enabling new security oracles by default

core-tests/e2e-tests/spring/spring-rest-h2-z3solver/src/test/java/org/evomaster/e2etests/spring/h2/z3solver/Z3SolverEMTest.java

@@ -5,10 +5,13 @@
 import org.evomaster.core.problem.rest.data.RestIndividual;
 import org.evomaster.core.search.Solution;
 import org.junit.jupiter.api.BeforeAll;
+import org.junit.jupiter.api.Disabled;
 import org.junit.jupiter.api.Test;
 
 import static org.junit.jupiter.api.Assertions.assertFalse;
 
+
+@Disabled("Currently disabled due to bug in reset of database")
 public class Z3SolverEMTest extends SpringTestBase {
 
     @BeforeAll

core-tests/e2e-tests/spring/spring-rest-openapi-v3/src/test/kotlin/org/evomaster/e2etests/spring/openapi/v3/httporacle/failmodification/FailModificationEMTest.kt

@@ -39,8 +39,9 @@ class FailModificationEMTest : SpringTestBase(){
 
             val faults = DetectedFaultUtils.getDetectedFaults(solution)
 
-            assertEquals(2, faults.size)
-            assertEquals(ExperimentalFaultCategory.HTTP_SIDE_EFFECTS_FAILED_MODIFICATION, faults.first().category)
+            val found = faults.filter { it.category ==  ExperimentalFaultCategory.HTTP_SIDE_EFFECTS_FAILED_MODIFICATION}
+
+            assertEquals(2, found.size)
         }
     }
 }

core-tests/e2e-tests/spring/spring-rest-openapi-v3/src/test/kotlin/org/evomaster/e2etests/spring/openapi/v3/httporacle/failmodification/FailModificationForbiddenEMTest.kt

@@ -38,9 +38,9 @@ class FailModificationForbiddenEMTest : SpringTestBase(){
             assertTrue(solution.individuals.size >= 1)
 
             val faults = DetectedFaultUtils.getDetectedFaults(solution)
+                .filter { it.category ==  ExperimentalFaultCategory.HTTP_SIDE_EFFECTS_FAILED_MODIFICATION}
 
             assertEquals(1, faults.size)
-            assertEquals(ExperimentalFaultCategory.HTTP_SIDE_EFFECTS_FAILED_MODIFICATION, faults.first().category)
         }
     }
 }

core-tests/e2e-tests/spring/spring-rest-openapi-v3/src/test/kotlin/org/evomaster/e2etests/spring/openapi/v3/oracledisable/ForgottenAuthenticationDisableEMTest.kt

@@ -1,6 +1,7 @@
 package org.evomaster.e2etests.spring.openapi.v3.oracledisable
 
 import com.foo.rest.examples.spring.openapi.v3.security.forgottenauthentication.ForgottenAuthenticationController
+import com.webfuzzing.commons.faults.DefinedFaultCategory
 import org.evomaster.core.problem.enterprise.DetectedFaultUtils
 import org.evomaster.core.problem.enterprise.ExperimentalFaultCategory
 import org.evomaster.e2etests.spring.openapi.v3.SpringTestBase
@@ -31,14 +32,14 @@ class ForgottenAuthenticationDisableEMTest : SpringTestBase(){
             setOption(args, "security", "true")
             setOption(args, "schemaOracles", "false")
             setOption(args, "useExperimentalOracles", "true")
-            setOption(args, "disabledOracleCodes", ExperimentalFaultCategory.IGNORE_ANONYMOUS.code.toString())
+            setOption(args, "disabledOracleCodes", DefinedFaultCategory.SECURITY_IGNORE_ANONYMOUS.code.toString())
 
             val solution = initAndRun(args)
 
             assertTrue(solution.individuals.size >= 1)
 
             val faults = DetectedFaultUtils.getDetectedFaultCategories(solution)
-            assertFalse(ExperimentalFaultCategory.IGNORE_ANONYMOUS in faults)
+            assertFalse(DefinedFaultCategory.SECURITY_IGNORE_ANONYMOUS in faults)
 
         }
     }

core-tests/e2e-tests/spring/spring-rest-openapi-v3/src/test/kotlin/org/evomaster/e2etests/spring/openapi/v3/oracledisable/StackTraceDisableEMTest.kt

