Releases: Endava/cats

v5.2.3

26 Nov 19:19

Release notes:

  • Fix #3
  • Fix #4
  • When running non-fuzzing commands like ./cats.jar list fuzzers, CATS no longer displays fuzzing-related data

v5.2.2

10 Nov 07:05

Release notes:

  • Fix an issue when a response was an array and CATS didn't properly check if the elements match the declared schema
  • Whitelist the body_ JSON object names generated by OpenAPI so that they are not labeled incorrectly by the Contract fuzzers
  • Allow JSON object names to also match snake_case and hyphen-case
  • Allow refData to contain fields which can be marked for removal using cats_remove_field

v5.2.1

06 Nov 07:11

Release notes:

  • custom files now use JsonPath syntax, so you have more control over the properties being replaced/used
  • fix for SpacesOnlyInFieldsTrimValidateFuzzer being ignored when the fuzzers were running
  • introduce arguments like --checkHeaders, --checkFields or --checkContract to be able to run only categories of fuzzers

v5.2.0

22 Oct 18:25

Release Notes:

  • fix various issues when dealing with oneOf or allOf elements
  • add new Fuzzers for checking OpenAPI contract good practices in terms of presence of specific elements, naming conventions, content types, recommended headers
  • fix issue when CATS was considering a 404 a valid response for validation error; it now expects 400 or 422
  • CATS now also checks if the fuzzedField is present in a validation error response
  • allow org.apache.commons.lang3 classes to be used via SpEL in configuration files such as refData, customFuzzer, etc
  • fix issue where --printExecutionStatistics was only considering SKIPPED tests
  • fix for elements sometimes not being displayed in the proper order in the final report

v5.1.1

05 Oct 17:38

Release notes:

  • Add the possibility to add additionalProperties inside refData and customFuzzerFile
  • Add possibility to supply dynamic values to refData, customFuzzerFile and securityFuzzerFile. Currently it supports only the java.time package
  • Update Report summary to also include the path

v5.1.0

01 Oct 18:26

Release Notes:

  • fix for HttpMethodsFuzzer not conditioning HEAD by GET requests
  • Add 2 new Fuzzers for exact value matching: MinimumExactValuesInNumericFieldsFuzzer and MaximumExactValuesInNumericFieldsFuzzer
  • Add new security Fuzzers for checking security headers and mime types according to OWASP REST API recommendations
  • list fuzzers will now list fuzzers based on categories: Field, Header and Http

v5

24 Sep 18:21

Release notes:

  • Add 2 new fuzzers for minLength and maxLength exact matching on String fields
  • Add a new SecurityFuzzer that can be used for common security testing scenarios like XSS, SQL injection, etc
  • Add a new argument called useExamples which can control whether CATS should use examples from the contract or only generate values
  • Add a new argument called printExecutionStatistics that will display average, best case and worst case response times
  • Add responseTimeInMs as part of the response information inside the CATS report
  • Make DuplicateHeaderFuzzer iterate through all headers and send duplicates, rather than just for the first one
  • Improve logging summary by adding colour codes
  • Make CATS exit with a non-zero code when there is at least one error
  • Add a new fuzzer called DummyFuzzer that will send a dummy payload to all defined paths
  • Add a new argument called excludedFuzzers to be able to globally exclude specific fuzzers
  • Add a new fuzzer for invalid values in ENUMs
  • Improve logging for skipForXXX params and command listing
  • Change the list of paths from the paths argument to be comma separated in order to be consistent with all other arguments

v4.5

09 Sep 18:08

Release notes:

  • Arrays can be set as query params
  • Date-Time values are now properly made incorrect
  • Fix the extreme negative values in integer fields to return 2 * Long.MIN_VALUE instead of zero
  • Take into consideration responseBodies elements
  • Fix for requests that only have $ref for their bodies
  • CustomFuzzer can now run business linked scenarios based on the order defined in the customFuzzer file
  • CustomFuzzer can now validate elements in responses

v4.4.1

01 Sep 14:14

Release notes:

  • Fix an issue for GET requests that didn't have Operation Parameters causing NPE

v4.4

27 Aug 15:01

Release Notes:

  • add a new StringsInNumericFieldsFuzzer
  • introduce the ability to skip specific fuzzers for certain paths
  • fix an issue with hierarchical allOf elements
  • add better error handling when there is a problem parsing refData and headers files
  • remove the - from the log lines
  • print the number of fuzzers when listing the fuzzers
  • correctly report the reason for skipping a fuzzer
  • update all dependencies to the latest versions
  • fix an issue where not all fields were considered when dealing with allOf, anyOf or oneOf