Continuous fuzzing

DevSecOps
1

Continuous fuzzing reproducing problem

I am trying to learn how to implement Gitlab CI/CD into my company’s development process. I’ve tried to reproduce continuous fuzzing example from gitlab documentation. And I have a problem.

First attempt - simple fuzzing into CI/CD pipeline.

Here is my .gitlab-ci.yml

image: golang:latest

stages:
  - test
  - fuzz

format:
  stage: test
  script:
    - go fmt
    - go vet
    - go test -race ./...

include:
  - template: Coverage-Fuzzing.gitlab-ci.yml

sync_fuzzing:
  extends: .fuzz_base
  image: golang:latest
  script:
    - apt update && apt install -y clang
    - go get github.com/dvyukov/go-fuzz/go-fuzz-dep
    - go install github.com/dvyukov/go-fuzz/go-fuzz-build@latest
    - go-fuzz-build -libfuzzer -o my_fuzz_target.a .
    - clang -fsanitize=fuzzer my_fuzz_target.a -o my_fuzz_target
    - ./gitlab-cov-fuzz run --regression=$REGRESSION -- ./my_fuzz_target

In that way everything is OK.

Second attempt - implementing asynchronous fuzzing

Now repository has 2 branches: master and continuous_fuzzing. Both are on the same commit.

.gitlab-ci.yaml

image: golang:latest

stages:
  - test
  - fuzz

format:
  stage: test
  script:
    - go fmt
    - go vet
    - go test -race ./...

include:
  - template: SAST.gitlab-ci.yml

sync_fuzzing:
  variables:
    COVFUZZ_ADDITIONAL_ARGS: '-max_total_time=300'
  trigger:
    include: .covfuzz-ci.yml
    strategy: depend
  rules:
    - if: $CI_COMMIT_BRANCH != 'continuous_fuzzing' && $CI_PIPELINE_SOURCE != 'merge_request_event'

async_fuzzing:
  variables:
    COVFUZZ_ADDITIONAL_ARGS: '-max_total_time=3600'
  trigger:
    include: .covfuzz-ci.yml
  rules:
    - if: $CI_COMMIT_BRANCH == 'continuous_fuzzing' && $CI_PIPELINE_SOURCE != 'merge_request_event'

.covfuzz-ci.yml

stages:
  - fuzz

include:
  - template: Coverage-Fuzzing.gitlab-ci.yml
 
my_fuzz_target_a:
  extends: .fuzz_base
  image: golang:latest
  script:
    - apt update && apt install -y clang
    - go get github.com/dvyukov/go-fuzz/go-fuzz-dep
    - go install github.com/dvyukov/go-fuzz/go-fuzz-build@latest
    - env
    - go-fuzz-build -libfuzzer -o my_fuzz_target.a .
    - clang -fsanitize=fuzzer my_fuzz_target.a -o my_fuzz_target
    - ./gitlab-cov-fuzz run --regression=$REGRESSION -- ./my_fuzz_target

And here is the problem. When child pipeline is spawned, gitlab-cov-fuzz generating an error without any fuzz testing.

$ ./gitlab-cov-fuzz run --regression=$REGRESSION -- ./my_fuzz_target
[INFO] [2021-11-24T12:15:09Z] ▶ {"message":"401 Unauthorized"}
[ERRO] [2021-11-24T12:15:09Z] ▶ 401 Unauthorized

How can I fix it?