cats

CATS is a REST API Fuzzer and negative testing tool for OpenAPI endpoints. CATS automatically generates, runs and reports tests with minimum configuration and no coding effort. Tests are self-healing and do not require maintenance.

APACHE-2.0 License

Stars
1.1K
Committers
12

cats -

Published by en-milie 6 months ago

Release Notes:

  • Improve cyclic schema dependencies detection to avoid infinite loops
  • Add new arguments that deal with anyOf/oneOf generation
  • Fix NPE when pattern was empty
  • Filter out request payloads that are not fully created and still include ONE_OF/ANY_OF
  • If --targetFields are not supplied, compute all field combinations from --data for cats fuzz
  • If --urlParams are not supplied for http methods with body, generate random values
  • Fix issue with lookahead regex operators causing strings not to be generated
  • Fix for #122
  • Several improvements for the cats fuzz subcommand
  • Add 2 new arguments, --simpleReplace and --printProgress, for the cats fuzz sub-command
  • Make cats fuzz sub-command render findings in console as it progresses
  • When running in summary mode don't prefix log lines with stars
  • Fix issue with refData from all not adding keys that were not on the path entry
  • Make matchXXX arguments required for cats fuzz
  • Fix issues with default values for boolean arguments and their negatable values
  • Make cats fuzz do fuzzing based on the FUZZ keyword
cats -

Published by en-milie 7 months ago

Release notes:

  • Change generator logic to consider enum and default values first
  • Fix several possible NPEs
  • Fix #117
  • Fix #119
  • Fix #116
  • Fix an issue where path specific headers were overridden by all level headers
  • Flag when a test case result is switched from error/warn to success based on --ignoreXXX arguments
  • Add default value for xxxOf combinations as they grow exponentially and some OpenAPI specs abuse this
  • Fix self-reference detection by keeping full qualified property names
  • Add multiple generators
  • Increase limit for yaml file size
  • Fix issue when OpenAPI parser was adding an empty schema
  • Fail gracefully when schema definitions are not part of the contract
  • Accommodate additional cases for allOf composition with root oneOf schemas
  • Improve oneOf/anyOf combination generation to avoid stackoverflow on circular references
  • Add additional arguments to configure interaction with anyOf/oneOf schemas
cats -

Published by en-milie 7 months ago

Release notes:

  • Only apply custom generators for String schemas
  • Make very large fuzzer not check content type and response schema
  • Make RandomResourcesFuzzer expect 404,400,422 not just 400
cats -

Published by en-milie 7 months ago

Release notes:

  • Handle IOException cases when parsing fails during response streaming
  • Consistently handle non-json responses and empty responses
  • Make Abugida fuzzer expect both 4xx and 2xx as not all services might properly sanitize data
  • Make fields totally skippable for fuzzing using a !field syntax
  • Fix issue with data generator that was not considering the fully qualified name
  • Add new generator for cardholdername
  • Check that --server is a valid URL in all commands
  • Improve error reporting for FunctionalFuzzer and SecurityFuzzer for cases when custom file was empty or required keywords were not present
cats -

Published by en-milie 8 months ago

Release notes:

  • Fix for #101 #102 #014 #105 #106
  • Add compatibility with OpenAPI 3.1 specs
  • List mutators using cats list ...
  • Allow custom mutators to load values from files
  • Add new fuzzers for json keys
  • Add new fuzzers that send additional http methods
  • Print error when OpenAPI spec is not valid
  • Don't print progress in dry run as it has summary progress
  • Add singular arguments for all plurals
  • Add argument to limit number of possible anyOf/oneOf combinations
  • Print proper error when supplied files have wrong syntax
  • Add more Generators to generate more real world data
cats -

Published by en-milie 8 months ago

Release Notes:

  • Fix for #98 when schema might be null for some reason
  • Fix issue with arrays of elements having objects using xxxOf
  • Fix for #100 when enum might be null, do not issue warning for response schema matching
  • Change PathPlurals linter's algorithm to accommodate resources/actions paths
  • Add unused schemes in cats stats command
  • Significantly improve memory usage, especially when running more than 10000 tests, by not storing the entire test case after being written to disk
  • Make report width bigger in order to accommodate large fuzzer names and large test numbers
  • Update the LargeXXX and VeryLargeXXX fuzzers to expect response code 431 and don't match content type or response body
  • Introduce continuous fuzzing using cats random ... that lets you run fuzzing continuously until certain stop conditions are met
cats -

Published by en-milie 9 months ago

Release notes:

  • Enhanced help for all commands and sub-commands, adding exit codes and examples
  • Fix issue with --matchResponseRegex argument which was ignoring the regex
  • Change expected result and response message for user dictionary and template fuzzers in order to match arguments supplied
  • Fix for #94
  • Fix NPE when expected response headers were null
  • Skip json objects case linter for non-body http methods
  • Fix issue with generating examples for array schemas with null internal schemas
  • Add new argument toggle for cases when services might allow invalid values in enums
  • Report errors even when running in blackbox mode and reporting is ignored
  • Add new --matchInput argument to check if input is reflected in response
  • Add new command to validate if OpenAPI specs are valid
  • Fix for #96 - preserve data type for global variables in functional fuzzer
cats -

Published by en-milie 9 months ago

Release notes:

  • Make sure content types also include versioning or vendor extensions when matching
  • Don't replace url params for RandomResourceFuzzer
cats -

Published by en-milie 9 months ago

Release Notes:

  • Fix intermittently failing test due to regex generation issues
  • Add idempotency and security headers in cats stats
  • Fix issue in OverflowMapSize when map was null
  • Optimize String generation and accommodate different corner cases based on size and regex
  • Fix issue with JSON keys having spaces in name
  • Add possibility to have multiple additional parameters in ref data file
  • Throw exception when field is declared in path, but it doesn't have a definition
  • Skip regex matching against schema pattern for VeryLargeXXXInFields fuzzers
  • Fix matching paths failing due to { and } not being escaped
  • Fix issue when path was longer than screen size
  • Add condition to skip invalid maps
  • Fix issue with multi-level anyOf/oneOf declarations in order to generate all possible combinations
  • Add key=value pair arguments as alternative to file arguments
  • Fix for #92 - NPE when schema was empty
  • Add configurable response codes for fuzzers #89
cats -

Published by en-milie 10 months ago

Release notes:

  • Make cats stats customizable so that you can filter certain information
  • Add more generated body names to naming linters
  • Fix scenario name for QueryParamsCaseLinterFuzzer as it wasn't taking into consideration the naming name
  • Remove path name from versions fuzzer as it runs globally
  • When operationId is null return path + http method
  • Fix reporting issue for global linters when running with --verbosity summary
  • Fix reporting issue for FunctionalFuzzer in --verbosity summary
  • Fix issue for oneOf/anyOf usage when one of the possibilities was actually nullable
  • Add possibility to filter paths based on tag when using cats list --paths
  • Add possibility to include/skip tags
  • Introduce an additional regex generator library to accommodate additional weird regexes
cats -

Published by en-milie 10 months ago

Release Notes:

  • add new --maskHeaders argument to mask sensitive headers in report files
  • CATS is now testing response content type and will report a warning if it doesn't match the contract; you can use --ignoreResponseContentTypeCheck to ignore this check
  • add new fuzzers for random resources checking and response http headers checking
  • VersionsLinterFuzzer will now check for versions in paths, servers definition and content type headers
  • NamingsLinterFuzzer is now split into more granular linters
  • 501 is now on the response code ignore list when running in --blackbox mode
  • improve reporting for error scenarios
  • add new cats stats sub-command to display some statistics about OpenAPI contracts
  • add new argument to list info for a single path using the cats list sub-command
cats - cats-10.1.0

Published by en-milie 11 months ago

Release notes:

  • Add argument to skip deprecated operations
  • Add argument to send application/merge-patch+json for PATCH operations
  • Filter blank lines and commented lines from string files #84
  • Add 6 new http fuzzers
  • Add checkFalse and checkTrue to be used instead of checkBoolean in verify section
  • Add possibility to replace entire request body with custom payload with SecurityFuzzer
  • Fix for #85
  • Add cats info sub-command to display details about OS and CATS version
  • Fix for #86
  • Fix progress issue for FunctionalFuzzer with --verbosity summary
  • Make sure exceptions are displayed in --verbosity summary if CATS cannot run at all
cats - cats-10.0.0

