Search This Blog

Monday, September 28, 2009

Overview of BPT in QC

Business Components module:
Location where components are stored.
Test Plan module:
Location where test scripts are created and stored.
Location where Components are requested.
Test Lab module:
Location where test scripts are executed.


Requesting Components:
Create a new test in QC’s Test Plan module.
Navigate to the “Test Script” tab.
Click the “New Component request” button.
Fill in the new component request form.
Wait for Component status to become “Ready”.

Who will be using BPT?

Groups of BPT Users:
1.Subject Matter Experts (SME)
2.Automation Experts

Subject Matter Experts (SME):This is defined as a tester who is very knowledgeable with the AUT and capable of writing highly detailed manual test cases.
The Role of the SME is to:
Write exact test steps required for the component to playback and verify steps (must include data to use).
Request for Components to be automated.
Create the BPT test script. This will be done by adding components to the test script.
Execute BPT test scripts.
Gather test results.

Automation Expert:This is the person who will be using QTP to automate Components.
The Role of the Automation Expert:
Convert Manual Components into Automated Components.
Update and Maintain Automated Components.

When Should Components Not be Created?

One time testing.
Need to test ASAP.
Steps will not be reused *.
Expected results are not predictable.
AUT’s objects/business rules keep changing.
Cosmetic verifications (color, font…)

When Should Components be Created?

When steps will be repeated - even if the data is different for each iteration. The more repeatable, the better.
When the AUT is stable.

What is BPT - Business Process Testing?

Business Process Testing (BPT) is Mercury’s tool and concept which allows inexperienced automaters to easily create automation test scripts by piecing together reusable business components.
Components are a group of test steps that can be used in multiple test cases as well as in the same test case.
Components are seen in QC as icons (that look like pieces from a jig saw puzzle) but they contain QTP code.
In general, each screen/page in the AUT (Application Under Test) will have just one component created for it.

Saturday, August 15, 2009

Learning basics of QTP automation tool and preparation of QTP interview questions

