Skip to content

feat(fuzz): add GitLab fuzzing infra setup #586

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
edznux-dd wants to merge 1 commit into from
Closed

feat(fuzz): add GitLab fuzzing infra setup #586

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions .gitlab-ci.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,7 @@ stages:
- integration-test
- reliability
- benchmarks
- fuzz
- notify

# Detects newer images in registry and creates GitHub PR with updates
Expand Down Expand Up @@ -162,3 +163,4 @@ include:
- local: .gitlab/reliability/.gitlab-ci.yml
- local: .gitlab/dd-trace-integration/.gitlab-ci.yml
- local: .gitlab/sanitizer-tests/.gitlab-ci.yml
- local: .gitlab/fuzzing/.gitlab-ci.yml
32 changes: 32 additions & 0 deletions .gitlab/fuzzing/.gitlab-ci.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,32 @@
variables:
FUZZ_IMAGE: registry.ddbuild.io/java-profiler-fuzz
FUZZYDOG_VERSION: "0.28.0"
BUILD_IMAGE: ${BUILD_IMAGE_X64}

fuzz_infra:
needs: []
extends: .retry-config
image: registry.ddbuild.io/images/docker:27.3.1
tags: ["arch:amd64"]
stage: fuzz
timeout: 30m
allow_failure: true
id_tokens:
DDSIGN_ID_TOKEN:
aud: image-integrity
rules:
- if: $NIGHTLY_BUILD == "true"
- when: manual
before_script:
- apt-get update -qq && apt-get install -y -qq curl unzip jq
- >-
curl -fsSL "https://binaries.ddbuild.io/fuzzing/fuzzydog/${FUZZYDOG_VERSION}/fuzzydog-tar.tar.gz"
| tar -xz -C /usr/local/bin fuzzydog-linux-amd64 &&
mv /usr/local/bin/fuzzydog-linux-amd64 /usr/local/bin/fuzzydog
- >-
curl -fsSL "https://releases.hashicorp.com/vault/1.21.1/vault_1.21.1_linux_amd64.zip"
-o /tmp/vault.zip &&
unzip -o /tmp/vault.zip -d /usr/local/bin vault &&
rm /tmp/vault.zip
script:
- .gitlab/scripts/fuzz_infra.sh
50 changes: 50 additions & 0 deletions .gitlab/scripts/fuzz_infra.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,50 @@
#!/usr/bin/env bash
set -euo pipefail

FUZZ_IMAGE="${FUZZ_IMAGE:-registry.ddbuild.io/java-profiler-fuzz}"
GIT_SHA="${CI_COMMIT_SHORT_SHA:-$(git rev-parse --short HEAD)}"

export FUZZYDOG_AUTH_TOKEN
FUZZYDOG_AUTH_TOKEN=$(vault read -field=token identity/oidc/token/security-fuzzing-platform)

# Build and push the compiled image (all fuzz binaries + fuzzydog)
docker buildx build \
--target build \
-f docker/Dockerfile.fuzz \
--build-arg "BUILD_IMAGE=${BUILD_IMAGE}" \
--build-arg "FUZZYDOG_VERSION=${FUZZYDOG_VERSION}" \
-t "${FUZZ_IMAGE}:${GIT_SHA}" \
--push \
--metadata-file compiled-metadata.json \
.

COMPILED_DIGEST=$(jq -r '."containerimage.digest"' compiled-metadata.json)

# Extract binary list from the compiled image
mkdir -p manifest-out
docker run --rm "${FUZZ_IMAGE}@${COMPILED_DIGEST}" cat /fuzz_binaries.txt > manifest-out/fuzz_binaries.txt

# For each binary: build thin per-binary image, sign, replicate, register
while IFS= read -r binary; do
[ -z "${binary}" ] && continue
IMAGE_REF="${FUZZ_IMAGE}:${GIT_SHA}-${binary}"

printf 'FROM %s@%s\nENV FUZZ_APP=%s\nENV FUZZ_BUILD_ID=%s\n' \
"${FUZZ_IMAGE}" "${COMPILED_DIGEST}" "${binary}" "${GIT_SHA}" \
| docker buildx build - \
-t "${IMAGE_REF}" \
--push \
--metadata-file "meta-${binary}.json"

ddsign sign "${IMAGE_REF}" --docker-metadata-file "meta-${binary}.json"
ddsign replicate --to us1.ddbuild.io \
"${FUZZ_IMAGE}@$(jq -r '."containerimage.digest"' "meta-${binary}.json")"

fuzzydog fuzzer create "${binary}" \
--image "${IMAGE_REF}" \
--version "${GIT_SHA}" \
--type libfuzzer \
--team profiling \
--slack-channel profiling-java \
--repository-url https://github.com/DataDog/java-profiler
done < manifest-out/fuzz_binaries.txt
34 changes: 34 additions & 0 deletions docker/Dockerfile.fuzz
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,34 @@
ARG BUILD_IMAGE

FROM ${BUILD_IMAGE} AS build

ARG FUZZYDOG_VERSION=0.27.1

ENV JAVA_HOME=/root/.sdkman/candidates/java/current
ENV PATH=$JAVA_HOME/bin:$PATH

WORKDIR /src
COPY . .

RUN ./gradlew :ddprof-lib:fuzz:linkFuzz_dwarf \
:ddprof-lib:fuzz:linkFuzz_arguments \
:ddprof-lib:fuzz:linkFuzz_buffer \
:ddprof-lib:fuzz:linkFuzz_elf \
:ddprof-lib:fuzz:linkFuzz_stringDictionary \
--no-daemon

RUN mkdir -p /fuzzer/builds && \
find ddprof-lib/fuzz/build/bin/fuzz -maxdepth 2 -type f -executable \
-exec cp {} /fuzzer/builds/ \; && \
ls /fuzzer/builds/ > /fuzz_binaries.txt

RUN curl -fsSL "https://binaries.ddbuild.io/fuzzing/fuzzydog/${FUZZYDOG_VERSION}/fuzzydog-tar.tar.gz" \
| tar -xz -C /usr/local/bin fuzzydog-linux-amd64 && \
mv /usr/local/bin/fuzzydog-linux-amd64 /usr/local/bin/fuzzydog

CMD fuzzydog fuzzer run "$FUZZ_APP" "$FUZZ_BUILD_ID" \
--type libfuzzer \
--team profiling \
--build-path /fuzzer/builds/ \
--skip-dl-build \
--repository-url https://github.com/DataDog/java-profiler
Loading