diff --git a/pkg/fuzz/fuzz_utils.go b/pkg/fuzz/fuzz_utils.go
new file mode 100644
index 000000000..9fb33b31e
--- /dev/null
+++ b/pkg/fuzz/fuzz_utils.go
@@ -0,0 +1,74 @@
+//
+// Copyright 2022 The Sigstore Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package fuzz
+
+import (
+ "net/url"
+ "os"
+ "path/filepath"
+
+ "go.uber.org/zap"
+ "go.uber.org/zap/zapcore"
+
+ fuzz "github.com/AdaLogics/go-fuzz-headers"
+
+ "github.com/sigstore/rekor/pkg/log"
+ "github.com/sigstore/rekor/pkg/types"
+)
+
+func CreateProps(ff *fuzz.ConsumeFuzzer) (types.ArtifactProperties, func(), error) {
+ props := types.ArtifactProperties{}
+ ff.GenerateStruct(&props) //nolint:all
+
+ if props.ArtifactBytes == nil {
+ artifactBytes, err := ff.GetBytes()
+ if err != nil {
+ return props, nil, err
+ }
+ artifactFile, err := os.Create("ArtifactFile")
+ if err != nil {
+ return props, nil, err
+ }
+ defer artifactFile.Close()
+
+ artifactPath, err := filepath.Abs("ArtifactFile")
+ if err != nil {
+ return props, nil, err
+ }
+ artifactURL, err := url.Parse(artifactPath)
+ if err != nil {
+ return props, nil, err
+ }
+ props.ArtifactPath = artifactURL
+
+ _, err = artifactFile.Write(artifactBytes)
+ return props, func() {
+ os.Remove("ArtifactFile")
+ }, err
+
+ }
+ return props, func() {}, nil
+}
+
+func SetFuzzLogger() {
+ config := zap.NewProductionConfig()
+ config.Level = zap.NewAtomicLevelAt(zapcore.FatalLevel)
+ logger, err := config.Build()
+ if err != nil {
+ panic(err)
+ }
+ log.Logger = logger.Named("rekor-fuzz-logger").Sugar()
+}
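Review bot: `CreateProps` writes every artifact to the fixed name `ArtifactFile` in the current working directory and the returned cleanup removes that same name, so two fuzz iterations running in parallel in the same directory (which, as far as I can tell, is how native Go fuzz workers run) can overwrite or delete each other's artifact between `artifactFile.Write` and the caller's read of `props.ArtifactPath`. A per-call `os.CreateTemp` with the cleanup bound to that file's name avoids the collision; and because every caller in this commit does `t.Skip()` on error without ever invoking cleanup, the function should remove the file itself on its error paths, and the `Close` error currently discarded by the `defer` should be folded into the returned error. The `//nolint:all` on `ff.GenerateStruct(&props)` would read better with a reason, e.g. `// a partially filled props is still valid fuzz input, so the error is ignored`. Keeping the signature and the no-artifact branch unchanged, the artifact branch would become:
```go
	if props.ArtifactBytes == nil {
		artifactBytes, err := ff.GetBytes()
		if err != nil {
			return props, nil, err
		}
		// One temp file per call: iterations sharing a working directory
		// must not overwrite or delete each other's artifact.
		artifactFile, err := os.CreateTemp("", "ArtifactFile-*")
		if err != nil {
			return props, nil, err
		}
		cleanup := func() { os.Remove(artifactFile.Name()) }

		artifactPath, err := filepath.Abs(artifactFile.Name())
		if err == nil {
			props.ArtifactPath, err = url.Parse(artifactPath)
		}
		if err == nil {
			_, err = artifactFile.Write(artifactBytes)
		}
		// Close explicitly so a close failure is reported instead of lost in a defer.
		if cerr := artifactFile.Close(); err == nil {
			err = cerr
		}
		// Callers skip on error without running cleanup, so remove the file here.
		if err != nil {
			cleanup()
			return props, nil, err
		}
		return props, cleanup, nil
	}
	// … unchanged: no-artifact branch returning props with a no-op cleanup …
```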
diff --git a/pkg/types/cose/fuzz_test.go b/pkg/types/cose/fuzz_test.go
index 5bdd8eb40..376989963 100644
--- a/pkg/types/cose/fuzz_test.go
+++ b/pkg/types/cose/fuzz_test.go
@@ -17,13 +17,18 @@ package cose import ( "context" + "sync" "testing" + fuzzUtils "github.com/sigstore/rekor/pkg/fuzz" "github.com/sigstore/rekor/pkg/types" ) +var initter sync.Once + func FuzzCreateProposedEntry(f *testing.F) { f.Fuzz(func(t *testing.T, version string) { + initter.Do(fuzzUtils.SetFuzzLogger) ctx := context.Background() brt := New() props := types.ArtifactProperties{}
diff --git a/pkg/types/helm/fuzz_test.go b/pkg/types/helm/v0.0.1/fuzz_test.go
similarity index 73%
rename from pkg/types/helm/fuzz_test.go
rename to pkg/types/helm/v0.0.1/fuzz_test.go
index b97738c63..ad75ef24f 100644
--- a/pkg/types/helm/fuzz_test.go
+++ b/pkg/types/helm/v0.0.1/fuzz_test.go
@@ -17,19 +17,32 @@ package helm import ( "context" + "sync" "testing" fuzz "github.com/AdaLogics/go-fuzz-headers" - "github.com/sigstore/rekor/pkg/types" + fuzzUtils "github.com/sigstore/rekor/pkg/fuzz" + "github.com/sigstore/rekor/pkg/types/helm" ) +var initter sync.Once + func FuzzHelmCreateProposedEntry(f *testing.F) { - f.Fuzz(func(t *testing.T, version string, propsData []byte) { + f.Fuzz(func(t *testing.T, propsData []byte) { + initter.Do(fuzzUtils.SetFuzzLogger) + + version := "0.0.1" + ff := fuzz.NewConsumer(propsData) - props := types.ArtifactProperties{} - ff.GenerateStruct(&props) - it := New() + + props, cleanup, err := fuzzUtils.CreateProps(ff) + if err != nil { + t.Skip() + } + defer cleanup() + + it := helm.New() entry, err := it.CreateProposedEntry(context.Background(), version, props) if err != nil { t.Skip()
diff --git a/pkg/types/intoto/fuzz_test.go b/pkg/types/intoto/v0.0.1/fuzz_test.go
similarity index 73%
rename from pkg/types/intoto/fuzz_test.go
rename to pkg/types/intoto/v0.0.1/fuzz_test.go
index aa9cb0b2d..0909c20b0 100644
--- a/pkg/types/intoto/fuzz_test.go
+++ b/pkg/types/intoto/v0.0.1/fuzz_test.go
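Review bot: `initter.Do(fuzzUtils.SetFuzzLogger)` sits inside the `f.Fuzz` callback, so the `sync.Once` is consulted on every input and each test package now carries an undocumented package-level `initter`. As far as I understand native Go fuzzing, the body of `FuzzCreateProposedEntry` runs once per process before the callback loop starts, so calling `fuzzUtils.SetFuzzLogger()` there, ahead of `f.Fuzz`, would remove both the `Once` and the per-iteration call; if the `Once` is kept, a one-line comment such as `// initter silences the global rekor logger once per fuzz process.` should say why it exists. The same pattern is repeated in the helm, intoto v0.0.1 and v0.0.2, rekord, rfc3161, rpm and tuf hunks. The `f.Fuzz` closure continues outside this hunk.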
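Review bot: The new `if err != nil { t.Skip() }` after `fuzzUtils.CreateProps(ff)` discards the error, so an environmental failure inside `CreateProps` (file creation or `filepath.Abs`, per the fuzz_utils.go hunk) looks exactly like the fuzzer running out of `propsData` in `GetBytes`, and a harness that cannot write its artifact file would skip every input while reporting success. `t.Skipf("creating artifact props: %v", err)` at least records the cause in verbose output; separating the input-exhaustion case from I/O failures would need `CreateProps` to wrap its errors distinguishably. The same unexplained skip appears in the intoto v0.0.1 and v0.0.2, rekord, rfc3161, rpm and tuf hunks. The `f.Fuzz` closure continues outside this hunk.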
@@ -17,19 +17,32 @@ package intoto import ( "context" + "sync" "testing" fuzz "github.com/AdaLogics/go-fuzz-headers" - "github.com/sigstore/rekor/pkg/types" + fuzzUtils "github.com/sigstore/rekor/pkg/fuzz" + "github.com/sigstore/rekor/pkg/types/intoto" ) +var initter sync.Once + func FuzzIntotoCreateProposedEntry(f *testing.F) { - f.Fuzz(func(t *testing.T, version string, propsData []byte) { + f.Fuzz(func(t *testing.T, propsData []byte) { + initter.Do(fuzzUtils.SetFuzzLogger) + + version := "0.0.1" + ff := fuzz.NewConsumer(propsData) - props := types.ArtifactProperties{} - ff.GenerateStruct(&props) - it := New() + + props, cleanup, err := fuzzUtils.CreateProps(ff) + if err != nil { + t.Skip() + } + defer cleanup() + + it := intoto.New() entry, err := it.CreateProposedEntry(context.Background(), version, props) if err != nil { t.Skip()
diff --git a/pkg/types/intoto/v0.0.2/fuzz_test.go b/pkg/types/intoto/v0.0.2/fuzz_test.go
new file mode 100644
index 000000000..cfbacc388
--- /dev/null
+++ b/pkg/types/intoto/v0.0.2/fuzz_test.go
@@ -0,0 +1,55 @@
+//
+// Copyright 2022 The Sigstore Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package intoto
+
+import (
+ "context"
+ "sync"
+ "testing"
+
+ fuzz "github.com/AdaLogics/go-fuzz-headers"
+
+ fuzzUtils "github.com/sigstore/rekor/pkg/fuzz"
+ "github.com/sigstore/rekor/pkg/types/intoto"
+)
+
+var initter sync.Once
+
+func FuzzIntotoCreateProposedEntry(f *testing.F) {
+ f.Fuzz(func(t *testing.T, propsData []byte) {
+ initter.Do(fuzzUtils.SetFuzzLogger)
+
+ version := "0.0.2"
+
+ ff := fuzz.NewConsumer(propsData)
+
+ props, cleanup, err := fuzzUtils.CreateProps(ff)
+ if err != nil {
+ t.Skip()
+ }
+ defer cleanup()
+
+ it := intoto.New()
+ entry, err := it.CreateProposedEntry(context.Background(), version, props)
+ if err != nil {
+ t.Skip()
+ }
+ _, err = it.UnmarshalEntry(entry)
+ if err != nil {
+ t.Skip()
+ }
+ })
+}
diff --git a/pkg/types/rekord/fuzz_test.go b/pkg/types/rekord/v0.0.1/fuzz_test.go
similarity index 73%
rename from pkg/types/rekord/fuzz_test.go
rename to pkg/types/rekord/v0.0.1/fuzz_test.go
index d5bd3f905..c16a26f66 100644
--- a/pkg/types/rekord/fuzz_test.go
+++ b/pkg/types/rekord/v0.0.1/fuzz_test.go
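Review bot: The value returned by `it.UnmarshalEntry(entry)` is discarded, so this target can only surface panics in `CreateProposedEntry` and `UnmarshalEntry`, never a logic error in the round trip. Asserting a property of the unmarshalled entry against what was fed in (for instance that it reports the same API version as `version`, if the entry type exposes that) would give the fuzzer an oracle rather than a crash detector. A doc comment on `FuzzIntotoCreateProposedEntry`, e.g. `// FuzzIntotoCreateProposedEntry round-trips fuzzer-generated artifact properties through the 0.0.2 intoto entry type.`, would also help, since the exported name does not mention the version the way the oss_fuzz.sh entry does.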
@@ -17,19 +17,32 @@ package rekord import ( "context" + "sync" "testing" fuzz "github.com/AdaLogics/go-fuzz-headers" - "github.com/sigstore/rekor/pkg/types" + fuzzUtils "github.com/sigstore/rekor/pkg/fuzz" + "github.com/sigstore/rekor/pkg/types/rekord" ) +var initter sync.Once + func FuzzRekordCreateProposedEntry(f *testing.F) { - f.Fuzz(func(t *testing.T, version string, propsData []byte) { + f.Fuzz(func(t *testing.T, propsData []byte) { + initter.Do(fuzzUtils.SetFuzzLogger) + + version := "0.0.1" + ff := fuzz.NewConsumer(propsData) - props := types.ArtifactProperties{} - ff.GenerateStruct(&props) - it := New() + + props, cleanup, err := fuzzUtils.CreateProps(ff) + if err != nil { + t.Skip() + } + defer cleanup() + + it := rekord.New() entry, err := it.CreateProposedEntry(context.Background(), version, props) if err != nil { t.Skip()
diff --git a/pkg/types/rfc3161/fuzz_test.go b/pkg/types/rfc3161/v0.0.1/fuzz_test.go
similarity index 72%
rename from pkg/types/rfc3161/fuzz_test.go
rename to pkg/types/rfc3161/v0.0.1/fuzz_test.go
index 583b69485..87d2a3df0 100644
--- a/pkg/types/rfc3161/fuzz_test.go
+++ b/pkg/types/rfc3161/v0.0.1/fuzz_test.go
@@ -17,19 +17,32 @@ package rfc3161 import ( "context" + "sync" "testing" fuzz "github.com/AdaLogics/go-fuzz-headers" - "github.com/sigstore/rekor/pkg/types" + fuzzUtils "github.com/sigstore/rekor/pkg/fuzz" + "github.com/sigstore/rekor/pkg/types/rfc3161" ) +var initter sync.Once + func FuzzRfc3161CreateProposedEntry(f *testing.F) { - f.Fuzz(func(t *testing.T, version string, propsData []byte) { + f.Fuzz(func(t *testing.T, propsData []byte) { + initter.Do(fuzzUtils.SetFuzzLogger) + + version := "0.0.1" + ff := fuzz.NewConsumer(propsData) - props := types.ArtifactProperties{} - ff.GenerateStruct(&props) - it := New() + + props, cleanup, err := fuzzUtils.CreateProps(ff) + if err != nil { + t.Skip() + } + defer cleanup() + + it := rfc3161.New() entry, err := it.CreateProposedEntry(context.Background(), version, props) if err != nil { t.Skip()
diff --git a/pkg/types/rpm/fuzz_test.go b/pkg/types/rpm/v0.0.1/fuzz_test.go
similarity index 73%
rename from pkg/types/rpm/fuzz_test.go
rename to pkg/types/rpm/v0.0.1/fuzz_test.go
index df72c7286..fbb77fd87 100644
--- a/pkg/types/rpm/fuzz_test.go
+++ b/pkg/types/rpm/v0.0.1/fuzz_test.go
@@ -17,19 +17,32 @@ package rpm import ( "context" + "sync" "testing" fuzz "github.com/AdaLogics/go-fuzz-headers" - "github.com/sigstore/rekor/pkg/types" + fuzzUtils "github.com/sigstore/rekor/pkg/fuzz" + "github.com/sigstore/rekor/pkg/types/rpm" ) +var initter sync.Once + func FuzzRpmCreateProposedEntry(f *testing.F) { - f.Fuzz(func(t *testing.T, version string, propsData []byte) { + f.Fuzz(func(t *testing.T, propsData []byte) { + initter.Do(fuzzUtils.SetFuzzLogger) + + version := "0.0.1" + ff := fuzz.NewConsumer(propsData) - props := types.ArtifactProperties{} - ff.GenerateStruct(&props) - it := New() + + props, cleanup, err := fuzzUtils.CreateProps(ff) + if err != nil { + t.Skip() + } + defer cleanup() + + it := rpm.New() entry, err := it.CreateProposedEntry(context.Background(), version, props) if err != nil { t.Skip()
diff --git a/pkg/types/tuf/fuzz_test.go b/pkg/types/tuf/v0.0.1/fuzz_test.go
similarity index 73%
rename from pkg/types/tuf/fuzz_test.go
rename to pkg/types/tuf/v0.0.1/fuzz_test.go
index 477dd0a01..44ba59e99 100644
--- a/pkg/types/tuf/fuzz_test.go
+++ b/pkg/types/tuf/v0.0.1/fuzz_test.go
@@ -17,19 +17,32 @@ package tuf import ( "context" + "sync" "testing" fuzz "github.com/AdaLogics/go-fuzz-headers" - "github.com/sigstore/rekor/pkg/types" + fuzzUtils "github.com/sigstore/rekor/pkg/fuzz" + "github.com/sigstore/rekor/pkg/types/tuf" ) +var initter sync.Once + func FuzzTufCreateProposedEntry(f *testing.F) { - f.Fuzz(func(t *testing.T, version string, propsData []byte) { + f.Fuzz(func(t *testing.T, propsData []byte) { + initter.Do(fuzzUtils.SetFuzzLogger) + + version := "0.0.1" + ff := fuzz.NewConsumer(propsData) - props := types.ArtifactProperties{} - ff.GenerateStruct(&props) - it := New() + + props, cleanup, err := fuzzUtils.CreateProps(ff) + if err != nil { + t.Skip() + } + defer cleanup() + + it := tuf.New() entry, err := it.CreateProposedEntry(context.Background(), version, props) if err != nil { t.Skip()
diff --git a/tests/oss_fuzz.sh b/tests/oss_fuzz.sh
index b99fc715f..84253b187 100644
--- a/tests/oss_fuzz.sh
+++ b/tests/oss_fuzz.sh
@@ -30,9 +30,10 @@ compile_native_go_fuzzer github.com/sigstore/rekor/pkg/types/cose FuzzCreateProp
 compile_native_go_fuzzer github.com/sigstore/rekor/pkg/types/alpine FuzzPackageUnmarshal FuzzPackageUnmarshal
 compile_native_go_fuzzer github.com/sigstore/rekor/pkg/types/jar FuzzJarUnmarshal FuzzJarUnmarshal
 compile_native_go_fuzzer github.com/sigstore/rekor/pkg/types/hashedrekord FuzzHashedRekord FuzzHashedRekord
-compile_native_go_fuzzer github.com/sigstore/rekor/pkg/types/intoto FuzzIntotoCreateProposedEntry FuzzIntotoCreateProposedEntry
-compile_native_go_fuzzer github.com/sigstore/rekor/pkg/types/tuf FuzzTufCreateProposedEntry FuzzTufCreateProposedEntry
-compile_native_go_fuzzer github.com/sigstore/rekor/pkg/types/rfc3161 FuzzRfc3161CreateProposedEntry FuzzRfc3161CreateProposedEntry
-compile_native_go_fuzzer github.com/sigstore/rekor/pkg/types/rpm FuzzRpmCreateProposedEntry FuzzRpmCreateProposedEntry
-compile_native_go_fuzzer github.com/sigstore/rekor/pkg/types/helm FuzzHelmCreateProposedEntry FuzzHelmCreateProposedEntry
-compile_native_go_fuzzer github.com/sigstore/rekor/pkg/types/rekord FuzzRekordCreateProposedEntry FuzzRekordCreateProposedEntry
+compile_native_go_fuzzer github.com/sigstore/rekor/pkg/types/intoto/v0.0.1 FuzzIntotoCreateProposedEntry FuzzIntotoCreateProposedEntry_v001
+compile_native_go_fuzzer github.com/sigstore/rekor/pkg/types/intoto/v0.0.2 FuzzIntotoCreateProposedEntry FuzzIntotoCreateProposedEntry_v002
+compile_native_go_fuzzer github.com/sigstore/rekor/pkg/types/tuf/v0.0.1 FuzzTufCreateProposedEntry FuzzTufCreateProposedEntry
+compile_native_go_fuzzer github.com/sigstore/rekor/pkg/types/rfc3161/v0.0.1 FuzzRfc3161CreateProposedEntry FuzzRfc3161CreateProposedEntry
+compile_native_go_fuzzer github.com/sigstore/rekor/pkg/types/rpm/v0.0.1 FuzzRpmCreateProposedEntry FuzzRpmCreateProposedEntry
+compile_native_go_fuzzer github.com/sigstore/rekor/pkg/types/helm/v0.0.1 FuzzHelmCreateProposedEntry FuzzHelmCreateProposedEntry
+compile_native_go_fuzzer github.com/sigstore/rekor/pkg/types/rekord/v0.0.1 FuzzRekordCreateProposedEntry FuzzRekordCreateProposedEntry
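Review bot: Only the two intoto targets get version-suffixed fuzzer names (`FuzzIntotoCreateProposedEntry_v001`, `_v002`) while the tuf, rfc3161, rpm, helm and rekord targets keep their unsuffixed names even though they now also build from a `v0.0.1` package; the first of those types to gain a second version will hit the same name collision intoto just did. Suffixing all of them now, e.g. `FuzzTufCreateProposedEntry_v001`, keeps the scheme uniform and, as far as I know, avoids a second corpus-resetting rename on OSS-Fuzz later. A one-line comment above the block noting that the last argument is the OSS-Fuzz target name and must stay unique across versions would make the convention explicit.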