Skip to content

✨ Support multiple fuzz configs per language; add Python Hypothesis#4957

Open
Fieldnote-Echo wants to merge 5 commits intoossf:mainfrom
Fieldnote-Echo:feat/python-hypothesis-detection
Open

✨ Support multiple fuzz configs per language; add Python Hypothesis#4957
Fieldnote-Echo wants to merge 5 commits intoossf:mainfrom
Fieldnote-Echo:feat/python-hypothesis-detection

Conversation

@Fieldnote-Echo
Copy link

@Fieldnote-Echo Fieldnote-Echo commented Mar 2, 2026

What kind of change does this PR introduce?

Refactors the language fuzzer detection to support multiple fuzzer configs per language, then adds Python Hypothesis (property-based testing) detection alongside existing Atheris detection.

What is the current behavior?

languageFuzzSpecs maps one languageFuzzConfig per language. Python projects using Hypothesis — the dominant Python property-based testing library — receive 0/10 on the Fuzzing check because only Atheris is detected.

What is the new behavior (if this is a feature change)?

  • languageFuzzSpecs now maps to []languageFuzzConfig (slice), supporting multiple fuzzer configs per language
  • Python Hypothesis detection added via (from|import)\s+hypothesis\b regex (word-boundary anchored to prevent false positives from hypothesis-prefixed packages like hypothesis_auto)
  • Existing Atheris detection unchanged (backwards compatible)
  • checkFuzzFunc refactored to accept a config directly; Fuzzing() iterates configs per language
  • Both Atheris and Hypothesis can be detected simultaneously for projects using both

The multi-config refactor is the infrastructure contribution — it unblocks any future "add a second fuzzer for language X" PR without further refactoring.

  • Tests for the changes have been added (for bug fixes/features)

Which issue(s) this PR fixes

Fixes #4549

Special notes for your reviewer

The checkFuzzFunc signature change from (c, lang) to (c, config) touches the call path for every language. All existing language test cases (Go, Haskell, Erlang, Elixir, Gleam, JavaScript, TypeScript, C#, F#) continue to pass after the refactor — 55 tests total, 0 regressions.

New test cases cover: from hypothesis import, import hypothesis, from hypothesis.strategies import (submodule), Atheris backwards compatibility, no-match negative case, hypothesis_auto false-positive prevention (word boundary), and dual Atheris+Hypothesis detection in the same file.

Does this PR introduce a user-facing change?

Support detection of fuzzing in Python through the import of the Hypothesis property-based testing framework. Also refactors language fuzzer detection to support multiple fuzzer configurations per language.

@Fieldnote-Echo
✨ Add PropertyBasedPython fuzzer constant
9a585bc 
Adds the string constant for Python property-based testing detection,
following the naming convention of PropertyBasedHaskell,
PropertyBasedElixir, etc.

Signed-off-by: Fieldnote-Echo <nelson@projectnavi.ai>
@Fieldnote-Echo
✨ Support multiple fuzz configs per language; add Python Hypothesis
0c5fb12 
Changes languageFuzzSpecs from map[LanguageName]languageFuzzConfig to
map[LanguageName][]languageFuzzConfig, enabling detection of multiple
fuzzing tools for a single language.

Refactors checkFuzzFunc to accept a config directly, and updates
Fuzzing() to iterate over all configs for each prominent language.

Adds Python Hypothesis (property-based testing) detection alongside
existing Atheris detection. Uses word-boundary anchor to prevent
false positives from hypothesis-prefixed packages.

Fixes ossf#4549

Signed-off-by: Fieldnote-Echo <nelson@projectnavi.ai>
@Fieldnote-Echo
✅ Update tests for multi-config map; add Hypothesis cases
304531f 
Adapts Test_fuzzFileAndFuncMatchPattern and Test_checkFuzzFunc for the
new []languageFuzzConfig slice type.

Adds test cases for Python Hypothesis detection:
- from hypothesis import (from import)
- import hypothesis (direct import)
- from hypothesis.strategies import (submodule import)
- import atheris (Atheris still works)
- import pytest (no fuzzing, negative case)
- from hypothesis_auto import (prefix false positive, negative case)
- import atheris + from hypothesis import (dual detection)

All existing language test cases (Go, Haskell, Erlang, Elixir, Gleam,
JavaScript, TypeScript, C#, F#) continue to pass.

Signed-off-by: Fieldnote-Echo <nelson@projectnavi.ai>
@Fieldnote-Echo
📖 Add Hypothesis to supported fuzzers list
bef2cb8 
Signed-off-by: Fieldnote-Echo <nelson@projectnavi.ai>
@Fieldnote-Echo Fieldnote-Echo requested a review from a team as a code owner March 2, 2026 10:16
@Fieldnote-Echo Fieldnote-Echo requested review from jeffmendoza and justaugustus and removed request for a team March 2, 2026 10:16
@dosubot dosubot bot added the size:L This PR changes 100-499 lines, ignoring generated files. label Mar 2, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@justaugustus justaugustus Awaiting requested review from justaugustus justaugustus is a code owner automatically assigned from ossf/scorecard-maintainers

@jeffmendoza jeffmendoza Awaiting requested review from jeffmendoza jeffmendoza is a code owner automatically assigned from ossf/scorecard-maintainers

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

size:L This PR changes 100-499 lines, ignoring generated files.

Projects

OpenSSF Scorecard
Status: No status

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Add HypothesisWorks/hypothesis as a fuzzer

1 participant

@Fieldnote-Echo