ascan: Pause timers when pausing scan

Signed-off-by: kingthorin <kingthorin@users.noreply.github.com>

Author: kingthorin

zap/src/main/java/org/parosproxy/paros/core/scanner/AbstractPlugin.java

@@ -79,13 +79,15 @@
 // ZAP: 2023/07/06 Deprecate delayInMs.
 // ZAP: 2024/10/16 Remove isFileExist call from isSuccess and isPage200 - it results in too many
 // FPs.
+// ZAP: 2025/12/08 Pause timers when pausing the scan (Issue 3455).
 package org.parosproxy.paros.core.scanner;
 
 import java.io.IOException;
 import java.io.UnsupportedEncodingException;
 import java.net.URLDecoder;
 import java.net.URLEncoder;
 import java.security.InvalidParameterException;
+import java.time.Instant;
 import java.util.Date;
 import java.util.Map;
 import java.util.Objects;
@@ -398,15 +400,15 @@ public void run() {
 
         try {
             if (!isStop()) {
-                this.started = new Date();
+                setTimeStarted();
                 scan();
             }
 
         } catch (Exception e) {
             getLog().error(e.getMessage(), e);
         } finally {
+            setTimeFinished();
             notifyPluginCompleted(getParent());
-            this.finished = new Date();
         }
     }
 
@@ -844,6 +846,23 @@ protected boolean isStop() {
         return parent.isStop() || parent.isSkipped(this);
     }
 
+    /** Helper to block efficiently while the parent scanner is paused. */
+    public void handlePause() {
+        if (parent == null) {
+            return;
+        }
+
+        // Parent is a HostProcess; HostProcess delegates wait/isPaused to the Scanner.
+        if (isStop()) {
+            parent.stop();
+            return;
+        }
+        parent.waitIfPaused();
+        if (isStop()) {
+            return;
+        }
+    }
+
     @Override
     public boolean isEnabled() {
         return enabled;
@@ -1353,13 +1372,26 @@ public Date getTimeFinished() {
 
     @Override
     public void setTimeStarted() {
-        this.started = new Date();
+        Instant now = getNowInstant();
+        this.started = Date.from(now);
         this.finished = null;
     }
 
     @Override
     public void setTimeFinished() {
-        this.finished = new Date();
+        Instant now = getNowInstant();
+        this.finished = Date.from(now);
+    }
+
+    private Instant getNowInstant() {
+        Instant now = null;
+        if (parent != null) {
+            now = parent.getEffectiveInstant();
+        }
+        if (now == null) {
+            now = Instant.now();
+        }
+        return now;
     }
 
     @Override

zap/src/main/java/org/parosproxy/paros/core/scanner/HostProcess.java

@@ -106,10 +106,12 @@
 // ZAP: 2022/09/21 Use format specifiers instead of concatenation when logging.
 // ZAP: 2023/01/10 Tidy up logger.
 // ZAP: 2023/05/17 Skip rules that reach the maximum number of alerts.
+// ZAP: 2025/12/08 Pause timers when pausing the scan (Issue 3455).
 package org.parosproxy.paros.core.scanner;
 
 import java.io.IOException;
 import java.text.DecimalFormat;
+import java.time.Instant;
 import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.HashSet;
@@ -174,7 +176,7 @@ public class HostProcess implements Runnable {
      */
     private final Map<Integer, PluginStats> mapPluginStats = new HashMap<>();
 
-    private long hostProcessStartTime = 0;
+    private Instant hostProcessStartInstant = null;
 
     // ZAP: progress related
     private int nodeInScopeCount = 0;
@@ -342,8 +344,7 @@ public void run() {
         LOGGER.debug("HostProcess.run");
 
         try {
-            hostProcessStartTime = System.currentTimeMillis();
-
+            hostProcessStartInstant = getNowInstant();
             // Initialise plugin factory to report the state of the plugins ASAP.
             pluginFactory.reset();
             synchronized (mapPluginStats) {
@@ -480,7 +481,8 @@ private void logScanInfo() {
     }
 
     private void processPlugin(final Plugin plugin) {
-        mapPluginStats.get(plugin.getId()).start();
+        PluginStats ps = mapPluginStats.get(plugin.getId());
+        ps.start(getNowInstant());
 
         if (nodeInScopeCount == 0) {
             pluginSkipped(
@@ -532,6 +534,12 @@ private void processPlugin(final Plugin plugin) {
         }
     }
 
