Releases: Endava/cats
cats-13.8.0
- fix: Fix wildcard path issues not being supported due to early validation
- fix: Fix issue with same parameter names for different operations on the same path
- fix: Accept 405 as a valid response code for RandomResourcesFuzzer
- feat: Add new argument for discriminator casing default
- fix: Fix issue when oneOf/anyOf schemas that also had properties in root parent
- fix: #198 Merge path level params with operation level params
- feat: Add shorthand functions for dynamic values using #(fun) syntax
- feat: Allow global variables in functional fuzzer files
- feat: Allow to have path variables in functional files
- fix: Improve ldap injection detection to have less false positives
- fix: Allow type coercion fuzzers to permit 2xx and 4xx when strictTypes is false
- feat: When a field has a format but no pattern, make sure the fuzzed value is matched against the format
- feat: Update functional tests to use scenario instead of description for test scenario
- feat: Improve dsl parser used for java expressions in headers and ref data
- fix: When swapping discriminators make sure field exists in JSON
- feat: When report is skipped for specific results, present in the output the total tests run
- fix: Fix AIOB on BiDi fuzzer when payload is empty
- feat: Add 3 new injection fuzzers
- feat: Add 10 new fuzzers focused on type coercion
cats-13.7.0
- feat: EmptyStringHeadersFuzzer and SpacesOnlyInHeadersFuzzer expect both 2xx and 4xx for headers with format
- fix: Simple body fuzzers must run once per path+http method
- feat: Add --mode positive and --mode negative arguments to run only positive or only negative scenarios across all fuzzers
- feat: Remove heavy dependencies by replacing them with own implementations, which reduced the final jar and binary size
- feat: Add more generators for vin, vat, license plate, etc.
- feat: When cats finishes, write the top 5 failing fuzzers
- feat: Improve cluster matching performance for error leaks
- feat: Don't bold text on console for cats configuration
- feat: Add --heathCheck profile for quickly checking service health
- feat: Add cats list --profiles to display the built-in profiles
- feat: Add --checkAllowHeader to toggle between info and warn for http methods fuzzers
- feat: Show an error when paths supplied through --path(s) do not exist in the contract
- fix: EmptyBodyFuzzer should expect 4XX if the body is required even though internal fields are not
- feat: Add quality gates to support flexible failure thresholds for errors and warnings
- feat: Update exit codes to be standard 0, 1, 2
- fix: EmptyJsonFuzzer and EmptyBodyFuzzer should expect 2XX or 4XX depending on whether required fields are defined in the contract
- feat: Don't display full help on parameter errors
- feat: Add profiles to make it easy to run cats with pre-defined categories of fuzzers
- feat: Display seed when CATS starts
cats-13.6.0
- feat: PrefixNumbersWithZeroFieldsFuzzer has different expected response code based on --allowLeadingZeroInNumbers
- fix: #192 - Make sure negative counts are not used in repeat method when formatting malformed JSONs
- fix: #191 - Properly handle root arrays in MassAssignmentFuzzer
- feat: Reduce final binary size by 30% by removing spring dependencies and writing custom logic
- feat: Add support for --seed to get deterministic payloads generation
- feat: Allow fuzzer config to override response code by path and method #190
- fix: Fix performance issue for error leaks detection that was lowercasing for every check
- feat: Improve Injection fuzzers detection logic
- fix: Fix issue where running zero tests displayed the IO and Auth errors message
cats-13.5.0
- feat: Add new fuzzer for date range inversion
- feat: Add 2 new charts in the summary report with response code distribution and top failing paths
- feat: Add 2 more fuzzers for mass assignment and SSRF
- feat: Add argument filters based on operation IDs
- feat: Add 4 new injection fuzzers that can run in default mode with 10 payloads and full mode with 100+ payloads
- feat: Add new fuzzer for insecure object references
- feat: Add new fuzzer for prefixing numbers with zeros
- feat: Enhance replay command to replay all --errors and/or --warnings from a previous run
cats-13.4.5
- fix: Add missing resource file for title generation
- feat: Add ASCII logo and description in cats --version
- fix: Fix builds for macOS Intel
- fix: Fix #180 again, now for native builds
cats-13.4.4
- feat: #185 Allow fuzzers to be skipped based on vendor extension filtering
- fix: Fix for #188 - Encode URL params for all http methods
- fix: Fix for #186 - add query params for http methods with bodies
- fix: Fix for #187 - swagger 2.0 parser was adding a trailing / in base path
- fix: Fix for #180 - OpenAPI 3.1+ schema of type null and string was not properly seen as string
- fix: Prevent negative count in SimpleJsonFormatter.formatJsonString
- fix: CLI --server parameter should take priority over OpenAPI servers
cats-13.4.3
- fix: Fix for #179 - reporting folder was reinitialized at the end of the run session
cats-13.4.2
- fix: Fix issue when items is array of enum with size 1
- feat: HTTP fuzzers for undocumented methods check for the Allow header in the response
- feat: #172 Get server info from openapi spec and mix with cli when variables
cats-13.4.1
- fix: Fix for #177 - generate report even though CATS quits with an exception
- feat: Add new fuzzer for full hangul fillers
- feat: Add new fuzzer for full width brackets
- feat: Add more info into the cats stats sub-command
- fix: Signal IO or Auth issues when the number of errors is greater than or equal to half
- fix: #171 Add --http2PriorKnowledge argument to be able to connect to h2 endpoints over http
- feat: Allow path=fuzzers pairs to be supplied in --skipFuzzer
- feat: Exclude zero width char fuzzer for discriminators
- feat: Add new fuzzer for duplicate keys in jsons
- feat: Add new fuzzer for bidirectional char override
- feat: Add new fuzzer for homoglyphs in enums
- feat: Add new fuzzer that swaps discriminator values while keeping payload
- feat: Add new fuzzer for schemas explicitly setting additionalProperties: false
- feat: Allow 404 as valid response code as it might get thrown in different fuzzing scenarios
- fix: Fix issue with ref data replacing in root array
cats-13.3.2
- feat: Add more linters for enum and string schema limits
- feat: Add new linters to check maxLength for string schemas
- fix: Properly report total number of fuzzers or linters
- feat: Add new linters to check for enum casing consistency
- fix: Fix issue when enum value was generated as null, causing generation to enter an infinite loop
- fix: Fix issue when payload is array and ref data replaces root array
- fix: Fix NPE when setting ref data to null values
- fix: Fix issue with AbstractRequestBodyLinter to run per path+method
- fix: Report global fuzzers in summary run mode
- fix: Properly resolve refs referencing other files for unused elements linters
- fix: Add new empty line when printing summary statistics
- feat: #170 Allow to supply multiple report formats in same run
- fix: Fix for #168 - When uniqueItems is true, generate unique array elements
- feat: Add new linter to check for arrays with no items
- feat: Rename --skipFuzzers to --skipLinters in the cats lint sub-command
- feat: Add new linter to check for unused components schemas
- feat: Add new linter to check for unused components responses
- feat: Add new linter to check for unused components requestBodies
- feat: Add new linter to check for unused components parameters
- feat: Add new linter to check for unused components headers
- feat: Add new linter to check for unused components examples
- feat: Rename all linters to not contain word fuzzer in their naming
- feat: #167 Allow configuration to be supplied through a property file using --configFile
- feat: Add new linter to check for multiple success response codes
- feat: Add new linter to check empty response schemas
- feat: Add new linter to check empty request schemas
- feat: Add new linter to check for verb-consistent naming
- feat: Add new linter to check put without body
- feat: Add new linter to check post without body
- feat: Add new linter to check patch without body
- feat: Add new linter to check pagination for get on collections
- feat: Add new linter to check operationId prefixes
- feat: Add new linter to check head methods with body
- feat: Add new linter to check get methods with body
- feat: Add new linter to check delete methods with body