From 12a5dad491f16e194404171e698d5c5ccd8a769b Mon Sep 17 00:00:00 2001 From: David Korczynski Date: Sat, 11 Nov 2023 15:47:24 +0000 Subject: [PATCH] Remove OneFuzz from fuzzing checks This is removed because OneFuzz has been archived https://github.com/microsoft/onefuzz Signed-off-by: David Korczynski --- checks/evaluation/fuzzing.go | 2 - checks/evaluation/fuzzing_test.go | 18 +--- checks/fuzzing_test.go | 6 +- checks/raw/fuzzing.go | 32 ------ checks/raw/fuzzing_test.go | 59 ----------- docs/checks.md | 1 - docs/checks/internal/checks.yaml | 1 - e2e/fuzzing_test.go | 2 +- probes/entries.go | 2 - probes/fuzzedWithOneFuzz/def.yml | 32 ------ probes/fuzzedWithOneFuzz/impl.go | 39 ------- probes/fuzzedWithOneFuzz/impl_test.go | 144 -------------------------- 12 files changed, 5 insertions(+), 333 deletions(-) delete mode 100644 probes/fuzzedWithOneFuzz/def.yml delete mode 100644 probes/fuzzedWithOneFuzz/impl.go delete mode 100644 probes/fuzzedWithOneFuzz/impl_test.go diff --git a/checks/evaluation/fuzzing.go b/checks/evaluation/fuzzing.go index 132dda90df3..4b8308eaa23 100644 --- a/checks/evaluation/fuzzing.go +++ b/checks/evaluation/fuzzing.go @@ -24,7 +24,6 @@ import ( "github.com/ossf/scorecard/v4/probes/fuzzedWithGoNative" "github.com/ossf/scorecard/v4/probes/fuzzedWithJavaJazzerFuzzer" "github.com/ossf/scorecard/v4/probes/fuzzedWithOSSFuzz" - "github.com/ossf/scorecard/v4/probes/fuzzedWithOneFuzz" "github.com/ossf/scorecard/v4/probes/fuzzedWithPropertyBasedHaskell" "github.com/ossf/scorecard/v4/probes/fuzzedWithPropertyBasedJavascript" "github.com/ossf/scorecard/v4/probes/fuzzedWithPropertyBasedTypescript" @@ -47,7 +46,6 @@ func Fuzzing(name string, fuzzedWithRustCargofuzz.Probe, fuzzedWithSwiftLibFuzzer.Probe, fuzzedWithJavaJazzerFuzzer.Probe, - fuzzedWithOneFuzz.Probe, fuzzedWithOSSFuzz.Probe, fuzzedWithPropertyBasedHaskell.Probe, fuzzedWithPropertyBasedJavascript.Probe, diff --git a/checks/evaluation/fuzzing_test.go b/checks/evaluation/fuzzing_test.go index 85018eadb25..5c06f49da73 100644 --- a/checks/evaluation/fuzzing_test.go +++ b/checks/evaluation/fuzzing_test.go @@ -64,10 +64,6 @@ func TestFuzzing(t *testing.T) { Probe: "fuzzedWithJavaJazzerFuzzer", Outcome: finding.OutcomeNegative, }, - { - Probe: "fuzzedWithOneFuzz", - Outcome: finding.OutcomeNegative, - }, { Probe: "fuzzedWithOSSFuzz", Outcome: finding.OutcomeNegative, @@ -87,7 +83,7 @@ func TestFuzzing(t *testing.T) { }, result: scut.TestReturn{ Score: checker.MinResultScore, - NumberOfWarn: 13, + NumberOfWarn: 12, }, }, { @@ -125,10 +121,6 @@ func TestFuzzing(t *testing.T) { Probe: "fuzzedWithJavaJazzerFuzzer", Outcome: finding.OutcomeNegative, }, - { - Probe: "fuzzedWithOneFuzz", - Outcome: finding.OutcomeNegative, - }, { Probe: "fuzzedWithOSSFuzz", Outcome: finding.OutcomeNegative, @@ -159,10 +151,6 @@ func TestFuzzing(t *testing.T) { Probe: "fuzzedWithClusterFuzzLite", Outcome: finding.OutcomeNegative, }, - { - Probe: "fuzzedWithOneFuzz", - Outcome: finding.OutcomeNegative, - }, { Probe: "fuzzedWithOSSFuzz", Outcome: finding.OutcomeNegative, @@ -196,10 +184,6 @@ func TestFuzzing(t *testing.T) { Probe: "fuzzedWithGoNative", Outcome: finding.OutcomePositive, }, - { - Probe: "fuzzedWithOneFuzz", - Outcome: finding.OutcomeNegative, - }, { Probe: "fuzzedWithOSSFuzz", Outcome: finding.OutcomeNegative, diff --git a/checks/fuzzing_test.go b/checks/fuzzing_test.go index dd2f3a17994..6b031fa5c30 100644 --- a/checks/fuzzing_test.go +++ b/checks/fuzzing_test.go @@ -53,7 +53,7 @@ func TestFuzzing(t *testing.T) { wantErr: false, expected: scut.TestReturn{ Error: nil, - NumberOfWarn: 13, + NumberOfWarn: 12, NumberOfDebug: 0, NumberOfInfo: 0, Score: 0, @@ -110,7 +110,7 @@ func TestFuzzing(t *testing.T) { wantFuzzErr: false, expected: scut.TestReturn{ Error: nil, - NumberOfWarn: 13, + NumberOfWarn: 12, NumberOfDebug: 0, NumberOfInfo: 0, Score: 0, @@ -121,7 +121,7 @@ func TestFuzzing(t *testing.T) { wantFuzzErr: true, expected: scut.TestReturn{ Error: nil, - NumberOfWarn: 13, + NumberOfWarn: 12, NumberOfDebug: 0, NumberOfInfo: 0, Score: 0, diff --git a/checks/raw/fuzzing.go b/checks/raw/fuzzing.go index efd61a53915..a260fcf42a5 100644 --- a/checks/raw/fuzzing.go +++ b/checks/raw/fuzzing.go @@ -30,7 +30,6 @@ import ( const ( fuzzerOSSFuzz = "OSSFuzz" fuzzerClusterFuzzLite = "ClusterFuzzLite" - oneFuzz = "OneFuzz" fuzzerBuiltInGo = "GoBuiltInFuzzer" fuzzerPropertyBasedHaskell = "HaskellPropertyBasedTesting" fuzzerPropertyBasedJavaScript = "JavaScriptPropertyBasedTesting" @@ -181,21 +180,6 @@ func Fuzzing(c *checker.CheckRequest) (checker.FuzzingData, error) { ) } - usingOneFuzz, e := checkOneFuzz(c) - if e != nil { - return checker.FuzzingData{}, fmt.Errorf("%w", e) - } - if usingOneFuzz { - fuzzers = append(fuzzers, - checker.Tool{ - Name: oneFuzz, - URL: asPointer("https://github.com/microsoft/onefuzz"), - Desc: asPointer("Enables continuous developer-driven fuzzing to proactively harden software prior to release."), - // TODO: File. - }, - ) - } - usingOSSFuzz, e := checkOSSFuzz(c) if e != nil { return checker.FuzzingData{}, fmt.Errorf("%w", e) @@ -251,22 +235,6 @@ func checkCFLite(c *checker.CheckRequest) (bool, error) { return result, nil } -func checkOneFuzz(c *checker.CheckRequest) (bool, error) { - result := false - e := fileparser.OnMatchingFileContentDo(c.RepoClient, fileparser.PathMatcher{ - Pattern: "^\\.onefuzz$", - CaseSensitive: true, - }, func(path string, content []byte, args ...interface{}) (bool, error) { - result = true - return false, nil - }, nil) - if e != nil { - return result, fmt.Errorf("%w", e) - } - - return result, nil -} - func checkOSSFuzz(c *checker.CheckRequest) (bool, error) { if c.OssFuzzRepo == nil { return false, nil diff --git a/checks/raw/fuzzing_test.go b/checks/raw/fuzzing_test.go index fc8651a3dc3..d2b855c30e1 100644 --- a/checks/raw/fuzzing_test.go +++ b/checks/raw/fuzzing_test.go @@ -103,65 +103,6 @@ func Test_checkOSSFuzz(t *testing.T) { } } -// Test_checkOneFuzz is a test function for checkOneFuzz. -func Test_checkOneFuzz(t *testing.T) { - t.Parallel() - //nolint - tests := []struct { - name string - want bool - wantErr bool - fileName []string - }{ - { - name: "Test_checkOneFuzz success", - want: true, - wantErr: false, - fileName: []string{".onefuzz"}, - }, - { - name: "Test_checkOneFuzz not found", - want: false, - wantErr: false, - fileName: []string{}, - }, - { - name: "Test_checkOneFuzz failure", - want: false, - wantErr: true, - fileName: []string{".onefuzz"}, - }, - } - for _, tt := range tests { - tt := tt - t.Run(tt.name, func(t *testing.T) { - t.Parallel() - ctrl := gomock.NewController(t) - defer ctrl.Finish() - mockFuzz := mockrepo.NewMockRepoClient(ctrl) - mockFuzz.EXPECT().ListFiles(gomock.Any()).Return(tt.fileName, nil).AnyTimes() - mockFuzz.EXPECT().GetFileContent(gomock.Any()).DoAndReturn(func(f string) (string, error) { - if tt.wantErr { - //nolint - return "", errors.New("error") - } - return "", nil - }).AnyTimes() - req := checker.CheckRequest{ - RepoClient: mockFuzz, - } - got, err := checkOneFuzz(&req) - if (err != nil) != tt.wantErr { - t.Errorf("checkOneFuzz() error = %v, wantErr %v", err, tt.wantErr) - return - } - if got != tt.want { - t.Errorf("checkOneFuzz() = %v, want %v for test %v", got, tt.want, tt.name) - } - }) - } -} - // Test_checkCFLite is a test function for checkCFLite. func Test_checkCFLite(t *testing.T) { t.Parallel() diff --git a/docs/checks.md b/docs/checks.md index 88248e88d66..9a8fa379866 100644 --- a/docs/checks.md +++ b/docs/checks.md @@ -342,7 +342,6 @@ This check tries to determine if the project uses - currently only supports [Go fuzzing](https://go.dev/doc/fuzz/), - a limited set of property-based testing libraries for Haskell including [QuickCheck](https://hackage.haskell.org/package/QuickCheck), [Hedgehog](https://hedgehog.qa/), [validity](https://hackage.haskell.org/package/validity) or [SmallCheck](https://hackage.haskell.org/package/smallcheck), - a limited set of property-based testing libraries for JavaScript and TypeScript including [fast-check](https://fast-check.dev/). -4. if it contains a [OneFuzz](https://github.com/microsoft/onefuzz) integration [detection file](https://github.com/microsoft/onefuzz/blob/main/docs/getting-started.md#detecting-the-use-of-onefuzz); Fuzzing, or fuzz testing, is the practice of feeding unexpected or random data into a program to expose bugs. Regular fuzzing is important to detect diff --git a/docs/checks/internal/checks.yaml b/docs/checks/internal/checks.yaml index 5d08a6ce9a3..2ec49840581 100644 --- a/docs/checks/internal/checks.yaml +++ b/docs/checks/internal/checks.yaml @@ -402,7 +402,6 @@ checks: - currently only supports [Go fuzzing](https://go.dev/doc/fuzz/), - a limited set of property-based testing libraries for Haskell including [QuickCheck](https://hackage.haskell.org/package/QuickCheck), [Hedgehog](https://hedgehog.qa/), [validity](https://hackage.haskell.org/package/validity) or [SmallCheck](https://hackage.haskell.org/package/smallcheck), - a limited set of property-based testing libraries for JavaScript and TypeScript including [fast-check](https://fast-check.dev/). - 4. if it contains a [OneFuzz](https://github.com/microsoft/onefuzz) integration [detection file](https://github.com/microsoft/onefuzz/blob/main/docs/getting-started.md#detecting-the-use-of-onefuzz); Fuzzing, or fuzz testing, is the practice of feeding unexpected or random data into a program to expose bugs. Regular fuzzing