Add test suite and integrate to run on CI #34
Comments
What are your thoughts around this @ckarande: have non-security-focused unit tests running and passing, or security-focused tests (regression maybe?) running and continually failing... as the whole idea of the project is to be broken to start with and then the students fix the vulns?
@binarymist Sorry for getting back to it after a long time. I didn't mean to ignore it at all. On thinking more about it, I would prefer security-focused functional tests instead of unit tests as a higher priority. I like the idea that tests fail to begin with and students make them pass as they fix the vulnerabilities. To assist, we can add a branch with all tests passing for reference.
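The fail-first, security-focused functional test discussed in the comment above, as an added illustration that is not NodeGoat's own code: one test asserts an output-encoding property, fails against a hypothetical vulnerable handler (the state a student starts from) and passes against the fixed handler (the state an all-tests-passing reference branch would carry). The handler functions, the `FakeResponse` stand-in and the test names are assumptions made for this example, not anything from the project.

```javascript
// Added example, not NodeGoat code. Everything below is constructed for
// illustration: a tiny response stand-in, a hypothetical vulnerable handler,
// its fixed counterpart, and a security-focused functional test that is
// expected to fail first and pass once the defect is repaired.

// Minimal stand-in for a Node/Express response object: captures headers and
// body so a handler can be exercised without starting a server.
class FakeResponse {
  constructor() { this.headers = {}; this.body = ''; this.statusCode = 200; }
  setHeader(name, value) { this.headers[name.toLowerCase()] = value; }
  end(chunk) { if (chunk !== undefined) this.body += chunk; return this; }
  send(chunk) { return this.end(chunk); }
}

// Hypothetical "before" handler: interpolates a user-controlled field straight
// into an HTML response. This is the kind of defect a student is meant to fix.
function greetVulnerable(req, res) {
  res.setHeader('Content-Type', 'text/html');
  res.end(`<h1>Hello ${req.query.name}</h1>`);
}

// HTML-encode the five characters that matter in text and attribute contexts.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hypothetical "after" handler: same behaviour, output is encoded.
function greetFixed(req, res) {
  res.setHeader('Content-Type', 'text/html');
  res.end(`<h1>Hello ${escapeHtml(req.query.name)}</h1>`);
}

// One security-focused functional test. It feeds a string of HTML
// metacharacters through the handler and checks that the raw string never
// reaches the response body while its encoded form does. Returns a result
// object rather than throwing, so any harness can consume it.
function outputEncodingTest(handler) {
  const probe = '<b>"x"&\'y\'</b>';                 // constructed probe input
  const req = { query: { name: probe } };
  const res = new FakeResponse();
  handler(req, res);
  const rawLeaked = res.body.includes(probe);
  const encodedPresent = res.body.includes(escapeHtml(probe));
  return {
    passed: !rawLeaked && encodedPresent,
    detail: rawLeaked ? 'user input reached the HTML body unencoded' : '',
  };
}

// The "suite": a list of named security checks applied to a handler.
const securityTests = [
  { name: 'reflected input is HTML-encoded', run: outputEncodingTest },
];

function runSuite(handler) {
  return securityTests.map((t) => ({ name: t.name, ...t.run(handler) }));
}

function allPassed(results) {
  return results.every((r) => r.passed);
}

// Report for both states: the failing start point and the reference branch.
for (const [label, handler] of [['vulnerable', greetVulnerable], ['fixed', greetFixed]]) {
  const results = runSuite(handler);
  console.log(`${label}: ${allPassed(results) ? 'PASS' : 'FAIL'}`);
  for (const r of results) {
    console.log(`  ${r.passed ? 'ok  ' : 'FAIL'} ${r.name}${r.detail ? ' (' + r.detail + ')' : ''}`);
  }
}
```

Running it prints `vulnerable: FAIL` and `fixed: PASS`, which is exactly the contract described above: the test ships red on the teaching branch and is green on the reference branch. Driving the handler through a fake response object keeps the check fast and deterministic; the same test function could be pointed at a live HTTP endpoint by swapping the request/response construction for a real client.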
This is insane, I was just thinking about this as I was lying in bed and wondering about this exact issue, had forgotten that I had submitted it. That's a 10:4. Adding a branch with "all tests passing"... I'll work toward doing this as my Fascicle 1 gets near to handing to the technical editor, still a few months off.
Thanks @binarymist. Assigning it to you. Great to know progress on Fascicle 1 :)
Is there anything that I can do to complete this? Let me know if you need any help.
Means it has to be kept up to date as changes are made to master; this would need to be well documented. It'd also mean more work for contributors and mergers. Thoughts: @ckarande @lirantal @mostafahussein?
That's a great idea. Would love to see this, and as you said we should recognize the effort that this brings, especially with creating a baseline of tests for what we have so far.
I don't think we have any tests other than the security regression test, which I'll be removing at some point... as soon as purpleteam is in prime time, as purpleteam is using NodeGoat currently as the main SUT.
We can break it down to phases or stages that need to be done in the pipeline. So what about the following:
Lastly, OWASP as an organization, or any other member responsible for this, might submit a proposal to Docker so we can have this as an official image, which will allow us to have the automated security checks provided by Docker Hub.
Didn't you have something like this setup at some point @ckarande?
NodeGoat currently uses "jsbeautifier" and "jshint" via npm script. I don't personally see a snyk.io report, not sure if @ckarande has this set up; keep in mind though, that the application is supposed to be insecure ;-) I'm not sure what you would add for As @ckarande mentioned above:
So we probably want to stick with that direction.
Okay, but I need clarification regarding this point: Do you mean by
Should this issue still even be open @ckarande?
@binarymist I would prefer to keep this issue open for any contributors to pick up or we implement it in future. @mostafahussein thanks for your interest in it. About the
I hope the above helps. @binarymist @lirantal please suggest if you have any opinion or alternate suggestions on approaching this. @binarymist, pretty impressive work with the purpleteam project; please suggest if any of your work could be used as a reference for the purpose of these tests.
This sounds very much like security regression testing, which we had a PoC for (still do, but it is very much redundant with purpleteam). It was my intention to rip that PoC out once I have purpleteam running in the cloud... which shouldn't be far away now, although it looks like I may be taking another full-time job soon. purpleteam removes the need for any sort of test suite. The SaaS and CLI are smart enough to work out "how" to test based on "what" you tell it to test, which is provided by a build user config file. This one specifically targets NodeGoat as the SUT.
Sounds good. Let's revisit this once you have purpleteam running in the cloud. I would be very interested in seeing its demo with NodeGoat if possible.
Addressed in #147
No description provided.