feat: fuzz testing RustParser

mastersans · web-flow · commit 0c1d8ce1a97f · 2023-10-30T11:58:01.000-07:00
fixes: #3328 added fuzz testing for RustParser(Cargo.lock) based on [Rust docs](https://doc.rust-lang.org/cargo/guide/cargo-toml-vs-cargo-lock.html) and [Cargo.lock of Rust itself](https://github.com/rust-lang/rust/blob/master/Cargo.lock).
diff --git a/fuzz/fuzz_cargo_lock.py b/fuzz/fuzz_cargo_lock.py
@@ -0,0 +1,74 @@
+# Copyright (C) 2023 Intel Corporation
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+import sys
+import tempfile
+from pathlib import Path
+
+import atheris
+import atheris_libprotobuf_mutator
+from google.protobuf.json_format import MessageToDict
+
+import fuzz.generated.cargo_lock_pb2 as cargo_lock_pb2
+from cve_bin_tool.cvedb import CVEDB
+from cve_bin_tool.log import LOGGER
+
+with atheris.instrument_imports():
+    from cve_bin_tool.parsers.rust import RustParser
+
+cve_db = CVEDB()
+logger = LOGGER.getChild("Fuzz")
+
+
+def CargoLockBuilder(data):
+    json_data = MessageToDict(
+        data, preserving_proto_field_name=True, including_default_value_fields=True
+    )
+
+    with open(file_path, "w") as f:
+        for package_data in json_data.get("packages", []):
+            package_name = package_data.get("name", "")
+            package_version = package_data.get("version", "")
+            f.write("[[package]]\n")
+            f.write(f'name = "{package_name}"\n')
+            f.write(f'version = "{package_version}"\n')
+            package_source = package_data.get("source", "")
+            if package_source != "":
+                f.write(f'source = "{package_source}"\n')
+            package_checksum = package_data.get("checksum", "")
+            if package_checksum != "":
+                f.write(f'checksum = "{package_checksum}"\n')
+
+            dependencies = package_data.get("dependency", [])
+            f.write("dependencies = [\n")
+            for dependency in dependencies:
+                name = dependency.get("name", "")
+                version = dependency.get("version", "")
+                url = dependency.get("url", "")
+                f.write(f' "{name}')
+                if version != "":
+                    f.write(f" {version}")
+                if url != "":
+                    f.write(f" {url}")
+                f.write('",\n')
+            f.write("]\n")
+            f.write("\n")
+
+
+def TestParseData(data):
+    try:
+        CargoLockBuilder(data)
+
+        rust_parser = RustParser(cve_db, logger)
+        rust_parser.run_checker(file_path)
+
+    except SystemExit:
+        return
+
+
+file_path = str(Path(tempfile.mkdtemp(prefix="cve-bin-tool-")) / "Cargo.lock")
+
+atheris_libprotobuf_mutator.Setup(
+    sys.argv, TestParseData, proto=cargo_lock_pb2.CargoLock
+)
+atheris.Fuzz()
diff --git a/fuzz/generated/cargo_lock_pb2.py b/fuzz/generated/cargo_lock_pb2.py
diff --git a/fuzz/proto_files/cargo_lock.proto b/fuzz/proto_files/cargo_lock.proto
@@ -0,0 +1,20 @@
+// Copyright (C) 2023 Intel Corporation
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+syntax = "proto3";
+
+message CargoLock {
+    message Package {
+        string name = 1;
+        string version = 2;
+        optional string source = 3;
+        optional string checksum = 4;
+        repeated Dependencies dependency = 5;
+    }
+    message Dependencies {
+        string name = 1;
+        optional string version = 2;
+        optional string url = 3;
+    }
+    repeated Package packages = 1;
+}
