suecodelabs / cnfuzz
Breaking Cloud Native Web APIs in their natural habitat.
License: Apache License 2.0
You can use https://github.com/pcktdmp/charts as an example.
Currently Jobs created by cnfuzz do not properly clean up old or previously created Jobs.
This becomes a problem when Jobs are being re-created, for example upon re-installation of cnfuzz.
While RESTler is fuzzing a web API, cnfuzz could monitor the service.
There is a lot of potential here. We could for example check on the health of the pod and collect its logs.
Currently cnfuzz schedules fuzzing jobs without the resourceLimits parameters.
Supporting resourceLimits gives the administrator control over how much compute capacity cnfuzz may claim.
Currently cnfuzz announces itself as healthy and ready as soon as the (simple) webserver has started and keeps being responsive.
This can be extended to also checking the backend APIs which cnfuzz is using, like redis.
Currently it's not clear how to use the 'secret' annotation.
{"level":"error","ts":1647542696.3169951,"caller":"job/launch.go:30","msg":"failed to create restler job: an empty namespace may not be set during creation"
Currently cnfuzz only supports running RESTler in the default fuzzing mode.
To make better use of the features provided by RESTler, we should support all of its fuzzing modes.
Create a workflow which deploys cnfuzz in Kubernetes and verifies that it has deployed successfully.
Tools like Kind can be used for this.
The devspace setup seems to be broken right now.
Clean up old build images via the following Github Action:
helm install cnfuzz cnfuzz/cnfuzz
returns an error: Error: INSTALLATION FAILED: failed post-install: timed out waiting for the condition
I want to know: whose condition is needed?
Currently cnfuzz schedules a fuzzing job without enforcing an unprivileged user.
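The following Job manifest is an added illustration, not code from the cnfuzz project, showing how the Job cleanup, resourceLimits and unprivileged-user issues above map onto plain Kubernetes fields; the Job name, namespace, image reference and the concrete limit values are placeholders chosen for the example.

```yaml
apiVersion: batch/v1
kind: Job
metadata:
  name: cnfuzz-example-job      # placeholder name
  namespace: example-ns         # placeholder; must be non-empty, see the "empty namespace" error above
  labels:
    app.kubernetes.io/managed-by: cnfuzz
spec:
  # Let the control plane garbage-collect the finished Job (and its Pods) after one hour,
  # so a re-install does not collide with a leftover Job ("jobs.batch ... already exists").
  ttlSecondsAfterFinished: 3600
  backoffLimit: 2
  template:
    spec:
      restartPolicy: Never
      # Pod-level defaults: refuse to run as root and use the runtime's default seccomp profile.
      securityContext:
        runAsNonRoot: true
        runAsUser: 65534          # placeholder unprivileged UID ("nobody" on most images)
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: restler
          image: example.invalid/restler:placeholder   # placeholder image reference
          # Requests and limits bound the compute capacity a single fuzzing run may claim.
          resources:
            requests:
              cpu: "500m"
              memory: "512Mi"
            limits:
              cpu: "2"
              memory: "2Gi"
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
```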
My project is a Spring Boot project.
1. cnfuzz/enable: "true" Set to use cnfuzz identification
2. cnfuzz/open-api-doc: "/swagger/swagger.json" I need to prepare the swagger document under the target project container directory
3. cnfuzz/secret: "0d5989ed-d60c-470e-b1b5-576fcf0f5d8c" I don't understand the meaning of this secret. Is it the key of the cnfuzz service or the key of the target project?
Switch from Viper/Cobra to the flag package of Golang and also support subcommands, like setting a mode for CNFuzz.
Currently cnfuzz does not support persistent caching of container images it already has fuzzed.
Implement a cache which introduces this feature, preferably via redis.
Add Prometheus support.
There are instructions in the Prometheus documentation here.
After RESTler has finished fuzzing, the controller should be made aware of failure, success and the location of the stored results.
Currently cnfuzz heavily relies on its configuration being passed as command line arguments.
Since cnfuzz is specifically meant to be deployed in Kubernetes, switching to Kubernetes ConfigMaps will reduce the complexity of the Helm Chart or any other Kubernetes deployment management tooling.
After RESTler has finished fuzzing a web API, the fuzzing results should be stored for further analysis.
According to the release notes this update is compatible with Go 1.17, and upgrading should be trivial.
Currently cnfuzz only supports trying one authentication mechanism and then fails.
To be more forgiving, and also in line with fuzzing behaviour, do retries and fall back to other (available) authentication mechanisms.
{"level":"info","ts":1647336674.4652436,"caller":"kubernetes/event_handler.go:106","msg":"start fuzzing of todo-api-64c68bdf9b-ph5ff"}
{"level":"error","ts":1647336674.6302495,"caller":"kubernetes/event_handler.go:112","msg":"error while starting new fuzzing job: jobs.batch \"cnfuzz-todo-api-64c68bdf9b-ph5ff\" already exists","stacktrace":"github.com/suecodelabs/cnfuzz/src/kubernetes.HandlePodEvent\n\t/fuzzer/src/kubernetes/event_handler.go:112\ngithub.com/suecodelabs/cnfuzz/src/kubernetes.EventHandler.OnAdd\n\t/fuzzer/src/kubernetes/event_handler.go:37\nk8s.io/client-go/tools/cache.(*processorListener).run.func1\n\t/go/pkg/mod/k8s.io/[email protected]/tools/cache/shared_informer.go:787\nk8s.io/apimachinery/pkg/util/wait.BackoffUntil.func1\n\t/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:155\nk8s.io/apimachinery/pkg/util/wait.BackoffUntil\n\t/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:156\nk8s.io/apimachinery/pkg/util/wait.JitterUntil\n\t/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:133\nk8s.io/apimachinery/pkg/util/wait.Until\n\t/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:90\nk8s.io/client-go/tools/cache.(*processorListener).run\n\t/go/pkg/mod/k8s.io/[email protected]/tools/cache/shared_informer.go:781\nk8s.io/apimachinery/pkg/util/wait.(*Group).Start.func1\n\t/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:73"}
As an alternative to the default filesystem-based storage capability.