is important to detect diff --git a/e2e/fuzzing_test.go b/e2e/fuzzing_test.go index 25935731092..c93c951e497 100644 --- a/e2e/fuzzing_test.go +++ b/e2e/fuzzing_test.go @@ -192,7 +192,7 @@ var _ = Describe("E2E TEST:"+checks.CheckFuzzing, func() { expected := scut.TestReturn{ Error: nil, Score: checker.MinResultScore, - NumberOfWarn: 13, + NumberOfWarn: 12, NumberOfInfo: 0, NumberOfDebug: 0, } diff --git a/probes/entries.go b/probes/entries.go index c83e7338365..daec6474ce6 100644 --- a/probes/entries.go +++ b/probes/entries.go @@ -24,7 +24,6 @@ import ( "github.com/ossf/scorecard/v4/probes/fuzzedWithGoNative" "github.com/ossf/scorecard/v4/probes/fuzzedWithJavaJazzerFuzzer" "github.com/ossf/scorecard/v4/probes/fuzzedWithOSSFuzz" - "github.com/ossf/scorecard/v4/probes/fuzzedWithOneFuzz" "github.com/ossf/scorecard/v4/probes/fuzzedWithPropertyBasedHaskell" "github.com/ossf/scorecard/v4/probes/fuzzedWithPropertyBasedJavascript" "github.com/ossf/scorecard/v4/probes/fuzzedWithPropertyBasedTypescript" @@ -73,7 +72,6 @@ var ( } Fuzzing = []ProbeImpl{ fuzzedWithOSSFuzz.Run, - fuzzedWithOneFuzz.Run, fuzzedWithGoNative.Run, fuzzedWithPythonAtheris.Run, fuzzedWithCLibFuzzer.Run, diff --git a/probes/fuzzedWithOneFuzz/def.yml b/probes/fuzzedWithOneFuzz/def.yml deleted file mode 100644 index 8fb87a8f5ea..00000000000 --- a/probes/fuzzedWithOneFuzz/def.yml +++ /dev/null @@ -1,32 +0,0 @@ -# Copyright 2023 OpenSSF Scorecard Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -id: fuzzedWithOneFuzz -short: Check that the project is fuzzed using OneFuzz -motivation: > - Fuzzing, or fuzz testing, is the practice of feeding unexpected or random data into a program to expose bugs. - Regular fuzzing is important to detect vulnerabilities that may be exploited by others, especially since attackers can also use fuzzing to find the same flaws. -implementation: > - The implementation checks if the file '.onefuzz' is present in the source code files. -outcome: - - If the file is found, one finding is returned with OutcomePositive (1). - - If the file is not found, one finding with OutcomeNegative (0) is returned. -remediation: - effort: High - text: - - Follow the steps in https://github.com/microsoft/onefuzz to start fuzzing for your project. - - Over time, try to add fuzzing for more functionalities of your project. - markdown: - - Follow the steps in [https://github.com/microsoft/onefuzz](https://github.com/microsoft/onefuzz) to start fuzzing for your project. - - Over time, try to add fuzzing for more functionalities of your project. \ No newline at end of file diff --git a/probes/fuzzedWithOneFuzz/impl.go b/probes/fuzzedWithOneFuzz/impl.go deleted file mode 100644 index bcc3645b3ff..00000000000 --- a/probes/fuzzedWithOneFuzz/impl.go +++ /dev/null @@ -1,39 +0,0 @@ -// Copyright 2023 OpenSSF Scorecard Authors -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -// nolint:stylecheck -package fuzzedWithOneFuzz - -import ( - "embed" - "fmt" - - "github.com/ossf/scorecard/v4/checker" - "github.com/ossf/scorecard/v4/finding" - "github.com/ossf/scorecard/v4/probes/internal/utils/fuzzing" - "github.com/ossf/scorecard/v4/probes/internal/utils/uerror" -) - -//go:embed *.yml -var fs embed.FS - -var Probe = "fuzzedWithOneFuzz" - -func Run(raw *checker.RawResults) ([]finding.Finding, string, error) { - if raw == nil { - return nil, "", fmt.Errorf("%w: raw", uerror.ErrNil) - } - //nolint:wrapcheck - return fuzzing.Run(raw, fs, Probe, "OneFuzz") -} diff --git a/probes/fuzzedWithOneFuzz/impl_test.go b/probes/fuzzedWithOneFuzz/impl_test.go deleted file mode 100644 index f71fefda910..00000000000 --- a/probes/fuzzedWithOneFuzz/impl_test.go +++ /dev/null @@ -1,144 +0,0 @@ -// Copyright 2023 OpenSSF Scorecard Authors -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -// nolint:stylecheck -package fuzzedWithOneFuzz - -import ( - "testing" - - "github.com/google/go-cmp/cmp" - "github.com/google/go-cmp/cmp/cmpopts" - - "github.com/ossf/scorecard/v4/checker" - "github.com/ossf/scorecard/v4/finding" - "github.com/ossf/scorecard/v4/probes/internal/utils/uerror" -) - -func Test_Run(t *testing.T) { - t.Parallel() - // nolint:govet - tests := []struct { - name string - raw *checker.RawResults - outcomes []finding.Outcome - err error - }{ - { - name: "fuzzer present", - raw: &checker.RawResults{ - FuzzingResults: checker.FuzzingData{ - Fuzzers: []checker.Tool{ - { - Name: "OneFuzz", - }, - }, - }, - }, - outcomes: []finding.Outcome{ - finding.OutcomePositive, - }, - }, - { - name: "fuzzer present twice", - raw: &checker.RawResults{ - FuzzingResults: checker.FuzzingData{ - Fuzzers: []checker.Tool{ - { - Name: "OneFuzz", - }, - { - Name: "OneFuzz", - }, - }, - }, - }, - outcomes: []finding.Outcome{ - finding.OutcomePositive, - finding.OutcomePositive, - }, - }, - { - name: "fuzzer present and other present", - raw: &checker.RawResults{ - FuzzingResults: checker.FuzzingData{ - Fuzzers: []checker.Tool{ - { - Name: "OneFuzz", - }, - { - Name: "not-OneFuzz", - }, - }, - }, - }, - outcomes: []finding.Outcome{ - finding.OutcomePositive, - }, - }, - { - name: "fuzzer not present", - raw: &checker.RawResults{ - FuzzingResults: checker.FuzzingData{ - Fuzzers: []checker.Tool{ - { - Name: "not-OneFuzz", - }, - }, - }, - }, - outcomes: []finding.Outcome{ - finding.OutcomeNegative, - }, - }, - { - name: "no fuzzer", - raw: &checker.RawResults{}, - outcomes: []finding.Outcome{ - finding.OutcomeNegative, - }, - }, - { - name: "nil raw", - err: uerror.ErrNil, - }, - } - for _, tt := range tests { - tt := tt // Re-initializing variable so it is not changed while executing the closure below - t.Run(tt.name, func(t *testing.T) { - t.Parallel() - - findings, s, err := Run(tt.raw) - if !cmp.Equal(tt.err, err, cmpopts.EquateErrors()) { - t.Errorf("mismatch (-want +got):\n%s", cmp.Diff(tt.err, err, cmpopts.EquateErrors())) - } - if err != nil { - return - } - if diff := cmp.Diff(Probe, s); diff != "" { - t.Errorf("mismatch (-want +got):\n%s", diff) - } - if diff := cmp.Diff(len(tt.outcomes), len(findings)); diff != "" { - t.Errorf("mismatch (-want +got):\n%s", diff) - } - for i := range tt.outcomes { - outcome := &tt.outcomes[i] - f := &findings[i] - if diff := cmp.Diff(*outcome, f.Outcome); diff != "" { - t.Errorf("mismatch (-want +got):\n%s", diff) - } - } - }) - } -}