Files
fuzzforge_ai/sdk/src/fuzzforge_sdk/testing.py
T
tduhamel42 ec812461d6 CI/CD Integration with Ephemeral Deployment Model (#14)
* feat: Complete migration from Prefect to Temporal

BREAKING CHANGE: Replaces Prefect workflow orchestration with Temporal

## Major Changes
- Replace Prefect with Temporal for workflow orchestration
- Implement vertical worker architecture (rust, android)
- Replace Docker registry with MinIO for unified storage
- Refactor activities to be co-located with workflows
- Update all API endpoints for Temporal compatibility

## Infrastructure
- New: docker-compose.temporal.yaml (Temporal + MinIO + workers)
- New: workers/ directory with rust and android vertical workers
- New: backend/src/temporal/ (manager, discovery)
- New: backend/src/storage/ (S3-cached storage with MinIO)
- New: backend/toolbox/common/ (shared storage activities)
- Deleted: docker-compose.yaml (old Prefect setup)
- Deleted: backend/src/core/prefect_manager.py
- Deleted: backend/src/services/prefect_stats_monitor.py
- Deleted: Docker registry and insecure-registries requirement

## Workflows
- Migrated: security_assessment workflow to Temporal
- New: rust_test workflow (example/test workflow)
- Deleted: secret_detection_scan (Prefect-based, to be reimplemented)
- Activities now co-located with workflows for independent testing

## API Changes
- Updated: backend/src/api/workflows.py (Temporal submission)
- Updated: backend/src/api/runs.py (Temporal status/results)
- Updated: backend/src/main.py (727 lines, TemporalManager integration)
- Updated: All 16 MCP tools to use TemporalManager

## Testing
-  All services healthy (Temporal, PostgreSQL, MinIO, workers, backend)
-  All API endpoints functional
-  End-to-end workflow test passed (72 findings from vulnerable_app)
-  MinIO storage integration working (target upload/download, results)
-  Worker activity discovery working (6 activities registered)
-  Tarball extraction working
-  SARIF report generation working

## Documentation
- ARCHITECTURE.md: Complete Temporal architecture documentation
- QUICKSTART_TEMPORAL.md: Getting started guide
- MIGRATION_DECISION.md: Why we chose Temporal over Prefect
- IMPLEMENTATION_STATUS.md: Migration progress tracking
- workers/README.md: Worker development guide

## Dependencies
- Added: temporalio>=1.6.0
- Added: boto3>=1.34.0 (MinIO S3 client)
- Removed: prefect>=3.4.18

* feat: Add Python fuzzing vertical with Atheris integration

This commit implements a complete Python fuzzing workflow using Atheris:

## Python Worker (workers/python/)
- Dockerfile with Python 3.11, Atheris, and build tools
- Generic worker.py for dynamic workflow discovery
- requirements.txt with temporalio, boto3, atheris dependencies
- Added to docker-compose.temporal.yaml with dedicated cache volume

## AtherisFuzzer Module (backend/toolbox/modules/fuzzer/)
- Reusable module extending BaseModule
- Auto-discovers fuzz targets (fuzz_*.py, *_fuzz.py, fuzz_target.py)
- Recursive search to find targets in nested directories
- Dynamically loads TestOneInput() function
- Configurable max_iterations and timeout
- Real-time stats callback support for live monitoring
- Returns findings as ModuleFinding objects

## Atheris Fuzzing Workflow (backend/toolbox/workflows/atheris_fuzzing/)
- Temporal workflow for orchestrating fuzzing
- Downloads user code from MinIO
- Executes AtherisFuzzer module
- Uploads results to MinIO
- Cleans up cache after execution
- metadata.yaml with vertical: python for routing

## Test Project (test_projects/python_fuzz_waterfall/)
- Demonstrates stateful waterfall vulnerability
- main.py with check_secret() that leaks progress
- fuzz_target.py with Atheris TestOneInput() harness
- Complete README with usage instructions

## Backend Fixes
- Fixed parameter merging in REST API endpoints (workflows.py)
- Changed workflow parameter passing from positional args to kwargs (manager.py)
- Default parameters now properly merged with user parameters

## Testing
 Worker discovered AtherisFuzzingWorkflow
 Workflow executed end-to-end successfully
 Fuzz target auto-discovered in nested directories
 Atheris ran 100,000 iterations
 Results uploaded and cache cleaned

* chore: Complete Temporal migration with updated CLI/SDK/docs

This commit includes all remaining Temporal migration changes:

## CLI Updates (cli/)
- Updated workflow execution commands for Temporal
- Enhanced error handling and exceptions
- Updated dependencies in uv.lock

## SDK Updates (sdk/)
- Client methods updated for Temporal workflows
- Updated models for new workflow execution
- Updated dependencies in uv.lock

## Documentation Updates (docs/)
- Architecture documentation for Temporal
- Workflow concept documentation
- Resource management documentation (new)
- Debugging guide (new)
- Updated tutorials and how-to guides
- Troubleshooting updates

## README Updates
- Main README with Temporal instructions
- Backend README
- CLI README
- SDK README

## Other
- Updated IMPLEMENTATION_STATUS.md
- Removed old vulnerable_app.tar.gz

These changes complete the Temporal migration and ensure the
CLI/SDK work correctly with the new backend.

* fix: Use positional args instead of kwargs for Temporal workflows

The Temporal Python SDK's start_workflow() method doesn't accept
a 'kwargs' parameter. Workflows must receive parameters as positional
arguments via the 'args' parameter.

Changed from:
  args=workflow_args  # Positional arguments

This fixes the error:
  TypeError: Client.start_workflow() got an unexpected keyword argument 'kwargs'

Workflows now correctly receive parameters in order:
- security_assessment: [target_id, scanner_config, analyzer_config, reporter_config]
- atheris_fuzzing: [target_id, target_file, max_iterations, timeout_seconds]
- rust_test: [target_id, test_message]

* fix: Filter metadata-only parameters from workflow arguments

SecurityAssessmentWorkflow was receiving 7 arguments instead of 2-5.
The issue was that target_path and volume_mode from default_parameters
were being passed to the workflow, when they should only be used by
the system for configuration.

Now filters out metadata-only parameters (target_path, volume_mode)
before passing arguments to workflow execution.

* refactor: Remove Prefect leftovers and volume mounting legacy

Complete cleanup of Prefect migration artifacts:

Backend:
- Delete registry.py and workflow_discovery.py (Prefect-specific files)
- Remove Docker validation from setup.py (no longer needed)
- Remove ResourceLimits and VolumeMount models
- Remove target_path and volume_mode from WorkflowSubmission
- Remove supported_volume_modes from API and discovery
- Clean up metadata.yaml files (remove volume/path fields)
- Simplify parameter filtering in manager.py

SDK:
- Remove volume_mode parameter from client methods
- Remove ResourceLimits and VolumeMount models
- Remove Prefect error patterns from docker_logs.py
- Clean up WorkflowSubmission and WorkflowMetadata models

CLI:
- Remove Volume Modes display from workflow info

All removed features are Prefect-specific or Docker volume mounting
artifacts. Temporal workflows use MinIO storage exclusively.

* feat: Add comprehensive test suite and benchmark infrastructure

- Add 68 unit tests for fuzzer, scanner, and analyzer modules
- Implement pytest-based test infrastructure with fixtures
- Add 6 performance benchmarks with category-specific thresholds
- Configure GitHub Actions for automated testing and benchmarking
- Add test and benchmark documentation

Test coverage:
- AtherisFuzzer: 8 tests
- CargoFuzzer: 14 tests
- FileScanner: 22 tests
- SecurityAnalyzer: 24 tests

All tests passing (68/68)
All benchmarks passing (6/6)

* fix: Resolve all ruff linting violations across codebase

Fixed 27 ruff violations in 12 files:
- Removed unused imports (Depends, Dict, Any, Optional, etc.)
- Fixed undefined workflow_info variable in workflows.py
- Removed dead code with undefined variables in atheris_fuzzer.py
- Changed f-string to regular string where no placeholders used

All files now pass ruff checks for CI/CD compliance.

* fix: Configure CI for unit tests only

- Renamed docker-compose.temporal.yaml → docker-compose.yml for CI compatibility
- Commented out integration-tests job (no integration tests yet)
- Updated test-summary to only depend on lint and unit-tests

CI will now run successfully with 68 unit tests. Integration tests can be added later.

