Run a fuzz test With CI Fuzz
You can build and execute a fuzz test with the cifuzz run command:
cifuzz run <fuzz test> [--option...] [--] [<build system argument>...]
Fuzz test argument
The name and syntax of the fuzz test argument are dependent on the build system:
- CMake
- Bazel
- Maven/Gradle
- NodeJS
| Argument | Description |
|---|---|
<fuzz test> | Name of the fuzz test defined in the add_fuzz_test command in your CMakeLists.txt |
| Argument | Description |
|---|---|
<fuzz test> | Name of the cc_fuzz_test target defined in your BUILD.bazel fileCan be relative or absolute Bazel label |
| Argument | Description |
|---|---|
<fuzz test>::<method name> | Name of the class containing the fuzz test and the name of the fuzz test |
| Argument | Description |
|---|---|
<fuzz test>:<test name> | Regex pattern that matches against all paths containing fuzz test files |
Command completion
Command completion for the <fuzz test> argument is immediately supported for Bazel, Maven, Gradle and NodeJS.
In the case of CMake, it's only supported after building the fuzz test or calling the cifuzz reload command.
Command completion for other build systems aren't supported.
Options
The cifuzz run command supports the following command specific options:
| Flag | Description |
|---|---|
--build-command <string> | Command to build the fuzz test for build system "other". |
--build-jobs uint[=0] | Maximum number of concurrent processes used for building. If argument is omitted, default of the native build tool is used. |
--build-only | Build the fuzz tests but don't execute them. |
--clean-command <string> | Command to clean the fuzz test and its dependencies for build system "other". |
--dict <string> | File containing input language keywords or other byte sequences. This flag is only used if no default dictionary is found for the fuzz test. For libFuzzer see: https://llvm.org/docs/LibFuzzer.html#dictionaries For AFL see: https://github.com/AFLplusplus/AFLplusplus/blob/stable/dictionaries/README.md |
--engine-arg <stringArray> | Command-line arguments to pass to the fuzzing engine. This flag can be used multiple times. For libFuzzer see: https://llvm.org/docs/LibFuzzer.html#options For AFL see: https://www.mankier.com/8/afl-fuzz |
--fail-fast | Exit the fuzzing campaign as soon as a any Finding is found. |
--interactive | Toggle interactive prompting in the terminal (default true) |
--json | Print output as JSON. |
--keep-going | (Experimental) Continue fuzzing even if a fuzz test triggers a Finding. Specific kinds of Findings can still cause the fuzzer to stop due to technical limitations. |
--max-fuzzing-duration <duration> | Maximum time to run all fuzz tests ("5s", "30m", "1h", ...) Time will be split up evenly if multiple fuzz tests are run. To keep running indefinitely, set value to 0. (default 10m0s) |
--max-idle-time duration <duration> | Maximum time until fuzz test is aborted if no progress is detected ("5s", "30m", "1h", ...) (default 1m0s) |
--min-severity <string> | Minimum severity of Findings: "low", "medium", "high" or "critical". Command will exit with status code 99 if Finding with matching severity was detected. Findings with lower severity are marked as a warning. |
--preserve-present-findings | Findings marked as "present" from other fuzz tests will still remain marked. This can be imprecise if fuzz tests are renamed, deleted or ambiguously identified. |
--project-dir <string> | Path to project root. Defaults to the directory containing the cifuzz.yaml. |
--prune-corpus-only | Only prune redundant corpus entries that produce the same coverage without executing any fuzzing. |
--prune-shard-size <int> | Number of corpus inputs in each shard when pruning the corpus with --prune-corpus-only flag. Shards are pruned in parallel to speed up process. Set value to 0 to prune the corpus in a single step. (default 10000) |
--regression-only | Run configured fuzz tests in regression mode. This runs the fuzz test only with inputs from previous Findings and existing test cases. |
-r, --resolve | Set if fuzz test argument of the command is path to a source file instead of an identifier. Path can be absolute or relative to the current working directory and will be resolved to the identifier of the corresponding fuzz test. |
-s, --seed-corpus <stringArray> | Directory containing sample inputs used as seeds for fuzzing. Used in addition to inputs found in the directory of the fuzz test. This flag can be used multiple times. For more general information see: https://docs.code-intelligence.com/glossary#seed-corpus For AFL see: https://aflplus.plus/docs/fuzzing_in_depth/#a-collecting-inputs |
--with-coverage | Follow up with code coverage for the fuzz test. |
You can find documentation on all supported global options on the "Learn CI Fuzz" page.
Build system arguments
You can pass additional arguments for CMake, Bazel, Maven and Gradle after a -- at the end of the command. Be aware
to define all other options before.
- CMake
- Bazel
- Maven
Example
cifuzz run my_fuzz_test -- -G Ninja
Example
cifuzz run src:my_fuzz_test -- --sandbox_debug
Example
cifuzz run com.example.FuzzTestCase::myFuzzTest -- -Dcheckstyle.skip