{"id":21602764,"url":"https://github.com/codeintelligencetesting/spring-boot-example","last_synced_at":"2025-04-11T02:35:09.650Z","repository":{"id":103043046,"uuid":"605617577","full_name":"CodeIntelligenceTesting/spring-boot-example","owner":"CodeIntelligenceTesting","description":"A Spring Boot demo application ","archived":false,"fork":false,"pushed_at":"2023-12-21T08:14:56.000Z","size":46,"stargazers_count":6,"open_issues_count":2,"forks_count":1,"subscribers_count":4,"default_branch":"main","last_synced_at":"2025-03-25T00:04:31.525Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/CodeIntelligenceTesting.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-02-23T14:41:38.000Z","updated_at":"2025-02-27T08:49:47.000Z","dependencies_parsed_at":"2023-12-12T16:47:30.678Z","dependency_job_id":"d3313cf8-ce3e-403e-956f-66d4e2d30361","html_url":"https://github.com/CodeIntelligenceTesting/spring-boot-example","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CodeIntelligenceTesting%2Fspring-boot-example","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CodeIntelligenceTesting%2Fspring-boot-example/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CodeIntelligenceTesting%2Fspring-boot-example/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositor
ies/CodeIntelligenceTesting%2Fspring-boot-example/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/CodeIntelligenceTesting","download_url":"https://codeload.github.com/CodeIntelligenceTesting/spring-boot-example/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248330049,"owners_count":21085645,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-24T19:14:16.061Z","updated_at":"2025-04-11T02:35:09.629Z","avatar_url":"https://github.com/CodeIntelligenceTesting.png","language":"Java","readme":"\u003cdiv align=\"center\"\u003e\n\u003ca href=\"https://www.code-intelligence.com/\"\u003e\n\u003cimg src=\"https://www.code-intelligence.com/hubfs/Logos/CI%20Logos/Logo_quer_white.png\" alt=\"Code Intelligence logo\" width=\"450px\"\u003e\n\u003c/a\u003e\n\u003c/div\u003e\n\n# API Testing\nBuilding robust APIs is an important and challenging endeavor that requires thorough testing.\nWhile unit tests are indispensable to ensure the functional correctness of APIs, they are not\nenough to address the security and reliability issues. In unit testing, we test the \nscenarios that we are aware of. However, there are scenarios unknown to us that lead to \nsecurity vulnerabilities or performance problems.\n\nIn this example, we demonstrate how you can perform automated API testing for security and reliability issues\nwith JUnit. 
This is enabled by the JUnit integration provided by CI Fuzz.\n\n## Demo Spring Boot Application\nThe demo application offers a single REST API endpoint `hello` that can be called with a `name` parameter, and it replies\nwith `\"Hello \u003cname\u003e!\"`. We made the endpoint fail when the provided name is equal to `attacker` ignoring case. We will\ndemonstrate how you can use CI Fuzz with our JUnit 5 integration to test this application. We will also show how \nyou can automatically find the failing test case.\n\nYou can run the application as follows:\n```shell\nmvn spring-boot:run\n```\nThe endpoint can then be reached at `http://localhost:8080/hello` and can be called via `http://localhost:8080/hello?name=foo` \n\n## Unit tests\nThe project contains two unit tests that test the endpoint with two names `Developer` and `Contributor`. \nThis demonstrates how you would test your code using specific inputs triggering specific behavior. \nYou can run the unit tests with:\n```shell\nmvn test\n```\n\n## Fuzz tests\nUnit tests provide great value in making sure that your code is functionally correct. \nHowever, there might be corner cases and interactions that you are not aware of that can cause security \nand reliability issues. To address these cases, you create a fuzz test, which is a method \nannotated with `@FuzzTest` that takes at least one parameter: either a single parameter of type\n[FuzzedDataProvider](https://codeintelligencetesting.github.io/jazzer-docs/jazzer-api/com/code_intelligence/jazzer/api/FuzzedDataProvider.html), \nwhich provides utility functions to produce commonly used Java values, or a `byte[]`. \nCI Fuzz will then execute this method in a loop and in each iteration provide new inputs that maximize \ncode coverage and trigger interesting behavior in your application.\n\nIn this example, we provide a fuzz test that uses the fuzzer input as the `name` parameter \nfor the `hello` API. 
