9.9.0 fixes

DenisPodgurskii · DenisPodgurskii · commit 21363bdd1118 · 2026-04-08T19:28:48.000+01:00
diff --git a/src/ptk/background/dast/dastEngine.js b/src/ptk/background/dast/dastEngine.js
@@ -2309,6 +2309,7 @@ export class dastEngine {
             id: attack.id || null,
             findingId: attack.findingId || null,
             success: !!attack.success,
+            confidence: Number.isFinite(Number(attack.confidence)) ? Number(attack.confidence) : null,
             proof: attack.proof || null,
             payload: attack.payload || null,
             param: attack.param || null,
@@ -2615,6 +2616,9 @@ export class dastEngine {
             presentationAggregate: reconMeta?.presentation?.aggregate || classification.presentationAggregate || null,
             uiSurface: reconMeta.uiSurface || classification.uiSurface || null
         }
+        const persistedConfidenceDetails = attackResult?.success
+            ? this._resolveAttackConfidenceDetails(attackResult, classification)
+            : null
         if (requestData) attackMeta.request = requestData
         if (responseData) attackMeta.response = responseData
         const followupRequestData = this._compactRequestForStorage(attackResult?.renderFollowup?.request, {
@@ -2635,6 +2639,9 @@ export class dastEngine {
         }
         if (Number.isFinite(attackResult?.confidence)) attackMeta.confidence = attackResult.confidence
         if (Number.isFinite(attackResult?.metadata?.confidence)) attackMeta.confidence = attackResult.metadata.confidence
+        if (!Number.isFinite(attackMeta.confidence) && Number.isFinite(persistedConfidenceDetails?.confidence)) {
+            attackMeta.confidence = persistedConfidenceDetails.confidence
+        }
         if (actionToken) {
             attackMeta.actionToken = actionToken
         }
@@ -7781,6 +7788,8 @@ export class dastEngine {
         if (String(classification.outputKind || '').toLowerCase() !== 'recon') {
             return
         }
+        const confidenceDetails = this._resolveAttackConfidenceDetails(attack, classification)
+        const confidence = Number.isFinite(confidenceDetails?.confidence) ? confidenceDetails.confidence : null
         const ptkMeta = this._resolveAttackPtkMeta(attack)
         const reqSchema = attack.request && attack.request.request ? attack.request.request : attack.request
         const originalReq = requestRecord?.original?.request || requestRecord?.original || {}
@@ -7826,6 +7835,7 @@ export class dastEngine {
             ruleName: classification.ruleName,
             category: classification.category || 'recon',
             severity: classification.severity || null,
+            confidence,
             outputKind: "recon",
             reconKind: ptkMeta.reconKind || classification.reconKind || null,
             presentationAggregate: ptkMeta?.presentation?.aggregate || classification.presentationAggregate || null,
@@ -7846,7 +7856,8 @@ export class dastEngine {
                     resolverKey,
                     param: location.param || null,
                     payload: payloadValue || null,
-                    proof: attack?.proof || null
+                    proof: attack?.proof || null,
+                    confidenceSignals: Array.isArray(confidenceDetails?.signals) ? confidenceDetails.signals : []
                 }
             }
         })
diff --git a/src/ptk/background/dast/modules/modules.json b/src/ptk/background/dast/modules/modules.json
@@ -11305,7 +11305,13 @@
             "constants": {
               "regex": "/(admin|administrator|manage|management|console|cpanel|superadmin)(/|\\b)"
             },
-            "extensions": {}
+            "extensions": {
+              "ptk": {
+                "presentation": {
+                  "aggregate": "scan"
+                }
+              }
+            }
           }
         },
