Merge branch 'release-2.6.0'

.classpath

@@ -2,7 +2,6 @@
 <classpath>
 	<classpathentry kind="src" path="src"/>
 	<classpathentry kind="src" path="test"/>
-	<classpathentry kind="lib" path="lib/ant.jar"/>
 	<classpathentry kind="lib" path="lib/orange-extensions-1.3.0.jar"/>
 	<classpathentry kind="lib" path="lib/bcmail-jdk15on-152.jar"/>
 	<classpathentry kind="lib" path="lib/bcprov-jdk15on-152.jar"/>
@@ -13,6 +12,7 @@
 	<classpathentry kind="lib" path="lib/commons-configuration-1.9.jar"/>
 	<classpathentry kind="lib" path="lib/commons-csv-1.1.jar"/>
 	<classpathentry kind="lib" path="lib/commons-httpclient-3.1.jar"/>
+	<classpathentry kind="lib" path="lib/commons-io-2.4.jar"/>
 	<classpathentry kind="lib" path="lib/commons-jxpath-1.3.jar"/>
 	<classpathentry kind="lib" path="lib/commons-lang-2.6.jar"/>
 	<classpathentry kind="lib" path="lib/commons-logging-api-1.1.1.jar"/>
@@ -21,8 +21,7 @@
 	<classpathentry kind="lib" path="lib/harlib-jackson-1.1.2.jar"/>
 	<classpathentry kind="lib" path="lib/hsqldb.jar"/>
 	<classpathentry kind="lib" path="lib/java-semver-0.8.0.jar"/>
-	<classpathentry kind="lib" path="lib/JBroFuzz.jar"/>
-	<classpathentry kind="lib" path="lib/JBroFuzzEncoder.jar"/>
+	<classpathentry kind="lib" path="lib/jcommon-1.0.23.jar"/>
 	<classpathentry kind="lib" path="lib/jdom.jar"/>
 	<classpathentry kind="lib" path="lib/jericho-html-3.1.jar"/>
 	<classpathentry kind="lib" path="lib/jfreechart-1.0.13.jar"/>
@@ -48,5 +47,6 @@
 	<classpathentry kind="lib" path="lib/commons-codec-1.9.jar"/>
 	<classpathentry kind="lib" path="lib/commons-logging-1.2.jar"/>
 	<classpathentry kind="lib" path="lib/httpcore-4.4.1.jar"/>
+	<classpathentry kind="lib" path="lib/ice4j-1.0.jar"/>
 	<classpathentry kind="output" path="bin"/>
 </classpath>

.gitignore

@@ -9,4 +9,7 @@ out/
 /build/buildtest/
 /build/dist/
 /build/results/
-/bin/
+/bin/
+
+# Node
+node_modules/

CONTRIBUTING.md

@@ -72,3 +72,27 @@ Add-ons are a great way to extend ZAP and can be ideal for student projects - ma
 The ZAP 'core' underpins all of the other ZAP features, and so ensuring it is as robust as possible is very important.
 
 Fixing [issues](https://github.com/zaproxy/zaproxy/issues) is very valuable (ones flagged as [IdealFirstBug](https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug) are good ones to start on) and there are always many core improvements we want to make.
+
+#### Guidelines for Pull Request (PR) submission and processing:
+
+##### What should you, the author of a pull request, expect from us (ZAP Team)?
+* How much time (maximum) until the first feedback? 1 week.
+* And following iterations? 1 week.
+* This is a guideline we should normally be able to hit. If it’s been more than a week and you haven’t heard then please feel free to add a comment to your PR and @ mention the team (@zaproxy/team-zaproxy).
+
+##### What we (ZAP Team), expect from you?
+* "Atomic commits" (logical changes to be in a single commit). Please don’t group disjointed changes into a single commit/PR.
+* Descriptive commits (subject and message):
+ * For example: https://github.com/spring-projects/spring-framework/blob/master/CONTRIBUTING.md#format-commit-messages
+* Discussion about the changes:
+ * Should be done in/on the PR or via the Dev Group and a link to that Dev Group thread added to the PR comments. (i.e.: Shared information is important, if something happens via IRC or private email please ensure a summary makes it to the PR.)
+ * Discussion will be kept in the pull request unless off topic.
+* No merge commits. Please, rebase.
+* Rebase if the branch has conflicts.
+* How much time will a pull request be left open?
+ * This isn’t static, one or more members of the ZAP Team will reach out (using @ mentions in PR comments) once or twice in order to get things back on track. If no input is received after a month or two then the PR will be closed. Total stale time will likely be 2 to 3 months.
+  * Close with a message such as: "The pull request was closed because of lack of activity (as per CONTRIBUTING guidelines)". Labeled as "Stale".
+  * If the contribution is deemed important or still valuable the code may be:
+   * Manually merged (if possible).
+   * Retrieved by another member of the team, fixed up and resubmitted. In which case the commit message (PR message) should contain a reference to the original submission.
+

LEGALNOTICE.md

@@ -0,0 +1,72 @@
+COPYRIGHT
+---------
+
+OWASP Zed Attack Proxy (ZAP)
+
+The software package is:
+
+    Copyright © 2010-2016 ZAP Development Team
+
+Individual contributions, components, and libraries are copyright of their
+respective authors.
+
+SOFTWARE LICENSE
+----------------
+
+The open source software license of OWASP Zed Attack Proxy is Apache 2.0.
+A copy of the Apache 2.0 license has been included in this software package
+in ApacheLicense-2.0.txt.
+
+THIRD-PARTY SOFTWARE LICENSES
+-----------------------------
+
+ZAP is a fork of Paros Proxy 3.2.13 developed by Chinotech Technologies Company
+and licensed under the Clarified Artistic License.
+
+In October 2014, imported files licensed under the GPL were relicensed with
+permission from the authors under Apache 2.0.
+
+The following components/libraries are distributed in this package,
+and subject to their respective licenses.
+
+| Library                       | License                   |
+|-------------------------------|---------------------------|
+| bcmail-jdk15on-152.jar        | MIT                       |
+| bcpkix-jdk15on-152.jar        | MIT                       |
+| bcprox-jdk15on-152.jar        | MIT                       |
+| BrowserLauncher2-1_3.jar      | LGPL                      |
+| - WrapLog                     | BSD-3 clause              |
+| - Regor                       | GPL / LGPL dual license   |
+| commons-beanutils-1.8.3.jar   | Apache 2.0                |
+| commons-codec-1.9.jar         | Apache 2.0                |
+| commons-collections-3.2.2.jar | Apache 2.0                |
+| commons-configuration-1.9.jar | Apache 2.0                |
+| commons-csv-1.1.jar           | Apache 2.0                |
+| commons-httpclient-3.1.jar    | Apache 2.0                |
+| commons-io-2.4.jar            | Apache 2.0                |
+| commons-jxpath-1.3.jar        | Apache 2.0                |
+| commons-lang-2.6.jar          | Apache 2.0                |
+| commons-logging-1.2.jar       | Apache 2.0                |
+| commons-logging-api-1.1.1.jar | Apache 2.0                |
+| diffutils-1.2.1.jar           | Apache 2.0                |
+| ezmorph-1.0.6.jar             | Apache 2.0                |
+| harlib-jackson-1.1.2.jar      | Apache 2.0                |
+| hsqldb.jar                    | BSD                       |
+| httpclient-4.5.jar            | Apache 2.0                |
+| httpcore-4.4.1.jar            | Apache 2.0                |
+| ice4j-1.0.jar                 | Apache 2.0                |
+| java-semver-0.8.0.jar         | MIT                       |
+| jcommon-1.0.23.jar            | LGPL                      |
+| jdom.jar                      | BSD                       |
+| jericho-html-3.1.jar          | EPL / LGPL dual license   |
+| jfreechart-1.0.13.jar         | LGPL                      |
+| jfxrt.jar                     | Oracle Binary Code        |
+| jgrapht-core-0.9.0.jar        | LGPL 2.1                  |
+| jh.jar                        | GPL + classpath exception |
+| json-lib-2.4-jdk15.jar        | MIT + "Good, Not Evil"    |
+| log4j-1.2.17.jar              | Apache 2.0                |
+| rsyntaxtextarea-2.5.8.jar     | BSD-3 clause              |
+| sqlite-jdbc-3.8.11.jar        | BSD-2 clause              |
+| - NestedVM                    | Apache 2.0                |
+| swingx-all-1.6.4.jar          | LGPL 2.1                  |
+| xom-1.2.10.jar                | LGPL                      |

