SATORI: Static Test Oracle Generation for REST APIs

TL;DR

SATORI is a static, LLM-based approach for generating test oracles for REST APIs from their OpenAPI specs, outperforming existing dynamic methods and uncovering real bugs.

Contribution

Introduces SATORI, a novel static oracle inference method using large language models for REST APIs, enhancing test automation and bug detection capabilities.

Findings

Achieved 74.3% F1-score, surpassing AGORA+ (69.3%).

Generated hundreds of valid oracles per API operation.

Discovered 18 bugs leading to documentation updates.

Abstract

REST API test case generation tools are evolving rapidly, with growing capabilities for the automated generation of complex tests. However, despite their strengths in test data generation, these tools are constrained by the types of test oracles they support, often limited to crashes, regressions, and noncompliance with API specifications or design standards. This paper introduces SATORI (Static API Test ORacle Inference), a black-box approach for generating test oracles for REST APIs by analyzing their OpenAPI Specification. SATORI uses large language models to infer the expected behavior of an API by analyzing the properties of the response fields of its operations, such as their name and descriptions. To foster its adoption, we extended the PostmanAssertify tool to automatically convert the test oracles reported by SATORI into executable assertions. Evaluation results on 17 operations from 12 industrial APIs show that SATORI can automatically generate up to hundreds of valid test oracles per operation. SATORI achieved an F1-score of 74.3%, outperforming the state-of-the-art dynamic approach AGORA+ (69.3%)-which requires executing the API-when generating comparable oracle types. Moreover, our findings show that static and dynamic oracle inference methods are complementary: together, SATORI and AGORA+ found 90% of the oracles in our annotated ground-truth dataset. Notably, SATORI uncovered 18 bugs in popular APIs (Amadeus Hotel, Deutschebahn, FDIC, GitLab, Marvel, OMDb and Vimeo) leading to documentation updates by the API maintainers.