mcp: First version of server

Signed-off-by: Simon Bennetts <psiinon@gmail.com>

Author: psiinon

addOns/automation/CHANGELOG.md

@@ -4,6 +4,9 @@ All notable changes to this add-on will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ## Unreleased
+### Added
+- Access to the progress of long running jobs
+
 ### Changed
 - Move the Automation panel to the workspace window.
 - Use the main output panel for plan output messages.

addOns/automation/src/main/java/org/zaproxy/addon/automation/ExtensionAutomation.java

@@ -38,6 +38,7 @@
 import java.util.Map.Entry;
 import java.util.SortedSet;
 import java.util.TreeSet;
+import java.util.concurrent.ConcurrentHashMap;
 import java.util.function.Predicate;
 import java.util.stream.Collectors;
 import javax.swing.Timer;
@@ -117,6 +118,7 @@ public class ExtensionAutomation extends ExtensionAdaptor implements CommandLine
     private AutomationParam param;
     private LinkedHashMap<Integer, AutomationPlan> plans = new LinkedHashMap<>();
     private List<AutomationPlan> runningPlans = Collections.synchronizedList(new ArrayList<>());
+    private final Map<String, LongRunningJob> longRunningJobs = new ConcurrentHashMap<>();
 
     private CommandLineArgument[] arguments = new CommandLineArgument[5];
     private static final int ARG_AUTO_RUN_IDX = 0;
@@ -185,6 +187,8 @@ public void hook(ExtensionHook extensionHook) {
 
                     @Override
                     public void sessionChanged(Session session) {
+                        longRunningJobs.clear();
+
                         // Work around for core bug - can be removed once the core is fixed and
                         // released
                         String authHeaderValueVar = System.getenv(ZAP_AUTH_HEADER_VALUE);
@@ -398,6 +402,78 @@ public List<AutomationPlan> getRunningPlans() {
         return Collections.unmodifiableList(runningPlans);
     }
 
+    protected void registerLongRunningJob(LongRunningJob job) {
+        // Need to register the job before it is run, so expect the jobId to be null to start with
+        new Thread() {
+            @Override
+            public void run() {
+                while (job.getId() == null) {
+                    try {
+                        sleep(200);
+                    } catch (InterruptedException e) {
+                        // Ignore
+                    }
+                }
+                longRunningJobs.put(job.getId(), job);
+            }
+        }.start();
+    }
+
+    /**
+     * Returns all known IDs of long-running jobs that have been started. Jobs remain tracked after
+     * completion so their status can be queried. The map is cleared when a new ZAP session is
+     * started.
+     *
+     * @return a list of job IDs
+     * @since 0.59.0
+     */
+    public List<String> getLongRunningJobIds() {
+        return new ArrayList<>(longRunningJobs.keySet());
+    }
+
+    /**
+     * Returns the progress for the specified job ID.
+     *
+     * @param id the job id
+     * @return the progress percentage (0-100), or -1 if the job is not found
+     * @since 0.59.0
+     */
+    public int getProgress(String id) {
+        LongRunningJob job = longRunningJobs.get(id);
+        return job != null ? job.getProgress() : -1;
+    }
+
+    /**
+     * Returns the progress of all known long-running jobs.
+     *
+     * @return a map of job ID to progress percentage (0-100)
+     * @since 0.59.0
+     */
+    public Map<String, Integer> getAllProgress() {
+        Map<String, Integer> result = new HashMap<>();
+        for (Entry<String, LongRunningJob> entry : longRunningJobs.entrySet()) {
+            result.put(entry.getKey(), entry.getValue().getProgress());
+        }
+        return result;
+    }
+
+    /**
+     * Stops a long-running job by ID. The job must implement {@link AutomationJob} for stopping to
+     * take effect.
+     *
+     * @param id the job id
+     * @return {@code true} if the job was found and stopped, {@code false} otherwise
+     * @since 0.59.0
+     */
+    public boolean stopLongRunningJob(String id) {
+        LongRunningJob job = longRunningJobs.get(id);
+        if (job instanceof AutomationJob automationJob) {
+            automationJob.stop();
+            return true;
+        }
+        return false;
+    }
+
     public void stopPlan(AutomationPlan plan) {
         plan.stopPlan();
     }
@@ -500,6 +576,9 @@ public AutomationProgress runPlan(AutomationPlan plan, boolean resetProgress) {
                 timer.start();
             }
             try {
+                if (job instanceof LongRunningJob lrJob) {
+                    registerLongRunningJob(lrJob);
+                }
                 job.runJob(env, progress);
             } catch (Exception e) {
                 LOGGER.error(e.getMessage(), e);

