Merge pull request #21 from svevia/new-vuln-reporting-feature

AIML-212 - New capabilities to get all vulns and attacks events

Author: ChrisEdwards

.env.integration-test.template

@@ -0,0 +1,11 @@
+# Integration Test Environment Variables
+# Copy this file to .env.integration-test and fill in your Contrast credentials
+# Then source it before running integration tests: source .env.integration-test
+
+export CONTRAST_HOST_NAME=app.contrastsecurity.com
+export CONTRAST_API_KEY=your-api-key-here
+export CONTRAST_SERVICE_KEY=your-service-key-here
+export CONTRAST_USERNAME=your-username-here
+export CONTRAST_ORG_ID=your-org-id-here
+
+# Note: .env.integration-test is in .gitignore to prevent committing credentials

.gitignore

@@ -36,3 +36,7 @@ build/
 .DS_Store
 .AppleDouble
 .LSOverride
+.env.integration-test
+
+### Beads ###
+.beads/

CLAUDE.md

@@ -80,4 +80,30 @@ This codebase handles sensitive vulnerability data. The README contains critical
 
 - Default log location: `/tmp/mcp-contrast.log`
 - Debug logging: Add `--logging.level.root=DEBUG` to startup arguments
-- Console logging is minimal by design for MCP protocol compatibility
+- Console logging is minimal by design for MCP protocol compatibility
+
+## Beads Workflow Requirements
+
+This project uses Beads (bd) for issue tracking. See the MCP resource `beads://quickstart` for usage details.
+
+### Managing Bead Dependencies
+
+**Command syntax:** `bd dep add <dependent-task> <prerequisite-task>`
+
+Example: If B must be done after A completes, use `bd dep add B A` (not `bd dep add A B`).
+
+Verify with `bd show <task-id>` - dependent tasks show "Depends on", prerequisites show "Blocks".
+
+### Testing Requirements Before Closing Beads
+
+**CRITICAL: Before closing any bead, you MUST:**
+
+1. **Write tests for ALL code changes** - No exceptions
+2. **Run unit tests** - `mvn test` must pass with 0 failures
+3. **Run integration tests** - `mvn verify` must pass (requires credentials in `.env.integration-test`)
+   - If credentials unavailable, verify integration tests pass in CI/CD
+4. **Verify new tests are included** - Ensure your tests ran and passed
+
+All code changes require corresponding test coverage. Do not close beads without tests.
+
+See INTEGRATION_TESTS.md for integration test setup and credentials.

INTEGRATION_TESTS.md

@@ -0,0 +1,101 @@
+# Integration Tests
+
+This project includes integration tests that run against a real Contrast TeamServer instance.
+
+## Setup
+
+1. **Copy the environment template:**
+   ```bash
+   cp .env.integration-test.template .env.integration-test
+   ```
+
+2. **Fill in your Contrast credentials:**
+   Edit `.env.integration-test` with your actual credentials:
+   - `CONTRAST_HOST_NAME` - Your TeamServer host (e.g., `app.contrastsecurity.com`)
+   - `CONTRAST_API_KEY` - Your API key
+   - `CONTRAST_SERVICE_KEY` - Your service key
+   - `CONTRAST_USERNAME` - Your username
+   - `CONTRAST_ORG_ID` - Your organization ID
+
+3. **Source the environment file:**
+   ```bash
+   source .env.integration-test
+   ```
+
+## Running Integration Tests
+
+### Run integration tests only:
+```bash
+mvn verify
+```
+
+### Run all tests (unit + integration):
+```bash
+mvn clean verify
+```
+
+### Skip integration tests:
+```bash
+mvn verify -DskipITs
+```
+
+### Run only unit tests (default):
+```bash
+mvn test
+```
+
+## How It Works
+
+- **Unit tests** (`*Test.java`) run during the `test` phase via Maven Surefire
+- **Integration tests** (`*IT.java`) run during the `verify` phase via Maven Failsafe
+- Integration tests only execute if `CONTRAST_HOST_NAME` environment variable is set
+- If environment variables are missing, integration tests are automatically skipped
+
+## GitHub Actions / CI
+
+For GitHub Actions, add these secrets to your repository:
+- `CONTRAST_HOST_NAME`
+- `CONTRAST_API_KEY`
+- `CONTRAST_SERVICE_KEY`
+- `CONTRAST_USERNAME`
+- `CONTRAST_ORG_ID`
+
+Example GitHub Actions workflow:
+
+```yaml
+- name: Run integration tests
+  run: mvn verify
+  env:
+    CONTRAST_HOST_NAME: ${{ secrets.CONTRAST_HOST_NAME }}
+    CONTRAST_API_KEY: ${{ secrets.CONTRAST_API_KEY }}
+    CONTRAST_SERVICE_KEY: ${{ secrets.CONTRAST_SERVICE_KEY }}
+    CONTRAST_USERNAME: ${{ secrets.CONTRAST_USERNAME }}
+    CONTRAST_ORG_ID: ${{ secrets.CONTRAST_ORG_ID }}
+```
+
+## Current Integration Tests
+
+### EnvironmentsIT.java
+
+Tests that environments and tags are properly populated from TeamServer API:
+- `testEnvironmentsAndTagsArePopulated()` - Verifies vulnerability responses include environments and tags
+- `testVulnerabilitiesHaveBasicFields()` - Verifies basic vulnerability fields are present
+
+## Adding New Integration Tests
+
+1. Create a new test class in `src/test/java` with the `IT` suffix (e.g., `MyFeatureIT.java`)
+2. Annotate with `@EnabledIfEnvironmentVariable(named = "CONTRAST_HOST_NAME", matches = ".+")`
+3. Use real Contrast SDK calls (no mocking)
+4. Run with `mvn verify` to execute
+
+## Troubleshooting
+
+**Integration tests don't run:**
+- Verify environment variables are set: `echo $CONTRAST_HOST_NAME`
+- Make sure you're running `mvn verify` (not just `mvn test`)
+- Check that test class name ends with `IT.java`
+
+**Tests fail with authentication errors:**
+- Verify your credentials are correct
+- Check that your API key has appropriate permissions
+- Ensure your organization ID is correct