README.md

@@ -5,49 +5,59 @@
 [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/24/badge)](https://bestpractices.coreinfrastructure.org/projects/24)
 [![Coverity Scan Build Status](https://scan.coverity.com/projects/5559/badge.svg)](https://scan.coverity.com/projects/zaproxy-zaproxy)
 [![Github Releases](https://img.shields.io/github/downloads/zaproxy/zaproxy/latest/total.svg?maxAge=2592000)](https://zapbot.github.io/zap-mgmt-scripts/downloads.html)
+[![OWASP Flagship](https://img.shields.io/badge/owasp-flagship-brightgreen.svg)](https://www.owasp.org/index.php/OWASP_Project_Inventory#tab=Flagship_Projects)
+[![ToolsWatch Rank 1](https://www.toolswatch.org/badges/toptools/rank1_2015.svg)](http://www.toolswatch.org/2016/02/2015-top-security-tools-as-voted-by-toolswatch-org-readers/)
 [![Twitter Follow](https://img.shields.io/twitter/follow/zaproxy.svg?style=social&label=Follow&maxAge=2592000)](https://twitter.com/zaproxy)
 
 The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers[*](#justification). It can help you automatically find security vulnerabilities in your web applications while you are developing and testing your applications. Its also a great tool for experienced pentesters to use for manual security testing.
 
 
 [![](https://raw.githubusercontent.com/wiki/zaproxy/zaproxy/images/ZAP-Download.png)](https://github.com/zaproxy/zaproxy/wiki/Downloads)
 
-####Please help us to make ZAP even better for you by answering the [ZAP User Questionnaire](https://docs.google.com/forms/d/1-k-vcj_sSxlil6XLxCFade-m-IQVeE2h9gduA-2ZPPA/viewform)!
+#### Please help us to make ZAP even better for you by answering the [ZAP User Questionnaire](https://docs.google.com/forms/d/1-k-vcj_sSxlil6XLxCFade-m-IQVeE2h9gduA-2ZPPA/viewform)!
 
 For general information about ZAP:
   * [Home page](https://www.owasp.org/index.php/ZAP) - the official ZAP page on the OWASP wiki (includes a donate button;)
   * [Twitter](https://twitter.com/zaproxy)	- official ZAP announcements (low volume)
-  * [Blog](http://zaproxy.blogspot.co.uk/)	- official ZAP blog
+  * [Blog](https://zaproxy.blogspot.com/)	- official ZAP blog
   * [Monthly Newsletters](https://github.com/zaproxy/zaproxy/wiki/Newsletters) - ZAP news, tutorials, 3rd party tools and featured contributors
   * [Swag!](https://github.com/zaproxy/zap-swag) - official ZAP swag that you can buy, as well as all of the original artwork released under the CC License
 
