cd18c6066d
A Friday afternoon jaunt. To be merged after #2855; does the remaining work to close #2277 (and closes off some things that Dependabot was trying to upgrade). Tested by manually running the commands; we don't have good coverage for this kind of stuff. OTOH, most of these commands are for the experimental local fuzzing mode, which is not fully supported yet. I did specifically test the `onefuzz-task managed` command which is the one used in production. ## Details - Bump `clap` to 4.1.6 - Remove `structopt` as this is subsumed by clap now - Bump `envlogger` to 0.10 (removes problematic dependency) - Set `default-features=false` on `proc-maps` (removes a feature which is only needed to support FreeBSD), and bump it to 0.3 The main changes migrating `clap` are: - `value_t!` is gone; now use `matches.get_one::<T>`. If `T` is not `String` then a parser must have been registered on the `Arg` when it was created, with `arg.value_parser(value_parser!(T))`. - `Command::with_name` and `Arg::with_name` are now called `new`. - `Command` and `Subcommand` were unified, and `App` is removed. - `arg.takes_value(true)` is gone; it is the default. For flags use `arg.action(ArgAction::SetTrue)` and then retrieve the flag value with `matches.get_flag`. This code would be simplified a lot by using the `clap::Parser` on structs, but that requires reworking the code significantly as we cannot dynamically add/remove arguments the way that this is currently done. ## Also found Found one bug while manually testing the `onefuzz-task local` commands; see comment below.
A self-hosted Fuzzing-As-A-Service platform
Project OneFuzz enables continuous developer-driven fuzzing to proactively harden software prior to release. With a single command, which can be baked into CICD, developers can launch fuzz jobs from a few virtual machines to thousands of cores.
Features
- Composable fuzzing workflows: Open source allows users to onboard their own fuzzers, swap instrumentation, and manage seed inputs.
- Built-in ensemble fuzzing: By default, fuzzers work as a team to share strengths, swapping inputs of interest between fuzzing technologies.
- Programmatic triage and result de-duplication: It provides unique flaw cases that always reproduce.
- On-demand live-debugging of found crashes: It lets you summon a live debugging session on-demand or from your build system.
- Observable and Debug-able: Transparent design allows introspection into every stage.
- Fuzz on Windows and Linux: Multi-platform by design. Fuzz using your own OS build, kernel, or nested hypervisor.
- Crash reporting notification callbacks: Including Azure DevOps Work Items and Microsoft Teams messages
For information, check out some of our guides:
Are you a Microsoft employee interested in fuzzing? Join us on Teams at Fuzzing @ Microsoft.
Contributing
This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.microsoft.com.
When you submit a pull request, a CLA-bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., label, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repositories using our CLA.
This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.
Data Collection
The software may collect information about you and your use of the software and send it to Microsoft. Microsoft may use this information to provide services and improve our products and services. You may turn off the telemetry as described in the repository. There are also some features in the software that may enable you and Microsoft to collect data from users of your applications. If you use these features, you must comply with applicable law, including providing appropriate notices to users of your applications together with a copy of Microsoft's privacy statement. Our privacy statement is located at https://go.microsoft.com/fwlink/?LinkID=824704. You can learn more about data collection and use in the help documentation and our privacy statement. Your use of the software operates as your consent to these practices.
For more information:
Reporting Security Issues
Security issues and bugs should be reported privately to the Microsoft Security Response Center (MSRC). For more information, please see SECURITY.md.