1. What are the features and benefits of Quick Test Pro(QTP)?
1. Key word driven testing
2. Suitable for both client server and web based application
3. VB script as the script language
4. Better error handling mechanism
5. Excellent data driven testing features
2. How to handle the exceptions using recovery scenario manager in QTP?
You can instruct QTP to recover unexpected events or errors that occurred in your testing environment during test run. Recovery scenario manager provides a wizard that guides you through the defining recovery scenario. Recovery scenario has three steps
1. Triggered Events
2. Recovery steps
3. Post Recovery Test-Run
3. What is the use of Text output value in QTP?
Output values enable to view the values that the application talks during run time. When parameterized, the values change for each iteration. Thus by creating output values, we can capture the values that the application takes for each run and output them to the data table.
4. How to use the Object spy in QTP 8.0 version?
There are two ways to Spy the objects in QTP
1) Thru file toolbar: In the File ToolBar click on the last toolbar button (an icon showing a person with hat).
2) Thru Object repository Dialog: In Objectrepository dialog click on the button “object spy…” In the Object spy Dialog click on the button showing hand symbol. The pointer now changes in to a hand symbol and we have to point out the object to spy the state of the object. If at all the object is not visible or window is minimized then hold the Ctrl button and activate the required window to and release the Ctrl button.
5. What is the file extension of the code file and object repository file in QTP?
File extension of
Per test object rep: filename.mtr
Shared Object rep: filename.tsr
Code file extension id: script.mts
6. Explain the concept of object repository and how QTP recognizes objects?
Object Repository: displays a tree of all objects in the current component or in the current action or entire test( depending on the object repository mode you selected).
we can view or modify the test object description of any test object in the repository or to add new objects to the repository.
Quicktest learns the default property values and determines in which test object class it fits. If it is not enough it adds assistive properties, one by one to the description until it has compiled the unique description. If no assistive properties are available, then it adds a special Ordianl identifier such as objects location on the page or in the source code.
7. What are the properties you would use for identifying a browser and page when using descriptive programming?
“name” would be another property apart from “title” that we can use. OR
We can also use the property “micClass”.
ex: Browser(”micClass:=browser”).page(”micClass:=page”)
8. What are the different scripting languages you could use when working with QTP?
You can write scripts using following languages:
Visual Basic (VB), XML, JavaScript, Java, HTML
9. Tell some commonly used Excel VBA functions.
Common functions are:
Coloring the cell, Auto fit cell, setting navigation from link in one cell to other saving
10. Explain the keyword createobject with an example.
Creates and returns a reference to an Automation object
syntax: CreateObject(servername.typename [, location])
Arguments
servername:Required. The name of the application providing the object.
typename : Required. The type or class of the object to create.
location : Optional. The name of the network server where the object is to be created.
11. Explain in brief about the QTP Automation Object Model.
Essentially all configuration and run functionality provided via the QuickTest interface is in some way represented in the QuickTest automation object model via objects, methods, and properties. Although a one-on-one comparison cannot always be made, most dialog boxes in QuickTest have a corresponding automation object, most options in dialog boxes can be set and/or retrieved using the corresponding object property, and most menu commands and other operations have corresponding automation methods. You can use the objects, methods, and properties exposed by the QuickTest automation object model, along with standard programming elements such as loops and conditional statements to design your program.
12. How to handle dynamic objects in QTP?
QTP has a unique feature called Smart Object Identification/recognition. QTP generally identifies an object by matching its test object and run time object properties. QTP may fail to recognize the dynamic objects whose properties change during run time. Hence it has an option of enabling Smart Identification, wherein it can identify the objects even if their properties changes during run time.
Check out this:
If QuickTest is unable to find any object that matches the recorded object description, or if it finds more than one object that fits the description, then QuickTest ignores the recorded description, and uses the Smart Identification mechanism to try to identify the object.
While the Smart Identification mechanism is more complex, it is more flexible, and thus, if configured logically, a Smart Identification definition can probably help QuickTest identify an object, if it is present, even when the recorded description fails.
The Smart Identification mechanism uses two types of properties:
Base filter properties - The most fundamental properties of a particular test object class; those whose values cannot be changed without changing the essence of the original object. For example, if a Web link’s tag was changed from to any other value, you could no longer call it the same object. Optional filter properties - Other properties that can help identify objects of a particular class as they are unlikely to change on a regular basis, but which can be ignored if they are no longer applicable.
13. What is a Run-Time Data Table? Where can I find and view this table?
In QTP, there is data table used, which is used at runtime.
-In QTP, select the option View->Data table.
-This is basically an excel file, which is stored in the folder of the test created, its name is Default.xls by default.
14. How does Parameterization and Data-Driving relate to each other in QTP?
To data driven we have to parameterize. i.e. we have to make the constant value as parameter, so that in each interaction(cycle) it takes a value that is supplied in run-time data table. Through parameterization only we can drive a transaction (action) with different sets of data. You know running the script with the same set of data several times is not suggested, and it’s also of no use.
15. What is the difference between Call to Action and Copy Action.?
Call to Action: The changes made in Call to Action, will be reflected in the original action (from where the script is called). But where as in Copy Action , the changes made in the script ,will not effect the original script(Action)
16. Explain the concept of how QTP identifies object.
During recording qtp looks at the object and stores it as test object. For each test object QT learns a set of default properties called mandatory properties, and look at the rest of the objects to check whether this properties are enough to uniquely identify the object. During test run, QTP searches for the run time objects that matches with the test object it learned while recording.
17. Differentiate the two Object Repository Types of QTP.
Object repository is used to store all the objects in the application being tested.
Types of object repository: Per action and shared repository.
In shared repository only one centralized repository for all the tests. where as in per action for each test a separate per action repository is created.
18. What the differences are and best practical application of Object Repository?
Per Action: For Each Action, one Object Repository is created.
Shared: One Object Repository is used by entire application
19. Explain what the difference between Shared Repository and Per Action Repository
Shared Repository: Entire application uses one Object Repository , that similar to Global GUI Map file in WinRunner
Per Action: For each Action, one Object Repository is created, like GUI map file per test in WinRunner
20. Have you ever written a compiled module? If yes tell me about some of the functions that you wrote.
Sample answer (You can tell about modules you worked on. If your answer is Yes then You should expect more questions and should be able to explain those modules in later questions): I Used the functions for Capturing the dynamic data during runtime. Function used for Capturing Desktop, browser and pages.
21. Can you do more than just capture and playback?
Sample answer (Say Yes only if you worked on): I have done Dynamically capturing the objects during runtime in which no recording, no playback and no use of repository is done AT ALL.
-It was done by the windows scripting using the DOM(Document Object Model) of the windows.
22. How to do the scripting. Are there any inbuilt functions in QTP? What is the difference between them? How to handle script issues?
Yes, there’s an in-built functionality called “Step Generator” in Insert->Step->Step Generator -F7, which will generate the scripts as you enter the appropriate steps.
23. What is the difference between check point and output value?
An output value is a value captured during the test run and entered in the run-time but to a specified location.
EX:-Location in Data Table[Global sheet / local sheet]
24. How many types of Actions are there in QTP?
There are three kinds of actions:
Non-reusable action - An action that can be called only in the test with which it is stored, and can be called only once.
Reusable action - An action that can be called multiple times by the test with which it is stored (the local test) as well as by other tests.
External action - A reusable action stored with another test. External actions are read-only in the calling test, but you can choose to use a local, editable copy of the Data Table information for the external action.
25. I want to open a Notepad window without recording a test and I do not want to use System utility Run command as well. How do I do this?
You can still make the notepad open without using the record or System utility script, just by mentioning the path of the notepad “( i.e. where the notepad.exe is stored in the system) in the “Windows Applications Tab” of the “Record and Run Settings window.

What is VLDB

The perception of what constitutes a VLDB continues to grow. A one terabyte database would normally be considered to be a VLDB

What is ETL

ETL is a short for Extract, Transform and Load. It is a data integration function that involves extracting the data from outside sources , transforming it into business needs and ultimately loading it into a datawarehouse

ETL is an abbreviation for "Extract, Transform and Load".This is the process of extracting data from their operational data sources or external data sources, transforming the data which includes cleansing, aggregation, summarization, integration, as well as basic transformation and loading the data into some form of the data warehouse.

E: Extraction of data from the homogeneous/heterogenous sources.
T: Transforming/modifying the source data by applying some transformations like Filter, Expression, Router, Joiner, Union (or) Lookup.
L: Loading the Transformed data into corresponding Target tables.

What is the Difference between OLTP and OLAP

OLTP

Current data
Short database transactions
Online update/insert/delete
Normalization is promoted
High volume transactions
Transaction recovery is necessary


OLAP
Current and historical data
Long database transactions
Batch update/insert/delete
Denormalization is promoted
Low volume transactions
Transaction recovery is not necessary



OLTP is nothing but OnLine Transaction Processing ,which contains a normalised tables and online data,which have frequent insert/updates/delete.
But OLAP(Online Analtical Programming) contains the history of OLTP data, which is, non-volatile ,acts as a Decisions Support System and is used for creating forecasting reports.

Index
OLTP : FEW
OLAP : MANY
JOINS
OLTP : MANY
OLAP : FEW
oltp:


1.current data only

2.insert,update,delete operations are possible

3.continous changing of data

4.1 year data is present

5.only one record is processed at a time


6.data is present in 2d format


olap:

1.current+historical data

2.used for reprting and analysis

3.non volatile in nature

4.5-30 yrs of data is stored

5.group of records processed at a time

6.data is present in muti dim format

What is ER Diagram?

ER - Stands for entitity relationship diagrams. It is the first step in the design of data model which will later lead to a physical database design of possible a OLTP or OLAP database

The Entity-Relationship (ER) model was originally proposed by Peter in 1976 [Chen76] as a way to unify the network and relational database views.

Simply stated the ER model is a conceptual data model that views the real world as entities and relationships. A basic component of the model is the Entity-Relationship diagram which is used to visually represents data objects.

Since Chen wrote his paper the model has been extended and today it is commonly used for database design For the database designer, the utility of the ER model is:

it maps well to the relational model. The constructs used in the ER model can easily be transformed into relational tables.
it is simple and easy to understand with a minimum of training. Therefore, the model can be used by the database designer to communicate the design to the end user.

In addition, the model can be used as a design plan by the database developer to implement a data model in a specific database management software.

How to Run Scripts/Cases in QC

Firstly we got to download Mercury Quality Center Connectivity Addin and QuickTest Professional Addin

Open QC,
Create a new Subject in Test Plan

Then place all your QTP scripts in folder
Open QTP and file - > Quality Center Connection
Enter url
Connect
Enter QC UserID and Password
Project : Domain & Project
Open the script you wish to run, click on File - > Save As ....select Quality Center button in the right botton corner
Seelct the relevant subject folder created before in QC
Click on OK


Login to QC, in Test lab, select the testscripts uploaded and click on Run

Framework for Automation

Framework is set of rules defined for developping and organising the test scripts.There are diffrent types of Framework are available namely modularized type of framework, library based, data driven, keyword driven and hybrid framework.

You can use any of these Framework for automation. It depends on the project and its criticality.

Hybrid Framework represents combination of other different framework in order to maintain code/scripts. You can choose some external files for updation of fields in the projects/application(say excel sheets or text files) and you need to import the file to the script, so whenever u want to update the script by different set of value you just need to update the external files which will effect on the automation script

Keyword based Framework

Keyword-driven Framework separates much of the programming work from the actual test steps so that the test steps can be developed earlier and can often be maintained with only minor updates, even when the application or testing needs change significantly.
It consists of driver, control scripts etc.

Data - Driven Frameworks

Test scripts are executed and verified based on the data values stored in one or more central data sources or databases. These databases can range from datapools, odbc sources, csv files, excel files, dao objects, ado objects, etc.
The establishment of several interacting test scripts together with their related data results in a Framework used for the methodology. In this Framework, variables are used for both input values and output verification values: navigation through the program, reading of the data sources, and logging of test status and information are all coded in the test script.
Thus, the logic executed in the script is also dependant on the data values.

Test script modularity Framework

The test script modularity Framework requires the creation of small, independent scripts that represent modules, sections, and functions of the application-under-test. These small scripts are then used in a hierarchical fashion to construct larger tests, realizing a particular test case.
It is called as modular since we are breaking the scripts into modules - a few of which are compile modules or reusable. This is the simplest of all Frameworks.

What is FrameWork in QTP

1)Framework defines how to approach for scripting .Framework may change form company to company & project to project.
It may be recording or descriptive
…………………………………….
Automation Framework is nothing but Common Name Conviction where all the team members should follow same names(like OK ...)while updating in the object repository in order to
avoid confusion.
……………………….
Automation Framework is nothing but the way we r doing automation is represented in a systematic way with proper planning like Initial Setup(setting up shared
repository..), Tool configuration,Test Data files,library
files,Script generation,Enhancements,Synchronisation,Exception
handling,Batch test,maintaning the scripts....all whichever
related to our automation plan.
…………………………………
Automation Framework is nothing but a set of guidelines designed by expert to accomplish a task in an
effective,eficcient and an optimised way. there are 4 different types of Framework 1)linear 2)
modular 3)keyword 4)hybrid max we follow keyword Framework
keyword Framework is nothing but creating a software
structure like
1)scripts 2)object repository 3)test data 4)recovery
scenario 5)log files 6)library files etc
1)create scripts and save it in scripts component
2)create shared o.r and save it in o.r component
3)create test data and save it in test data component
Etc after creating all these components include the files or
components to script or qtp and execte the script
………………………………….
Automation Framework is one....it is a test plan for automation testing which drives entire automation testing
in a sytemamatic and scientific manner to execute the test script like Main Script--->DriverScripts--->Environment variables, Library files, Functions, Test Data(data table -
Parameterization.

Here MainTest Script will call the DriverScripts
DriverScripts will call the required Env, Lib files,
Func.....etc.
So the entire test will be executed/carried out in a flow like explained above.(This comes under Keyword Driven Framework).
………………………………………….

In real time projects, we use to call, Framework as a folder. This folder contains the components such as ,
Object Repository, logs ,test data,script,result...etc. so whatever files are created to develop a script are stored
in a separate folder, which is nothing but a Framework.
…………………………………….


It basically depends upon the type of Framework being used - datadriven, modular, keyword based or hybrid Framework.

Test automation Framework is a set of assumptions, concepts and practices that provide support for automated software testing.

Common Error Message Description in QTP

Error Number Description
429 ActiveX component can't create object
507 An exception occurred
449 Argument not optional
17 Can't perform requested operation
430 Class doesn't support Automation
506 Class not defined
11 Division by zero
48 Error in loading DLL
5020 Expected ')' in regular expression
5019 Expected ']' in regular expression
432 File name or class name not found during Automation
operation
92 For loop not initialized
5008 Illegal assignment
51 Internal error
505 Invalid or unqualified reference
481 Invalid picture
5 Invalid procedure call or argument
5021 Invalid range in character set
94 Invalid use of Null
448 Named argument not found
447 Object doesn't support current locale setting
445 Object doesn't support this action
438 Object doesn't support this property or method
451 Object not a collection
504 Object not safe for creating
503 Object not safe for initializing
502 Object not safe for scripting
424 Object required
91 Object variable not set
7 Out of Memory
28 Out of stack space
14 Out of string space
6 Overflow
35 Sub or function not defined
9 Subscript out of range
5017 Syntax error in regular expression
462 The remote server machine does not exist or is
unavailable
10 This array is fixed or temporarily locked
13 Type mismatch
5018 Unexpected quantifier
500 Variable is undefined
458 Variable uses an Automation type not supported in
VBScript
450 Wrong number of arguments or invalid property
assignment

Checklist for web services

Design Considerations
Check Description

Design chunky interfaces to reduce round trips.

Prefer message-based programming over remote procedure call (RPC) style.

Use literal message encoding for parameter formatting.

Prefer primitive types for Web service parameters.

Avoid maintaining server state between calls.

Consider input validation for costly Web methods.

Consider your approach to caching.

Consider approaches for bulk data transfer and attachments.

Avoid calling local Web Services.
Connections
Check Description

Configure the maxconnection attribute.

Prioritize and allocate connections across discrete Web services.

Use a single identity for outbound calls.

Consider UnsafeAuthenticatedConnectionSharing with Windows Integrated Authentication.

Use PreAuthenticate with Basic authentication.
Threading
Check Description

Tune the thread pool using the formula for reducing contention.

Consider minIoThreads and minWorkerThreads for intermittent burst load.
One Way (Fire and Forget) Communication
Check Description

Consider using the OneWay attribute if you do not require a response.
Asynchronous Web Methods
Check Description

Use asynchronous Web methods for I/O operations.

Do not use asynchronous Web methods when you depend on worker threads.
Asynchronous Invocation
Check Description

Consider calling Web services asynchronously when you have additional parallel work.

Use asynchronous invocation to call multiple unrelated Web services.

Call Web services asynchronously for UI responsiveness.
Timeouts
Check Description

Set your proxy timeout appropriately.

Set your ASP.NET timeout greater than your Web service timeout.

Abort connections for ASP.NET pages that timeout before a Web services call completes.

Consider the responseDeadlockInterval attribute.
WebMethods
Check Description

Prefer primitive parameter types.

Consider buffering.

Consider caching responses.

Enable session state only for Web methods that need it.
Serialization
Check Description

Reduce serialization with XmlIgnore.

Reduce round trips.

Consider XML compression.
Caching
Check Description

Consider output caching for less volatile data.

Consider providing cache-related information to clients.

Consider perimeter caching.
State Management
Check Description

Use session state only where it is needed.

Avoid server affinity.
Attachments
Check Description

Prefer Base64 encoding. Direct Internet Message Encapsulation (DIME) is a supported part of Web Services Enhancements (WSE), but Microsoft® is not investing in this approach long-term. DIME is limited because the attachments are outside the SOAP envelope.
COM Interop
Check Description

Avoid single-threaded apartment (STA) COM objects.

Folder Structure in QTP Package

The high level explanation could be as follows:

1.

2.
a. Action folders : , , ....

b. Files inside the :
1. .cfg file -
This holds the run time information like addins loaded, user information, etc.

2. .prm file -
Hlds the information about the number of iterations and the parameters that are used within the script / action.

3. .usr file -
This will be generated to hold the name of the script, the object repository info, etc.

4. .lck file -
This is a lock file.

5. .mtr file -
(No idea)

6. .xls sheet -
The default sheet that holds the parameters used within the script.

7. .prm.bak file -
backup file.

8. .usp file -
Stores some RUnLogic information for the script.

9. thin_usr.dat file -
similar to the thick usr file. The diff is not clear exactly.

10. thick_usr.dat file -
Stores high level info about all the above and below files indicating what set of files was created, etc.

11. .tsp file -
??

3. folder:
This is a default folder that is created to hold the following:

a. folder:
This will hold all the active screen files which are zipped, pertaining to that action.

b. Resource.mtr file -
This file holds info regarding the object rep used, the shared libraries used, and possibly maitains a track of how the script is being accessed through the code. Ie. the call chain.

c. Script.mts -
This is the script file actually.

d. .tsr -
The object rep file if used in per action mode.

e. The result file.

f. The action excel sheets.

The subsequent action folders hold similar set of files.

What is QTP 9.2?

• HP Quick Test Pro 9.2 is a functional automation and regression testing tool
• QTP provides record and playback of events
• Uses VBScript as the scripting Language
• Provides keyword view and expert view to view test cases.
• Latest versions of QTP is 9.5 (launched in mid Jan 2008)
• Previous version of QTP: 6.5, 8.0, 8.1, 8.2, 9.0, 9.1
• QTP was previously owned by Mercury Interactive®

Procedure 2

Installing QTP 9.5 on Clean Machines
• Click on Setup.exe file to install QTP 9.5 s/w
• Once installation is complete Create a Folder “License Manager” under C:\Program Files\Common Files\Mercury Interactive\
• Double click the Crack “l-mqt82.exe”. This would create a “lservrc” file under “C:\Program Files\Common Files\Mercury Interactive\License Manager”
• Open the lservrc file with any editor (Notepad) and Copy everything before "QuickTestPro" version "6.0" and manually enter it when QTP asks for the new license key.
• Once done enjoy using QTP 9.5.

Note: You can create scripts in QTP 9.5 but those scripts cannot be accessed in QTP 9.2 version. Install the Patch “QTP_00538 (Patch for QTP 9.2 to Open 9.5 scripts).EXE.” on machines with QTP 9.2 and you can open the scripts in only Read-Only Mode (Cannot edit the scripts)

QTP 9.5 Installation Procedure

Procedure1:
Removing previous installations of QTP
• Uninstall QTP from Add/Remove Programs
• Delete Mercury Interactive folder from C:\Program Files
• Delete Mercury Interactive folder from C:\Program Files\Common Files
• Open Regedit Expand HKEY_CURRENT_USER, Expand Software and Delete the entire Mercury Interactive Folder (Perform the same operation for HKEY_LOCAL_MACHINE)
• Restart the Machine and click on Setup.exe file to install QTP 9.5 s/w
• Once installation is complete Create a Folder “License Manager” under C:\Program Files\Common Files\Mercury Interactive\
• Double click the Crack “l-mqt82.exe”. This would create a “lservrc” file under “C:\Program Files\Common Files\Mercury Interactive\License Manager”
• Open the lservrc file with any editor (Notepad) and Copy everything before "QuickTestPro" version "6.0" and manually enter it when QTP asks for the new license key.
• Once done enjoy using QTP 9.5.

