
Continuous Fuzzing Integration with Fuzzit #7509

Merged
merged 4 commits into from
Sep 23, 2019

Conversation

yevgenypats
Contributor

Please do not merge yet. This is work in progress.
The contribution was discussed in the mailing list with @htuch, @mattklein123.

Description:
This will introduce another platform (apart from oss) fuzz that will run the long-running fuzzers as well as will introduce "sanity fuzzers" that will run the accumulated corpus and crashes on every Pull-Request to detect bugs early-on in the development cycle.

Risk Level:
Low - as this will introduce only another step in CircleCI where the fuzzers will be uploaded to Fuzzit and the heavy lifting will be there.

Testing:
No code is added, just CI code in Circle.

Docs Changes:
Will be updated later.

Release Notes: None
[Optional Fixes #Issue] None
[Optional Deprecated:] None

@yevgenypats yevgenypats force-pushed the fuzzit_integration branch 4 times, most recently from 13d63ca to 206ec5f on July 9, 2019 18:35
ci/run_fuzzit.sh Outdated
export ENVOY_SRC_PATH=`pwd`
cd oss-fuzz
python infra/helper.py build_image --pull envoy
python infra/helper.py build_fuzzers --sanitizer=address envoy ${ENVOY_SRC_PATH}
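Review bot: the cd oss-fuzz on the second line is unchecked, so if the clone that precedes it failed or the directory is absent, both python infra/helper.py calls run against the wrong checkout. Suggest cd oss-fuzz || exit 1 (or set -e at the top of the script), and export ENVOY_SRC_PATH=$(pwd) rather than backticks, which nest poorly and are easy to misread.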
Member

One key issue here is build performance; if this takes a significant amount of time (which anecdotally it does from local runs), e.g. > 1 hour, it will become a CI bottleneck. Many of our CI jobs now benefit from Bazel caching and (in the future) RBE enablement, this one is going to be inherently stuck without this, since the oss-fuzz image doesn't have any plumbing for this. CC @lizan

Contributor Author

@htuch This is exactly what I'm trying to do; I just wanted to see if it works with the current oss-fuzz images. Anyway, I was able to compile the targets with bazel, for example

using bazel build //test/server:server_fuzz_test the build completes successfully, but it seems that it doesn't link against libFuzzer. What would be the right command to link it against libfuzzer (i.e. -fsanitize=fuzzer)? I don't want to use the oss docker, both to use the caching and also not to use the nested docker in Circle.

Member

Yeah, I'm afraid you're going to have to do some gnarly Bazel hacking to get it to link against libfuzzer under Bazel. We would be super appreciative of this work, but it will involve diving into https://github.com/envoyproxy/envoy/blob/master/bazel/envoy_test.bzl#L66 and figuring out how to cleanly offer both the corpus run (using the existing test driver) and a way to on the Bazel CLI configure a link against libfuzzer (and somehow getting libfuzzer included in the Envoy build).

Contributor Author

Thanks! I'll find the way to do that. I just wanted to make sure that I'm not doing double work and it's not implemented yet.

ci/run_fuzzit.sh Outdated
git clone https://github.com/google/oss-fuzz.git
export ENVOY_SRC_PATH=`pwd`
cd oss-fuzz
python infra/helper.py build_image --pull envoy
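Review bot: git clone https://github.com/google/oss-fuzz.git on the first line fetches whatever is at the head of oss-fuzz at the moment the job runs, so the CI result depends on an unpinned external repository and the image built from it is not reproducible from the Envoy commit alone. Suggest cloning with --depth 1 and checking out a recorded commit or tag that is bumped deliberately, so a change in oss-fuzz cannot silently alter what this job builds.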
Member

Are we doing nested Docker here? I.e. running oss-fuzz Docker build inside a CircleCI Docker env?

Contributor Author

I'm working on exactly this, to make it work not inside the oss-fuzz docker.

@yevgenypats
Contributor Author

@htuch Looks like I get some no-credits error at CircleCI? Any particular reason for this to happen? I can test my changes.

@htuch
Member

htuch commented Jul 16, 2019

@yevgenypats this is a general Envoy CI issue, we are working to resolve.

@htuch
Member

htuch commented Jul 16, 2019

/retest

@repokitteh-read-only

🔨 rebuilding ci/circleci: Build Error (failed build)

🐱

Caused by: a #7509 (comment) was created by @htuch.


@yevgenypats
Contributor Author

@htuch Thx. Just an update: looks like it works now. I'll update when the PR is ready for review. Should be soon. Cheers.

@yevgenypats yevgenypats force-pushed the fuzzit_integration branch 3 times, most recently from 59876ab to e1b1881 on July 17, 2019 07:56
ci/do_ci.sh Outdated
FUZZ_TEST_TARGETS="$(bazel query "attr('tags','fuzzer',${TEST_TARGETS})")"
echo "bazel ASAN libFuzzer build with fuzz tests ${FUZZ_TEST_TARGETS}"
echo "Building envoy fuzzers and executing 100 fuzz iterations..."
bazel_with_collection build ${BAZEL_BUILD_OPTIONS} --config=asan-fuzzer ${FUZZ_TEST_TARGETS} --test_arg="-runs=10"
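Review bot: --test_arg="-runs=10" on the last line is handed to bazel build, which never executes the targets, so the flag has no effect and should be dropped; the echo on the line before it also says "100 fuzz iterations" while the flag says 10, so whichever number this target really runs should be the one in the log message.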
Member

No need for --test_arg.

ci/do_ci.sh Outdated
FUZZ_TEST_TARGETS="$(bazel query "attr('tags','fuzzer',${TEST_TARGETS})")"
echo "bazel ASAN libFuzzer build with fuzz tests ${FUZZ_TEST_TARGETS}"
echo "Building envoy fuzzers and executing 100 fuzz iterations..."
bazel_with_collection build ${BAZEL_BUILD_OPTIONS} --config=asan-fuzzer ${FUZZ_TEST_TARGETS} --test_arg="-runs=10"
Member

ditto

@@ -12,6 +12,8 @@ jobs:
CI_TARGET: 'bazel.compile_time_options'
fuzz:
CI_TARGET: 'bazel.fuzz'
fuzzit:
CI_TARGET: 'bazel.fuzzit_regression'
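Review bot: the new fuzzit: matrix entry carries no comment saying when bazel.fuzzit_regression runs, whether it gates the PR, and how it differs from the bazel.fuzz entry directly above it; both entries build the same fuzz targets, so either add a comment next to CI_TARGET: 'bazel.fuzzit_regression' stating that it replays the Fuzzit corpus and previously fixed crashes, or fold the replay into the fuzz job so the targets are built once per PR.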
Member

Are you intending to do this in every PR? This doesn't provide anything in addition to bazel.fuzz above, does it?

Contributor Author

Yeah, I think it is, and this was one of the main reasons for integrating Fuzzit in addition to OSS-Fuzz. This downloads the current corpus + fixed crashes from the Fuzzit servers and runs the fuzzers through those test cases, which is stronger than just a run for 10 seconds with an empty corpus (which is fine, but that just checks whether the fuzzers compiled successfully).

Member

can we merge those two jobs into one?

Contributor Author

done

sudo service docker restart
displayName: "Enable IPv6"

- script: ci/run_envoy_docker.sh 'ci/do_ci.sh bazel.fuzzit_fuzzing'
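Review bot: the - script: ci/run_envoy_docker.sh 'ci/do_ci.sh bazel.fuzzit_fuzzing' step passes no FUZZIT_API_KEY, so the upload to Fuzzit cannot authenticate. Set the variable on the step from the pipeline secret (for example FUZZIT_API_KEY=$(FuzzitApiKey) in front of the script, or an env mapping on the step), forward it in ci/run_envoy_docker.sh, and have the script fail with a clear message when the variable is empty, since the secret is not available to builds of forked PRs.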
Member

Add the FUZZIT_API_KEY env (it can be FUZZIT_API_KEY=$(FuzzitApiKey) before ci/do_ci.sh, or env below) and propagate it in ci/run_envoy_docker.sh.

ci/do_ci.sh Outdated
setup_clang_toolchain
FUZZ_TEST_TARGETS="$(bazel query "attr('tags','fuzzer',${TEST_TARGETS})")"
echo "bazel ASAN libFuzzer build with fuzz tests ${FUZZ_TEST_TARGETS}"
echo "Building envoy fuzzers and executing 100 fuzz iterations..."
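Review bot: the echo "Building envoy fuzzers and executing 100 fuzz iterations..." line no longer describes what this target does once it replays the Fuzzit corpus rather than running a fixed number of iterations; update that message (and the "ASAN libFuzzer build" line above it) to say the fuzzers are built and run against the downloaded corpus and fixed crashes, so the CI log matches the behaviour.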
Member

Update the comment as well.

Contributor Author

done

@@ -12,6 +12,8 @@ jobs:
CI_TARGET: 'bazel.compile_time_options'
fuzz:
CI_TARGET: 'bazel.fuzz'
fuzzit:
CI_TARGET: 'bazel.fuzzit_regression'
Member

can we merge those two jobs into one?

@yevgenypats
Contributor Author

@lizan fixed the review:)

lizan
lizan previously approved these changes Sep 20, 2019
@lizan
Member

lizan commented Sep 20, 2019

@htuch?

@lizan lizan requested a review from htuch September 20, 2019 21:05
Member

@htuch htuch left a comment


/wait

@@ -53,3 +53,36 @@ jobs:
pathtoPublish: "$(Build.StagingDirectory)/envoy"
artifactName: $(CI_TARGET)
condition: always()

- job: fuzzit_fuzzing
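Review bot: the visible start of - job: fuzzit_fuzzing carries no comment explaining whether the job runs on every PR or only on pushes to master, and whether a failure blocks merge; because this job uploads built fuzzers to an external service, state the trigger in a source comment directly under the job name and, if it is meant only for master, encode that as a condition on the job the way the preceding job spells out condition: always() for its publish step, rather than relying on the default.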
Member

Can you add some comments here explaining when this runs? Does this happen on every PR, does it block PRs, is this contributing to the PR critical path on CI? I think this PR generally looks awesome, but this needs some clarification, preferably in source comments. Thanks!

Contributor Author

Done. As explained in the comments, there are two workflows:

  • Fuzzing - This will run on every push/merge to master, will build the fuzzers and will upload them to Fuzzit, where they will run asynchronously. This will ensure the latest version of the code is always being fuzzed and new bugs are found as new code is added.
  • Regression - This will run on every commit/PR and will run the fuzzers inline in the CI together with the corpus generated on Fuzzit as well as previously fixed crashes. This will ensure bugs are found BEFORE merge.
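One way to implement the regression replay described above, as an added example that is not part of this PR or of Envoy's ci/ scripts: every libFuzzer binary is run once over the fetched corpus and over the previously fixed crashes, and the job fails if any input still reproduces. It assumes the fuzzers accept "-runs=0 <dir>" (libFuzzer replays each file in the directory once, without mutation, and exits non-zero on a crash or sanitizer report) and a constructed directory layout; fetching the directories from Fuzzit is not shown.

```shell
#!/bin/bash
# Added example (not from the Envoy PR): replay the Fuzzit corpus and the
# previously fixed crashes through each fuzzer so a PR fails before merge
# if any input reproduces. Assumed: libFuzzer-style binaries that accept
# "-runs=0 <dir>" and exit non-zero on a crash or sanitizer report.
set -u

# regression_replay <fuzzer> <dir>...
# Returns 0 when every input passed, 1 when the fuzzer reported a crash.
regression_replay() {
  local fuzzer="$1"
  local dir rc=0
  shift
  for dir in "$@"; do
    [ -d "$dir" ] || continue    # a missing directory is not a failure
    if ! "$fuzzer" -runs=0 "$dir" >/dev/null 2>&1; then
      echo "regression: $(basename "$fuzzer") reproduced a crash from $dir" >&2
      rc=1
    fi
  done
  return "$rc"
}

# regression_all <fuzzer-dir> <artifacts-dir>
# Assumed (constructed) layout: one executable per fuzzer in <fuzzer-dir>,
# with <artifacts-dir>/<name>/corpus and <artifacts-dir>/<name>/fixed-crashes.
# Every fuzzer is run even after a failure so the log lists all regressions.
regression_all() {
  local fuzzdir="$1" artifacts="$2"
  local failed=0 f name
  for f in "$fuzzdir"/*; do
    [ -x "$f" ] || continue
    name=$(basename "$f")
    regression_replay "$f" "$artifacts/$name/corpus" \
      "$artifacts/$name/fixed-crashes" || failed=$((failed + 1))
  done
  echo "regression: $failed fuzzer(s) reproduced a crash" >&2
  [ "$failed" -eq 0 ]
}

# Usage: regression.sh <fuzzer-dir> <artifacts-dir>; exits non-zero on any regression.
if [ "$#" -eq 2 ]; then
  regression_all "$1" "$2"
fi
```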

Signed-off-by: Yevgeny Pats <[email protected]>
@yevgenypats
Contributor Author

@yevgenypats
Contributor Author

/retest

@repokitteh-read-only

🔨 rebuilding ci/circleci: docs (failed build)

🐱

Caused by: a #7509 (comment) was created by @yevgenypats.


@yevgenypats
Contributor Author

@htuch passing!:)

Member

@htuch htuch left a comment


Thanks @yevgenypats. Appreciate your patience and work on iterating to find the best fit with Envoy CI and fuzzing. Also thanks @lizan for all the help with the CI aspects.

@htuch htuch merged commit bbae4a7 into envoyproxy:master Sep 23, 2019
@yevgenypats
Contributor Author

@htuch @lizan sure thing, thank you! and feel free to ping me if there are any issues/changes you need.

Also, @lizan, are you sure the FUZZIT_API_KEY is available? I see that the script didn't find it (I couldn't check it before merge, as this environment variable is not available for forked PRs).

Also, it looks like there are some crashes already: https://app.fuzzit.dev/orgs/envoyproxy/dashboard

and of course feel free to RT https://twitter.com/fuzzitdev/status/1176246876821217283

Thanks!

@htuch
Member

htuch commented Sep 23, 2019

@yevgenypats are these crashes limited in visibility? We would like to maintain an embargo on any zero days and only have https://github.com/google/oss-fuzz/blob/master/projects/envoy/project.yaml#L3 see these.

@yevgenypats
Contributor Author

@htuch Yes, of course, like we discussed. Currently only @lizan has access. I can add you to the email notifications, but you need to sign up at https://app.fuzzit.dev so I can add you to the envoy account, so you will have access to the crashes and other data.

@lizan
Member

lizan commented Sep 23, 2019

I set the API key just now; it should be fixed in future builds.

@yevgenypats
Contributor Author

yevgenypats commented Sep 23, 2019 via email

@lizan
Member

lizan commented Sep 24, 2019

@yevgenypats now it is failing with

+ ./fuzzit create target --skip-if-exists --public-corpus envoyproxy/access-log-formatter
2019/09/23 23:20:23 Creating target...
2019/09/23 23:20:23 target can only contain lowercase characetrs, numbers and hypens

danzh2010 pushed a commit to danzh2010/envoy that referenced this pull request Sep 24, 2019
This will introduce another platform (apart from oss) fuzz that will run the long-running fuzzers as well as will introduce "sanity fuzzers" that will run the accumulated corpus and crashes on every Pull-Request to detect bugs early-on in the development cycle.

Risk Level: Low - as this will introduce only another step in CircleCI where the fuzzers will be uploaded to Fuzzit and the heavy lifting will be there.

Testing: No code is added just a CI code in Circle

Signed-off-by: Yevgeny Pats <[email protected]>
danzh2010 pushed a commit to danzh2010/envoy that referenced this pull request Oct 4, 2019
danzh2010 pushed a commit to danzh2010/envoy that referenced this pull request Oct 4, 2019