My Fellowship Journey: Sharif Magembe

I am Magembe Sharif, from Uganda, Kampala, and I have been actively involved with OpenMRS for 2.5 years up to date.

I am very excited and happy to join the first OpenMRS fellowship 2021/2022 on the Quality Assurance Project as a Quality Assurance Engineer in the area of development, focusing on better quality assurance of the product (OpenMRS quality assurance systems and tools). By the end of this fellowship, I hope to have acquired more knowledge and gained more experience as a Quality Assurance Engineer who will be well acquainted with quality assurance skills and QA tools in software development.

I am glad that I will be working directly with @k.joseph as my mentor along my fellowship journey and hope for the best :slightly_smiling_face:

In the first month of April of the fellowship:

  • I focused on learning more of the quality assurance tools and languages like Selenium, Cucumber, and the Gherkin language

  • Updating the QA wiki pages to reflect current work and the technical QA roadmap.

  • Understanding the existing code base, which is openmrs-distro-referenceapplication-uitests, openmrs-module-Uitestframework, and openmrs-contrib-qaframework

  • Getting more familiar with resolving more of the UI tests that were broken/ignored using Selenium Java, curated tickets, fixed and continuing to fix typo errors with the help of @k.joseph

  • Getting familiar with the automation workflow of the system, since I had a background of manual testing, which this time had little changed with how simulations of automated scripts should flow.

  • Attended weekly QA calls and helped others to get more familiar with tools to use



Last two weeks of April as OpenMRS Quality Assurance Engineer.

I have been working on broken/un-ignored automation tests in refApp distro-uitests. With these last two weeks, I have really improved with debugging skills structure, especially using debugging tools, gained familiarity with more of the Selenium Java methods, and using already built automation tests with the help of my mentor @k.joseph.

  • Next focus in the first two weeks of May
  1. Focus on Cucumber, Gherkin frameworks and their integration with the ongoing quality assurance work, and learning more of the Selenium and Cucumber frameworks

  2. Focus on handling/fixing Cucumber-related pull requests and broken tests work, and handling Bamboo failures related efforts which have recently been worked upon by @k.joseph and @dkayiwa

  3. Handling automation tests that might be of priority preparing the next release of refApp 2.12.0

  4. Have also been in sync with my mentor to define my fellowship plans as Quality Assurance Engineer

  5. Attending Quality Assurance support calls and helping others who might be blocked

    Best Regards to my mentor @k.joseph,

    Thanks cc @jennifer @k.joseph @grace


Hello everyone. In the last weeks as a fellow, I continued to work towards the development and resolving broken failing tests with our working pipeline; perhaps we are still in the line of resurrecting broken tests as much as we can. Wrote a number of fixes involving writing Selenium/Cucumber Gherkin feature files which are under review at the moment.

Currently I have been working and getting more familiar with Cucumber framework integration and Selenium, especially leveraging on how we can generate more readable and usable reports for non-technical implementations. Still continuing to:

  1. Focus on Cucumber/Selenium tools, Gherkin frameworks and their integration with Selenium, resolving tickets and improving test cases

  2. Handle automation tests that might be of priority preparing the next release of refApp 2.12.0

  3. Attending Quality Assurance support calls. Had weekly meeting with my mentor @k.joseph to define weak areas, continuing to aim higher in the next course of the week, and helping others who might be blocked

  4. I came up with a blog that defines steps to follow to get someone interested acquainted or get an idea of how OpenMRS quality assurance support is using Cucumber and Selenium tools and overall technical experience

Thanks cc @k.joseph @jennifer @grace


Hello Community

In the past two weeks, I have been mainly working on fixing broken issues and debugging the server logs

  1. Fixing broken issues and understanding the logic of writing logical automated tests

  2. Improved feature file folders in qaframework to cater for refapp2.x, refapp3.x and ocl-clients

  3. Fixed a number of feature files within QA and looking at leveraging Cucumber for documentation test cases

  4. Debugging technique expertise: Through these two weeks, as I have been working on fixing automated tests, I have been improving my debugging experience with the help of my mentor @k.joseph. While syncing with him, we have been looking at debugging in two perspective ways

  • Debugging using debugging tools like Eclipse and IntelliJ IDEA, mainly using three approaches: how to use Step Into, Step Over, Return, Resume, applying breakpoints, and what all these return on the code
  • How debugging skills help any coder to improve his/her skills and save time
  5. Attending Quality Assurance support calls. Had weekly meeting with my mentor @k.joseph to define areas, continuing to aim higher in the next course of the week, and helping others who might be blocked

In the next coming two weeks, I will still continue fixing broken issues since we still have a lot of coverage to take part in, and continuing to help the release manager to define his goals

Thanks cc @k.joseph @jennifer @grace


Hello community

In the past two weeks, I have been learning the idea behind E2E (End To End) testing (user interface) for OpenMRS in quality assurance and its automation-based workflow, and have been working on two different E2E tests, one for Search and Patient Registration and EditPatientRelationships, which are under progress and review. Ideally our main focus with current ongoing work on implementing E2E considers the following technical guidance:

  1. Clear description of End To End automated steps: these steps should be parented by existing pages in referenceapplication distro or qaframework. These steps should be described to have full user experience according to an example of a test case, because these are tasks that are building real automations behind the scenes

  2. Well-formatted feature file: these are written in human-readable Gherkin syntax, behavior-driven development (BDD), and are used to give structure and meaning to executable specifications. This is where Cucumber comes into play: when Cucumber executes a step in a single or multiple scenarios, it will look for a matching step definition to execute, and Cucumber provides us a privilege to be able to generate a report in HTML, XML, JSON formats where we are able to view our automation tests. And this will help us run a number of tests in a single click

Here is the diagram that shows the E2E frontend test process architecture, thanks to @grace and @k.joseph for the amazing architecture

Through this period, we have picked up on a number of tickets that contribute to the development of the E2E test-based workflow. @kdaud and I are working towards achieving the best E2E test-based coverage. Have learnt how to set up Cucumber hook configurations while implementing the E2E-based workflow, which is the main deal of writing stand-alone E2E tests by default

Cucumber Hooks: briefly, Cucumber hooks are blocks of code that run before and after each scenario. These hooks can be defined anywhere in the project, especially in step definition classes; they help in better management of code workflow using methods like @Before and @After and probably reducing code redundancy. Ideally they help us to perform our scenarios and steps. Feel free to check out the already built-in hooks example. Thanks to @k.joseph for introducing us to this awesome use case

Our main aim currently is to increase the development of E2E test coverage, which will still give confidence in the user experience in response to the release of RefApp 2.12.0 as well. Thanks to the QA support team, we are confident our automation test coverage is increasing daily, which gives us assurance for release management to comprehend.

In the next couple of weeks, I shall still be focusing on writing/developing/improving new E2E test cases and fixing broken/ignored issues to have maximum test coverage.

Had weekly calls with my mentor @k.joseph every Thursday to continue on the work improving fellowship plans and checking through mastering different technical skills both QA and outside QA

Have attended QA meetings, helped others on Slack, Talk, and IRC, helping the release manager for the next release of refApp. Thanks for the support, cc @jennifer @k.joseph @kdaud @grace @christine. Cheers

cc @k.joseph @jennifer @grace


@sharif Well done. Quite rich blog.


Hello Everyone

In the past two weeks, I finished up some tasks in referenceapplication distro, which included only broken Selenium tests, of which some are still under code review and some got merged.

I am currently working on E2E testing that was recently added to the QA board, which requires E2E for search and Patient Registration and EditingPatientRelationships specifically. Then I still continued to learn more of how we can reuse some step definition methods while implementing E2E, since encountering step duplicates occurs at some point, a very important aspect.

Curated tickets and created some tickets to cater for next test cases automation testing.

In the two weeks, I shall still continue to improve the broken issues which are not yet merged, develop new E2E automation testing that might be needed, getting a path to improving written automations that generate test reports using Cucumber Studio, and also writing new feature files that are currently missing in the qaframework board to increase the test coverage. I also plan to join OCL/MFEs to write automations using Cypress.

Had weekly calls with my mentor @k.joseph, helped others who joined the QA support team, and also attended QA weekly meetings. Here is the video and this of debugging Selenium tips

Thanks cc @jennifer @grace @k.joseph


Hello Community

In the previous weeks, I finished up some tasks in both referenceapplication distro, which were still pending, and qaframework, updating the E2E workflow-based testing; this includes the searchAndRegistration E2E test and EditPatientRegistration. This is still in progress due to clear workflows that need to be finished soon.

Refactored Selenium tests that needed clear workflows, especially tests that need to be independent. This led to a refactor of AddFormTest into a single test to cater for all the workflows that came along with its test, like edit and delete, thanks to @k.joseph, and LoginTest and ContactInfoTest as well.

Learning criteria: I am hooping some languages quickly, especially Cypress, to have my hands dirty soon to sync with OCL and MFE automation support teams.

Security automations pipeline: We started on leveraging how we can also get started with handling security XSS vulnerabilities through automating the procedures. I already created a ticket in the QA board here, thanks to @jennifer @k.joseph @isears @christine for spearheading this. Looking forward to seeing how we shall manage this.

In the next coming weeks, I will still continue to leverage all the tests that are not yet merged into master to increase our test coverage by fixing them, reviewing PRs as well, thanks to @k.joseph @kdaud for interesting and remarkable reviews. Continue to meet with the security team to get more going on the security automation workflow.

Had weekly meetings with my mentor @k.joseph, thanks for his advanced technical guidance. Helped others on Talk and Slack, and attended weekly quality assurance meetings. Great thanks go to all the quality assurance support team cc @k.joseph @christine @kdaud @irenyak1 @insookwa @gracebish @jayasanka for great work done; the roll is still in our hands. Cheers.

Thanks cc @k.joseph @jennifer @grace


Great job @sharif


Well Done @sharif for great work and support


Good job. @sharif ! :hugs:


Well done Sir @sharif


That’s great Sharif! If you need further support on RATEST-168 when you go back to it, @isears and @ibacher would probably be good contacts.

It’s great to see your continued growth Sharif! Keep up the good work.


Hello Community

The rest of our mentor: He has been so good to us; the meetings we usually had one-to-one with my colleague @kdaud, the knowledge and different ideas of handling issues, it was an amazing experience. But there is hope for us. I want to thank the entire community for the love you showed to us, the family as well. Nevertheless work should still continue because we have hope to see the man again :slightly_smiling_face:. Thanks to @ibacher @dkayiwa who are helping in reviews and guidance as well.

In the last couple of weeks, I have been able to finish most of the pending tasks, some of which were still failing on Bamboo. I must say I am still looking at the few which are breaking on Bamboo after merge, but hopefully this should be resolved soon. Have been able to resolve a couple of tests and many got merged; some are in code reviews.

Have also been able to update both E2E automated tasks that have been pending, and both are in code review; presumably they might get merged in master later this week. Still looking forward to getting more E2E tasks which can be created to add more coverage.

Security issue automated updates: For automated XSS vulnerabilities, I am still working towards having more XSS issues written, beginning with RATEST-168, which is still under review, and I am hoping it might get merged soon this week, thanks to @ibacher @dkayiwa @isears who are reviewing this.

Some pain points to rectify while handling each automated XSS vulnerability:

  1. Handling an XSS vulnerability automated test requires a new XSS vulnerability sheet: this means for an XSS vulnerability to be automated, the vulnerability should be within the system. In other words, it should not have been fixed.

  2. Handling these tests should require a clear description of an XSS patch to have its pre-written automated tests within the system. If an XSS is already patched it is tricky for us to be able to patch that vulnerability, so the better way is to pick a new unpatched vulnerability.

Good news and promising progress: We have already picked some XSS patches we will be handling in the next couple of coming weeks. These patches are now clear to be handled since we can as well patch the already fixed XSS vulnerability while following the procedures being given on specific patches. Thanks again to the GSoC security team who are working on some patches, cc @gracebish who is working on the xssPhoneNumber patch, and some are looking forward to joining the QA team. Thanks to @dkayiwa @ibacher @isears for the reviews. cc @dkayiwa @jennifer @isears @ibacher @grace @christine, I still believe we need to have more conversations on this, probably on our QA calls or PM calls.

More volunteers on board: We still need more volunteers who are interested in handling security vulnerability automated issues to get on the QA board, because our goal is to leverage automated XSS patches to a required coverage.

In the next coming weeks:

  1. Continue to check the unfinished work within reference applicationdistribution-uitests to increase our testing coverage while handling them. Handle and fix all the unwritten feature files with the help of our QA support technical team within qaframework. The pull request to handle this is already on our QA board, RATEST-171

  2. Start on handling MFE automated tests using the Cypress language, thanks to @jayasanka @jwnasambu @hadijah315 @suruchi for great work and great improvements on these written tests.

Have attended weekly calls for the quality assurance support team. Participated in the last mini showcase, thanks to @kdaud, with whom we gathered our presentations together. Helped others on Talk, Slack, and IRC. Helping the release manager to finish his work, and I am confident he is pushing on well, cc @herbert24.

Thanks to the quality assurance support team for the milestone and support, cc @kdaud @insookwa @gracebish @jayasanka @hadijah315 @suruchi @irenyak1 @jwnasambu @parth59 @jnsereko for the awesome contributions. Looking forward to continuing to work together. Thanks

cc @jennifer @grace


Very helpful to know this level of detail, thanks Sharif :slight_smile: For others who are curious, the link is @bistenes you left a recent comment about pros/cons with using frontend testing for security - thought you might like to take a look at the test plan mentioned here.

Very nice to hear! I wonder when/where/how we can call attention to some of the recent fixes. Where would someone look to see a list of recent security fixes?

It’s been a hard time indeed. Thank you Sharif for your thoughtfulness in this challenging time :bouquet:


For security reasons I might not publicly share the full NCSU report, which currently is the one being used to track most of the XSS vulnerabilities within the system.

However, we can try to use the legacyui module here, Pull requests · openmrs/openmrs-module-legacyui · GitHub, where there are a number of fixed security issues and their defined procedures, GSoC Patch security vulnerability. This might give us a hint. I am always available for this in case anything isn't clear. Thanks


Right, I’m not sure that such specific tests are actually useful. This is like, a thing we fixed one time, in this one place, and it’s not likely to come un-fixed. The utility/overhead ratio of this test would be very close to zero.

Also note that this is an E2E test of 1.x or 2.x code, so it would be a Selenium test. XSS problems like this are very difficult to produce when using a framework like React, anyway.

I’d suggest focusing DevSecOps efforts toward getting our linting game strong. As I’ve mentioned elsewhere, we should be linting all our code with every PR that makes it very visible when issues are being introduced. I’d be interested in what @isears thinks.


Maybe writing a Selenium test for every XSS vulnerability we’ve patched in the past is a bit much. But there are a few high-yield areas that we could target to get a lot of value out of one or two Selenium tests. For example, stored XSS in a patient name comes up fairly frequently (and is also probably one of the easiest exploit vectors). So if we had a Selenium test that just created an “evil” patient (e.g. Mr. <script>alert(1)</script>) and then rapidly checked 10-15 views where patient names show up in the refapp to ensure that name is properly escaped, that could potentially be a huge security win.

This shouldn’t detract from linting for detecting other issues. It’s just that in the specific case of XSS in .gsp templates, I don’t think there’s a way for static analysis alone to detect problems. Although maybe @elder16 has some ideas on this? I know you’ve spent a lot of time thinking about automated vulnerability detection. Do you see any way to detect the introduction of an XSS vulnerability that stops short of a full Selenium test?
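The "evil patient" check proposed in the post above, as an added example that is not code from this thread or from OpenMRS. It uses Python's standard HTML parser in place of a Selenium-driven browser to show only the pass/fail logic; the view names and page fragments are constructed.

```python
from html.parser import HTMLParser

# The "evil" patient name from the post above.
SCRIPT_BODY = "alert(1)"
EVIL_NAME = f"Mr. <script>{SCRIPT_BODY}</script>"


class NameRenderProbe(HTMLParser):
    """Separates text a browser would display from text it would run."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.in_script = False
        self.visible_text = []   # decoded text nodes outside <script>
        self.script_bodies = []  # raw content of each <script> element

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
            self.script_bodies.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:
            self.script_bodies[-1] += data
        else:
            self.visible_text.append(data)


def classify_view(html):
    """ESCAPED: name shown as text. VULNERABLE: name parsed as a script.
    ABSENT: name not rendered, so the view was not actually exercised."""
    probe = NameRenderProbe()
    probe.feed(html)
    probe.close()
    if any(body.strip() == SCRIPT_BODY for body in probe.script_bodies):
        return "VULNERABLE"
    if EVIL_NAME in "".join(probe.visible_text):
        return "ESCAPED"
    return "ABSENT"


def failing_views(views):
    """Names of views that did not render the evil name safely."""
    return [name for name, html in views.items()
            if classify_view(html) != "ESCAPED"]


# Constructed fragments with hypothetical view names; a real run would take
# each string from the browser driver's page source.
SAMPLE_VIEWS = {
    "patient-header": '<script src="/app.js"></script>'
                      '<span class="name">Mr. &lt;script&gt;alert(1)&lt;/script&gt;</span>',
    "search-results": "<table><tr><td>Mr. <script>alert(1)</script></td></tr></table>",
    "visit-list": "<div>No visits found</div>",
}
```

The probe covers names rendered as element content only; names echoed into attributes or inline JavaScript need their own checks. Treating ABSENT as a failure keeps a view that never displayed the patient from passing silently.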


Awesome, we are currently writing those that have been patched. However, if we can still figure out those XSS vulnerabilities that are really not complex, I would think it's worth diving into

Thanks @bistenes for the clarification. I would think we first take care of XSS vulnerabilities for the Selenium-based framework if possible for the moment

I think someone mentioned you all use Sonar/Sonarqube? As part of that project we ran Sonarqube on the modules that are part of the Reference Application. Sonarqube found a lot of security-related issues. However, a gap with Sonarqube was that it did NOT find any XSS vulnerabilities, or many input validation vulnerabilities generally. It may be possible to create rules in Sonarqube to find XSS, I don’t know. We just used the default settings.

OWASP ZAP (listed in the link from @bistenes) is a fuzzer, not static analysis. If you are looking to use a fuzzer, in our experience it found more XSS, although not as effectively as manual testing.
