How to Run Your Fuzz Tests Using CI Fuzz SaaS
The easiest way to do this is with the CI Fuzz plugin for Visual Studio Code. The project setup and the fuzz tests it creates have to be pushed to your project repository:
$ git add .code-intelligence
$ git commit -m "Add ci-fuzz project setup and fuzz tests"
$ git push
The CI Fuzz server automatically pulls the build Docker image you configured in VS Code, so make sure it is available in a Docker registry such as Docker Hub or gcr.io.
Sign In to the Web App
Open https://app.code-intelligence.com in your web browser. To sign in to the web app, you can use your GitHub, GitLab, or Bitbucket account.
If you want to work on a project together with others, you can use an organization. To learn more about how organizations work, read Work Together Using Organizations.
Importing Your Project
When you click "New Project" you can decide if you want the project to be owned by your organization or if you want to create a personal project.
In the next step, you need to provide the git URL of your project repository.
Credentials are needed for authentication if you want to check out from a private git repository. You can create a personal access token in your account settings in GitHub, GitLab, or Bitbucket. For GitLab, using a deploy token is also supported. This feature is disabled in the SaaS since it is currently intended for open source projects only.
After the project has been initialized successfully, you see an overview showing the findings and the code coverage. Since we haven't run any fuzz tests, there are no findings yet.
If you untick "Git Repository" (not recommended unless necessary), you can provide an arbitrary shell script instead.
This script must leave the project, including its fuzzing configuration (the .code-intelligence directory), in the current working directory. It must also work when the project is already checked out there and only needs updating. An example of a working pull script (replace the parts surrounded by <>):
git clone --depth=100 https://<username>:<githubtoken>@github.com/<yourproject>/<somerepo>.git . || git pull
In this example a pull script is necessary because the git commit history is needed when the SUT (system under test) is built, but by default CI Fuzz does not clone older commits (it uses --depth=0). Note that a token embedded in the clone URL ends up in the checkout's .git/config as part of the remote URL, so treat both the script and the checkout as secrets.
The build Docker image you configured is used to spawn containers that will:
- Clone/pull the project repository or run the pull script. For this reason, the image must have git installed, and if your git server's certificate is not signed by a public CA, its custom CA certificate must be in the system certificate store in the container. Example Dockerfile:
FROM ubuntu:20.04
# git is required for the checkout; ca-certificates provides update-ca-certificates
RUN apt-get update && apt-get install -y --no-install-recommends git ca-certificates
COPY git_server_ca_cert.crt /usr/local/share/ca-certificates/git/git_server_ca_cert.crt
# Register the copied certificate in the system store so git trusts the server
RUN update-ca-certificates
- Build the SUT (with the exception of Java Web Application fuzz tests). For this reason, the image must contain all the dependencies needed to build your project.
- Run the fuzz tests (with the exception of Java Web Application fuzz tests)
Running fuzz tests
Choose the Test Collection you want to run in the left column. Clicking Start builds and executes the corresponding fuzz tests. As an example project, we use the ZINT Barcode Generator, in which we found and reported several vulnerabilities.
For Java out-of-process fuzzing, you must first configure your Web App for fuzzing with the CI Fuzz server.
After the build is completed and the fuzz tests start running, you can watch the coverage increasing. The fuzz test runs until a bug is found or the configured time limit is reached.
Viewing findings and coverage reports
To view the details of a finding, click "All Findings", which lists all findings. If you are only interested in findings of a specific type or severity, you can use the filters.
By selecting a finding, you see all details, such as the source file containing the bug, the crashing input, and the full AddressSanitizer log, which are very useful for investigating the finding further.
If you are interested in more details about the code coverage, click "Code Coverage" in the overview tab to get a list of all source files and their coverage.
You can continue with Continuous Fuzzing Setup.