fix: week error in fuzzing scripts #4892

Closed
@terriko

Our fuzzer is currently generating the following error:

Found Fuzzing scripts: fuzz_cargo_lock.py fuzz_composer_lock.py fuzz_cpanfile.py fuzz_cyclonedx.py fuzz_gemfile_lock.py fuzz_go.py fuzz_intermediate_report_merge.py fuzz_main.py fuzz_package_list_parser.py fuzz_package_lock.py fuzz_package_resolved.py fuzz_pkg_info.py fuzz_pom_xml.py fuzz_pubspec_lock.py fuzz_python_requirement_parser.py fuzz_renv_lock.py fuzz_tuples.py
Current week number: 09
/opt/actions-runner/_work/_temp/fa0d77ad-34fa-4075-8cdd-45e2346cba6c.sh: line 7: (09: value too great for base (error token is "09")
Selected script: fuzz_cargo_lock.py

Although it's not obvious from the GitHub error, it's referring to a definition in fuzzing.yml here; you can search for "week" and see where it's happening:
https://github.com/intel/cve-bin-tool/blob/main/.github/workflows/fuzzing.yml

We currently use the week number to rotate through which fuzzer is run so that we strike a balance between having fuzzers run somewhat regularly but also not wasting a bunch of cycles. Unfortunately, judging from the fact that it's choosing the first script and not the one that would have been number 9, this isn't working as intended. It may be because the script is outputting "09" rather than "9", but it could be something else.

Note that those are basically bash scripts, but GitHub Actions has some weird syntax. If you need to replace this with a Python script to handle the fuzzer rotation, that's totally reasonable. It's probably easy to fix so I'll flag it as such, but be warned that testing stuff that runs once a week is a pain, so you will probably want to make a local branch and figure it out there before sending in a PR.

Short tips for new contributors:

  • cve-bin-tool's contributor docs
  • If you've contributed to open source but not this project, you might just want our checklist for a great pull request
  • cve-bin-tool uses https://www.conventionalcommits.org/ style for commit messages, and we have a test that checks the title of your pull request (PR). A good potential title for this one is in the title of this issue.
  • You can make an issue auto close by including a comment "fixes #ISSUENUMBER" in your PR comments where ISSUENUMBER is the actual number of the issue. This "links" the issue to the pull request.

Claiming issues:

  • You do not need to have an issue assigned to you before you work on it. To "claim" an issue either make a linked pull request or comment on the issue saying you'll be working on it.
  • If someone else has already commented or opened a pull request, assume it is claimed and find another issue to work on.
  • If it's been more than 1 week without progress, you can ask in a comment if the claimant is still working on it before claiming it yourself (give them at least 3 days to respond before assuming they have moved on).
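
The rotation described in the issue, as an added example that is not part of the original issue or of the project's fuzzing.yml: shell arithmetic treats a leading `0` as an octal prefix, so `09` is rejected, and this sketch strips leading zeros before taking the week modulo the script count. The function names and the zero-based modulo indexing are assumptions; the script list is copied from the log line in the issue.

```shell
#!/bin/sh
# Added example: week-based fuzzer rotation that tolerates "08" and "09".
# In bash, $(( 09 % 17 )) fails with "value too great for base" because a
# leading 0 selects octal and 9 is not an octal digit.

# Script list copied from the "Found Fuzzing scripts" log line in the issue.
SCRIPTS="fuzz_cargo_lock.py fuzz_composer_lock.py fuzz_cpanfile.py
fuzz_cyclonedx.py fuzz_gemfile_lock.py fuzz_go.py
fuzz_intermediate_report_merge.py fuzz_main.py fuzz_package_list_parser.py
fuzz_package_lock.py fuzz_package_resolved.py fuzz_pkg_info.py
fuzz_pom_xml.py fuzz_pubspec_lock.py fuzz_python_requirement_parser.py
fuzz_renv_lock.py fuzz_tuples.py"

# normalize_week (hypothetical helper): validate the week string and strip
# leading zeros so arithmetic reads it as decimal ("09" -> "9", "00" -> "0").
normalize_week() {
    w=$1
    case $w in
        ''|*[!0-9]*) echo "invalid week number: '$w'" >&2; return 1 ;;
    esac
    while [ "${#w}" -gt 1 ] && [ "${w#0}" != "$w" ]; do
        w=${w#0}
    done
    printf '%s\n' "$w"
}

# select_script WEEK SCRIPT... (hypothetical helper): print the script at
# zero-based index WEEK mod COUNT. The indexing scheme is an assumption.
select_script() {
    week=$(normalize_week "$1") || return 1
    shift
    [ "$#" -gt 0 ] || { echo "no fuzzing scripts found" >&2; return 1; }
    index=$(( $week % $# ))
    shift "$index"
    printf '%s\n' "$1"
}

# date +%V prints the ISO week with a leading zero (01..53), which is the
# input shape that triggers the error. In bash, $(( 10#$week )) is an
# alternative way to force base 10.
echo "Current week number: $(date +%V)"
echo "Selected script: $(select_script "$(date +%V)" $SCRIPTS)"
```
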

Labels: github_actions (Pull requests that update GitHub Actions code), good first issue (Good for newcomers)