zap-extensions icon indicating copy to clipboard operation
zap-extensions copied to clipboard
verified publisher icon zaproxy

LLM Integration

Open TmmmmmR opened this issue 1 year ago • 18 comments

Overview

This extension integrates LLM with ZAP and includes two main features:

  • API Sequencing: Import Swagger/OpenAPI definitions to generate sequences of HTTP calls for subsequent scanning operations.
  • Alert Review: Examine an alert and determine the confidence level based on evidence from ZAP, complete with an explanation for the updated confidence level.

Related Issues

Specify any related issues or pull requests by linking to them.

Checklist

  • [x] Update help
  • [x] Update changelog
  • [x] Run ./gradlew spotlessApply for code formatting
  • [ ] Write tests
  • [ ] Check code coverage
  • [ ] Sign-off commits
  • [ ] Squash commits
  • [x] Use a descriptive title

For more details, please refer to the developer rules and guidelines.

TmmmmmR avatar Oct 30 '24 09:10 TmmmmmR

All contributors have signed the CLA ✍️ ✅
Posted by the CLA Assistant Lite bot.

github-actions[bot] avatar Oct 30 '24 09:10 github-actions[bot]

There's likely a bunch of places swagger should be replaced with openapi.

https://swagger.io/blog/api-strategy/difference-between-swagger-and-openapi/

kingthorin avatar Oct 31 '24 16:10 kingthorin

Hi TmmmmmR,

I started my review on this, but ended up having a few questions, can I propose we setup a meeting between yourself and the 2 reviewers so that to see a demo of the addon?

Thank you, Yiannis

yns000 avatar Nov 08 '24 16:11 yns000

Hello @yns000, yes of course ! I'm available on slack under the dev-llm channel, my username is temmar.

TmmmmmR avatar Nov 11 '24 14:11 TmmmmmR

I have read the CLA Document and I hereby sign the CLA.

TmmmmmR avatar Nov 20 '24 08:11 TmmmmmR

You'll need to add "llm" here https://github.com/zaproxy/zap-extensions/pull/5861/files otherwise it cant be deployed. I've done that locally and I can see the extension in ZAP but I cant see any GUI changes for it. I'll look into that some more..

psiinon avatar Dec 20 '24 14:12 psiinon

Logo Checkmarx One – Scan Summary & Details55948703-2701-4f18-b49f-fc5e8fad4f94

New Issues (1)

Checkmarx found the following issues in this Pull Request

Severity Issue Source File / Package Checkmarx Insight
HIGH SSRF /addOns/llm/src/main/java/org/zaproxy/addon/llm/ui/LlmOptionsPanel.java: 140
detailsThe application sends a request to a remote server, for some resource, using openConnection in /addOns/llm/src/main/java/org/zaproxy/addon/llm/ui/L...
ID: kynhekFZcmz2RX3O%2BgsHqdztWKE%3D
Attack Vector

psiinon avatar Jan 23 '25 16:01 psiinon

You need to add "llm" at https://github.com/zaproxy/zap-extensions/blob/main/settings.gradle.kts#L75 in order for it to be built via gradle. How are you currently deploying it? I'm not seeing any of the GUI changes taking effect, so I'll dig into that some more..

psiinon avatar Jan 28 '25 17:01 psiinon

Sorry I didn't https://github.com/zaproxy/zap-extensions/blob/main/settings.gradle.kts to my commit. you can build using : .\gradlew.bat addOns:llm:copyZapAddOn

TmmmmmR avatar Jan 28 '25 17:01 TmmmmmR

Thanks, thats how I am building it. I'm still not seeing the GUI changes though :/ Will investigate - it could be a local problem, although other add-ons seem to deploy fine that way

psiinon avatar Jan 28 '25 17:01 psiinon

You can suppress the serialized warning. Just look around the repo you'll find other examples.

kingthorin avatar Jan 28 '25 18:01 kingthorin

I'm still not able to see and of the PR changes after deploying the add-on, and I've not had a chance to look into that yet. Any other reviewers see the same or does it work for you?

psiinon avatar Jan 30 '25 12:01 psiinon

I've just tried to save my options for something else and I couldnt - I get a message saying Failed to save the options: LLM API Key not defined - this should not be mandatory 😁

psiinon avatar Jan 31 '25 09:01 psiinon

I've just tried to save my options for something else and I couldnt - I get a message saying Failed to save the options: LLM API Key not defined - this should not be mandatory 😁

Do I need to remove the re-implementation of the validateParam method ? currently I validate both apikey and the LLM endpoint URL and display warnings in case they are invalid.

TmmmmmR avatar Feb 04 '25 09:02 TmmmmmR

I cleaned up the Given comments, I had done this review the other day when GitHub had an incident and apparently that cause some repeats/duplication 😞

kingthorin avatar Feb 04 '25 10:02 kingthorin

I've just tried to save my options for something else and I couldnt - I get a message saying Failed to save the options: LLM API Key not defined - this should not be mandatory 😁

It seems the options handler also isn't being unloaded, even after un-installing the add-on it still complains though it can't find the proper resource message :) Had to restart ZAP in order to save options changes.

kingthorin avatar Feb 05 '25 14:02 kingthorin

That's a side effect of not doing this way https://github.com/zaproxy/zap-extensions/pull/5861#discussion_r1935882649

thc202 avatar Feb 05 '25 16:02 thc202

Thank you for all feedbacks, I have updated my PR with the requested edits.

TmmmmmR avatar Feb 06 '25 13:02 TmmmmmR

Would be good to add a meaningful commit message.

thc202 avatar Jul 03 '25 13:07 thc202

Better?

kingthorin avatar Jul 03 '25 13:07 kingthorin

Thank you all!

thc202 avatar Jul 03 '25 14:07 thc202

Thanks everyone!

psiinon avatar Jul 03 '25 14:07 psiinon