Manage Findings
Assess Findings
CI Fuzz allows you to assess the Findings found during fuzzing. This helps you survey the list of Findings and divide them into Findings that need fixing and Findings that aren't relevant in the project's context.
Assess Findings using the cifuzz assess command:
cifuzz assess [options …] [<finding name> [<assessment>]]
<finding name> is the name of the Finding you want to assess, for example adventurous_otter.
<assessment> is the assessment of the Finding. The following assessments are possible:
Assessment | Description | Semantics
---|---|---
n/a | No assessment. | The Finding fails invocations of cifuzz run and cifuzz finding --fail.
affected | The Finding affects the product. | The Finding fails invocations of cifuzz run and cifuzz finding --fail.
not_affected | The Finding doesn't affect the product. | The Finding doesn't fail invocations of cifuzz run and cifuzz finding --fail.
fixed | The Finding is fixed and should no longer occur. | The Finding fails invocations of cifuzz run and cifuzz finding --fail.
If no argument is provided, the command interactively asks for the Finding name and/or assessment.
Options
The cifuzz finding command supports the following command-specific options:
Flag | Description
---|---
-m, --message <string> | Add a message to the status
You can find documentation on all supported global options on the "Learn CI Fuzz" page.
Information about Findings seen in the last fuzzing run
CI Fuzz stores information about Findings found in the last fuzzing run. You can use this information to adjust the behavior of your CI/CD pipeline, for example to return exit code 99 if CI Fuzz triggered Findings in the last fuzzing run:
cifuzz findings --fail
Findings detected in the last fuzzing run are also displayed with an asterisk * in the cifuzz findings command.
This information resets at the beginning of a new fuzzing run. If that behaviour isn't desired, deactivate it with the --preserve-present-findings flag:
cifuzz run [<fuzz test>] --preserve-present-findings
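The pipeline gate described above, written out as an added example (this is not code from the cifuzz project): it runs after cifuzz run and turns the exit status of cifuzz findings --fail into a pass/block decision. The CIFUZZ variable is an assumption so the binary location can be overridden; it defaults to cifuzz on PATH.

```shell
#!/bin/sh
# Added example, not from the cifuzz documentation: a CI gate step built on
# `cifuzz findings --fail`. CIFUZZ is an assumed variable so a stub binary
# can be substituted in tests; it defaults to `cifuzz` on PATH.
CIFUZZ="${CIFUZZ:-cifuzz}"

# Map the exit status of `cifuzz findings --fail` to a verdict.
#   0  -> pass     : no open Findings in the last fuzzing run
#   99 -> findings : the last run triggered Findings that are still assessed
#                    n/a, affected or fixed (not dismissed as not_affected)
#   *  -> error    : cifuzz itself failed; never treat that as a pass
classify_findings_exit() {
    case "$1" in
        0)  echo pass ;;
        99) echo findings ;;
        *)  echo error ;;
    esac
}

# Run the check and return 0 only when the pipeline may proceed.
findings_gate() {
    if "$CIFUZZ" findings --fail; then rc=0; else rc=$?; fi
    verdict=$(classify_findings_exit "$rc")
    case "$verdict" in
        pass)
            echo "gate: no open Findings in the last fuzzing run"
            return 0 ;;
        findings)
            echo "gate: Findings triggered in the last run (marked * in" \
                 "'cifuzz findings'); triage them with 'cifuzz assess'" >&2
            return 1 ;;
        *)
            echo "gate: cifuzz exited with status $rc, blocking to be safe" >&2
            return 1 ;;
    esac
}

# Typical job layout (the fuzz test name is a placeholder):
#   "$CIFUZZ" run <fuzz test>
#   findings_gate || exit 1
```

Because cifuzz run itself fails on Findings (see the assessment table), a job that wants the gate's message and exit handling must not abort on the run step's status before calling findings_gate.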