* feat: Add CI/CD integration with ephemeral deployment model

Implements comprehensive CI/CD support for FuzzForge with on-demand worker management:

**Worker Management (v0.7.0)**
- Add WorkerManager for automatic worker lifecycle control
- Auto-start workers from stopped state when workflows execute
- Auto-stop workers after workflow completion
- Health checks and startup timeout handling (90s default)

**CI/CD Features**
- `--fail-on` flag: Fail builds based on SARIF severity levels (error/warning/note/info)
- `--export-sarif` flag: Export findings in SARIF 2.1.0 format
- `--auto-start`/`--auto-stop` flags: Control worker lifecycle
- Exit code propagation: Returns 1 on blocking findings, 0 on success

**Exit Code Fix**
- Add `except typer.Exit: raise` handlers at 3 critical locations
- Move worker cleanup to finally block for guaranteed execution
- Exit codes now propagate correctly even when build fails

**CI Scripts & Examples**
- ci-start.sh: Start FuzzForge services with health checks
- ci-stop.sh: Clean shutdown with volume preservation option
- GitHub Actions workflow example (security-scan.yml)
- GitLab CI pipeline example (.gitlab-ci.example.yml)
- docker-compose.ci.yml: CI-optimized compose file with profiles

**OSS-Fuzz Integration**
- New ossfuzz_campaign workflow for running OSS-Fuzz projects
- OSS-Fuzz worker with Docker-in-Docker support
- Configurable campaign duration and project selection

**Documentation**
- Comprehensive CI/CD integration guide (docs/how-to/cicd-integration.md)
- Updated architecture docs with worker lifecycle details
- Updated workspace isolation documentation
- CLI README with worker management examples

**SDK Enhancements**
- Add get_workflow_worker_info() endpoint
- Worker vertical metadata in workflow responses

**Testing**
- All workflows tested: security_assessment, atheris_fuzzing, secret_detection, cargo_fuzzing
- All monitoring commands tested: stats, crashes, status, finding
- Full CI pipeline simulation verified
- Exit codes verified for success/failure scenarios

Ephemeral CI/CD model: ~3-4GB RAM, ~60-90s startup, runs entirely in CI containers.

* fix: Resolve ruff linting violations in CI/CD code

- Remove unused variables (run_id, defaults, result)
- Remove unused imports
- Fix f-string without placeholders

All CI/CD integration files now pass ruff checks.
2025-10-14 10:13:45 +02:00

414 lines
14 KiB
Python

"""
Automated testing utilities for FuzzForge workflows.
This module provides high-level testing capabilities for validating
workflow functionality, performance, and expected results.
"""
# Copyright (c) 2025 FuzzingLabs
#
# Licensed under the Business Source License 1.1 (BSL). See the LICENSE file
# at the root of this repository for details.
#
# After the Change Date (four years from publication), this version of the
# Licensed Work will be made available under the Apache License, Version 2.0.
# See the LICENSE-APACHE file or http://www.apache.org/licenses/LICENSE-2.0
#
# Additional attribution and requirements are provided in the NOTICE file.
import time
from pathlib import Path
from typing import Dict, Any, List, Optional
from dataclasses import dataclass
from datetime import datetime
import logging
from .client import FuzzForgeClient
from .utils import validate_absolute_path, create_workflow_submission
from .exceptions import ValidationError
logger = logging.getLogger(__name__)
@dataclass
class TestResult:
"""Result of a single workflow test."""
workflow_name: str
test_project_path: str
passed: bool
run_id: Optional[str] = None
findings_count: int = 0
execution_time: float = 0.0
error: Optional[str] = None
expected_min_findings: int = 0
details: Dict[str, Any] = None
def __post_init__(self):
if self.details is None:
self.details = {}
@dataclass
class TestSummary:
"""Summary of multiple workflow tests."""
total: int
passed: int
failed: int
tests: List[TestResult]
start_time: datetime
end_time: Optional[datetime] = None
total_duration: float = 0.0
@property
def failed_tests(self) -> List[TestResult]:
"""Get list of failed tests."""
return [test for test in self.tests if not test.passed]
@property
def success_rate(self) -> float:
"""Get success rate as percentage."""
if self.total == 0:
return 0.0
return (self.passed / self.total) * 100
# Default test configurations for each workflow
DEFAULT_TEST_CONFIG = {
"static_analysis_scan": {
"test_project": "static_analysis_vulnerable",
"expected_min_findings": 3, # Expect at least 3 findings
"timeout": 300, # 5 minutes
"description": "Tests OpenGrep and Bandit static analysis tools"
},
"secret_detection_scan": {
"test_project": "secret_detection_vulnerable",
"expected_min_findings": 5, # Expect at least 5 secrets
"timeout": 180, # 3 minutes
"description": "Tests TruffleHog and Gitleaks secret detection"
},
"infrastructure_scan": {
"test_project": "infrastructure_vulnerable",
"expected_min_findings": 8, # Expect at least 8 IaC issues
"timeout": 240, # 4 minutes
"description": "Tests Checkov, Hadolint, and other IaC security tools"
},
"penetration_testing_scan": {
"test_project": "penetration_testing_vulnerable",
"expected_min_findings": 4, # Expect at least 4 vulnerabilities
"timeout": 420, # 7 minutes (needs time to start services)
"description": "Tests Nuclei penetration testing tools"
},
"security_assessment": {
"test_project": "security_assessment_comprehensive",
"expected_min_findings": 10, # Expect at least 10 mixed findings
"timeout": 600, # 10 minutes (comprehensive scan)
"description": "Comprehensive security assessment across all categories"
}
}
class WorkflowTester:
"""
High-level testing utilities for FuzzForge workflows.
This class provides methods to easily test individual workflows or
run comprehensive test suites against all available workflows.
"""
def __init__(self, client: FuzzForgeClient, test_projects_base_path: Optional[str] = None):
"""
Initialize the workflow tester.
Args:
client: FuzzForge client instance
test_projects_base_path: Base path to test projects directory
"""
self.client = client
self.test_projects_base_path = test_projects_base_path
if not test_projects_base_path:
# Try to auto-detect test projects path
current_dir = Path.cwd()
candidates = [
current_dir / "test_projects",
current_dir.parent / "test_projects",
current_dir / ".." / "test_projects",
Path("/app/test_projects"), # Inside Docker container (last resort)
]
for candidate in candidates:
if candidate.exists() and candidate.is_dir():
self.test_projects_base_path = str(candidate.resolve())
logger.info(f"Auto-detected test projects at: {self.test_projects_base_path}")
break
if not self.test_projects_base_path:
logger.warning("Could not auto-detect test projects path. Please specify explicitly.")
self.test_projects_base_path = str(current_dir / "test_projects")
def test_workflow(
self,
workflow_name: str,
test_project_path: Optional[str] = None,
expected_min_findings: Optional[int] = None,
timeout: int = 300,
**workflow_params
) -> TestResult:
"""
Test a single workflow against a test project.
Args:
workflow_name: Name of the workflow to test
test_project_path: Path to test project (or relative to base path)
expected_min_findings: Minimum expected findings for test to pass
timeout: Timeout in seconds
**workflow_params: Additional workflow parameters
Returns:
TestResult with test outcome and details
"""
start_time = time.time()
try:
# Get test configuration
config = DEFAULT_TEST_CONFIG.get(workflow_name, {})
if expected_min_findings is None:
expected_min_findings = config.get("expected_min_findings", 0)
if timeout == 300: # Use config timeout if default
timeout = config.get("timeout", 300)
# Resolve test project path
if test_project_path is None:
test_project_name = config.get("test_project")
if not test_project_name:
raise ValidationError(f"No test project configured for workflow: {workflow_name}")
test_project_path = str(Path(self.test_projects_base_path) / test_project_name)
elif not Path(test_project_path).is_absolute():
