Update codebase to ZAP 2.17

Change all add-ons and `testutils` to use 2.17 (SNAPSHOT).
Update code accordingly (e.g. address deprecations).

Signed-off-by: thc202 <[email protected]>

Author: thc202

addOns/accessControl/CHANGELOG.md

@@ -5,7 +5,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ## Unreleased
 ### Changed
-- Update minimum ZAP version to 2.16.0.
+- Update minimum ZAP version to 2.17.0.
 - Maintenance changes.
 
 ## [10] - 2024-03-25

addOns/addOns.gradle.kts

@@ -174,7 +174,7 @@ subprojects {
         }
     }
 
-    val zapGav = "org.zaproxy:zap:2.16.0"
+    val zapGav = "org.zaproxy:zap:2.17.0-SNAPSHOT"
     dependencies {
         "zap"(zapGav)
     }
@@ -187,7 +187,7 @@ subprojects {
         )
 
         manifest {
-            zapVersion.set("2.16.0")
+            zapVersion.set("2.17.0")
 
             changesFile.set(tasks.named<ConvertMarkdownToHtml>("generateManifestChanges").flatMap { it.html })
             repo.set("https://github.com/zaproxy/zap-extensions/")

addOns/alertFilters/CHANGELOG.md

@@ -4,7 +4,8 @@ All notable changes to this add-on will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ## Unreleased
-
+### Changed
+- Update minimum ZAP version to 2.17.0.
 
 ## [25] - 2025-11-04
 ### Changed

addOns/alertFilters/src/main/java/org/zaproxy/zap/extension/alertFilters/ExtensionAlertFilters.java

@@ -452,7 +452,7 @@ private void updateAlert(Alert alert, AlertFilter filter) {
                     alert.getPluginId(),
                     filter.getNewRisk());
             getExtAlert().updateAlert(updAlert);
-            getExtAlert().updateAlertInTree(origAlert, updAlert);
+            getExtAlert().updateAlertInTree(updAlert);
             if (alert.getHistoryRef() != null) {
                 alert.getHistoryRef().updateAlert(updAlert);
                 if (alert.getHistoryRef().getSiteNode() != null) {
@@ -472,10 +472,7 @@ private Alert getAlert(RecordAlert recordAlert) {
         int historyId = recordAlert.getHistoryId();
         if (historyId > 0) {
             HistoryReference href = this.getExtHistory().getHistoryReference(historyId);
-            Alert alert = new Alert(recordAlert, href);
-            // TODO remove once targeting 2.17+
-            alert.setHistoryId(recordAlert.getHistoryId());
-            return alert;
+            return new Alert(recordAlert, href);
         } else {
             // Not ideal :/
             return new Alert(recordAlert);

addOns/allinonenotes/CHANGELOG.md

@@ -5,7 +5,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ## Unreleased
 ### Changed
-- Update minimum ZAP version to 2.16.0.
+- Update minimum ZAP version to 2.17.0.
 - Maintenance changes.
 
 ### Fixed

addOns/ascanrules/CHANGELOG.md

@@ -5,6 +5,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ## Unreleased
 ### Changed
+- Update minimum ZAP version to 2.17.0.
 - The External Redirect scan rule has been updated to account for potential false positives involving JavaScript comments.
 
 ## [75] - 2025-11-04

addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/CrossSiteScriptingScanRule.java

@@ -29,7 +29,7 @@
 import java.util.List;
 import java.util.Map;
 import org.apache.commons.httpclient.URIException;
-import org.apache.commons.lang3.StringUtils;
+import org.apache.commons.lang3.Strings;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import org.parosproxy.paros.Constant;
@@ -748,7 +748,7 @@ private boolean processContexts(
                             .raise();
                 } else if (AlertThreshold.LOW.equals(this.getAlertThreshold())) {
                     HttpMessage ctx2Message = contexts.get(0).getMsg();
-                    if (StringUtils.containsIgnoreCase(
+                    if (Strings.CI.contains(
                             ctx.getMsg()
                                     .getResponseHeader()
                                     .getHeader(HttpFieldsNames.CONTENT_TYPE),

addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/ExternalRedirectScanRule.java

@@ -35,7 +35,7 @@
 import net.htmlparser.jericho.Source;
 import org.apache.commons.httpclient.URI;
 import org.apache.commons.httpclient.URIException;
-import org.apache.commons.lang3.StringUtils;
+import org.apache.commons.lang3.Strings;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import org.mozilla.javascript.CompilerEnvirons;
@@ -357,7 +357,7 @@ static String getLocationUrl(String value) {
      * @return true if it's a valid open redirect
      */
     private static boolean checkPayload(String value) {
-        if (value == null || !StringUtils.startsWithIgnoreCase(value, HttpHeader.HTTP)) {
+        if (value == null || !Strings.CI.startsWith(value, HttpHeader.HTTP)) {
             return false;
         }
 
@@ -460,7 +460,7 @@ private static RedirectType isRedirected(String payload, HttpMessage msg) {
 
         // (5) Check if redirection occurs by Javascript
         // http://code.google.com/p/html5security/wiki/RedirectionMethods
-        if (StringUtils.indexOfIgnoreCase(content, payload) != -1) {
+        if (Strings.CI.indexOf(content, payload) != -1) {
             List<Element> jsElements = htmlSrc.getAllElements(HTMLElementName.SCRIPT);
 
             for (Element el : jsElements) {
@@ -498,8 +498,7 @@ private static boolean isRedirectPresent(Pattern pattern, String value) {
     }
 
     private static boolean isPresent(Matcher matcher) {
-        return matcher.find()
-                && StringUtils.startsWithIgnoreCase(matcher.group(1), HttpHeader.HTTP);
+        return matcher.find() && Strings.CI.startsWith(matcher.group(1), HttpHeader.HTTP);
     }
 
     /** Visibility increased for unit testing purposes only */

addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/PaddingOracleScanRule.java

@@ -345,7 +345,7 @@ public byte[] decode(String value) {
                     // The last letter represents the length
                     int last = value.length() - 1;
                     if (((last + (int) value.charAt(last)) % 4) == 0) {
-                        Base64 decoder = new Base64(true);
+                        Base64 decoder = Base64.builder().setUrlSafe(true).get();
                         return decoder.decode(value.substring(0, last));
                     }
                 }

addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/PersistentXssScanRule.java

@@ -26,7 +26,7 @@
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
-import org.apache.commons.lang3.StringUtils;
+import org.apache.commons.lang3.Strings;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import org.parosproxy.paros.Constant;
@@ -640,7 +640,7 @@ public void scan(HttpMessage sourceMsg, String param, String value) {
                                                         .raise();
                                             } else {
                                                 HttpMessage ctx2Message = contexts2.get(0).getMsg();
-                                                if (StringUtils.containsIgnoreCase(
+                                                if (Strings.CI.contains(
                                                         ctx.getMsg()
                                                                 .getResponseHeader()
                                                                 .getHeader(