WebFuzzing
diff --git a/‎.gitignore‎
Lines changed: 19 additions & 0 deletions b/‎.gitignore‎
Lines changed: 19 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 47 additions & 32 deletions b/‎README.md‎
Lines changed: 47 additions & 32 deletions
diff --git a/‎jdk_11_maven/cs/rest/pay-publicapi/.secrets.baseline‎
Lines changed: 196 additions & 0 deletions b/‎jdk_11_maven/cs/rest/pay-publicapi/.secrets.baseline‎
Lines changed: 196 additions & 0 deletions
diff --git a/‎jdk_11_maven/cs/rest/pay-publicapi/CONTRIBUTING.md‎
Lines changed: 11 additions & 0 deletions b/‎jdk_11_maven/cs/rest/pay-publicapi/CONTRIBUTING.md‎
Lines changed: 11 additions & 0 deletions
@@ -27,6 +27,7 @@ hs_err_pid*
 *.iml
 
 
+js_npm/evomaster-client-js
 
 /temp/
 /dist.zip
@@ -257,6 +258,24 @@ dotnet_3/em/embedded/rest/ScsDriver/generated-tests/
 /jdk_11_gradle/em/external/rest/reservations-api/build/
 /jdk_17_gradle/.gradle/
 /jdk_8_maven/em/embedded/graphql/spring-petclinic-graphql/target/
+/jdk_17_gradle/cs/rest/bibliothek/build/
+/jdk_17_gradle/em/external/rest/bibliothek/build
+/jdk_17_maven/cs/grpc/signal-registration/target/
+jdk_11_maven/cs/rest/pay-publicapi/target/
+jdk_11_maven/em/embedded/rest/pay-publicapi/target/
+jdk_11_maven/em/external/rest/ind1/target/
+jdk_17_maven/cs/rest/signal-server/event-logger/target/
+jdk_17_maven/cs/rest/signal-server/websocket-resources/target/
+jdk_17_maven/cs/rest/signal-server/integration-tests/target/
+jdk_17_maven/cs/rest/signal-server/service/target/
+jdk_17_maven/cs/rest/signal-server/api-doc/target/
+jdk_17_maven/em/embedded/rest/signal-server/target/
+jdk_17_maven/cs/rest/familie-tilbake/target/
+jdk_17_maven/em/embedded/rest/familie-tilbake/target/
+jdk_17_maven/cs/rest/familie-ba-sak/target/
+jdk_17_maven/cs/rest/tiltaksgjennomforing-api/target/
+jdk_17_maven/em/embedded/rest/familie-ba-sak/target/
+
 /jdk_8_maven/em/embedded/grpc/ncs/target/
 /jdk_8_maven/em/embedded/grpc/scs/target/
 /jdk_8_maven/em/external/grpc/ncs/target/
 
@@ -7,18 +7,17 @@
 [EvoMaster](http://evomaster.org) Benchmark (EMB): 
 a set of web/enterprise applications for scientific research in Software Engineering.
 
-We collected several different systems, in different programming languages, like
-Java, Kotlin, JavaScript and C#.
+We collected several different systems running on the JVM, in different programming languages such as  Java and Kotlin.
 In this documentation, we will refer to these projects as System Under Test (SUT).
-Currently, the SUTs are either _REST_ or _GraphQL_ APIs.
+Currently, the SUTs are either _REST_,  _GraphQL_ or _RPC_ APIs.
 
 For each SUT, we implemented _driver_ classes, which can programmatically _start_, _stop_ and _reset_ the state of SUT (e.g., data in SQL databases).
 As well as enable setting up different properties in a _uniform_ way, like choosing TCP port numbers for the HTTP servers. 
 If a SUT uses any external services (e.g., a SQL database), these will be automatically started via Docker in these driver classes. 
 
 
 This collection of SUTs was originally assembled for easing experimentation with the fuzzer called [EvoMaster](http://evomaster.org).
-However, finding this type of applications is not trivial among open-source projects. 
+However, finding this type of application is not trivial among open-source projects. 
 Furthermore, it is not simple to sort out all the technical details on how to set these applications up and start them in a simple, uniform approach. 
 Therefore, this repository provides the important contribution of providing all these necessary scripts for researchers that need this kind of case study.   
 
@@ -72,6 +71,10 @@ More details (e.g., #LOCs and used databases) on these APIs can be found [in thi
 
 ### REST: Java/Kotlin
 
+* Familie Ba Sak (MIT), [jdk_17_maven/cs/rest/familie-ba-sak](jdk_17_maven/cs/rest/familie-ba-sak), from [https://github.com/navikt/familie-ba-sak](https://github.com/navikt/familie-ba-sak)
+
+* Payments Public API (MIT), [jdk_11_maven/cs/rest/pay-publicapi](jdk_11_maven/cs/rest/pay-publicapi), from [https://github.com/alphagov/pay-publicapi](https://github.com/alphagov/pay-publicapi)
+
 * Session Service (not-known license), [jdk_8_maven/cs/rest/original/session-service](jdk_8_maven/cs/rest/original/session-service), from [https://github.com/cBioPortal/session-service](https://github.com/cBioPortal/session-service)
 
 * Bibliothek (MIT), [jdk_17_gradle/cs/rest/bibliothek](jdk_17_gradle/cs/rest/bibliothek), from [https://github.com/PaperMC/bibliothek](https://github.com/PaperMC/bibliothek)
@@ -189,11 +192,45 @@ There are 2 main use cases for EMB:
 * Run experiments with other tools
 
 Everything can be setup by running the script `scripts/dist.py`.
-Note that you will need installed at least JDK 8, JDK 11, NPM and .NET 3.x, as well as Docker.
-Also, you will need to setup environment variables like `JAVA_HOME_8` and `JAVA_HOME_11`.
+Note that you will need installed at least Maven, Gradle, JDK 8, JDK 11, JDK 17, NPM, as well as Docker.
+Also, you will need to setup environment variables like `JAVA_HOME_8`, `JAVA_HOME_11` and `JAVA_HOME_17`.
 The script will issue error messages if any prerequisite is missing.
 Once the script is completed, all the SUTs will be available under the `dist` folder, and a `dist.zip` will be created as well (if `scripts/dist.py` is run with `True` as input).
 
+Regarding Maven, most-third party dependencies are automatically downloaded from Maven Central. 
+However, some dependencies are from GitHub, which unfortunately require authentication to be able to download such dependencies.
+Unfortunately, they have [no intention](https://github.com/orgs/community/discussions/26634) to fix this huge usability issue :(
+In your home folder, you need to create a configuration file for Maven, in particular `.m2/settings.xml`, with the following configurations:
+
+```
+<?xml version="1.0" encoding="UTF-8"?>
+<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0" 
+          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
+          xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0 http://maven.apache.org/xsd/settings-1.0.0.xsd">
+<servers>
+    <server>
+        <id>github</id>
+		<!-- Old pre Maven 3.9.0 version -->
+        <username>YOURUSERNAME</username>
+		<password>???</password>
+		<!-- New post Maven 3.9.0 version -->
+		<configuration>
+			<httpHeaders>
+			<property>
+				<name>Authorization</name>
+				<value>Bearer ???</value>
+			</property>
+			</httpHeaders>
+		</configuration>
+    </server>
+</servers>
+</settings>
+```
+Which configuration to use depends on the version of Maven (it was changed in version 3.9.0).
+In latest versions of Maven, you need to create an authorization token in GitHub (see more info directly on [GitHub documentation pages](https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-apache-maven-registry)), and put it instead of `???`.
+
+
+
 [//]: # (There is also a Docker file to run `dist.py`, named `build.dockerfile`.)
 
 [//]: # (It can be built with:)
@@ -210,20 +247,14 @@ Once the script is completed, all the SUTs will be available under the `dist` fo
 
 
 
-Note that here the drivers will be built as well besides the SUTs, and the SUT themselves will also have an instrumented version (for white-box testing heuristics) for _EvoMaster_ (this is for JavaScript and .NET, whereas instrumentation for JVM is done at runtime, via an attached JavaAgent). 
-
 In the built `dist` folder, the files will be organized as follows:
-
-* For JVM: `<name>-sut.jar` will be the non-instrumented SUTs, whereas their executable drivers will be called `<name>-evomaster-runner.jar`.
+ `<name>-sut.jar` will be the non-instrumented SUTs, whereas their executable drivers will be called `<name>-evomaster-runner.jar`.
  Instrumentation can be done at runtime by attaching the `evomaster-agent.jar` JavaAgent. If you are running experiments with EvoMaster, this will be automatically attached when running experiments with `exp.py` (available in the EvoMaster's repository). Or it can be attached manually with JVM option `-Devomaster.instrumentation.jar.path=evomaster-agent.jar` when starting the driver.
-* For NodeJS: under the folder `<name>` (for each NodeJS SUT), the SUT is available under `src`, whereas the instrumented version is under `instrumented`. If the SUT is written in TypeScript, then the compiled version will be under `build`.
-* For .NET: currently only the instrumented version is available (WORK IN PROGRESS)
 
 
 
 For running experiments with EvoMaster, you can also "start" each driver directly from an IDE (e.g., IntelliJ).
 Each of these drivers has a "main" method that is running a REST API (binding on default port 40100), where each operation (like start/stop/reset the SUT) can be called via an HTTP message by EvoMaster.
-For JavaScript, you need to use the files `em-main.js` under the `instrumented/em` folders.
 
