Could someone please suggest why the Risk data is blank for many alerts in the OWASP ZAP alert details available at the following official ZAP site:
https://www.zaproxy.org/docs/alerts/
For example:

Id       Alert                                                      Risk
10011    Cookie Without Secure Flag                                 Low
10009    In Page Banner Information Leak
10015    Incomplete or No Cache-control and Pragma HTTP Header Set
10017    Cross-Domain JavaScript Source File Inclusion
10019    Content-Type Header Missing
10020    X-Frame-Options Header
10020-1  X-Frame-Options Header Not Set                             Medium

How should risk or severity be defined in such cases? Should it be based on whether the risk is applicable to a specific web application?
Also, for some alerts in the ZAP reports, Risk is populated as, for example, Low(Medium). Should it be considered Low or Medium?