

API Support for Pluggable Authentication and Session Management
The API now supports pluggable Authentication and Session Management methods, which means you can configure modern options like Browser Based Authentication.

Authentication Enhancements
Many enhancements have been made to ensure ZAP handles authentication more easily and effectively, including support for TOTP.

Windows Native Decorations Support
ZAP now supports Native Decorations on Windows systems, providing a more unified and visually pleasing experience.

AJAX Spider URL Count
The AJAX Spider no longer counts URLs that are out of scope. This may affect any tests you have in place.

Dependency Updates
As usual the release includes dependency updates.

The following libraries were updated:

Commons Beanutils, 1.9.4 → 1.10.1
Commons Codec, 1.17.1 → 1.18.0
Commons Logging, 1.3.4 → 1.3.5
Commons Text, 1.12.0 → 1.13.0
log4j-1.2-api, 2.24.2 → 2.24.3
log4j-api, 2.24.2 → 2.24.3
log4j-core, 2.24.2 → 2.24.3
log4j-jul, 2.24.2 → 2.24.3
Rsyntaxtextarea, 3.5.3 → 3.6.0

Enhancements
Issue 8843: Support CakePHP CSRF Token name
Issue 8868: Adjust Footer Status Icons Label
Issue 8872: Tag verification requests
Issue 8879: Look and feel: Use native decorations on Windows
Issue 8885: Allow API access to dynamically added Authn & Session Mgmt Method Types
Issue 8886: Provide DB details and notify close
Issue 8892: Add TOTP to credentials

Bug fixes
Issue 8760: Links are unreadable in the Flat Darcula theme
Issue 8819: Fix error when no Java version is found in zap.sh
Issue 8862: Fix alert editing through the GUI
Zed Attack Proxy by Checkmarx x64 Version 2.16.0
Release Date
1/10/2025
Bug Fix?
Yes
Minor Release?
Yes
Patch Notes
Release 2.16.0
This is a bug fix and enhancement release. Look out for new Blog Posts and Videos which will cover some of these new features in much more depth in the coming days and weeks.

This release was made possible thanks to Checkmarx who employ 3 of the Core Team to work on ZAP.

These release notes do not include all of the changes included in add-ons updated since 2.15.0.

Some of the more significant enhancements include:

Update to a Minimum of Java 17
ZAP now requires a minimum of Java 17 to run. This allows us to use more modern Java features in the ZAP codebase.

As a result of this move scripts which use the Nashorn JavaScript engine may no longer work; this is because the engine is no longer present in Java 17. Any scripts configured to use Nashorn will automatically be changed to use the Graal.js JavaScript engine. However you may still need to migrate these scripts; see the Migration Guide from Nashorn to GraalJS.