Wow, thanks @elder16. We would love to explore SonarQube in a more detailed way so that we can see if it can help us identify XSS vulnerabilities; perhaps it can help us in writing automated ones.
Per previous: the version of SonarQube that we ran did not find XSS. There is a related discussion on the SonarQube site (Trying to use SonarQube to detect XSS vulnerabilities in JS - #2 by Alexandre_Gigleux - SonarQube - SonarSource Community) that suggests they MAY have added rules for XSS sometime in 2020. I would recommend testing the SonarQube rules before relying on them (e.g. running SonarQube on a version of a module that you KNOW has XSS vulnerabilities to see if any new rules find them).
Wow, that's so nice @elder16, thanks for the recommendations. Perhaps we might need to dive into the SonarQube use case and see if we can leverage it in future. We will be having a call tomorrow; we would be glad if you could attend the call to discuss more about this if time allows.
Sorry to miss this. Happy to attend in the future if I can.
Hello Community.
In the last couple of weeks, I have been able to finish up broken issues that were pending, and they got merged last week. Thanks to @kdaud @dkayiwa @ibacher for tremendous reviews; this as well increased the test coverage.
Figuring out how we can get rid of Cucumber duplicate exceptions when using two method step definitions. This involved handling a fix in searchAndRegistration, whereby I needed to write a single class that can serve as a parent class for the already written classes to depend on; this required refactoring of other classes. Learned some good lessons here with Cucumber and Selenium dependency injection.
Continued to handle security issues. As far as automated security vulnerability testing is concerned, I am still looking forward to creating a number of tickets; however, one main limitation is that a number of issues have been fixed. Still, we are continuing to learn more from the security GSoC team. We are also privileged that the GSoC security team students will be joining the squad after their final evaluations to spearhead security automations. cc @isears @parth59 @elder16 @jnsereko @katebelson.
Shared a quick short video about how we can get started with security XSS vulnerabilities: a short overview of reproducing a bug using an iframe.
In the next coming weeks:
Will be getting started on handling RefApp 3.x issues for MFE and part of OCL.
Leading the automated security pipeline with GSoC students and the quality assurance team, teaming up to grow the security automation part.
Continue to handle E2E test-based workflows to make sure we have also increased the E2E workflow coverage. Thanks to @kdaud for the awesome job done in qaframework.
Check the entire system to confirm whether each part or app has been tested. This involved fixing typo errors within elements. Fix unresolved broken issues which have not been tackled.
Have helped others on Talk, IRC and Slack who had challenges with quality assurance tech skills. Have attended QA meetings, which happen weekly.
Great work @sharif
It will be an honor.
Thank you for the good work you are doing @sharif
In the last two weeks, I have finished a number of Reference Application distro tests that had been pending, and they got merged. Worked on a number of improvements to the qaframework module. This included refactoring of the workflows to meet quality-assurance-based standards and improving code quality.
We are still continuing to leverage security issues and count their future prospects. Every Tuesday we usually have a discussion in the normal QA meeting. Thanks to @elder16 @isears @grace, who will be guiding us in leveraging security tracking using SonarQube and the security cross-cutting roadmap.
Things that I will be focusing on in the coming month:
1. Working on RefApp 3.x automated tests with Cypress in order to get acquainted with the Cypress framework as well. This will include increasing test coverage for Cypress as well, working along with @bistenes @jayasanka @kdaud.
2. Updating and improving all the workflows in the qaframework module to have a standard practical use at the level of an implementer. This will include checking all the feature files for whether they correspond to already written Selenium code, updating badges on dashboards where necessary, and improving code readability in the RefApp distro.
3. Leveraging security automations. As I stated above, this is still in the pipeline and we will still continue having startup tickets to handle. Thanks to @isears @elder16 @jnsereko, whom we will be working along with on this part.