+    private Instant getNowInstant() {
+        return (parentScanner != null && parentScanner.getEffectiveInstant() != null)
+                ? parentScanner.getEffectiveInstant()
+                : Instant.now();
+    }
+
     private void traverse(StructuralNode node, boolean incRelatedSiblings, TraverseAction action) {
         if (node == null || isStop()) {
             return;
@@ -680,8 +688,10 @@ private boolean scanMessage(Plugin plugin, int messageId) {
             if (this.isStop()) {
                 return false;
             }
+            checkPause();
             thread = threadPool.getFreeThreadAndRun(test);
             if (thread == null) {
+                checkPause();
                 Util.sleep(200);
             }
 
@@ -795,11 +805,16 @@ public HttpSender getHttpSender() {
      */
     public boolean isStop() {
         if (this.scannerParam.getMaxScanDurationInMins() > 0) {
-            if (System.currentTimeMillis() - this.hostProcessStartTime
-                    > TimeUnit.MINUTES.toMillis(this.scannerParam.getMaxScanDurationInMins())) {
-                this.stopReason =
-                        Constant.messages.getString("ascan.progress.label.skipped.reason.maxScan");
-                this.stop();
+            if (hostProcessStartInstant != null) {
+                long elapsedMs =
+                        getNowInstant().toEpochMilli() - hostProcessStartInstant.toEpochMilli();
+                if (elapsedMs
+                        > TimeUnit.MINUTES.toMillis(this.scannerParam.getMaxScanDurationInMins())) {
+                    this.stopReason =
+                            Constant.messages.getString(
+                                    "ascan.progress.label.skipped.reason.maxScan");
+                    this.stop();
+                }
             }
         }
         return (isStop || parentScanner.isStop());
@@ -811,15 +826,32 @@ public boolean isStop() {
      * @return true if the process has been paused
      */
     public boolean isPaused() {
-        return parentScanner.isPaused();
+        return parentScanner != null && parentScanner.isPaused();
     }
 
     private void checkPause() {
-        while (parentScanner.isPaused() && !isStop()) {
-            Util.sleep(500);
+        if (parentScanner != null) {
+            parentScanner.waitIfPaused();
         }
     }
 
+    /**
+     * Delegates to the parent Scanner to block while the global scan is paused. Provides the same
+     * API that plugins/host code expect to call on their parent.
+     */
+    public void waitIfPaused() {
+        if (parentScanner != null) {
+            parentScanner.waitIfPaused();
+        }
+    }
+
+    public Instant getEffectiveInstant() {
+        if (parentScanner != null) {
+            return parentScanner.getEffectiveInstant();
+        }
+        return Instant.now();
+    }
+
     public int getPercentageComplete() {
         return this.percentage;
     }
@@ -854,7 +886,10 @@ private void notifyHostProgress(String msg) {
     }
 
     private void notifyHostComplete() {
-        long diffTimeMillis = System.currentTimeMillis() - hostProcessStartTime;
+        long diffTimeMillis =
+                (hostProcessStartInstant != null)
+                        ? getNowInstant().toEpochMilli() - hostProcessStartInstant.toEpochMilli()
+                        : 0L;
         String diffTimeString = decimalFormat.format(diffTimeMillis / 1000.0) + "s";
         LOGGER.info(
                 "completed host {} in {} with {} alert(s) raised.",
@@ -1099,9 +1134,11 @@ public boolean isSkipped(Plugin plugin) {
 
         } else if (this.scannerParam.getMaxRuleDurationInMins() > 0
                 && plugin.getTimeStarted() != null) {
-            long endtime = System.currentTimeMillis();
+            long endtime;
             if (plugin.getTimeFinished() != null) {
                 endtime = plugin.getTimeFinished().getTime();
+            } else {
+                endtime = getNowInstant().toEpochMilli();
             }
             if (endtime - plugin.getTimeStarted().getTime()
                     > TimeUnit.MINUTES.toMillis(this.scannerParam.getMaxRuleDurationInMins())) {
@@ -1142,7 +1179,8 @@ void pluginCompleted(Plugin plugin) {
             // Plugin was not processed
             return;
         }
-        pluginStats.stopped();
+        // Stop plugin stats with scanner-aligned Instant so totalTime excludes paused time.
+        pluginStats.stopped(getNowInstant());
 
