Automated security tests for OpenMRS 3 with CVSS vulnerability scoring.
- Python 3.9+
- Docker (for running local OpenMRS instance)
```bash
git clone https://github.com/openmrs/openmrs-contrib-cvss-scanning.git
cd openmrs-contrib-cvss-scanning
```

```bash
# Create virtual environment
python -m venv venv
# Activate virtual environment
# On macOS/Linux:
source venv/bin/activate
# On Windows:
venv\Scripts\activate
```

```bash
pip install -r requirements.txt
playwright install chromium
cp .env.example .env
```

Edit .env to change the target OpenMRS instance if needed:
```bash
# Default targets local Docker instance
O3_BASE_URL=http://localhost/openmrs/spa
# Or target the public demo server
O3_BASE_URL=https://o3.openmrs.org/openmrs/spa
```

For local testing, spin up an OpenMRS 3 Docker instance:
```bash
docker compose up
```

Wait for the container to fully start (this may take a few minutes). The instance will be available at http://localhost/openmrs/spa

Run all security tests:
```bash
pytest tests/ -v
```

Run specific test categories:

```bash
# Authentication tests only
pytest tests/authentication/ -v
# Session management tests only
pytest tests/session_management/ -v
```

Generate HTML report:

```bash
pytest tests/ -v --html=report.html --json-report --json-report-file=report.json
```

Generate security dashboard:

```bash
pytest tests/ -v --json-report --json-report-file=report.json | tee test_output.log
python scripts/generate_security_dashboard.py
```

This will generate an HTML file named security_dashboard.html in the project root.

```
tests/
├── authentication/          # Authentication security tests
│   ├── conftest.py          # Shared fixtures and URL config
│   ├── test_01_username_enumeration.py
│   ├── test_02_credential_guessing.py
│   └── ...
└── session_management/      # Session management tests
```

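
A CI gate over the report.json written by the `--json-report` runs above, grouped by the category directories under tests/. This is an added example, not part of the project; it assumes the pytest-json-report layout (a top-level `tests` list whose entries carry `nodeid` and `outcome`), and the sample report, test function names and the session_management file name are constructed.

```python
import json
import sys
from collections import defaultdict

# Constructed sample in pytest-json-report's layout; not real scan output.
# Test function names and the session_management file name are placeholders.
SAMPLE_REPORT = {
    "tests": [
        {"nodeid": "tests/authentication/test_01_username_enumeration.py::test_a",
         "outcome": "passed"},
        {"nodeid": "tests/authentication/test_02_credential_guessing.py::test_b",
         "outcome": "failed"},
        {"nodeid": "tests/session_management/test_placeholder.py::test_c",
         "outcome": "passed"},
    ]
}
BLOCKING = ("failed", "error")  # outcomes that should stop the pipeline

def summarize_by_category(report):
    """Count outcomes per directory directly under tests/."""
    counts = defaultdict(lambda: defaultdict(int))
    for test in report.get("tests", []):
        parts = test["nodeid"].split("::", 1)[0].split("/")
        # tests/<category>/<file>.py -> <category>; other paths are grouped apart
        in_layout = len(parts) >= 3 and parts[0] == "tests"
        category = parts[1] if in_layout else "(uncategorized)"
        counts[category][test.get("outcome", "unknown")] += 1
    return {cat: dict(outcomes) for cat, outcomes in counts.items()}

def failing_categories(report):
    """Categories with at least one blocking outcome, sorted by name."""
    summary = summarize_by_category(report)
    return sorted(c for c, o in summary.items() if any(o.get(b) for b in BLOCKING))

def main(path=None):
    """Summarize the report at `path`, or the constructed sample if none is given."""
    report = SAMPLE_REPORT
    if path:
        with open(path, encoding="utf-8") as fh:
            report = json.load(fh)
    for category, outcomes in sorted(summarize_by_category(report).items()):
        print(f"{category}: {outcomes}")
    failing = failing_categories(report)
    if failing:
        print("blocking results in:", ", ".join(failing))
    return 1 if failing else 0  # non-zero exit fails the CI job

if __name__ == "__main__":
    sys.exit(main(*sys.argv[1:2]))
```

Pass the path to a real report.json as the first argument to gate a pipeline on it; with no argument the script runs against the constructed sample.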
| Variable | Default | Description |
|---|---|---|
| O3_BASE_URL | http://localhost/openmrs/spa | Base URL of the OpenMRS O3 instance |
| CI | - | Set automatically in CI environments for headless browser mode |