test_project_path = str(Path(self.test_projects_base_path) / test_project_path)
# Validate path exists
test_path = validate_absolute_path(test_project_path)
logger.info(f"Testing workflow '{workflow_name}' with project: {test_path}")
# Create workflow submission
submission = create_workflow_submission(
target_path=str(test_path),
volume_mode="ro",
**workflow_params
)
# Submit workflow
response = self.client.submit_workflow(workflow_name, submission)
run_id = response.run_id
logger.info(f"Workflow submitted with run_id: {run_id}")
# Wait for completion
final_status = self.client.wait_for_completion(
run_id=run_id,
timeout=timeout,
poll_interval=5
)
# Get findings
findings = self.client.get_run_findings(run_id)
findings_count = 0
# Count findings from SARIF data if available
if hasattr(findings, 'sarif') and findings.sarif:
findings_count = findings.sarif.get('total_findings', 0)
execution_time = time.time() - start_time
# Determine if test passed
passed = (
final_status.is_completed and
not final_status.is_failed and
findings_count >= expected_min_findings
)
result = TestResult(
workflow_name=workflow_name,
test_project_path=test_project_path,
passed=passed,
run_id=run_id,
findings_count=findings_count,
execution_time=execution_time,
expected_min_findings=expected_min_findings,
details={
"status": final_status.status,
"sarif_summary": getattr(findings, 'sarif', {}),
"config_used": config.get("description", ""),
"timeout_used": timeout
}
)
if not passed:
if final_status.is_failed:
result.error = f"Workflow execution failed with status: {final_status.status}"
elif findings_count < expected_min_findings:
result.error = f"Found {findings_count} findings, expected at least {expected_min_findings}"
logger.info(f"Test {'PASSED' if passed else 'FAILED'}: {workflow_name}")
return result
except Exception as e:
execution_time = time.time() - start_time
error_msg = f"Test execution failed: {str(e)}"
logger.error(error_msg)
return TestResult(
workflow_name=workflow_name,
test_project_path=test_project_path or "unknown",
passed=False,
execution_time=execution_time,
expected_min_findings=expected_min_findings or 0,
error=error_msg
)
def test_all_workflows(
self,
workflows: Optional[List[str]] = None,
parallel: bool = False
) -> TestSummary:
"""
Test all available workflows.
Args:
workflows: List of specific workflows to test (defaults to all available)
parallel: Whether to run tests in parallel (not yet implemented)
Returns:
TestSummary with results from all tests
"""
start_time = datetime.now()
try:
# Get available workflows if not specified
if workflows is None:
workflow_list = self.client.list_workflows()
workflows = [w.name for w in workflow_list]
logger.info(f"Testing {len(workflows)} workflows: {', '.join(workflows)}")
results = []
# Test each workflow
for workflow_name in workflows:
logger.info(f"Testing workflow: {workflow_name}")
result = self.test_workflow(workflow_name)
results.append(result)
end_time = datetime.now()
total_duration = (end_time - start_time).total_seconds()
passed = len([r for r in results if r.passed])
failed = len(results) - passed
summary = TestSummary(
total=len(results),
passed=passed,
failed=failed,
tests=results,
start_time=start_time,
end_time=end_time,
total_duration=total_duration
)
logger.info(f"Testing complete: {passed}/{len(results)} workflows passed")
return summary
except Exception as e:
logger.error(f"Test suite execution failed: {e}")
end_time = datetime.now()
return TestSummary(
total=0,
passed=0,
failed=1,
tests=[],
start_time=start_time,
end_time=end_time,
total_duration=(end_time - start_time).total_seconds()
)
def validate_workflow_deployment(self, workflow_name: str) -> bool:
"""
Validate that a workflow is properly deployed and available.
Args:
workflow_name: Name of the workflow to validate
Returns:
True if workflow is available, False otherwise
"""
try:
workflows = self.client.list_workflows()
available_workflows = [w.name for w in workflows]
return workflow_name in available_workflows
except Exception as e:
logger.error(f"Failed to validate workflow deployment: {e}")
return False
def get_test_project_path(self, project_name: str) -> str:
"""
Get the full path to a test project.
Args:
project_name: Name of the test project
Returns:
Full path to the test project
"""
return str(Path(self.test_projects_base_path) / project_name)
def format_test_summary(summary: TestSummary, detailed: bool = False) -> str:
"""
Format a test summary for display.
Args:
summary: Test summary to format
detailed: Whether to include detailed results
Returns:
Formatted string representation
"""
lines = []
# Header
lines.append("=" * 60)
lines.append("FuzzForge Workflow Test Results")
lines.append("=" * 60)
# Summary stats
lines.append(f"Total Tests: {summary.total}")
lines.append(f"Passed: {summary.passed} ✅")
lines.append(f"Failed: {summary.failed} ❌")
lines.append(f"Success Rate: {summary.success_rate:.1f}%")
lines.append(f"Total Duration: {summary.total_duration:.1f}s")
lines.append("")
if detailed and summary.tests:
lines.append("Detailed Results:")
lines.append("-" * 40)
for test in summary.tests:
status_icon = "✅" if test.passed else "❌"
lines.append(f"{status_icon} {test.workflow_name}")
lines.append(f" Project: {Path(test.test_project_path).name}")
lines.append(f" Findings: {test.findings_count} (expected ≥{test.expected_min_findings})")
lines.append(f" Duration: {test.execution_time:.1f}s")
if test.error:
lines.append(f" Error: {test.error}")
lines.append("")
# Failed tests summary
if summary.failed_tests:
lines.append("Failed Tests:")
lines.append("-" * 40)
for test in summary.failed_tests:
lines.append(f"❌ {test.workflow_name}: {test.error or 'Unknown error'}")
lines.append("")
return "\n".join(lines)