Usage_list refactored, password for doc #1614
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# This workflow performs dynamic analysis of the project with atheris fuzzing framework | |
# Coverage should not be less than with precommitted corpuses | |
# Otherweise fuzzing workaround has to be performed and new corpuses are committed | |
name: Fuzzing | |
on: | |
push: | |
branches: [ main ] | |
pull_request: | |
branches: [ main ] | |
jobs: | |
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # | |
fuzz: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v3 | |
with: | |
ref: ${{ github.event.pull_request.head.sha }} | |
- name: Backup corpus | |
run: cp -r fuzz/corpus corpus.bak | |
- name: Set up Python | |
uses: actions/setup-python@v3 | |
with: | |
python-version: "3.10" | |
- name: Install dependencies | |
run: | | |
python -m pip install --upgrade pip | |
python -m pip install -r requirements.txt | |
python -m pip install -r fuzz/requirements.txt | |
- name: Run fuzzing test with coverage | |
id: run_fuzz | |
run: | | |
add_runs=$(git log -1 --pretty=format:"%s" | sed 's|.*add_runs=\([0-9]\+\)|\1|') | |
if [ -z "${add_runs}" ] || ! [ 0 -lt ${add_runs} ]; then add_runs=1; fi | |
echo "Addition runs: add_runs=${add_runs}" | |
# additional args: -rss_limit_mb=2048 | |
python -m coverage run \ | |
--source=credsweeper \ | |
fuzz \ | |
-rss_limit_mb=2048 \ | |
-atheris_runs=$(( ${add_runs} + $(ls fuzz/corpus | wc -l) )) \ | |
-detect_leaks=0 \ | |
fuzz/corpus/ \ | |
; | |
- name: Create coverage report in HTML format | |
run: | | |
python -m coverage html | |
- name: COVERAGE report | |
if: always() | |
uses: actions/upload-artifact@v3 | |
with: | |
name: htmlcov | |
path: htmlcov | |
- name: Coverage report in TEXT representation | |
if: always() | |
run: | | |
python -m coverage report >report.txt | |
# display the report in log instead putting it into artifacts | |
cat report.txt | |
- name: Check coverage of dynamic testing | |
if: always() | |
run: | | |
COVERAGE=$(tail -1 report.txt | awk '{print $6}' | tr --delete '%') | |
# additionally check correctness of the value - should be an integer | |
FUZZ_COVERAGE_LIMIT=75 | |
if ! [ ${FUZZ_COVERAGE_LIMIT} -le ${COVERAGE} ]; then | |
echo "Fuzzing coverage '${COVERAGE}' does not satisfy the limit ${FUZZ_COVERAGE_LIMIT}%" | |
exit 1 | |
fi | |
- name: Detect new corpus to upload as artifact | |
if: always() | |
run: | | |
ls fuzz/corpus | sort >corpus.txt | |
ls corpus.bak | sort >corpus.bak.txt | |
mkdir -vp new_corpus | |
for f in $(comm -3 corpus.txt corpus.bak.txt); do cp -vf fuzz/corpus/${f} new_corpus/; done | |
echo "NEW_CORPUS=$(ls new_corpus | wc -l)" >> $GITHUB_ENV | |
- name: New corpus upload | |
if: ${{ env.NEW_CORPUS > 0 }} | |
uses: actions/upload-artifact@v3 | |
with: | |
name: new_corpus | |
path: new_corpus | |
- name: Detect crash files | |
if: always() | |
id: crash_detect | |
run: | | |
mkdir -vp crash_corpus | |
CRASH_CORPUS=0 | |
for f in $(find . -maxdepth 1 -regextype 'posix-extended' -regex '.*-[0-9a-f]{40}'); do | |
mv -vf ${f} crash_corpus/ | |
CRASH_CORPUS=$(( 1 + ${CRASH_CORPUS} )) | |
done | |
echo "CRASH_CORPUS=${CRASH_CORPUS}" >> $GITHUB_ENV | |
if [ 0 -ne ${CRASH_CORPUS} ]; then | |
echo "${CRASH_CORPUS} crashes were found" | |
exit 1 | |
fi | |
- name: Crash corpus upload | |
if: ${{ env.CRASH_CORPUS > 0 }} | |
uses: actions/upload-artifact@v3 | |
with: | |
name: crash_corpus | |
path: crash_corpus | |
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # |