Add test suite and integrate to run on CI

[ckarande]

[binarymist]

What are your thoughts around this @ckarande have non security focused unit tests running and passing or security focused tests (regression maybe?) running and continually failing... as the whole idea of the project is to be broken to start with and then the students fix the vulns?

[ckarande]

@binarymist Sorry for getting back to it after a long time. I didn't mean to ignore it at all.

On thinking more about it, I would prefer security focused functional tests instead of unit tests on a higher priority. I like the idea that tests fail to begin with and students make them pass as they fix the vulnerabilities. To assist, we can add a branch with all tests passing for a reference.

[binarymist]

This is insane, I was just thinking about this as I was lying in bed and wondering about this exact issue, had forgotten that I had submitted it. That's a 10:4, Adding a branch with "all tests passing"... I'll work toward doing this as my Fascicle 1 gets near to handing to the technical editor, still a few months off.

[ckarande]

Thanks @binarymist . Assigning it to you. Great to know progress on Fascicle 1 :)

[mostafahussein]

Is there anything that I can do to complete this ? Let me know if you need any help

[binarymist]

Adding a branch with "all tests passing".

Means it has to be kept up to date as changes are made to master, this would need to be well documented, it'd also mean more work for contributors and mergers. Thoughts: @ckarande @lirantal @mostafahussein ?

[lirantal]

That's a great idea. Would love to see this, and as you said we should recognize the effort that this brings, especially with creating a baseline of tests for what we have so far.

[binarymist]

I don't think we have any tests other than the security regression test, which I'll be removing at some point... As soon as purpleteam is in prime-time, as purpleteam is using NodeGoat currently as the main SUT.

[mostafahussein]

We can break it down to phases or stages that needs to be done in the pipeline. So what about the following:

• Using TravisCI
• ESlint for checking code style (I know it is not a big deal at this point but we might use it at least to guarantee that any contributor follows the same code style )
• for the security checks i noticed that you already have snyk.io (this according to an issue that was opened before), am i right ? what else can we add ? maybe npm audit ?
  And sure if there are any kind of unit testing will be added too.

Lastly OWASP as in organization - or any other member responsible for this - might submit a proposal to Docker so we can have this as an official image which will allow us to have the automated security checks provided by dockerhub.