
Manage Findings

Assess Findings

CI Fuzz allows you to assess the Findings discovered during fuzzing. Assessing helps you survey the list of Findings and divide them into

  • Findings that need to be fixed and
  • Findings that do not need to be fixed.

Findings can be assessed using the cifuzz assess command:

    cifuzz assess [options …] [<finding name> [<assessment>]]

The <finding name> argument is the name of the Finding you want to assess, for example adventurous_otter.

  • If the <assessment> is not given as a command line argument, CI Fuzz will interactively ask for the assessment.
  • If the <finding name> is not given as a command line argument, CI Fuzz will interactively ask for both the finding name and the assessment.

The following assessments are possible:

    Assessment     Description                                                      Semantics
    n/a            The finding has not yet been assessed.                           The finding will fail invocations of cifuzz run or cifuzz finding --fail.
    affected       The finding has been assessed and it affects the product.        The finding will fail invocations of cifuzz run or cifuzz finding --fail.
    not_affected   The finding has been assessed and it does NOT affect the product. The finding will NOT fail invocations of cifuzz run or cifuzz finding --fail.
    fixed          The finding has been fixed and it should no longer occur.        The finding will fail invocations of cifuzz run or cifuzz finding --fail.

Options

The cifuzz assess command supports the following command-specific option:

    Flag                        Description
    -m, --message <message>     Add a message to the assessment, e.g. a justification for why the finding does or does not affect the product.

You can find all supported global options on the "Learn CI Fuzz" page.

Information about Findings Seen in the Last Fuzzing Run

CI Fuzz stores information about which Findings have been found in the last fuzzing run.

This information can be used, for example, to fail a CI/CD pipeline. The following command returns exit code 99 if Findings have been encountered in the last fuzzing run and exit code 0 otherwise (subject to the assessment semantics above, i.e. Findings assessed as not_affected do not cause a failure):

Fail the CI/CD pipeline depending on the presence of Findings found in the last fuzzing run
    cifuzz findings --fail

This information is also displayed by cifuzz finding: Findings that have been seen in the last fuzzing run are marked with an asterisk * (cf. Show Findings).
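The following POSIX shell function is an added example and not part of the CI Fuzz documentation or the cifuzz tool. It wraps the gate described above so that a CI step distinguishes the three cases that matter: exit code 0 (no Findings in the last run), exit code 99 (Findings present, pipeline must fail) and anything else (cifuzz itself failed, which must never be mistaken for a clean run). It assumes a cifuzz binary on PATH, or a path or command name passed as its first argument; the function name gate_on_findings and its return codes 1 and 2 are choices made for this example.

```shell
#!/bin/sh
# Added example, not code from the CI Fuzz project: a CI gate around
# `cifuzz finding --fail`. Only the documented exit codes 0 and 99 are
# interpreted; every other status is treated as a tool failure.

# gate_on_findings [cifuzz-binary]
#   returns 0 -> no Findings were seen in the last fuzzing run
#   returns 1 -> Findings that count as failing (n/a, affected, fixed) are present
#   returns 2 -> cifuzz did not run correctly (missing binary, bad config, crash)
gate_on_findings() {
    # Assumption: `cifuzz` is on PATH; $1 may override it (used by tests).
    cifuzz_bin="${1:-cifuzz}"

    "$cifuzz_bin" finding --fail
    status=$?

    case "$status" in
        0)
            echo "findings gate: no Findings in the last fuzzing run"
            return 0
            ;;
        99)
            echo "findings gate: Findings present in the last fuzzing run, failing the pipeline" >&2
            echo "findings gate: false positives can be dismissed with 'cifuzz assess <name> not_affected -m <justification>'" >&2
            return 1
            ;;
        *)
            # A crashed or missing tool must not pass as "no Findings".
            echo "findings gate: cifuzz exited with unexpected status $status" >&2
            return 2
            ;;
    esac
}

# Typical CI step (not executed here):
#   cifuzz run my_fuzz_test
#   gate_on_findings
```

Keeping the "unexpected status" branch separate from the "Findings present" branch matters in practice: a pipeline that only checks for a non-zero exit would report a missing or misconfigured cifuzz as a fuzzing failure, while one that only checks for 99 would silently pass when the tool never ran.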

The information about which Findings have been found in the last fuzzing run is reset at the beginning of a new fuzzing run. If that behaviour is not desired, it can be deactivated using the --preserve-present-findings flag:

Preserve information about last seen findings
    cifuzz run [<fuzz test>] --preserve-present-findings