Releases: Endava/cats

cats-13.0.0

09 Nov 18:28
97a0d11

Breaking Changes:

  • The generation engine was rewritten to better handle anyOf/oneOf/allOf combinations. The following arguments were removed: --generateXxxCombinationsForResponses and --filterXxxFromRequestPayloads.
  • cats fuzz is replaced with cats template for non-OpenAPI fuzzing

Release Notes:

  • feat: Add new mutator for big list of naughty strings
  • feat: Add ability to detect error detail leaks in api responses
  • fix: Fix infinite loop issue for complex self-referencing objects
  • feat: Add --limitNumberOfFields argument to be able to limit the number of fuzzed fields when payloads are very big
  • feat: Add --selfReferenceDepth as argument for the cats generate subcommand
  • feat: Remove arguments for filtering anyOf/oneOf combinations as they are not needed anymore
  • feat: Add new generator for job titles
  • feat: Add new generator for gender
  • feat: Add new generator for company departments
  • fix: #146 properly format examples for date and date-time schemas
  • fix: Fix issue with OverflowArraySizeFuzzer that wasn't properly serializing array elements
  • feat: Introduce improved generation engine for payloads that is faster and more reliable
  • fix: Fix ExampleFieldsFuzzer to properly serialize examples
  • feat: Allow useExamples to be null and only influence other flags when explicitly set to true or false
  • fix: #145 correct typos
  • feat: Allow continuous fuzzing when running in template fuzzing
  • feat: Display additional config info when cats starts
  • fix: #143 and #144 Add new arguments to handle examples from OpenAPI specs
  • fix: Don't add path and http method for linters that run globally
  • fix: Exclude emailAddress from address generator
  • fix: Fix issue that was reporting null operationIds as duplicates

cats-12.1.0

08 Oct 20:17
538340e
  • fix: Fix for #142 - add Cookie header in the list of authorization headers
  • fix: Fix issue when query parameters have empty name
  • fix: Fix issue of matching response content types when content type was invalid
  • fix: Fix issue when oneOf/anyOf could be different variants of arrays in root path
  • feat: Add fuzzer name in console for current running path
  • fix: Escape json keys like key.subkey.[anotherKey]
  • fix: Fix NPE when apiresponse schema was null
  • fix: Fix issue when request body had a reference to a schema that was referencing another schema
  • fix: Default to static value when header value fails to be parsed from Parameter schema
  • fix: Limit xxxOf combinations when linting
  • fix: Improve handling of complex regexes through call chains and report regexes which could not be translated into concrete strings
  • feat: Add custom generator for timestamps
  • fix: Fix for #141 regexes starting and ending with .*
  • fix: Fix for #140 NPE when running cats fuzz sub-command
  • fix: Improve handling of allOf schemas with single child
  • feat: Consider properties with name 'link' as candidates for URIGenerator
  • fix: Fix issue when request content type doesn't have a schema
  • feat: Improve openapi parser to consider schemas having additionalProperties false and type string as string schemas
  • fix: Fix issue when oneOf/anyOf could be array or simple schemas
  • fix: Fix cases when generated examples are too large to be stored in memory
  • fix: Properly generate strings when regex doesn't have quantifiers, but has min length
  • feat: Improve handling of complex regexes like email, password or uri
  • fix: Improve detection of self-reference properties and properly stop generation after --selfReferenceDepth
  • fix: Fix issue when json key was '*'
  • fix: Improve handling of regex that have length in their definition
  • fix: Improve self-references detection
  • fix: Generate examples for parameters that have content-type
  • fix: Escape json keys like @idempotency_key
  • fix: Fix issue when nested oneOf/anyOf combinations was considering duplicate payload structures
  • fix: Fix issue with escaped URLs not being properly replaced with ref data and url params
  • feat: Make NewFieldsFuzzer run for empty payloads
  • fix: Fix issue with dark mode not displaying well on test case page
  • fix: Update cats list sub-command description to reflect all usages
  • fix: Bold and underline Usage header from help
  • feat: Add --skipPath for linting
  • fix: Fix issue with request payload not being selected by default in test case page

