2.17 Headline changes and Alert details

Signed-off-by: Simon Bennetts <psiinon@gmail.com>

Author: psiinon

addOns/help/src/main/javahelp/contents/releases/2.17.0.html

@@ -11,25 +11,37 @@ <H1>Release 2.17.0</H1>
 
 This is a bug fix and enhancement release.
 
-TBC
-
 <H3>Alert De-duplication</H3>
-Changes have been made in order to reduce the number of alerts which ZAP may raise that are duplicaes or highly similar, more closely being aligned with the Sites Tree representation.
+Changes have been made in order to reduce the number of alerts which ZAP may raise that are duplicates or highly similar, more closely being aligned with the Sites Tree representation.
 See the <a href="https://www.zaproxy.org/blog/2025-09-30-alert-de-duplication/">Alert De-duplication blog</a> for further details.
 
 <H3>Systemic Alerts</H3>
-TBC
+Alerts that are typically site-wide will now be flagged as being "Systemic" in both the ZAP Desktop UI and in reports.
+<p>
+This can also significantly reduce the number of "duplicate" alerts reported.
+
+<H3>Insights</H3>
+A new "Insights" tab shows key information which is not related to vulnerabilities, or potentially even related to the application in question.
+<p>
+Insights tell you more about your applications, about the effectiveness of a scan, and can even stop a scan early if significant problems are identified.
+<p>
+Insights are also included in all of the official ZAP reports.
+
+<H3>Improved Disk and Memory Space Error Handling</H3>
+ZAP will now detect disk and memory space issues and attempt to handle them more gracefully.
+<p>
+Any problems encountered will be reported via the Insights.
+
+<H3>Automation Disk Space Reduction</H3>
+Active Scan Temporary HTTP Messages are no longer persisted by default when ZAP is run headless.
+This can significantly reduce the amount of disk space needed.
+<p>
+The option is also available in the Desktop but is turned off be default, so that the user can inspect them.
 
 <H3>Structured Reports ISO 8601 Standard Date</H3>
 The structured reports (JSON and XML) now have an ISO 8601 standard date field/attribute (“created”); 
 the existing “generatedString” field will be removed in the future.
 
-<H3>Active Scan Temporary HTTP Messages</H3>
-If this option is selected the active scanner will persist all HTTP messages sent while active scanning, which allows to further inspect them (e.g. custom passive scanners, manually).
-They are temporary and removed once the session is closed, for cases where the HTTP messages are not necessary it is advised to disable this option for performance reasons (I/O, disk space).
-<p>
-By default the HTTP messages are persisted unless in command line mode, where sessions are usually discarded once ZAP finishes.
-
 <H3>Dependency Updates</H3>
 
 As usual the release includes dependency updates.
@@ -45,6 +57,12 @@ <H2>Add-Ons</H2>
 <H3>Updated Add-Ons</H3>
 All of the add-ons included by default have been updated since the last full release.
 
+<H3>New Add-Ons</H3>
+
+<ul>
+  <li>Insights - as detailed above</li>
+</ul>
+
 <H2>Enhancements</H2>
 <ul>
 <li>TBC</li>

addOns/help/src/main/javahelp/contents/start/features/alerts.html

@@ -33,8 +33,123 @@ <H1>Alerts</H1>
 All alerts are listed in the <a href="../../ui/tabs/alerts.html">Alerts tab</a> 
 and a count of the total number of alerts by risk is shown in the <a href="../../ui/footer.html">footer</a>.
 </p>
+<p>
+The full set of alerts that ZAP can raise is available online at 
+<a href="https://www.zaproxy.org/docs/alerts/">https://www.zaproxy.org/docs/alerts/</a>
+</p>
+
+<a name="alertfields"></a><H2>Alert Fields</H2> 
+
+The following fields are supported.
+
+<a name="alert-name"></a><H3>Name</H3> 
+
+The name of the alert, for example "Cross Site Scripting (Reflected)"
+
+<a name="alert-url"></a><H3>URL</H3> 
+
+The URL related to the alert.
+
+<a name="alert-nodename"></a><H3>Node Name</H3> 
+
+A normalised version of the URL, which is also used in the <a href="sitestree.html">Sites Tree</a> 
+
+<a name="alert-risk"></a><H3>Risk</H3> 
+
+The relative severity of the alert.
+<p>
+One of:
+<ul>
+<li>Informational
+<li>Low
+<li>Medium
+<li>High
+</ul>
+
+The risk is automatically set for Alerts raised by ZAP.
+If you want to change the risk you can either do that manually for each alert or you can create an
+Alert Filter to do it automatically.
+
+<a name="alert-confidence"></a><H3>Confidence</H3> 
+
+The relative confidence in the alert.
+<p>
+One of:
+<ul>
+<li>False Positive
+<li>Low
+<li>Medium
+<li>High
+<li>Confirmed
+</ul>
+
+ZAP will not raise an alert with a confidence of either "False Positive" or "Confirmed".
+However you can set these levels either manually or via an Alert Filter.
+
+<a name="alert-param"></a><H3>Parameter</H3> 
+
+The name of the parameter that was attacked. 
+This will be empty for passive alerts or if the alert is not associated with a specific parameter.
+
+<a name="alert-attack"></a><H3>Attack</H3>
+
+The payload used to find the alert.
+This will be empty for passive alerts.
+
+<a name="alert-evidence"></a><H3>Evidence</H3>
+
+A string that appears in the request or response which was used to help identify the alert.
+This will be empty if there is no relevant string, for example for missing security headers.
+ 
+<a name="alert-cweid"></a><H3>CWE ID</H3> 
+
+The <a href="https://cwe.mitre.org/">Common Weakness Enumeration</a> ID.
+
+<a name="alert-wascid"></a><H3>WASC ID</H3> 
+
+The <a href="http://projects.webappsec.org/w/page/13246978/Threat%20Classification">Web Application Security Consortium</a> ID.
+
+<a name="alert-source"></a><H3>Source</H3> 
+
+The scan rule which raised the alert, if relevant.
+
+<a name="alert-alertref"></a><H3>Alert Reference</H3> 
+
+The ID of the rule which raised the alert, optionally followed by a dash and the alert instance.
+<p>
+All of the alerts raised by ZAP are listed on
+<a href="https://www.zaproxy.org/docs/alerts/">https://www.zaproxy.org/docs/alerts/</a>,
+and they all have a static page with a URL based on the Alert Reference.
+
+<a name="alert-input"></a><H3>Input Vector</H3> 
+
+The <a href="../../ui/dialogs/options/ascaninput.html">Active Scan Input Vector</a> used to identify the element attacked.
+This will be empty for passive alerts or if the alert is not associated with a specific parameter.
+
+<a name="alert-desc"></a><H3>Description</H3> 
+
+A detailed description of the alert. This will be the same text for all alert instances with the same reference.
+
+<a name="alert-other"></a><H3>Other Info</H3> 
+
+Alert specific information, which is potentially different for each alert raised.
+
+<a name="alert-solution"></a><H3>Solution</H3> 
+
+Potential solutions to the underlying problem. 
+Note that these solutions will be generic as ZAP does not access any source code. 
+This will be the same text for all alert instances with the same reference.
+
+<a name="alert-ref"></a><H3>Reference</H3> 
+
+A set of links to more information about the alert online.
+
+<a name="alert-tags"></a><H3>Alert Tags</H3> 
+
+The tags associated with the alert.
+The full set of tags supported are listed on <a href="https://www.zaproxy.org/alerttags/">https://www.zaproxy.org/alerttags/</a>.
 
-<a name="alertoverrides"></a><H2>Alert overrides</H2> 
+<a name="alertoverrides"></a><H2>Alert Overrides</H2> 
 
 Alerts raised by ZAP include both generic and specific information about the alerts raised.
 The specific information relates directly to the potential issue found, such as the URL and the parameter affected.