         {
diff --git a/src/ptk/background/dast/services/dastResultProjector.js b/src/ptk/background/dast/services/dastResultProjector.js
@@ -148,6 +148,7 @@ export class DastResultProjector {
             success: !!attack.success
         }
         const scalarKeys = [
+            "confidence",
             "proof",
             "param",
             "name",
diff --git a/src/ptk/browser/assets/js/dast.js b/src/ptk/browser/assets/js/dast.js
@@ -4330,9 +4330,27 @@ function ensureGroupedReconObservation(map, attack, original, requestId) {
     return map.get(key)
 }
 
+function scoreGroupedReconSampleAttack(attack = null) {
+    if (!attack || typeof attack !== 'object') return 0
+    let score = 0
+    if (attack.findingId || attack?.finding?.id) score += 8
+    if (Number.isFinite(Number(attack?.confidence)) || Number.isFinite(Number(attack?.finding?.confidence)) || Number.isFinite(Number(attack?.metadata?.confidence))) score += 4
+    if (attack?.finding?.presentationAggregate || attack?.presentationAggregate) score += 2
+    if (Array.isArray(attack?.finding?.evidence?.dast?.samples) && attack.finding.evidence.dast.samples.length) score += 3
+    if (attack?.finding?.description || attack?.description || attack?.metadata?.description || attack?.metadata?.docs?.description) score += 1
+    if (attack?.finding?.links || attack?.links || attack?.metadata?.links || attack?.metadata?.docs?.links) score += 1
+    return score
+}
+
+function selectPreferredGroupedReconSampleAttack(current = null, incoming = null) {
+    return scoreGroupedReconSampleAttack(incoming) >= scoreGroupedReconSampleAttack(current) ? incoming : current
+}
+
 function collectGroupedReconObservation(map, attack, original, requestId) {
     const entry = ensureGroupedReconObservation(map, attack, original, requestId)
     if (!entry) return
+    entry.sampleAttack = selectPreferredGroupedReconSampleAttack(entry.sampleAttack, attack)
+    entry.sampleRequest = entry.sampleAttack?.request || attack?.request || original?.request || original || entry.sampleRequest
     const request = attack?.request || original?.request || original || {}
     const method = String(request?.method || '').trim().toUpperCase() || 'GET'
     const path = normalizeObservationRoutePath(request?.url || request?.ui_url || request?.target || '')
@@ -4360,8 +4378,8 @@ function renderGroupedReconRoutes(entry) {
             </div>
         `
     }
-    const previewRoutes = routes.slice(0, 6)
-    const remainingRoutes = routes.slice(6)
+    const previewRoutes = routes.slice(0, 3)
+    const remainingRoutes = routes.slice(3)
     const renderRouteItem = (route) => {
         const label = `${route.method} ${route.path}`
         if (route.url) {
@@ -4370,19 +4388,18 @@ function renderGroupedReconRoutes(entry) {
         return `<li>${ptk_utils.escapeHtml(label)}</li>`
     }
     const preview = previewRoutes.map(renderRouteItem).join('')
-    const remaining = remainingRoutes.length
     const allRoutes = remainingRoutes.map(renderRouteItem).join('')
     const toggleKey = ptk_utils.escapeHtml(String(entry?.key || ''))
     return `
         <div class="description">
-            <p>Affected routes: <b>${routes.length}</b>${entry.rawCount > routes.length ? `</p><p>Matched requests: <b>${entry.rawCount}</b>` : ''}</p>
+            <p>Affected routes: <b>${routes.length}</b>${entry.rawCount > routes.length ? ` | Matched responses: <b>${entry.rawCount}</b>` : ''}</p>
             <ul style="margin: 6px 0 0 16px;">${preview}</ul>
-            ${remaining > 0 ? `
+            ${remainingRoutes.length > 0 ? `
                 <div class="grouped_recon_routes_all" data-grouped-routes-key="${toggleKey}" style="display:none;">
                     <ul style="margin: 6px 0 0 16px;">${allRoutes}</ul>
                 </div>
                 <p style="margin-top:6px;">
