LLM Integration #5861

Open: wants to merge 9 commits into main

Conversation

@TmmmmmR TmmmmmR commented Oct 30, 2024

Overview

This extension integrates LLM with ZAP and includes two main features:

  • API Sequencing: Import Swagger/OpenAPI definitions to generate sequences of HTTP calls for subsequent scanning operations.
  • Alert Review: Examine an alert and determine the confidence level based on evidence from ZAP, complete with an explanation for the updated confidence level.

Related Issues

Specify any related issues or pull requests by linking to them.

Checklist

  • Update help
  • Update changelog
  • Run ./gradlew spotlessApply for code formatting
  • Write tests
  • Check code coverage
  • Sign-off commits
  • Squash commits
  • Use a descriptive title

For more details, please refer to the developer rules and guidelines.


github-actions bot commented Oct 30, 2024

All contributors have signed the CLA ✍️ ✅
Posted by the CLA Assistant Lite bot.

@kingthorin kingthorin (Member) left a comment

I'll have to finish the rest of my review in a bit, but here's some starting bits.

Comment on lines 167 to 175
getExtAlert().updateAlert(updatedAlert);
getExtAlert().updateAlertInTree(originalAlert, updatedAlert);
if (alert.getHistoryRef() != null) {
alert.getHistoryRef().updateAlert(updated_alert);
alert.getHistoryRef().updateAlert(updatedAlert);
if (alert.getHistoryRef().getSiteNode() != null) {
// Needed if the same alert was raised on another href for the same
// SiteNode
alert.getHistoryRef().getSiteNode().updateAlert(updated_alert);
alert.getHistoryRef().getSiteNode().updateAlert(updatedAlert);
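Review bot: the adjacent pairs `alert.getHistoryRef().updateAlert(updated_alert);` / `alert.getHistoryRef().updateAlert(updatedAlert);` and the matching `getSiteNode()` pair read as a rename from `updated_alert` to `updatedAlert`; check that only the camelCase call survives in each place, because a leftover duplicate applies the same update twice and `updated_alert` breaks Java naming convention. The null-guarded `HistoryReference` and `SiteNode` updates that follow `getExtAlert().updateAlert(updatedAlert)` and `updateAlertInTree(originalAlert, updatedAlert)` also need a comment stating why each store must be updated separately; the existing `// Needed if the same alert was raised on another href for the same SiteNode` explains only the last one, so the next reader will ask the same question this thread does.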
@kingthorin (Member)

I'm confused about these conditionals and doing the same action over and over, shouldn't the call at 167 have done it regardless of the conditions?

@TmmmmmR TmmmmmR (Author) Oct 31, 2024

I don't know why, but without this I get this exception when I do alert review for a node of alerts:

java.lang.ArrayIndexOutOfBoundsException: Index -1 out of bounds for length 10

I used the same code from this extension : https://github.com/zaproxy/zap-extensions/blob/main/addOns/alertFilters/src/main/java/org/zaproxy/zap/extension/alertFilters/ExtensionAlertFilters.java#L459

@TmmmmmR (Author)

@kingthorin: do you see another way to walk through alerts?

@kingthorin (Member)

This is the "normal" loop we use for reading. I guess part of the problem you're encountering might be timing with the updates. I'd have to play with it and see if your conditions can be simplified or worked around somehow.

https://github.com/zaproxy/community-scripts/blob/main/standalone/Loop%20through%20alerts.js
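The exception above and the suspicion that it is timing-related are not resolved on this page. As an added illustration (not ZAP's or the add-on's code), the model below shows one way a loop that rewrites alert confidence ends up with an index of -1: when the same alert object is held in more than one store (in ZAP the alert tree and the history reference; here two plain arrays sharing objects) and only one store is updated, a later lookup by object identity from the stale store returns -1. The second routine walks a snapshot, matches alerts by a stable id, updates every store, and returns the per-alert change with the explanation the feature is meant to attach. The alert fields, the confidence scale, and the rule standing in for the LLM review are constructed sample data and assumptions.

```javascript
// Added illustration, not ZAP or add-on code.  Two plain arrays stand in for
// the places ZAP keeps an alert (the alert tree and the history reference);
// the "review" step is a fixed rule standing in for the LLM call so it runs
// offline.

const CONFIDENCE = { FALSE_POSITIVE: 0, LOW: 1, MEDIUM: 2, HIGH: 3, CONFIRMED: 4 };

// Constructed sample data: three alerts on one node, all raised at MEDIUM.
// Both stores hold the *same* objects, as a tree and a history list would.
function makeStores() {
  const alerts = [
    { id: 1, name: "SQL Injection", confidence: CONFIDENCE.MEDIUM,
      evidence: "You have an error in your SQL syntax" },
    { id: 2, name: "X-Frame-Options Header Not Set", confidence: CONFIDENCE.MEDIUM,
      evidence: "" },
    { id: 3, name: "Cross Site Scripting (Reflected)", confidence: CONFIDENCE.MEDIUM,
      evidence: "<script>alert(1)</script>" },
  ];
  return { tree: alerts.slice(), history: alerts.slice() };
}

// Stand-in reviewer (assumed rule): evidence captured -> HIGH, none -> LOW,
// plus the explanation that accompanies the new confidence.
function reviewConfidence(alert) {
  return alert.evidence
    ? { confidence: CONFIDENCE.HIGH, explanation: `evidence present: ${alert.evidence}` }
    : { confidence: CONFIDENCE.LOW, explanation: "no evidence captured in the response" };
}

// Replace an alert located by object identity; -1 means the store does not
// hold that object.  The thrown message mirrors the Java one in the thread.
function replaceByIdentity(store, original, updated) {
  const idx = store.indexOf(original);
  if (idx === -1) {
    throw new RangeError(`Index ${idx} out of bounds for length ${store.length}`);
  }
  store[idx] = updated;
}

// Hazard: updating one store only.  The tree now holds new objects while the
// history list still holds the originals, so the next pass that takes an
// alert from history and looks it up in the tree by identity fails.
function reviewTreeOnly(stores) {
  for (const alert of stores.history) {
    replaceByIdentity(stores.tree, alert, { ...alert, ...reviewConfidence(alert) });
  }
  try {
    for (const alert of stores.history) {      // e.g. a tree refresh from history
      replaceByIdentity(stores.tree, alert, alert);
    }
    return null;
  } catch (e) {
    return e.message;                           // "Index -1 out of bounds for length 3"
  }
}

// Fix: match by stable id rather than identity, and update every store that
// holds the alert.
function replaceById(store, updated) {
  const idx = store.findIndex((a) => a.id === updated.id);
  if (idx === -1) {
    throw new RangeError(`alert ${updated.id} not present in store`);
  }
  store[idx] = updated;
}

// Walk a snapshot (never the list being mutated), update all stores, and
// return the change list with explanations.
function reviewAllStores(stores) {
  const changes = [];
  for (const alert of stores.history.slice()) {
    const review = reviewConfidence(alert);
    const updated = { ...alert, confidence: review.confidence };
    for (const store of [stores.tree, stores.history]) replaceById(store, updated);
    changes.push({ id: alert.id, from: alert.confidence, to: updated.confidence,
                   explanation: review.explanation });
  }
  return changes;
}
```

Run with node: reviewTreeOnly(makeStores()) returns the -1 message instead of crashing, and reviewAllStores(makeStores()) returns three changes with both stores pointing at the same updated objects. Whether this is the actual cause of the ZAP exception still has to be confirmed in the add-on itself.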

@kingthorin kingthorin (Member) left a comment

Should only have the base help and messages.

@kingthorin (Member)

There's likely a bunch of places swagger should be replaced with openapi.

https://swagger.io/blog/api-strategy/difference-between-swagger-and-openapi/

@yns000 yns000 commented Nov 8, 2024

Hi TmmmmmR,

I started my review on this, but ended up having a few questions. Can I propose we set up a meeting between yourself and the 2 reviewers so that we can see a demo of the add-on?

Thank you,
Yiannis

@TmmmmmR TmmmmmR (Author) commented Nov 11, 2024

Hello @yns000, yes of course! I'm available on Slack under the dev-llm channel, my username is temmar.

@TmmmmmR TmmmmmR (Author) commented Nov 20, 2024

I have read the CLA Document and I hereby sign the CLA.

@psiinon psiinon (Member) commented Dec 20, 2024

You'll need to add "llm" here https://github.com/zaproxy/zap-extensions/pull/5861/files otherwise it can't be deployed.
I've done that locally and I can see the extension in ZAP but I can't see any GUI changes for it. I'll look into that some more.

@psiinon psiinon (Member) left a comment

Added some comments which should get the help displayed correctly

PUBLIC "-//Sun Microsystems Inc.//DTD JavaHelp HelpSet Version 2.0//EN"
"http://java.sun.com/products/javahelp/helpset_2_0.dtd">
<helpset version="2.0" xml:lang="en-GB">
<title>Simple Example Add-On</title>
@psiinon (Member)

-> LLM Integration (or something like that)

<title>Simple Example Add-On</title>

<maps>
<homeID>top</homeID>
@psiinon (Member)

top -> addon.llm


<index version="2.0">
<!-- index entries are merged (sorted) into core index -->
<indexitem text="simple" target="simple" />
@psiinon (Member)

<indexitem text="llm" target="addon.llm" />

"http://java.sun.com/products/javahelp/map_1_0.dtd">

<map version="1.0">
<mapID target="simple-icon" url="contents/images/cake.png" />
@psiinon (Member)

all instances of simple -> llm. Will need a new icon - I'll look for something suitable 😁 Probably don't need the about.html page?

<toc version="2.0">
<tocitem text="ZAP User Guide" tocid="toplevelitem">
<tocitem text="Add Ons" tocid="addons">
<tocitem text="Simple Example" image="simple-icon" target="simple">
@psiinon (Member)

Simple > LLM, simple -> llm and drop the about.html page?

@@ -0,0 +1,23 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
@psiinon (Member)

This file is probably not really needed?
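Assembled from psiinon's review comments above as an added illustration, not the PR's own files: the four help descriptors with "simple" renamed to "llm", the title set to "LLM Integration", the home ID and index target set to addon.llm, and about.html dropped. The file names (helpset.hs, map.jhm, index.xml, toc.xml), the `mapref` element, the `contents/llm.html` page path and the icon file name are assumptions; the DOCTYPE declarations shown in the snippets are left out so the fragments can sit in one block. Note that the toc comment literally says `simple -> llm`, while the index and home ID use `addon.llm`; every `target` must name an ID that exists in the map, so one value has to be chosen and used everywhere (addon.llm here).

```xml
<!-- helpset.hs (assumed name): title and home ID -->
<helpset version="2.0" xml:lang="en-GB">
  <title>LLM Integration</title>
  <maps>
    <homeID>addon.llm</homeID>
    <mapref location="map.jhm" />   <!-- assumed; standard JavaHelp reference to the map -->
  </maps>
  <!-- the <view> entries for TOC, index and search stay as generated -->
</helpset>

<!-- index.xml (assumed name): entry merged into the core index -->
<index version="2.0">
  <!-- index entries are merged (sorted) into core index -->
  <indexitem text="llm" target="addon.llm" />
</index>

<!-- map.jhm (assumed name): IDs the other files refer to.
     contents/llm.html and the icon file name are assumptions; there is no about.html target. -->
<map version="1.0">
  <mapID target="addon.llm" url="contents/llm.html" />
  <mapID target="llm-icon" url="contents/images/llm.png" />
</map>

<!-- toc.xml (assumed name): the add-on's entry under Add Ons -->
<toc version="2.0">
  <tocitem text="ZAP User Guide" tocid="toplevelitem">
    <tocitem text="Add Ons" tocid="addons">
      <tocitem text="LLM" image="llm-icon" target="addon.llm" />
    </tocitem>
  </tocitem>
</toc>
```

A quick consistency check before building: every `target` and `image` value in toc.xml and index.xml, and the `homeID`, must appear as a `mapID target` in map.jhm, and every `url` in the map must exist under the help directory; an unresolved target is what leaves the help page missing even though the add-on loads.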

4 participants