This way, CI Fuzz can explore the different possibilities of the parameter\nthat trigger interesting behaviors, and thus will very quickly find the prepared issue by generating the\n`\"attacker\"` name.\n```java\nimport static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;\n\nimport com.code_intelligence.jazzer.api.FuzzedDataProvider;\nimport com.code_intelligence.jazzer.junit.FuzzTest;\nimport org.springframework.beans.factory.annotation.Autowired;\nimport org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest;\nimport org.springframework.test.web.servlet.MockMvc;\n\n@WebMvcTest()\npublic class GreeterApplicationTests {\n    @Autowired private MockMvc mockMvc;\n\n    @FuzzTest\n    public void fuzzTestHello(FuzzedDataProvider data) throws Exception {\n        // Derive the request parameter from the fuzzer-provided input\n        String name = data.consumeRemainingAsString();\n        // Call the endpoint; an uncaught exception is reported as a finding\n        mockMvc.perform(get(\"/hello\").param(\"name\", name));\n    }\n}\n```\n\n### Running your fuzz test\n1. (Once) Install the CI Fuzz CLI named `cifuzz`. You can download the\n   [latest release from GitHub](https://github.com/CodeIntelligenceTesting/cifuzz/releases/latest)\n   or install it by running our install script:\n\n    ```shell\n    sh -c \"$(curl -fsSL https://raw.githubusercontent.com/CodeIntelligenceTesting/cifuzz/main/install.sh)\"\n    ```\n    If you are using Windows, you can download the [latest release](https://github.com/CodeIntelligenceTesting/cifuzz/releases/latest/download/cifuzz_installer_windows.exe)\n    and execute it.\n2. Log in to our [CI App](https://app.code-intelligence.com/)\n   \n    ```shell\n    cifuzz login\n    ```\n    This will create an API access token that `cifuzz` uses to communicate with the CI App. \n    When logged in, `cifuzz` can provide more details about the findings, including severity. \n    You will also be able to run your tests at scale in our SaaS.\n3. Run the fuzz test with CI Fuzz. For that you just need to provide the test class containing the fuzz test.\n   ```shell\n   \u003e cifuzz run com.example.app.GreeterApplicationTests\n   ▄ Build in progress... Done. 
\n   \n   Running com.example.app.GreeterApplicationTests\n   Storing generated corpus in .cifuzz-corpus/com.example.app.GreeterApplicationTests\n   Starting from an empty corpus\n   \n   Use 'cifuzz finding \u003cfinding name\u003e' for details on a finding.\n   \n   💥 [funny_sparrow] Security Issue: We panic when trying to greet an attacker! \n   in processRequest (org.springframework.web.servlet.FrameworkServlet:1014)\n   \n   Note: The reproducing inputs have been copied to the seed corpus at:\n\n      src/test/resources/com/example/GreeterApplicationTestsInputs/funny_sparrow\n\n   They will now be used as a seed input for all runs of the fuzz test,\n   including remote runs with artifacts created via 'cifuzz bundle' and\n   regression tests. For more information on regression tests, see:\n\n       https://github.com/CodeIntelligenceTesting/cifuzz/blob/main/docs/Regression-Testing.md\n\n   Execution time: 19s\n   Average exec/s: 1682\n   Findings:       1\n   Corpus entries: 6 (+6)\n   ```\n   CI Fuzz will quickly generate a test case triggering the bug (also known as a crashing input).\n   This test case is saved as a resource in your project and will be automatically picked\n   up when you execute your normal unit tests. That is, when you execute `mvn test`,\n   all your unit tests will be executed in addition to the fuzz tests. In this scenario,\n   CI Fuzz will only execute the tests with the crashing inputs and inputs from the corpus it\n   has collected during fuzzing. This way you can ensure that you quickly test for\n   regressions.\n4. You can check the finding details as follows:\n   ```shell\n   cifuzz finding funny_sparrow \n   ```\n5. You can also check the code covered by CI Fuzz:\n   ```shell\n   \u003e cifuzz coverage com.example.app.GreeterApplicationTests\n   Building com.example.app.GreeterApplicationTests\n   ▄  Build in progress... 
Done.\n                    \n   ✅ Coverage Report:\n                                  File | Functions Hit/Found | Lines Hit/Found | Branches Hit/Found\n   com/example/GreeterApplication.java |      2 / 3  (66.7%) |  4 / 6  (66.7%) |     2 / 2 (100.0%)\n                                       |                     |                 |                   \n                                       | Functions Hit/Found | Lines Hit/Found | Branches Hit/Found\n                                 Total |               2 / 3 |           4 / 6 |              2 / 2\n\n   ```\n   In addition, you also get a `jacoco` coverage report that you can view in your browser. \n   Having a look at the coverage report helps you understand the testing progress and see the code\n   areas that CI Fuzz has not yet covered. This is valuable so that you can improve and optimize\n   your tests.\n\n# Conclusion\nIn this short tutorial, we have shown how to use CI Fuzz to test your API. `cifuzz`\noffers many more features; if you are interested, simply run `cifuzz help`.","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcodeintelligencetesting%2Fspring-boot-example","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcodeintelligencetesting%2Fspring-boot-example","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcodeintelligencetesting%2Fspring-boot-example/lists"}