Reports: XML template fixes

addOns/reports/CHANGELOG.md

@@ -14,6 +14,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ### Fixed
 - Include all relevant alerts in XML report templates (Issue 6627).
+- Made XML reports more backwards compatible and fixed issue with generating it via the API.
 
 ## [0.3.0] - 2021-05-06
 ### Added

addOns/reports/src/main/java/org/zaproxy/addon/reports/ExtensionReports.java

@@ -26,6 +26,7 @@
 import java.io.IOException;
 import java.io.OutputStream;
 import java.io.Writer;
+import java.lang.reflect.InvocationTargetException;
 import java.lang.reflect.Method;
 import java.nio.charset.StandardCharsets;
 import java.nio.file.Files;
@@ -50,6 +51,9 @@
 import org.parosproxy.paros.core.scanner.Alert;
 import org.parosproxy.paros.extension.ExtensionAdaptor;
 import org.parosproxy.paros.extension.ExtensionHook;
+import org.parosproxy.paros.model.Model;
+import org.parosproxy.paros.model.SiteMap;
+import org.parosproxy.paros.model.SiteNode;
 import org.parosproxy.paros.view.View;
 import org.thymeleaf.TemplateEngine;
 import org.thymeleaf.context.Context;
@@ -174,6 +178,20 @@ protected AlertNode cloneAlertNode(AlertNode alertNode) {
         return clone;
     }
 
+    public static List<String> getSites() {
+        List<String> list = new ArrayList<>();
+        SiteMap siteMap = Model.getSingleton().getSession().getSiteTree();
+        SiteNode root = siteMap.getRoot();
+        if (root.getChildCount() > 0) {
+            SiteNode child = (SiteNode) root.getFirstChild();
+            while (child != null) {
+                list.add(child.getName());
+                child = (SiteNode) root.getChildAfter(child);
+            }
+        }
+        return list;
+    }
+
     public static boolean isIncluded(ReportData reportData, AlertNode alertNode) {
         Alert alert = alertNode.getUserObject();
         if (alert == null) {
@@ -219,20 +237,26 @@ public static boolean isIncluded(ReportData reportData, AlertNode alertNode) {
         return true;
     }
 
-    public AlertNode getFilteredAlertTree(ReportData reportData) {
-
-        AlertNode root = null;
-
+    private AlertNode getRootAlertNode()
+            throws NoSuchMethodException, SecurityException, IllegalAccessException,
+                    IllegalArgumentException, InvocationTargetException {
         ExtensionAlert extAlert =
                 Control.getSingleton().getExtensionLoader().getExtension(ExtensionAlert.class);
 
-        try {
-            Method treeModelMethod = extAlert.getClass().getDeclaredMethod("getTreeModel");
-            treeModelMethod.setAccessible(true);
+        Method treeModelMethod = extAlert.getClass().getDeclaredMethod("getTreeModel");
+        treeModelMethod.setAccessible(true);
+
+        DefaultTreeModel treeModel = (DefaultTreeModel) treeModelMethod.invoke(extAlert);
+
+        return (AlertNode) treeModel.getRoot();
+    }
 
-            DefaultTreeModel treeModel = (DefaultTreeModel) treeModelMethod.invoke(extAlert);
+    public AlertNode getFilteredAlertTree(ReportData reportData) {
+
+        AlertNode root = null;
 
-            root = (AlertNode) treeModel.getRoot();
+        try {
+            root = getRootAlertNode();
 
             AlertNode filteredRoot = cloneAlertNode(root);
             AlertNode child;

addOns/reports/src/main/java/org/zaproxy/addon/reports/ReportDialog.java

@@ -28,8 +28,6 @@
 import java.util.List;
 import java.util.Map;
 import java.util.Map.Entry;
-import java.util.stream.Collectors;
-import java.util.stream.IntStream;
 import javax.swing.BoxLayout;
 import javax.swing.DefaultListCellRenderer;
 import javax.swing.DefaultListModel;
@@ -48,8 +46,6 @@
 import org.apache.logging.log4j.Logger;
 import org.parosproxy.paros.Constant;
 import org.parosproxy.paros.model.Model;
-import org.parosproxy.paros.model.SiteMap;
-import org.parosproxy.paros.model.SiteNode;
 import org.parosproxy.paros.view.View;
 import org.zaproxy.zap.extension.alert.AlertNode;
 import org.zaproxy.zap.model.Context;
@@ -103,7 +99,6 @@ public class ReportDialog extends StandardFieldsDialog {
     private ExtensionReports extension = null;
     private JButton[] extraButtons = null;
     private DefaultListModel<Context> contextsModel;
-    private DefaultListModel<String> sitesModel;
 
     private JList<Context> contextsSelector;
     private JList<String> sitesSelector;
@@ -123,7 +118,6 @@ public void init() {
         this.removeAllFields();
         // Ensure the contexts and sites get re-read as they may well have changed
         this.contextsModel = null;
-        this.sitesModel = null;
         this.contextsSelector = null;
         this.sitesSelector = null;
 
