
Missing Payload and Endpoint Data in OWASP ZAP Scan Import #11703

Open
Rikozi opened this issue Jan 31, 2025 · 1 comment
Rikozi commented Jan 31, 2025

Bug description
After uploading the OWASP ZAP simple output file from the DefectDojo sample-scan-files, the exploit payload used by OWASP ZAP and the infected URL are missing on the DefectDojo dashboard. These details do not appear in the findings, making it difficult to identify the specific vulnerabilities and the affected endpoints.

Steps to reproduce
Steps to reproduce the behavior:

  1. Go to Engagements and click Import Scan Results.
  2. Upload the OWASP ZAP simple output file (from sample-scan-files).
  3. Complete the form and confirm the import.
  4. Navigate to Findings for the engagement.
  5. Observe that while findings are generated, the exploit payload and specific infected URL are missing.

Expected behavior
DefectDojo should display:

  1. The exploit payload used by OWASP ZAP to identify the vulnerability.
  2. The exact URL or endpoint that is vulnerable.

Screenshots
[two screenshots attached to the issue, not reproduced here]

@Rikozi Rikozi added the bug label Jan 31, 2025
valentijnscholten (Member) commented

It could be that the sample files are outdated. I notice that the test reports used for the unit tests are using a different format: https://github.com/DefectDojo/django-DefectDojo/blob/bugfix/unittests/scans/zap/zap-xml-plus-format.xml.

Could you test/verify with a real ZAP report?
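Before concluding that the importer drops the payload and endpoint, it helps to check whether the report file itself carries them: ZAP's XML report puts the per-hit `<uri>`, `<method>`, `<param>`, `<attack>` and `<evidence>` inside an `<instances>` list under each `<alertitem>`, and a sample file that predates that layout has nothing for a parser to pick up. The script below is an added example, not DefectDojo or ZAP code. The report embedded in it is constructed by hand to mimic the ZAP XML layout; the second alert is deliberately written with `<uri>`/`<param>`/`<attack>` directly under `<alertitem>` to exercise a fallback for older reports, and that older layout is an assumption. Run it with a file path to summarize a real report.

```python
"""Check what endpoint/payload data a ZAP XML report actually contains.

Added example, not DefectDojo or ZAP code. SAMPLE_REPORT is a hand-built
report in ZAP's XML layout (alertitem -> instances -> instance). The second
alert is written in an assumed older layout (uri/param/attack directly under
alertitem) only to exercise the fallback path.
"""
import sys
import xml.etree.ElementTree as ET  # for reports you did not generate yourself, prefer defusedxml

SAMPLE_REPORT = """<?xml version="1.0"?>
<OWASPZAPReport version="2.14.0" generated="Fri, 31 Jan 2025 10:00:00">
  <site name="https://target.example" host="target.example" port="443" ssl="true">
    <alerts>
      <alertitem>
        <pluginid>40012</pluginid>
        <alert>Cross Site Scripting (Reflected)</alert>
        <name>Cross Site Scripting (Reflected)</name>
        <riskcode>3</riskcode>
        <confidence>2</confidence>
        <riskdesc>High (Medium)</riskdesc>
        <instances>
          <instance>
            <uri>https://target.example/search?q=test</uri>
            <method>GET</method>
            <param>q</param>
            <attack>&lt;script&gt;alert(1);&lt;/script&gt;</attack>
            <evidence>&lt;script&gt;alert(1);&lt;/script&gt;</evidence>
          </instance>
          <instance>
            <uri>https://target.example/profile</uri>
            <method>POST</method>
            <param>name</param>
            <attack>&quot;&gt;&lt;svg onload=alert(1)&gt;</attack>
            <evidence>&quot;&gt;&lt;svg onload=alert(1)&gt;</evidence>
          </instance>
        </instances>
        <count>2</count>
        <cweid>79</cweid>
      </alertitem>
      <alertitem>
        <pluginid>10021</pluginid>
        <alert>X-Content-Type-Options Header Missing</alert>
        <name>X-Content-Type-Options Header Missing</name>
        <riskcode>1</riskcode>
        <confidence>2</confidence>
        <riskdesc>Low (Medium)</riskdesc>
        <uri>https://target.example/</uri>
        <param>X-Content-Type-Options</param>
        <attack></attack>
        <count>1</count>
        <cweid>693</cweid>
      </alertitem>
    </alerts>
  </site>
</OWASPZAPReport>
"""


def _text(node, tag):
    """Return the stripped text of a direct child element, or '' if absent/empty."""
    child = node.find(tag)
    return (child.text or "").strip() if child is not None else ""


def extract_instances(report_xml):
    """Flatten every alert hit into one dict carrying name, URI, method, param, attack, evidence."""
    root = ET.fromstring(report_xml)
    findings = []
    for alert in root.iter("alertitem"):
        base = {
            "name": _text(alert, "name") or _text(alert, "alert"),
            "pluginid": _text(alert, "pluginid"),
            "riskcode": _text(alert, "riskcode"),
            "cweid": _text(alert, "cweid"),
        }
        instances = alert.findall("instances/instance")
        if not instances:
            # Assumed older layout: uri/param/attack sit directly under alertitem.
            instances = [alert]
        for inst in instances:
            findings.append({
                **base,
                "uri": _text(inst, "uri"),
                "method": _text(inst, "method"),
                "param": _text(inst, "param"),
                "attack": _text(inst, "attack"),
                "evidence": _text(inst, "evidence"),
            })
    return findings


def summarize_layout(report_xml):
    """Count alerts that carry an <instances> list versus those that do not."""
    root = ET.fromstring(report_xml)
    with_inst = sum(1 for a in root.iter("alertitem") if a.find("instances/instance") is not None)
    total = sum(1 for _ in root.iter("alertitem"))
    return {"with_instances": with_inst, "without_instances": total - with_inst}


def missing_endpoint_data(findings):
    """Return the hits that have no URI at all; these can never show an endpoint in an importer."""
    return [f for f in findings if not f["uri"]]


if __name__ == "__main__":
    xml_text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_REPORT
    print(summarize_layout(xml_text))
    for f in extract_instances(xml_text):
        print(f"{f['riskcode']} {f['name']}: {f['method']} {f['uri']} param={f['param']!r} attack={f['attack']!r}")
```

If `summarize_layout` reports zero alerts with instances and every hit lands in `missing_endpoint_data`, the report simply does not contain the data, and no importer change will surface it; if the data is there but absent after import, the parser is the right place to look.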
