Add simple, new auto-vex reachability: Emit OpenVEX vulnerable_code_n… #32
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Copyright (c) 2025 Erick Bourgeois, firestoned | |
| # SPDX-License-Identifier: Apache-2.0 | |
| # | |
| # Short-duration fuzzing of 5-Spot's string parsers on every PR and push. | |
| # | |
| # Each target runs for 60 seconds against libFuzzer via cargo-fuzz. This is a | |
| # credible smoke-fuzz, not continuous fuzzing — the Scorecard FuzzingID check | |
| # only requires that some fuzzing infrastructure exists; follow-up work is | |
| # tracked in ~/dev/roadmaps/5spot-code-scanning-remediation.md § Phase 8 to | |
| # integrate with OSS-Fuzz for continuous coverage. | |
| # | |
| # Requires nightly Rust (libfuzzer-sys uses nightly-only build-script hooks). | |
| name: Fuzz | |
| on: | |
| pull_request: | |
| branches: | |
| - main | |
| paths: | |
| - 'src/**/*.rs' | |
| - 'Cargo.toml' | |
| - 'Cargo.lock' | |
| - 'fuzz/**' | |
| - '.github/workflows/fuzz.yaml' | |
| push: | |
| branches: | |
| - main | |
| paths: | |
| - 'src/**/*.rs' | |
| - 'Cargo.toml' | |
| - 'Cargo.lock' | |
| - 'fuzz/**' | |
| - '.github/workflows/fuzz.yaml' | |
| permissions: | |
| contents: read | |
| env: | |
| # Override the cross-compilation linkers set in .cargo/config.toml. | |
| # cargo-fuzz builds with --target x86_64-unknown-linux-gnu, which picks up | |
| # the macOS cross-compiler setting in .cargo/config.toml — that tool is | |
| # not on Linux CI runners, so builds fail with | |
| # `linker x86_64-unknown-linux-gnu-gcc not found`. `cc` is the native GCC. | |
| CARGO_TARGET_X86_64_UNKNOWN_LINUX_GNU_LINKER: cc | |
| CARGO_TARGET_AARCH64_UNKNOWN_LINUX_GNU_LINKER: cc | |
| jobs: | |
| fuzz: | |
| name: 🎲 Fuzz ${{ matrix.target }} | |
| runs-on: ubuntu-latest | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| target: | |
| - parse_duration | |
| - parse_day_ranges | |
| - parse_hour_ranges | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| - name: Install nightly Rust toolchain | |
| uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable (moving ref — re-pin quarterly) | |
| with: | |
| toolchain: nightly | |
| - name: Install cargo-fuzz | |
| run: cargo install cargo-fuzz --locked | |
| - name: Cache cargo dependencies | |
| uses: firestoned/github-actions/rust/cache-cargo@53b483254bc648903c364ee3c73a546d0936a91e # v1.3.6 | |
| - name: Run fuzz target (60 s) | |
| working-directory: fuzz | |
| run: cargo +nightly fuzz run ${{ matrix.target }} -- -max_total_time=60 | |
| - name: Upload crash artifacts on failure | |
| if: failure() | |
| uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 | |
| with: | |
| name: fuzz-crash-${{ matrix.target }} | |
| path: fuzz/artifacts/${{ matrix.target }}/ | |
| if-no-files-found: ignore |