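---
# ClusterFuzzLite continuous fuzzing for this repository.
#
# Job graph:
#   Build ──► PR-Fuzzing     (pull_request only: short code-change fuzzing + SARIF upload)
#         ──► Batch-Fuzzing  (push / schedule / manual: longer batch fuzzing)
#         ──► Summary        (always: writes the job summary once the fuzz jobs are done)
name: ClusterFuzzLite Continuous Fuzzing

"on":
  workflow_dispatch:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    # Run fuzzing twice daily (2 AM and 2 PM UTC)
    - cron: '0 2,14 * * *'

# Default for every job: a read-only GITHUB_TOKEN. The one job that needs a
# write scope (PR-Fuzzing, for the SARIF upload) declares its own block below;
# note that a job-level `permissions` replaces this set rather than extending it.
permissions: read-all

jobs:
  # Build fuzzers for fuzzing
  Build:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        sanitizer:
          - address
          - undefined
    steps:
      - name: Build Fuzzers (${{ matrix.sanitizer }})
        id: build
        uses: google/clusterfuzzlite/actions/build_fuzzers@v1
        with:
          language: python
          sanitizer: ${{ matrix.sanitizer }}
      # Diagnostic only: shows in the log what the build produced, so an empty
      # build-out/ is visible before the artifact is uploaded.
      - name: Check Build Output
        run: |
          echo "Checking build output directory..."
          ls -laR build-out/ || echo "build-out directory not found or empty"
          if [ -d "build-out" ]; then
            echo "Files in build-out:"
            find build-out -type f -name "fuzz_*" || echo "No fuzz targets found"
          fi
      - name: Upload Build Artifacts
        uses: actions/upload-artifact@v4
        with:
          name: fuzzers-${{ matrix.sanitizer }}
          path: build-out/
          retention-days: 7

  # Run fuzzers on PRs
  PR-Fuzzing:
    if: github.event_name == 'pull_request'
    needs: Build
    runs-on: ubuntu-latest
    # github/codeql-action/upload-sarif requires `security-events: write`, which
    # the workflow-level `read-all` does not grant, so the upload step below used
    # to fail with a 403. `actions: read` keeps the artifact download working and
    # `contents: read` keeps the repository checkout working.
    # NOTE: GitHub issues a read-only token for pull_request runs from forks, so
    # the SARIF upload can only succeed for same-repository branches.
    permissions:
      actions: read
      contents: read
      security-events: write
    strategy:
      fail-fast: false
      matrix:
        sanitizer:
          - address
          - undefined
        # NOTE(review): run_fuzzers takes no per-target input, so each matrix
        # entry appears to run every target found in build-out/ and the `fuzzer`
        # axis only changes the artifact name — confirm, and drop the axis if
        # the 3x duplication is unintended.
        fuzzer:
          - fuzz_crypto
          - fuzz_fingerprint
          - fuzz_storage
    steps:
      - name: Download Build Artifacts
        uses: actions/download-artifact@v4
        with:
          name: fuzzers-${{ matrix.sanitizer }}
          path: build-out/
      # Artifacts do not preserve file modes; the fuzz targets must be executable.
      - name: Restore Executable Permissions
        run: chmod +x build-out/* || true
      - name: Run Fuzzing (${{ matrix.fuzzer }}, ${{ matrix.sanitizer }})
        id: run_fuzzer
        uses: google/clusterfuzzlite/actions/run_fuzzers@v1
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          fuzz-seconds: 300 # 5 minutes per fuzzer on PRs
          mode: 'code-change'
          sanitizer: ${{ matrix.sanitizer }}
          parallel-fuzzing: true
          output-sarif: true
      - name: Upload Crash Artifacts
        if: always() && steps.run_fuzzer.outputs.crash-found == 'true'
        uses: actions/upload-artifact@v4
        with:
          name: crashes-${{ matrix.fuzzer }}-${{ matrix.sanitizer }}
          path: out/
          retention-days: 30
      - name: Upload SARIF Results
        if: always() && steps.run_fuzzer.outputs.sarif-output != ''
        # codeql-action v2 is deprecated; v3 is the supported major version.
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: ${{ steps.run_fuzzer.outputs.sarif-output }}
          category: clusterfuzzlite-${{ matrix.sanitizer }}

  # Batch fuzzing on schedule/push
  Batch-Fuzzing:
    if: github.event_name != 'pull_request'
    needs: Build
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        sanitizer:
          - address
          - undefined
    steps:
      - name: Download Build Artifacts
        uses: actions/download-artifact@v4
        with:
          name: fuzzers-${{ matrix.sanitizer }}
          path: build-out/
      # Artifacts do not preserve file modes; the fuzz targets must be executable.
      - name: Restore Executable Permissions
        run: chmod +x build-out/* || true
      - name: Run Batch Fuzzing (${{ matrix.sanitizer }})
        id: run_batch
        uses: google/clusterfuzzlite/actions/run_fuzzers@v1
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          fuzz-seconds: 600 # 10 minutes per sanitizer (reduced from 30)
          mode: 'batch'
          sanitizer: ${{ matrix.sanitizer }}
          parallel-fuzzing: true
          minimize-crashes: true # Minimize crash testcases to reduce noise
      - name: Upload Crash Artifacts
        if: always() && steps.run_batch.outputs.crash-found == 'true'
        uses: actions/upload-artifact@v4
        with:
          name: crashes-batch-${{ matrix.sanitizer }}-${{ github.run_number }}
          path: out/
          retention-days: 90

  # Summary report
  Summary:
    # Depends on every fuzzing job so the summary is written after they finish;
    # `always()` keeps it running when a needed job failed or was skipped
    # (PR-Fuzzing and Batch-Fuzzing are mutually exclusive by trigger).
    if: always()
    needs: [Build, PR-Fuzzing, Batch-Fuzzing]
    runs-on: ubuntu-latest
    steps:
      - name: Generate Fuzzing Summary
        # Context values are handed to the script through env rather than
        # interpolated into it, so the shell never sees a `${{ }}` expansion.
        env:
          WORKFLOW_NAME: ${{ github.workflow }}
          TRIGGER: ${{ github.event_name }}
        run: |
          echo "# 🔍 ClusterFuzzLite Fuzzing Results" >> "$GITHUB_STEP_SUMMARY"
          echo "" >> "$GITHUB_STEP_SUMMARY"
          echo "**Workflow**: ${WORKFLOW_NAME}" >> "$GITHUB_STEP_SUMMARY"
          echo "**Trigger**: ${TRIGGER}" >> "$GITHUB_STEP_SUMMARY"
          echo "**Date**: $(date -u '+%Y-%m-%d %H:%M:%S UTC')" >> "$GITHUB_STEP_SUMMARY"
          echo "" >> "$GITHUB_STEP_SUMMARY"
          echo "## Sanitizers Used" >> "$GITHUB_STEP_SUMMARY"
          echo "- ✅ AddressSanitizer (ASan) - Memory safety issues" >> "$GITHUB_STEP_SUMMARY"
          echo "- ✅ UndefinedBehaviorSanitizer (UBSan) - Undefined behavior" >> "$GITHUB_STEP_SUMMARY"
          echo "" >> "$GITHUB_STEP_SUMMARY"
          echo "## Fuzz Targets" >> "$GITHUB_STEP_SUMMARY"
          echo "- \`fuzz_crypto\` - Cryptographic operations" >> "$GITHUB_STEP_SUMMARY"
          echo "- \`fuzz_fingerprint\` - Device fingerprinting" >> "$GITHUB_STEP_SUMMARY"
          echo "- \`fuzz_storage\` - Secure storage operations" >> "$GITHUB_STEP_SUMMARY"
          echo "" >> "$GITHUB_STEP_SUMMARY"
          echo "Check individual job logs for detailed results." >> "$GITHUB_STEP_SUMMARY"
          echo "" >> "$GITHUB_STEP_SUMMARY"
          # NOTE(review): no job in this workflow produces coverage; this line
          # only makes sense if coverage is generated by a separate workflow.
          echo "📊 View coverage reports in the artifacts." >> "$GITHUB_STEP_SUMMARY"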