cats-12.0.0

28 Aug 16:58
2eb75bd
  • feat: Display current path/total paths in command line
  • feat: Add possibility to specify run order of paths
  • fix: Cache additionalProperties in order to avoid cyclic calls
  • fix: Decrease size for OverflowMapSizeFuzzer as it led to out-of-memory errors
  • fix: Fix issue with cyclic dependencies on additionalProperties
  • feat: After CATS runs, print number of errors by error reason
  • fix: Fix issue in swagger-parser with array query params with inline schemas
  • fix: Fix parsing JSON issues for keys like filters[]
  • fix: Query parameters that have cross path references to inline array schemas are now properly solved
  • feat: Add additional data to be displayed in the summary report: number of paths and average execution time
  • feat: Properly parse strings which are actually escaped JSONs
  • fix: Prevent stackoverflow issue when schema was referring itself
  • feat: Reorganize summary page to include tests execution chart and additional details
  • fix: Fix issues with cross-path param reference and empty title inline schemas
  • fix: Improve cross-path reference solving for ApiResponses
  • feat: Introduce support for cross-path components references like #/paths/~1v2~11-clicks/get/responses/200/headers/ratelimit-limit

cats-11.8.0

05 Aug 20:35
  • feat: Make help consistent across all arguments
  • fix: Don't mutate field if it's not part of the current payload
  • fix: Fix --dryRun not properly displaying number of tests to be run
  • fix: Fix padding for banner and logo on summary page
  • feat: Add additional data to be displayed in the summary report
  • feat: Add new generator for content types
  • feat: Add new argument to cache generated payloads instead of generating them every time
  • feat: Display path and http method when showing processing errors at the end of the run
  • fix: Fix serialization of DateTime objects when fuzzers were replacing fields
  • fix: Improve regex generator to deal with fixed-length patterns
  • feat: Print errors during fuzzer processing at the end of execution
  • fix: When OpenAPI schema doesn't have min/max default to -1/-1
  • fix: Escape json keys like $idempotency_key
  • fix: Return default alphanumeric pattern for empty patterns
  • fix: Fix HttpStatusCodeInRangeLinter to consider 1xx,2xx,3xx,4xx,5xx codes
  • fix: Accommodate additional regexes with fixed length in definition and also having minLength and maxLength defined
  • fix: Ignore root schema names from cyclic references check
  • fix: Escape json keys like key[inner]
  • fix: Change default min length for headers to 1 when no constraint defined in OpenAPI
  • feat: Change PhoneNumberGenerator to also match phone1, phone2, etc.
  • feat: Add http method when printing that a param does not have a defined schema
  • fix: Make sure total string size does not exceed max possible on the JVM
  • fix: Fix issues when content type is not Json and logic for param replacement was relying on json formatting
  • fix: When schema length is Integer.MAX_VALUE use only MAX_VALUE / 100 to generate exact length values
  • fix: Fix some edge cases for string generation
  • fix: When NewFieldsFuzzer cannot add new fields skip the test
  • fix: When payloads are not valid jsons compare them as strings
  • fix: Update StringGenerator to try to generate twice for each generator to increase chances of generating a value matching the pattern
  • fix: When path variable is not defined in OpenAPI print error instead of throwing exception
  • fix: Fix issue with NewFieldsFuzzer to be skipped for primitives and better interpret arrays
  • fix: Fix issue with DefaultValuesInFieldsFuzzer to do simple replace instead of merge fuzzing
  • fix: When an exception happens before running the fuzzer make sure contract path is recorded

cats-11.7.1

08 Jun 18:32
  • feat: Change display progress to unknown progress instead of percentage as percentages were unreliable
  • fix: When field is enum consider left boundary as length of element at position 0
  • fix: Escape zero width char to properly be displayed in the report
  • fix: ZeroWidthCharsInNamesHeadersFuzzer should not match response content type and body
  • fix: Split ZeroWidthCharacters fuzzers based on sanitization logic