STEPS TO UPLOAD MANUAL TEST CASES into QUALITY CENTER

1. Login to the Quality center.
2. Click on Help->Add-ins page.
3. Click on more HP Quality Center Add-ins from Quality center-Add- INS page.
4. Click on Microsoft excel Add in under Microsoft Add-ins.
5. Download excel add-in for Quality center 9.2.
6. Install it.
7. Create Test cases in Excel sheet with the columns.
• Application Type
• Descriptive Test Name
• Product
• Subject
• Test Category
• Test Name
• Step name
• Description
• Expected Result
• Starting Screen
• Ending Screen
• Call to reusable
8. Select one test Case rows(steps under the test case) and click on export to Quality Center under Add-ins tab.
9. Enter Quality Center URL and click next.
10. Enter Username and Password click on next.
11. Select Domain name (Default) and Project name (SmokeTest_RollOut) and click on next.
12. Select “Tests” from specify the type of data you would like to export: Dialog and click on next.
13. Type any map name (Ex: Rofous,WAB etc) in “Type a new map name” Edit field and click on next.
14. Map the Excel columns with the Quality Center columns and click on next.
15. User will get confirmation message, successfully exported to Quality Center.

Defining user permissions in QC

Girish's: Defining user permissions

Girish's: OTA, an API for extending Quality Center

Girish's: OTA, an API for extending Quality Center

Password checking

This week, I will make a short article regarding how to ensure the user has set a password long enough.
As you know, there is no password checking in Quality Center, and even a blank password is still considered as a valid password. If you have already installed the Quality Center Demo project, you are aware that the default users ‘alice_qc’, ‘cecil_qc’ and al. all have a blank password.
If you have some system administration background, you also certainly know that this is bad practice (very bad, to be exact).
So, now, the question is ‘How to check a user’s password?’ Good question and I will answer that in the next paragraphs.
If you remember from last week, the workflow provides a set of event functions where you can control the behavior of Quality Center. The one that interest us today is Project_CanLogin. Indeed, this function has the following prototype:

Function Project_CanLogin(DomainName, ProjectName, UserName)
where:
• DomainName: Name of the domain the user is trying to log in
• ProjectName: Name of the project the user is trying to log in
• UserName: Name of the user who is trying to log in
• and more importantly, this function returns a boolean value that indicates if you accept or not this user. False, for stay away from my project
Now, we can deny access to a user but we still cannot check his password. But this can be quickly resolved. There is an object called TDConnection (nearly the same as in the OTA API) that has an interesting property called Password.
If you try to do the following in Project_CanLogin then you will see your password:

MsgBox TDConnection.Password
We now have all the building blocks for solving the issue:

Function Project_CanLogin(DomainName, ProjectName, UserName)
‘ First Check the password.
If TDConnection.Password = “” Then
MsgBox “Your user id does not have any password defined. Please contact the project administrator.”, 0, “Error”
Project_CanLogin = False
Else
Project_CanLogin = True
End If
End Function
OK, not too bad but maybe we can go a little bit further. Now, we can even enforce a length of minimum 8 characters and force the user to change his or her password if the size is incorrect. The full script is below:

Function Project_CanLogin(DomainName, ProjectName, UserName)
‘ First Check the password.
If TDConnection.Password = “” Then
MsgBox “Your user id does not have any password defined. Please contact the project administrator.”, 0, “Error”
Project_CanLogin = False
Exit Function
ElseIf Len(TDConnection.Password) < 8 Then
MsgBox “Your password length is too short. You have to change your password now and log in again.”, 0, “Error”
Project_PasswordChange UserName
Project_CanLogin = False
Exit Function
End If
Project_CanLogin = True
End Function
Sub Project_PasswordChange(UserName)
OldPassword = InputBox(“Type in your old password:”, “Password Change”)
Select Case OldPassword
Case “”
MsgBox “You will not be allowed to log into this project.”
Exit Sub
End Select
NewPassword1 = InputBox(“Type a new password with 8 or more characters:”, “Password Change”)
Select Case NewPassword1
Case “”
MsgBox “You will not be allowed to log into this project.”
Exit Sub
Case Else
If Len(NewPassword1) < 8 Then
MsgBox “Your password is too short, please type a longer password.”, 0, “Error”
Project_PasswordChange UserName
Exit Sub
End If
End Select
NewPassword2 = InputBox(“Retype your new password:”, “Password Change”)
If NewPassword1 = NewPassword2 Then
On Error Resume Next
TDConnection.ChangePassword OldPassword, NewPassword1
If Err.Number <> 0 Then
MsgBox “Your password was not changed:” & vbNewLine & Err.Description, 0, “Error”
Else
MsgBox “Your password has been successfully changed”, 0, “Information”
End If
On Error GoTo 0
Else
MsgBox “Password is invalid.”, 0, “Error”
End If
End Sub
That’s it for today. One last remark: anything you define in the workflow only applies to 1 project. So, if you want to impose this rule to all your projects, you have to copy this code in all the workflows.