 
 
@@ -237,18 +268,12 @@ Each folder represents a set of SUTs (and drivers) that can be built using the s
 For example, the folder `jdk_8_maven` contains all the SUTs that need JDK 8 and are built with Maven.
 On the other hand, the SUTs in the folder `jdk_11_gradle` require JDK 11 and Gradle.
 
-For JVM and .NET, each module has 2 submodules, called `cs` (short for "Case Study") and `em` (short for "EvoMaster").
+For thr JVM, each module has 2 submodules, called `cs` (short for "Case Study") and `em` (short for "EvoMaster").
 `cs` contains all the source code of the different SUTs, whereas `em` contains all the drivers.
 Note: building a top-module will build as well all of its internal submodules. 
 
-Regarding JavaScript, unfortunately NodeJS does not have a good handling of multi-module projects.
-Each SUT has to be built separately.
-However, for each SUT, we put its source code under a folder called `src`, whereas all the code related to the drivers is under `em`.
-Currently, both NodeJS `14` and `16` should work on these SUTs.
-
-The driver classes for Java and .NET are called `EmbeddedEvoMasterController`.
-For JavaScript, they are in a script file called `app-driver.js`.
-Note that Java also a different kind of driver called `ExternalEvoMasterController`.
+The driver classes for Java  are called `EmbeddedEvoMasterController`.
+Note that Java also has a different kind of driver called `ExternalEvoMasterController`.
 The difference is that in External the SUT is started on a separated process, and not running in the same JVM of the driver itself.
 
 
@@ -292,13 +317,3 @@ Branch *develop* is using the most recent SNAPSHOT version of _EvoMaster_.
 As that is not published online, you need to clone its repository, and build
 it locally (see its documentation on how to do it).
 
-To handle JavaScript, unfortunately there is the need for some manual settings.
-However, it needs to be done just once. 
-
-You need to create _symbolic_ link inside `EMB\js_npm` that points to the `evomaster-client-js` folder in _EvoMaster_.
-How to do this, depends on the Operating System.
-Note that in the following, `<some-path>` should be replaced with the actual real paths of where you cloned the _EvoMaster_ and _EMB_ repositories. 
-
-Windows: `mklink /D  C:\<some-path>\EMB\js_npm\evomaster-client-js  C:\<some-path>\EvoMaster\client-js\evomaster-client-js`
-
-Mac: `ln -s /<some-path>/EvoMaster/client-js/evomaster-client-js  /<some-path>/EMB/js_npm/evomaster-client-js`
 
@@ -0,0 +1,196 @@
+{
+  "version": "1.4.0",
+  "plugins_used": [
+    {
+      "name": "ArtifactoryDetector"
+    },
+    {
+      "name": "AWSKeyDetector"
+    },
+    {
+      "name": "AzureStorageKeyDetector"
+    },
+    {
+      "name": "Base64HighEntropyString",
+      "limit": 4.5
+    },
+    {
+      "name": "BasicAuthDetector"
+    },
+    {
+      "name": "CloudantDetector"
+    },
+    {
+      "name": "DiscordBotTokenDetector"
+    },
+    {
+      "name": "GitHubTokenDetector"
+    },
+    {
+      "name": "HexHighEntropyString",
+      "limit": 3.0
+    },
+    {
+      "name": "IbmCloudIamDetector"
+    },
+    {
+      "name": "IbmCosHmacDetector"
+    },
+    {
+      "name": "JwtTokenDetector"
+    },
+    {
+      "name": "KeywordDetector",
+      "keyword_exclude": ""
+    },
+    {
+      "name": "MailchimpDetector"
+    },
+    {
+      "name": "NpmDetector"
+    },
+    {
+      "name": "PrivateKeyDetector"
+    },
+    {
+      "name": "SendGridDetector"
+    },
+    {
+      "name": "SlackDetector"
+    },
+    {
+      "name": "SoftlayerDetector"
+    },
+    {
+      "name": "SquareOAuthDetector"
+    },
+    {
+      "name": "StripeDetector"
+    },
+    {
+      "name": "TwilioKeyDetector"
+    }
+  ],
+  "filters_used": [
+    {
+      "path": "detect_secrets.filters.allowlist.is_line_allowlisted"
+    },
+    {
+      "path": "detect_secrets.filters.common.is_baseline_file",
+      "filename": ".secrets.baseline"
+    },
+    {
+      "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies",
+      "min_level": 2
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_indirect_reference"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_likely_id_string"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_lock_file"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_not_alphanumeric_string"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_potential_uuid"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_prefixed_with_dollar_sign"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_sequential_string"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_swagger_file"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_templated_secret"
+    }
+  ],
+  "results": {
+    "openapi/publicapi_spec.json": [
+      {
+        "type": "Base64 High Entropy String",
+        "filename": "openapi/publicapi_spec.json",
+        "hashed_secret": "0ca33fee4444c18265ffce030b9e327b54f05ae0",
+        "is_verified": false,
+        "line_number": 602
+      }
+    ],
+    "src/main/java/uk/gov/pay/api/model/CreateCardPaymentRequest.java": [
+      {
+        "type": "Base64 High Entropy String",
+        "filename": "src/main/java/uk/gov/pay/api/model/CreateCardPaymentRequest.java",
+        "hashed_secret": "0ca33fee4444c18265ffce030b9e327b54f05ae0",
+        "is_verified": false,
+        "line_number": 202
+      }
+    ],
+    "src/main/java/uk/gov/pay/api/resources/PaymentsResource.java": [
+      {
+        "type": "Base64 High Entropy String",
+        "filename": "src/main/java/uk/gov/pay/api/resources/PaymentsResource.java",
+        "hashed_secret": "0ca33fee4444c18265ffce030b9e327b54f05ae0",
+        "is_verified": false,
+        "line_number": 241
+      }
+    ],
+    "src/test/java/uk/gov/pay/api/filter/AuthorizationValidationFilterTest.java": [
+      {
+        "type": "Secret Keyword",
+        "filename": "src/test/java/uk/gov/pay/api/filter/AuthorizationValidationFilterTest.java",
+        "hashed_secret": "70abceeb20d82fc2d55e8934d1ad05ad17609752",
+        "is_verified": false,
+        "line_number": 36
+      },
+      {
+        "type": "Secret Keyword",
+        "filename": "src/test/java/uk/gov/pay/api/filter/AuthorizationValidationFilterTest.java",
+        "hashed_secret": "a0936a38d2c31ad225d670f529a82319fc5bb915",
+        "is_verified": false,
+        "line_number": 87
+      }
+    ],
+    "src/test/resources/config/empty-elevated-accounts-test-config.yaml": [
+      {
+        "type": "Secret Keyword",
+        "filename": "src/test/resources/config/empty-elevated-accounts-test-config.yaml",
+        "hashed_secret": "3d4478f77d368235803ceb52bbd45b7240e6af62",
+        "is_verified": false,
+        "line_number": 48
+      }
+    ],
+    "src/test/resources/config/test-config.yaml": [
+      {
+        "type": "Secret Keyword",
+        "filename": "src/test/resources/config/test-config.yaml",
+        "hashed_secret": "3d4478f77d368235803ceb52bbd45b7240e6af62",
+        "is_verified": false,
+        "line_number": 50
+      }
+    ],
+    "src/test/resources/pacts/publicapi-connector-get-payment-refund.json": [
+      {
+        "type": "Base64 High Entropy String",
+        "filename": "src/test/resources/pacts/publicapi-connector-get-payment-refund.json",
+        "hashed_secret": "4c39a6a28507c3d7ea6de26da0bd1d27cff4a4af",
+        "is_verified": false,
+        "line_number": 25
+      }
+    ],
+    "src/test/resources/pacts/publicapi-ledger-get-one-agreement.json": [
+      {
+        "type": "Base64 High Entropy String",
+        "filename": "src/test/resources/pacts/publicapi-ledger-get-one-agreement.json",
+        "hashed_secret": "2d893b1b122fa0a884e02bb0a5b20764a80ef6e4",
+        "is_verified": false,
+        "line_number": 22
+      }
+    ]
+  },
+  "generated_at": "2023-09-06T14:26:21Z"
+}
@@ -0,0 +1,11 @@
+# GOV.UK Pay contributing guide
+
+This guide covers the basics of how to contribute to the GOV.UK Pay project.
+
+## Pull requests
+The team's pull request checklist can be found [here](https://github.com/alphagov/pay-team-manual/blob/master/docs/development-processes/pull-request-checklist.md)
+
+## Contributions from beyond the team
+If you have an idea to share or a feature to request to raise please contact the GOV.UK Pay team govuk-pay-support@digital.cabinet-office.gov.uk. 
+
+If this is a security issue please do not submit a pull request or raise a GitHub issue, instead, please read the disclosure process [here](/README.md#responsible-disclosure).