pscanrules: Improve version detection in Server Header Info Leak rule (10036)

addOns/pscanrules/CHANGELOG.md

@@ -4,6 +4,9 @@ All notable changes to this add-on will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ## Unreleased
+## Unreleased
+- Improved detection of version information in Server Header Info Leak passive scan rule (Issue #9160).
+
 ### Changed
 - Address redirection in a reference.
 - Update dependency.

addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/ServerHeaderInfoLeakScanRule.java

@@ -47,7 +47,9 @@ public class ServerHeaderInfoLeakScanRule extends PluginPassiveScanner
 
     private static final Logger LOGGER = LogManager.getLogger(ServerHeaderInfoLeakScanRule.class);
 
-    private static final Pattern VERSION_PATTERN = Pattern.compile(".*\\d.*");
+    // Match version-like patterns such as 2.4, 2.4.49, 10.0.1, etc.
+private static final Pattern VERSION_PATTERN = Pattern.compile("\\d+\\.\\d+(\\.\\d+)?");
+
     private static final Map<String, String> ALERT_TAGS;
 
     static {
@@ -72,7 +74,8 @@ public void scanHttpResponseReceive(HttpMessage msg, int id, Source source) {
             // It is set so lets check it. Should only be one but it's a vector so iterate to be
             // sure.
             for (String serverDirective : serverOption) {
-                boolean matched = VERSION_PATTERN.matcher(serverDirective).matches();
+               boolean matched = VERSION_PATTERN.matcher(serverDirective).find();
+
                 if (matched) { // See if there's any version info.
                     // While an alpha string might be the server type (Apache, Netscape, IIS, etc.)
                     // that's much less of a head-start than actual version details.