Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

BUG: remove recurring fuzzer in Fuzzing results #2060

Closed
laurentsimon opened this issue Jul 14, 2022 · 6 comments
Closed

BUG: remove recurring fuzzer in Fuzzing results #2060

laurentsimon opened this issue Jul 14, 2022 · 6 comments
Labels
kind/bug Something isn't working

Comments

@laurentsimon
Copy link
Contributor

see curl -s https://ossfscorecard.dev/v2/github.com/ossf/scorecard/result.json | jq

project is fuzzed with [OSSFuzz GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer ...

We need to show a single GoBuiltInFuzzer.

@aidenwang9867 assigning to you.
@laurentsimon laurentsimon added the kind/bug Something isn't working label Jul 14, 2022
@aidenwang9867
Copy link
Contributor

np, i think this bug was introduced by me in the early fuzzing pr :/

@aidenwang9867
Copy link
Contributor

aidenwang9867 commented Jul 15, 2022
edited

In the fuzzer recording for-loop in func raw.checkFuzzFunc, fuzzers of each programming language will be reported only once along with its files (indicating those fuzzer positions) when the returned usingFuzzFunc is true, suggesting fuzzers are found for this language.

I also pulled the latest scorecard commit and ran the CLI go run . --repo ossf-tests/scorecard-check-fuzzing-golang --checks Fuzzing --format json --show-details | jq on the e2e test repo ossf-tests/scorecard-check-fuzzing-golang, where multiple go func fuzzers are defined.

It is expected to return a single GoBuildInFuzzer along with multiple fuzzer entries - and the result seems fine.
Did I miss anything?

Here's the result:

{
  "date": "2022-07-15",
  "repo": {
    "name": "github.com/ossf-tests/scorecard-check-fuzzing-golang",
    "commit": "57388033a028da894848b74816dcc0d6fcdc8a7a"
  },
  "scorecard": {
    "version": "(devel)",
    "commit": "unknown"
  },
  "score": 10,
  "checks": [
    {
      "details": [
        "Info: func FuzzReverse1(f *testing.F): reverse_test.go:24",
        "Info: func FuzzReverse2(f *testing.F): reverse_test.go:41"
      ],
      "score": 10,
      "reason": "project is fuzzed with [GoBuiltInFuzzer]",
      "name": "Fuzzing",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#fuzzing",
        "short": "Determines if the project uses fuzzing."
      }
    }
  ],
  "metadata": null
}

@laurentsimon
Copy link
Contributor Author

laurentsimon commented Jul 15, 2022
edited

maybe the curl results above is using an older version then? Hers's what it shows:

"reason": "project is fuzzed with [OSSFuzz GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer]",
      "details": [
        "Info: func FuzzSomething (fOo_bAR_1234 *testing.F): checks/raw/fuzzing_test.go:179",
        "Info: func FuzzSomething (fOo_bAR_1234 *testing.F): checks/raw/fuzzing_test.go:179",

A giant array of GoBuiltInFuzzer

@aidenwang9867
Copy link
Contributor

aidenwang9867 commented Jul 15, 2022
edited

maybe the curl results above is using an older version then? Hers's what it shows:

"reason": "project is fuzzed with [OSSFuzz GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer GoBuiltInFuzzer]",
      "details": [
        "Info: func FuzzSomething (fOo_bAR_1234 *testing.F): checks/raw/fuzzing_test.go:179",
        "Info: func FuzzSomething (fOo_bAR_1234 *testing.F): checks/raw/fuzzing_test.go:179",

A giant array of GoBuiltInFuzzer

Ah, there's a hell lot of go fuzzers :/

I don't know which version it uses, but I haven't modified the main logic of checkFuzzFunc after PR #1979. In the result, it seems in raw.Fuzzing, the checkFuzzFunc was called several times - but this shouldn't have been possible since I only define it to be called once.

A possible reason might be the ListProgrammingLanguages() API reports multiple "Go"s as the prominent language (something of the GitHub ListLangauge API is malfunctioning I guess?). Maybe I should drop the language duplicates before checking their fuzzers?

@aidenwang9867 aidenwang9867 mentioned this issue Jul 15, 2022
Closed
@laurentsimon
Copy link
Contributor Author

/cc @naveensrinivasan

Closing this issue because the scorecard LCI does not have this problem, so it must be in the way the data was dumped. Thanks @aidenwang9867 for checking!

@aidenwang9867
Copy link
Contributor

aidenwang9867 commented Jul 15, 2022
edited

/cc @naveensrinivasan

Closing this issue because the scorecard LCI does not have this problem, so it must be in the way the data was dumped. Thanks @aidenwang9867 for checking!

Awesome! Thank you for bringing this issue up, but I'm still kind of suspicious on whether the GitHub List Langs API will give us duplicated language entries.

This was referenced Jul 27, 2022
Closed
Closed
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
kind/bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@aidenwang9867 @laurentsimon