suecodelabs / cnfuzz Goto Github PK

You can use https://github.com/pcktdmp/charts as an example

Currently Jobs created by cnfuzz do not properly cleanup old or previously created Jobs.
This becomes a problem when Jobs are being re-created, for example upon re-installation of cnfuzz.

While RESTler is fuzzing a web API, cnfuzz could monitor the service.
There is a lot of potential here. We could for example check on the health of the pod and collect its logs.

Currently cnfuzz schedules fuzzing jobs without the resourceLimits parameters.
Supporting resourceLimits gives the administrator control over what amount of compute capacity cnfuzz may claim.

Currently cnfuzz announces itself as healthy and ready as soon as the (simple) webserver has started and keeps being responsive.
This can be extended towards calling backend APIs which cnfuzz is using, like redis.

Currently it's not clear how to use 'secret' annotation

{"level":"error","ts":1647542696.3169951,"caller":"job/launch.go:30","msg":"failed to create restler job: an empty namespace may not be set during creation"

Currently cnfuzz only supports running RESTler in the default fuzzing mode.
For better utilization of features provided by RESTler we should support all fuzzing modes.

https://github.com/microsoft/restler-fuzzer#using-restler

Create a workflow which deploys cnfuzz in Kubernetes and verify that it has deployed successfully.
Tools like Kind can be used for this.

The devspace setup seems to be broken right now.

Cleanup old build images via the following Github Action:

https://github.com/snok/container-retention-policy

helm install cnfuzz cnfuzz/cnfuzz

return an error :Error: INSTALLATION FAILED: failed post-install: timed out waiting for the condition

iwant to know :need whose condition

Spring boot based project+knife4j has no off the shelf offline documents of swagger. json, only online documents, similar to this format. Yes No

Currently cnfuzz schedules a fuzzing job without enforcing an unprivileged user.

My project is the spring boot project

1、cnfuzz/enable: "true" Set to use cnfuzzy identification
2、cnfuzz/open-api-doc: "/swagger/swagger.json" I need to prepare the swagger document under the target project container directory
3、cnfuzz/secret: "0d5989ed-d60c-470e-b1b5-576fcf0f5d8c" I don't understand the meaning of this secret. Whether the key of cnfuzzy service or the key of target project

Switch from Viper/Cobra to flag package of Golang and also support subcommands like setting a mode for CNFuzz.

I prepared the demo project and swagger document under the container, but it was not fuzzy tested. Cnfuzzy reports an error as follows

Currently cnfuzz does not support persistent caching of container images it already has fuzzed.
Implement a cache which introduces this feature, preferably via redis.

Add Prometheus support.
There are instructions in the Prometheus documentation here.

After RESTler has finished fuzzing the controller should be made aware of failure, succes and the location of the stored results.

Currently cnfuzz heavily relies on its configuration being passed as command line arguments.

Since cnfuzz is specifically meant for being deployed in Kubernetes switching to Kubernetes ConfigMaps will reduce Helm Chart complexity or any other Kubernetes deployment management tooling.

After RESTler has finished fuzzing a web API the fuzzing results should be stored for further analysis.

According to the release notes this update is compatible with Go 1.17. And upgrading should be trivial.

Currently cnfuzz only support trying one authentication mechanism and then fails.
To be more forgiving and also be in line with fuzzing behaviour do retries and fallback to other (available) authentication mechanisms.

As an alternative to the default filesystem based storage capability.