Introduce a new ZAP report variant/type which supports SARIF
Is your feature request related to a problem? Please describe.
We want to integrate ZAP in our security orchestration tool SecHub but the existing reports do not contain enough data. We would prefer a Sarif based report with data about request + response (body and header) and some more necessary information.
Inside this issue we want to clarify if the community would find this useful inside the existing ZAP extension “reports” and a PR would be embraced, or if there is a need for a custom extension of its own to handle this.
Also the information about the SARIF format structure shall be initially documented here (not all wanted parts are directly available in SARIF, e.g. there is no dedicated field for recommendations - see https://github.com/oasis-tcs/sarif-spec/issues/472 - and must be provided there by so-called “property bags”).
Describe the solution you’d like
A SARIF report containing all necessary information for a developer to understand and reproduce a vulnerability. So a fix of the security bug becomes very easy.
Describe alternatives you’ve considered
- We thought about accessing/storing the session. But this seems to be a database dump and is no option
- We thought about using report “traditional-json” and transfer at our side to SARIF, but the request/response data is completely missing
- We thought about creating a new report variant “tracing-json” and adapting the Thymeleaf parts so HTTP data from Alert will be available inside the report. But there we would still need a transformation at SecHub side and also it’s not clear if the ZAP community would like this. Providing a new report in SARIF format (which seems to become the standard for SAST but also contains fields for web request and response and can be used for DAST as well) could be more helpful/needed.
Additional context
At https://github.com/Daimler/sechub we are just implementing an OWASP ZAP PDS integration (see https://daimler.github.io/sechub/latest/sechub-product-delegation-server.html ).
Our approach is to orchestrate the scan process, make it easy to integrate in CI/CD without much effort, and to help developers to identify, understand and reproduce the security vulnerability easily.
The available report variants (see https://github.com/zaproxy/zap-extensions/tree/main/addOns/reports/src/main/zapHomeFiles/reports ) do not have the fields of the full HTTP data to reproduce on the developer side (request header + body and related response header and body).
IMHO it is very important for a developer to understand and to reproduce the problem, so it is easier to fix. OWASP ZAP has all this information inside its session - but not inside the machine-readable reports.
Would you like to help implementing this feature?
Yes indeed, I will already start with an implementation in our fork and would provide a PR. I think I understood the architectural concept and will add content below https://github.com/zaproxy/zap-extensions/tree/main/addOns/reports/src/main/zapHomeFiles/reports
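As an added illustration (not code from this issue, from SecHub or from the ZAP reports add-on): a Python sketch of the SARIF 2.1.0 layout the issue asks for, with the HTTP request and response carried in SARIF's standard webRequest/webResponse result objects and the solution (which SARIF has no dedicated field for) in a property bag. The alert field names, the risk-to-level mapping and all sample values are constructed assumptions.

```python
import json

# Assumed mapping of ZAP risk names to SARIF result levels (not ZAP's own mapping).
RISK_TO_LEVEL = {"High": "error", "Medium": "warning", "Low": "note", "Informational": "none"}

# Constructed sample alert in a ZAP-like shape (hypothetical field names, made-up values).
SAMPLE_ALERT = {
    "pluginId": 90001, "name": "Missing security header", "risk": "Medium",
    "confidence": "High", "cweId": 693,
    "description": "The response lacks a security header.",
    "solution": "Configure the header on the web server.",
    "method": "GET", "uri": "https://example.test/login",
    "requestHeaders": {"Host": "example.test", "Accept": "text/html"}, "requestBody": "",
    "statusCode": 200, "responseHeaders": {"Content-Type": "text/html"},
    "responseBody": "<html><body>login</body></html>",
}

def alert_to_sarif(alert):
    """Build a SARIF 2.1.0 log from one alert. Request and response go into the
    standard webRequest/webResponse result objects; data SARIF has no dedicated
    field for (solution, confidence) goes into property bags."""
    rule_id = str(alert["pluginId"])
    rule = {
        "id": rule_id, "name": alert["name"],
        "fullDescription": {"text": alert["description"]},
        # No SARIF "recommendation" field exists: carry the solution in the rule's property bag.
        "properties": {"solution": alert["solution"], "cweId": alert["cweId"]},
    }
    result = {
        "ruleId": rule_id, "level": RISK_TO_LEVEL[alert["risk"]],
        "message": {"text": alert["name"]},
        "locations": [{"physicalLocation": {"artifactLocation": {"uri": alert["uri"]}}}],
        "webRequest": {"protocol": "http", "version": "1.1", "method": alert["method"],
                       "target": alert["uri"], "headers": alert["requestHeaders"],
                       "body": {"text": alert["requestBody"]}},
        "webResponse": {"protocol": "http", "version": "1.1", "statusCode": alert["statusCode"],
                        "headers": alert["responseHeaders"],
                        "body": {"text": alert["responseBody"]}},
        "properties": {"confidence": alert["confidence"]},
    }
    return {"$schema": "https://json.schemastore.org/sarif-2.1.0.json", "version": "2.1.0",
            "runs": [{"tool": {"driver": {"name": "OWASP ZAP", "rules": [rule]}},
                      "results": [result]}]}

def reproduction_data(sarif):
    """Read back from a SARIF log (dict or JSON text) what a developer needs to replay the finding."""
    if isinstance(sarif, str):
        sarif = json.loads(sarif)
    res = sarif["runs"][0]["results"][0]
    req, resp = res["webRequest"], res["webResponse"]
    return req["method"], req["target"], req["headers"], resp["statusCode"], resp["body"]["text"]
```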
Issue Analytics
- Created 2 years ago
- Reactions: 7
- Comments: 15 (5 by maintainers)
Top GitHub Comments
A pleasure! We’re releasing the reports add-on right now, will post to the user group / twitter / mastodon once it’s available 😁
Hiya @de-jcup - I’m all for this, and would love to see a Sarif based report template in the Reports add-on. Go for it 😄 And let us know if you need any help or advice…