SQL Password pattern #3237
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# This workflow performs dynamic analysis of the project with atheris fuzzing framework | |
# Coverage should not be less than with precommitted corpuses | |
# Otherweise fuzzing workaround has to be performed and new corpuses are committed | |
name: Fuzzing | |
on: | |
push: | |
branches: [ main ] | |
pull_request: | |
branches: [ main ] | |
permissions: | |
contents: read | |
jobs: | |
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # | |
fuzz: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 | |
with: | |
egress-policy: audit | |
- name: Checkout | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
with: | |
ref: ${{ github.event.pull_request.head.sha }} | |
- name: Backup corpus | |
run: cp -r fuzz/corpus corpus.bak | |
- name: Set up Python | |
uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1 | |
with: | |
python-version: "3.11" | |
- name: Install dependencies | |
run: | | |
python -m pip install --upgrade pip | |
python -m pip install --requirement requirements.txt | |
python -m pip install --requirement fuzz/requirements.txt | |
- name: Run fuzzing test with COVERAGE | |
id: run_fuzz | |
run: | | |
fuzz/coveraging.sh | |
- name: Store coverage report | |
if: always() | |
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0 | |
with: | |
name: htmlcov | |
path: htmlcov | |
- name: Check coverage of dynamic testing | |
if: always() | |
run: | | |
COVERAGE=$(tail -1 report.txt | awk '{print $6}' | tr --delete '%') | |
# additionally check correctness of the value - should be an integer | |
FUZZ_COVERAGE_LIMIT=75 | |
if ! [ ${FUZZ_COVERAGE_LIMIT} -le ${COVERAGE} ]; then | |
echo "Fuzzing coverage '${COVERAGE}' does not satisfy the limit ${FUZZ_COVERAGE_LIMIT}%" | |
exit 1 | |
fi | |
- name: Detect new corpus to upload as artifact | |
if: always() | |
run: | | |
ls fuzz/corpus | sort >corpus.txt | |
ls corpus.bak | sort >corpus.bak.txt | |
mkdir -vp new_corpus | |
for f in $(comm -3 corpus.txt corpus.bak.txt); do cp -vf fuzz/corpus/${f} new_corpus/; done | |
echo "NEW_CORPUS=$(ls new_corpus | wc -l)" >> $GITHUB_ENV | |
- name: New corpus upload | |
if: ${{ env.NEW_CORPUS > 0 }} | |
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0 | |
with: | |
name: new_corpus | |
path: new_corpus | |
- name: Detect crash files | |
if: always() | |
id: crash_detect | |
run: | | |
mkdir -vp crash_corpus | |
CRASH_CORPUS=0 | |
for f in $(find . -maxdepth 1 -regextype 'posix-extended' -regex '.*-[0-9a-f]{40}'); do | |
mv -vf ${f} crash_corpus/ | |
CRASH_CORPUS=$(( 1 + ${CRASH_CORPUS} )) | |
done | |
echo "CRASH_CORPUS=${CRASH_CORPUS}" >> $GITHUB_ENV | |
if [ 0 -ne ${CRASH_CORPUS} ]; then | |
echo "${CRASH_CORPUS} crashes were found" | |
exit 1 | |
fi | |
- name: Crash corpus upload | |
if: ${{ env.CRASH_CORPUS > 0 }} | |
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0 | |
with: | |
name: crash_corpus | |
path: crash_corpus | |
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # |