Add initial support for the rules_fuzzing Bazel library.#14834
Add initial support for the rules_fuzzing Bazel library.#14834htuch merged 8 commits intoenvoyproxy:mainfrom
Conversation
|
Hi @stefanbucur, welcome and thank you for your contribution. We will try to review your Pull Request as quickly as possible. In the meantime, please take a look at the contribution guidelines if you have not done so already. |
Signed-off-by: Stefan Bucur <sbucur@google.com>
30acee0 to
573c239
Compare
Signed-off-by: Stefan Bucur <sbucur@google.com>
Signed-off-by: Stefan Bucur <sbucur@google.com>
asraa
left a comment
There was a problem hiding this comment.
Thanks! Just minor comments
/wait
|
/assign htuch |
Signed-off-by: Stefan Bucur <sbucur@google.com>
Signed-off-by: Stefan Bucur <sbucur@google.com>
|
I've just checked the failures and they don't seem to be fuzzing related. For the ASAN failure I also see there is a separate PR to address it (#14844). |
Signed-off-by: Stefan Bucur <sbucur@google.com>
|
@moderation could you please take a look for deps please? |
moderation
left a comment
There was a problem hiding this comment.
Question on sha256 pinning of Python dep
| requirements = "@rules_fuzzing//fuzzing:requirements.txt", | ||
|
|
||
| # project_name = "Abseil Python Common Libraries", | ||
| # project_url = "https://github.com/abseil/abseil-py", | ||
| # version = "0.11.0", | ||
| # release_date = "2020-10-27", | ||
| # use_category = ["test"], | ||
| ) |
There was a problem hiding this comment.
This is a little different from our existing Python dependencies that normally have a requirements.txt file. The requirements.txt file allows us to pin to sha256 hashes with extra_pip_args = ["--require-hashes"],.
From what I can tell this is referring to https://github.com/bazelbuild/rules_fuzzing/blob/master/fuzzing/requirements.txt. Is there a way to pull in this dependency and pin to the sha256 hash (which is required by policy)?
There was a problem hiding this comment.
I've just created bazel-contrib/rules_fuzzing#121 to address that.
Do you mean to keep using the requirements.txt file from the @rules_fuzzing dependency, or make a copy in this repository?
If it's the former, I will update the dependency version to incorporate this change and enable the --require-hashes flag here.
If it's the latter, I think a good location for this file would be //test/fuzz:rules_fuzzing_requirements.txt. WDYT?
There was a problem hiding this comment.
I've just created bazelbuild/rules_fuzzing#121 to address that.
Do you mean to keep using the
requirements.txtfile from the@rules_fuzzingdependency, or make a copy in this repository?If it's the former, I will update the dependency version to incorporate this change and enable the
--require-hashesflag here.
This part is done - let me know if you'd prefer to go with the second approach instead.
| rules_fuzzing = dict( | ||
| project_name = "Fuzzing Rules for Bazel", | ||
| project_desc = "Bazel rules for fuzz tests", | ||
| project_url = "https://github.com/bazelbuild/rules_fuzzing", | ||
| version = "2c97fcd74f20dce950c77129b9b9b31cc63a4c8e", | ||
| sha256 = "6764e198db6f84bd1f6bf9565ebd7bb532a73b5f99cfe19126a279f67cc9b633", | ||
| strip_prefix = "rules_fuzzing-{version}", | ||
| urls = ["https://github.com/bazelbuild/rules_fuzzing/archive/{version}.tar.gz"], | ||
| release_date = "2021-01-28", | ||
| use_category = ["test_only"], | ||
| implied_untracked_deps = [ | ||
| # This is a repository rule generated to define an OSS-Fuzz fuzzing | ||
| # engine target from the CFLAGS/CXXFLAGS environment. | ||
| "rules_fuzzing_oss_fuzz", | ||
| ], | ||
| ), |
There was a problem hiding this comment.
Not a great OSSF score but this is test only. Looks OK to me. @htuch?
scorecard --repo=https://github.com/bazelbuild/rules_fuzzing
RESULTS
-------
Active: Pass 10
Branch-Protection: Fail 0
CI-Tests: Pass 10
CII-Best-Practices: Fail 10
Code-Review: Pass 10
Contributors: Fail 10
Frozen-Deps: Fail 5
Fuzzing: Pass 10
Packaging: Fail 10
Pull-Requests: Pass 10
SAST: Fail 10
Security-Policy: Fail 10
Signed-Releases: Fail 0
Signed-Tags: Fail 0
There was a problem hiding this comment.
TIL about Scorecard, this is awesome! :) Just as a heads-up, we are planning to improve upon a number of these items in the short term, and will update the Envoy dependencies when this happens.
Signed-off-by: Stefan Bucur <sbucur@google.com>
htuch
left a comment
There was a problem hiding this comment.
LGTM! I think since this is test-only we will not block on OSSF Scorecard, but it would be ideal to see whatever practical steps taken here as a nice-to-have.
.bazelrc
Outdated
| build:oss-fuzz --linkopt=-fno-sanitize=vptr | ||
| build:oss-fuzz --define=tcmalloc=disabled | ||
| build:oss-fuzz --define=signal_trace=disabled | ||
| build:oss-fuzz --define=ENVOY_CONFIG_ASAN=1 |
There was a problem hiding this comment.
Nit: this is in the base fuzzing config.
There was a problem hiding this comment.
Ah, good catch - fixed.
It seems the last push has undone the previous LGTM. Could you approve again?
Signed-off-by: Stefan Bucur <sbucur@google.com>
|
/lgtm deps |
Commit Message: Introduce the new https://github.com/bazelbuild/rules_fuzzing library for fuzz testing support.
Additional Description: The new library provides new functionality (support for testing the fuzz test locally) and simplifies existing fuzzing tasks. This is the first PR in the series. See #14675 for the detailed rollout plan.
Risk Level: High (new dependencies and major change to the existing
envoy_cc_fuzz_testmacro)Testing: The changes consist of either (a) code that should be a drop-in replacement to the existing functionality, or (b) new targets marked as "manual". For (a), the Envoy regression tests should catch deviations from the original behavior. The new functionality in (b) is either tested manually, or through the OSS-Fuzz integration (changes coming in future PR).
Docs Changes: None (this is test-only functionality).
Release Notes: N/A
Platform Specific Features: The fuzz tests run on Linux platforms only.