         StringBuilder sb = new StringBuilder();
         if (isStop()) {
@@ -1160,7 +1198,9 @@ void pluginCompleted(Plugin plugin) {
         }
 
         sb.append(hostAndPort).append(" | ").append(plugin.getCodeName());
-        String diffTimeString = decimalFormat.format(pluginStats.getTotalTime() / 1000.0);
+        // Use scanner-aligned Instant when reporting total time for running/completed plugin.
+        long totalMs = pluginStats.getTotalTimeMillis(getNowInstant());
+        String diffTimeString = decimalFormat.format(totalMs / 1000.0);
         sb.append(" in ").append(diffTimeString).append('s');
         sb.append(" with ").append(pluginStats.getMessageCount()).append(" message(s) sent");
         sb.append(" and ").append(pluginStats.getAlertCount()).append(" alert(s) raised.");

zap/src/main/java/org/parosproxy/paros/core/scanner/PluginStats.java

@@ -19,6 +19,7 @@
  */
 package org.parosproxy.paros.core.scanner;
 
+import java.time.Instant;
 import org.zaproxy.zap.utils.Stats;
 
 /**
@@ -101,14 +102,39 @@ public String getSkippedReason() {
         return skippedReason;
     }
 
-    /** Starts the plugin stats. */
+    /** Starts the plugin stats (wall-clock fallback). */
     void start() {
-        startTime = System.currentTimeMillis();
+        start(null);
+    }
+
+    /**
+     * Starts the plugin stats using a scanner-aligned Instant.
+     *
+     * <p>Use this when the caller has an Instant from Scanner.getEffectiveInstant() to ensure
+     * paused time is excluded.
+     */
+    void start(Instant now) {
+        startTime = getNowMilliseconds(now);
         Stats.incCounter(Scanner.ASCAN_RULE_PREFIX + this.pluginId + Scanner.STARTED_POSTFIX);
     }
 
+    private long getNowMilliseconds(Instant now) {
+        return (now != null) ? now.toEpochMilli() : System.currentTimeMillis();
+    }
+
+    /** Stops the plugin stats (wall-clock fallback). */
     void stopped() {
-        totalTime = System.currentTimeMillis() - startTime;
+        stopped(null);
+    }
+
+    /**
+     * Stops the plugin stats using a scanner-aligned Instant.
+     *
+     * <p>Use this when the caller has an Instant from Scanner.getEffectiveInstant() to ensure
+     * paused time is excluded.
+     */
+    void stopped(Instant now) {
+        totalTime = getNowMilliseconds(now) - startTime;
         Stats.incCounter(
                 Scanner.ASCAN_RULE_PREFIX + this.pluginId + Scanner.TIME_POSTFIX, totalTime);
     }
@@ -123,11 +149,29 @@ public long getStartTime() {
         return startTime;
     }
 
-    public long getTotalTime() {
-        if (totalTime == 0 && startTime > 0) {
-            return System.currentTimeMillis() - startTime;
+    /**
+     * Returns the total elapsed time in milliseconds for this plugin.
+     *
+     * <p>If the plugin has finished, returns (finished - started). If the plugin is still running
+     * and {@code now} is provided, returns (now - started). If the plugin is still running and
+     * {@code now} is null, uses Instant.now() as fallback.
+     *
+     * <p>Callers should pass the scanner-aligned Instant (Scanner.getEffectiveInstant()) when
+     * available so paused time is excluded.
+     */
+    public long getTotalTimeMillis(Instant now) {
+        if (startTime <= 0) {
+            return 0L;
+        }
+        if (totalTime != 0L) {
+            return totalTime;
         }
-        return totalTime;
+        return getNowMilliseconds(now) - startTime;
+    }
+
+    /** Backwards-compatible API: returns total milliseconds using wall-clock fallback. */
+    public long getTotalTime() {
+        return getTotalTimeMillis(null);
     }
 
     /**