Quality Center API

The manipulation API is called Quality Center API and allows the interaction with Quality Center. It also allows you to interact with the database through the API making the interactions more secure. Also, it avoids your DBA (DataBase Administrator) having to provide an access to the database server(s) hosting the Quality Center database(s).
The API has only 1 entry point which is the TDConnection object. From this object, you can access a lot of Quality Center functionalities. The API functions are accessible through VBScript and any COM aware programming languages. It means that you can use this API as a standalone .VBS application, a macro in an Excel file, a script in QuickTest Professional or any other application where you would like to integrate such functionalities.
As an example, we are going to download all the defects that are stored on a Quality Center project using the Excel application.
The steps involve:
1. Connect to the project
2. Run a query to retrieve a list of defects
3. Store the result in an Excel worksheet
1. Connect to the project
Each project stored in a Quality Center server is identified by its pair Domain/Project and a project is accessible only if the user belongs to this project. The connection to a server can be done by using only 4 lines of code:

Dim QCConnection
‘ Return the TDConnection object.
Set QCConnection = CreateObject(“TDApiOle80.TDConnection”)
QCConnection.InitConnectionEx “http:///qcbin”
QCConnection.login “”, “
‘ DEFAULT = Domain, QualityCenter_Demo = Project
QCConnection.Connect “DEFAULT”, “QualityCenter_Demo”
2. Execute a query
To execute a query in Quality Center, you have several options available.
The first one is to use the Command object. This object can run SQL queries for any Quality Center table. However, you need to be aware of what table to query and make sure you know what you do because you can mess up Quality Center. Also, this Command object can be used only if you are part of the TDAdmin group in this project.
The second one is to use a Factory object. The factory object returns objects that are part of the API, restricting the user from making mistakes. This is the method we’ll be using in this article. To access the defects, we are using the BugFactory:

Dim BugFactory, BugList
Set BugFactory = QCConnection.BugFactory
Set BugList = BugFactory.NewList(“”) ‘ Get a list of all the defects.
3. Store the result in an Excel worksheet.
We assume that you are running this script from a VBS file. Consequently, we have to open Excel first, then store the data in an Excel worksheet:

Dim Bug, Excel, Sheet
Set Excel = CreateObject(“Excel.Application”) ‘ Open Excel
Excel.WorkBooks.Add() ‘ Add a new workbook
‘ Get the first worksheet.
Set Sheet = Excel.ActiveSheet
Dim Bug, Row
Row = 1
‘ Iterate through all the defects.
For Each Bug In BugList
‘ Save a specified set of fields.
Sheet.Cells(Row, 1).Value = Bug.Field(“BG_BUG_ID”)
Sheet.Cells(Row, 2).Value = Bug.Summary
Sheet.Cells(Row, 3).Value = Bug.DetectedBy
Sheet.Cells(Row, 4).Value = Bug.Priority
Sheet.Cells(Row, 5).Value = Bug.Status
Sheet.Cells(Row, 6).Value = Bug.AssignedTo
Row = Row + 1
Next
‘ Save the newly created workbook and close Excel.
Excel.ActiveWorkbook.SaveAs(“c:\QualityCenter_Demo_DEFECTS.xls”)
Excel.Quit

QC Architecture

The QC Client/Server architecture is a 3-tier architecture (web server, application server and database server). The figure below shows the interaction between the components. They consist of:
• Client application: the QC GUI front-end that you use when accessing Quality Center through your browser. Or any other application that communicates with QC using the API;
• Web server: the QC communication between the client and the server are performed using the HTTP protocol;
• Application server: by default, the JBOSS application server is installed with Quality Center. the QC application is built using Java and requires a J2EE application server. The J2EE platform is particularly well designed for client/server applications over the Internet
• Quality Center application: developed to be executed on a J2EE application server;
• Database Server: the database that holds the Quality Center information.

OTA, an API for extending Quality Center

OTA is:
1. An integration API that allows the integration of any third-party tool within Quality Center;
2. A manipulation API that permits the interaction with the Quality Center application without having to use the GUI frontend.
We will not talk about the integration API so if you are interested in learning more, log on your QC server then select Help > Documentation and read the OTA Guide.

Quality Center security issue

A severe security issue in Quality Center has been discovered by Exposit Limited. This issue can be used to corrupt Quality Center data or gain project administrator privileges.
The problem has been discovered in version 9.0 of Quality Center and it affects all the releases up to public patch 16. The issue also exists in version 9.2 up to latest public patch 3. We haven’t tested earlier releases of the product but we strongly believe that they are affected by the same issue.
Customers using Quality Center 9.0 or below are advised to upgrade to at least Quality Center 9.0 patch 16 in order to minimize the impact of this issue. Patch 16 and patch 18 limit the effect of the defect.
Customers using Quality Center 9.2 are also at risk of data corruption and should wait for a patch from HP Customer Support.
The issue has been reported to security instances under reference CVE-2007-5289 and vulnerability disclosure is being coordinated with the vendor (HP).
We will keep you updated as soon as a patch becomes available.

