With CI Fuzz CLI, the German company Code Intelligence has released a tool that starts fuzz tests from the command line. The open source tool is said to be particularly easy to use and is therefore primarily aimed at those who have not yet used fuzzing to test their projects.
Simple and connected
The tool is intended to reduce the barrier to entry into fuzzing, since a few commands and small adjustments in the editor are sufficient for the first fuzz test. At the same time, the command line tool can be integrated into continuous integration processes, build tools and development environments.
The project page shows the integration into a simple project: Initializing via cifuzz init creates the file cifuzz.yaml with the test configuration. The actual test is created by the cifuzz create command, which creates a stub file like my_fuzz_test_1.cpp.
Developers then have to configure the file so that it tests the appropriate functions in the program. They must also configure the CMake directives appropriately. Finally, the command cifuzz run my_fuzz_test_1 triggers the fuzz test. If you need a report about the test coverage, you can generate a coverage report with cifuzz coverage my_fuzz_test_1.
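The stub that cifuzz create generates has to be filled in with a call to the function under test. The following is an added example, not code from the cifuzz project or from the article, of what such a fuzz target can look like. It assumes the libFuzzer entry point LLVMFuzzerTestOneInput, which cifuzz's FUZZ_TEST macro is assumed to wrap, and the function parse_name_record is a hypothetical piece of application code written for this illustration. The parser shows the kind of bounds check whose absence a fuzzer finds quickly while hand-written tests with plausible records never hit it.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <string>

// Hypothetical function under test (constructed for this example): parses a
// tiny length-prefixed record where byte 0 is the name length n and bytes
// 1..n hold the name. Returns the name, or an empty string if the record is
// malformed.
std::string parse_name_record(const uint8_t *data, size_t size) {
  if (size == 0) {
    return "";
  }
  size_t n = data[0];
  // This is the check that a tester feeding only well-formed records never
  // exercises: a declared length larger than the bytes actually present.
  // Without it, memcpy below would read past the end of the input buffer,
  // which AddressSanitizer reports as soon as the fuzzer generates such a
  // record.
  if (n > size - 1) {
    return "";
  }
  char buf[256];  // n is at most 255, so the name and terminator always fit
  memcpy(buf, data + 1, n);
  buf[n] = '\0';
  return std::string(buf, n);
}

// Fuzz entry point in libFuzzer form (assumed to be what cifuzz's FUZZ_TEST
// macro expands to). cifuzz run my_fuzz_test_1 would call this repeatedly
// with generated inputs; sanitizers catch memory errors, and the explicit
// invariant check below catches logic errors that do not crash by themselves.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  std::string name = parse_name_record(data, size);
  // Invariant: a parsed name can never be longer than the whole record.
  if (name.size() > size) {
    __builtin_trap();
  }
  return 0;
}
```

In the CMake file the target is registered with the cifuzz helper (from memory, assumed here: find_package(cifuzz), enable_fuzz_testing(), then add_fuzz_test(my_fuzz_test_1 my_fuzz_test_1.cpp)), after which cifuzz run my_fuzz_test_1 builds it with sanitizers and starts the fuzzer.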
Fuzzing as an alternative to classic code analysis
In contrast to static code analysis, fuzzing tools do not look at the source code; instead they feed the software under test with input data that is incorrect or incomplete, whether by accident or by design. In this way, fuzz testing finds bugs like buffer overflows that can slip through when human testers only use plausible data. Code Intelligence is a German start-up specializing in fuzzing.
Internationally, Google is a strong advocate of fuzzing. In 2016, the Internet giant presented OSS-Fuzz, a project for testing open source software with fuzzing. In addition, with ClusterFuzz it has a commercial fuzzing tool for integration into the CI/CD pipeline (Continuous Integration / Continuous Delivery) in its portfolio, of which a slimmed-down open source version was released in 2021.
Google’s programming language Go has included fuzzing in the toolchain since version 1.18, but according to the latest survey by the team responsible for the language, it has so far been little used.
For more details on CI Fuzz CLI, see the GitHub repository readme and the Code Intelligence project page.