addOns/automation/src/main/java/org/zaproxy/addon/automation/LongRunningJob.java

@@ -0,0 +1,42 @@
+/*
+ * Zed Attack Proxy (ZAP) and its related class files.
+ *
+ * ZAP is an HTTP/HTTPS proxy for assessing web application security.
+ *
+ * Copyright 2026 The ZAP Development Team
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.zaproxy.addon.automation;
+
+/**
+ * Marker interface for automation jobs that run for an extended period.
+ *
+ * <p>Jobs implementing this interface provide a unique identifier and progress information.
+ */
+public interface LongRunningJob {
+
+    /**
+     * Returns a unique identifier for this job instance.
+     *
+     * @return the job id, or {@code null} if the job has not yet started and obtained an id
+     */
+    String getId();
+
+    /**
+     * Returns the progress of the job as a percentage (0-100).
+     *
+     * @return the progress percentage
+     */
+    int getProgress();
+}

addOns/automation/src/main/java/org/zaproxy/addon/automation/jobs/ActiveScanJob.java

@@ -41,6 +41,7 @@
 import org.zaproxy.addon.automation.AutomationProgress;
 import org.zaproxy.addon.automation.ContextWrapper;
 import org.zaproxy.addon.automation.JobResultData;
+import org.zaproxy.addon.automation.LongRunningJob;
 import org.zaproxy.addon.automation.gui.ActiveScanJobDialog;
 import org.zaproxy.addon.commonlib.Constants;
 import org.zaproxy.zap.extension.ascan.ActiveScan;
@@ -49,7 +50,7 @@
 import org.zaproxy.zap.model.Target;
 import org.zaproxy.zap.users.User;
 
-public class ActiveScanJob extends AutomationJob {
+public class ActiveScanJob extends AutomationJob implements LongRunningJob {
 
     public static final String JOB_NAME = "activeScan";
     private static final String OPTIONS_METHOD_NAME = "getScannerParam";
@@ -65,6 +66,8 @@ public class ActiveScanJob extends AutomationJob {
     private PolicyDefinition policyDefinition = new PolicyDefinition();
     private Data data;
     private boolean forceStop;
+    private volatile Integer scanId;
+    private volatile ActiveScan currentScan;
 
     public ActiveScanJob() {
         data = new Data(this, this.parameters, this.policyDefinition);
@@ -248,38 +251,43 @@ public void runJob(AutomationEnvironment env, AutomationProgress progress) {
         }
 
         forceStop = false;
-        int scanId = this.getExtAScan().startScan(target, user, contextSpecificObjects.toArray());
-
-        long endTime = Long.MAX_VALUE;
-        if (JobUtils.unBox(this.getParameters().getMaxScanDurationInMins()) > 0) {
-            // The active scan should stop, if it doesnt we will stop it (after a few seconds
-            // leeway)
-            endTime =
-                    System.currentTimeMillis()
-                            + TimeUnit.MINUTES.toMillis(
-                                    this.getParameters().getMaxScanDurationInMins())
-                            + TimeUnit.SECONDS.toMillis(5);
-        }
-
-        // Wait for the active scan to finish
-        ActiveScan scan;
+        scanId = this.getExtAScan().startScan(target, user, contextSpecificObjects.toArray());
+        ActiveScan scan = this.getExtAScan().getScan(scanId);
+        try {
+            currentScan = scan;
+
+            long endTime = Long.MAX_VALUE;
+            if (JobUtils.unBox(this.getParameters().getMaxScanDurationInMins()) > 0) {
+                // The active scan should stop, if it doesnt we will stop it (after a few seconds
+                // leeway)
+                endTime =
+                        System.currentTimeMillis()
+                                + TimeUnit.MINUTES.toMillis(
+                                        this.getParameters().getMaxScanDurationInMins())
+                                + TimeUnit.SECONDS.toMillis(5);
+            }
 
