Merge pull request #7281 from psiinon/commonlib/vibe-fix

commonLib: Alert menu item for generating a fix prompt

Author: thc202

addOns/commonlib/CHANGELOG.md

@@ -5,6 +5,9 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## Unreleased
+### Added
+- Generate Fix Prompt alert menu item.
+
 ### Changed
 - Update dependencies.
 

addOns/commonlib/src/main/java/org/zaproxy/addon/commonlib/CommonlibParam.java

@@ -0,0 +1,59 @@
+/*
+ * Zed Attack Proxy (ZAP) and its related class files.
+ *
+ * ZAP is an HTTP/HTTPS proxy for assessing web application security.
+ *
+ * Copyright 2026 The ZAP Development Team
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.zaproxy.addon.commonlib;
+
+import org.parosproxy.paros.common.AbstractParam;
+
+/** Persisted configuration for the Common Library add-on. */
+public class CommonlibParam extends AbstractParam {
+
+    private static final String PARAM_BASE_KEY = "commonlib";
+
+    private static final String PARAM_SHOW_FIX_PROMPT_COPIED_DIALOG =
+            PARAM_BASE_KEY + ".alert.generatefixprompt.showCopiedDialog";
+
+    private boolean showFixPromptCopiedDialog = true;
+
+    @Override
+    protected void parse() {
+        showFixPromptCopiedDialog = getBoolean(PARAM_SHOW_FIX_PROMPT_COPIED_DIALOG, true);
+    }
+
+    /**
+     * Returns whether the "fix prompt copied to clipboard" confirmation dialog should be shown.
+     *
+     * @return {@code true} if the dialog should be shown, {@code false} otherwise.
+     */
+    public boolean isShowFixPromptCopiedDialog() {
+        return showFixPromptCopiedDialog;
+    }
+
+    /**
+     * Sets whether the "fix prompt copied to clipboard" confirmation dialog should be shown.
+     *
+     * @param show {@code true} if the dialog should be shown, {@code false} otherwise.
+     */
+    public void setShowFixPromptCopiedDialog(boolean show) {
+        if (showFixPromptCopiedDialog != show) {
+            showFixPromptCopiedDialog = show;
+            getConfig().setProperty(PARAM_SHOW_FIX_PROMPT_COPIED_DIALOG, showFixPromptCopiedDialog);
+        }
+    }
+}

addOns/commonlib/src/main/java/org/zaproxy/addon/commonlib/ExtensionCommonlib.java

@@ -29,6 +29,7 @@
 import org.parosproxy.paros.extension.SessionChangedListener;
 import org.parosproxy.paros.model.Session;
 import org.zaproxy.addon.commonlib.internal.vulns.LegacyVulnerabilities;
+import org.zaproxy.addon.commonlib.ui.GenerateFixPromptMenu;
 import org.zaproxy.addon.commonlib.ui.ProgressPanel;
 import org.zaproxy.addon.commonlib.ui.TabbedOutputPanel;
 
@@ -108,9 +109,13 @@ public ExtensionCommonlib() {
 
     @Override
     public void hook(ExtensionHook extensionHook) {
+        CommonlibParam commonlibParam = new CommonlibParam();
+        extensionHook.addOptionsParamSet(commonlibParam);
+
         if (hasView()) {
             extensionHook.getHookView().addStatusPanel(getProgressPanel());
             getView().setOutputPanel(new TabbedOutputPanel());
+            extensionHook.getHookMenu().addPopupMenuItem(new GenerateFixPromptMenu(commonlibParam));
         }
         extensionHook.addSessionListener(new SessionChangedListenerImpl());
     }

addOns/commonlib/src/main/java/org/zaproxy/addon/commonlib/ui/GenerateFixPromptMenu.java

@@ -0,0 +1,150 @@
+/*
+ * Zed Attack Proxy (ZAP) and its related class files.
+ *
+ * ZAP is an HTTP/HTTPS proxy for assessing web application security.
+ *
+ * Copyright 2026 The ZAP Development Team
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.zaproxy.addon.commonlib.ui;
+
+import java.awt.Toolkit;
+import java.awt.datatransfer.StringSelection;
+import javax.swing.JCheckBox;
+import javax.swing.JOptionPane;
+import org.apache.commons.lang3.StringUtils;
+import org.parosproxy.paros.Constant;
+import org.parosproxy.paros.core.scanner.Alert;
+import org.parosproxy.paros.view.View;
+import org.zaproxy.addon.commonlib.CommonAlertTag;
+import org.zaproxy.addon.commonlib.CommonlibParam;
+import org.zaproxy.zap.extension.alert.PopupMenuItemAlert;
+
+/**
+ * A right-click menu item for alerts that generates a prompt the user can paste into an LLM to ask
+ * it to fix the vulnerability. The prompt is copied to the system clipboard.
+ *
+ * <p>The prompt text is intentionally written in English rather than translated, as LLMs generally
+ * perform better with English input.
+ */
+@SuppressWarnings("serial")
+public class GenerateFixPromptMenu extends PopupMenuItemAlert {
+
+    private static final long serialVersionUID = 1L;
+
+    // Prompt text is not i18n - LLMs handle English better than other languages.
+    private static final String INTRO =
+            "A security scanner (ZAP by Checkmarx) has found a vulnerability in the application you are"
+                    + " working on. Please identify where in the codebase this vulnerability exists"
+                    + " and provide a fix.";
+    private static final String SYSTEMIC_NOTE =
+            "Note: This vulnerability appears to occur across the application - there may be"
+                    + " multiple instances that all need to be fixed.";
+    private static final String CLOSING =
+            "Please identify where in the codebase this vulnerability exists and provide a fix.";
+
+    private final CommonlibParam param;
+
+    public GenerateFixPromptMenu(CommonlibParam param) {
+        super(Constant.messages.getString("commonlib.alert.generatefixprompt.menu"), false);
+        this.param = param;
+    }
+
+    @Override
+    public void performAction(Alert alert) {
+        String prompt = buildPrompt(alert);
+        Toolkit.getDefaultToolkit()
+                .getSystemClipboard()
+                .setContents(new StringSelection(prompt), null);
+
+        if (param.isShowFixPromptCopiedDialog()) {
+            JCheckBox doNotShowAgain =
+                    new JCheckBox(
+                            Constant.messages.getString(
+                                    "commonlib.alert.generatefixprompt.donotshowagain"));
+            JOptionPane.showMessageDialog(
+                    View.getSingleton().getMainFrame(),
+                    new Object[] {
+                        Constant.messages.getString("commonlib.alert.generatefixprompt.copied"),
+                        " ",
+                        doNotShowAgain
+                    },
+                    Constant.messages.getString("commonlib.alert.generatefixprompt.title"),
+                    JOptionPane.INFORMATION_MESSAGE);
+            param.setShowFixPromptCopiedDialog(!doNotShowAgain.isSelected());
+        }
+    }
+
+    static String buildPrompt(Alert alert) {
+        StringBuilder sb = new StringBuilder();
+
+        sb.append(INTRO);
+        sb.append("\n\n");
+
+        boolean systemic =
+                alert.getTags() != null
+                        && alert.getTags().containsKey(CommonAlertTag.SYSTEMIC.getTag());
+        if (systemic) {
+            sb.append(SYSTEMIC_NOTE);
+            sb.append("\n\n");
+        }
+
+        sb.append("## Vulnerability\n\n");
+
+        appendField(sb, "Name", alert.getName());
+
+        int risk = alert.getRisk();
+        if (risk >= 0 && risk < Alert.MSG_RISK.length) {
+            appendField(sb, "Risk", Alert.MSG_RISK[risk]);
+        }
+
+        int confidence = alert.getConfidence();
+        if (confidence >= 0 && confidence < Alert.MSG_CONFIDENCE.length) {
+            appendField(sb, "Confidence", Alert.MSG_CONFIDENCE[confidence]);
+        }
+
+        appendField(sb, "URL", alert.getUri());
+        appendField(sb, "Method", alert.getMethod());
+        appendField(sb, "Parameter", alert.getParam());
+        appendField(sb, "Attack", alert.getAttack());
+        appendField(sb, "Evidence", alert.getEvidence());
+
+        appendSection(sb, "Description", alert.getDescription());
+        appendSection(sb, "Solution", alert.getSolution());
+        appendSection(sb, "References", alert.getReference());
+        appendSection(sb, "Other Information", alert.getOtherInfo());
+
+        sb.append("\n").append(CLOSING);
+
+        return sb.toString();
+    }
+
+    private static void appendField(StringBuilder sb, String label, String value) {
+        if (StringUtils.isNotBlank(value)) {
+            sb.append("**").append(label).append("**: ").append(value).append("\n");
+        }
+    }
+
+    private static void appendSection(StringBuilder sb, String heading, String value) {
+        if (StringUtils.isNotBlank(value)) {
+            sb.append("\n## ").append(heading).append("\n\n");
+            sb.append(value).append("\n");
+        }
+    }
+
+    @Override
+    public boolean isSafe() {
+        return true;
+    }
+}

addOns/commonlib/src/main/javahelp/help/contents/generate-fix-prompt.html

@@ -0,0 +1,63 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
+<html>
+<head>
+    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
+    <title>
+        Generate Fix Prompt
+    </title>
+</head>
+<body>
+<h1>Generate Fix Prompt</h1>
+
+The <strong>Generate Fix Prompt</strong> right-click menu option is available on alerts in the Alerts tab.
+It generates a prompt that you can paste into any Large Language Model (LLM) — such as ChatGPT, GitHub Copilot,
+or Claude — and ask it to fix the vulnerability in your codebase.
+
+<h2>Usage</h2>
+
+<ol>
+    <li>Right-click an alert in the Alerts tab.</li>
+    <li>Select <strong>Generate Fix Prompt</strong>.</li>
+    <li>The prompt is copied to your clipboard.</li>
+    <li>Paste it into your LLM of choice and review its suggested fix.</li>
+</ol>
+
+<h2>What the prompt contains</h2>
+
+The generated prompt includes all information ZAP has about the vulnerability:
+
+<ul>
+    <li><strong>Name</strong> — the alert name.</li>
+    <li><strong>Risk</strong> — Informational, Low, Medium, or High.</li>
+    <li><strong>Confidence</strong> — how confident ZAP is that the finding is a true positive.</li>
+    <li><strong>URL</strong> — the URL at which the vulnerability was found.</li>
+    <li><strong>Method</strong> — the HTTP method used (GET, POST, etc.).</li>
+    <li><strong>Parameter</strong> — the affected parameter, if applicable.</li>
+    <li><strong>Attack</strong> — the payload ZAP used to trigger the vulnerability, if applicable.</li>
+    <li><strong>Evidence</strong> — the string found in the response that confirmed the vulnerability, if applicable.</li>
+    <li><strong>Description</strong> — a full description of the vulnerability class.</li>
+    <li><strong>Solution</strong> — ZAP's recommended remediation guidance.</li>
+    <li><strong>References</strong> — links to further reading.</li>
+    <li><strong>Other Information</strong> — any additional context provided by the scan rule.</li>
+</ul>
+
+<h2>Systemic vulnerabilities</h2>
+
+Some scan rules raise <em>systemic</em> alerts — issues that tend to affect the whole application rather than a single
+endpoint, such as missing security headers or insecure cookie settings. When a systemic alert is detected the prompt
+includes a note telling the LLM that there may be multiple instances across the codebase that all need to be fixed.
+
+<h2>Confirmation dialog</h2>
+
+After the prompt is copied a confirmation dialog is shown. You can suppress this dialog in future by selecting
+<strong>Do not show this message again</strong> before dismissing it. This preference is saved in the ZAP
+configuration file and can be restored by resetting ZAP's options.
+
+<p>
+See also:
+<ul>
+    <li><a href="https://www.zaproxy.org/docs/desktop/ui/tabs/alerts/">Alerts tab</a></li>
+</ul>
+
+</body>
+</html>

addOns/commonlib/src/main/javahelp/help/map.jhm

@@ -7,4 +7,5 @@
     <mapID target="commonlib" url="contents/commonlib.html" />
     <mapID target="commonlib.output.panel" url="contents/output-panel.html" />
     <mapID target="commonlib.alert.tags" url="contents/alerttags.html" />
+    <mapID target="commonlib.alert.generatefixprompt" url="contents/generate-fix-prompt.html" />
 </map>

addOns/commonlib/src/main/javahelp/help/toc.xml

@@ -9,6 +9,7 @@
             <tocitem text="Common Library" target="commonlib">
                 <tocitem text="Tabbed Output Panel" target="commonlib.output.panel" />
                 <tocitem text="Alert Tags" target="commonlib.alert.tags" />
+                <tocitem text="Generate Fix Prompt" target="commonlib.alert.generatefixprompt" />
             </tocitem>
         </tocitem>
     </tocitem>

addOns/commonlib/src/main/resources/org/zaproxy/addon/commonlib/resources/Messages.properties

@@ -1,3 +1,8 @@
+commonlib.alert.generatefixprompt.copied = The fix prompt has been copied to the clipboard.\nYou can now paste it into an LLM to ask it to fix the vulnerability.
+commonlib.alert.generatefixprompt.donotshowagain = Do not show this message again
+commonlib.alert.generatefixprompt.menu = Generate Fix Prompt
+commonlib.alert.generatefixprompt.title = Fix Prompt Copied
+
 commonlib.desc = A library of shared functionality
 
 commonlib.name = Common Library