Added the SRM into the new AddOn Template

.gitignore

@@ -22,4 +22,6 @@ gradle-app.setting
 *.classpath
 *.project
 *.settings
+*.idea
 /bin
+

README.md

@@ -1,17 +1,24 @@
-# ZAP Template Java Add-on
+[![License](https://img.shields.io/badge/license-Apache%202-4EB1BA.svg)](https://www.apache.org/licenses/LICENSE-2.0.html)
+[![CodeQL](https://github.com/zaproxy/zap-extensions/actions/workflows/codeql.yml/badge.svg)](https://github.com/zaproxy/zap-extensions/actions/workflows/codeql.yml)
+[![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=zaproxy_zap-extensions&metric=alert_status)](https://sonarcloud.io/dashboard?id=zaproxy_zap-extensions)
 
-A template repo for a 3rd party [ZAP](https://www.zaproxy.org) Java add-on.
+This project contains add-ons for the [Zed Attack Proxy](https://github.com/zaproxy/zaproxy) (ZAP).
 
-If you'd like to create your own ZAP add-on which could be published to the [ZAP Marketplace](https://www.zaproxy.org/addons/) then copy this repo and make the following changes:
+If you are using the latest version of ZAP, you can browse and download "Software Risk Manager Extension" directly from within ZAP by clicking the Marketplace button in the toolbar.
+This specific add-on is Software Risk Manager (SRM), and you can find it in the Marketplace under the name “Software Risk Manager Extension”.
 
-1. Rename the `youruser` directories to be your github name (or choose another package hierarchy which works better for you).
+![Image](https://github.com/zaproxy/zap-extensions/wiki/images/zap-screenshot-browse-addons.png)
 
-1. Change the add-on ID `addonjava` to be a new ID which is not already on the [ZAP Marketplace](https://www.zaproxy.org/addons/).
+You can also import add-ons you have downloaded manually from https://github.com/zaproxy/zap-extensions/releases via the "File / Load Add-on File..." menu option.
 
-1. Change the code and help files to do whatever you want :smiley:
+Please see the [wiki](https://github.com/zaproxy/zap-extensions/wiki) for more details.
 
-1. Deploy and test your app locally, e.g. using `./gradlew copyZapAddon`
+## Building
 
-1. Optional: Raise an [Issue](https://github.com/zaproxy/zaproxy/issues/new?assignees=&labels=marketplace&template=third-party-addon.yml) to get your add-on published on the [ZAP Marketplace](https://www.zaproxy.org/addons/).
+The add-ons are built with [Gradle], each add-on has its own project which is located under the `addOns` project/directory.
 
-For more info on developing ZAP add-ons see https://www.zaproxy.org/docs/developer/
+To build zap-extensions follow the instructions on:
+
+https://www.zaproxy.org/docs/developer/quick-start-build/
+
+[Gradle]: https://gradle.org/

build.gradle.kts

@@ -8,21 +8,24 @@ plugins {
     id("org.zaproxy.common")
 }
 
-description = "A template for a 3rd party ZAP Java add-on."
+description = (
+    "Includes request and response data in XML reports and provides the ability " +
+        "to upload reports directly to a Software Risk Manager server"
+)
 
 zapAddOn {
-    addOnId.set("addonjava")
-    addOnName.set("A Template Java Add-on")
+    addOnId.set("srm")
+    addOnName.set("Software Risk Manager Extension")
     zapVersion.set("2.16.0")
     addOnStatus.set(AddOnStatus.ALPHA)
 
     releaseLink.set("https://github.com/youruser/javaexample/compare/v@[email protected]@CURRENT_VERSION@")
     unreleasedLink.set("https://github.com/youruser/javaexample/compare/v@[email protected]")
 
     manifest {
-        author.set("ZAP Dev Team")
-        url.set("https://www.zaproxy.org/docs/desktop/addons/addonjava/")
-        repo.set("https://github.com/zaproxy/addon-java")
+        author.set("Black Duck, Inc.")
+        url.set("https://www.zaproxy.org/docs/desktop/addons/software-risk-manager/")
+        repo.set("https://github.com/codedx/srm-zap-extension/")
         changesFile.set(tasks.named<ConvertMarkdownToHtml>("generateManifestChanges").flatMap { it.html })
 
         dependencies {
@@ -35,18 +38,24 @@ zapAddOn {
     }
 }
 
+dependencies {
+    compileOnly("org.zaproxy.addon:commonlib:1.36.0")
+    implementation("org.apache.httpcomponents:httpmime:4.5.13")
+    implementation("com.googlecode.json-simple:json-simple:1.1.1") {
+        // Not needed.
+        exclude(group = "junit")
+    }
+}
+
 java {
     val javaVersion = JavaVersion.VERSION_17
     sourceCompatibility = javaVersion
     targetCompatibility = javaVersion
 }
 
 spotless {
-    kotlinGradle {
-        ktlint()
+    java {
+        // Don't check license nor format/style, 3rd-party add-on.
+        clearSteps()
     }
 }
-
-dependencies {
-    compileOnly("org.zaproxy.addon:commonlib:1.36.0")
-}

gradle.properties

@@ -1,2 +1,2 @@
-version=0.1.0
+version=2025.9.0
 release=false

settings.gradle.kts

@@ -1,6 +1,13 @@
+pluginManagement {
+    repositories {
+        mavenCentral()
+        gradlePluginPortal()
+    }
+}
+
 plugins {
     id("org.zaproxy.common.settings") version "0.5.0"
     id("com.diffplug.spotless") version "6.25.0" apply false
 }
 
-rootProject.name = "addon-java"
+rootProject.name = "zap-srm-addon"

src/main/java/com/blackduck/zap/srm/ExtensionAlertHttp.java

@@ -0,0 +1,105 @@
+/*
+ * Zed Attack Proxy (ZAP) and its related class files.
+ *
+ * ZAP is an HTTP/HTTPS proxy for assessing web application security.
+ *
+
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.blackduck.zap.srm;
+
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+import org.parosproxy.paros.Constant;
+import org.parosproxy.paros.core.scanner.Alert;
+import org.parosproxy.paros.model.SiteNode;
+import org.parosproxy.paros.network.HttpMessage;
+
+import java.util.List;
+
+public class ExtensionAlertHttp {
+
+	private static final Logger LOGGER = LogManager.getLogger(ExtensionAlertHttp.class);
+
+	public ExtensionAlertHttp() {
+	}
+
+	public String getXml(SiteNode site) {
+		StringBuilder xml = new StringBuilder();
+		xml.append("<alerts>");
+		List<Alert> alerts = site.getAlerts();
+		for (Alert alert : alerts) {
+			if (alert.getConfidence() != Alert.CONFIDENCE_FALSE_POSITIVE) {
+				String urlParamXML = getUrlParamXML(alert);
+				xml.append(alert.toPluginXML(urlParamXML));
+			}
+		}
+		xml.append("</alerts>");
+		return xml.toString();
+	}
+
+	private String getHTML(Alert alert) {
+		// gets HttpMessage request and response data from each alert and removes illegal and
+		// special characters
+		StringBuilder httpMessage = new StringBuilder();
+
+		HttpMessage message = alert.getMessage();
+
+		if (message == null) {
+			LOGGER.warn(Constant.messages.getString("srm.error.httpMessage", alert.getAlertId()));
+			return httpMessage.toString();
+		}
+
+		String requestHeader = message.getRequestHeader().toString();
+		String requestBody = message.getRequestBody().toString();
+		String responseHeader = message.getResponseHeader().toString();
+		String responseBody = message.getResponseBody().toString();
+
+		httpMessage.append("<requestdata>");
+		httpMessage.append(ReportGenerator.entityEncode(requestHeader));
+		httpMessage.append(ReportGenerator.entityEncode(requestBody));
+		httpMessage.append("\n</requestdata>\n");
+		httpMessage.append("<responsedata>");
+		httpMessage.append(ReportGenerator.entityEncode(responseHeader));
+		httpMessage.append(ReportGenerator.entityEncode(responseBody));
+		httpMessage.append("\n</responsedata>\n");
+
+		return httpMessage.toString();
+	}
+
+	public String getUrlParamXML(Alert alert) {
+
+		String uri = alert.getUri();
+		String param = alert.getParam();
+		String attack = alert.getAttack();
+		String otherInfo = alert.getOtherInfo();
+		String evidence = alert.getEvidence();
+
+		StringBuilder sb = new StringBuilder(200); // ZAP: Changed the type to StringBuilder.
+		sb.append(getHTML(alert));
+		sb.append("  <uri>").append(ReportGenerator.entityEncode(uri)).append("</uri>\r\n");
+		sb.append("  <param>").append(ReportGenerator.entityEncode(param)).append("</param>\r\n");
+		sb.append("  <attack>")
+				.append(ReportGenerator.entityEncode(attack))
+				.append("</attack>\r\n");
+		if (evidence != null && evidence.length() > 0) {
+			sb.append("  <evidence>")
+					.append(ReportGenerator.entityEncode(evidence))
+					.append("</evidence>\r\n");
+		}
+		sb.append("  <otherinfo>")
+				.append(ReportGenerator.entityEncode(otherInfo))
+				.append("</otherinfo>\r\n");
+		return sb.toString();
+	}
+}