-        while (true) {
-            this.sleep(500);
-            scan = this.getExtAScan().getScan(scanId);
-            if (scan.isStopped() || forceStop) {
-                break;
+            // Wait for the active scan to finish
+            while (true) {
+                this.sleep(500);
+                scan = this.getExtAScan().getScan(scanId);
+                currentScan = scan;
+                if (scan.isStopped() || forceStop) {
+                    break;
+                }
+                if (!this.runMonitorTests(progress) || System.currentTimeMillis() > endTime) {
+                    forceStop = true;
+                    break;
+                }
             }
-            if (!this.runMonitorTests(progress) || System.currentTimeMillis() > endTime) {
-                forceStop = true;
-                break;
+            if (forceStop) {
+                this.getExtAScan().stopScan(scanId);
+                progress.info(Constant.messages.getString("automation.info.jobstopped", getType()));
             }
+            progress.addJobResultData(createJobResultData(scanId));
+        } finally {
+            currentScan = null;
         }
-        if (forceStop) {
-            this.getExtAScan().stopScan(scanId);
-            progress.info(Constant.messages.getString("automation.info.jobstopped", getType()));
-        }
-        progress.addJobResultData(createJobResultData(scanId));
 
         getExtAScan().setPanelSwitch(true);
     }
@@ -289,6 +297,20 @@ public void stop() {
         forceStop = true;
     }
 
+    @Override
+    public String getId() {
+        return scanId != null ? "ascan-" + scanId : null;
+    }
+
+    @Override
+    public int getProgress() {
+        ActiveScan scan = currentScan;
+        if (scan != null) {
+            return scan.getProgress();
+        }
+        return getStatus() == Status.COMPLETED ? 100 : 0;
+    }
+
     @Override
     public List<JobResultData> getJobResultData() {
         ActiveScan lastScan = this.getExtAScan().getLastScan();

addOns/automation/src/test/java/org/zaproxy/addon/automation/jobs/ActiveScanJobUnitTest.java

@@ -75,6 +75,7 @@
 import org.zaproxy.addon.automation.AutomationJob.Order;
 import org.zaproxy.addon.automation.AutomationProgress;
 import org.zaproxy.addon.automation.ContextWrapper;
+import org.zaproxy.addon.automation.ExtensionAutomation;
 import org.zaproxy.zap.extension.ascan.ActiveScan;
 import org.zaproxy.zap.extension.ascan.ExtensionActiveScan;
 import org.zaproxy.zap.extension.ascan.PolicyManager;
@@ -128,6 +129,9 @@ void setUp() throws Exception {
         policyManager = mock();
         given(extAScan.getPolicyManager()).willReturn(policyManager);
 
+        ExtensionAutomation extAutomation = mock(ExtensionAutomation.class);
+        given(extensionLoader.getExtension(ExtensionAutomation.class)).willReturn(extAutomation);
+
         Control.initSingletonForTesting(Model.getSingleton(), extensionLoader);
         Model.getSingleton().getOptionsParam().load(new ZapXmlConfiguration());
     }
@@ -145,6 +149,8 @@ void shouldReturnDefaultFields() {
         assertThat(job.getOrder(), is(equalTo(Order.ATTACK)));
         assertThat(job.getParamMethodObject(), is(extAScan));
         assertThat(job.getParamMethodName(), is("getScannerParam"));
+        assertThat(job.getId(), is(equalTo(null)));
+        assertThat(job.getProgress(), is(equalTo(0)));
     }
 
     @Test

addOns/mcp/CHANGELOG.md

@@ -0,0 +1,8 @@
+# Changelog
+All notable changes to this add-on will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
+
+## Unreleased
+
+- First version with initial resources and tools.

addOns/mcp/gradle.properties

@@ -0,0 +1 @@
+version=0.0.1

addOns/mcp/mcp.gradle.kts

@@ -0,0 +1,41 @@
+description = "An add-on that implements an MCP server in ZAP."
+
+zapAddOn {
+    addOnName.set("MCP Server")
+
+    manifest {
+        author.set("ZAP Dev Team")
+        extensions {
+            register("org.zaproxy.addon.mcp.ExtensionMcp")
+        }
+        dependencies {
+            addOns {
+                register("automation") {
+                    version.set(">=0.31.0")
+                }
+                register("commonlib") {
+                    version.set(">=1.17.0")
+                }
+                register("network") {
+                    version.set(">=0.1.0")
+                }
+            }
+        }
+    }
+}
+
+dependencies {
+    zapAddOn("automation")
+    zapAddOn("commonlib")
+    zapAddOn("network")
+
+    testImplementation(project(":testutils"))
+}
+
+crowdin {
+    configuration {
+        val resourcesPath = "org/zaproxy/addon/${zapAddOn.addOnId.get()}/resources/"
+        tokens.put("%messagesPath%", resourcesPath)
+        tokens.put("%helpPath%", resourcesPath)
+    }
+}