@@ -1,6 +1,7 @@
 package org.evomaster.e2etests.spring.openapi.v3.oracledisable
 
 import com.foo.rest.examples.spring.openapi.v3.security.stacktrace.StackTraceJSONController
+import com.webfuzzing.commons.faults.DefinedFaultCategory
 import org.evomaster.core.problem.enterprise.DetectedFaultUtils
 import org.evomaster.core.problem.enterprise.ExperimentalFaultCategory
 import org.evomaster.e2etests.spring.openapi.v3.SpringTestBase
@@ -30,14 +31,14 @@ class StackTraceDisableEMTest : SpringTestBase(){
 
             setOption(args, "security", "true")
             setOption(args, "schemaOracles", "false")
-            setOption(args, "disabledOracleCodes", ExperimentalFaultCategory.LEAKED_STACK_TRACES.code.toString())
+            setOption(args, "disabledOracleCodes", DefinedFaultCategory.SECURITY_LEAKED_STACK_TRACES.code.toString())
 
             val solution = initAndRun(args)
 
             assertTrue(solution.individuals.size >= 1)
 
             val faults = DetectedFaultUtils.getDetectedFaultCategories(solution)
-            assertFalse(ExperimentalFaultCategory.LEAKED_STACK_TRACES in faults)
+            assertFalse(DefinedFaultCategory.SECURITY_LEAKED_STACK_TRACES in faults)
 
         }
     }

core-tests/e2e-tests/spring/spring-rest-openapi-v3/src/test/kotlin/org/evomaster/e2etests/spring/openapi/v3/security/anonymouswrite/SecurityAnonymousWriteEMTest.kt

@@ -1,6 +1,7 @@
 package org.evomaster.e2etests.spring.openapi.v3.security.anonymouswrite
 
 import com.foo.rest.examples.spring.openapi.v3.security.anonymouswrite.AnonymousWriteController
+import com.webfuzzing.commons.faults.DefinedFaultCategory
 import org.evomaster.core.problem.enterprise.DetectedFaultUtils
 import org.evomaster.core.problem.enterprise.ExperimentalFaultCategory
 import org.evomaster.e2etests.spring.openapi.v3.SpringTestBase
@@ -42,11 +43,11 @@ class SecurityAnonymousWriteEMTest : SpringTestBase(){
             assertEquals(1, faultsCategories.size)
             assertEquals(3, faults.size)
 
-            assertTrue(ExperimentalFaultCategory.ANONYMOUS_MODIFICATIONS in faultsCategories)
+            assertTrue(DefinedFaultCategory.SECURITY_ANONYMOUS_MODIFICATIONS in faultsCategories)
 
             // PUT:/api/resources/201/{id}
             assertTrue(faults.none {
-                it.category == ExperimentalFaultCategory.ANONYMOUS_MODIFICATIONS
+                it.category == DefinedFaultCategory.SECURITY_ANONYMOUS_MODIFICATIONS
                         && it.operationId == "PUT:/api/resources/201/{id}"
             })
         }

core-tests/e2e-tests/spring/spring-rest-openapi-v3/src/test/kotlin/org/evomaster/e2etests/spring/openapi/v3/security/forgottenauthentication/ForgottenAuthenticationEMTest.kt

@@ -1,6 +1,7 @@
 package org.evomaster.e2etests.spring.openapi.v3.security.forgottenauthentication
 
 import com.foo.rest.examples.spring.openapi.v3.security.forgottenauthentication.ForgottenAuthenticationController
+import com.webfuzzing.commons.faults.DefinedFaultCategory
 import org.evomaster.core.problem.enterprise.DetectedFaultUtils
 import org.evomaster.core.problem.enterprise.ExperimentalFaultCategory
 import org.evomaster.core.problem.rest.data.HttpVerb
@@ -44,7 +45,7 @@ class ForgottenAuthenticationEMTest : SpringTestBase(){
 
             val faults = DetectedFaultUtils.getDetectedFaultCategories(solution)
             assertEquals(1, faults.size)
-            assertEquals(ExperimentalFaultCategory.IGNORE_ANONYMOUS, faults.first())
+            assertEquals(DefinedFaultCategory.SECURITY_IGNORE_ANONYMOUS, faults.first())
         }
     }
 }

core-tests/e2e-tests/spring/spring-rest-openapi-v3/src/test/kotlin/org/evomaster/e2etests/spring/openapi/v3/security/hiddenaccessible/HiddenAccessibleEMTest.kt

@@ -1,6 +1,7 @@
 package org.evomaster.e2etests.spring.openapi.v3.security.hiddenaccessible
 
 import com.foo.rest.examples.spring.openapi.v3.security.hiddenaccessible.HiddenAccessibleController
+import com.webfuzzing.commons.faults.DefinedFaultCategory
 import org.evomaster.core.problem.enterprise.DetectedFaultUtils
 import org.evomaster.core.problem.enterprise.ExperimentalFaultCategory
 import org.evomaster.core.problem.rest.data.HttpVerb
@@ -46,7 +47,7 @@ class HiddenAccessibleEMTest : SpringTestBase(){
             val faults = DetectedFaultUtils.getDetectedFaults(solution)
             assertTrue(faults.size >= 2)
 