 For help using ZAP:
-  * [Getting Started Guide (pdf)](https://github.com/zaproxy/zaproxy/releases/download/2.4.0/ZAPGettingStartedGuide-2.4.pdf) - an introductory guide you can print
+  * [Getting Started Guide (pdf)](https://github.com/zaproxy/zaproxy/releases/download/2.5.0/ZAPGettingStartedGuide-2.5.pdf) - an introductory guide you can print
   * [Tutorial Videos](https://www.youtube.com/playlist?list=PLEBitBW-Hlsv8cEIUntAO8st2UGhmrjUB)
   * [Frequently Asked Questions](https://github.com/zaproxy/zaproxy/wiki/FAQtoplevel)
   * [User Guide](https://github.com/zaproxy/zap-core-help/wiki) - online version of the User Guide included with ZAP
-  * [User Group](http://groups.google.com/group/zaproxy-users) - ask questions about using ZAP
+  * [User Group](https://groups.google.com/group/zaproxy-users) - ask questions about using ZAP
   * IRC: irc.mozilla.org #websectools (eg [using Mibbit](http://chat.mibbit.com/?server=irc.mozilla.org%3A%2B6697&channel=%23websectools)) - chat with core ZAP developers (European office hours usually best)
   * [Add-ons](https://github.com/zaproxy/zap-extensions/wiki) - help for the optional add-ons you can install
   * [StackOverflow](https://stackoverflow.com/questions/tagged/zap) - because some people use this for everything ;)
 
+Information about the official ZAP Jenkins plugin:
+  * [Wiki](https://wiki.jenkins-ci.org/display/JENKINS/zap+plugin)
+  * [Group](https://groups.google.com/forum/#%21forum/zaproxy-jenkins)
+  * [Issue tracker](https://issues.jenkins-ci.org/issues/?jql=project%20%3D%20JENKINS%20AND%20component%20%3D%20zap-plugin)
+  * [Source code](https://github.com/jenkinsci/zap-plugin)
+
 To learn more about ZAP development:
   * [Source Code](https://github.com/zaproxy) - for all of the ZAP related projects
   * [Wiki](https://github.com/zaproxy/zaproxy/wiki/Introduction) - lots of detailed info
-  * [Developer Group](http://groups.google.com/group/zaproxy-develop) - ask questions about the ZAP internals
+  * [Developer Group](https://groups.google.com/group/zaproxy-develop) - ask questions about the ZAP internals
   * [Crowdin (GUI)](https://crowdin.com/project/owasp-zap) - help translate the ZAP GUI
   * [Crowdin (User Guide)](https://crowdin.com/project/owasp-zap-help) - help translate the ZAP User Guide
   * [OpenHub](https://www.openhub.net/p/zaproxy)	- FOSS analytics
   * [BountySource](https://www.bountysource.com/teams/zap/issues)	- Vote on ZAP issues (you can also donate money here, but 10% taken out)
+  * [Bug Bounty Program](https://bugcrowd.com/owaspzap) - please use this to report any potential vulnerabilities you find in ZAP
 
 #### Justification
 Justification for the statements made in the tagline at the top;)
 
 Popularity:
-  * ToolsWatch Annual Best Free/Open Source Security Tool Survey: 
-   * 2015 [1st](http://www.toolswatch.org/2016/02/2015-top-security-tools-as-voted-by-toolswatch-org-readers/)
-   * 2014 [2nd](http://www.toolswatch.org/2015/01/2014-top-security-tools-as-voted-by-toolswatch-org-readers/)
-   * 2013 [1st] (http://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/)
+  * ToolsWatch Annual Best Free/Open Source Security Tool Survey:
+    * 2016 [2nd](http://www.toolswatch.org/2017/02/2016-top-security-tools-as-voted-by-toolswatch-org-readers/)
+    * 2015 [1st](http://www.toolswatch.org/2016/02/2015-top-security-tools-as-voted-by-toolswatch-org-readers/)
+    * 2014 [2nd](http://www.toolswatch.org/2015/01/2014-top-security-tools-as-voted-by-toolswatch-org-readers/)
+    * 2013 [1st](http://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/)
 
 Contributors:
   * [Code Contributors](https://www.openhub.net/p/zaproxy)