Reduce usage of error level logging in ascan rules

- Add change note.
- Update logging in scan rules.

Signed-off-by: kingthorin <[email protected]>

Author: kingthorin

addOns/ascanrules/CHANGELOG.md

@@ -10,6 +10,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 ### Changed
 - Address potential false positives with the XSLT Injection scan rule when payloads cause a failure which may still contain the expected evidence.
 - Depends on an updated version of the Common Library add-on.
+- Reduced usage of error level logging.
 
 ## [74] - 2025-09-18
 ### Added

addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/BufferOverflowScanRule.java

@@ -156,7 +156,7 @@ public void scan(HttpMessage msg, String param, String value) {
         } catch (URIException e) {
             LOGGER.debug("Failed to send HTTP message, cause: {}", e.getMessage());
         } catch (IOException e) {
-            LOGGER.error(e.getMessage(), e);
+            LOGGER.debug(e.getMessage(), e);
         }
     }
 

addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/CrossSiteScriptingScanRule.java

@@ -21,6 +21,7 @@
 
 import static org.zaproxy.zap.extension.ascanrules.utils.Constants.NULL_BYTE_CHARACTER;
 
+import java.io.IOException;
 import java.net.UnknownHostException;
 import java.util.Arrays;
 import java.util.Collections;
@@ -258,8 +259,8 @@ private List<HtmlContext> performAttack(
             // Not an error, just means we probably attacked the redirect
             // location
             return null;
-        } catch (Exception e) {
-            LOGGER.error(e.getMessage(), e);
+        } catch (IOException e) {
+            LOGGER.debug(e.getMessage(), e);
         }
 
         if (isStop()) {
@@ -996,8 +997,8 @@ public void scan(HttpMessage msg, String param, String value) {
                 attackHeader(msg, param, appendedValue ? value : "");
             }
 
-        } catch (Exception e) {
-            LOGGER.error(e.getMessage(), e);
+        } catch (IOException e) {
+            LOGGER.debug(e.getMessage(), e);
         }
     }
 

addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/FormatStringScanRule.java

@@ -272,7 +272,7 @@ && isPage200(verificationMsg)) {
         } catch (URIException e) {
             LOGGER.debug("Failed to send HTTP message, cause: {}", e.getMessage());
         } catch (IOException e) {
-            LOGGER.error(e.getMessage(), e);
+            LOGGER.debug(e.getMessage(), e);
         }
     }
 

addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/HeartBleedActiveScanRule.java

@@ -1042,9 +1042,9 @@ public void scan() {
                     if (os != null) os.close();
                 }
             }
-        } catch (Exception e) {
+        } catch (IOException e) {
             // needed to catch exceptions from the "finally" statement
-            LOGGER.error("Error scanning a node for HeartBleed: {}", e.getMessage(), e);
+            LOGGER.debug("Error scanning a node for HeartBleed: {}", e.getMessage(), e);
         }
     }
 

addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/HiddenFilesScanRule.java

@@ -409,13 +409,13 @@ private static List<String> getOptionalList(JSONObject jsonObj, String key) {
     private String readPayloadsFile(String path) {
         File f = new File(path);
         if (!f.exists()) {
-            LOGGER.error("No such file: {}", f.getAbsolutePath());
+            LOGGER.warn("No such file: {}", f.getAbsolutePath());
             return "";
         }
         try {
             return new String(Files.readAllBytes(f.toPath()), StandardCharsets.UTF_8);
         } catch (IOException e) {
-            LOGGER.error(
+            LOGGER.warn(
                     "Error on opening/reading {} payload file. Error: {}",
                     getName(),
                     e.getMessage(),

addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/Log4ShellScanRule.java

@@ -156,7 +156,7 @@ public void scan(HttpMessage msg, String param, String value) {
             scanWithPayloads(param, ATTACK_PATTERNS_CVE44228, PREFIX_CVE44228);
             scanWithPayloads(param, ATTACK_PATTERNS_CVE45046, PREFIX_CVE45046);
         } catch (Exception e) {
-            LOGGER.error(e.getMessage(), e);
+            LOGGER.warn(e.getMessage(), e);
         }
     }
 

addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/PersistentXssPrimeScanRule.java

@@ -19,6 +19,7 @@
  */
 package org.zaproxy.zap.extension.ascanrules;
 
+import java.io.IOException;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.Map;
@@ -95,8 +96,8 @@ public void scan(HttpMessage msg, String param, String value) {
             this.setParameter(msg1, param, SourceSinkUtils.getUniqueValue(msg1, param));
             LOGGER.debug("Prime msg={} param={}", msg1.getRequestHeader().getURI(), param);
             sendAndReceive(msg1, false);
-        } catch (Exception e) {
-            LOGGER.error(e.getMessage(), e);
+        } catch (IOException e) {
+            LOGGER.debug(e.getMessage(), e);
         }
     }
 

addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/PersistentXssScanRule.java

@@ -19,6 +19,7 @@
  */
 package org.zaproxy.zap.extension.ascanrules;
 
+import java.io.IOException;
 import java.util.Arrays;
 import java.util.Collections;
 import java.util.HashMap;
@@ -146,8 +147,8 @@ private List<HtmlContext> performAttack(
         setParameter(sourceMsg2, param, attack);
         try {
             sendAndReceive(sourceMsg2);
-        } catch (Exception e) {
-            LOGGER.error(e.getMessage(), e);
+        } catch (IOException e) {
+            LOGGER.debug(e.getMessage(), e);
         }
 
         if (isStop()) {
@@ -157,8 +158,8 @@ private List<HtmlContext> performAttack(
         HttpMessage sinkMsg2 = sinkMsg.cloneRequest();
         try {
             sendAndReceive(sinkMsg2);
-        } catch (Exception e) {
-            LOGGER.error(e.getMessage(), e);
+        } catch (IOException e) {
+            LOGGER.debug(e.getMessage(), e);
         }
 
         if (isStop()) {
@@ -690,8 +691,8 @@ public void scan(HttpMessage sourceMsg, String param, String value) {
                     }
                 }
             }
-        } catch (Exception e) {
-            LOGGER.error(e.getMessage(), e);
+        } catch (IOException e) {
+            LOGGER.debug(e.getMessage(), e);
         }
     }
 

addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/PersistentXssSpiderScanRule.java

@@ -19,6 +19,7 @@
  */
 package org.zaproxy.zap.extension.ascanrules;
 
+import java.io.IOException;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.Map;
@@ -102,8 +103,8 @@ public void scan() {
             sendAndReceive(msg1, false);
             SourceSinkUtils.testForSink(msg1);
 
-        } catch (Exception e) {
-            LOGGER.error(e.getMessage(), e);
+        } catch (IOException e) {
+            LOGGER.debug(e.getMessage(), e);
         }
     }