-            val hidden = faults.filter{it.category == ExperimentalFaultCategory.HIDDEN_ACCESSIBLE_ENDPOINT}
+            val hidden = faults.filter{it.category == DefinedFaultCategory.SECURITY_HIDDEN_ACCESSIBLE_ENDPOINT}
             assertEquals(2, hidden.size)
 
             assertNotNull(hidden.find { it.operationId == "GET:/api/resources" })

core-tests/e2e-tests/spring/spring-rest-openapi-v3/src/test/kotlin/org/evomaster/e2etests/spring/openapi/v3/security/stacktrace/StackTraceEMTest.kt

@@ -1,6 +1,7 @@
 package org.evomaster.e2etests.spring.openapi.v3.security.stacktrace
 
 import com.foo.rest.examples.spring.openapi.v3.security.stacktrace.StackTraceController
+import com.webfuzzing.commons.faults.DefinedFaultCategory
 import org.evomaster.core.problem.enterprise.DetectedFaultUtils
 import org.evomaster.core.problem.enterprise.ExperimentalFaultCategory
 import org.evomaster.core.problem.rest.data.HttpVerb
@@ -43,11 +44,11 @@ class StackTraceEMTest : SpringTestBase(){
             val faultsCategories = DetectedFaultUtils.getDetectedFaultCategories(solution)
             val faults = DetectedFaultUtils.getDetectedFaults(solution)
 
-            assertTrue(ExperimentalFaultCategory.LEAKED_STACK_TRACES in faultsCategories)
+            assertTrue(DefinedFaultCategory.SECURITY_LEAKED_STACK_TRACES in faultsCategories)
 
             // GET:/api/resources/null-pointer_not_stack_trace
             assertTrue(faults.none {
-                it.category == ExperimentalFaultCategory.LEAKED_STACK_TRACES
+                it.category == DefinedFaultCategory.SECURITY_LEAKED_STACK_TRACES
                         && it.operationId == "GET:/api/resources/null-pointer_not_stack_trace"
             })
 

core-tests/e2e-tests/spring/spring-rest-openapi-v3/src/test/kotlin/org/evomaster/e2etests/spring/openapi/v3/security/stacktrace/StackTraceJSONEMTest.kt

@@ -1,6 +1,7 @@
 package org.evomaster.e2etests.spring.openapi.v3.security.stacktrace
 
 import com.foo.rest.examples.spring.openapi.v3.security.stacktrace.StackTraceJSONController
+import com.webfuzzing.commons.faults.DefinedFaultCategory
 import org.evomaster.core.problem.enterprise.DetectedFaultUtils
 import org.evomaster.core.problem.enterprise.ExperimentalFaultCategory
 import org.evomaster.core.problem.rest.data.HttpVerb
@@ -41,15 +42,15 @@ class StackTraceJSONEMTest : SpringTestBase(){
             val faultsCategories = DetectedFaultUtils.getDetectedFaultCategories(solution)
             val faults = DetectedFaultUtils.getDetectedFaults(solution)
 
-            assertTrue(ExperimentalFaultCategory.LEAKED_STACK_TRACES in faultsCategories)
+            assertTrue(DefinedFaultCategory.SECURITY_LEAKED_STACK_TRACES in faultsCategories)
 
             assertTrue(faults.any {
-                it.category == ExperimentalFaultCategory.LEAKED_STACK_TRACES
+                it.category == DefinedFaultCategory.SECURITY_LEAKED_STACK_TRACES
                         && it.operationId == "GET:/api/resources/null-pointer-json"
             })
 
             assertTrue(faults.any {
-                it.category == ExperimentalFaultCategory.LEAKED_STACK_TRACES
+                it.category == DefinedFaultCategory.SECURITY_LEAKED_STACK_TRACES
                         && it.operationId == "GET:/api/resources/null-pointer-json-not-list"
             })
 

core-tests/e2e-tests/spring/spring-rest-openapi-v3/src/test/kotlin/org/evomaster/e2etests/spring/openapi/v3/security/xss/stored/html/XSSStoredEMTest.kt

@@ -38,7 +38,7 @@ class XSSStoredEMTest : SpringTestBase() {
 
             val faults = DetectedFaultUtils.getDetectedFaults(solution)
 
