Manage Findings
Assess Findings
CI Fuzz lets you assess the Findings discovered during fuzzing. This helps you survey the list of Findings and divide them into Findings that need fixing and Findings that aren't relevant in the project's context.
Assess Findings using the `cifuzz assess` command:
```
cifuzz assess [options …] [<finding name> [<assessment>]]
```
Command options
| Flag | Description |
|---|---|
| `-m, --message <string>` | Add a message to the status |
`<finding name>` is the name of the Finding you want to assess, for example `adventurous_otter`.
`<assessment>` is the assessment of the Finding. The following assessments are possible:
| Assessment | Description | Semantics |
|---|---|---|
| `n/a` | No assessment. | The Finding fails invocations of `cifuzz run` and `cifuzz findings --fail` |
| `affected` | The Finding affects the product. | The Finding fails invocations of `cifuzz run` and `cifuzz findings --fail` |
| `not_affected` | The Finding doesn't affect the product. | The Finding doesn't fail invocations of `cifuzz run` and `cifuzz findings --fail` |
| `fixed` | The Finding is fixed and should no longer occur. | The Finding fails invocations of `cifuzz run` and `cifuzz findings --fail` |
If you don't provide any argument, the command interactively asks for the Finding name and/or assessment.
Information about Findings seen in the last fuzzing run
CI Fuzz stores information about the Findings found in the last fuzzing run. You can use this information to adjust the behavior of your CI/CD pipeline, for example to return exit code 99 if CI Fuzz triggered Findings in the last fuzzing run:
```
cifuzz findings --fail
```
Findings detected in the last fuzzing run are also marked with an asterisk (`*`) in the output of the `cifuzz findings` command.
This information resets at the beginning of a new fuzzing run. If you don't want that, disable the reset with the `--preserve-present-findings` flag:
```
cifuzz run [<fuzz test>] --preserve-present-findings
```
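The following CI job step is an added example, not code from the CI Fuzz documentation. It runs a fuzz test, then gates the pipeline on the exit code of `cifuzz findings --fail`, treating exit code 99 (Findings from the last run that are still assessed `n/a`, `affected` or `fixed`) as a blocking result and any other non-zero code as a tool error. It assumes `cifuzz` is on `PATH` (the `CIFUZZ` variable and `PRESERVE` switch are conventions of this example only).

```shell
#!/bin/sh
# Added example, not part of the CI Fuzz docs.
# CIFUZZ lets a pipeline point at a specific binary; defaults to `cifuzz` on PATH.
CIFUZZ="${CIFUZZ:-cifuzz}"
# Exit code documented above for `cifuzz findings --fail` when Findings were triggered.
FINDINGS_EXIT_CODE=99

# Run one fuzz test. Set PRESERVE=1 to keep Findings from earlier runs flagged
# instead of resetting the "seen in last run" information.
run_fuzz_test() {
  if [ "${PRESERVE:-0}" = "1" ]; then
    "$CIFUZZ" run "$1" --preserve-present-findings
  else
    "$CIFUZZ" run "$1"
  fi
}

# Gate the pipeline on the last run's Findings.
# Returns 0 when nothing needs attention, 1 when the pipeline should block,
# and the raw exit code for any other failure (e.g. the tool itself errored).
gate_on_findings() {
  "$CIFUZZ" findings --fail
  status=$?
  case "$status" in
    0)
      echo "no unresolved Findings in the last fuzzing run"
      return 0 ;;
    "$FINDINGS_EXIT_CODE")
      echo "unresolved Findings in the last run; review with 'cifuzz findings'" \
           "and assess them with 'cifuzz assess <finding name> <assessment>'" >&2
      return 1 ;;
    *)
      echo "cifuzz findings exited with unexpected code $status" >&2
      return "$status" ;;
  esac
}
```

In a pipeline, call `run_fuzz_test my_fuzz_test && gate_on_findings` so a blocking result fails the job while `not_affected` assessments let it pass.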