-
Notifications
You must be signed in to change notification settings - Fork 36
104 lines (85 loc) · 2.9 KB
/
fuzz.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
# This workflow performs dynamic analysis of the project with atheris fuzzing framework
# Coverage should not be less than with precommitted corpuses
# Otherweise fuzzing workaround has to be performed and new corpuses are committed
name: Fuzzing
on:
push:
branches: [ main ]
pull_request:
branches: [ main ]
jobs:
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
fuzz:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.sha }}
- name: Backup corpus
run: cp -r fuzz/corpus corpus.bak
- name: Set up Python
uses: actions/setup-python@v4
with:
python-version: "3.11"
- name: Install dependencies
run: |
python -m pip install --upgrade pip
python -m pip install -r requirements.txt
python -m pip install -r fuzz/requirements.txt
- name: Run fuzzing test with COVERAGE
id: run_fuzz
run: |
fuzz/coveraging.sh
- name: Store coverage report
if: always()
uses: actions/upload-artifact@v4
with:
name: htmlcov
path: htmlcov
- name: Check coverage of dynamic testing
if: always()
run: |
COVERAGE=$(tail -1 report.txt | awk '{print $6}' | tr --delete '%')
# additionally check correctness of the value - should be an integer
FUZZ_COVERAGE_LIMIT=75
if ! [ ${FUZZ_COVERAGE_LIMIT} -le ${COVERAGE} ]; then
echo "Fuzzing coverage '${COVERAGE}' does not satisfy the limit ${FUZZ_COVERAGE_LIMIT}%"
exit 1
fi
- name: Detect new corpus to upload as artifact
if: always()
run: |
ls fuzz/corpus | sort >corpus.txt
ls corpus.bak | sort >corpus.bak.txt
mkdir -vp new_corpus
for f in $(comm -3 corpus.txt corpus.bak.txt); do cp -vf fuzz/corpus/${f} new_corpus/; done
echo "NEW_CORPUS=$(ls new_corpus | wc -l)" >> $GITHUB_ENV
- name: New corpus upload
if: ${{ env.NEW_CORPUS > 0 }}
uses: actions/upload-artifact@v4
with:
name: new_corpus
path: new_corpus
- name: Detect crash files
if: always()
id: crash_detect
run: |
mkdir -vp crash_corpus
CRASH_CORPUS=0
for f in $(find . -maxdepth 1 -regextype 'posix-extended' -regex '.*-[0-9a-f]{40}'); do
mv -vf ${f} crash_corpus/
CRASH_CORPUS=$(( 1 + ${CRASH_CORPUS} ))
done
echo "CRASH_CORPUS=${CRASH_CORPUS}" >> $GITHUB_ENV
if [ 0 -ne ${CRASH_CORPUS} ]; then
echo "${CRASH_CORPUS} crashes were found"
exit 1
fi
- name: Crash corpus upload
if: ${{ env.CRASH_CORPUS > 0 }}
uses: actions/upload-artifact@v4
with:
name: crash_corpus
path: crash_corpus
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #