Blog: 2.16.0

Signed-off-by: Simon Bennetts <[email protected]>

site/content/blog/2025-01-09-zap-2-16-0/index.md

@@ -0,0 +1,109 @@
+---
+title: "ZAP 2.16.0"
+summary: "ZAP 2.16.0 has just been [released](/docs/desktop/releases/2.16.0/). It includes a brand new spider, detachable tabs, policy definitions, and lots more..."
+images:
+- https://www.zaproxy.org/blog/2025-01-09-zap-2-16-0/images/blog-2-16-0.png
+type: post
+tags:
+- blog
+- release
+date: "2025-01-09"
+authors:
+    - simon
+---
+ZAP 2.16.0 has just been [released](/docs/desktop/releases/2.16.0/)!
+
+![ZAPbot with 2.16.0 banner](images/blog-2-16-0.png)
+
+This release was made possible thanks to [Checkmarx](https://checkmarx.com/) 
+who employ 3 of the [Core Team](/docs/team/) to work fulltime on ZAP.
+
+This is a big release and includes many very singificant changes.
+Look out for new [Blog Posts](/blog/) and [Videos](/videos/) which will cover some of these new features in much more depth in the coming days and weeks.
+
+### Update to a Minimum of Java 17
+
+ZAP now requires a minimum of Java 17 to run. This allows us to use more modern Java features in the ZAP codebase.
+
+As a result of this move scripts which use the Nashorn JavaScript engine may no longer work, 
+this is because the engine is no longer present in Java 17.
+
+Any scripts configured to use Nashorn will automatically be changed to use the 
+[Graal.js](/docs/desktop/addons/graalvm-javascript/) JavaScript engine.
+However you may still need to migrate these scripts, see the 
+[Migration Guide from Nashorn to GraalJS](https://www.graalvm.org/latest/reference-manual/js/NashornMigrationGuide/).
+
+### Client Spider
+
+The [Client Integration](/docs/desktop/addons/client-side-integration/) add-on is now included as standard, and provides a new 
+[Client Spider](/docs/desktop/addons/client-side-integration/spider/).
+The Client Spider works in a similar way to the AJAX Spider but it has access to the DOM via the ZAP Browser Extension
+which means that it can find content which the AJAX Spider cannot find.
+
+While it is still at an early stage we believe it is a more effective approach than the AJAX Spider.
+We will be focussing on improving the Client Spider and the current plan is for it to supersede the AJAX Spider
+as the recommended way of crawling modern web apps.
+
+### Detachable Tabs
+
+You can now detach any of the ZAP desktop tabs so that they will appear in their own windows.
+This means that you can see more than one tab in the group at the same time, and allows you to distribute those windows
+across multiple monitors. 
+
+Just right click any tab to see the 'detach' option and close the tab window to return it to the main ZAP window.
+
+### Standard Policy Definitions
+
+We now have a standard set of active scan policy definitions which we recommend for use in specific situations.
+Using these definitions will just enable the most suitable active scan rules. This will speed up your active scans
+and will reduce noise. Some of the standard active scan rules are really targetted at pentesters, and these can waste 
+developers time.
+
+For more details see the new [Scan Policies](/docs/desktop/addons/scan-policies/) add-on.
+
+### Site Tree Export and Pruning
+
+We now have a standard format for representing the Sites Tree in a text file: 
+[Sites Tree Format](/docs/desktop/addons/import-export/sites-tree-format/) .
+This format uniquely identifies nodes in the Sites tree.
+While this might not sound particularly exciting, it does actually allow you to use ZAP to perform "differential" scans,
+i.e. only attacking endpoints that have changed. This means that ZAP can be used to perform really fast testing in CI/CD.
+
+### Sequence Scanning Updates
+
+The [Sequence Scanner](/docs/desktop/addons/sequence-scanner/) add-on has received
+significant attention. It now runs much more quickly and has full Automation Framework support.
+As a result it has been promoted to Beta status.
+
+### Passive Scanner Moved into an Add-On
+
+The passive scanner has now been moved into an add-on: [Passive Scanner](/docs/desktop/addons/passive-scanner/).
+We have an ongoing plan to move as much functionality out of the core as possible, as this allows us to push out fixes and
+enhancements much more quickly.
+
+### Automation Framework Enhancements
+
+The [Automation Framework](/docs/automate/automation-framework/) has a set of new jobs:
+
+* [activeScan-config](/docs/desktop/addons/automation-framework/job-ascanconfig/) This job configures the active scanner, for custom active scans (e.g. Sequence).
+* [activeScan-policy](/docs/desktop/addons/automation-framework/job-ascanpolicy/) This job defines an active scan policy.
+* [spiderClient](/docs/desktop/addons/client-side-integration/automation/) This job allows you to run the client spider.
+* [exitStatus](/docs/desktop/addons/automation-framework/job-exitstatus/) This job sets ZAP's exit code based on scan results.
+* [sequence-import](/docs/desktop/addons/sequence-scanner/automation/) This job allows you to create a sequence from an HAR file.
+* [sequence-activeScan](/docs/desktop/addons/sequence-scanner/automation/) This job allows you to active scan sequences.
+
+### Checkmarx Rebranding
+
+This release is the first full release with the "ZAP by Checkmarx" branding.
+
+### Docker Hub Organisation Deprecation
+
+We will not use the [softwaresecurityproject](https://hub.docker.com/u/softwaresecurityproject) org for 2.16.0 or following releases.
+
+If you still use this org then please switch to [zaproxy](https://hub.docker.com/u/zaproxy).
+
+### Release Notes
+
+See the [release notes](/docs/desktop/releases/2.16.0/) for dependency updates, other enhancements, and fixes.  
+
+Thank you to everyone who contributed to this release.

site/content/docs/automate/automation-framework.md

@@ -34,8 +34,11 @@ The framework supports:
 The full set of jobs currently supported by the framework and other add-ons are:
 
 * [activeScan](/docs/desktop/addons/automation-framework/job-ascan/) - runs the active scanner
+* [activeScan-config](/docs/desktop/addons/automation-framework/job-ascanconfig/) - configures the active scanner, for custom active scans (e.g. Sequence)
+* [activeScan-policy](/docs/desktop/addons/automation-framework/job-ascanpolicy/) - defines an active scan policy
 * [alertFilter](/docs/desktop/addons/alert-filters/automation/) - alert filter configuration, provided with the [Alert Filters](/docs/desktop/addons/alert-filters/) add-on
 * [delay](/docs/desktop/addons/automation-framework/job-delay/) - waits for a specified time or until a condition is met
+* [exitStatus](/docs/desktop/addons/automation-framework/job-exitstatus/) - sets ZAP's exit code based on scan results
 * [graphql](/docs/desktop/addons/graphql-support/automation/) - GraphQL schema import, provided with the [GraphQL](/docs/desktop/addons/graphql-support/) add-on
 * [import](/docs/desktop/addons/import-export/automation/) - allows you to import HAR(HTTP Archive File), ModSecurity2 Logs, ZAP Messages or a file containing URLs locally
 * [openapi](/docs/desktop/addons/openapi-support/automation/) - OpenAPI definition import, provided with the [OpenAPI](/docs/desktop/addons/openapi-support/) add-on
@@ -46,9 +49,12 @@ The full set of jobs currently supported by the framework and other add-ons are:
 * [report](/docs/desktop/addons/report-generation/automation/) - report generation, provided with the [Report Generation](/docs/desktop/addons/report-generation/) add-on
 * [requestor](/docs/desktop/addons/automation-framework/job-requestor/) - sends specific requests to targets
 * [script](/docs/desktop/addons/script-console/automation/) - adds, removes and runs scripts
+* [sequence-activeScan](/docs/desktop/addons/sequence-scanner/automation/) - allows you to active scan sequences
+* [sequence-import](/docs/desktop/addons/sequence-scanner/automation/) - allows you to create a sequence from an HAR file
 * [soap](/docs/desktop/addons/soap-support/automation/) - SOAP WSDL import, provided with the [SOAP](/docs/desktop/addons/soap-support/) add-on
 * [spider](/docs/desktop/addons/automation-framework/job-spider/) - runs the traditional spider
 * [spiderAjax](/docs/desktop/addons/ajax-spider/automation/) - runs the ajax spider, provided with the [Ajax Spider](/docs/desktop/addons/ajax-spider/) add-on
+* [spiderClient](/docs/desktop/addons/client-side-integration/automation/) - allows you to run the client spider
 
 For details of future changes planned see the [tracker issue](https://github.com/zaproxy/zaproxy/issues/6461).
 
@@ -57,8 +63,7 @@ For details of future changes planned see the [tracker issue](https://github.com
 The [addOns](/docs/desktop/addons/automation-framework/job-addons/) job has been found to cause
 problems when updating add-ons which are defined in the current plan. This job has been depreciated and no longer does anything.
 
-From 2.12 you can use the standard ZAP [command line](/docs/desktop/cmdline/) 
-options with the AF `-autorun` option:
+You can use the standard ZAP [command line](/docs/desktop/cmdline/) options with the AF `-autorun` option:
 
 * `-addoninstall <addOnId>` to install an add-on
 * `-addonuninstall <addOnId>` to uninstall an add-on
@@ -76,14 +81,12 @@ You can use `-addoninstall` and `-addonuninstall` as many times as you need:
 
 ### Exit Value
 
-If you run the framework from the command line then ZAP will exit with:
+If you run the framework from the command line then ZAP will by default exit with:
 
 * 0: The plan ran without any problems reported
 * 1: The plan failed with an error
 * 2: The plan ran but there were warnings
 
 The framework will exit with `2` if there are warnings even if the [environment](/docs/desktop/addons/automation-framework/environment/) `failOnWarning` parameter is set to `false`.
-If you need ZAP to exit with `0` in this case then you can run ZAP with a Linux / macOS command line like:
-
-* `bash -c "./zap.sh -cmd -autorun /path/to/your/af-plan.yaml" || [ $? -ne 1 ]`
 
+The [exitStatus](/docs/desktop/addons/automation-framework/job-exitstatus/) job allows you to set ZAP's exit code based on scan results.

site/content/faq/what-operating-systems-are-supported.md

@@ -5,9 +5,7 @@ category: Technologies Supported
 weight: 7
 ---
 
-ZAP should run on all operating systems that support Java 11 - it can even run
+ZAP should run on all operating systems that support Java 17 - it can even run
 on a [Raspberry Pi](/blog/2022-08-25-zap-on-raspberry-pi/)!
 
-Note that the next version of ZAP (2.16.0) will require a minimum of Java 17.
-
 If you experience any problems running ZAP then please report them to us.

site/content/faq/what-versions-of-java-are-supported.md

@@ -6,7 +6,7 @@ weight: 2
 ---
 
 ZAP should be able to run with all/newer Java versions, but might require a minimum for certain ZAP versions:
-- ZAP 2.16.0 and later will require a minimum of Java 17
+- ZAP 2.16.0 and later requires a minimum of Java 17
 - ZAP 2.12.0 and later requires a minimum of Java 11
 - ZAP 2.7.0 and later requires a minimum of Java 8
 - ZAP 2.0.0 and later requires a minimum of Java 7

site/data/download/c_main.yml

@@ -4,7 +4,7 @@ title: ZAP 2.15.0
 info:
   - Most of the files contain the default set of functionality, and you can add more functionality at any time via the [ZAP Marketplace](/addons/).
   - The core package contains the minimal set of functionality you need to get you started.
-  - The Windows and Linux versions require [Java 11 or higher](https://adoptium.net/) to run.
-  - The macOS version includes Java 11 - you can use the Linux or Cross Platform versions if you do not want to download this.
+  - The Windows and Linux versions require [Java 17 or higher](https://adoptium.net/) to run.
+  - The macOS version includes Java 17 - you can use the Linux or Cross Platform versions if you do not want to download this.
   - The installers are built using a [multi-platform installer builder](https://www.ej-technologies.com/products/install4j/overview.html) which provides an [unattended mode](https://www.ej-technologies.com/resources/install4j/help/doc/installers/installerModes.html).
   - For more information about this release see the [release notes](/docs/desktop/releases/2.15.0/).