QC Project Management version 2.00

A new version of QC Project Management has been released today.
The existing features have been improved especially regarding performance. Also, you will find some new handy functionalities such as:
• Email preview: now when preparing an email for mailing the Quality Center users, you can preview and send a test email;
• Export: you can now export the list of Quality Center users to an Excel spreadsheet;
• Import: instead of manually adding new users, you can use an Excel spreadsheet and import the users automatically;
• Groups: to avoid having to use the Quality Center customization after creating users, you can now assign users to groups directly from the QC Project Management application;
• Locks removal: if a resource gets locked, you can now remove it without the help of the Site Administrator.
Not yet a user, download a 10 days evaluation license from here.
Please note that this new release replaces the QC User Management v1.x application.

Vulnerability in Quality Center

Find below the details of a vulnerability in the HP Quality Center product (formely Mercury Quality Center). It is referenced as CVE-2007-5289 (VU#898865).
To solve this issue, it is advised to upgrade to version 9.2 of Quality Center and apply the latest patch.
Note that Quality Center 10.0 is vulnerable to this issue.
Introduction
Quality Center (QC) is a web-based QA testing and management tool. It is a product from HP when they took over Mercury Interactive last year.
The front-end of the application is composed of COM components that plug into the web browser. Quality Center provides a customization capability (called workflow) which allow the administrator to modify the default behavior. This workflow is driven by VBScript functions that are called whenever a particular event occurs on the client front-end.
In order to optimize the interaction speed of the application, a cache folder is created on the client machine. By default, this folder is located at %tmp%/TD_80. Whenever a user connects to a Quality Center project, 2 folders are created within the cache folder. One of these folders contain a copy of the workflow scripts used to customize the application. Indeed, those files are required on the client machine because the workflow is execute on the client, not on the server.
There exists 1 VBScript workflow file per feature. Those are:
• Login/Logout (common.tds)
• Defects module (defects.tds)
• Manual Test Execution (manrun.tds)
• Test Requirements module (req.tds)
• Test Lab module (testlab.tds)
• Test Plan module (testplan.tds)
The customization feature of Quality Center is often used for:
• Controlling password compliance (no blank password, more than 8 letters, etc.)
• Chained lists (when a value is selected in a field, another field gets updated with a list relevant to that value)
• Automatic updates to some QC components (Test, Test Set, Defect objects, hidden fields)
• Hidding information depending on the user’s group (used when a project is shared with different vendors)
• Others
The workflow is often driven by using the OTA (Open Test Architecture), the Quality Center API. This API allows the manipulation of any QC object (e.g. Subject folder, Test/Defect objects, Fields, etc.). It also allows the direct manipulation of the database used by Quality Center.
Issue
When a user connects to Quality Center, the cache folder is automatically updated with the latest VBScript workflow files. Those files are then read by the QC front-end only once for the whole session. They are then used by the application whenever the associated events are raised.
There are 2 main points that make this workflow highly vulnerable:
1. Those files are written in plain text;
2. Marking those files as read-only (through the file properties) will prevent Quality Center from overwriting them.
If a user modifies this file and then mark it as read-only, he can execute arbitrary code. As the OTA API allows access to the database, he can also modify the data stored in the database as follows:
• Quality Center 10.0 Patch 1 or below (Tested)
- Severity High: user has higher capability than defined by their profile
• Quality Center 9.2 (Unconfirmed)
- Severity High: user has higher capability than defined by their profile;
- Patch 14 contains the fix, earlier patches is unknown
• Quality Center 9.0 Patch < 17
- Severity Highly Critical: a user (even with a Viewer profile) can amend the data rendering it useless. He will also have higher capability than defined by their profile
• Quality Center 8.2 / 8.0 (Unconfirmed)
- Severity Highly Critical: a user (even with a Viewer profile) can amend the data rendering it useless. He will also have higher capability than defined by their profile
• TestDirector (Any Version)
- TestDirector is the former name of Quality Center
- Potentially the same issues as for Quality Center 9.0 Patch < 17
Please note that HP has released a patch that fixes this issue, please contact HP support for further details.
Example
This really short example shows how a user can simply change the content of all the defects to some meaningless values:
Please, do not try the following example as it will permanently damage you Quality Center data.
Sub Defects_Bug_MoveTo
Set objCommand = TDConnection.Command
objCommand.CommandText = "UPDATE BUG SET BG_SUMMARY='Useless', BG_DESCRIPTION='Useless'"
objCommand.Execute
End Sub
Notes
You can find your patch level by login into a Quality Center project, selecting the menu option Help > About HP Quality Center Software… and clicking the Additional Information button.
Patches for Quality Center are available at http://support.openview.hp.com/selfsolve/patches (login required).