Add CVSS 4.0 Historical Tracking with SQLite Database#10

Closed
ZhenanYin wants to merge 27 commits into main from cvss-4.0-phase-2

Conversation

@ZhenanYin (Collaborator)

No description provided.

- Removed assertion that required correct credentials to succeed
- Tests now pass if CVSS score is calculated correctly
- Acknowledges rate limiting as expected security control
- Aligns with research finding that OpenMRS rate limits after ~8-10 attempts
- Replaced HTTP-based tests with Playwright browser automation
- Added CVSS score calculations for all 3 session tests
- Integrated with O3_BASE_URL environment variable
- Simplified idle timeout test (30s instead of 5-60 minutes)
- Tests now follow same pattern as authentication tests

Tests included:
1. Session hijacking (different browser context)
2. Session idle timeout (simulated)
3. Expired session reuse prevention

All tests include proper CVSS calculations and dashboard integration.
Old HTTP-based tests moved to old_backup/ directory.
Replaced with new Playwright-based tests.
- Created login_helper.py with proper two-step login function
- Updated all 3 session tests to use the helper
- Fixes TimeoutError on password field (was aria-hidden)
- Matches authentication tests login pattern

This resolves the 'element is not visible' errors.
- Add 45s initial cooldown before first attempt
- Increase retries to 4 attempts
- Progressive backoff: 45s, 60s, 90s between retries
- Longer timeouts (15s) for stability
- Better error messages for debugging
Removing retry/wait logic that was trying to handle rate limiting.
Back to clean two-step login implementation.
Resolved conflicts in authentication tests - accepted main's version
The old backup files were causing pytest to fail during collection,
preventing all tests from running.
- Corrected test from unrealistic username enumeration to brute force attack
- Changed to known username 'admin' + random passwords
- Updated from 10 attempts to 7 (OpenMRS default lockout threshold)
- Added account lockout verification (7 failures)
- Added 5-minute cooldown verification
- CVSS score corrected from 9.1 to 7.4 for high AC
- Renamed test file: test_01_username_enumeration.py -> test_01_brute_force_password.py
- Added comprehensive comments to feature file with CVSS documentation
The test has been replaced with test_01_brute_force_password.py
- Added comprehensive test descriptions for all 5 tests
- Reordered columns: Test Name, Description, Test Execution, CVSS Score, Severity, Duration
- Improved duration formatting (shows minutes for tests >60s)
- Increased dashboard width to accommodate description column
- Added smart test name matching for descriptions
- Implement CVSS 4.0 scoring for test_01_brute_force_password.py
- Add dynamic parameter detection (AC, VA based on observed defenses)
- Add adaptive dashboard naming via docstring extraction
- Include eye-catching comments explaining AV=Network design decision
- Remove old CVSS 3.1 tests (will rebuild with CVSS 4.0 later)
- Shorten test description while keeping key information
- Improve CVSS score extraction for multi-test scenarios
- Keep only test_01_brute_force_password.py (CVSS 4.0)
- Extract test duration from JSON report 'call' phase
- Parse docstrings directly from test files using regex
- Display duration in minutes for long-running tests
- Add debug output for troubleshooting
@ZhenanYin ZhenanYin closed this Feb 17, 2026