Change coverage fuzzing prefix to COVFUZZ

73f82a89 · Yevgeny Pats · Imre Farkas · acaf79ee · 73f82a89 · 73f82a89
Commit 73f82a89 authored Aug 12, 2020 by Yevgeny Pats Committed by Imre Farkas Aug 12, 2020
3 changed files
--- a/doc/user/application_security/coverage_fuzzing/index.md
+++ b/doc/user/application_security/coverage_fuzzing/index.md
@@ -92,7 +92,7 @@ There are two types of jobs:

 Here's our current suggestion for configuring your fuzz target's timeout:

- Set `COVERAGE_FUZZING_BRANCH` to the branch where you want to run long-running (async) fuzzing
+- Set `COVFUZZ_BRANCH` to the branch where you want to run long-running (async) fuzzing
  jobs. This is `master` by default.
 - Use regression or short-running fuzzing jobs for other branches or merge requests.

@@ -107,10 +107,11 @@ any option available in the underlying fuzzing engine.

 | Environment variable      | Description                                                        |
 |---------------------------|--------------------------------------------------------------------|
-| `COVERAGE_FUZZING_BRANCH` | The branch for long-running fuzzing jobs. The default is `master`. |
-| `CI_SEED_CORPUS`          | Path to a seed corpus directory. The default is empty.             |
+| `COVFUZZ_BRANCH`          | The branch for long-running fuzzing jobs. The default is `master`. |
+| `COVFUZZ_SEED_CORPUS`     | Path to a seed corpus directory. The default is empty.             |
+| `COVFUZZ_URL_PREFIX`      | Path to the `gitlab-cov-fuzz` repository cloned for use with an offline environment. You should only change this when using an offline environment. The default value is `https://gitlab.com/gitlab-org/security-products/analyzers/gitlab-cov-fuzz/-/raw`.  |

-The files in the seed corpus (`CI_SEED_CORPUS`), if provided, aren't updated unless you commit new
+The files in the seed corpus (`COVFUZZ_SEED_CORPUS`), if provided, aren't updated unless you commit new
 files to your Git repository. There's usually no need to frequently update the seed corpus. As part
 of the GitLab artifacts system, GitLab saves in a corpus directory the new test cases that every run
 generates. In any subsequent runs, GitLab also reuses the generated corpus together with the seed

--- a/ee/changelogs/unreleased/covfuzz_prefix_change.yml
+++ b/ee/changelogs/unreleased/covfuzz_prefix_change.yml
+---
+title: Change prefix to COVFUZZ for CI variables related to coverage fuzzing
+merge_request: 38441
+author:
+type: changed
--- a/lib/gitlab/ci/templates/Security/Coverage-Fuzzing.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Security/Coverage-Fuzzing.gitlab-ci.yml
@@ -3,22 +3,26 @@
 variables:
  # Which branch we want to run full fledged long running fuzzing jobs.
  # All others will run fuzzing regression
-  COVERAGE_FUZZING_BRANCH: "$CI_DEFAULT_BRANCH"
-  # This is using semantic version and will always download latest v1 gitlab-cov-fuzz release
-  COVERAGE_FUZZING_VERSION: v1
+  COVFUZZ_BRANCH: "$CI_DEFAULT_BRANCH"
+  # This is using semantic version and will always download latest v2 gitlab-cov-fuzz release
+  COVFUZZ_VERSION: v2
  # This is for users who have an offline environment and will have to replicate gitlab-cov-fuzz release binaries
  # to their own servers
-  COVERAGE_FUZZING_URL_PREFIX: "https://gitlab.com/gitlab-org/security-products/analyzers/gitlab-cov-fuzz/-/raw"
+  COVFUZZ_URL_PREFIX: "https://gitlab.com/gitlab-org/security-products/analyzers/gitlab-cov-fuzz/-/raw"
+

 .fuzz_base:
  stage: fuzz
  allow_failure: true
  before_script:
+    - export COVFUZZ_JOB_TOKEN=$CI_JOB_TOKEN
+    - export COVFUZZ_PRIVATE_TOKEN=$CI_PRIVATE_TOKEN
+    - export COVFUZZ_PROJECT_ID=$CI_PROJECT_ID
    - if [ -x "$(command -v apt-get)" ] ; then apt-get update && apt-get install -y wget; fi
-    - wget -O gitlab-cov-fuzz "${COVERAGE_FUZZING_URL_PREFIX}"/"${COVERAGE_FUZZING_VERSION}"/binaries/gitlab-cov-fuzz_Linux_x86_64
+    - wget -O gitlab-cov-fuzz "${COVFUZZ_URL_PREFIX}"/"${COVFUZZ_VERSION}"/binaries/gitlab-cov-fuzz_Linux_x86_64
    - chmod a+x gitlab-cov-fuzz
    - export REGRESSION=true
-    - if [[ $CI_COMMIT_BRANCH = $COVERAGE_FUZZING_BRANCH ]]; then REGRESSION=false; fi;
+    - if [[ $CI_COMMIT_BRANCH = $COVFUZZ_BRANCH ]]; then REGRESSION=false; fi;
  artifacts:
    paths:
      - corpus
@@ -28,7 +32,7 @@ variables:
      coverage_fuzzing: gl-coverage-fuzzing-report.json
    when: always
  rules:
-    - if: $COVERAGE_FUZZING_DISABLED
+    - if: $COVFUZZ_DISABLED
      when: never
    - if: $GITLAB_FEATURES =~ /\bcoverage_fuzzing\b/
    - if: $CI_RUNNER_EXECUTABLE_ARCH == "linux"