From 5ea693a9198e89e9a491689beeeed87d5bc75ce0 Mon Sep 17 00:00:00 2001 From: Lakshmishree B N Date: Fri, 28 Nov 2025 16:33:54 +0530 Subject: [PATCH 1/2] Enhanced version detection in Server Header Info Leak scan rule (Issue #9160) --- .../extension/pscanrules/ServerHeaderInfoLeakScanRule.java | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/ServerHeaderInfoLeakScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/ServerHeaderInfoLeakScanRule.java index 893aee367f..0e1dbb8085 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/ServerHeaderInfoLeakScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/ServerHeaderInfoLeakScanRule.java @@ -47,7 +47,9 @@ public class ServerHeaderInfoLeakScanRule extends PluginPassiveScanner private static final Logger LOGGER = LogManager.getLogger(ServerHeaderInfoLeakScanRule.class); - private static final Pattern VERSION_PATTERN = Pattern.compile(".*\\d.*"); + // Match version-like patterns such as 2.4, 2.4.49, 10.0.1, etc. +private static final Pattern VERSION_PATTERN = Pattern.compile("\\d+\\.\\d+(\\.\\d+)?"); + private static final Map ALERT_TAGS; static { @@ -72,7 +74,8 @@ public void scanHttpResponseReceive(HttpMessage msg, int id, Source source) { // It is set so lets check it. Should only be one but it's a vector so iterate to be // sure. for (String serverDirective : serverOption) { - boolean matched = VERSION_PATTERN.matcher(serverDirective).matches(); + boolean matched = VERSION_PATTERN.matcher(serverDirective).find(); + if (matched) { // See if there's any version info. // While an alpha string might be the server type (Apache, Netscape, IIS, etc.) // that's much less of a head-start than actual version details. From ebfb9b6f89e7db013c2d593b64f04d0911dc178b Mon Sep 17 00:00:00 2001 
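Review bot: The new `VERSION_PATTERN` only fires on a dotted pair, so a major-only disclosure such as `Apache/2` (constructed example) is no longer treated as version information, whereas the old `.*\\d.*` flagged it; for a leak-detection rule that is a coverage change worth deciding on explicitly. If major-only tokens should still be reported, one option is `Pattern.compile("/\\d+|\\d+\\.\\d+")`, which also drops the optional group: with `find()` the `(\\.\\d+)?` tail never changes the boolean result. It is also still a capturing group, although the follow-up patch's subject says non-capturing and its diffstat lists only CHANGELOG.md. The added declaration appears to start at column 0 while the removed line it replaces was indented. The diffstat shows only the rule class changing, so no test pins either the header values that should stop alerting or the version strings that must still match.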
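Review bot: Nothing at the call site says why `find()` replaces `matches()`, yet the rule now depends on it: `VERSION_PATTERN` is unanchored, so reverting to `matches()` would silently stop flagging any Server value that carries a product name around the version. A short comment on the `boolean matched` line would pin that, e.g. `// find(): the version token may sit anywhere in the Server value`. Since `find()` leaves the matched token in the `Matcher`, keeping the matcher in a local would let the alert cite the exact version string as evidence, if the alert code (outside this hunk) currently reports the whole header. The `for` loop and the `if (matched)` body both continue past the hunk.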
From: Lakshmishree B N Date: Fri, 28 Nov 2025 17:42:55 +0530 Subject: [PATCH 2/2] Use non-capturing version regex and update changelog (Issue #9160) --- addOns/pscanrules/CHANGELOG.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/addOns/pscanrules/CHANGELOG.md b/addOns/pscanrules/CHANGELOG.md index 9a13032c0d..0454433ffc 100644 --- a/addOns/pscanrules/CHANGELOG.md +++ b/addOns/pscanrules/CHANGELOG.md @@ -4,6 +4,9 @@ All notable changes to this add-on will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). ## Unreleased +## Unreleased +- Improved detection of version information in Server Header Info Leak passive scan rule (Issue #9160). + ### Changed - Address redirection in a reference. - Update dependency.