Yi Gao,Xing Hu,Tongtong Xu,Xin Xia,David Lo,Xiaohu Yang

DOI: https://doi.org/10.1145/3597503.3639124

2024-01-01

Abstract:Test migration, which enables the reuse of test cases crafted with knowledge and creativity by testers across various platforms and programming languages, has exhibited effectiveness in mobile app testing. However, unit test migration at the source code level has not garnered adequate attention and exploration. In this paper, we propose a novel cross-language and cross-platform test migration methodology, named MUT, which consists of four modules: code mapping, test case filtering, test case translation, and test case adaptation. MUT initially calculates code mappings to establish associations between source and target projects, and identifies suitable unit tests for migration from the source project. Then, MUT's code translation component generates a syntax tree by parsing the code to be migrated and progressively converts each node in the tree, ultima tely generating the target tests, which are compiled and executed in the target project. Moreover, we develop a web tool to assist developers in test migration. The effectiveness of our approach has been validated on five prevalent functional domain projects within the open-source community. We migrate a total of 550 unit tests and submitted pull requests to augment test code in the target projects on GitHub. By the time of this paper submission, 253 of these tests have already been merged into the projects (including 197 unit tests in the Luliyucoordinate-LeetCode project and 56 unit tests in the Rangerlee-HtmlParser project). Through running these tests, we identify 5 bugs, and 2 functional defects, and submitted corresponding issues to the project. The evaluation substantiates that MUT's test migration is both viable and beneficial across programming languages and different projects.

Yan Mangen,Xu Lei

DOI: https://doi.org/10.3969/j.issn.1672-9722.2011.12.003

2011-01-01

Abstract:Because of lacking of detailed information,testing for Web services is very difficult generally.A method was presented which applies mutation operator to the OWL-S documents,then test cases with the target of making different outputs was generated.The method avoids generating large number of mutants and determining equivalent mutants,then huge costs can be reduced.While this method can ensure the effectiveness of test case generation,it also can ensure the versatility and scalability by adjusting the mutation operators in terms of the condition of the application.

M. Shaban Jokhio,Gillian Dobbie,Tianming Hu,Jing Sun

DOI: https://doi.org/10.1109/ASWEC.2014.13

2014-01-01

Abstract:Semantic Web Services (SWS) introduce a semantic layer to the current web infrastructure, enabling the automated processing of web service tasks. In the past decade, various frameworks have been proposed for designing SWS. However, few of them aimed at testing SWS. Generating test cases for SWS is challenging due to its dynamic nature and abstract views, evaluating the test cases is equally essential in order to ensure the quality of the test suite. In this paper, we propose a mutation based evaluation approach to measuring the quality of test cases for SWS. Furthermore, we develop a tool support to automate the steps in the proposed solution. Finally, the approach is applied to the Amazon E-Commerce Service as a real world case study.

Mrs. R. Jeevarathinam,Dr. Antony Selvadoss Thanamani

DOI: https://doi.org/10.48550/arXiv.1002.2197

2010-02-11

Abstract:Software testing is the important phase of software development process. But, this phase can be easily missed by software developers because of their limited time to complete the project. Since, software developers finish their software nearer to the delivery time; they dont get enough time to test their program by creating effective test cases. . One of the major difficulties in software testing is the generation of test cases that satisfy the given adequacy criterion Moreover, creating manual test cases is a tedious work for software developers in the final rush hours. A new approach which generates test cases can help the software developers to create test cases from software specifications in early stage of software development (before coding) and as well as from program execution traces from after software development (after coding). Heuristic techniques can be applied for creating quality test cases. Mutation testing is a technique for testing software units that has great potential for improving the quality of testing, and to assure the high reliability of software. In this paper, a mutation testing based test cases generation technique has been proposed to generate test cases from program execution trace, so that the test cases can be generated after coding. The paper details about the mutation testing implementation to generate test cases. The proposed algorithm has been demonstrated for an example.

Software Engineering

Davide Corradini,Michele Pasqua,Mariano Ceccato

DOI: https://doi.org/10.48550/arXiv.2301.01261

2023-01-04

Abstract:Mass assignment is one of the most prominent vulnerabilities in RESTful APIs. This vulnerability originates from a misconfiguration in common web frameworks, such that naming convention and automatic binding can be exploited by an attacker to craft malicious requests writing confidential resources and (massively) overriding data, that should be read-only and/or confidential. In this paper, we adopt a black-box testing perspective to automatically detect mass assignment vulnerabilities in RESTful APIs. Execution scenarios are generated purely based on the OpenAPI specification, that lists the available operations and their message format. Clustering is used to group similar operations and reveal read-only fields, the latter are candidate for mass assignment. Then, interaction sequences are automatically generated by instantiating abstract testing templates, trying to exploit the potential vulnerabilities. Finally, test cases are run, and their execution is assessed by a specific oracle, in order to reveal whether the vulnerability could be successfully exploited. The proposed novel approach has been implemented and evaluated on a set of case studies written in different programming languages. The evaluation highlights that the approach is quite effective in detecting seeded vulnerabilities, with a remarkably high accuracy.

Cryptography and Security,Software Engineering

Davide Corradini,Amedeo Zampieri,Michele Pasqua,Emanuele Viglianisi,Michael Dallago,Mariano Ceccato

DOI: https://doi.org/10.1002/stvr.1808

2022-01-23

Abstract:RESTful APIs (or REST APIs for short) represent a mainstream approach to design and develop web APIs using the REpresentational State Transfer architectural style. Black‐box testing, which assumes only the access to the system under test with a specific interface, is the only viable option when white‐box testing is impracticable. This is the case for REST APIs: their source code is usually not (or just partially) available, or a white‐box analysis across many dynamically allocated distributed components (typical of a micro‐services architecture) is computationally challenging. This paper presents RestTestGen, a novel black‐box approach to automatically generate test cases for REST APIs, based on their interface definition (an OpenAPI specification). Input values and requests are generated for each operation of the API under test with the twofold objective of testing nominal execution scenarios and error scenarios. Two distinct oracles are deployed to detect when test cases reveal implementation defects. While this approach is mainly targeting the research community, it is also of interest to developers because, as a black‐box approach, it is universally applicable across different programming languages, or in the case external (compiled only) libraries are used in a REST API. The validation of our approach has been performed on more than 100 of real‐world REST APIs, highlighting the effectiveness of the approach in revealing actual faults in already deployed services. The source code of REST APIs is usually not (or just partially) available, or difficult to analyse because spread across many dynamically allocated distributed components (typical in micro‐services architectures), or due to external (compiled only) libraries or frameworks. RestTestGen is a novel black‐box approach to automatically generate test cases for REST APIs, based on their interface definition (an OpenAPI specification). Input values and requests are generated for each operation of the API under test with the twofold objective of testing nominal execution scenarios and error scenarios. RestTestGen has been successfully applied to test more than 100 of real‐world REST APIs, highlighting the effectiveness of the approach in revealing actual faults in already deployed services.

Andrea Arcuri

DOI: https://doi.org/10.1109/QRS.2017.11

2019-01-06

Abstract:Nowadays, web services play a major role in the development of enterprise applications. Many such applications are now developed using a service-oriented architecture (SOA), where microservices is one of its most popular kind. A RESTful web service will provide data via an API over the network using HTTP, possibly interacting with databases and other web services. Testing a RESTful API poses challenges, as inputs/outputs are sequences of HTTP requests/responses to a remote server. Many approaches in the literature do black-box testing, as the tested API is a remote service whose code is not available. In this paper, we consider testing from the point of view of the developers, which do have full access to the code that they are writing. Therefore, we propose a fully automated white-box testing approach, where test cases are automatically generated using an evolutionary algorithm. Tests are rewarded based on code coverage and fault finding metrics. We implemented our technique in a tool called EVOMASTER, which is open-source. Experiments on two open-source, yet non-trivial RESTful services and an industrial one, do show that our novel technique did automatically find 38 real bugs in those applications. However, obtained code coverage is lower than the one achieved by the manually written test suites already existing in those services. Research directions on how to further improve such approach are therefore discussed.

Software Engineering

Myeongsoo Kim,Qi Xin,Saurabh Sinha,Alessandro Orso

DOI: https://doi.org/10.48550/arXiv.2204.08348

2022-04-18

Software Engineering

Abstract:Modern web services routinely provide REST APIs for clients to access their functionality. These APIs present unique challenges and opportunities for automated testing, driving the recent development of many techniques and tools that generate test cases for API endpoints using various strategies. Understanding how these techniques compare to one another is difficult, as they have been evaluated on different benchmarks and using different metrics. To fill this gap, we performed an empirical study aimed to understand the landscape in automated testing of REST APIs and guide future research in this area. We first identified, through a systematic selection process, a set of 10 state-of-the-art REST API testing tools that included tools developed by both researchers and practitioners. We then applied these tools to a benchmark of 20 real-world open-source RESTful services and analyzed their performance in terms of code coverage achieved and unique failures triggered. This analysis allowed us to identify strengths, weaknesses, and limitations of the tools considered and of their underlying strategies, as well as implications of our findings for future research in this area.

Huayao Wu,Lixin Xu,Xintao Niu,Changhai Nie

DOI: https://doi.org/10.1145/3510003.3510151

2022-01-01

Abstract:This paper presents RestCT, a systematic and fully automatic approach that adopts Combinatorial Testing (CT) to test RESTful APIs. RestCT is systematic in that it covers and tests not only the interactions of a certain number of operations in RESTful APIs, but also the interactions of particular input-parameters in every single operation. This is realised by a novel two-phase test case generation approach, which first generates a constrained sequence covering array to determine the execution orders of available operations, and then applies an adaptive strategy to generate and refine several constrained covering arrays to concretise input-parameters of each operation. RestCT is also automatic in that its application relies on only a given Swagger specification of RESTful APIs. The creation of CT test models (especially, the inferring of dependency relationships in both operations and input-parameters), and the generation and execution of test cases are performed without any human intervention. Experimental results on 11 real-world RESTful APIs demonstrate the effectiveness and efficiency of RestCT. In particular, RestCT can find eight new bugs, where only one of them can be triggered by the state-of-the-art testing tool of RESTful APIs.

Enrico Viganò,Oscar Cornejo,Fabrizio Pastore,Lionel Briand

DOI: https://doi.org/10.48550/arXiv.2201.10160

2022-10-06

Abstract:Cyber-physical systems (CPSs) typically consist of a wide set of integrated, heterogeneous components; consequently, most of their critical failures relate to the interoperability of such <a class="link-external link-http" href="http://components.Unfortunately" rel="external noopener nofollow">this http URL</a>, most CPS test automation techniques are preliminary and industry still heavily relies on manual testing. With potentially incomplete, manually-generated test suites, it is of paramount importance to assess their quality. Though mutation analysis has demonstrated to be an effective means to assess test suite quality in some specific contexts, we lack approaches for CPSs. Indeed, existing approaches do not target interoperability problems and cannot be executed in the presence of black-box or simulated components, a typical situation with CPSs. In this paper, we introduce data-driven mutation analysis, an approach that consists in assessing test suite quality by verifying if it detects interoperability faults simulated by mutating the data exchanged by software components. To this end, we describe a data-driven mutation analysis technique (DaMAT) that automatically alters the data exchanged through data buffers. Our technique is driven by fault models in tabular form where engineers specify how to mutate data items by selecting and configuring a set of mutation operators. We have evaluated DaMAT with CPSs in the space domain; specifically, the test suites for the software systems of a microsatellite and nanosatellites launched on orbit last year. Our results show that the approach effectively detects test suite shortcomings, is not affected by equivalent and redundant mutants, and entails acceptable costs.

Software Engineering

M. Shaban Jokhio,Gillian Dobbie,Jing Sun,Tianming Hu

DOI: https://doi.org/10.1109/iceccs.2013.30

2013-01-01

Abstract:Semantic Web Services (SWS) introduce a semantic layer to the current web infrastructure, enabling the automated processing of web tasks. Different frameworks have been proposed for designing SWS, however, there has been little research in the area of testing SWS. Generating test cases for SWS is challenging due to its dynamic nature and abstract views, evaluating the test cases is equally essential in order to ensure the quality of the test suite. In this paper, we propose a goal oriented generation and mutation based evaluation approach towards SWS testing. This way, the generation (model-based) and evaluation (code-based) procedures are totally independent to each other, which further provides a much accurate measurement on the results. In addition, a tool support has been developed to automate the major steps in the proposed solution.

Chung-Hsuan Tsai,Shi-Chun Tsai,Shih-Kun Huang

DOI: https://doi.org/10.48550/arXiv.2112.15485

2021-12-31

Abstract:With the growth of web applications, REST APIs have become the primary communication method between services. In order to ensure system reliability and security, software quality can be assured by effective testing methods. Black box fuzz testing is one of the effective methods to perform tests on a large scale. However, conventional black box fuzz testing generates random data without judging the quality of the input. We implement a black box fuzz testing method for REST APIs. It resolves the issues of blind mutations without knowing the effectiveness by Test Coverage Level feedback. We also enhance the mutation strategies by reducing the testing complexity for REST APIs, generating more appropriate test cases to cover possible paths. We evaluate our method by testing two large open-source projects and 89 bugs are reported and confirmed. In addition, we find 351 bugs from 64 remote API services in <a class="link-external link-http" href="http://APIs.guru" rel="external noopener nofollow">this http URL</a>. The work is in <a class="link-external link-https" href="https://github.com/iasthc/hsuan-fuzz" rel="external noopener nofollow">this https URL</a>.

