pass otherinfo to llm

Signed-off-by: Najam Ul Saqib <[email protected]>

Author: njmulsqb

addOns/llm/src/main/java/org/zaproxy/addon/llm/services/LlmAssistant.java

@@ -34,22 +34,45 @@ public interface LlmAssistant {
             "As a software architect, and based on your previous answer, generate other potential missing endpoints that are not mentioned in the OpenAPI file. For example, if there is GET /product/1, suggest DELETE /product/1 if it's not mentioned")
     HttpRequestList complete();
 
-    @SystemMessage(
-            "You are a web application security expert reviewing potential false positives. Answer only in JSON.")
-    @UserMessage(
-            "Your task is to review the following finding from ZAP (Zed Attack Proxy).\n"
-                    + "The confidence level is a pull down field which allows you to specify how confident you are in the validity of the finding : \n"
-                    + "- 0 if it's False Positive\n"
-                    + "- 1 if it's Low\n"
-                    + "- 2 if it's Medium\n"
-                    + "- 3 if it's High\n"
-                    + "\n"
-                    + "The alert is described as follows : {{description}}\n"
-                    + "\n"
-                    + "As evidence, the HTTP response contains :\n"
-                    + "---\n"
-                    + "{{evidence}}\n"
-                    + "---\n"
-                    + "Provide a short consistent explanation of the new score.\n")
+    static final String ALERT_REVIEW_SYSTEM_MSG =
+            "You are a web application security expert reviewing potential false positives. Answer only in JSON.";
+    static final String ALERT_REVIEW_GOAL =
+            "Provide a short consistent explanation of the new score.\n";
+    static final String ALERT_REVIEW_PROMPT =
+            """
+            Your task is to review the following finding from ZAP (Zed Attack Proxy).
+            The confidence level is a pull down field which allows you to specify how confident you are in the validity of the finding:
+            - 0 if it's False Positive
+            - 1 if it's Low
+            - 2 if it's Medium
+            - 3 if it's High
+
+            The alert is described as follows : {{description}}
+
+            As evidence, the HTTP response contains:
+            ---
+            {{evidence}}
+            ---
+            """
+                    + ALERT_REVIEW_GOAL;
+
+    static final String ALERT_REVIEW_OTHERINFO_PROMPT =
+            ALERT_REVIEW_PROMPT
+                    + """
+                    Also, here's some additional information that may be useful for you to reach your conclusion:
+                    ---
+                    {{otherinfo}}
+                    """
+                    + ALERT_REVIEW_GOAL;
+
+    @SystemMessage(ALERT_REVIEW_SYSTEM_MSG)
+    @UserMessage(ALERT_REVIEW_PROMPT)
     Confidence review(@V("description") String description, @V("evidence") String evidence);
+
+    @SystemMessage(ALERT_REVIEW_SYSTEM_MSG)
+    @UserMessage(ALERT_REVIEW_OTHERINFO_PROMPT)
+    Confidence review(
+            @V("description") String description,
+            @V("evidence") String evidence,
+            @V("otherinfo") String otherinfo);
 }

addOns/llm/src/main/java/org/zaproxy/addon/llm/services/LlmCommunicationService.java

@@ -36,6 +36,7 @@
 import java.util.Map;
 import java.util.stream.Collectors;
 import org.apache.commons.httpclient.util.HttpURLConnection;
+import org.apache.commons.lang3.StringUtils;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import org.parosproxy.paros.Constant;
@@ -75,6 +76,9 @@ public LlmCommunicationService(LlmOptions options) {
         requestor = new Requestor(HttpSender.MANUAL_REQUEST_INITIATOR, new HistoryPersister());
     }
 
+    /** For testing purposes only. */
+    LlmCommunicationService() {}
+
     private ChatLanguageModel buildModel(LlmOptions options) {
         return switch (options.getModelProvider()) {
             case AZURE_OPENAI ->
@@ -170,7 +174,13 @@ public void reviewAlert(Alert alert) {
             LOGGER.debug("Reviewing alert : {}", alert.getName());
             LOGGER.debug("Confidence level from ZAP : {}", alert.getConfidence());
             Stats.incCounter("stats.llm.alertreview.call");
-            llmConfidence = llmAssistant.review(alert.getDescription(), alert.getEvidence());
+            if (StringUtils.isBlank(alert.getOtherInfo())) {
+                llmConfidence = llmAssistant.review(alert.getDescription(), alert.getEvidence());
+            } else {
+                llmConfidence =
+                        llmAssistant.review(
+                                alert.getDescription(), alert.getEvidence(), alert.getOtherInfo());
+            }
 
             if (llmConfidence.getLevel() == alert.getConfidence()) {
                 Stats.incCounter("stats.llm.alertreview.result.same");
@@ -206,7 +216,7 @@ public void reviewAlert(Alert alert) {
         }
     }
 
-    private static boolean isPreviouslyReviewed(Alert alert) {
+    static boolean isPreviouslyReviewed(Alert alert) {
         return !alert.getTags().containsKey(AI_REVIEWED_TAG_KEY);
     }
 
@@ -218,4 +228,9 @@ private static String getUpdatedOtherInfo(Alert alert, Confidence llmConfidence)
     private static ExtensionAlert getExtAlert() {
         return Control.getSingleton().getExtensionLoader().getExtension(ExtensionAlert.class);
     }
+
+    /* For testing purposes. Not intended for regular use. */
+    void setAssistant(LlmAssistant assistant) {
+        this.llmAssistant = assistant;
+    }
 }

addOns/llm/src/test/java/org/zaproxy/addon/llm/services/LlmCommunicationServiceUnitTest.java

@@ -0,0 +1,104 @@
+/*
+ * Zed Attack Proxy (ZAP) and its related class files.
+ *
+ * ZAP is an HTTP/HTTPS proxy for assessing web application security.
+ *
+ * Copyright 2025 The ZAP Development Team
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.zaproxy.addon.llm.services;
+
+import static org.mockito.ArgumentMatchers.anyString;
+import static org.mockito.BDDMockito.given;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.never;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.withSettings;
+
+import java.util.HashMap;
+import org.junit.jupiter.api.BeforeAll;
+import org.junit.jupiter.api.Disabled;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.EmptySource;
+import org.junit.jupiter.params.provider.NullSource;
+import org.mockito.quality.Strictness;
+import org.parosproxy.paros.Constant;
+import org.parosproxy.paros.core.scanner.Alert;
+import org.zaproxy.addon.llm.communication.Confidence;
+import org.zaproxy.zap.testutils.TestUtils;
+import org.zaproxy.zap.utils.I18N;
+
+/** Unit test for {@link LlmCommunicationServiceUnitTest}. */
+class LlmCommunicationServiceUnitTest extends TestUtils {
+
+    @BeforeAll
+    static void beforeAll() {
+        Constant.messages = mock(I18N.class);
+    }
+
+    @Disabled
+    @ParameterizedTest
+    @NullSource
+    @EmptySource
+    void shouldUseTwoParamReviewMethodWhenNoOtherInfo(String otherInfo) {
+        // Given
+        LlmAssistant assistant =
+                mock(LlmAssistant.class, withSettings().strictness(Strictness.LENIENT));
+        LlmCommunicationService service = new LlmCommunicationService();
+        service.setAssistant(assistant);
+        Alert alert = new Alert(-1);
+        alert.setDescription("desc");
+        alert.setEvidence("evidence");
+        alert.setConfidence(Alert.CONFIDENCE_MEDIUM);
+        alert.setOtherInfo(otherInfo);
+        alert.setTags(new HashMap<String, String>());
+        given(assistant.review(anyString(), anyString()))
+                .willReturn(new Confidence(Alert.CONFIDENCE_MEDIUM, "explanation"));
+        given(assistant.review(anyString(), anyString(), anyString()))
+                .willReturn(new Confidence(Alert.CONFIDENCE_MEDIUM, "explanation"));
+
+        // When
+        service.reviewAlert(alert);
+        // Then
+        verify(assistant).review(anyString(), anyString());
+        verify(assistant, never()).review(anyString(), anyString(), anyString());
+    }
+
+    @Disabled
+    @Test
+    void shouldUseThreeParamReviewMethodWhenNoOtherInfo() {
+        // Given
+        LlmAssistant assistant =
+                mock(LlmAssistant.class, withSettings().strictness(Strictness.LENIENT));
+        LlmCommunicationService service = new LlmCommunicationService();
+        service.setAssistant(assistant);
+        Alert alert = new Alert(-1);
+        alert.setDescription("desc");
+        alert.setEvidence("evidence");
+        alert.setConfidence(Alert.CONFIDENCE_MEDIUM);
+        alert.setOtherInfo("other info");
+        alert.setTags(new HashMap<String, String>());
+        given(assistant.review(anyString(), anyString()))
+                .willReturn(new Confidence(Alert.CONFIDENCE_MEDIUM, "explanation"));
+        given(assistant.review(anyString(), anyString(), anyString()))
+                .willReturn(new Confidence(Alert.CONFIDENCE_MEDIUM, "explanation"));
+
+        // When
+        service.reviewAlert(alert);
+        // Then
+        verify(assistant).review(anyString(), anyString(), anyString());
+        verify(assistant, never()).review(anyString(), anyString());
+    }
+}