Taxonomy is the practice and science (study) of classification of things and concepts, including the principles that underlie such classification [source: Wikipedia]. The first time I heard of how to apply taxonomy in software testing was in the BBST Test Design course. You can find more details in Dr. Cem Kaner's paper, Bug Taxonomies: Use Them to Generate Better Tests.

In my testing I often have to test CRUD functionality. I searched for a CRUD (create, retrieve, update, delete) bug taxonomy list, but Google did not list any relevant result.

In this post I will try to build a bug taxonomy for the CRUD acronym. The CRUD acronym is often used, and I think that many testers would find that list very useful. At the end, I will map the CRUD acronym onto REST API methods.

In this example we have an object with mandatory and optional attributes. One of the attributes must have a unique value. The client side could create any object (no check is performed there), and the server has to do all checks. The context of the bug taxonomy is the object's attribute values.

Create object:

  • missing mandatory attribute
  • attribute does not belong to object
  • duplicate attribute
  • wrong attribute value type
  • wrong attribute value range
  • wrong attribute value format
  • existing value for unique attribute value

Retrieve object:

  • missing unique attribute value
  • unique attribute value does not exist
  • wrong type of unique attribute value
  • missing attribute in response

Update object:

  • missing unique attribute value
  • unique attribute value does not exist
  • update of unique attribute value to existing value
  • wrong type of unique attribute value
  • duplicate attribute
  • wrong attribute value type
  • wrong attribute value range
  • wrong attribute value format
  • attribute does not belong to object

Delete object:

  • missing unique attribute value
  • unique attribute value does not exist
  • wrong type of unique attribute value
  • object already deleted

Notice the redundancy in Retrieve, Update and Delete.

This could be easily mapped to REST API:
Create -> POST
Retrieve -> GET
Update -> PUT
Delete -> DELETE

When I start testing a REST API, I first automate tests for the CRUD bug taxonomy. But that taxonomy must also be used by project management in order to negotiate the REST API protocol. For every object, we must know:

  • attributes
  • mandatory attributes
  • unique attributes
  • attribute value type
  • attribute value range
  • attribute value format

Otherwise, the REST API could easily be used for malicious data manipulation. If you find that I missed some bug taxonomy, please let me know and I will add it to the list.
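The Create list above can be turned into a server-side check that reports every taxonomy item a POST body triggers. This is an added example, not code from the original post. The contract in `SCHEMA`, the `UNIQUE` attribute, the attribute names and the function `check_create` are all hypothetical, and the body is assumed to be a flat JSON object.

```python
import json
import re

# Hypothetical contract: attribute -> (type, mandatory, allowed range, format regex).
SCHEMA = {
    "username": (str, True, None, r"[a-z][a-z0-9_]{2,15}"),
    "age": (int, True, range(0, 151), None),
    "email": (str, False, None, r"[^@\s]+@[^@\s]+\.[a-z]{2,}"),
}
UNIQUE = "username"


class Pairs(list):
    """Raw key/value pairs of a JSON object, so duplicate keys stay visible."""


def check_create(raw_body, existing):
    """Return Create taxonomy findings for a raw JSON body; empty list means accept."""
    try:
        pairs = json.loads(raw_body, object_pairs_hook=Pairs)
    except json.JSONDecodeError:
        return ["body is not valid JSON"]
    if not isinstance(pairs, Pairs):
        return ["body is not a JSON object"]
    findings, obj = [], {}
    for key, value in pairs:
        if key in obj:
            findings.append(f"duplicate attribute: {key}")
        obj[key] = value
    for key, (_, mandatory, _, _) in SCHEMA.items():
        if mandatory and key not in obj:
            findings.append(f"missing mandatory attribute: {key}")
    for key, value in obj.items():
        if key not in SCHEMA:
            findings.append(f"attribute does not belong to object: {key}")
            continue
        typ, _, allowed, fmt = SCHEMA[key]
        if type(value) is not typ:  # exact match: bool must not pass as int
            findings.append(f"wrong attribute value type: {key}")
        elif allowed is not None and value not in allowed:
            findings.append(f"wrong attribute value range: {key}")
        elif fmt is not None and not re.fullmatch(fmt, value):
            findings.append(f"wrong attribute value format: {key}")
        elif key == UNIQUE and value in existing:
            findings.append(f"existing value for unique attribute: {key}")
    return findings
```

The raw body is parsed with `object_pairs_hook` because a plain `json.loads` silently keeps only the last of two duplicate keys, which would hide the "duplicate attribute" case from the server.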