Coverage-guided fuzzing results download

Full context in parent epic

Problem to solve

After a fuzz test has completed, users need a way to consume the results so they can take a next step.

Intended users

Further details

Proposal

Provide artifacts for all relevant fuzz testing results as part of the Security tab in the pipeline view.

See attached designs on Design tab to implement.

  • Include a 'Download Report' button on the Pipeline view
  • Download button should return the latest set of fuzz artifacts from the pipeline.
    • Consider leveraging the artifact download feature being done in %13.1
  • Original Figma designs to implement
  • Finalized Figma design

Note: Adding buttons to the MR widget is out of scope for this issue.

  • Background for this decision is that the security MR widget designs will be dramatically changing in the future, so changes there would be undone in the very near future.

Items to include in the fuzz test artifacts:

  1. Machine-readable report file with the fuzz test results (e.g. gl-fuzz-test.json)
  2. For each identified fault, a folder containing
    1. The input that causes the fault
    2. The text logs from standard output/standard error
    3. Application-specific log files (their paths would need to be specified in the config)
    4. The outputs from the fuzzing harness binaries
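As an added example (not GitLab's code, and not the real gl-fuzz-test.json schema, whose field names are an assumption here), the following script packages fuzz results into the artifact layout listed above: a machine-readable report at the root plus one folder per fault holding the crashing input, the stdout/stderr logs, the configured application logs and the harness output. Because the application log paths come from user configuration, only a sanitized basename of each path is used as a zip entry name, so the archive cannot write outside the fault folder when extracted. The sample faults are constructed data.

```python
"""Package coverage-guided fuzzing results into the downloadable zip layout.

Added example. The folder layout follows the issue text; the report field
names are an assumption for illustration, not GitLab's gl-fuzz-test.json schema.
"""
import hashlib
import io
import json
import re
import zipfile
from dataclasses import dataclass, field


@dataclass
class Fault:
    """One fault found by the fuzzer (constructed sample data in this example)."""
    harness: str
    crash_input: bytes
    stdout: str
    stderr: str
    app_logs: dict = field(default_factory=dict)   # configured log path -> contents
    harness_output: bytes = b""


_UNSAFE = re.compile(r"[^A-Za-z0-9._-]+")


def _safe_name(name: str) -> str:
    """Replace anything that could escape the fault folder on extraction
    (path separators, odd characters) with '_', then strip leading dots so
    '..' cannot survive; this prevents zip-slip when the user unpacks the archive."""
    return _UNSAFE.sub("_", name).strip("._") or "unnamed"


def fault_id(fault: Fault) -> str:
    """Content-derived id: the same harness + crashing input always maps to the same folder."""
    return hashlib.sha256(fault.harness.encode() + b"\0" + fault.crash_input).hexdigest()[:16]


def build_report(faults: list) -> dict:
    """Machine-readable summary of all faults (assumed field names)."""
    return {
        "version": "example-1",
        "faults": [
            {
                "id": fault_id(f),
                "harness": f.harness,
                "input_sha256": hashlib.sha256(f.crash_input).hexdigest(),
                "input_size": len(f.crash_input),
                "folder": f"faults/{fault_id(f)}/",
            }
            for f in faults
        ],
    }


def package_artifacts(faults: list) -> bytes:
    """Produce the zip that a 'Download Report' button would serve."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("gl-fuzz-test.json", json.dumps(build_report(faults), indent=2))
        for f in faults:
            folder = f"faults/{fault_id(f)}"
            zf.writestr(f"{folder}/input", f.crash_input)
            zf.writestr(f"{folder}/stdout.log", f.stdout)
            zf.writestr(f"{folder}/stderr.log", f.stderr)
            for path, contents in f.app_logs.items():
                # The configured path is untrusted; keep only its sanitized basename
                # so it can never become a directory-escaping zip entry name.
                basename = path.replace("\\", "/").rsplit("/", 1)[-1]
                zf.writestr(f"{folder}/app-logs/{_safe_name(basename)}", contents)
            zf.writestr(f"{folder}/harness-output", f.harness_output)
    return buf.getvalue()


def list_entries(zip_bytes: bytes) -> list:
    """Sorted entry names of a zip held in memory (used to inspect the result)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return sorted(zf.namelist())


# Constructed sample faults: one ASan crash with a normal log path, one with a
# hostile configured log path that must not be honoured as a zip entry path.
SAMPLE_FAULTS = [
    Fault("parse_header", b"\xff\xfe" + b"A" * 40,
          "parsing 42 bytes\n", "AddressSanitizer: heap-buffer-overflow\n",
          {"/var/log/app/server.log": b"request rejected\n"}, b"==1234==ABORTING\n"),
    Fault("parse_header", b"\x00", "", "assertion failed\n",
          {"../../etc/passwd": b"only the basename is kept\n"}),
]


if __name__ == "__main__":
    print("\n".join(list_entries(package_artifacts(SAMPLE_FAULTS))))
```

Running the script prints the archive layout; the second fault's log lands under `app-logs/passwd` inside its own fault folder rather than at a path derived from `../../`.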

If it's possible to parse the fuzzing results into a table or list view, that would also work. Note that we do not want to introduce a new data model analogous to Standalone Vulnerabilities as part of this issue.

Add usage ping data to indicate when a user has downloaded the fuzz test results.

Design references (from the Design tab):

  • Pipeline_list-onejob: download button in the pipeline report when there is only one fuzzing job. Add a download button; clicking it triggers a zip file download.
  • Pipeline_list-multijobs: download button in the pipeline report when there are multiple jobs *(not in this issue, for reference only)*. Add a dropdown download button; clicking an option in the dropdown triggers a zip file download.
  • Configuration--not-enabled: fuzzing in the settings area.

Permissions and Security

Users are required to have the same permissions as are needed to view the Security Dashboard.

  • Fuzz testing results can reveal security vulnerabilities that malicious users could exploit. We don't want to unintentionally publish vulnerabilities by exposing a project's fuzzing results publicly.

What does success look like, and how can we measure that?

Users are able to successfully consume the results of fuzz testing.

  • Measure this by adding usage ping to the screens & actions that a user would use to access fuzz results.

What is the type of buyer?

GitLab Ultimate

Is this a cross-stage feature?

Not likely. This may involve adding new content to the Pipeline view, which may require other groups, but it can likely be done solely by ~"group::fuzz testing".

Links / references

The following page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.

Edited by 🤖 GitLab Bot 🤖