ashearin · ashearin · Nov 24, 2024 · Nov 24, 2024
diff --git a/.clusterfuzzlite/Dockerfile b/.clusterfuzzlite/Dockerfile
@@ -0,0 +1,5 @@
+FROM gcr.io/oss-fuzz-base/base-builder-go:v1
+RUN apt-get update && apt-get install -y make autoconf automake libtool
+COPY . $SRC/bomctl
+WORKDIR $SRC/bomctl
+COPY .clusterfuzzlite/build.sh $SRC/
diff --git a/.clusterfuzzlite/build.sh b/.clusterfuzzlite/build.sh
@@ -0,0 +1,13 @@
+#!/bin/bash -eu
+
+# build project
+# e.g.
+# ./autogen.sh
+# ./configure
+# make -j$(nproc) all
+
+# build fuzzers
+# e.g.
+# $CXX $CXXFLAGS -std=c++11 -Iinclude \
+#     /path/to/name_of_fuzzer.cc -o $OUT/name_of_fuzzer \
+#     $LIB_FUZZING_ENGINE /path/to/library.a
diff --git a/.clusterfuzzlite/project.yaml b/.clusterfuzzlite/project.yaml
@@ -0,0 +1 @@
+language: go
diff --git a/.github/workflows/cflite-pr.yml b/.github/workflows/cflite-pr.yml
@@ -0,0 +1,69 @@
+# ------------------------------------------------------------------------
+# SPDX-FileCopyrightText: Copyright © 2024 bomctl a Series of LF Projects, LLC
+# SPDX-FileName: .github/workflows/cflite-pr.yaml
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: Apache-2.0
+# ------------------------------------------------------------------------
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ------------------------------------------------------------------------
+---
+name: ClusterFuzzLite PR fuzzing
+on:
+  pull_request:
+    paths:
+      - "**"
+permissions: read-all
+jobs:
+  PR:
+    runs-on: ubuntu-latest
+    concurrency:
+      group: ${{ github.workflow }}-${{ matrix.sanitizer }}-${{ github.ref }}
+      cancel-in-progress: true
+    strategy:
+      fail-fast: false
+      matrix:
+        sanitizer:
+          - address
+          - undefined
+          - memory
+    steps:
+      - name: Build Fuzzers (${{ matrix.sanitizer }})
+        id: build
+        uses: google/clusterfuzzlite/actions/build_fuzzers@v1
+        with:
+          language: go
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          sanitizer: ${{ matrix.sanitizer }}
+          # Optional but recommended: used to only run fuzzers that are affected
+          # by the PR.
+          # See later section on "Git repo for storage".
+          # storage-repo: https://${{ secrets.PERSONAL_ACCESS_TOKEN }}@github.com/OWNER/STORAGE-REPO-NAME.git
+          # storage-repo-branch: main   # Optional. Defaults to "main"
+          # storage-repo-branch-coverage: gh-pages  # Optional. Defaults to "gh-pages".
+      - name: Run Fuzzers (${{ matrix.sanitizer }})
+        id: run
+        uses: google/clusterfuzzlite/actions/run_fuzzers@v1
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          fuzz-seconds: 600
+          mode: "code-change"
+          sanitizer: ${{ matrix.sanitizer }}
+          output-sarif: true
+          parallel-fuzzing: true
+          dry-run: true
+          # Optional but recommended: used to download the corpus produced by
+          # batch fuzzing.
+          # See later section on "Git repo for storage".
+          # storage-repo: https://${{ secrets.PERSONAL_ACCESS_TOKEN }}@github.com/OWNER/STORAGE-REPO-NAME.git
+          # storage-repo-branch: main   # Optional. Defaults to "main"
+          # storage-repo-branch-coverage: gh-pages  # Optional. Defaults to "gh-pages".
diff --git a/.github/workflows/cflite_batch.yml b/.github/workflows/cflite_batch.yml
@@ -0,0 +1,37 @@
+name: ClusterFuzzLite batch fuzzing
+on:
+  schedule:
+    - cron: "0 0/6 * * *" # Every 6th hour. Change this to whatever is suitable.
+permissions: read-all
+jobs:
+  BatchFuzzing:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        sanitizer:
+          - address
+        # Override this with the sanitizers you want.
+        # - undefined
+        # - memory
+    steps:
+      - name: Build Fuzzers (${{ matrix.sanitizer }})
+        id: build
+        uses: google/clusterfuzzlite/actions/build_fuzzers@v1
+        with:
+          language: go # Change this to the language you are fuzzing.
+          sanitizer: ${{ matrix.sanitizer }}
+      - name: Run Fuzzers (${{ matrix.sanitizer }})
+        id: run
+        uses: google/clusterfuzzlite/actions/run_fuzzers@v1
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          fuzz-seconds: 3600
+          mode: "batch"
+          sanitizer: ${{ matrix.sanitizer }}
+          output-sarif: true
+          # Optional but recommended: For storing certain artifacts from fuzzing.
+          # See later section on "Git repo for storage".
+          # storage-repo: https://${{ secrets.PERSONAL_ACCESS_TOKEN }}@github.com/OWNER/STORAGE-REPO-NAME.git
+          # storage-repo-branch: main   # Optional. Defaults to "main"
+          # storage-repo-branch-coverage: gh-pages  # Optional. Defaults to "gh-pages".
diff --git a/.github/workflows/cflite_cron.yml b/.github/workflows/cflite_cron.yml
@@ -0,0 +1,49 @@
+name: ClusterFuzzLite cron tasks
+on:
+  schedule:
+    - cron: "0 0 * * *" # Once a day at midnight.
+permissions: read-all
+jobs:
+  Pruning:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Build Fuzzers
+        id: build
+        uses: google/clusterfuzzlite/actions/build_fuzzers@v1
+        with:
+          language: go # Change this to the language you are fuzzing
+      - name: Run Fuzzers
+        id: run
+        uses: google/clusterfuzzlite/actions/run_fuzzers@v1
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          fuzz-seconds: 600
+          mode: "prune"
+          output-sarif: true
+          # Optional but recommended.
+          # See later section on "Git repo for storage".
+          # storage-repo: https://${{ secrets.PERSONAL_ACCESS_TOKEN }}@github.com/OWNER/STORAGE-
6DB6
REPO-NAME.git
+          # storage-repo-branch: main   # Optional. Defaults to "main"
+          # storage-repo-branch-coverage: gh-pages  # Optional. Defaults to "gh-pages".
+  Coverage:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Build Fuzzers
+        id: build
+        uses: google/clusterfuzzlite/actions/build_fuzzers@v1
+        with:
+          language: go # Change this to the language you are fuzzing.
+          sanitizer: coverage
+      - name: Run Fuzzers
+        id: run
+        uses: google/clusterfuzzlite/actions/run_fuzzers@v1
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          fuzz-seconds: 600
+          mode: "coverage"
+          sanitizer: "coverage"
+          # Optional but recommended.
+          # See later section on "Git repo for storage".
+          # storage-repo: https://${{ secrets.PERSONAL_ACCESS_TOKEN }}@github.com/OWNER/STORAGE-REPO-NAME.git
+          # storage-repo-branch: main   # Optional. Defaults to "main"
+          # storage-repo-branch-coverage: gh-pages  # Optional. Defaults to "gh-pages".
diff --git a/.gitignore b/.gitignore
@@ -4,6 +4,8 @@
 # Whitelist patterns anchored to project root
 !/.adr-dir
 !/.commitlint.yaml
+!/.clusterfuzzlite/build.sh
+!/.clusterfuzzlite/project.yaml
 !/.editorconfig
 !/.gitattributes
 !/.github/dependabot.yml
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		language: go
Check warning on line 1 in .clusterfuzzlite/project.yaml View workflow job for this annotation GitHub Actions / yamllint `1:1 [document-start] missing document start "---"`