From 258c1d78951e00de5e84e498cf53d52cd2cbc8e0 Mon Sep 17 00:00:00 2001 From: Simon Resch Date: Thu, 21 Dec 2023 09:06:40 +0100 Subject: [PATCH 1/5] Configure cifuzz maven extension --- pom.xml | 45 +++++++++++++++++++-------------------------- 1 file changed, 19 insertions(+), 26 deletions(-) diff --git a/pom.xml b/pom.xml index 0bf276f..cfcc840 100644 --- a/pom.xml +++ b/pom.xml @@ -57,12 +57,6 @@ spring-boot-starter-test test - - com.code-intelligence - jazzer-junit - 0.19.0 - test - com.opencsv opencsv @@ -76,26 +70,14 @@ - - - cifuzz - - - - org.jacoco - jacoco-maven-plugin - - ${cifuzz.report.format} - ${cifuzz.report.output} - - - - - - - - + + + com.code-intelligence + cifuzz-maven-extension + 1.1.0 + + org.jacoco @@ -122,5 +104,16 @@ - + + + code-intelligence + https://gitlab.code-intelligence.com/api/v4/projects/89/packages/maven + + + + + code-intelligence + https://gitlab.code-intelligence.com/api/v4/projects/89/packages/maven + + From a850925e9756a6ab6e8cb6f4747a05d08db6f817 Mon Sep 17 00:00:00 2001 From: Simon Resch Date: Thu, 21 Dec 2023 09:13:43 +0100 Subject: [PATCH 2/5] WIP: github action with fuzz container --- .github/workflows/main.yml | 87 +++++++++++++++++++++----------------- 1 file changed, 48 insertions(+), 39 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 1524706..3d824fe 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -1,6 +1,7 @@ name: CI Fuzz -# Set an action secret called "CI_FUZZ_API_TOKEN" with an API token -# generated in CI Fuzz web interface. +# Set a CI/CD variable called "CI_SENSE_API_TOKEN" with an API token +# generated in CI Fuzz web interface and a variable called "CI_FUZZ_DOWNLOAD_TOKEN" +# with a download token from https://downloads.code-intelligence.com. on: workflow_dispatch: 
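Review bot: The added `com.code-intelligence:cifuzz-maven-extension:1.1.0` entry has no comment saying where it is resolved from or when it runs. The element tags are lost in this rendering, but the removed lines look like an opt-in `cifuzz` profile and the replacement looks like a build extension, which Maven loads on every invocation rather than only for fuzzing runs. I would add a comment above it such as `<!-- CI Fuzz build extension: resolved from the authenticated "code-intelligence" registry declared below; loaded for every Maven build -->`, so reviewers can see that code from a private registry is now on the path of ordinary builds.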
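Review bot: The two `code-intelligence` registry entries added at the end of the POM carry only an id and a URL, so Maven's default repository policies apply to them. Because this registry now supplies code that executes inside the build, I would make the policies explicit with `<snapshots><enabled>false</enabled></snapshots>` and `<releases><checksumPolicy>fail</checksumPolicy></releases>`; on Maven 3 the default checksum policy only warns on a mismatch. The tags are stripped in this view, so this assumes the entries are a `<repository>` and a `<pluginRepository>`. It is also worth checking whether both are needed, since each one adds a host that artifact lookups can reach.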
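Review bot: The rewritten header comment tells the reader to create a "CI/CD variable", but the workflow reads both values through the `secrets` context. On GitHub a configuration variable is a separate object that is stored and displayed in clear text, so following the comment literally would leave `secrets.CI_SENSE_API_TOKEN` empty and put the token somewhere unmasked. I would word it as `# Set a repository secret called "CI_SENSE_API_TOKEN" ...` and `... a secret called "CI_FUZZ_DOWNLOAD_TOKEN"`, and also list `MAVEN_REGISTRY_PASSWORD`, which the next hunk starts using. The same "variable" wording survives in the header hunk of PATCH 5/5.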
@@ -10,67 +11,75 @@ on: branches: [ main ] env: - # The fuzzing server gRPC URL. - FUZZING_SERVER_ADDRESS: grpc.code-intelligence.com:443 - # The fuzzing server HTTP URL. - WEB_APP_ADDRESS: https://app.code-intelligence.com + # Timeout until the pipeline is marked as 'success' + # if during that time no failing findings are found. + TIMEOUT: "5m" + # Minimum severity for findings that causes the pipeline to fail. + # Findings with lower severity are still reported but do not fail + # the pipeline. + # Possible values: 'LOW', 'MEDIUM', 'HIGH', 'CRITICAL' + MIN_FINDINGS_SEVERITY: MEDIUM + # The CI Sense URL. + CI_SENSE_URL: https://app.staging.code-intelligence.com + # The CI Sense project name. + PROJECT: prj-NOdgyF6GBeOE # Directory in which the repository will be cloned. CHECKOUT_DIR: checkout-dir/ - CIFUZZ_DOWNLOAD_URL: "https://github.com/CodeIntelligenceTesting/cifuzz/releases/latest/download/cifuzz_installer_linux_amd64" - CIFUZZ_INSTALL_DIR: ./cifuzz - FUZZING_ARTIFACT: fuzzing-artifact.tar.gz + CI_FUZZ_DOWNLOAD_URL: "https://downloads.code-intelligence.com/download/cifuzz/linux_amd64/latest?token=${{ secrets.CI_FUZZ_DOWNLOAD_TOKEN }}" + CI_FUZZ_INSTALL_DIR: ./cifuzz jobs: fuzz_tests: runs-on: ubuntu-latest - container: maven:3.9.2-eclipse-temurin-17 steps: - id: checkout name: Checkout Repository uses: actions/checkout@v2 with: path: ${{ env.CHECKOUT_DIR }} + - uses: actions/setup-java@v3 + with: + java-version: '17' + distribution: 'temurin' + - uses: s4u/maven-settings-action@v2.8.0 + with: + servers: '[{"id": "code-intelligence", "username": "Code-Intelligence-Internal", "password": "${{ secrets.MAVEN_REGISTRY_PASSWORD }}"}]' - id: install-cifuzz name: Install cifuzz run: | - curl --fail --silent --show-error --location -o cifuzz_installer "$CIFUZZ_DOWNLOAD_URL" + curl --fail --silent --show-error --location -o cifuzz_installer "$CI_FUZZ_DOWNLOAD_URL" chmod u+x cifuzz_installer - ./cifuzz_installer --install-dir $CIFUZZ_INSTALL_DIR - - id: build-fuzzers - 
name: Build Fuzzers + ./cifuzz_installer --install-dir $CI_FUZZ_INSTALL_DIR + - id: run-fuzz-tests + name: Run Fuzz Tests + env: + BRANCH_NAME: ${{ github.head_ref || github.ref_name }} run: | - export cifuzz_DIR="$GITHUB_WORKSPACE/$CIFUZZ_INSTALL_DIR/share/cmake" + export CI_FUZZ="$GITHUB_WORKSPACE/$CI_FUZZ_INSTALL_DIR/bin/cifuzz" + # Login to CI Sense + echo "${{ secrets.CI_SENSE_API_TOKEN }}" | ${CI_FUZZ} login --server "${CI_SENSE_URL}" + + # Tell cmake where to find the cifuzz cmake functions. + export cifuzz_DIR="$GITHUB_WORKSPACE/$CI_FUZZ_INSTALL_DIR/share/cmake" + cd $CHECKOUT_DIR/ - $GITHUB_WORKSPACE/$CIFUZZ_INSTALL_DIR/bin/cifuzz bundle \ - --commit $GITHUB_SHA \ - --branch $GITHUB_REF_NAME \ - --output $GITHUB_WORKSPACE/$CHECKOUT_DIR/$FUZZING_ARTIFACT + # Start remote run using fuzz containers and wait $TIMEOUT for findings. + ${CI_FUZZ} container remote-run com.example.app.GreetEndpointTests::fuzzTestGreet \ + --monitor \ + --monitor-duration="${TIMEOUT}" \ + --min-finding-severity="${MIN_FINDINGS_SEVERITY}" \ + --project="${PROJECT}" \ + --server="${CI_SENSE_URL}" \ + --branch="${BRANCH_NAME}" \ + -v shell: "bash" - - id: start-fuzzing - name: Start Fuzzing - uses: CodeIntelligenceTesting/github-actions/start-fuzzing@v5 - with: - ci_fuzz_api_token: ${{ secrets.CI_FUZZ_API_TOKEN }} - fuzzing_server_address: ${{ env.FUZZING_SERVER_ADDRESS }} - fuzzing_artifact: ${{ env.CHECKOUT_DIR }}/${{ env.FUZZING_ARTIFACT }} - checkout_directory: ${{ env.CHECKOUT_DIR }} - project: "projects/api-testing-spring-boot-e8a299e2" - - id: monitor-fuzzing - name: Fuzzing - uses: CodeIntelligenceTesting/github-actions/monitor-fuzzing@v5 - with: - ci_fuzz_api_token: ${{ secrets.CI_FUZZ_API_TOKEN }} - test_collection_run: ${{ steps.start-fuzzing.outputs.test_collection_run }} - fuzzing_server_address: ${{ env.FUZZING_SERVER_ADDRESS }} - dashboard_address: ${{ env.WEB_APP_ADDRESS }} - id: save-results name: Save Fuzz Test Results uses: 
CodeIntelligenceTesting/github-actions/save-results@v5 if: ${{ success() || failure() }} with: - ci_fuzz_api_token: ${{ secrets.CI_FUZZ_API_TOKEN }} + ci_fuzz_api_token: ${{ secrets.CI_SENSE_API_TOKEN }} test_collection_run: ${{ steps.start-fuzzing.outputs.test_collection_run }} - fuzzing_server_address: ${{ env.FUZZING_SERVER_ADDRESS }} - dashboard_address: ${{ env.WEB_APP_ADDRESS }} + dashboard_address: ${{ env.CI_SENSE_URL }} - id: upload-artifact uses: actions/upload-artifact@v2 if: ${{ (success() || failure()) }} From 66b7abc6e769002992f9839612eddc794d1152e2 Mon Sep 17 00:00:00 2001 From: Simon Resch Date: Fri, 29 Dec 2023 14:02:49 +0100 Subject: [PATCH 3/5] use action to install cifuzz --- .github/workflows/main.yml | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 3d824fe..6e36b28 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -26,7 +26,6 @@ env: # Directory in which the repository will be cloned. CHECKOUT_DIR: checkout-dir/ CI_FUZZ_DOWNLOAD_URL: "https://downloads.code-intelligence.com/download/cifuzz/linux_amd64/latest?token=${{ secrets.CI_FUZZ_DOWNLOAD_TOKEN }}" - CI_FUZZ_INSTALL_DIR: ./cifuzz jobs: fuzz_tests: runs-on: ubuntu-latest 
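Review bot: Both tokens are exposed more widely than they need to be in this hunk. `CI_FUZZ_DOWNLOAD_URL` places `secrets.CI_FUZZ_DOWNLOAD_TOKEN` in the workflow-level `env`, so every step receives it in its environment, including the third-party `s4u/maven-settings-action` and `save-results` actions, and it travels as a URL query parameter; defining the variable in an `env:` block on the install step alone would confine it. In the run script, `echo "${{ secrets.CI_SENSE_API_TOKEN }}"` pastes the token into the script text before bash parses it, so a token containing a quote, `$` or backtick changes the command. Pass it through the step's `env:` as `CI_SENSE_API_TOKEN: ${{ secrets.CI_SENSE_API_TOKEN }}` and use `printf '%s\n' "$CI_SENSE_API_TOKEN" | "${CI_FUZZ}" login --server "${CI_SENSE_URL}"`. The `echo` form is carried into the install hunk of PATCH 3/5.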
@@ -45,25 +44,24 @@ jobs: servers: '[{"id": "code-intelligence", "username": "Code-Intelligence-Internal", "password": "${{ secrets.MAVEN_REGISTRY_PASSWORD }}"}]' - id: install-cifuzz name: Install cifuzz - run: | - curl --fail --silent --show-error --location -o cifuzz_installer "$CI_FUZZ_DOWNLOAD_URL" - chmod u+x cifuzz_installer - ./cifuzz_installer --install-dir $CI_FUZZ_INSTALL_DIR + uses: CodeIntelligenceTesting/github-actions/install-cifuzz@v6 + with: + download_token: ${{ secrets.CI_FUZZ_DOWNLOAD_TOKEN }} + version: 'latest' - id: run-fuzz-tests name: Run Fuzz Tests env: BRANCH_NAME: ${{ github.head_ref || github.ref_name }} run: | - export CI_FUZZ="$GITHUB_WORKSPACE/$CI_FUZZ_INSTALL_DIR/bin/cifuzz" # Login to CI Sense - echo "${{ secrets.CI_SENSE_API_TOKEN }}" | ${CI_FUZZ} login --server "${CI_SENSE_URL}" + echo "${{ secrets.CI_SENSE_API_TOKEN }}" | cifuzz login --server "${CI_SENSE_URL}" # Tell cmake where to find the cifuzz cmake functions. export cifuzz_DIR="$GITHUB_WORKSPACE/$CI_FUZZ_INSTALL_DIR/share/cmake" cd $CHECKOUT_DIR/ # Start remote run using fuzz containers and wait $TIMEOUT for findings. - ${CI_FUZZ} container remote-run com.example.app.GreetEndpointTests::fuzzTestGreet \ + cifuzz container remote-run com.example.app.GreetEndpointTests::fuzzTestGreet \ --monitor \ --monitor-duration="${TIMEOUT}" \ --min-finding-severity="${MIN_FINDINGS_SEVERITY}" \ From 3e88189f7b414d05dc2db044f06f73965f378df1 Mon Sep 17 00:00:00 2001 From: Simon Resch Date: Fri, 29 Dec 2023 14:37:15 +0100 Subject: [PATCH 4/5] run fuzz tests in github action --- .github/workflows/main.yml | 29 +++++++++-------------------- 1 file changed, 9 insertions(+), 20 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 6e36b28..87db4c7 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
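Review bot: The new install step is unpinned twice over: `CodeIntelligenceTesting/github-actions/install-cifuzz@v6` is a movable tag and `version: 'latest'` lets the installed binary change between runs, while the step is handed `secrets.CI_FUZZ_DOWNLOAD_TOKEN`. Referencing the action by full commit SHA, e.g. `uses: CodeIntelligenceTesting/github-actions/install-cifuzz@<full-commit-sha> # v6`, and setting `version:` to a fixed release would make runs reproducible and keep a retagged action from receiving the token. The same applies to `s4u/maven-settings-action@v2.8.0` from PATCH 2/5 and to the `run-fuzz-tests@v6` and `save-results@v6` steps added in PATCH 4/5 and 5/5. Separately, the context line `export cifuzz_DIR="$GITHUB_WORKSPACE/$CI_FUZZ_INSTALL_DIR/share/cmake"` still reads `CI_FUZZ_INSTALL_DIR`, which this commit deletes from `env`, so the path is now built without the install directory.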
@@ -50,26 +50,15 @@ jobs: version: 'latest' - id: run-fuzz-tests name: Run Fuzz Tests - env: - BRANCH_NAME: ${{ github.head_ref || github.ref_name }} - run: | - # Login to CI Sense - echo "${{ secrets.CI_SENSE_API_TOKEN }}" | cifuzz login --server "${CI_SENSE_URL}" - - # Tell cmake where to find the cifuzz cmake functions. - export cifuzz_DIR="$GITHUB_WORKSPACE/$CI_FUZZ_INSTALL_DIR/share/cmake" - - cd $CHECKOUT_DIR/ - # Start remote run using fuzz containers and wait $TIMEOUT for findings. - cifuzz container remote-run com.example.app.GreetEndpointTests::fuzzTestGreet \ - --monitor \ - --monitor-duration="${TIMEOUT}" \ - --min-finding-severity="${MIN_FINDINGS_SEVERITY}" \ - --project="${PROJECT}" \ - --server="${CI_SENSE_URL}" \ - --branch="${BRANCH_NAME}" \ - -v - shell: "bash" + uses: CodeIntelligenceTesting/github-actions/run-fuzz-tests@v6 + with: + ci_sense_api_token: ${{ secrets.CI_SENSE_API_TOKEN }} + project_name: ${{ env.PROJECT }} + repository_dir: ${{ env.CHECKOUT_DIR }} + timeout: ${{ env.TIMEOUT }} + min_findings_severity: ${{ env.MIN_FINDINGS_SEVERITY }} + ci_sense_url: ${{ env.CI_SENSE_URL }} + fuzz_tests: "com.example.app.GreetEndpointTests::fuzzTestGreet" - id: save-results name: Save Fuzz Test Results uses: CodeIntelligenceTesting/github-actions/save-results@v5 From f26c6b355cde2db7c2a8ba5b5738a0a070cf355c Mon Sep 17 00:00:00 2001 From: Simon Resch Date: Fri, 29 Dec 2023 15:13:00 +0100 Subject: [PATCH 5/5] use new save-results github action --- .github/workflows/main.yml | 23 ++++++++++++++--------- 1 file changed, 14 insertions(+), 9 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 87db4c7..e7dbe3c 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
@@ -2,6 +2,9 @@ name: CI Fuzz # Set a CI/CD variable called "CI_SENSE_API_TOKEN" with an API token # generated in CI Fuzz web interface and a variable called "CI_FUZZ_DOWNLOAD_TOKEN" # with a download token from https://downloads.code-intelligence.com. +# To download the CI Fuzz maven extension or gradle plugin set the secrets +# MAVEN_REGISTRY_USERNAME and MAVEN_REGISTRY_PASSWORD with the credentials +# from https://downloads.code-intelligence.com. on: workflow_dispatch: @@ -20,12 +23,12 @@ env: # Possible values: 'LOW', 'MEDIUM', 'HIGH', 'CRITICAL' MIN_FINDINGS_SEVERITY: MEDIUM # The CI Sense URL. - CI_SENSE_URL: https://app.staging.code-intelligence.com + CI_SENSE_HTTP_URL: https://app.staging.code-intelligence.com + CI_SENSE_GRPC_URL: grpc.staging.code-intelligence.com:443 # The CI Sense project name. - PROJECT: prj-NOdgyF6GBeOE + PROJECT: prj-tSg6cwlCgIil # Directory in which the repository will be cloned. CHECKOUT_DIR: checkout-dir/ - CI_FUZZ_DOWNLOAD_URL: "https://downloads.code-intelligence.com/download/cifuzz/linux_amd64/latest?token=${{ secrets.CI_FUZZ_DOWNLOAD_TOKEN }}" jobs: fuzz_tests: runs-on: ubuntu-latest @@ -41,7 +44,7 @@ jobs: distribution: 'temurin' - uses: s4u/maven-settings-action@v2.8.0 with: - servers: '[{"id": "code-intelligence", "username": "Code-Intelligence-Internal", "password": "${{ secrets.MAVEN_REGISTRY_PASSWORD }}"}]' + servers: '[{"id": "code-intelligence", "username": "${{ secrets.MAVEN_REGISTRY_USERNAME }}", "password": "${{ secrets.MAVEN_REGISTRY_PASSWORD }}"}]' - id: install-cifuzz name: Install cifuzz uses: CodeIntelligenceTesting/github-actions/install-cifuzz@v6 
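Review bot: In the last hunk on this line, the `servers` value is assembled by splicing `secrets.MAVEN_REGISTRY_USERNAME` and `secrets.MAVEN_REGISTRY_PASSWORD` into a JSON string literal, so a credential containing `"` or `\` yields malformed or differently structured JSON. The expression is substituted before the action parses its input, and nothing here escapes it. Letting the expression engine do the quoting avoids that: `"username": ${{ toJSON(secrets.MAVEN_REGISTRY_USERNAME) }}, "password": ${{ toJSON(secrets.MAVEN_REGISTRY_PASSWORD) }}`, with no surrounding double quotes. If the literal form is kept, the header comment should state the constraint, e.g. `# MAVEN_REGISTRY_PASSWORD must not contain double quotes or backslashes`.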
@@ -57,16 +60,18 @@ jobs: repository_dir: ${{ env.CHECKOUT_DIR }} timeout: ${{ env.TIMEOUT }} min_findings_severity: ${{ env.MIN_FINDINGS_SEVERITY }} - ci_sense_url: ${{ env.CI_SENSE_URL }} + ci_sense_http_url: ${{ env.CI_SENSE_HTTP_URL }} fuzz_tests: "com.example.app.GreetEndpointTests::fuzzTestGreet" - id: save-results name: Save Fuzz Test Results - uses: CodeIntelligenceTesting/github-actions/save-results@v5 + uses: CodeIntelligenceTesting/github-actions/save-results@v6 if: ${{ success() || failure() }} with: - ci_fuzz_api_token: ${{ secrets.CI_SENSE_API_TOKEN }} - test_collection_run: ${{ steps.start-fuzzing.outputs.test_collection_run }} - dashboard_address: ${{ env.CI_SENSE_URL }} + ci_sense_api_token: ${{ secrets.CI_SENSE_API_TOKEN }} + ci_sense_http_url: ${{ env.CI_SENSE_HTTP_URL }} + ci_sense_grpc_url: ${{ env.CI_SENSE_GRPC_URL }} + project_name: ${{ env.PROJECT }} + started_run: ${{ steps.run-fuzz-tests.outputs.started_run }} - id: upload-artifact uses: actions/upload-artifact@v2 if: ${{ (success() || failure()) }}
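Review bot: `save-results` keeps `if: ${{ success() || failure() }}` but now depends on `steps.run-fuzz-tests.outputs.started_run`, which is empty whenever an earlier step (checkout, Maven settings, install) fails before a run is started. How the v6 action treats an empty `started_run` is not visible here, but it would be called with the API token and no run to save. Guarding the step makes the intent explicit: `if: ${{ (success() || failure()) && steps.run-fuzz-tests.outputs.started_run != '' }}`.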