Coverage Report

Aggregated Coverage Report

We can use cictl to get the project code coverage data in different formats from local or remote projects.

To get an aggregated report for all source file of a project you can use:

cictl get coverage -p <project-name>

The output of your command should look similar tocictl_get_coverage


Hint: You can check your project name with:

cictl list projects


Jacoco Coverage Report

It is possible to dump raw coverage profile files such as Jacoco exec files or llvm-profdata indexed files from your fuzzing runs to investigate the covered lines of source code by fuzzing.  

For Jacoco exec files there are different IDEs such as Intelij which support the analysis of Jacoco files. Thus, the user is able to investigate the coverage of his application in his favorite IDE.

The following cictl command can be used to generate Jacoco files for a project:

cictl get coverage -p <project-name> --dump-raw-profiles

The output should look similar to:



The covered lines in source code can also be investigated with jacococli. You will need the compiled java classes + source code to generate for example so-called html jacoco reports. The following jacococli command can be used to generate the report:

 java -jar lib/jacococli.jar report profile-test-test- \
--html ./<report-folder> \
--sourcefiles <source-code-path \
--classfiles <compiled-java-classes-path>

This will generate a html report in the specified report folder. The report can be browsed afterwards with any browser. There you click to the desired java classes and observe the covered lines of your source code by fuzzing.