Skip to content

SQL Password pattern #3237

SQL Password pattern

SQL Password pattern #3237

Workflow file for this run

# This workflow performs dynamic analysis of the project with atheris fuzzing framework
# Coverage should not be less than with precommitted corpuses
# Otherweise fuzzing workaround has to be performed and new corpuses are committed
name: Fuzzing
on:
push:
branches: [ main ]
pull_request:
branches: [ main ]
permissions:
contents: read
jobs:
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
fuzz:
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
egress-policy: audit
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ github.event.pull_request.head.sha }}
- name: Backup corpus
run: cp -r fuzz/corpus corpus.bak
- name: Set up Python
uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
with:
python-version: "3.11"
- name: Install dependencies
run: |
python -m pip install --upgrade pip
python -m pip install --requirement requirements.txt
python -m pip install --requirement fuzz/requirements.txt
- name: Run fuzzing test with COVERAGE
id: run_fuzz
run: |
fuzz/coveraging.sh
- name: Store coverage report
if: always()
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
with:
name: htmlcov
path: htmlcov
- name: Check coverage of dynamic testing
if: always()
run: |
COVERAGE=$(tail -1 report.txt | awk '{print $6}' | tr --delete '%')
# additionally check correctness of the value - should be an integer
FUZZ_COVERAGE_LIMIT=75
if ! [ ${FUZZ_COVERAGE_LIMIT} -le ${COVERAGE} ]; then
echo "Fuzzing coverage '${COVERAGE}' does not satisfy the limit ${FUZZ_COVERAGE_LIMIT}%"
exit 1
fi
- name: Detect new corpus to upload as artifact
if: always()
run: |
ls fuzz/corpus | sort >corpus.txt
ls corpus.bak | sort >corpus.bak.txt
mkdir -vp new_corpus
for f in $(comm -3 corpus.txt corpus.bak.txt); do cp -vf fuzz/corpus/${f} new_corpus/; done
echo "NEW_CORPUS=$(ls new_corpus | wc -l)" >> $GITHUB_ENV
- name: New corpus upload
if: ${{ env.NEW_CORPUS > 0 }}
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
with:
name: new_corpus
path: new_corpus
- name: Detect crash files
if: always()
id: crash_detect
run: |
mkdir -vp crash_corpus
CRASH_CORPUS=0
for f in $(find . -maxdepth 1 -regextype 'posix-extended' -regex '.*-[0-9a-f]{40}'); do
mv -vf ${f} crash_corpus/
CRASH_CORPUS=$(( 1 + ${CRASH_CORPUS} ))
done
echo "CRASH_CORPUS=${CRASH_CORPUS}" >> $GITHUB_ENV
if [ 0 -ne ${CRASH_CORPUS} ]; then
echo "${CRASH_CORPUS} crashes were found"
exit 1
fi
- name: Crash corpus upload
if: ${{ env.CRASH_CORPUS > 0 }}
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
with:
name: crash_corpus
path: crash_corpus
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #