LLM Integration

[TmmmmmR]

Overview

This extension integrates LLM with ZAP and includes two main features:

• API Sequencing: Import Swagger/OpenAPI definitions to generate sequences of HTTP calls for subsequent scanning operations.
• Alert Review: Examine an alert and determine the confidence level based on evidence from ZAP, complete with an explanation for the updated confidence level.

Related Issues

Specify any related issues or pull requests by linking to them.

Checklist

• Update help
• Update changelog
• Run ./gradlew spotlessApply for code formatting
• Write tests
• Check code coverage
• Sign-off commits
• Squash commits
• Use a descriptive title

For more details, please refer to the developer rules and guidelines.

[github-actions]

All contributors have signed the CLA ✍️ ✅
_{Posted by the CLA Assistant Lite bot.}

[kingthorin]

I'll have to finish the rest of my review in a bit, but here's some starting bits.

[kingthorin]

Should only have the base help and messages.

[kingthorin]

There's likely a bunch of places swagger should be replaced with openapi.

https://swagger.io/blog/api-strategy/difference-between-swagger-and-openapi/

[yns000]

Hi TmmmmmR,

I started my review on this, but ended up having a few questions, can I propose we setup a meeting between yourself and the 2 reviewers so that to see a demo of the addon?

Thank you,
Yiannis

[TmmmmmR]

Hello @yns000, yes of course ! I'm available on slack under the dev-llm channel, my username is temmar.

[TmmmmmR]

I have read the CLA Document and I hereby sign the CLA.

[psiinon]

You'll need to add "llm" here https://github.com/zaproxy/zap-extensions/pull/5861/files otherwise it cant be deployed.
I've done that locally and I can see the extension in ZAP but I cant see any GUI changes for it. I'll look into that some more..

[psiinon]

Added some comments which should get the help displayed correctly

[psiinon]

Checkmarx One – Scan Summary & Details – a8b4ff51-9c76-4c3f-b200-066b3a6967c0

New Issues (9)

Checkmarx found the following issues in this Pull Request

Severity	Issue	Source File / Package	Checkmarx Insight
	CVE-2024-21538	Npm-cross-spawn-7.0.3	details Recommended version: 7.0.5 Description: Versions of the package cross-spawn prior to 6.0.6 and 7.x prior to 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS), due to im... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
	CVE-2024-52798	Npm-path-to-regexp-0.1.10	details Recommended version: 0.1.12 Description: path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploit... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
	CVE-2025-24010	Npm-vite-4.5.5	details Recommended version: 4.5.6 Description: Vite is a frontend tooling framework for JavaScript. Vite allowed any websites to send any requests to the development server and read the response... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
	SSRF	/addOns/llm/src/main/java/org/zaproxy/addon/llm/ui/settings/LlmOptionsPanel.java: 129	details The application sends a request to a remote server, for some resource, using openConnection in /addOns/llm/src/main/java/org/zaproxy/addon/llm/ui/s... Attack Vector
	Unpinned Actions Full Length Commit SHA	/codeql.yml: 46	details Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps...
	Unpinned Actions Full Length Commit SHA	/cla.yml: 19	details Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps...
	Unpinned Actions Full Length Commit SHA	/ci.yml: 26	details Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps...
	Unpinned Actions Full Length Commit SHA	/codeql.yml: 34	details Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps...
	Unpinned Actions Full Length Commit SHA	/codeql.yml: 27	details Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps...

Fixed Issues (9)

Great job! The following issues were fixed in this Pull Request

Severity	Issue	Source File / Package
	Heap_Inspection	/addOns/authhelper/src/main/java/org/zaproxy/addon/authhelper/AuthUtils.java: 392
	Heap_Inspection	/addOns/authhelper/src/test/java/org/zaproxy/addon/authhelper/AuthUtilsUnitTest.java: 901
	Heap_Inspection	/addOns/authhelper/src/test/java/org/zaproxy/addon/authhelper/AuthUtilsUnitTest.java: 854
	Heap_Inspection	/addOns/authhelper/src/test/java/org/zaproxy/addon/authhelper/AuthUtilsUnitTest.java: 877
	Log_Forging	/addOns/client/src/main/java/org/zaproxy/addon/client/spider/ClientSpiderDialog.java: 342
	Log_Forging	/addOns/client/src/main/java/org/zaproxy/addon/client/spider/ClientSpiderDialog.java: 342
	Log_Forging	/addOns/client/src/main/java/org/zaproxy/addon/client/spider/ClientSpiderDialog.java: 342
	Unpinned Actions Full Length Commit SHA	/codeql.yml: 35
	Unpinned Actions Full Length Commit SHA	/codeql.yml: 50

[psiinon]

You need to add "llm" at https://github.com/zaproxy/zap-extensions/blob/main/settings.gradle.kts#L75 in order for it to be built via gradle.
How are you currently deploying it?
I'm not seeing any of the GUI changes taking effect, so I'll dig into that some more..

[TmmmmmR]

Sorry I didn't https://github.com/zaproxy/zap-extensions/blob/main/settings.gradle.kts to my commit.
you can build using : .\gradlew.bat addOns:llm:copyZapAddOn

[psiinon]

Thanks, thats how I am building it. I'm still not seeing the GUI changes though :/ Will investigate - it could be a local problem, although other add-ons seem to deploy fine that way

[kingthorin]

You can suppress the serialized warning. Just look around the repo you'll find other examples.

[psiinon]

I'm still not able to see and of the PR changes after deploying the add-on, and I've not had a chance to look into that yet.
Any other reviewers see the same or does it work for you?

[psiinon]

I've just tried to save my options for something else and I couldnt - I get a message saying Failed to save the options: LLM API Key not defined - this should not be mandatory 😁

[TmmmmmR]

I've just tried to save my options for something else and I couldnt - I get a message saying Failed to save the options: LLM API Key not defined - this should not be mandatory 😁

Do I need to remove the re-implementation of the validateParam method ? currently I validate both apikey and the LLM endpoint URL and display warnings in case they are invalid.

[kingthorin]

I cleaned up the GGiven comments, I had done this review the other day when GitHub had an incident and apparently that cause some repeats/duplication 😞

[kingthorin]

I've just tried to save my options for something else and I couldnt - I get a message saying Failed to save the options: LLM API Key not defined - this should not be mandatory 😁

It seems the options handler also isn't being unloaded, even after un-installing the add-on it still complains though it can't find the proper resource message :) Had to restart ZAP in order to save options changes.

[thc202]

That's a side effect of not doing this way #5861 (comment)

[TmmmmmR]

Thank you for all feedbacks, I have updated my PR with the requested edits.