Published by en-milie 12 months ago

Release notes:

  • Don't include request/response details in linters report file
  • Fix issue with fields naming conventions being reported multiple times
  • Add new argument to set max response time and fail tests if it's exceeded
  • Make CATS banner be displayed only when printing help command
  • Add 2 new arguments to filter based on field type and field format
  • Fix issue for matching Cache-Control header when having multiple values
  • Introduce new argument to control number of random headers sent by the random headers fuzzers
  • Add argument to be able to filter anyOf and oneOf selection if only one is valid
  • Add 8 new fuzzers that are sending non-json request with different values
  • Display separator between tests considering the console columns

Changed behaviour:

  • Make response json parser more relaxed and use rfc4627
  • Preserve Of in the Fuzzers naming
  • Make Payload default to be displayed when opening individual test cases
  • Introduce --verbosity argument to allow a more compact output in console which defaults to summary and reduced CATS logging to less verbose output
  • Don't attempt to run fuzzer if field is not part of the payload
cats -

Published by en-milie about 1 year ago

Release notes:

  • Add new argument to disable ANSI codes for output: --no-color
  • Add 2 new HTTP fuzzers that send null and empty bodies
  • Add 3 new HTTP header fuzzers that send invalid values in Content-Length and Transfer-Encoding headers
  • Add new argument to set the User-Agent header
  • Display old/new status code and response body in cats replay command
  • Refactor security headers fuzzer to allow X-XSS-Protection to either not be present or have value set as zero
  • Add more details to the cats list --paths subcommand
  • Improve logging and reporting when tests are ignored based on --ignoreXXX arguments
  • Logging doesn't include label now, only icons
cats -

Published by en-milie about 1 year ago

Release notes:

  • Hot fix for Quarkus issue that removed subcommands from final binary, causing them to fail
cats -

Published by en-milie about 1 year ago

Release notes:

  • Fix issue when root json was array - CATS was generating a simple object instead of array
  • Remove dependency on github packages #76
cats -

Published by en-milie about 1 year ago

Release notes:

  • Fix for #75
  • Add configuration to release to maven central #76
  • Fix for #80
  • Fix issue with Linters not properly running
  • Fix corner case for oneOf definitions when there are multiple arrays nested
cats -

Published by en-milie about 1 year ago

Release notes:

  • Fix for #74
  • Fix for #73
  • Fix styling issues for dark mode
cats -

Published by en-milie about 1 year ago

Release notes:

  • Brand new logo
  • New reporting design with cleaner UI and omni-search in summary page
  • Fix out of bounds issue with pattern containing length
  • Add new fuzzer to replace primitive values with objects
  • Add new Fuzzer to replace objects with arrays
  • Change the value for almost valid UUID values
  • Add fuzzers to replace arrays with primitives or objects
  • Add new Fuzzer to overflow array size
  • Switch skip message to debug to avoid too much logging
  • Add new Fuzzer to overflow map sizes
  • Ignore empty_body when checking naming conventions
  • Don't escape query params when writing the full request path
  • When searching for the fuzzedField in validation error response accommodate for snake_case and kebab-case
  • Add possibility to skip fuzzers when running lint command
  • Add possibility to include/exclude more granular log levels
  • Add 2 new arguments to ignore reporting for success and warning
  • #72 Add possibility to ignore fields in FunctionalFuzzer
  • Renamed ContractInfo Fuzzers to LintFuzzers
  • Add update check functionality to display new version if available
cats -

Published by en-milie over 1 year ago

Release notes:

  • Output report files when running cats replay if --output argument is supplied. #71
  • Add possibility to add --server when running cats replay
  • Fix for #69
  • Change extension of summary json files from .js to .json
  • Run special characters fuzzers for all string field types, not only StringSchema. This includes email, password, etc.
  • Don't send query parameters when they are set to null
  • When searching for the fuzzedField in validation error response make sure it matches snake_case and kebab-case
  • Fix issue when generators were generating special chars and exact value fuzzers would fail due to values being sanitized by the services