-            Assertions.assertTrue(faults.size == 3)
+            Assertions.assertTrue(faults.size >= 3)
 
             val faultCategories = DetectedFaultUtils.getDetectedFaultCategories(solution)
 

core-tests/e2e-tests/spring/spring-rest-openapi-v3/src/test/kotlin/org/evomaster/e2etests/spring/openapi/v3/security/xss/stored/json/XSSStoredJSONEMTest.kt

@@ -38,7 +38,7 @@ class XSSStoredJSONEMTest : SpringTestBase() {
 
             val faults = DetectedFaultUtils.getDetectedFaults(solution)
 
-            Assertions.assertTrue(faults.size == 3)
+            Assertions.assertTrue(faults.size >= 3)
 
             val faultCategories = DetectedFaultUtils.getDetectedFaultCategories(solution)
 

core-tests/jdk-8/spring-rest-openapi-v2-tests/src/test/java/org/evomaster/e2etests/spring/examples/db/crossfks/CrossFkEMTest.java

@@ -18,12 +18,12 @@ public static void initClass() throws Exception {
         SpringTestBase.initClass(new CrossFkController());
     }
     @Test
-    public void testEnableTaintSampleEM() throws Throwable {
+    public void testEnableTaintSampleEM_CrossFk() throws Throwable {
         forceSqlAllColumnInsertion(true);
     }
 
     @Test
-    public void testDisableTaintSampleEM() throws Throwable {
+    public void testDisableTaintSampleEM_CrossFk() throws Throwable {
         forceSqlAllColumnInsertion(false);
     }
 

core-tests/jdk-8/spring-rest-openapi-v2-tests/src/test/java/org/evomaster/e2etests/spring/examples/endpointfilter/EndpointFilterEMTest.java

@@ -20,16 +20,19 @@ public static void initClass() throws Exception {
     }
 
     @Test
-    public void testRunEM() throws Throwable {
+    public void testRunEM_EndpointFilter() throws Throwable {
 
         runTestHandlingFlakyAndCompilation(
                 "EndpointFilterEM",
                 "org.foo.EndpointFilterEM",
                 50,
                 (args) -> {
 
-                    args.add("--endpointTagFilter");
-                    args.add("Foo");
+                    setOption(args, "endpointTagFilter", "Foo");
+
+                    setOption(args, "security", "false");
+                    setOption(args, "schemaOracles", "false");
+                    setOption(args, "httpOracles", "false");
 
                     Solution<RestIndividual> solution = initAndRun(args);
 

core-tests/jdk-8/spring-rest-openapi-v2-tests/src/test/java/org/evomaster/e2etests/spring/examples/endpointfocusandprefix/EndpointFocusAndPrefixTest.java

@@ -51,6 +51,8 @@ public void testWithoutFocusOrPrefix() throws Throwable {
                     args.add(baseUrlOfSut);
                     args.add("--bbSwaggerUrl");
                     args.add(baseUrlOfSut + "/v2/api-docs");
+                    setOption(args, "security", "false");
+                    setOption(args, "httpOracles", "false");
 
                     // no endpointFocus or endpointPrefix is provided
                     Solution<RestIndividual> solution = initAndRun(args);
@@ -122,6 +124,8 @@ public void testRunBlackboxWithFocusWithoutParameters() throws Throwable {
                     args.add(baseUrlOfSut + "/v2/api-docs");
                     args.add("--endpointFocus");
                     args.add(endpointFocus);
+                    setOption(args, "security", "false");
+                    setOption(args, "httpOracles", "false");
 
                     // no endpointFocus or endpointPrefix is provided
                     Solution<RestIndividual> solution = initAndRun(args);
@@ -164,6 +168,8 @@ public void testRunBlackboxWithFocusWithParameters() throws Throwable {
                     args.add("--endpointFocus");
                     args.add(endpointFocus);
                     setOption(args, "advancedBlackBoxCoverage", "false");
+                    setOption(args, "security", "false");
+                    setOption(args, "httpOracles", "false");
 
                     // no endpointFocus or endpointPrefix is provided
                     Solution<RestIndividual> solution = initAndRun(args);
@@ -204,6 +210,8 @@ public void testRunBlackboxWithFocusOneEndpoint() throws Throwable {
                     args.add(baseUrlOfSut + "/v2/api-docs");
                     args.add("--endpointFocus");
                     args.add(endpointFocus);
+                    setOption(args, "security", "false");
+                    setOption(args, "httpOracles", "false");
 
                     // no endpointFocus or endpointPrefix is provided
                     Solution<RestIndividual> solution = initAndRun(args);
@@ -244,6 +252,8 @@ public void testRunBlackboxWithPrefixWithoutParameters() throws Throwable {
                     args.add(baseUrlOfSut + "/v2/api-docs");
                     args.add("--endpointPrefix");
                     args.add(endpointPrefix);
+                    setOption(args, "security", "false");
+                    setOption(args, "httpOracles", "false");
 
                     // no endpointFocus or endpointPrefix is provided
                     Solution<RestIndividual> solution = initAndRun(args);
@@ -285,6 +295,8 @@ public void testRunBlackboxWithPrefixWithParameters() throws Throwable {
                     args.add("--endpointPrefix");
                     args.add(endpointPrefix);
                     setOption(args, "advancedBlackBoxCoverage", "false");
+                    setOption(args, "security", "false");
+                    setOption(args, "httpOracles", "false");
 
                     // no endpointFocus or endpointPrefix is provided
                     Solution<RestIndividual> solution = initAndRun(args);
@@ -326,6 +338,8 @@ public void testRunBlackboxPrefixNonExistingFocusValidPrefix() throws Throwable
                     args.add("--endpointPrefix");
                     args.add(endpointPrefix);
                     setOption(args, "advancedBlackBoxCoverage", "false");
+                    setOption(args, "security", "false");
+                    setOption(args, "httpOracles", "false");
 
                     // no endpointFocus or endpointPrefix is provided
                     Solution<RestIndividual> solution = initAndRun(args);

core/src/main/kotlin/org/evomaster/core/EMConfig.kt

@@ -2872,27 +2872,22 @@ class EMConfig {
     var security = true
 
 
-    @Experimental
     @Cfg("To apply SSRF detection as part of security testing.")
     @DependsOnTrueFor("security")
-    var ssrf = false
+    var ssrf = true
 
-    @Experimental
     @Cfg("To apply XSS detection as part of security testing.")
     @DependsOnTrueFor("security")
-    var xss = false
+    var xss = true
 
-    @Experimental
     @Cfg("To apply SQLi detection as part of security testing.")
     @DependsOnTrueFor("security")
-    var sqli = false
+    var sqli = true
 
-    @Experimental
     @Cfg("Injected sleep duration (in seconds) used inside the malicious payload to detect time-based vulnerabilities.")
     @DependsOnTrueFor("sqli")
     var sqliInjectedSleepDurationMs = 5000
 
-    @Experimental
     @Cfg("Maximum allowed baseline response time (in milliseconds) before the malicious payload is applied.")
     @DependsOnTrueFor("sqli")
     var sqliBaselineMaxResponseTimeMs = 2000

core/src/main/kotlin/org/evomaster/core/problem/enterprise/ExperimentalFaultCategory.kt

@@ -15,15 +15,6 @@ enum class ExperimentalFaultCategory(
     //Likely this one is not really viable
     //SECURITY_ALLOW_MODIFICATION_BY_ALL(985, "Resource Created By An User Can Be Modified By All Other Users", "createdResourceCanBeModifiedByEveryone",
     //  "TODO")
-    IGNORE_ANONYMOUS(900, "A Protected Resource Is Accessible Without Providing Any Authentication",
-        "ignoreAnonymous",
-        "TODO"),
-    ANONYMOUS_MODIFICATIONS(901, "Anonymous Modifications",
-        "anonymousModifications",
-        "TODO"),
-    LEAKED_STACK_TRACES(902, "Leaked Stack Trace",
-        "leakedStackTrace",
-        "TODO"),
     HIDDEN_ACCESSIBLE_ENDPOINT(903, "Hidden Accessible Endpoint",
         "hiddenAccessible",
         "TODO"),

core/src/main/kotlin/org/evomaster/core/problem/rest/data/RestCallAction.kt

@@ -114,18 +114,8 @@ class RestCallAction(
         if(!isPotentialActionForCreation()){
             throw IllegalStateException("Location Ids are meaningful only for POST operations")
         }
-        //return  path.lastElement()
-        /*
-            previous was problematic, as ids were not unique. it wasn't an issue for chains, but it
-            became major issue for cleanups.
-            but, using local ids has its own issues (only defined once mounted into an individual).
-            TODO will need to check for side-effects, might require some more refactoring
-         */
-        if(weakReference != null){
-            throw IllegalStateException("'weakReference' has not been handled yet   ")
-        }
         if(!hasLocalId()){
-            throw IllegalStateException("Location ID must be present when computing a creationLocationId")
+            throw IllegalStateException("Local ID must be present when computing a creationLocationId")
         }
         val k = getLocalId()
         // TODO could skip k if non-ambiguous. otherwise, counter could start from 0 (ie need a map for k values)