README.md

@@ -26,6 +26,9 @@ Contrast's MCP server allows you as a developer or security professional to quic
   - [For the Security Professional](#for-the-security-professional)
 - [Data Privacy](#data-privacy)
 - [Build](#build)
+- [Testing](#testing)
+  - [Unit Tests](#unit-tests)
+  - [Integration Tests](#integration-tests)
 - [Run](#run)
 - [Docker](#docker)
   - [Build Docker Image](#build-docker-image)
@@ -86,6 +89,33 @@ Requires Java 17+
 
 `mvn clean install`
 
+## Testing
+
+### Unit Tests
+Run unit tests during development:
+```bash
+mvn test
+```
+
+### Integration Tests
+Integration tests validate against a real TeamServer instance. See [INTEGRATION_TESTS.md](INTEGRATION_TESTS.md) for detailed setup instructions.
+
+Quick start:
+```bash
+# 1. Set up credentials
+cp .env.integration-test.template .env.integration-test
+# Edit .env.integration-test with your credentials
+
+# 2. Run integration tests
+source .env.integration-test
+mvn verify
+
+# 3. Skip integration tests
+mvn verify -DskipITs
+```
+
+Integration tests only run when `CONTRAST_HOST_NAME` environment variable is set.
+
 ## Run
 To add the MCP Server to your local AI system, modify the config.json file and add the following
 

pom.xml

@@ -39,13 +39,19 @@
 		<dependency>
 			<groupId>com.contrastsecurity</groupId>
 			<artifactId>contrast-sdk-java</artifactId>
-			<version>3.4.2</version>
+			<version>3.4.4</version>
 		</dependency>
 		<dependency>
 			<groupId>org.springframework.ai</groupId>
 			<artifactId>spring-ai-starter-mcp-server</artifactId>
 		</dependency>
 
+		<dependency>
+			<groupId>org.projectlombok</groupId>
+			<artifactId>lombok</artifactId>
+			<scope>provided</scope>
+		</dependency>
+
 		<dependency>
 			<groupId>org.springframework.boot</groupId>
 			<artifactId>spring-boot-starter-test</artifactId>
@@ -88,6 +94,29 @@
 					<goals>install</goals>
 				</configuration>
 			</plugin>
+			<plugin>
+				<groupId>org.apache.maven.plugins</groupId>
+				<artifactId>maven-failsafe-plugin</artifactId>
+				<version>3.5.3</version>
+				<executions>
+					<execution>
+						<goals>
+							<goal>integration-test</goal>
+							<goal>verify</goal>
+						</goals>
+					</execution>
+				</executions>
+				<configuration>
+					<systemPropertyVariables>
+						<!-- Pass environment variables to tests -->
+						<CONTRAST_HOST_NAME>${env.CONTRAST_HOST_NAME}</CONTRAST_HOST_NAME>
+						<CONTRAST_API_KEY>${env.CONTRAST_API_KEY}</CONTRAST_API_KEY>
+						<CONTRAST_SERVICE_KEY>${env.CONTRAST_SERVICE_KEY}</CONTRAST_SERVICE_KEY>
+						<CONTRAST_USERNAME>${env.CONTRAST_USERNAME}</CONTRAST_USERNAME>
+						<CONTRAST_ORG_ID>${env.CONTRAST_ORG_ID}</CONTRAST_ORG_ID>
+					</systemPropertyVariables>
+				</configuration>
+			</plugin>
 		</plugins>
 	</build>