Software Engineering

Amit Seal Ami,Kaushal Kafle,Kevin Moran,Adwait Nadkarni,Denys Poshyvanyk

DOI: https://doi.org/10.1109/ICSE-Companion52605.2021.00034

2021-02-13

Abstract:This demo paper presents the technical details and usage scenarios of $\mu$SE: a mutation-based tool for evaluating security-focused static analysis tools for Android. Mutation testing is generally used by software practitioners to assess the robustness of a given test-suite. However, we leverage this technique to systematically evaluate static analysis tools and uncover and document soundness issues. $\mu$SE's analysis has found 25 previously undocumented flaws in static data leak detection tools for Android. $\mu$SE offers four mutation schemes, namely Reachability, Complex-reachability, TaintSink, and ScopeSink, which determine the locations of seeded mutants. Furthermore, the user can extend $\mu$SE by customizing the API calls targeted by the mutation analysis. $\mu$SE is also practical, as it makes use of filtering techniques based on compilation and execution criteria that reduces the number of ineffective mutations.

Software Engineering

Ana B. Sanchez,Jose A. Parejo,Sergio Segura,Amador Duran,Mike Papadakis,Ana B. Sánchez,José A. Parejo,Amador Durán

DOI: https://doi.org/10.1109/tse.2024.3377378

IF: 7.4

2024-01-01

IEEE Transactions on Software Engineering

Abstract:Mutation testing drives the creation and improvement of test cases by evaluating their ability to identify synthetic faults. Over the past decades, the technique has gained popularity in academic circles. In practice, however, little is known about its adoption and use. While there are some pilot studies applying mutation testing in industry, the overall usage of mutation testing among developers remains largely unexplored. To fill this gap, this paper presents the results of a qualitative study among open-source developers on the use of mutation testing. Specifically, we report the results of a survey of 104 contributors to open-source projects using a variety of mutation testing tools. The findings of our study provide helpful insights into the use of mutation testing in practice, including its main benefits and limitations. Overall, we observe a high degree of satisfaction with mutation testing across different programming languages and mutation testing tools. Developers find the technique helpful for improving the quality of test suites, detecting bugs, and improving code maintainability. Popularity, usability, and configurability emerge as key factors for the adoption of mutation tools, whereas performance stands overwhelmingly as their main limitation. These results lay the groundwork for new research contributions and tools that meet the needs of developers and boost the widespread adoption of mutation testing.

engineering, electrical & electronic,computer science, software engineering

Ali Parsai,Alessandro Murgia,Quinten David Soetens,Serge Demeyer

DOI: https://doi.org/10.1145/2764979.2764987

2015-06-24

Abstract:Refactoring is an activity that improves the internal structure of the code without altering its external behavior. When performed on the production code, the tests can be used to verify that the external behavior of the production code is preserved. However, when the refactoring is performed on test code, there is no safety net that assures that the external behavior of the test code is preserved. In this paper, we propose to adopt mutation testing as a means to verify if the behavior of the test code is preserved after refactoring. Moreover, we also show how this approach can be used to identify the part of the test code which is improperly refactored.

Software Engineering

Shufang Lee,Xiaoying Bai,Yinong Chen

DOI: https://doi.org/10.1109/anss-41.2008.13

2008-01-01

Abstract:Web Ontology Language for Services (OWL-S) is a standard XML-based language for specifying workflows and integration semantics among Web services (WS), which form composite WS. This paper analyzes the fault patterns of OWL-S specified composite WS and their workflows, proposes an ontology-based mutation analysis method, and applies specification-based mutation techniques for composite WS simulation and testing. Four categories of OWL-S mutant operators are specified, including data mutation, condition mutation, control flow mutation, and data flow mutation. Finally, the paper studies the ontology-based input mutation technique using a BookFinder service as a case study, which shows that ontology-based mutation provides viable test adequacy criteria for testing OWL-S specified composite WS.

Ziqi Wang,Weihan Tian,Baojiang Cui

DOI: https://doi.org/10.32604/cmc.2023.047051

2024-01-01

Abstract:The API used to access cloud services typically follows the Representational State Transfer (REST) architecture style. RESTful architecture, as a commonly used Application Programming Interface (API) architecture paradigm, not only brings convenience to platforms and tenants, but also brings logical security challenges. Security issues such as quota bypass and privilege escalation are closely related to the design and implementation of API logic. Traditional code level testing methods are difficult to construct a testing model for API logic and test samples for in-depth testing of API logic, making it difficult to detect such logical vulnerabilities. We propose RESTlogic for this purpose. Firstly, we construct a test group based on the tree structure of the REST API, adapt a logic vulnerability testing model, and use feedback based methods to detect code document inconsistency defects. Secondly, based on an abstract logical testing model and resource lifecycle information, generate test cases and complete parameters, and alleviate inconsistency issues through parameter inference. Once again, we propose a method of analyzing test results using joint state codes and call stack information, which compensates for the shortcomings of traditional analysis methods. We will apply our method to testing REST services, including OpenStack, an open source cloud operating platform for experimental evaluation. We have found a series of inconsistencies, known vulnerabilities, and new unknown logical defects.

computer science, information systems,materials science, multidisciplinary

JIANG Ying,XIN Guo-Mao,SHAN Jin-Hui,ZHANG Lu,XIE Bing,YANG Fu-Qing

DOI: https://doi.org/10.3321/j.issn:0254-4164.2005.04.015

2005-01-01

Chinese Journal of Computers

Abstract:Software testing is one of the most important techniques used to assure the quality of Web Services at present. Test data generation is an important topic in Web Services testing. The quality of test data will influence the efficiency and cost during Web Services testing. Based on the design by contract testing technology for Web Services, this paper presents a method of automated test data generation for Web Services. Firstly, according to the description information and contracts in WSDL document of Web Services, the initial test data are generated automatically by random method. Then the test data are selected by means of contract mutation testing. The algorithms about initial test data generation and test data selection are presented. In order to improve the quality and efficiency of Web Services testing, this method can generate a test suite meeting a certain contract mutation score. Finally, a prototype has been developed on the Microsoft. NET platform. For the same Web Service with different contracts, the experiments are carried out on this prototype. The contract mutation score of generated test data is compared with the statement coverage score and condition coverage score. The results have shown that the method is effective in automated test data generation for Web Services.

Clinton Cao,Annibale Panichella,Sicco Verwer

2024-12-05

Abstract:The rising popularity of the microservice architectural style has led to a growing demand for automated testing approaches tailored to these systems. EvoMaster is a state-of-the-art tool that uses Evolutionary Algorithms (EAs) to automatically generate test cases for microservices' REST APIs. One limitation of these EAs is the use of unit-level search heuristics, such as branch distances, which focus on fine-grained code coverage and may not effectively capture the complex, interconnected behaviors characteristic of system-level testing. To address this limitation, we propose a new search heuristic (MISH) that uses real-time automaton learning to guide the test case generation process. We capture the sequential call patterns exhibited by a test case by learning an automaton from the stream of log events outputted by different microservices within the same system. Therefore, MISH learns a representation of the systemwide behavior, allowing us to define the fitness of a test case based on the path it traverses within the inferred automaton. We empirically evaluate MISH's effectiveness on six real-world benchmark microservice applications and compare it against a state-of-the-art technique, MOSA, for testing REST APIs. Our evaluation shows promising results for using MISH to guide the automated test case generation within EvoMaster.

Software Engineering,Artificial Intelligence

Amit Seal Ami,Syed Yusuf Ahmed,Radowan Mahmud Redoy,Nathan Cooper,Kaushal Kafle,Kevin Moran,Denys Poshyvanyk,Adwait Nadkarni

DOI: https://doi.org/10.1145/3611643.3613099

2023-08-13

Abstract:While software engineers are optimistically adopting crypto-API misuse detectors (or crypto-detectors) in their software development cycles, this momentum must be accompanied by a rigorous understanding of crypto-detectors' effectiveness at finding crypto-API misuses in practice. This demo paper presents the technical details and usage scenarios of our tool, namely Mutation Analysis for evaluating Static Crypto-API misuse detectors (MASC). We developed $12$ generalizable, usage based mutation operators and three mutation scopes, namely Main Scope, Similarity Scope, and Exhaustive Scope, which can be used to expressively instantiate compilable variants of the crypto-API misuse cases. Using MASC, we evaluated nine major crypto-detectors, and discovered $19$ unique, undocumented flaws. We designed MASC to be configurable and user-friendly; a user can configure the parameters to change the nature of generated mutations. Furthermore, MASC comes with both Command Line Interface and Web-based front-end, making it practical for users of different levels of expertise.

Cryptography and Security,Software Engineering