Analyser: Add handling of far-reach-low-coverage-with-fuzz-keyword

Signed-off-by: Arthur Chan <[email protected]>
ossf · Jan 22, 2025 · b100b6a · b100b6a
1 parent a8c12d8
commit b100b6a
Show file tree

Hide file tree

Showing 3 changed files with 49 additions and 8 deletions.
diff --git a/src/fuzz_introspector/analyses/far_reach_low_coverage_analyser.py b/src/fuzz_introspector/analyses/far_reach_low_coverage_analyser.py
@@ -69,12 +69,13 @@ def set_json_string_result(self, string):
         self.json_string_result = string
 
     def set_flags(self, exclude_static_functions: bool,
-                  only_referenced_functions: bool,
-                  only_header_functions: bool):
+                  only_referenced_functions: bool, only_header_functions: bool,
+                  only_interesting_functions: bool):
         """Configure the flags from the CLI."""
         self.exclude_static_functions = exclude_static_functions
         self.only_referenced_functions = only_referenced_functions
         self.only_header_functions = only_header_functions
+        self.only_interesting_functions = only_interesting_functions
 
     def set_max_functions(self, max_functions: int):
         """Configure the max functions to return from CLI."""
@@ -96,12 +97,13 @@ def analysis_func(self,
                       out_dir: str) -> str:
         logger.info(' - Running analysis %s', self.get_name())
         logger.info(
-            ' - Settings: exclude_static_functions: %s,'
-            'only_referenced_functions: %s,'
-            'only_header_functions: %s,'
+            ' - Settings: exclude_static_functions: %s, '
+            'only_referenced_functions: %s, '
+            'only_header_functions: %s, '
+            'only_interesting_functions: %s, '
             'max_functions: %d', self.exclude_static_functions,
             self.only_referenced_functions, self.only_header_functions,
-            self.max_functions)
+            self.only_interesting_functions, self.max_functions)
 
         result_list: List[Dict[str, Any]] = []
 
@@ -123,7 +125,7 @@ def analysis_func(self,
         # configured flags
         for function in filtered_functions:
             # Check for max_functions count
-            if len(result_list) > self.max_functions:
+            if len(result_list) >= self.max_functions:
                 break
 
             # Check for only_referenced_functions flag
@@ -139,6 +141,12 @@ def analysis_func(self,
             # TODO No Debug information from the new frontend yet.
             # Handle this later
 
+            # Check for interesting functions with fuzz keywords
+            if (self.only_interesting_functions
+                    and not self._is_interesting_function_with_fuzz_keywords(
+                        function)):
+                continue
+
             result_list.append(
                 function.to_dict(
                     proj_profile.get_func_hit_percentage(
@@ -195,3 +203,29 @@ def _get_functions_of_interest(
             proj_profile.get_func_hit_percentage(x.function_name)))
 
         return filtered_functions
+
+    def _is_interesting_function_with_fuzz_keywords(
+            self, function: function_profile.FunctionProfile) -> bool:
+        """Internal helper to determine if it is interesting for fuzzing."""
+        interesting_fuzz_keywords = [
+            'deserialize',
+            'parse',
+            'parse_xml',
+            'read_file',
+            'read_json',
+            'read_xml',
+            'request',
+            'parse_header',
+            'parse_request',
+            'compress',
+            'file_read',
+            'read_message',
+            'load_image',
+        ]
+
+        if any(fuzz_keyword in function.function_name.lower() or
+               fuzz_keyword.replace('_', '') in function.function_name.lower()
+               for fuzz_keyword in interesting_fuzz_keywords):
+            return True
+
+        return False
diff --git a/src/fuzz_introspector/cli.py b/src/fuzz_introspector/cli.py
@@ -197,6 +197,11 @@ def get_cmdline_parser() -> argparse.ArgumentParser:
         action='store_true',
         help=('Excluding functions without header declaration in the '
               'analysing result.'))
+    far_reach_low_coverage_analyser_parser.add_argument(
+        '--only-interesting-functions',
+        action='store_true',
+        help=('Excluding functions without interesting fuzz keywords, like'
+              'parse or deserialise'))
     far_reach_low_coverage_analyser_parser.add_argument(
         '--max-functions',
         default=30,

diff --git a/src/fuzz_introspector/commands.py b/src/fuzz_introspector/commands.py
@@ -219,13 +219,15 @@ def analyse(args) -> int:
         exclude_static_functions = args.exclude_static_functions
         only_referenced_functions = args.only_referenced_functions
         only_header_functions = args.only_header_functions
+        only_interesting_functions = args.only_interesting_functions
         max_functions = args.max_functions
 
         introspection_proj.load_debug_report(out_dir)
 
         target_analyser.set_flags(exclude_static_functions,
                                   only_referenced_functions,
-                                  only_header_functions)
+                                  only_header_functions,
+                                  only_interesting_functions)
         target_analyser.set_max_functions(max_functions)
         target_analyser.set_introspection_project(introspection_proj)