4. Another area I am looking into is a way of handling database automations using Structured Query Language (SQL). This area will be handling database queries and how we can improve that area. This includes leveraging DB tools like MySQL, PostgreSQL and H2 DB in regards to handling automations; we will be looking deeply into this with the help of @dkayiwa @ibacher.
Have attended community engagement calls to keep updated with the current and ongoing fellowship process, and helped others who have been blocked. Thanks everyone for the great support and improvement we have achieved. cc @grace @bistenes @jayasanka @kdaud @insookwa @gracebish @irenyak1 @jnsereko @mherman22. Thanks a lot, let's keep it burning!
Great stuff @sharif. This is the particular area I hope to learn a thing or two from you.
Great work @sharif! It's indeed a privilege to work alongside you.
This is awesome!
@sharif, do we have tickets on our Jira board that capture these security automations so that contributors can pick them up as well? I guess @jnsereko @jonathan @mherman22 and others are already interested in that field.
I am working along with @jnsereko to have them on board. Those two have been fixed for now.
Nice work @sharif
Thanks @kdaud, waiting… to get started.
@sharif, it would be great to have them on board soon! Intro tickets are a good start for those getting into the amazing security automation.
Dear @jonathan, feel free to check https://issues.openmrs.org/projects/RATEST/issues/RATEST-198?filter=allopenissues to get started on Ready for Work issues and keep moving, please.
In the last two weeks of September, I have been fixing tasks that were lacking some implementation information, like the Registration and FindPatients workflows, which are happily running on master. Resolved tasks in the refapp distro to do with pages to cater for E2E workflows in qaframework. Have also tried to leverage ticket handling; this helped our new friends to get started on them.
Have also started working on RefApp 3.x issues, where I am trying to get my hands dirty on real Cypress automated testing and getting a grip on the MFE project, and have a ticket that is in progress. Thanks to @jayasanka for the help.
For the security issues part: this area is still not attended to as expected. However, we have @elder16 @jnsereko who joined the team, and we are looking forward to continuing to sync together, especially in our QA meetings, to have discussions on handling this. We are also looking into leveraging SonarQube for security vulnerability tracking. A ticket is logged here to cater for SonarQube in platform core, and I hope to dive into it as soon as possible.
Things that I will be working on in the next two weeks:
1. Continue to work on RefApp 3.x issues with Cypress and hopefully increase SPA server automation coverage.
2. Handle automated tests that are still remaining, especially those that have been created recently, including: handling Report E2E automations, and others residing in the Manage/Configure Metadata part, handling Open Concept Lab (picked by @jwnasambu) and other issues. This will also increase our coverage of the application as well.
3. Have already started on handling the OpenMRS automated REST API. This was brought about by the community, and surprisingly it is one of my areas of interest for learning, so I will also be looking forward to handling REST API endpoints. Thanks to @grace @dkayiwa @ibacher @tendomart for bringing this part of the work to light, and thanks to @dkayiwa @ibacher for clarifying the point here, because I had done it differently but it was so clear for me.
Have also attended community calls to keep updated with the current process. Have helped others on Talk, Slack and a private Slack channel in reviewing PRs, ticket handling and technical support at large, and those who have been blocked. Great thanks to the QA support squad team. cc @christine @kdaud @grace @jnsereko @insookwa @mherman22 @irenyak1 @gracebish @jwnasambu @jonathan. I am so happy seeing the QA support team growing day by day. Looking forward to continuing to work with you. Thanks a lot. Keep up the automations; write automation and save people's lives!
Congratulations on this milestone, and I am really grateful for your desire to see others grow. I must admit I have benefited a lot from the QA squad. You and @kdaud have made me believe everything is possible and the sky is the limit.
Thanks @sharif for this initiative. Do we have enough such tickets READY FOR WORK on the QA-Dashboard to cater for those getting started with our modules? I have seen @jonathan @jnsereko @ndacyayisenga @gracebish @mherman22 @kmuwanga @jwnasambu and others having an interest in picking up such tickets and working on them.