Merge branch 'isc-projects:master' into master

Author: tuxj

.clusterfuzzlite/Dockerfile

@@ -0,0 +1,6 @@
+FROM registry.gitlab.isc.org/isc-projects/kea:fuzz-latest
+
+# Copy repo and link build.sh so that it runs from a location relative to the Kea repo.
+WORKDIR "${SRC}"
+COPY . "${SRC}/kea"
+RUN ln -s "${SRC}/kea/.clusterfuzzlite/build.sh" "${SRC}/build.sh"

.clusterfuzzlite/build.sh

@@ -0,0 +1,57 @@
+#!/bin/bash -eu
+
+# https://reports.kea.isc.org/new-fuzzer.html
+
+script_path="$(dirname "$(readlink -f "${0}")")"
+cd "${script_path}/.."
+
+# Use a wrapper function to allow "return 1" instead of "exit 1" which may have
+# unforeseen consequences in case this script is sourced.
+install_kea() {
+  # ccache
+  export CCACHE_DIR=/cache
+  export PATH="/usr/lib/ccache:$PATH"
+  export KEA_BUILD_DIR="${KEA_BUILD_DIR-/builds/isc-projects/kea}"
+
+  cxxflags=
+  autoreconf -i
+  if test "${SANITIZER}" = 'none'; then
+    cxxflags="${cxxflags} -fno-sanitize=all"
+    enable_fuzzing='--enable-fuzzing'
+  else
+    cxxflags="${cxxflags} -fsanitize=${SANITIZER}"
+    enable_fuzzing='--enable-fuzzing=ci'
+  fi
+  export CXXFLAGS="${cxxflags}"
+  export LDFLAGS='-L/usr/lib/gcc/x86_64-linux-gnu/9 -lstdc++fs'
+  if ! ./configure --enable-boost-headers-only --prefix='/opt/kea' "${enable_fuzzing}" --with-gtest=/usr/src/googletest/googletest; then
+    printf './configure failed. Here is config.log:\n'
+    cat config.log
+    return 1
+  fi
+  make -j "$(nproc)"
+  make install
+
+  # Copy internal libraries.
+  # SC2156 (warning): Injecting filenames is fragile and insecure. Use parameters.
+  # shellcheck disable=SC2156
+  find "/opt/kea/lib" -mindepth 1 -maxdepth 1 -not -type d -exec sh -c "cp {} ${KEA_BUILD_DIR}" ';'
+
+  # Copy the binaries.
+  for fuzzer in fuzz_config_kea_dhcp4 fuzz_http_endpoint_kea_dhcp4 fuzz_packets_kea_dhcp4 fuzz_unix_socket_kea_dhcp4 \
+                fuzz_config_kea_dhcp6 fuzz_http_endpoint_kea_dhcp6 fuzz_packets_kea_dhcp6 fuzz_unix_socket_kea_dhcp6 \
+      ; do
+    cp "/opt/kea/sbin/${fuzzer}" "${OUT}/${fuzzer}"
+    # copy all required libraries
+    echo "ldd ${OUT}/${fuzzer}: "
+    ldd "${OUT}/${fuzzer}"
+    EXTENDED_PATH=$(readelf -d "${OUT}/${fuzzer}" | grep 'R.*PATH' | cut -d '[' -f 2 | cut -d ']' -f 1)
+    patchelf --set-rpath "/usr/lib/x86_64-linux-gnu:/lib/x86_64-linux-gnu:${EXTENDED_PATH}" "${OUT}/${fuzzer}"
+    readelf -d "${OUT}/${fuzzer}" | grep 'R.*PATH' || true
+    for i in $(ldd "${OUT}/${fuzzer}" | cut -f 2 | cut -d ' ' -f 3); do
+      cp "${i}" "${KEA_BUILD_DIR}"
+    done
+  done
+}
+
+install_kea

.clusterfuzzlite/project.yaml

@@ -0,0 +1 @@
+language: c++

.clusterfuzzlite/run-locally.sh

@@ -0,0 +1,36 @@
+#!/bin/sh
+
+# Change to parent directory, so that the script can be called from anywhere.
+parent_path=$(cd "$(dirname "${0}")" && pwd)
+cd "${parent_path}" || exit 1
+
+mkdir -p build/out
+mkdir -p build/work
+
+cd .. || exit 2
+
+docker build -t kea-fuzzing -f .clusterfuzzlite/Dockerfile .
+
+docker_run() {
+  docker run \
+    --interactive \
+    --privileged \
+    --platform linux/amd64 \
+    --rm \
+    --shm-size=2g \
+    -e ARCHITECTURE=x86_64 \
+    -e CIFUZZ=true \
+    -e FUZZING_ARGS='-rss_limit_mb=8192' \
+    -e FUZZING_ENGINE=libfuzzer \
+    -e FUZZING_LANGUAGE=c++ \
+    -e KEA_BUILD_DIR=/src \
+    -e SANITIZER=address \
+    -v "${parent_path}/build/out:/out" \
+    -v "${parent_path}/build/work:/work" \
+    kea-fuzzing \
+    "${@}"
+}
+
+docker_run
+
+docker_run compile

.github/workflows/codeql.yml

@@ -2,10 +2,10 @@ name: "CodeQL"
 
 on:
   push:
-    branches: [ "master", "ci" ]
+    branches: [ "master", "ci", "v*_*" ]
   pull_request:
     # The branches below must be a subset of the branches above
-    branches: [ "master", "ci" ]
+    branches: [ "master", "ci", "v*_*" ]
   schedule:
     - cron: '41 12 * * 0'
 
@@ -25,51 +25,23 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
 
-    # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@v3
       with:
         languages: ${{ matrix.language }}
-        # If you wish to specify custom queries, you can do so here or in a config file.
-        # By default, queries listed here will override any specified in a config file.
-        # Prefix the list here with "+" to use these queries and those in the config file.
 
-        # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
-        # queries: security-extended,security-and-quality
-
-
-    # Autobuild attempts to build any compiled languages  (C/C++, C#, Go, or Java).
-    # If this step fails, then you should remove it and run the build manually (see below)
     - name: Install dependencies
       run: |
-        ./hammer.py prepare-system -p local -w docs,netconf,perfdhcp,shell,tls,unittest
-
-    - name: Inspect system CPU
-      run: cat /proc/cpuinfo
-
-    # We want to enable shell, so python files are generated. And CodeQL can
-    # check them.
+        ./hammer.py prepare-system -p local -w all
 
-    # Flags skipped: --with-gssapi --with-freeradius
     - name: Build Kea
       run: |
-        autoreconf -i
-        ./configure --enable-shell --enable-debug --enable-generate-docs --enable-generate-messages --enable-generate-parser --enable-logger-checks --enable-perfdhcp --enable-shell --with-libyang --with-libyang-cpp --with-openssl --with-sysrepo --with-sysrepo-cpp
-        make -j2
-
-    # ℹ️ Command-line programs to run using the OS shell.
-    # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
-
-    #   If the Autobuild fails above, remove it and uncomment the following three lines.
-    #   modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
-
-    # - run: |
-    #     echo "Run, Build Application using script"
-    #     ./location_of_script_within_repo/buildscript.sh
+        meson setup build --auto-features enabled -D fuzz=enabled -D tests=enabled -D cpp_std=c++20
+        meson compile -C build
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@v3
       with:
         category: "/language:${{matrix.language}}"

.gitignore

@@ -46,3 +46,5 @@ config.h.in~
 /logger_lockfile
 /report.info
 /hammer
+
+/build