Coverage-guided fuzzing results download
Full context in parent epic
Problem to solve
After a fuzz test has completed, users need a way to consume the results so they can take a next step.
Intended users
Further details
Proposal
Provide artifacts for all relevant fuzz testing results as part of the Security tab in the pipeline view.
See attached designs on Design tab to implement.
- Include a 'Download Report' button on the Pipeline view
- Download button should return the latest set of fuzz artifacts from the pipeline.
- Consider leveraging the artifact download feature being done in %13.1
Original Figma designs to implement - Finalized Figma design
Note: Adding buttons to the MR widget is out of scope for this issue.
- Background for this decision is that the security MR widget designs will be dramatically changing in the future, so changes there would be undone in the very near future.
Items to include in the fuzz test artifacts:
- Machine-readable file report with the fuzz test results (e.g. gl-fuzz-test.json)
- For each identified fault, a folder containing:
  - The input that caused the fault
  - The text logs from standard output/standard error
  - Application-specific log files (would need to have paths specified in the config)
  - The outputs from the fuzzing harness binaries
If it's possible to parse the fuzzing results into a table view or list view, that also would work.
- Note that we do not want to introduce a new data model analogous to Standalone Vulnerabilities as part of this issue.
Add usage ping data to indicate when a user has downloaded the fuzz test results.
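As an added illustration of the artifact layout proposed above (example code written for this page, not part of the GitLab issue or product), the script below builds a constructed fuzz artifact bundle, then parses it into the table/list view the proposal mentions. The directory layout, the field names inside gl-fuzz-test.json and the fault ids are all assumptions made for the example; the real report schema is not defined on this page.

```python
"""Parse a coverage-guided fuzzing artifact bundle into a table.

Assumed layout (an assumption for this example, not a format GitLab defines):

    <root>/gl-fuzz-test.json                   machine-readable report
    <root>/faults/<fault-id>/input             the input that caused the fault
    <root>/faults/<fault-id>/stdout.log        text log from standard output
    <root>/faults/<fault-id>/stderr.log        text log from standard error
    <root>/faults/<fault-id>/app-logs/*        application-specific log files
    <root>/faults/<fault-id>/harness-output/*  outputs from the harness binaries
"""
import json
import tempfile
from pathlib import Path

REPORT_NAME = "gl-fuzz-test.json"
# Files every fault folder is expected to carry under the assumed layout.
REQUIRED_FILES = ("input", "stdout.log", "stderr.log")


def build_sample_bundle(root: Path) -> Path:
    """Write a constructed two-fault bundle under `root` (sample data only)."""
    report = {
        "version": "0.1-example",  # hypothetical schema version
        "faults": [
            {"id": "fault-0001", "type": "crash", "harness": "parse_fuzzer"},
            {"id": "fault-0002", "type": "timeout", "harness": "parse_fuzzer"},
        ],
    }
    (root / REPORT_NAME).write_text(json.dumps(report))
    for fault in report["faults"]:
        fdir = root / "faults" / fault["id"]
        (fdir / "app-logs").mkdir(parents=True)
        (fdir / "harness-output").mkdir()
        payload = b"\x00AAAA" if fault["type"] == "crash" else b"{" * 64
        (fdir / "input").write_bytes(payload)
        (fdir / "stdout.log").write_text("running harness\n")
        (fdir / "app-logs" / "app.log").write_text("handler aborted\n")
    # Only the crash carries harness output; the timeout deliberately lacks a
    # stderr log so the parser's completeness check has something to report.
    crash = root / "faults" / "fault-0001"
    (crash / "stderr.log").write_text("")
    (crash / "harness-output" / "trace.txt").write_text("constructed trace\n")
    return root


def _count(directory: Path) -> int:
    return len([p for p in directory.iterdir() if p.is_file()]) if directory.is_dir() else 0


def summarize_bundle(root: Path) -> list:
    """One row per fault listed in the report, cross-checked against the folders."""
    report = json.loads((root / REPORT_NAME).read_text())
    rows = []
    for fault in report.get("faults", []):
        fdir = root / "faults" / fault["id"]
        input_path = fdir / "input"
        rows.append({
            "id": fault["id"],
            "type": fault.get("type", "unknown"),
            "harness": fault.get("harness", "unknown"),
            "input_bytes": input_path.stat().st_size if input_path.is_file() else 0,
            "app_logs": _count(fdir / "app-logs"),
            "harness_outputs": _count(fdir / "harness-output"),
            # Required files that are absent; an empty list means the folder is complete.
            "missing": [name for name in REQUIRED_FILES if not (fdir / name).is_file()],
        })
    return rows


def orphan_fault_dirs(root: Path) -> list:
    """Fault folders on disk that the report does not mention (a consistency check)."""
    report = json.loads((root / REPORT_NAME).read_text())
    listed = {f["id"] for f in report.get("faults", [])}
    faults_dir = root / "faults"
    if not faults_dir.is_dir():
        return []
    return sorted(p.name for p in faults_dir.iterdir() if p.is_dir() and p.name not in listed)


def render_table(rows: list) -> str:
    """Plain-text table view of the summary rows."""
    cols = ("id", "type", "harness", "input_bytes", "app_logs", "harness_outputs", "missing")
    cells = [[str(r[c]) for c in cols] for r in rows]
    widths = [max(len(c), *(len(row[i]) for row in cells)) for i, c in enumerate(cols)]
    fmt = "  ".join("{:<%d}" % w for w in widths)
    lines = [fmt.format(*cols), fmt.format(*("-" * w for w in widths))]
    lines += [fmt.format(*row) for row in cells]
    return "\n".join(lines)


def demo() -> list:
    """Build the sample bundle in a temporary directory and summarize it."""
    root = build_sample_bundle(Path(tempfile.mkdtemp()))
    rows = summarize_bundle(root)
    print(render_table(rows))
    print("orphan folders:", orphan_fault_dirs(root))
    return rows


if __name__ == "__main__":
    demo()
```

The "missing" column is the part worth keeping in a real implementation: the download button returns whatever the pipeline produced, and a report that names a fault whose input file is absent is a broken artifact rather than a clean result, so the consumer should flag it instead of silently rendering an empty row.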
Permissions and Security
Users are required to have the same permissions as viewing the Security Dashboard.
- This is because fuzz testing results could show security vulnerabilities that could be exploited by malicious users. We don't want to unintentionally publish security vulnerabilities by publicly showing the fuzzing results for a project.
What does success look like, and how can we measure that?
Users are able to successfully consume the results of fuzz testing.
- Measure this by adding usage ping to the screens & actions that a user would use to access fuzz results.
What is the type of buyer?
Is this a cross-stage feature?
Not likely. This may involve adding new content to the Pipeline view, which may require other groups, but can likely be added solely by ~"group::fuzz testing"
Links / references
The following page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.