@@ -390,25 +384,12 @@ public Component getListCellRendererComponent(
         return contextsSelector;
     }
 
-    private DefaultListModel<String> getSitesModel() {
-        if (sitesModel == null) {
-            sitesModel = new DefaultListModel<>();
-            SiteMap siteMap = Model.getSingleton().getSession().getSiteTree();
-            SiteNode root = siteMap.getRoot();
-            if (root.getChildCount() > 0) {
-                SiteNode child = (SiteNode) root.getFirstChild();
-                while (child != null) {
-                    sitesModel.addElement(child.getName());
-                    child = (SiteNode) root.getChildAfter(child);
-                }
-            }
-        }
-        return sitesModel;
-    }
-
     private JList<String> getSitesSelector() {
         if (sitesSelector == null) {
-            sitesSelector = new JList<>(getSitesModel());
+            List<String> list = ExtensionReports.getSites();
+            String[] arr = new String[list.size()];
+            list.toArray(arr);
+            sitesSelector = new JList<String>(arr);
         }
         return sitesSelector;
     }
@@ -453,10 +434,7 @@ private ReportData getReportData(Template template) {
         reportData.setTheme(template.getThemeForName(getStringValue(FIELD_THEME)));
         if (reportData.getSites().isEmpty()) {
             // None selected so add all
-            reportData.setSites(
-                    IntStream.range(0, getSitesModel().size())
-                            .mapToObj(getSitesModel()::get)
-                            .collect(Collectors.toList()));
+            reportData.setSites(ExtensionReports.getSites());
         }
         reportData.setIncludeConfidence(0, this.getBoolValue(FIELD_CONFIDENCE_0));
         reportData.setIncludeConfidence(1, this.getBoolValue(FIELD_CONFIDENCE_1));

addOns/reports/src/main/java/org/zaproxy/addon/reports/automation/ReportJob.java

@@ -72,9 +72,11 @@ public void runJob(
         // Work out the file name based on the pattern
         String fileName =
                 ExtensionReports.getNameFromPattern(
-                                reportFile, env.getDefaultContextWrapper().getUrls().get(0))
-                        + "."
-                        + template.getExtension();
+                        reportFile, env.getDefaultContextWrapper().getUrls().get(0));
+
+        if (!fileName.endsWith("." + template.getExtension())) {
+            fileName += "." + template.getExtension();
+        }
 
         File file;
         if (reportDir != null && reportDir.length() > 0) {
@@ -85,6 +87,7 @@ public void runJob(
         reportData.setTitle(this.reportTitle);
         reportData.setDescription(this.reportDesc);
         reportData.setContexts(env.getContexts());
+        reportData.setSites(ExtensionReports.getSites());
 
         List<String> list = getJobDataList(jobData, "risks", progress);
         if (list.isEmpty()) {

addOns/reports/src/main/zapHomeFiles/reports/traditional-xml/report.xml

@@ -18,7 +18,8 @@
 							th:text="${helper.getRiskString(alert.risk) + ' (' + helper.getConfidenceString(alert.confidence) + ')'}"></riskdesc>
 						<confidencedesc
 							th:text="${helper.getConfidenceString(alert.confidence)}"></confidencedesc>
-						<desc th:text="${alert.description}"></desc>
+						<desc
+							th:text="${helper.legacyEscapeParagraph(alert.description)}"></desc>
 						<instances>
 							<th:block th:each="instance: ${instances}">
 								<instance>
@@ -31,9 +32,12 @@
 							</th:block>
 						</instances>
 						<count th:text="${instances.size()}"></count>
-						<solution th:text="${alert.solution}"></solution>
-						<otherinfo th:text="${alert.otherinfo}"></otherinfo>
-						<reference th:text="${alert.reference}"></reference>
+						<solution
+							th:text="${helper.legacyEscapeParagraph(alert.solution)}"></solution>
+						<otherinfo
+							th:text="${helper.legacyEscapeParagraph(alert.otherinfo)}"></otherinfo>
+						<reference
+							th:text="${helper.legacyEscapeParagraph(alert.reference)}"></reference>
 						<cweid th:text="${alert.cweid}"></cweid>
 						<wascid th:text="${alert.wascid}"></wascid>
 						<sourceid th:text="${alert.sourceHistoryId}"></sourceid>