cats-11.7.0

07 Jun 06:24
  • fix: Fix issue with progress not being displayed when request payload contained many fields
  • fix: Fix issue when UUIDs could not be generated in native binaries
  • fix: Fix for #128 for case insensitive regexes
  • feat: Add new linter to check relevant response codes have response bodies
  • fix: Fix for #125 caused by pattern also allowing empty strings
  • feat: Add new generator for state codes
  • feat: Add new generator for sort codes
  • feat: Add new generator for nationality
  • feat: Add new generator for bank account numbers
  • fix: Improve phone number generator to accommodate regexes starting with +
  • fix: Add lineOne as possible field name for line1 generator
  • feat: cats generate ... will output single json instead of array when one type of request possible
  • fix: Fix for #127 when contentType is declared globally
  • feat: Add new linter to detect duplicate operationIds
  • feat: Add new linter to detect empty path elements
  • fix: Mark null responses as matching schema
  • feat: Include additional potential monitoring endpoints to be displayed by cats stats sub-command
  • feat: Add 2 new fields fuzzers that are fuzzing field names and field values with zero length characters
  • fix: Add env. prefix to RELEASE_URL

cats-11.6.0

26 May 21:00
  • Include additional characters in the zero width chars small list
  • Allow -X for http method in main command
  • Add two new header fuzzers to cover basic zero width characters test cases
  • Enable debug logging earlier in GenerateCommand
  • Properly display stack traces in CatsCommand
  • Update javadoc to reflect that RandomResourceFuzzer runs for all http methods
  • Add new command to generate valid response templates
  • Change logic for phone generator to select from 10 and 11 length numbers only
  • Exclude citizenship from the IP generator match condition
  • Make method return empty list when urlParams are null
  • When responses have binary content such as pdf or csv, assume the body matches
  • Change argument help to remove TemplateFuzzer reference

cats-11.5.0

26 Apr 20:03

Release Notes:

  • Improve cyclic schema dependencies detection to avoid infinite loops
  • Add new arguments that deal with anyOf/oneOf generation
  • Fix NPE when pattern was empty
  • Filter out request payloads that are not fully created and still include ONE_OF/ANY_OF
  • If --targetFields are not supplied, compute all fields combinations from --data for cats fuzz
  • If --urlParams are not supplied for http methods with body, generate random values
  • Fix issue with lookahead regex operators causing strings not to be generated
  • Fix for #122
  • Several improvements for the cats fuzz subcommand
  • Add 2 new arguments for --simpleReplace and --printProgress for cats fuzz sub-command
  • Make cats fuzz sub-command render findings in console as it progresses
  • When running in summary mode don't prefix log lines with stars
  • Fix issue with refData from all not adding keys that were not on the path entry
  • Make matchXXX arguments required for cats fuzz
  • Fix issues with default values for boolean arguments and their negatable values
  • Make cats fuzz do fuzzing based on the FUZZ keyword

cats-11.4.0

03 Apr 18:04

Release notes:

  • Change generator logic to consider enum and default values first
  • Fix several possible NPEs
  • Fix #117
  • Fix #119
  • Fix #116
  • Fix an issue where path specific headers were overridden by all level headers
  • Flag when a test case result is switched from error/warn to success based on --ignoreXXX arguments
  • Add default value for xxxOf combinations as they grow exponentially and some OpenAPI specs abuse this
  • Fix self-reference detection by keeping full qualified property names
  • Add multiple generators
  • Increase limit for yaml file size
  • Fix issue when OpenAPI parser was adding an empty schema
  • Fail gracefully when schema definitions are not part of the contract
  • Accommodate additional cases for allOf composition with root oneOf schemas
  • Improve oneOf/anyOf combination generation to avoid stackoverflow on circular references
  • Add additional arguments to configure interaction with anyOf/oneOf schemas

cats-11.3.0

15 Mar 07:34

Release notes:

  • Only apply custom generators for String schemas
  • Make very large fuzzer not check content type and response schema
  • Make RandomResourcesFuzzer expect 404,400,422 not just 400