-                    <a href="#" class="toggle_grouped_recon_routes" data-grouped-routes-key="${toggleKey}" data-expanded="0">Show all routes</a>
+                    <a href="#" class="toggle_grouped_recon_routes" data-grouped-routes-key="${toggleKey}" data-expanded="0">More</a>
                 </p>
             ` : ''}
         </div>
@@ -4420,6 +4437,7 @@ function buildGroupedReconDetailsPayload(entry, resolvedAttack = null) {
 function buildGroupedReconCardHtml(entry) {
     if (!entry?.sampleAttack) return null
     const meta = rutils.getMiscMeta(entry.sampleAttack)
+    const confidence = rutils.resolveConfidence(entry.sampleAttack)
     const severityAttr = meta.severity || ''
     const safeRequestId = entry.requestId === null || entry.requestId === undefined || entry.requestId === ''
         ? '__ptk_grouped_recon__'
@@ -4439,12 +4457,7 @@ function buildGroupedReconCardHtml(entry) {
             data-severity="${ptk_utils.escapeHtml(severityAttr)}"
             data-request-id="${ptk_utils.escapeHtml(safeRequestId)}"
             data-grouped-recon-key="${keyAttr}">
-            <div class="ptk-finding-header">
-                <div class="ptk-finding-header-main">${titleHtml}</div>
-            </div>
-            <div class="description">
-                <p>Grouped posture observation to reduce repeated low-signal route cards.</p>
-            </div>
+            ${rutils.renderFindingHeader(titleHtml, confidence)}
             ${targetUrl ? `<div class="description"><p>Sample URL: <a href="${safeTarget}" target="_blank">${safeTarget}</a></p></div>` : ''}
             ${routesHtml}
             <div class="ui left floated">
@@ -5838,7 +5851,7 @@ jQuery(function () {
         const expanded = String($(this).attr("data-expanded") || "0") === "1"
         $allRoutes.toggle(!expanded)
         $(this).attr("data-expanded", expanded ? "0" : "1")
-        $(this).text(expanded ? "Show all routes" : "Hide routes")
+        $(this).text(expanded ? "More" : "Less")
         return false
     })
 
@@ -6568,7 +6581,9 @@ function bindScanResult(result) {
             const aggregateKey = getPassiveHeadersAggregateFindingKey(enrichedAttack, original)
             if (aggregateKey) {
                 const attrValue = (window.CSS && typeof CSS.escape === 'function') ? CSS.escape(aggregateKey) : escAttrValue(aggregateKey)
-                if ($(`#attacks_info .attack_info[data-aggregate-key="${attrValue}"]`).length) {
+                const $existing = $(`#attacks_info .attack_info[data-aggregate-key="${attrValue}"]`)
+                if ($existing.length) {
+                    $existing.replaceWith(rutils.bindAttack(enrichedAttack, original, attackKey, requestKey))
                     return
                 }
             }
@@ -7142,7 +7157,9 @@ function flushDastQueue() {
             const aggregateKey = getPassiveHeadersAggregateFindingKey(enrichedAttack, original)
             if (aggregateKey) {
                 const attrValue = (window.CSS && typeof CSS.escape === 'function') ? CSS.escape(aggregateKey) : escAttrValue(aggregateKey)
-                if ($(`#attacks_info .attack_info[data-aggregate-key="${attrValue}"]`).length) {
+                const $existing = $(`#attacks_info .attack_info[data-aggregate-key="${attrValue}"]`)
+                if ($existing.length) {
+                    $existing.replaceWith(rutils.bindAttack(enrichedAttack, original, attackId, requestId))
                     return
                 }
             }
diff --git a/src/ptk/browser/assets/js/rutils.js b/src/ptk/browser/assets/js/rutils.js

Original file line number	Diff line number	Diff line change
`@@ -148,6 +148,7 @@ export class DastResultProjector {`
`148`	`148`	`success: !!attack.success`
`149`	`149`	`}`
`150`	`150`	`const scalarKeys = [`
	`151`	`+ "confidence",`
`151`	`152`	`"proof",`
`152`	`153`	`"param",`
`153`	`154`	`"name",`