From bcf75b0bd41390106737f8a74f25133b44e855d7 Mon Sep 17 00:00:00 2001
From: Philip Betzler
Date: Sat, 13 Jan 2024 16:01:12 +0100
Subject: [PATCH 1/7] added workflow to execute fuzz test on pull request to main
---
.github/workflows/main.yaml | 84 +++++++++++++++++++++++++++++++++++++
1 file changed, 84 insertions(+)
create mode 100644 .github/workflows/main.yaml
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
new file mode 100644
index 0000000..1139ed0
--- /dev/null
+++ b/.github/workflows/main.yaml
@@ -0,0 +1,84 @@
+name: CI Fuzz
+# Set an action secret called "CI_FUZZ_API_TOKEN" with an API token
+# generated in CI Fuzz web interface.
+
+on:
+ workflow_dispatch:
+ push:
+ branches: [ main ]
+ pull_request:
+ branches: [ main ]
+
+env:
+ # The fuzzing server gRPC URL.
+ FUZZING_SERVER_ADDRESS: grpc.code-intelligence.com:443
+ # The fuzzing server HTTP URL.
+ WEB_APP_ADDRESS: https://app.code-intelligence.com
+ # Directory in which the repository will be cloned.
+ CHECKOUT_DIR: checkout-dir/
+ CIFUZZ_DOWNLOAD_URL: "https://github.com/CodeIntelligenceTesting/cifuzz/releases/latest/download/cifuzz_installer_linux_amd64"
+ CIFUZZ_INSTALL_DIR: ./cifuzz
+ FUZZING_ARTIFACT: fuzzing-artifact.tar.gz
+jobs:
+ fuzz_tests:
+ runs-on: ubuntu-latest
+ # Configure your build environment here
+ # container: example/docker_image
+ steps:
+ - id: checkout
+ name: Checkout Repository
+ uses: actions/checkout@v2
+ with:
+ path: ${{ env.CHECKOUT_DIR }}
+ - id: install-cifuzz
+ name: Install cifuzz
+ run: |
+ curl --fail --silent --show-error --location -o cifuzz_installer "$CIFUZZ_DOWNLOAD_URL"
+ chmod u+x cifuzz_installer
+ ./cifuzz_installer --install-dir $CIFUZZ_INSTALL_DIR
+ - id: build-fuzzers
+ name: Build Fuzzers
+ env:
+ BRANCH_NAME: ${{ github.head_ref || github.ref_name }}
+ run: |
+ export cifuzz_DIR="$GITHUB_WORKSPACE/$CIFUZZ_INSTALL_DIR/share/cmake"
+ cd $CHECKOUT_DIR/
+ $GITHUB_WORKSPACE/$CIFUZZ_INSTALL_DIR/bin/cifuzz bundle \
+ --commit $GITHUB_SHA \
+ --branch $BRANCH_NAME \
+ --output $GITHUB_WORKSPACE/$CHECKOUT_DIR/$FUZZING_ARTIFACT
+ shell: "bash"
+ - id: start-fuzzing
+ name: Start Fuzzing
+ uses: CodeIntelligenceTesting/github-actions/start-fuzzing@v5
+ with:
+ ci_fuzz_api_token: ${{ secrets.CI_FUZZ_API_TOKEN }}
+ fuzzing_server_address: ${{ env.FUZZING_SERVER_ADDRESS }}
+ fuzzing_artifact: ${{ env.CHECKOUT_DIR }}/${{ env.FUZZING_ARTIFACT }}
+ checkout_directory: ${{ env.CHECKOUT_DIR }}
+ - id: monitor-fuzzing
+ name: Fuzzing
+ uses:
CodeIntelligenceTesting/github-actions/monitor-fuzzing@v5 + with: + ci_fuzz_api_token: ${{ secrets.CI_FUZZ_API_TOKEN }} + test_collection_run: ${{ steps.start-fuzzing.outputs.test_collection_run }} + fuzzing_server_address: ${{ env.FUZZING_SERVER_ADDRESS }} + dashboard_address: ${{ env.WEB_APP_ADDRESS }} + - id: save-results + name: Save Fuzz Test Results + uses: CodeIntelligenceTesting/github-actions/save-results@v5 + if: ${{ success() || failure() }} + with: + ci_fuzz_api_token: ${{ secrets.CI_FUZZ_API_TOKEN }} + test_collection_run: ${{ steps.start-fuzzing.outputs.test_collection_run }} + fuzzing_server_address: ${{ env.FUZZING_SERVER_ADDRESS }} + dashboard_address: ${{ env.WEB_APP_ADDRESS }} + - id: upload-artifact + uses: actions/upload-artifact@v2 + if: ${{ (success() || failure()) }} + with: + name: ci_fuzz_results + path: | + findings.json + coverage.json + web_app_address.txt \ No newline at end of file From 83c17449ff11797ccfa2006b903f968e66bcea61 Mon Sep 17 00:00:00 2001 From: Philip Betzler Date: Sat, 13 Jan 2024 16:15:43 +0100 Subject: [PATCH 2/7] fixed security exception issue in simple example --- src/main/java/com/demo/libraries/SimpleExample.java | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/main/java/com/demo/libraries/SimpleExample.java b/src/main/java/com/demo/libraries/SimpleExample.java index e3402f4..1f108df 100644 --- a/src/main/java/com/demo/libraries/SimpleExample.java +++ b/src/main/java/com/demo/libraries/SimpleExample.java @@ -19,7 +19,8 @@ public void simpleExampleFunction(int a, int b, String c) { if (b >= 2000000) { if (b - a < 100000) { if (c.equals("Attacker")) { - throw new SecurityException(); + // "fixed" security issue + //throw new SecurityException(); } } } From c0b52fd29bf43e7dacbc2f610cdc953ed27fd721 Mon Sep 17 00:00:00 2001 
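Review bot: The workflow declares no `permissions:` block, so the job's GITHUB_TOKEN keeps the repository default scope although the steps only need to read the checkout; a top-level `permissions:` with `contents: read` would bound it. In the `install-cifuzz` step the installer is fetched from the `releases/latest` URL and executed without any integrity check, so each run executes whatever binary that URL serves at the time; pinning `CIFUZZ_DOWNLOAD_URL` to a fixed release tag and comparing the file against a recorded SHA-256 before `chmod u+x` would make the step reproducible. The `uses:` references (`actions/checkout@v2` and the `@v5` actions that receive `secrets.CI_FUZZ_API_TOKEN`) are mutable tags, and a full commit SHA is the safer pin; the same applies to the `@v6` references and `version: 'latest'` in the later rewrite of this file (PATCH 6/7).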
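Review bot: Commenting out `throw new SecurityException();` leaves `if (c.equals("Attacker"))` with an empty body, so the finding disappears because the signal was removed, not because the input is handled differently. If the exception stood in for a real security condition, the branch should reject or handle that input; if it was only a demonstration target for the fuzzer, the nested `if` statements visible in the hunk are now dead code and could be deleted rather than kept next to commented-out code. The comment `// "fixed" security issue` would read more clearly as `// demo finding intentionally disabled; this branch is now a no-op`. The body of `simpleExampleFunction` starts outside the hunk, so any outer conditions are not visible here.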
From: Philip Betzler Date: Wed, 24 Jan 2024 15:14:55 +0100 Subject: [PATCH 3/7] updating pom file and gitignore to be up to date with the newest ci maven extention --- .gitignore | 3 ++- pom.xml | 8 +++++++- 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/.gitignore b/.gitignore index 88684f3..66fc7bc 100644 --- a/.gitignore +++ b/.gitignore @@ -40,4 +40,5 @@ crash-* Crash* **/src/test/resources/**/*Inputs*/** fuzz_tests -fuzz_tests.tar.gz \ No newline at end of file +fuzz_tests.tar.gz +**/*.tar.gz \ No newline at end of file diff --git a/pom.xml b/pom.xml index 83861d3..de43fdf 100644 --- a/pom.xml +++ b/pom.xml @@ -65,6 +65,12 @@ json-sanitizer 1.2.1 + + org.jetbrains + annotations + RELEASE + compile + @@ -73,7 +79,7 @@ com.code-intelligence cifuzz-maven-extension - + 1.3.0 From d938159adda61cd2bab6aeb155ccdef6ad4900fa Mon Sep 17 00:00:00 2001 From: Philip Betzler Date: Wed, 24 Jan 2024 15:19:39 +0100 Subject: [PATCH 4/7] made sure test/resource folder is synced for Jazzer findings --- src/test/resources/.gitkeep | 1 + 1 file changed, 1 insertion(+) create mode 100644 src/test/resources/.gitkeep diff --git a/src/test/resources/.gitkeep b/src/test/resources/.gitkeep new file mode 100644 index 0000000..8e34e6d --- /dev/null +++ b/src/test/resources/.gitkeep @@ -0,0 +1 @@ +Empty file to make sure the test/resources folder is synced. \ No newline at end of file From f3021b4362e66b88cba20e2ce6498a4af0f634f9 Mon Sep 17 00:00:00 2001 From: Philip Betzler Date: Wed, 24 Jan 2024 15:22:23 +0100 Subject: [PATCH 5/7] updated gitignore to also exclude crash files located in the test/resource directory --- .gitignore | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.gitignore b/.gitignore index 66fc7bc..9bd6577 100644 --- a/.gitignore +++ b/.gitignore @@ -36,8 +36,8 @@ build/ ### CI ### /.cifuzz-* -crash-* -Crash* +**/*crash-* +**/*Crash* **/src/test/resources/**/*Inputs*/** fuzz_tests fuzz_tests.tar.gz 
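Review bot: The added `org.jetbrains` `annotations` dependency in the first pom.xml hunk uses the version `RELEASE`, a floating meta-version that resolves to whatever is newest in the repository at build time, so builds are not reproducible and a newly published artifact is pulled in without review. An explicit version is the safer choice, e.g. `<version>PINNED_VERSION</version>` (placeholder for the release you have tested), in line with the second hunk, which does pin `cifuzz-maven-extension` to `1.3.0`. Since the artifact only provides annotations, it is worth checking whether `compile` scope is needed or `provided` would do. The XML tags are not visible in this rendering, so the element names are inferred from the values shown.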
From ffc4d112adf9e8d30b97f1bff4fe9b44b5ff6e49 Mon Sep 17 00:00:00 2001 From: Philip Betzler Date: Wed, 24 Jan 2024 16:03:51 +0100 Subject: [PATCH 6/7] updated workflow to execute in new environment --- .github/workflows/main.yaml | 87 +++++++++++++++++-------------------- 1 file changed, 41 insertions(+), 46 deletions(-) diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml index 1139ed0..b837af9 100644 --- a/.github/workflows/main.yaml +++ b/.github/workflows/main.yaml @@ -1,6 +1,10 @@ name: CI Fuzz -# Set an action secret called "CI_FUZZ_API_TOKEN" with an API token -# generated in CI Fuzz web interface. +# Set a CI/CD variable called "CI_SENSE_API_TOKEN" with an API token +# generated in CI Fuzz web interface and a variable called "CI_FUZZ_DOWNLOAD_TOKEN" +# with a download token from https://downloads.code-intelligence.com. +# To download the CI Fuzz maven extension or gradle plugin set the secrets +# MAVEN_REGISTRY_USERNAME and MAVEN_REGISTRY_PASSWORD with the credentials +# from https://downloads.code-intelligence.com. on: workflow_dispatch: 
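Review bot: The new header comment tells the reader to set a "CI/CD variable" for `CI_SENSE_API_TOKEN` and `CI_FUZZ_DOWNLOAD_TOKEN`, but the steps added in this commit read both from `secrets.*`, and GitHub Actions configuration variables are not masked in logs. Wording it as `# Set repository secrets called "CI_SENSE_API_TOKEN" (API token from the CI Fuzz web interface) and "CI_FUZZ_DOWNLOAD_TOKEN" (download token)` would match the code and steer readers away from storing the tokens as plain variables.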
@@ -10,69 +14,60 @@ on: branches: [ main ] env: - # The fuzzing server gRPC URL. - FUZZING_SERVER_ADDRESS: grpc.code-intelligence.com:443 - # The fuzzing server HTTP URL. - WEB_APP_ADDRESS: https://app.code-intelligence.com + # Timeout until the pipeline is marked as 'success' + # if during that time no failing findings are found. + TIMEOUT: "30m" + # Minimum severity for findings that causes the pipeline to fail. + # Findings with lower severity are still reported but do not fail + # the pipeline. + # Possible values: 'LOW', 'MEDIUM', 'HIGH', 'CRITICAL' + MIN_FINDINGS_SEVERITY: MEDIUM + # The CI Sense URL. + CI_SENSE_HTTP_URL: https://app.code-intelligence.com + CI_SENSE_GRPC_URL: grpc.code-intelligence.com:443 + # The CI Sense project name. + PROJECT: prj-StG2L2ulTwL2 # Directory in which the repository will be cloned. CHECKOUT_DIR: checkout-dir/ - CIFUZZ_DOWNLOAD_URL: "https://github.com/CodeIntelligenceTesting/cifuzz/releases/latest/download/cifuzz_installer_linux_amd64" - CIFUZZ_INSTALL_DIR: ./cifuzz - FUZZING_ARTIFACT: fuzzing-artifact.tar.gz jobs: fuzz_tests: runs-on: ubuntu-latest - # Configure your build environment here - # container: example/docker_image steps: - id: checkout name: Checkout Repository uses: actions/checkout@v2 with: path: ${{ env.CHECKOUT_DIR }} + # Uncomment to configure access to CI Fuzz maven repository. 
+ # - uses: s4u/maven-settings-action@v2.8.0 + # with: + # servers: '[{"id": "code-intelligence", "username": "${{ secrets.MAVEN_REGISTRY_USERNAME }}", "password": "${{ secrets.MAVEN_REGISTRY_PASSWORD }}"}]' - id: install-cifuzz name: Install cifuzz - run: | - curl --fail --silent --show-error --location -o cifuzz_installer "$CIFUZZ_DOWNLOAD_URL" - chmod u+x cifuzz_installer - ./cifuzz_installer --install-dir $CIFUZZ_INSTALL_DIR - - id: build-fuzzers - name: Build Fuzzers - env: - BRANCH_NAME: ${{ github.head_ref || github.ref_name }} - run: | - export cifuzz_DIR="$GITHUB_WORKSPACE/$CIFUZZ_INSTALL_DIR/share/cmake" - cd $CHECKOUT_DIR/ - $GITHUB_WORKSPACE/$CIFUZZ_INSTALL_DIR/bin/cifuzz bundle \ - --commit $GITHUB_SHA \ - --branch $BRANCH_NAME \ - --output $GITHUB_WORKSPACE/$CHECKOUT_DIR/$FUZZING_ARTIFACT - shell: "bash" - - id: start-fuzzing - name: Start Fuzzing - uses: CodeIntelligenceTesting/github-actions/start-fuzzing@v5 + uses: CodeIntelligenceTesting/github-actions/install-cifuzz@v6 with: - ci_fuzz_api_token: ${{ secrets.CI_FUZZ_API_TOKEN }} - fuzzing_server_address: ${{ env.FUZZING_SERVER_ADDRESS }} - fuzzing_artifact: ${{ env.CHECKOUT_DIR }}/${{ env.FUZZING_ARTIFACT }} - checkout_directory: ${{ env.CHECKOUT_DIR }} - - id: monitor-fuzzing - name: Fuzzing - uses: CodeIntelligenceTesting/github-actions/monitor-fuzzing@v5 + download_token: ${{ secrets.CI_FUZZ_DOWNLOAD_TOKEN }} + version: 'latest' + - id: run-fuzz-tests + name: Run Fuzz Tests + uses: CodeIntelligenceTesting/github-actions/run-fuzz-tests@v6 with: - ci_fuzz_api_token: ${{ secrets.CI_FUZZ_API_TOKEN }} - test_collection_run: ${{ steps.start-fuzzing.outputs.test_collection_run }} - fuzzing_server_address: ${{ env.FUZZING_SERVER_ADDRESS }} - dashboard_address: ${{ env.WEB_APP_ADDRESS }} + ci_sense_api_token: ${{ secrets.CI_SENSE_API_TOKEN }} + project_name: ${{ env.PROJECT }} + repository_dir: ${{ env.CHECKOUT_DIR }} + timeout: ${{ env.TIMEOUT }} + min_findings_severity: ${{ env.MIN_FINDINGS_SEVERITY 
}} + ci_sense_http_url: ${{ env.CI_SENSE_HTTP_URL }} - id: save-results name: Save Fuzz Test Results - uses: CodeIntelligenceTesting/github-actions/save-results@v5 + uses: CodeIntelligenceTesting/github-actions/save-results@v6 if: ${{ success() || failure() }} with: - ci_fuzz_api_token: ${{ secrets.CI_FUZZ_API_TOKEN }} - test_collection_run: ${{ steps.start-fuzzing.outputs.test_collection_run }} - fuzzing_server_address: ${{ env.FUZZING_SERVER_ADDRESS }} - dashboard_address: ${{ env.WEB_APP_ADDRESS }} + ci_sense_api_token: ${{ secrets.CI_SENSE_API_TOKEN }} + ci_sense_http_url: ${{ env.CI_SENSE_HTTP_URL }} + ci_sense_grpc_url: ${{ env.CI_SENSE_GRPC_URL }} + project_name: ${{ env.PROJECT }} + started_run: ${{ steps.run-fuzz-tests.outputs.started_run }} - id: upload-artifact uses: actions/upload-artifact@v2 if: ${{ (success() || failure()) }} From b1babcfd26aa609dd55e8d0aa2a66c61a8eded70 Mon Sep 17 00:00:00 2001 From: Philip Betzler Date: Wed, 24 Jan 2024 16:32:01 +0100 Subject: [PATCH 7/7] fixed workflow file --- .github/workflows/main.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml index b837af9..6eda0ba 100644 --- a/.github/workflows/main.yaml +++ b/.github/workflows/main.yaml @@ -39,9 +39,9 @@ jobs: with: path: ${{ env.CHECKOUT_DIR }} # Uncomment to configure access to CI Fuzz maven repository. - # - uses: s4u/maven-settings-action@v2.8.0 - # with: - # servers: '[{"id": "code-intelligence", "username": "${{ secrets.MAVEN_REGISTRY_USERNAME }}", "password": "${{ secrets.MAVEN_REGISTRY_PASSWORD }}"}]' + - uses: s4u/maven-settings-action@v2.8.0 + with: + servers: '[{"id": "code-intelligence", "username": "${{ secrets.MAVEN_REGISTRY_USERNAME }}", "password": "${{ secrets.MAVEN_REGISTRY_PASSWORD }}"}]' - id: install-cifuzz name: Install cifuzz uses: CodeIntelligenceTesting/github-actions/install-cifuzz@v6
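Review bot: With the `pull_request` trigger kept, a pull request from a fork runs `install-cifuzz` and `run-fuzz-tests` with empty `secrets.CI_FUZZ_DOWNLOAD_TOKEN` and `secrets.CI_SENSE_API_TOKEN`, because GitHub does not pass repository secrets to fork-triggered runs, so the job would presumably fail for outside contributors. A job-level guard such as `if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository` makes that behaviour explicit; switching to `pull_request_target` would not be a safe workaround, since the job builds and executes code from the pull request. `PROJECT: prj-StG2L2ulTwL2` is also hard-coded in `env:`, and a repository variable would keep the project identifier out of the workflow file.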
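Review bot: Enabling `s4u/maven-settings-action@v2.8.0` hands `secrets.MAVEN_REGISTRY_USERNAME` and `secrets.MAVEN_REGISTRY_PASSWORD` to a third-party action referenced by a mutable tag, and the action presumably writes them into the runner's Maven settings file, where the later steps that build and run repository code can read them. Pinning the action to a full commit SHA (`uses: s4u/maven-settings-action@<FULL_COMMIT_SHA>  # v2.8.0`, placeholder) and using a read-only credential scoped to that registry would limit the exposure. The context line `# Uncomment to configure access to CI Fuzz maven repository.` now sits above an active step and should be reworded, e.g. `# Configure access to the CI Fuzz maven repository.`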