Add ClusterFuzzLite integration for OSSF scorecard fuzzing#4951
Conversation
Walkthrough
Adds ClusterFuzzLite fuzzing integration to improve the OSSF scorecard fuzzing score. Two new Atheris fuzz targets fuzz Slack formatting utilities and QueryParser by injecting fuzzed data, stubbing dependencies, and instrumenting imports. A build script packages both targets as executable runners with dependencies, and a GitHub Actions workflow runs fuzzing on push/PR/schedule and uploads SARIF to Code Scanning.
Changes: ClusterFuzzLite Fuzzing Setup
Force-pushed from 01b7cd8 to c72f199.
Actionable comments posted: 3
Inline comments:
In @.clusterfuzzlite/build.sh:
- Line 3: Replace the floating package versions in the pip install command with
pinned versions to ensure reproducible fuzzing behavior and prevent CI breakage
from upstream releases. Update the pip install statement to specify explicit
versions for atheris, lxml, requests, and pyyaml, using the same versions that
are defined in backend/pyproject.toml for consistency across the project.
In @.github/workflows/clusterfuzzlite.yml:
- Line 23: The fork-filter condition on the `if:` statement is checking the
wrong event field. Currently it checks `github.event.repository.fork` which
evaluates whether the base repository is a fork, not whether the PR originates
from a fork. Replace `github.event.repository.fork` with
`github.event.pull_request.head.repo.fork` to correctly identify and skip jobs
triggered by pull requests originating from forks, which will prevent permission
failures and unwanted SARIF uploads.
In @backend/tests/fuzz/fuzz_nest_test.py:
- Around line 53-59: The fuzzer entrypoint is catching all exceptions with a
bare except Exception clause around the calls to escape, format_links_for_slack,
and strip_markdown, which prevents the fuzzer from detecting real defects in
these functions. Remove the try-except block entirely so that any exceptions
(including crashes indicating bugs) propagate and are caught by the fuzzer,
allowing it to surface genuine defects in the target functions.
Files selected for processing (4):
- .clusterfuzzlite/build.sh
- .github/workflows/clusterfuzzlite.yml
- backend/tests/fuzz/fuzz_nest_test.py
- cspell/custom-dict.txt
4 issues found and verified against the latest diff
Confidence score: 3/5
- In .github/workflows/clusterfuzzlite.yml, the fork check uses github.event.repository.fork, which can misclassify PR origin and run ClusterFuzzLite under the wrong conditions; merging as-is risks either skipped fuzzing on valid PRs or an unsafe execution context. Switch to the pull_request head-repo fork field before merging.
- In backend/tests/fuzz/fuzz_nest_test.py, the catch-all exception handler hides real fuzz crashes, so ClusterFuzzLite may report green while defects are still present. Remove the blanket except and let unexpected exceptions fail the job.
- In backend/tests/fuzz/fuzz_nest_test.py, manual module loading may bypass Atheris instrumentation, reducing coverage signal and missing reachable bugs. Use normal imports or explicitly instrument loaded functions so fuzz feedback is reliable.
- In .clusterfuzzlite/build.sh, unpinned installs (atheris lxml requests pyyaml) make fuzz runs non-reproducible and vulnerable to upstream breakage, which can cause flaky CI and inconsistent findings. Pin dependency versions before merge to stabilize results.
Force-pushed from c72f199 to c8cb345.
Force-pushed from c8cb345 to 5391590.
Force-pushed from 5391590 to b81c5e4.
Codecov Report
All modified and coverable lines are covered by tests.
Coverage diff (main vs. #4951):
            main    #4951   +/-
Coverage    98.74%  98.74%
Files       538     539     +1
Lines       17068   17070   +2
Branches    2421    2421
Hits        16853   16855   +2
Misses      123     123
Partials    92      92
Hey @arkid15r, have a look at this.
Force-pushed from b81c5e4 to 1d7161f.
Actionable comments posted: 3
Inline comments:
In @.clusterfuzzlite/build.sh:
- Line 3: The pip install command in the build.sh file contains version numbers
for lxml and requests that do not match the versions specified in
backend/pyproject.toml, creating potential runtime incompatibilities between the
fuzzing and production environments. Update the lxml version from 6.1.1 to 6.1.0
and the requests version from 2.34.2 to 2.33.1 in the pip install statement to
align with the backend/pyproject.toml specifications. The atheris, pyyaml, and
pyparsing versions are already correct and do not need changes.
In @.github/workflows/clusterfuzzlite.yml:
- Around line 24-26: Add brief explanatory comments to the permissions section
in the clusterfuzzlite.yml workflow file. For the contents permission, add a
comment explaining it is needed to check out the repository code. For the
security-events permission, add a comment explaining it is required to upload
SARIF reports to Code Scanning. These comments should clarify the security
rationale for granting each permission.
In @backend/tests/fuzz/fuzz_nest_test.py:
- Around line 14-38: In the _load_format_module() function, the next() call on
line 22 lacks error handling and will raise StopIteration if the required
format.py file is not found in sys.path. Add a default value to the next() call
or wrap it in a try-except block to catch StopIteration and raise a more
informative error message that clearly indicates the file path that could not be
located in sys.path, helping with debugging when the fuzzer fails to start.
Files selected for processing (6):
- .clusterfuzzlite/build.sh
- .clusterfuzzlite/project.yaml
- .github/workflows/clusterfuzzlite.yml
- backend/tests/fuzz/fuzz_nest_test.py
- backend/tests/fuzz/fuzz_query_parser_test.py
- cspell/custom-dict.txt
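Added example, not code from this PR, that puts the two harness findings from the reviews above side by side: the catch-all except flagged in the earlier CodeRabbit review and the unguarded next() in _load_format_module flagged here. fake_strip_markdown and locate_module are constructed stand-ins for illustration, not the project's functions; atheris is imported optionally so the harness logic also runs outside the builder image.

```python
import sys
from pathlib import Path

try:
    import atheris  # present in ClusterFuzzLite's base-builder-python image
except ImportError:  # harness logic below still runs without it
    atheris = None


def fake_strip_markdown(text):
    """Constructed stand-in for the Slack helper under test; carries a latent bug."""
    if text == "*":
        return text[1]  # IndexError: exactly the kind of crash the fuzzer must see
    return text.strip("*_`")


def locate_module(relative_path, search_roots=None):
    """Look up a file under sys.path; next() with a default replaces a bare StopIteration."""
    roots = list(sys.path if search_roots is None else search_roots)
    candidates = (Path(r) / relative_path for r in roots)
    found = next((p for p in candidates if p.is_file()), None)
    if found is None:
        raise FileNotFoundError(f"{relative_path} not found under any of: {roots}")
    return found


def fuzz_one_input_catch_all(data):
    """Rejected pattern from the review: every exception is swallowed, the run stays green."""
    try:
        fake_strip_markdown(data.decode("utf-8", errors="replace"))
    except Exception:
        pass
    return "green"


def fuzz_one_input_strict(data):
    """Requested pattern: only the one expected exception is handled, all others propagate."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return "skipped"  # malformed UTF-8 is not a defect in the formatting helpers
    fake_strip_markdown(text)
    return "ok"


if __name__ == "__main__" and atheris is not None:
    atheris.instrument_all()  # instrument after imports so coverage feedback reaches the target
    atheris.Setup(sys.argv, fuzz_one_input_strict)
    atheris.Fuzz()
```

Run under atheris, the strict entry point turns the lone "*" input into a reported crash, while the catch-all version would keep the job green.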
Force-pushed from 1d7161f to 10ac346.
push:
  branches:
    - main
I removed push to main trigger recently from CI/CD. Check other CI/CD jobs triggers for consistency.
Done, removed the push-to-main trigger. Aligned with other workflows.
Force-pushed from 10ac346 to 352d19c.
Actionable comments posted: 1
Inline comments:
In @.clusterfuzzlite/build.sh:
- Line 3: The pip install command in build.sh currently only installs atheris,
but the fuzz targets have unresolved runtime dependencies. Modify the pip
install line to include all required packages: atheris, pyparsing (needed by
QueryParser imported in fuzz_query_parser_test.py), and requests, pyyaml, lxml
(needed by format.py imported in fuzz_nest_test.py). Update the single pip
install atheris command to install all these packages together in one pip
install statement.
Files selected for processing (6):
- .clusterfuzzlite/build.sh
- .clusterfuzzlite/project.yaml
- .github/workflows/clusterfuzzlite.yml
- backend/tests/fuzz/fuzz_nest_test.py
- backend/tests/fuzz/fuzz_query_parser_test.py
- cspell/custom-dict.txt
Force-pushed from 352d19c to 774c2c7.
♻️ Duplicate comments (2)
.clusterfuzzlite/build.sh (1)
3-3: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win: Install fuzz target runtime dependencies in the build image.
Only installing atheris makes this target setup fragile; if transitive packages are absent in the builder image, fuzzers fail at import time and never execute target code.
Suggested fix:
-pip install atheris
+pip install atheris pyparsing requests pyyaml lxml
Script used to check the imports:
#!/bin/bash
set -euo pipefail
echo "=== build.sh install line ==="
nl -ba .clusterfuzzlite/build.sh | sed -n '1,12p'
echo
echo "=== QueryParser imports (runtime deps) ==="
nl -ba backend/apps/common/search/query_parser.py | sed -n '1,160p' | rg -n '^\s*[0-9]+\s+(from|import)\s+'
echo
echo "=== Slack format module imports (runtime deps) ==="
nl -ba backend/apps/slack/utils/format.py | sed -n '1,200p' | rg -n '^\s*[0-9]+\s+(from|import)\s+'
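Review bot: the suggested `pip install atheris pyparsing requests pyyaml lxml` line still leaves every package unpinned, which the first review on this thread flagged as a reproducibility and CI-breakage risk; pin each package to the version used in backend/pyproject.toml in the same change, so the dependency list is not fixed twice.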
.github/workflows/clusterfuzzlite.yml (1)
20-20: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win: Use PR head-repo fork status in the job gate.
This condition checks whether the base repo is a fork, not whether the PR comes from a fork. Use the pull request head repo flag instead.
Suggested fix:
- if: github.event.repository.fork == false
+ if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false
Verification question: For GitHub Actions pull_request events, does `github.event.repository.fork` represent the base repository, and is `github.event.pull_request.head.repo.fork` the correct field to detect PRs from forks?
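Review bot: the suggested condition skips the whole job for fork PRs, so the fuzzers never run on external contributions; since only the SARIF upload needs the `security-events` permission, consider moving the head-repo fork check onto the upload step and letting the build and fuzz steps run on every pull_request, with `github.event_name != 'pull_request'` still covering the schedule trigger.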
Files selected for processing (6):
- .clusterfuzzlite/build.sh
- .clusterfuzzlite/project.yaml
- .github/workflows/clusterfuzzlite.yml
- backend/tests/fuzz/fuzz_nest_test.py
- backend/tests/fuzz/fuzz_query_parser_test.py
- cspell/custom-dict.txt
I will take a look at this.
Force-pushed from e9b29b6 to df1fffd.
Force-pushed from df1fffd to 18884c5.
Hi @arkid15r, can you take a look at this? Only SonarCloud is failing, I think, on the Dockerfile COPY as a hotspot. I am unable to mark it as safe.
3 issues found across 35 files (changes from recent commits).
0 issues found across 2 files (changes from recent commits).
Requires human review: Auto-approval blocked by 3 unresolved issues from previous reviews.
Thanks for the help, really appreciate that.
Resolves #4934
Proposed change
These are two fuzz targets:
Both targets I have verified inside the base-builder-python Docker image.
Checklist
make check-test locally: all warnings addressed, tests passed