EvoMaster: A Tool For Automatically Generating System-Level Test Cases

Maven Central javadoc CI codecov DOI License: LGPL v3 Github All Releases

Summary

AI-generated mascot, with Bing

EvoMaster (www.evomaster.org) is the first (2016) open-source AI-driven tool that automatically generates system-level test cases for web/enterprise applications. This is related to Fuzzing. In particular, EvoMaster can fuzz APIs such as REST, GraphQL and RPC. Not only EvoMaster can generate inputs that find program crashes, but also it generates small effective test suites (e.g., in Python, JavaScript and Java/Kotlin JUnit format) that can be used for regression testing.

EvoMaster is an AI driven tool. In particular, internally it uses an Evolutionary Algorithm and Dynamic Program Analysis to be able to generate effective test cases. The approach is to evolve test cases from an initial population of random ones, trying to maximize measures like code coverage and fault detection. EvoMaster uses several kinds of AI heuristics to improve performance even further, building on decades of research in the field of Search-Based Software Testing.

1-Minute Example

Since version 6.0.0, the recommended way to install EvoMaster is through PyPi:

pip install evomaster

You can then run it on the command-line with evomster <args>, like for example:

evomaster --schema https://petstore.swagger.io/v2/swagger.json

It will fuzz the PetClinic example API from Swagger, for 60 seconds.

If you prefer, you can rather use Docker, as shown in the following video.

docker run -v "$(pwd)/generated_tests":/generated_tests webfuzzing/evomaster  --schema  https://petstore.swagger.io/v2/swagger.json

Note the video is old, using version 3.4.0, with some parameters that are no longer necessary.

Using Docker on Different Shells

Note that, depending on which shell and operating system you are using, you might need slightly different commands when mounting folders with the -v option.

For example, if run in a MSYS shell on Windows like Git Bash, there is the need of an extra / before the $.

docker run -v "/$(pwd)/generated_tests":/generated_tests webfuzzing/evomaster  --schema  https://petstore.swagger.io/v2/swagger.json

If you are rather using a Command Prompt (Cmd.exe) terminal, you need to use %CD% instead of $(pwd) to refer to the current folder:

docker run -v %CD%/generated_tests:/generated_tests webfuzzing/evomaster  --schema  https://petstore.swagger.io/v2/swagger.json

On the other hand, on a PowerShell you need ${PWD}:

docker run -v ${PWD}/generated_tests:/generated_tests webfuzzing/evomaster  --schema  https://petstore.swagger.io/v2/swagger.json

Troubleshooting

If you encounter issues running the command:

Generated Output

Once the command is executed, you can inspect the generated files under generated_tests folder.

Note, since version 4.0.0, now EvoMaster by default also creates an interactive web report.

Key features

Known Limitations

Use in Industry

Several enterprises use EvoMaster to fuzz their Web APIs. We do few academia-industry collaborations (see more info here), where we help test engineers to apply EvoMaster on their systems, as long as we can then report on such experience. Examples of Fortune 500 companies using EvoMaster are:

Videos

Alternatives

In the last few years, several few tools have been proposed in the academic literature and in the open-source community. You can read more details in this 2023 survey on REST API testing.

Existing open-source tools for REST API fuzzing, with at least 100 stars on GitHub, are for example (in alphabetic order): CATS, Dredd, Fuzz-lightyear, ResTest, Restler, Schemathesis and WuppieFuzz.

Apart from WuppieFuzz, all these tools are black-box, i.e., they do not analyze the source-code of the tested APIs to generate more effective test data. As we are the authors of EvoMaster, we are too biased to compare it properly with those other black-box tools. However, different independent studies (e.g., in 2022 and 2024) shows that EvoMaster is among the best performant. Furthermore, if your APIs are running on the JVM (e.g., written in Java or Kotlin), then EvoMaster has clearly an advantage, as it supports white-box testing.

Documentation

If you are trying to use EvoMaster, but the instructions in this documentation are not enough to get you started, or they are too unclear, then it means it is a bug in the documentation, which then would need to be clarified and updated. In such cases, please create a new issue.

Also, feel free to start new discussion topics in the Discussions forum. If you have time, please consider answering the polls there.

If you are working on an open-source API, you can drop us a message if you have problems using EvoMaster on it. Otherwise, if you are working in industry on closed-source APIs, we have options for academia-industry collaborations (see more info here).

Funding

EvoMaster has been funded by:

This project has received funding from the European Research Council (ERC) under the European Union’s Horizon 2020 research and innovation programme (grant agreement No 864972).

License

EvoMaster's source code is released under the LGPL (v3) license. For a list of the used third-party libraries, you can directly see the root pom.xml file. For a list of code directly imported (and then possibly modified/updated) from other open-source projects, see here.