馃帹 Design-Fuzz-Corpus management interface
Problem to solve
Fuzz testing jobs will produce corpus objects as outputs from each run. They also will generally start with a corpus object to save time when fuzzing and to re-use results from past runs. This is helpful for users but this also means users have to find some way to manage these corpus objects.
Intended users
User experience goal(Breaddown task)
(Note: all task, need to later specify which one is MVC)
(Help developer reproduce, debug, and fix bugs)
Discoverability:
- As a software developer(or security analyst) debugging a fuzz testing fault, I need to know that I am able to manage the corpus
Manage functionality:
- As a software developer(or security analyst) debugging a fuzz testing fault, I need to be able to download the corpus objects that the most recent job produced.
- As a software developer(or security analyst) debugging a fuzz testing fault, I need to be able to download a corpus object that an older job produced.
- As a software developer(or security analyst) debugging a fuzz testing fault, I need to be able to delete a corpus object that I consider as useless
- As a software developer(or security analyst) debugging a fuzz testing fault, I need to be able to add the corpus objects to use
Rule setting functionality:
- As a software developer(or security analyst) debugging a fuzz testing fault, I need to set up clean up policies
- As a software developer(or security analyst) debugging a fuzz testing fault, I need to set up Corpus policies
- As a software developer(or security analyst) debugging a fuzz testing fault, I need to know how much spaces the corpus taking
(The main purpose is to help configure & customize)
- As a software developer(or security analyst) integrating fuzz testing into my pipeline, I need to be able to specify where the corpus inputs are coming from and manage it
- As a software developer(or security analyst) integrating fuzz testing into my pipeline, I need to be able to specify a location to save my job's corpus objects.
Proposal
Provide users a way to manage corpus objects that fuzz testing jobs produce.
- Build something similar to what we do today with Package & Container Registries. The rest of this issue will use "Corpus Registry" as a working name, but another name can be chosen.
Allow users to specify to use the GitLab corpus registry as part of their CI jobs (this is an example and could be tweaked):
my_fuzz_job:
- use_corpus_registry: true // otherwise, require to specify corpus_directory. Default to true
- corpus_object_id: my_corpus_object // specify the corpus name to use. Would be the value set on the corpus management screen
- Fail the job if the corpus isn't available Open question for discussion: Is this the right approach?
Allow users to manage the Corpus Registry:
- Allow downloading of corpus objects
- Allow objects of corpus objects to be created programmatically as part of running a fuzz testing job
- Allow corpus objects to be deleted from the registry
Not in scope
- Being able to manually upload corpus objects.
- This will be done as a separate issue since it is a different workflow and use case.
Design:
Figma: https://www.figma.com/file/eSIeuIPKFwEDs4X9ky2O5E/Corpus-Registry?node-id=432%3A2262
Breakdown:
- the MVC issue: #235484 (closed)
Also, several Post-MVC issues are created, preferably discussed 1 milestone before, maybe design needs to be updated or issue needs to separate and combined.
- Post MVC: Add clean-up policy issue: #268003
- Post MVC: Add more info and detail to each corpus issue: #268004 (closed)
- Post MVC: Add sort feature issue: #268011
Last: a solution validation issue is created to validate the all features includes both MVC and post MVC, maybe the user will give us an idea for new features ideas.
- Solution validations issue: https://gitlab.com/gitlab-org/ux-research/-/issues/1135