
fdc3-conformance-framework's Introduction

[Badges: FINOS - Incubating; CII Best Practices]

FDC3 Conformance Framework

A framework for testing whether desktop containers implement the FDC3 standard.

The tests implemented for each FDC3 version are based on the FDC3 Conformance tests specifications defined by the FDC3 maintainers and provided in the main FDC3 repository. Please see the README file in that repository for further details.

Tests are currently implemented for versions 1.2 and 2.0 of the FDC3 Standard.

What Is It?

  • There are many vendors implementing Desktop Agents for the FDC3 standard.
  • Developers building apps interoperating with the FDC3 standard want to be sure that their apps will work with every Desktop Agent.
  • This suite of conformance tests allows for programmatic verification of an FDC3 Desktop Agent implementation.

Why Is This Important?

✔️ Multiple Platforms

It can be annoying for users to find that features in their apps that they rely on don't work when changing between Desktop Agents. These conformance tests are intended to give some assurance that this will not happen.

✔️ Marketing

FINOS has created badges to indicate conformance with the FDC3 standard. By passing the conformance tests and joining the conformance program, firms are able to use those badges in their own marketing materials.

✔️ Backwards Compatibility

There are multiple versions of the FDC3 standard. A Desktop Agent could host apps written in any one of these versions. For that reason, it's important that Desktop Agents are tested to make sure that they keep on supporting apps written against older versions of FDC3.

How Does It Work?

There are two main parts to conformance:

  • Running the tests locally, then
  • Joining the Conformance Program

Running The Conformance Tests

You can either run the hosted conformance tests listed in the FINOS App Directory, or run them on your local machine (useful if you are making changes). Instructions for doing either of those things are here:

Using The FINOS App Directory

If you have a Desktop Agent supporting the AppD v2 standard, you can point it at The FINOS App Directory which contains not only the current conformance suite but also many other sample FDC3 applications. The endpoint for your agent is:

Local Installation

  1. Check Out The Repo

This repository currently contains:

  • tests - the FDC3 conformance tests, implemented using Mocha / TypeScript, making use of the FDC3 type definitions, @finos/fdc3.
  • static - HTML files used to create the static server
  • directory - Some JSON files in the FDC3 V2 Directory format that you can use to set up your desktop agent with either 1.2 or 2.0 test suites.
  • terms-conditions - Terms and Conditions of the Conformance Program. Instructions for joining the program are here

  2. Install Dependencies

In order to get started, install all the dependencies with:

npm install

  3. Run The Apps Locally

To run the conformance suite locally on port 3001:

npm run start

  4. Set Up Your Desktop Agent

You will need to set up your desktop agent so that it has an App Directory containing all the conformance apps.
This step is vendor-dependent, but examples of AppD records can be found in the directory folder.

Running The Tests

Once you have configured your desktop agent correctly, open the conformance app and select the tests you wish to run:

[Screenshot: Selecting Tests]

The tests run and produce an output in the window. Failures are shown with a stack trace in red:

[Screenshot: Running Tests]

Successful runs look something like this:

[Screenshot: Success]

Joining The Conformance Program

If you've had a clean run of all the tests locally, why not join the conformance program?

Instructions to join the Certified FDC3 Desktop Agent Conformance Program

Once you have followed these steps, you will be allowed to display the FDC3 Compliance Badges within your marketing literature.

[Badge: Conformance with FDC3 1.2] [Badge: Conformance with FDC3 2.0]

Who Is Conformant?

We publish the details of conformant desktop agents on the FDC3 Community Page. Please check there to find out who FINOS has certified!

Read the latest blog post here about the certification announcements at OSFF New York

Contributing

Please see the CONTRIBUTING page.

License

Copyright 2022 FINOS

Distributed under the Apache License, Version 2.0.

SPDX-License-Identifier: Apache-2.0

fdc3-conformance-framework's People

Contributors

aidanzealley, amehta-scottlogic, cbowie1, colineberhardt, dbutt-scottlogic, finos-admin, gaganahluwalia, jhowlett-scottlogic, joe-dunleavy, kriswest, ksgeorgieva, mindthegab, nicopreto, nkolba, openfin-johans, osouthwell-scottlogic, robmoffat, thejuanandonly99


fdc3-conformance-framework's Issues

Incorrect test definitions

Our first review of the tests turned up some incorrectly defined tests.

Incorrectly defined tests

(So far I haven't found the below in the issues raised with test cases; hence, they may have been added during implementation. In one case this could be an area that the standard could improve, but doesn't currently cover (and hence can't be part of a compliance test).)

1)

it("Should receive context when app B broadcasts then joins a user channel before A joins and listens on the same channel", async () => {

This directly contradicts the Standard: Joining User Channels in 2.0 and Joining Channels in 1.2:

If an app is not joined to a User channel fdc3.broadcast will be a no-op and handler functions added with fdc3.addContextListener will not receive any broadcasts.

Remove this test please.

2)

it("Should throw NOT DELIVERED error when system broadcast is sent with an invalid context object structure", async () => {

No such error exists in FDC3 1.2 or 2.0. See https://fdc3.finos.org/docs/1.2/api/ref/Errors

There is at present no statement of what should or should not happen when an invalid context object is passed. What is known is that it would not be delivered to a filtered context listener without a type, but that is all that's specified.

Remove this test please - or at least comment it out with a note that it's not defined in the standard.

3)

it("Should throw NOT DELIVERED error when an app channel broadcast is sent with an invalid Context object structure", async () => {

No such error exists in FDC3 1.2 or 2.0. See https://fdc3.finos.org/docs/1.2/api/ref/Errors

Remove this test please - or at least comment it out with a note that it's not defined in the standard.

4)

it("Should retrieve the last broadcast context item when app B broadcasts a context with multiple history items to the same app channel and A gets current context", async () => {

You didn't wait for it to do its broadcasts here as you do in other tests:

//App B joins the same app channel as A then broadcasts context
await window.fdc3.open("ChannelsApp", channelsAppContext);
//get contexts from app B
const context = await testChannel.getCurrentContext("fdc3.instrument");
expect(context.type).to.be.equals("fdc3.instrument", errorMessage);
expect(context.name).to.be.equals("History-item-2", errorMessage);
});

This is an example of a place where coordinating messages could be used instead of waits... see Implementation feedback #74.

5)

it("Can open app B from app A with invalid context and AppMetadata (name) as target", async () => {

This test should/will never pass as the (malformed) context has no type, so it can't be routed to a typed context listener. Perhaps better to confirm it did get started by another means... However, behaviour with an invalid argument is not defined in the standard. Hence, I'd probably just go ahead and remove this test.

6)

it("Should start app intent-a when targeted (name) by raising intent 'aTestingIntent' with context 'testContextX'", async () => {

Note that IntentResolution.source is of type TargetApp, which can be the string name or an AppMetadata object. That's not why Finsemble fails this test - but led me to this error.
Note that this needs fixing in multiple tests in this file.

CVE-2022-29078 (High) detected in ejs-2.7.4.tgz

CVE-2022-29078 - High Severity Vulnerability

Vulnerable Library - ejs-2.7.4.tgz

Embedded JavaScript templates

Library home page: https://registry.npmjs.org/ejs/-/ejs-2.7.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/ejs/package.json

Dependency Hierarchy:

  • @fdc3-conformance-framework/app-1.0.0.tgz (Root Library)
    • react-scripts-4.0.3.tgz
      • workbox-webpack-plugin-5.1.4.tgz
        • workbox-build-5.1.4.tgz
          • rollup-plugin-off-main-thread-1.4.2.tgz
            • ejs-2.7.4.tgz (Vulnerable Library)

Found in HEAD commit: 464478c8d773c9f1db106df334cccbe96b76f1e7

Found in base branch: main

Vulnerability Details

The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation).

Publish Date: 2022-04-25

URL: CVE-2022-29078

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29078

Release Date: 2022-04-25

Fix Resolution: ejs - v3.1.7

CVE-2020-28469 (High) detected in glob-parent-3.1.0.tgz

CVE-2020-28469 - High Severity Vulnerability

Vulnerable Library - glob-parent-3.1.0.tgz

Strips glob magic from a string to provide the parent directory path

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-3.1.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/glob-parent/package.json

Dependency Hierarchy:

  • @fdc3-conformance-framework/app-1.0.0.tgz (Root Library)
    • react-scripts-4.0.3.tgz
      • webpack-dev-server-3.11.1.tgz
        • chokidar-2.1.8.tgz
          • glob-parent-3.1.0.tgz (Vulnerable Library)

Found in HEAD commit: 464478c8d773c9f1db106df334cccbe96b76f1e7

Found in base branch: main

Vulnerability Details

This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.

Publish Date: 2021-06-03

URL: CVE-2020-28469

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469

Release Date: 2021-06-03

Fix Resolution: glob-parent - 5.1.2

Test Results [8/15] - electron-fdc3

This is an initial test run against electron-fdc3, an open implementation of the FDC3 standard using Electron and an integrated App Directory.

Steps to run:

  • clone this repo, and follow the build instructions
  • clone electron-fdc3
  • update the directory, adding a new entry for the conformance tests, hosted on http://localhost:3001
  • build and run electron-fdc3 directory
  • build and run electron-fdc3 app
  • run the conformance tests (this will notice that electron-fdc3 app is using port 3000, and serve via 3001 instead)

Test results, 8/16 tests passed. There seem to be a couple of issues

  • The unsubscribe method is missing from the listener
  • A number of methods which return Promise<void> do not resolve the promise

fdc3.addContextListener - Method is callable (passed)

fdc3.addContextListener - "after each" hook for "Method is callable" (failed)
listener.unsubscribe is not a function

fdc3.addIntentListener - Method is callable (passed)

fdc3.addIntentListener - "after each" hook for "Method is callable" (failed)
listener.unsubscribe is not a function

fdc3.broadcast - Method is callable (passed)

fdc3.getCurrentChannel - Method is callable (passed)

fdc3.getInfo - Method is callable (passed)

fdc3.getOrCreateChannel - Method is callable (passed)

fdc3.getSystemChannels - Method is callable (passed)

fdc3.joinChannel - Method is callable (failed)
Timeout of 1000ms exceeded. For async tests and hooks, ensure "done()" is called; if returning a Promise, ensure it resolves.

fdc3.leaveCurrentChannel - Method is callable (passed)

fdc3.findIntent - Method is callable (failed)
Timeout of 1000ms exceeded. For async tests and hooks, ensure "done()" is called; if returning a Promise, ensure it resolves.

fdc3.open - Method is callable (failed)
Timeout of 1000ms exceeded. For async tests and hooks, ensure "done()" is called; if returning a Promise, ensure it resolves.

fdc3.raiseIntent - Method is callable (failed)
Timeout of 1000ms exceeded. For async tests and hooks, ensure "done()" is called; if returning a Promise, ensure it resolves.

fdc3.raiseIntentForContext - Method is callable (failed)
Timeout of 1000ms exceeded. For async tests and hooks, ensure "done()" is called; if returning a Promise, ensure it resolves.

fdc3.findIntentsByContext - Method is callable (failed)
Expected error NoAppsFound not thrown
Exception thrown: Expected error NoAppsFound not thrown

CVE-2021-33587 (High) detected in css-what-3.4.2.tgz

CVE-2021-33587 - High Severity Vulnerability

Vulnerable Library - css-what-3.4.2.tgz

a CSS selector parser

Library home page: https://registry.npmjs.org/css-what/-/css-what-3.4.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/css-what/package.json

Dependency Hierarchy:

  • @fdc3-conformance-framework/app-1.0.0.tgz (Root Library)
    • react-scripts-4.0.3.tgz
      • webpack-5.5.0.tgz
        • plugin-svgo-5.5.0.tgz
          • svgo-1.3.2.tgz
            • css-select-2.1.0.tgz
              • css-what-3.4.2.tgz (Vulnerable Library)

Found in HEAD commit: 464478c8d773c9f1db106df334cccbe96b76f1e7

Found in base branch: main

Vulnerability Details

The css-what package 4.0.0 through 5.0.0 for Node.js does not ensure that attribute parsing has Linear Time Complexity relative to the size of the input.

Publish Date: 2021-05-28

URL: CVE-2021-33587

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33587

Release Date: 2021-05-28

Fix Resolution: css-what - 5.0.1

CVE-2022-24772 (High) detected in node-forge-0.10.0.tgz

CVE-2022-24772 - High Severity Vulnerability

Vulnerable Library - node-forge-0.10.0.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-forge/package.json

Dependency Hierarchy:

  • @fdc3-conformance-framework/app-1.0.0.tgz (Root Library)
    • react-scripts-4.0.3.tgz
      • webpack-dev-server-3.11.1.tgz
        • selfsigned-1.10.14.tgz
          • node-forge-0.10.0.tgz (Vulnerable Library)

Found in HEAD commit: 464478c8d773c9f1db106df334cccbe96b76f1e7

Found in base branch: main

Vulnerability Details

Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not check for tailing garbage bytes after decoding a DigestInfo ASN.1 structure. This can allow padding bytes to be removed and garbage data added to forge a signature when a low public exponent is being used. The issue has been addressed in node-forge version 1.3.0. There are currently no known workarounds.

Publish Date: 2022-03-18

URL: CVE-2022-24772

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24772

Release Date: 2022-03-18

Fix Resolution: node-forge - 1.3.0

Intents Test Cases

Setup

You will need to pre-populate the AppDirectory with the following items:

App | Required Metadata
A | A's AppD Record contains: aTestingIntent (with context types testContextX, testContextZ) and sharedTestingIntent1 (with context type testContextX)
B | B's AppD Record contains bTestingIntent (with context type testContextY) and sharedTestingIntent1 (with context types testContextX and testContextY)
C | C's AppD Record contains cTestingIntent (with context type testContextX)

Also we assume a fourth app D that is going to discover the intents in the other 3.

Find Intent From AppD

  • IntentAppD: Calls fdc3.findIntent('aTestingIntent'). Receives promise containing an appIntent with metadata containing aTestingIntent and only A app metadata.
  • WrongIntentAppD: Calls fdc3.findIntent('nonExistentIntent'). Rejects with no apps found error https://fdc3.finos.org/docs/api/ref/Errors#resolveerror
  • IntentAppDRightContext: Calls fdc3.findIntent('aTestingIntent', 'fdc3.testContextX'). Receives promise containing an appIntent with metadata containing aTestingIntent and only A app metadata.
  • IntentAppDWrongContext: Calls fdc3.findIntent('aTestingIntent', 'fdc3.testContextY'). Rejects with no apps found error https://fdc3.finos.org/docs/api/ref/Errors#resolveerror
  • IntentAppDMultiple1: Calls fdc3.findIntent('sharedTestingIntent1'). Receives promise containing an appIntent with metadata containing sharedTestingIntent and only A and B app metadata.
  • IntentAppDMultiple2: Calls fdc3.findIntent('sharedTestingIntent1', 'testContextX'). Receives promise containing an appIntent with metadata containing sharedTestingIntent and only A and B app metadata.
  • IntentAppDMultiple2: Calls fdc3.findIntent('sharedTestingIntent1', 'testContextY'). Receives promise containing an appIntent with metadata containing sharedTestingIntent and only B app metadata.

Find Intents By Context

  • SingleContext: Call fdc3.findIntentsByContext('fdc3.testContextX'). Should return aTestingIntent (app A), sharedTestingIntent (A, B) and cTestingIntent (C) AND nothing else.
  • NoContext: Call fdc3.findIntentsByContext(). Throws error of some kind?

Raise Intent

App | Step | Details
D | Raise | fdc3.raiseIntent('sharedTestingIntent1', {testContextY}) starts app B.
B | Gather Context | fdc3.addIntentListener('sharedTestingIntent1') receives testContextY, matching that sent by D

  • SingleResolve1: Perform above test
  • TargetedResolve1: Use fdc3.raiseIntent('aTestingIntent', {testContextX}, <A's App Name>) to start app A, otherwise, as above
  • TargetedResolve2,3,4: Use the other ways of addressing apps (via ID, metadata) as described at the start of #18
  • FailedResolve1-4: As above, but use fdc3.raiseIntent('aTestingIntent', {testContextY}, <A's App Name>) and variations. You will receive No Apps Available Resolve Error
  • FailedResolve5-8: As above, but use fdc3.raiseIntent('aTestingIntent', {testContextX}, <C's App Name>) and variations. You will receive No Apps Available Resolve Error
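The cases in the three lists above can be exercised against a small in-memory resolver. The block below is an added example and is not code from fdc3-conformance-framework or from any Desktop Agent: it builds constructed AppD-style records for apps A, B and C from the Setup table (the field names appId and interop.intents.listensFor.<intent>.contexts are my reading of the FDC3 2.0 App Directory format, and the URLs are placeholders), then implements the resolution logic behind findIntent, findIntentsByContext and targeted raiseIntent as synchronous functions with promise-returning wrappers. The real findIntent and findIntentsByContext take a Context object rather than a type string, so the cases are written with { type: ... } objects; the target-matching step also accepts either an app name or an AppMetadata object, the TargetApp point raised in item 6 of the test review earlier on the page.

```javascript
// Added example, not code from fdc3-conformance-framework or any Desktop
// Agent: an in-memory resolver for the intent test cases listed above, driven
// by constructed AppD records for apps A, B and C (the Setup table). The record
// fields used (appId, interop.intents.listensFor.<intent>.contexts) are my
// reading of the FDC3 2.0 App Directory format; URLs are placeholders.

// String value of the FDC3 ResolveError.NoAppsFound enum member.
const ResolveError = { NoAppsFound: "NoAppsFound" };

function appRecord(appId, listensFor) {
  return {
    appId, name: appId, title: `App ${appId}`, type: "web",
    details: { url: `http://localhost:3001/${appId.toLowerCase()}` }, // placeholder
    interop: { intents: { listensFor } },
  };
}

const appDirectory = [
  appRecord("A", {
    aTestingIntent: { contexts: ["testContextX", "testContextZ"] },
    sharedTestingIntent1: { contexts: ["testContextX"] },
  }),
  appRecord("B", {
    bTestingIntent: { contexts: ["testContextY"] },
    sharedTestingIntent1: { contexts: ["testContextX", "testContextY"] },
  }),
  appRecord("C", { cTestingIntent: { contexts: ["testContextX"] } }),
];

// AppMetadata as an agent would report it: a subset of the AppD record.
const toMetadata = ({ appId, name, title }) => ({ appId, name, title });

// Apps declaring `intent`, narrowed to those accepting `contextType` if given.
function appsFor(intent, contextType) {
  return appDirectory
    .filter((app) => {
      const decl = app.interop.intents.listensFor[intent];
      return Boolean(decl) && (contextType === undefined || decl.contexts.includes(contextType));
    })
    .map(toMetadata);
}

// Synchronous core of fdc3.findIntent(intent, context?). The real API takes a
// Context object (not a type string) and resolves a Promise<AppIntent>.
function resolveFindIntent(intent, context) {
  const apps = appsFor(intent, context === undefined ? undefined : context.type);
  if (apps.length === 0) throw new Error(ResolveError.NoAppsFound);
  return { intent: { name: intent }, apps };
}

// Core of fdc3.findIntentsByContext(context): one AppIntent per intent that at
// least one app accepts for this context type. Calling it with no Context (the
// "NoContext" case) is rejected up front rather than treated as a wildcard.
function resolveFindIntentsByContext(context) {
  if (!context || typeof context.type !== "string") {
    throw new TypeError("findIntentsByContext requires a Context with a type");
  }
  const names = new Set(appDirectory.flatMap((a) => Object.keys(a.interop.intents.listensFor)));
  const result = [...names].sort()
    .map((name) => ({ intent: { name }, apps: appsFor(name, context.type) }))
    .filter((ai) => ai.apps.length > 0);
  if (result.length === 0) throw new Error(ResolveError.NoAppsFound);
  return result;
}

// Target selection for raiseIntent(intent, context, target). TargetApp may be
// an app name string or an AppMetadata object. Returns the app that would be
// started, or throws NoAppsFound when the target does not handle this
// intent+context combination (the FailedResolve cases).
function resolveRaiseIntentTarget(intent, context, target) {
  const candidates = appsFor(intent, context.type);
  const matches = target === undefined ? candidates : candidates.filter((app) =>
    typeof target === "string" ? app.name === target
                               : app.appId === target.appId || app.name === target.name);
  if (matches.length === 0) throw new Error(ResolveError.NoAppsFound);
  return matches[0];
}

// Promise-returning wrappers with the shape of the real Desktop Agent API.
const fdc3Mock = {
  findIntent: async (intent, context) => resolveFindIntent(intent, context),
  findIntentsByContext: async (context) => resolveFindIntentsByContext(context),
  raiseIntent: async (intent, context, target) => ({
    source: resolveRaiseIntentTarget(intent, context, target), intent,
  }),
};
```

Against a real agent the same cases are written as Mocha tests that call window.fdc3 and await the promises; the synchronous core exists here so the expected AppIntent shapes and NoAppsFound rejections can be checked without a container.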

Provide a better test output

At the moment the mocha tests are executed within the 'browser' with some very simple formatting:

[Screenshot]

Currently this doesn't include the test suite names (i.e. the 'describes'), and the order of tests is a bit surprising. I'm pretty sure other test runners (e.g. Jasmine) have a browser-based test runner, but I couldn't find one for mocha.

Ideally we'd have a simple way to run the tests, understand the structure, watch progress and understand errors ... without having to write much code!

Declared some code twice

Uncaught SyntaxError: Identifier 'channelType' has already been declared (at channelService-2_0.js:1:1)

Both channel services declare the same constant.

CVE-2021-33502 (High) detected in normalize-url-1.9.1.tgz, normalize-url-3.3.0.tgz

CVE-2021-33502 - High Severity Vulnerability

Vulnerable Libraries - normalize-url-1.9.1.tgz, normalize-url-3.3.0.tgz

normalize-url-1.9.1.tgz

Normalize a URL

Library home page: https://registry.npmjs.org/normalize-url/-/normalize-url-1.9.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/normalize-url/package.json

Dependency Hierarchy:

  • @fdc3-conformance-framework/app-1.0.0.tgz (Root Library)
    • react-scripts-4.0.3.tgz
      • mini-css-extract-plugin-0.11.3.tgz
        • normalize-url-1.9.1.tgz (Vulnerable Library)

normalize-url-3.3.0.tgz

Normalize a URL

Library home page: https://registry.npmjs.org/normalize-url/-/normalize-url-3.3.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/normalize-url/package.json

Dependency Hierarchy:

  • @fdc3-conformance-framework/app-1.0.0.tgz (Root Library)
    • react-scripts-4.0.3.tgz
      • optimize-css-assets-webpack-plugin-5.0.4.tgz
        • cssnano-4.1.11.tgz
          • cssnano-preset-default-4.0.8.tgz
            • postcss-normalize-url-4.0.1.tgz
              • normalize-url-3.3.0.tgz (Vulnerable Library)

Found in HEAD commit: 464478c8d773c9f1db106df334cccbe96b76f1e7

Found in base branch: main

Vulnerability Details

The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.

Publish Date: 2021-05-24

URL: CVE-2021-33502

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33502

Release Date: 2021-05-24

Fix Resolution: normalize-url - 4.5.1,5.3.1,6.0.1

Implementation feedback

While investigating test failure we collected up some initial feedback on the implementation of the test suite:

1) Getting started

App Directory configuration is in an inconsistent location for different containers:

Ideally, the following should be provided:

  • generic app directory records in a JSON file
  • a description of the components of the tests and layout of the repository (currently split between readme and mock readme)
  • generic instructions for setup
    • specific instructions for particular containers are also useful, but a secondary concern
  • A description of how the tests are initiated and what to expect from them.

2) Multiple app servers

It's not clear why multiple servers are started for the different apps; different routes on a single server, or at most two, should suffice. Minor issue.

3) Some tests are hard to grok

Tests involving the mocks can be hard to follow as the implementation is split across the test and the mock (necessary but can be made much easier to follow) and some of the function names don't tell you what's going to happen, e.g. AppChannelService.addContextListener does indeed add a listener... but it will always immediately leave the channel after receiving its first message. This could be a more specific name that links better to the addition of that listener here and the broadcast to it here.

Further, it would be better if the channelsAppContext (used to drive the mock app's behavior) defined the name of the app channel that's being joined and what it will do once it's joined it, rather than that being baked into the object's defaults and the mock implementation:

it("Should receive context when app B broadcasts context to an app channel before A joins and listens on the same channel", async () => {
const errorMessage = `\r\nSteps to reproduce:\r\n- App B joins an app channel\r\n- App B broadcasts context of type fdc3.instrument\r\n- App A joins the same app channel as B\r\n- App A adds a context listener of type null${documentation}`;
return new Promise(async (resolve, reject) => {
channelsAppContext.useAppChannel = true;
//App B creates/joins an app channel then broadcasts context
await window.fdc3.open("ChannelsApp", channelsAppContext);
//give app B time to fully execute
await wait();

To confirm what this test is doing you currently have to seek out the ChannelsApp implementation (which involves reading the appD config to get the port, then package.json to figure out which command ran on that port and how it was built, then find the right folder, dig through the files and find a script tag in an HTML file and read it).

To make this more penetrable:

  • The javascript code for the mock should be in a JS or TS file,
  • Comments should describe the behaviour created by the settings in the context object,
  • Channel names and behaviors should be explicitly defined in each test - rather than split between the test and the mock app implementation
    • e.g. channel joined on one end is defined in the test, the other end is implicit in the implementation of the mock app and its handling of an argument on the channel type.
  • A function, imported into the tests from the mock app implementation, could be used to create the context object based on parameters passed to it (rather than resetting the same object for each test and mostly relying on its default settings with a few tweaks).
  • The code implementing the app's behaviour doesn't need to be split across multiple files (i.e. broadcastContextItems in the index.html and AppChannelService.broadcast in channelService.js), could make use of typescript to provide interfaces (governing the polymorphism of the ChannelServices) and should include comments.
    • A better approach might be to just implement all the behaviour in (for example) broadcastContextItems based on explicit arguments to the function (pulled from the context object passed in).

4) Wait times and total runtime.

The use of wait times also makes me nervous. Where possible these could/should be replaced with an exchange of ready messages - although I grant you it's not ideal doing such coordination of the comms mechanism being tested.
However, timeouts like this:

//Add context listener to app A
listener = await testChannel.addContextListener(null, (context) => {
expect(context.type).to.be.equals("fdc3.instrument", errorMessage);
resolve();
});
validateListenerObject(listener);
//if no context received throw error
await wait();

should really be cancelled when the promise above it resolves and the rejection statement after it only run if the timeout completed (rather than getting cancelled). Not doing so is unlikely to cause an incorrect failure (promise can't reject after it's been resolved) but it is probably keeping the test running until it's been hit and probably contributing a lot to the overall runtime of the test and test suite (which is relatively slow right now).

5) Window closing

This is again dependent on a wait time (could reply first then close immediately and shorten the wait right down)...
Also the close method is Finsemble specific currently - probably because FDC3 doesn't contemplate a standard way to close a window (which it perhaps could...). You could use window.close() (https://developer.mozilla.org/en-US/docs/Web/API/Window/close) to do this as it's part of the HTML standard (although it doesn't work in Finsemble browserview windows I note - which we'll address - due to the fact that the content pane doesn't own the window). It does work if you set finsemble.appd[].manifest.foreign.components.Window Manager.titlebarType = "injected" in the individual component config or finsemble.Window Manager.titlebarType = "injected" in the whole desktop config.
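One way to address points 4 and 5 above, as an added example rather than code from the conformance suite: withTimeout() bounds a promise with a timer that is released as soon as either side settles, so the rejection fires only when the timeout genuinely elapsed and no stale timer keeps the test alive; ReadyBus is a constructed in-memory stand-in for the exchange of ready messages suggested in place of wait(). The function and class names, the signal names and the durations are my own choices.

```javascript
// Added example, not code from the conformance suite: two replacements for the
// fixed wait() calls discussed in points 4 and 5 above. withTimeout() races a
// promise against a timer and releases the timer as soon as either side
// settles, so the rejection can only fire if the timeout really elapsed.
// ReadyBus is a constructed, in-memory stand-in for an exchange of "ready"
// messages between a test and a mock app. Names and durations are my own.

let activeTimers = 0; // bookkeeping so a test can prove timers are released
const getActiveTimers = () => activeTimers;

// Resolve with the promise's value, or reject with `message` after `ms`.
function withTimeout(promise, ms, message) {
  let timer;
  // Idempotent: called by whichever side settles first, harmlessly again by the loser.
  const release = () => {
    if (timer !== undefined) { clearTimeout(timer); timer = undefined; activeTimers -= 1; }
  };
  const timeout = new Promise((_, reject) => {
    activeTimers += 1;
    timer = setTimeout(() => {
      release(); // the timer has already fired; this only updates the bookkeeping
      reject(new Error(`${message} (timed out after ${ms}ms)`));
    }, ms);
  });
  return Promise.race([promise, timeout]).then(
    (value) => { release(); return value; },
    (err) => { release(); throw err; },
  );
}

// Constructed stand-in for the coordination messages suggested above: a test
// waits for the mock app to announce a step instead of sleeping through it.
class ReadyBus {
  constructor() { this.waiters = new Map(); this.seen = new Set(); }
  // Resolves when `signal` has been posted, whether that already happened or not.
  waitFor(signal) {
    if (this.seen.has(signal)) return Promise.resolve(signal);
    return new Promise((resolve) => {
      const list = this.waiters.get(signal) || [];
      list.push(resolve);
      this.waiters.set(signal, list);
    });
  }
  post(signal) {
    this.seen.add(signal);
    for (const resolve of this.waiters.get(signal) || []) resolve(signal);
    this.waiters.delete(signal);
  }
}

// Mirrors the quoted test: mock app B broadcasts then posts "broadcast-done";
// app A's listener resolves with the context. Both waits are bounded by
// withTimeout and neither sleeps for a fixed period. Resolves to the context type.
function demoContextExchange() {
  const bus = new ReadyBus();
  const contextReceived = new Promise((resolve) => {
    // Mock app B: a short asynchronous delay stands in for opening the app.
    setTimeout(() => {
      resolve({ type: "fdc3.instrument", name: "History-item-1" }); // A's listener fires
      bus.post("broadcast-done");
    }, 5);
  });
  return withTimeout(bus.waitFor("broadcast-done"), 500, "mock app B never reported")
    .then(() => withTimeout(contextReceived, 500, "no context received"))
    .then((context) => context.type);
}
```

demoContextExchange().then(console.log) runs the exchange; getActiveTimers() returning 0 afterwards is the check that both timers were released rather than left to run out. In a real suite the ReadyBus.post call would live in the mock app and travel over whatever messaging the container provides, which is the trade-off the feedback acknowledges about coordinating over the mechanism under test.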

CVE-2022-24771 (High) detected in node-forge-0.10.0.tgz

CVE-2022-24771 - High Severity Vulnerability

Vulnerable Library - node-forge-0.10.0.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-forge/package.json

Dependency Hierarchy:

  • @fdc3-conformance-framework/app-1.0.0.tgz (Root Library)
    • react-scripts-4.0.3.tgz
      • webpack-dev-server-3.11.1.tgz
        • selfsigned-1.10.14.tgz
          • node-forge-0.10.0.tgz (Vulnerable Library)

Found in HEAD commit: 464478c8d773c9f1db106df334cccbe96b76f1e7

Found in base branch: main

Vulnerability Details

Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code is lenient in checking the digest algorithm structure. This can allow a crafted structure that steals padding bytes and uses unchecked portion of the PKCS#1 encoded message to forge a signature when a low public exponent is being used. The issue has been addressed in node-forge version 1.3.0. There are currently no known workarounds.

Publish Date: 2022-03-18

URL: CVE-2022-24771

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24771

Release Date: 2022-03-18

Fix Resolution: node-forge - 1.3.0

CVE-2021-3803 (High) detected in nth-check-1.0.2.tgz

CVE-2021-3803 - High Severity Vulnerability

Vulnerable Library - nth-check-1.0.2.tgz

performant nth-check parser & compiler

Library home page: https://registry.npmjs.org/nth-check/-/nth-check-1.0.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/nth-check/package.json

Dependency Hierarchy:

  • @fdc3-conformance-framework/app-1.0.0.tgz (Root Library)
    • react-scripts-4.0.3.tgz
      • webpack-5.5.0.tgz
        • plugin-svgo-5.5.0.tgz
          • svgo-1.3.2.tgz
            • css-select-2.1.0.tgz
              • nth-check-1.0.2.tgz (Vulnerable Library)

Found in HEAD commit: 464478c8d773c9f1db106df334cccbe96b76f1e7

Found in base branch: main

Vulnerability Details

nth-check is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-09-17

URL: CVE-2021-3803

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-09-17

Fix Resolution: nth-check - v2.0.1

App Channels Test Cases

App Channels Broadcast (Basic)

App | Step | Details
A | joinChannel | fdc3.getOrCreateChannel("test-channel")
A | addContextListener | Call testChannel.addContextListener(null, handler)
    Check listener object returned
    Check that there is an unsubscribe function on the returned object
B | joinChannel | fdc3.getOrCreateChannel("test-channel")
B | Broadcast | testChannel.broadcast(<some instrument>)
A | Receive Context | Instrument object matches the one broadcast in 2 above.
  • AC Basic Usage 1 Perform above test
  • AC Basic Usage 2 Perform above test, but join channel first and then testChannel.addContextListener()
  • AC Basic Usage 3 Do the app B steps first but in reverse order to populate the channel with context, check that A will receive the context after joining

App Channels Broadcast (Filtered Context)

App | Step | Details
A | joinChannel | fdc3.getOrCreateChannel("test-channel")
A | addContextListener | Call testChannel.addContextListener("fdc3.instrument", handler)
    Check listener object returned
    Check that there is an unsubscribe function on the returned object
B | joinChannel | fdc3.getOrCreateChannel("test-channel")
B | Broadcast | testChannel.broadcast() the instrument context.
    testChannel.broadcast() a contact context.
A | Receive Context | Instrument object matches the one broadcast in 2 above.
    Check that the contact is not received.
  • AC Filtered Context 1: Perform above test

  • AC Filtered Context 2: Perform above test, except joining a different channel. Check that you don't receive anything.

  • AC Unsubscribe: Perform above test, except that after joining, A then unsubscribe()s the channel. Check that A doesn't receive anything.

  • AC Filtered Context 3: Perform above test, except that after joining, A changes channel with a further different channel. Check that A doesn't receive anything.

  • AC Filtered Context 4: Perform above test, except that after joining, A calls fdc3.leaveChannel() and doesn't receive anything.

  • AC Invalid Broadcast 1 (1.2 ONLY): Broadcast is sent either without type field / invalid object structure. NOT DELIVERED, no other errors.

  • AC Invalid Broadcast 2 (2.0 ONLY): Broadcast is sent either without type field / invalid object structure. NOT DELIVERED, promise is rejected.

App Channel History

App | Step | Details
A | joinChannel | fdc3.getOrCreateChannel("test-channel")
B | joinChannel | fdc3.getOrCreateChannel("test-channel")
B | Broadcast | testChannel.broadcast() the instrument context.
    testChannel.broadcast() a contact context.
A | Receive Context | testChannel.getCurrentContext('fdc3.instrument') returns the last instrument
    testChannel.getCurrentContext('fdc3.contact') returns the last broadcast contact
  • AC Context History Typed: Perform above test.
  • AC Context History Multiple: B Broadcasts multiple history items of both types. Only the last version of each type is received by A.
  • AC Context History Last: A calls testChannel.getCurrentContext() retrieves the last broadcast context item

System / User Channels Test Cases

User Channels Broadcast (Basic)

App | Step | Details
A | addContextListener | Call fdc3.addContextListener(null, handler)
    Check listener object returned
    Check that there is an unsubscribe function on the returned object
A | joinChannel | fdc3.getSystemChannels()
    Check channels are returned.
    Call fdc3.joinChannel() on first non-global channel
B | joinChannel | fdc3.getSystemChannels()
    Check channels are returned.
    Call fdc3.joinChannel() on first non-global channel
B | Broadcast | fdc3.broadcast(<some instrument>)
A | Receive Context | Instrument object matches the one broadcast in 2 above.
  • UC Basic Usage 1 Perform above test
  • UC Basic Usage 2 Perform above test, but join channel first and then fdc3.addContextListener()
  • UC Basic Usage 3 Do the app B steps first to populate the channel with context, check that A will receive the context after joining
  • UC Basic Usage 4 Do the app B steps first but in reverse order to populate the channel with context, check that A will receive the context after joining

User Channels Broadcast (Filtered Context)

App | Step | Details
A | addContextListener | Call fdc3.addContextListener("fdc3.instrument", handler)
    Check listener object returned
    Check that there is an unsubscribe function on the returned object
A | joinChannel | fdc3.getSystemChannels()
    Check channels are returned.
    Call fdc3.joinChannel() on first non-global channel
B | joinChannel | fdc3.getSystemChannels()
    Check channels are returned.
    Call fdc3.joinChannel() on first non-global channel
B | Broadcast | fdc3.broadcast() the instrument context.
    fdc3.broadcast() a contact context.
A | Receive Context | Instrument object matches the one broadcast in 2 above.
    Check that the contact is not received.
  • UC Filtered Context 1: Perform above test

App | Step | Details
A | addContextListener | Call addContextListener("fdc3.instrument", handler)
    Check listener object returned
    Check that there is an unsubscribe function on the returned object
    Call addContextListener("fdc3.contact", handler)
    Check listener object returned
    Check that there is an unsubscribe function on the returned object
A | joinChannel | Check that there is an unsubscribe function on the returned object
B | joinChannel | fdc3.getSystemChannels()
    Check channels are returned.
    Call fdc3.joinChannel() on first non-global channel
B | Broadcast | fdc3.broadcast() the instrument context.
    fdc3.broadcast() a contact context.
A | Receive Context | Instrument object matches the one broadcast in 2 above.
    Contact object matches the one broadcast in 2 above.
  • UC Filtered Context 2: Perform above test
  • UC Filtered Context 3: Perform above test, except joining a different channel. Check that you don't receive anything.
  • UC Unsubscribe: Perform above test, except that after joining, A then unsubscribe()s the channel. Check that A doesn't receive anything.
  • UC Filtered Context 4: Perform above test, except that after joining, A changes channel with a further different channel. Check that A doesn't receive anything.
  • UC Filtered Context 5: Perform above test, except that after joining, A calls fdc3.leaveChannel() and doesn't receive anything.
  • UC Invalid Broadcast 1 (1.2 ONLY): Broadcast is sent either without type field / invalid object structure. NOT DELIVERED, no other errors.
  • UC Invalid Broadcast 2 (2.0 ONLY): Broadcast is sent either without type field / invalid object structure. NOT DELIVERED, promise is rejected.
  • UC Current Channel: A call to fdc3.getCurrentChannel() returns null if called prior to any joinChannel.
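The channel behaviour that the App Channel and User Channel test cases above exercise, modelled as an added example in TypeScript. This is not the conformance framework's code nor any desktop agent's implementation: MockChannel, MockDesktopAgent, the channel ids and the sample instrument and contact contexts are all constructed for the example. It shows typed listener filtering, the unsubscribe function on the listener object, per-type channel history, FDC3 2.0 rejection of a malformed broadcast, what a listener receives after leaveCurrentChannel, and the late-joiner replay that UC Basic Usage 3 checks.

```typescript
interface Fdc3Context { type: string; [key: string]: unknown }
type Fdc3Handler = (context: Fdc3Context) => void;
interface Fdc3Entry { type: string | null; handler: Fdc3Handler }

// Only an object carrying a non-empty string `type` is a deliverable context.
function isValidFdc3Context(value: unknown): value is Fdc3Context {
  const t = (value as { type?: unknown } | null)?.type;
  return typeof value === "object" && value !== null && typeof t === "string" && t.length > 0;
}

// A channel (app or user) that delivers to matching listeners and keeps history.
class MockChannel {
  readonly id: string;
  private listeners: Fdc3Entry[] = [];
  private lastOverall: Fdc3Context | null = null;
  private lastByType = new Map<string, Fdc3Context>();
  constructor(id: string) { this.id = id; }
  // Returns the listener object the tests check for an `unsubscribe` function.
  addContextListener(type: string | null, handler: Fdc3Handler): { unsubscribe(): void } {
    const entry: Fdc3Entry = { type, handler };
    this.listeners.push(entry);
    return { unsubscribe: () => { this.listeners = this.listeners.filter((l) => l !== entry); } };
  }
  // FDC3 2.0 behaviour: a malformed context is not delivered and the promise rejects.
  broadcast(context: unknown): Promise<void> {
    if (!isValidFdc3Context(context)) return Promise.reject(new Error("broadcast: context must have a string `type`"));
    this.lastOverall = context;
    this.lastByType.set(context.type, context);
    for (const l of this.listeners) if (l.type === null || l.type === context.type) l.handler(context);
    return Promise.resolve();
  }
  // History: the last context overall (no type given) or the last context of one type.
  currentContext(type?: string): Fdc3Context | null {
    return type === undefined ? this.lastOverall : this.lastByType.get(type) ?? null;
  }
}

// One MockDesktopAgent per app: listeners registered with it follow the app onto the
// user channel it joins, and that channel's current context is replayed to them on join.
class MockDesktopAgent {
  private readonly userChannels: MockChannel[];
  private current: MockChannel | null = null;
  private listeners: Fdc3Entry[] = [];
  private detach: (() => void)[] = [];
  constructor(userChannels: MockChannel[]) { this.userChannels = userChannels; }
  getSystemChannels(): MockChannel[] { return this.userChannels; }
  getCurrentChannel(): MockChannel | null { return this.current; }
  leaveCurrentChannel(): void { this.current = null; this.reattach(); }
  broadcast(context: unknown): Promise<void> { return this.current ? this.current.broadcast(context) : Promise.resolve(); }
  joinChannel(id: string): void {
    const channel = this.userChannels.find((c) => c.id === id);
    if (!channel) throw new Error("NoChannelFound"); // FDC3 ChannelError name
    this.current = channel;
    this.reattach();
    this.listeners.forEach((l) => this.replay(l));
  }
  addContextListener(type: string | null, handler: Fdc3Handler): { unsubscribe(): void } {
    const entry: Fdc3Entry = { type, handler };
    this.listeners.push(entry);
    this.reattach();
    this.replay(entry);
    return { unsubscribe: () => { this.listeners = this.listeners.filter((l) => l !== entry); this.reattach(); } };
  }
  private reattach(): void { // subscribe every listener on the current channel, if any
    this.detach.forEach((d) => d());
    const ch = this.current;
    this.detach = ch ? this.listeners.map((l) => ch.addContextListener(l.type, l.handler).unsubscribe) : [];
  }
  private replay(entry: Fdc3Entry): void {
    const ctx = this.current?.currentContext(entry.type ?? undefined);
    if (ctx) entry.handler(ctx);
  }
}

// Walks the user-channel steps: A listens for instruments only, both apps join the first
// user channel, B broadcasts. Channel ids and sample contexts are constructed here.
function runUserChannelScenario() {
  const channels = [new MockChannel("fdc3.channel.1"), new MockChannel("fdc3.channel.2")];
  const appA = new MockDesktopAgent(channels), appB = new MockDesktopAgent(channels);
  const receivedByA: Fdc3Context[] = [], channelBeforeJoin = appA.getCurrentChannel(); // UC Current Channel
  const listener = appA.addContextListener("fdc3.instrument", (c) => receivedByA.push(c));
  appA.joinChannel(appA.getSystemChannels()[0].id);
  appB.joinChannel(appB.getSystemChannels()[0].id);
  void appB.broadcast({ type: "fdc3.instrument", id: { ticker: "AAPL" } });
  void appB.broadcast({ type: "fdc3.contact", name: "Jane Doe" }); // filtered out for A
  // UC Invalid Broadcast 2: no type field, so rejected and not delivered (the catch keeps it handled).
  appB.broadcast({ name: "no type field" }).catch(() => undefined);
  const afterFiltered = receivedByA.length;
  appA.leaveCurrentChannel(); // UC Filtered Context 5: nothing more is received
  void appB.broadcast({ type: "fdc3.instrument", id: { ticker: "MSFT" } });
  const afterLeave = receivedByA.length;
  appA.joinChannel("fdc3.channel.1"); // UC Basic Usage 3: late joiner gets the current context
  listener.unsubscribe();
  const contact = channels[0].currentContext("fdc3.contact");
  return {
    currentChannelBeforeJoin: channelBeforeJoin,
    instrumentsReceived: afterFiltered,
    receivedAfterLeave: afterLeave - afterFiltered,
    replayedOnRejoin: receivedByA.length - afterLeave,
    lastContactInHistory: contact ? String(contact.name) : null,
  };
}
```

For a conformant agent the scenario yields a null channel before the join, exactly one instrument received (the contact is filtered out and the malformed broadcast is dropped), nothing after leaving, and one replayed instrument on rejoin. The model keeps the desktop agent's listener registry separate from the channel, which is why a listener registered before joining still works: that separation is the same reason the "Mock app control messages" issue below recommends moving test control traffic onto a dedicated app channel rather than a user channel that retains state.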

WS-2022-0008 (Medium) detected in node-forge-0.10.0.tgz

WS-2022-0008 - Medium Severity Vulnerability

Vulnerable Library - node-forge-0.10.0.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-forge/package.json

Dependency Hierarchy:

  • @fdc3-conformance-framework/app-1.0.0.tgz (Root Library)
    • react-scripts-4.0.3.tgz
      • webpack-dev-server-3.11.1.tgz
        • selfsigned-1.10.14.tgz
          • node-forge-0.10.0.tgz (Vulnerable Library)

Found in HEAD commit: 464478c8d773c9f1db106df334cccbe96b76f1e7

Found in base branch: main

Vulnerability Details

The forge.debug API had a potential prototype pollution issue if called with untrusted input. The API was only used for internal debug purposes in a safe way and never documented or advertised. It is suspected that uses of this API, if any exist, would likely not have used untrusted inputs in a vulnerable way.

Publish Date: 2022-01-08

URL: WS-2022-0008

CVSS 3 Score Details (6.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-5rrq-pxf6-6jx5

Release Date: 2022-01-08

Fix Resolution: node-forge - 1.0.0

WS-2021-0153 (High) detected in ejs-2.7.4.tgz

WS-2021-0153 - High Severity Vulnerability

Vulnerable Library - ejs-2.7.4.tgz

Embedded JavaScript templates

Library home page: https://registry.npmjs.org/ejs/-/ejs-2.7.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/ejs/package.json

Dependency Hierarchy:

  • @fdc3-conformance-framework/app-1.0.0.tgz (Root Library)
    • react-scripts-4.0.3.tgz
      • workbox-webpack-plugin-5.1.4.tgz
        • workbox-build-5.1.4.tgz
          • rollup-plugin-off-main-thread-1.4.2.tgz
            • ejs-2.7.4.tgz (Vulnerable Library)

Found in HEAD commit: 464478c8d773c9f1db106df334cccbe96b76f1e7

Found in base branch: main

Vulnerability Details

Arbitrary Code Injection vulnerability was found in ejs before 3.1.6. Caused by filename which isn't sanitized for display.

Publish Date: 2021-01-22

URL: WS-2021-0153

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-01-22

Fix Resolution: ejs - 3.1.6

CVE-2022-24773 (Medium) detected in node-forge-0.10.0.tgz

CVE-2022-24773 - Medium Severity Vulnerability

Vulnerable Library - node-forge-0.10.0.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-forge/package.json

Dependency Hierarchy:

  • @fdc3-conformance-framework/app-1.0.0.tgz (Root Library)
    • react-scripts-4.0.3.tgz
      • webpack-dev-server-3.11.1.tgz
        • selfsigned-1.10.14.tgz
          • node-forge-0.10.0.tgz (Vulnerable Library)

Found in HEAD commit: 464478c8d773c9f1db106df334cccbe96b76f1e7

Found in base branch: main

Vulnerability Details

Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not properly check DigestInfo for a proper ASN.1 structure. This can lead to successful verification with signatures that contain invalid structures but a valid digest. The issue has been addressed in node-forge version 1.3.0. There are currently no known workarounds.

Publish Date: 2022-03-18

URL: CVE-2022-24773

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24773

Release Date: 2022-03-18

Fix Resolution: node-forge - 1.3.0

Improve usability of test framework

There are a number of refinements that should be made to the test framework to make it more usable:

1) Add a clear indication that tests are complete.

(superseded by #240)

Adding a 'done' message in the main view after all tests have run would:

  • Ensure that it's easy to determine when tests are complete
    • if errors occur in before or after hooks not all tests will run, leading to the progress % stopping at less than 100%
  • Allow the test framework to be more easily installed in a CI system and the results extracted at the end of the run

image

image

2) Add an easy way to re-run the tests.

Adding a restart or refresh button after all tests have run would make it easier to re-run tests without closing and reopening. This functionality is partially available in that clicking on a group heading in the tests will navigate the framework to a grep URL (e.g. http://localhost:3001/v1.2/app/index.html?grep=fdc3%5C.getOrCreateChannel) that will allow you to run just that group. However, there is no way to navigate back to the beginning and re-run all tests.

3) Refine or replace the test selection menu to work with Mocha's built-in grep functionality.

If you click on a group heading in the test report, the framework navigates to a grep URL (e.g. http://localhost:3001/v1.2/app/index.html?grep=fdc3%5C.getOrCreateChannel) which will run just that set of tests. However, the menu is not aware of this and will indicate that all tests are being re-run, when they will not be.

https://mochajs.org/#grep

The menu should be aware of the current filter (so it can select the appropriate entry from the menu) and should be able to override/change it. This may mean rebuilding that functionality using Mocha's own filtering support.

CVE-2021-23364 (Medium) detected in browserslist-4.14.2.tgz

CVE-2021-23364 - Medium Severity Vulnerability

Vulnerable Library - browserslist-4.14.2.tgz

Share target browsers between different front-end tools, like Autoprefixer, Stylelint and babel-env-preset

Library home page: https://registry.npmjs.org/browserslist/-/browserslist-4.14.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/browserslist/package.json

Dependency Hierarchy:

  • @fdc3-conformance-framework/app-1.0.0.tgz (Root Library)
    • react-scripts-4.0.3.tgz
      • react-dev-utils-11.0.4.tgz
        • browserslist-4.14.2.tgz (Vulnerable Library)

Found in HEAD commit: 464478c8d773c9f1db106df334cccbe96b76f1e7

Found in base branch: main

Vulnerability Details

The package browserslist from 4.0.0 and before 4.16.5 are vulnerable to Regular Expression Denial of Service (ReDoS) during parsing of queries.

Publish Date: 2021-04-28

URL: CVE-2021-23364

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23364

Release Date: 2021-04-28

Fix Resolution: browserslist - 4.16.5

Retrieve list of intents

This will be done by utilizing /v1/apps/search in the app directory to get all the applications that are registered in the app directory.

Mock app control messages break tests in some cases

We've run into an issue with the tests while testing that we think will affect most other desktop agents and needs fixing in the test framework:

The broadcast/User channel tests are using the system/user channels to send control messages to the mock apps, specifically a 'close' message here:

However, if the channel retains context (which many implementations do), that context will already be present and will be received in the second broadcast test, breaking it (and no doubt a few others). I.e. it will immediately be received here:

You can replicate this by opening another component and putting it on the first system/user channel before you start the test as this will stop Finsemble draining the channel of state:

image

To fix, move these messages off of the system channels and onto a dedicated app channel (which the mocks should always independently listen for).

@ColinEberhardt @Joe-Dunleavy

CVE-2021-23436 (High) detected in immer-8.0.1.tgz

CVE-2021-23436 - High Severity Vulnerability

Vulnerable Library - immer-8.0.1.tgz

Create your next immutable state by mutating the current one

Library home page: https://registry.npmjs.org/immer/-/immer-8.0.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/immer/package.json

Dependency Hierarchy:

  • @fdc3-conformance-framework/app-1.0.0.tgz (Root Library)
    • react-scripts-4.0.3.tgz
      • react-dev-utils-11.0.4.tgz
        • immer-8.0.1.tgz (Vulnerable Library)

Found in HEAD commit: 464478c8d773c9f1db106df334cccbe96b76f1e7

Found in base branch: main

Vulnerability Details

This affects the package immer before 9.0.6. A type confusion vulnerability can lead to a bypass of CVE-2020-28477 when the user-provided keys used in the path parameter are arrays. In particular, this bypass is possible because the condition (p === "__proto__" || p === "constructor") in applyPatches_ returns false if p is ['__proto__'] (or ['constructor']). The === operator (strict equality operator) returns false if the operands have different type.

Publish Date: 2021-09-01

URL: CVE-2021-23436

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23436

Release Date: 2021-09-01

Fix Resolution: immer - 9.0.6

CVE-2021-3757 (High) detected in immer-8.0.1.tgz

CVE-2021-3757 - High Severity Vulnerability

Vulnerable Library - immer-8.0.1.tgz

Create your next immutable state by mutating the current one

Library home page: https://registry.npmjs.org/immer/-/immer-8.0.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/immer/package.json

Dependency Hierarchy:

  • @fdc3-conformance-framework/app-1.0.0.tgz (Root Library)
    • react-scripts-4.0.3.tgz
      • react-dev-utils-11.0.4.tgz
        • immer-8.0.1.tgz (Vulnerable Library)

Found in HEAD commit: 464478c8d773c9f1db106df334cccbe96b76f1e7

Found in base branch: main

Vulnerability Details

immer is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Publish Date: 2021-09-02

URL: CVE-2021-3757

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/23d38099-71cd-42ed-a77a-71e68094adfa/

Release Date: 2021-09-02

Fix Resolution: immer - 9.0.6

Better locate and refer to instructions for running the tests in known containers

This directory (mock/fdc3-app-config-examples), currently containing a Finsemble config example, probably should not live under the 'mock' directory. Rather it should move up a level and be referred to from the README.

Both the README file and these examples should be deployed with the framework (copied into the same location as the app builds) so that they can be referenced from the deployed location. Internal links from the README to the examples should use relative paths to ensure that these work post-deployment.

CVE-2021-23424 (High) detected in ansi-html-0.0.7.tgz

CVE-2021-23424 - High Severity Vulnerability

Vulnerable Library - ansi-html-0.0.7.tgz

An elegant lib that converts the chalked (ANSI) text to HTML.

Library home page: https://registry.npmjs.org/ansi-html/-/ansi-html-0.0.7.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/ansi-html/package.json

Dependency Hierarchy:

  • @fdc3-conformance-framework/app-1.0.0.tgz (Root Library)
    • react-scripts-4.0.3.tgz
      • webpack-dev-server-3.11.1.tgz
        • ansi-html-0.0.7.tgz (Vulnerable Library)

Found in HEAD commit: 464478c8d773c9f1db106df334cccbe96b76f1e7

Found in base branch: main

Vulnerability Details

This affects all versions of package ansi-html. If an attacker provides a malicious string, it will get stuck processing the input for an extremely long time.

Publish Date: 2021-08-18

URL: CVE-2021-23424

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-23424

Release Date: 2021-08-18

Fix Resolution: VueJS.NetCore - 1.1.1;Indianadavy.VueJsWebAPITemplate.CSharp - 1.0.1;NorDroN.AngularTemplate - 0.1.6;CoreVueWebTest - 3.0.101;dotnetng.template - 1.0.0.4;Fable.Template.Elmish.React - 0.1.6;SAFE.Template - 3.0.1;GR.PageRender.Razor - 1.8.0;Envisia.DotNet.Templates - 3.0.1

Test Results [14/15] - Finsemble

These are the test results for an initial run against Finsemble.

Instructions to reproduce:

Test results 14 pass, 1 fail.

The failure occurs because our fdc3.open test relies on the desktop agent throwing AppNotFound for the given appId. Finsemble throws ErrorOnLaunch instead.

fdc3.addContextListener - Method is callable (passed)

fdc3.addIntentListener - Method is callable (passed)

fdc3.broadcast - Method is callable (passed)

fdc3.getCurrentChannel - Method is callable (passed)

fdc3.getInfo - Method is callable (passed)

fdc3.getOrCreateChannel - Method is callable (passed)

fdc3.getSystemChannels - Method is callable (passed)

fdc3.joinChannel - Method is callable (passed)

fdc3.leaveCurrentChannel - Method is callable (passed)

fdc3.findIntent - Method is callable (passed)

fdc3.open - Method is callable (failed)
Expected error AppNotFound not thrown
Exception thrown: ErrorOnLaunch

fdc3.raiseIntent - Method is callable (passed)

fdc3.raiseIntentForContext - Method is callable (passed)

fdc3.findIntentsByContext - Method is callable (passed)

Test Results [4/15] - FDC3 desktop-agent

The FDC3 Desktop Agent is a Chrome Extension implementation of FDC3.

Test instructions:

It currently passes 4 of the 15 tests.

Most failures seem to relate to unresolved promises.

fdc3.addContextListener - Method is callable (passed)

fdc3.addIntentListener - Method is callable (passed)

fdc3.broadcast - Method is callable (passed)

fdc3.getCurrentChannel - Method is callable (failed)
Timeout of 1000ms exceeded. For async tests and hooks, ensure "done()" is called; if returning a Promise, ensure it resolves.

fdc3.getInfo - Method is callable (passed)

fdc3.getOrCreateChannel - Method is callable (failed)
Timeout of 1000ms exceeded. For async tests and hooks, ensure "done()" is called; if returning a Promise, ensure it resolves.

fdc3.getSystemChannels - Method is callable (failed)
Timeout of 1000ms exceeded. For async tests and hooks, ensure "done()" is called; if returning a Promise, ensure it resolves.

fdc3.joinChannel - Method is callable (failed)
Timeout of 1000ms exceeded. For async tests and hooks, ensure "done()" is called; if returning a Promise, ensure it resolves.

fdc3.joinChannel - "after each" hook for "Method is callable" (failed)
Timeout of 1000ms exceeded. For async tests and hooks, ensure "done()" is called; if returning a Promise, ensure it resolves.

fdc3.leaveCurrentChannel - Method is callable (failed)
Timeout of 1000ms exceeded. For async tests and hooks, ensure "done()" is called; if returning a Promise, ensure it resolves.

fdc3.findIntent - Method is callable (failed)
Timeout of 1000ms exceeded. For async tests and hooks, ensure "done()" is called; if returning a Promise, ensure it resolves.

fdc3.open - Method is callable (failed)
Timeout of 1000ms exceeded. For async tests and hooks, ensure "done()" is called; if returning a Promise, ensure it resolves.

fdc3.raiseIntent - Method is callable (failed)
Timeout of 1000ms exceeded. For async tests and hooks, ensure "done()" is called; if returning a Promise, ensure it resolves.

fdc3.raiseIntentForContext - Method is callable (failed)
Timeout of 1000ms exceeded. For async tests and hooks, ensure "done()" is called; if returning a Promise, ensure it resolves.

fdc3.findIntentsByContext - Method is callable (failed)
Timeout of 1000ms exceeded. For async tests and hooks, ensure "done()" is called; if returning a Promise, ensure it resolves.

NOTE: The above is the text output from #23

CVE-2022-0122 (Medium) detected in node-forge-0.10.0.tgz

CVE-2022-0122 - Medium Severity Vulnerability

Vulnerable Library - node-forge-0.10.0.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-forge/package.json

Dependency Hierarchy:

  • @fdc3-conformance-framework/app-1.0.0.tgz (Root Library)
    • react-scripts-4.0.3.tgz
      • webpack-dev-server-3.11.1.tgz
        • selfsigned-1.10.14.tgz
          • node-forge-0.10.0.tgz (Vulnerable Library)

Found in HEAD commit: 464478c8d773c9f1db106df334cccbe96b76f1e7

Found in base branch: main

Vulnerability Details

forge is vulnerable to URL Redirection to Untrusted Site

Publish Date: 2022-01-06

URL: CVE-2022-0122

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-gf8q-jrpm-jvxq

Release Date: 2022-01-06

Fix Resolution: node-forge - 1.0.0

API methods should reject with an object of type Error

When a failure occurs, an Error should be returned, with a defined string message. For example, with open:

If opening errors, it returns an Error with a string from the OpenError enumeration.

Currently our tests check whether a promise is rejected with a string message, see for example:

https://github.com/finos/FDC3-conformance-framework/blob/main/tests/src/test/fdc3.open.ts#L89

Notably, container implementations seem to reject with a string, e.g.

finos/FDC3-Sail#53
InteropIO/finsemble-seed#773

However, they should reject with an Error with the given string message.
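A check that distinguishes the two kinds of rejection the issue describes, as an added example in TypeScript rather than code from the framework's own test suite. The OpenError names are those listed on the FDC3 API Errors page; the RejectionReport shape, the classifyRejection and inspectOpen helpers and the two sample agents are constructed for this example. It reports separately whether the reason is an Error object (the type the spec requires) and whether its text is the expected OpenError name, so a bare string "AppNotFound" and an Error carrying "ErrorOnLaunch" (the Finsemble result reported below) both fail the check for different reasons.

```typescript
// FDC3 OpenError names from the API spec's Errors page; the helpers and the two
// sample agents below are constructed for this example and are not framework code.
const OPEN_ERROR_NAMES = ["AppNotFound", "AppTimeout", "ErrorOnLaunch", "ResolverUnavailable"] as const;
type OpenErrorName = (typeof OPEN_ERROR_NAMES)[number];

interface RejectionReport {
  rejected: boolean;           // the call rejected at all
  isErrorInstance: boolean;    // the rejection reason is an Error object, as the spec requires
  message: string | null;      // Error.message, or the bare string when that is what was thrown
  spelledAsOpenError: boolean; // the message text is one of the OpenError names
  conformant: boolean;         // an Error whose message is the expected OpenError name
}

// Classify a rejection reason. A bare string such as "AppNotFound" has the right
// text but the wrong type, so it is non-conformant; an Error carrying a different
// OpenError name (ErrorOnLaunch where AppNotFound was expected) is the right type
// but the wrong value.
function classifyRejection(reason: unknown, expected: OpenErrorName): RejectionReport {
  const isErrorInstance = reason instanceof Error;
  const message = reason instanceof Error ? reason.message : typeof reason === "string" ? reason : null;
  const spelledAsOpenError = message !== null && OPEN_ERROR_NAMES.some((n) => n === message);
  return { rejected: true, isErrorInstance, message, spelledAsOpenError, conformant: isErrorInstance && message === expected };
}

// Await the API call as a Mocha test would and report how it failed (or that it did not).
async function inspectOpen(call: () => Promise<unknown>, expected: OpenErrorName): Promise<RejectionReport> {
  try {
    await call();
    return { rejected: false, isErrorInstance: false, message: null, spelledAsOpenError: false, conformant: false };
  } catch (reason) {
    return classifyRejection(reason, expected);
  }
}

// Two hypothetical desktop agents asked to open an app that is not in the directory:
// one rejects with a bare string (what the issue describes), the other with an Error.
const stringRejectingAgent = { open: (_appName: string) => Promise.reject("AppNotFound") };
const errorRejectingAgent = { open: (_appName: string) => Promise.reject(new Error("AppNotFound")) };
```

In a Mocha test the equivalent assertion is that the awaited call throws, that the caught value is an instance of Error, and that its message equals the expected OpenError name; checking only the message text is what lets a string rejection pass today.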

Open API Test Cases

A Opens B

  • AOpensB1: [ ] A calls fdc3.open('app B Name'), check app B opens
  • AOpensB1: [ ] A calls fdc3.open({name: "<app B Name>"}), check app B opens
  • AOpensB1: [ ] A calls fdc3.open({name: "<app B Name>", appId: "<app B ID>"}), check app B opens
  • AOpensB1: [ ] A calls {appID: "<app ID>"}, check app B opens. (FDC3 2.0)

A Fails To Open B

A Opens B With Context

App | Step | Description
A | Opening App | various open methods as in AOpensB1 except with a <context> argument
    check app opens
B | Context present | fdc3.addContextListener()
    - receives <context> from A
  • AOpensBWithContext: Perform above tests
  • AOpensBWithSpecificContext: Perform above but replace B's call with fdc3.addContextListener('fdc3.instrument')

Specific Context

App | Step | Description
A | Opening App | fdc3.open('app Name', <contact context>)
    check app opens
B | Context present | fdc3.addContextListener()
    - receives from A
A | Promise | - receives a rejection from the open promise with "App Timeout" from
    https://fdc3.finos.org/docs/api/ref/Errors#openerror
  • AOpensBWithWrongContext: As above
  • AOpensBNoListen: Skip fdc3.addContextListener() above.
  • AOpensBMultipleListen: B performs fdc3.addContextListener('fdc3.instrument') prior to the existing addContextListener. The correct context listener should receive the context, and the promise completes successfully
  • AOpensBMalformedContext: A tries to pass malformed context to B. Context listener receives nothing, promise completes successfully.
