feat: fuzz testing PerlParser (#3725)

joydeep049 · web-flow · commit 40e51801fe8a · 2024-01-17T13:26:03.000-08:00
Closes #3335
diff --git a/fuzz/fuzz_cpanfile.py b/fuzz/fuzz_cpanfile.py
@@ -0,0 +1,75 @@
+# Copyright (C) 2023 Intel Corporation
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+import sys
+import tempfile
+from pathlib import Path
+
+import atheris
+import atheris_libprotobuf_mutator
+from google.protobuf.json_format import MessageToDict
+
+import fuzz.generated.cpanfile_pb2 as cpanfile_pb2
+from cve_bin_tool.cvedb import CVEDB
+from cve_bin_tool.log import LOGGER
+
+with atheris.instrument_imports():
+    from cve_bin_tool.parsers.perl import PerlParser
+
+cve_db = CVEDB()
+logger = LOGGER.getChild("Fuzz")
+
+
+def cpanfileBuilder(data, file_path):
+    # Convert the Protobuf message to a dictionary
+    json_data = MessageToDict(
+        data, preserving_proto_field_name=True, including_default_value_fields=True
+    )
+
+    with open(file_path, "w") as f:
+        # Writing general requirements
+        for module in json_data.get("general_requirements", []):
+            f.write(
+                f'requires "{module.get("name", "")}" => "{module.get("version", "0")}";\n'
+            )
+
+        # Handling 'test' environment
+        test_deps = json_data.get("test_dependencies", {})
+        if test_deps:
+            f.write("\non 'test' => sub {\n")
+            for module in test_deps.get("test_requirements", []):
+                f.write(
+                    f'    requires "{module.get("name", "")}" => "{module.get("version", "0")}";\n'
+                )
+            for module in test_deps.get("test_recommends", []):
+                f.write(
+                    f'    recommends "{module.get("name", "")}" => "{module.get("version", "0")}";\n'
+                )
+            f.write("};\n")
+
+        # Handling 'develop' environment
+        develop_deps = json_data.get("develop_dependencies", {})
+        if develop_deps:
+            f.write("\non 'develop' => sub {\n")
+            for module in develop_deps.get("develop_requirements", []):
+                f.write(
+                    f'    requires "{module.get("name", "")}" => "{module.get("version", "0")}";\n'
+                )
+            f.write("};\n")
+
+
+def TestParseData(data):
+    try:
+        cpanfileBuilder(data)
+
+        perl_parser = PerlParser(cve_db, logger)
+        perl_parser.run_checker(file_path)
+
+    except SystemExit:
+        return
+
+
+file_path = str(Path(tempfile.mkdtemp(prefix="cve-bin-tool-")) / "cpanfile")
+
+atheris_libprotobuf_mutator.Setup(sys.argv, TestParseData, proto=cpanfile_pb2.CPANFile)
+atheris.Fuzz()
diff --git a/fuzz/generated/cpanfile_pb2.py b/fuzz/generated/cpanfile_pb2.py
diff --git a/fuzz/proto_files/cpanfile.proto b/fuzz/proto_files/cpanfile.proto
@@ -0,0 +1,28 @@
+// Copyright (C) 2022 Intel Corporation
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+syntax = "proto3";
+
+// Represents a single Perl module requirement.
+message ModuleRequirement {
+    string name = 1;     // The name of the module
+    string version = 2;  // The required version of the module
+}
+
+// Represents the entire CPAN file.
+message CPANFile {
+    repeated ModuleRequirement general_requirements = 1;  // General requirements
+
+    // Dependencies specific to the 'test' environment.
+    message TestDependencies {
+        repeated ModuleRequirement test_requirements = 1;  // Test requirements
+        repeated ModuleRequirement test_recommends = 2;    // Test recommendations
+    }
+    TestDependencies test_dependencies = 2;
+
+    // Dependencies specific to the 'develop' environment.
+    message DevelopDependencies {
+        repeated ModuleRequirement develop_requirements = 1;  // Develop requirements
+    }
+    DevelopDependencies develop_dependencies = 3;
+}
