Setting up fuzzing to run in pipelines

Author: AmbtenaarInFunctie

.clusterfuzzlite/Dockerfile

@@ -0,0 +1,13 @@
+FROM gcr.io/oss-fuzz-base/base-builder-jvm:v1
+
+# The logboekdataverwerking-wrapper dependency is compiled with Java 21,
+# so we need JDK 21 for compilation (base-builder-jvm ships JDK 17).
+RUN apt-get update && apt-get install -y openjdk-21-jdk rsync
+
+ENV JAVA_HOME=/usr/lib/jvm/java-21-openjdk-amd64
+ENV PATH=$JAVA_HOME/bin:$PATH
+
+COPY . $SRC/moza-profiel-service
+WORKDIR $SRC/moza-profiel-service
+RUN chmod +x mvnw
+COPY .clusterfuzzlite/build.sh $SRC/

.clusterfuzzlite/build.sh

@@ -0,0 +1,123 @@
+#!/bin/bash -eu
+
+# Build the project with H2 database for fuzzing.
+# quarkus.datasource.db-kind is a build-time property — must be set during compilation.
+./mvnw package -DskipTests -Djacoco.skip=true \
+  -Dquarkus.datasource.db-kind=h2 \
+  -Dquarkus.datasource.jdbc.url=jdbc:h2:mem:fuzztest \
+  -Dlogboekdataverwerking.enabled=false \
+  -B
+
+# Copy all dependencies to $OUT/lib
+mkdir -p $OUT/lib
+./mvnw dependency:copy-dependencies -DoutputDirectory=$OUT/lib -B
+
+# Copy compiled application and test classes
+cp -r target/classes $OUT/classes
+cp -r target/test-classes $OUT/test-classes
+
+# Copy the full quarkus-app directory so the EndpointFuzzer wrapper can start
+# Quarkus as a subprocess (java -jar quarkus-run.jar). H2 is baked in at build time.
+cp -r target/quarkus-app $OUT/quarkus-app
+
+# Bundle the ENTIRE JDK 21 runtime to $OUT so the runner can execute Java 21 bytecode.
+# Uses rsync -aL to dereference symlinks (critical for JDK directory structure).
+# Pattern taken from the oss-fuzz tomcat project.
+mkdir -p "$OUT/open-jdk-21"
+rsync -aL --exclude='*.zip' "$JAVA_HOME/" "$OUT/open-jdk-21/"
+
+# Create a wrapper script for every standalone fuzzer
+# (classes that define the static fuzzerTestOneInput method expected by jazzer_driver)
+for fuzzer in $(grep -rl "fuzzerTestOneInput" src/test/java/ || true); do
+  class_name=$(echo "$fuzzer" | sed 's|src/test/java/||;s|\.java$||;s|/|.|g')
+  simple_name=$(basename -s .java "$fuzzer")
+
+  echo "Creating fuzzer wrapper: $simple_name -> $class_name"
+
+  if [ "$simple_name" = "EndpointFuzzer" ]; then
+    # ── Special wrapper for EndpointFuzzer ──
+    # Starts Quarkus as a subprocess (java -jar quarkus-run.jar) before
+    # launching jazzer_driver. Quarkus was built with H2 at compile time.
+    cat > "$OUT/$simple_name" << 'WRAPPER_EOF'
+#!/bin/bash
+# LLVMFuzzerTestOneInput for jvm
+this_dir=$(dirname "$0")
+
+if [[ "$@" =~ (^| )-runs=[0-9]+($| ) ]]; then
+  mem_settings='-Xmx1900m:-Xss900k'
+else
+  mem_settings='-Xmx2048m:-Xss1024k'
+fi
+
+# Start Quarkus as a background process with H2 in-memory database.
+JAVA_HOME="$this_dir/open-jdk-21" \
+LD_LIBRARY_PATH="$this_dir/open-jdk-21/lib/server" \
+"$this_dir/open-jdk-21/bin/java" \
+  -Dquarkus.http.port=8081 \
+  -Dquarkus.log.level=WARN \
+  -Dquarkus.rest-client.basisprofiel-api.url=http://localhost:9999 \
+  -Dquarkus.rest-client.email-api.url=http://localhost:9999 \
+  -Dlogboekdataverwerking.enabled=false \
+  -jar "$this_dir/quarkus-app/quarkus-run.jar" &
+QUARKUS_PID=$!
+trap "kill $QUARKUS_PID 2>/dev/null || true" EXIT
+
+# Wait for Quarkus to accept connections (up to 20 seconds)
+for i in $(seq 1 80); do
+  if curl -sf -o /dev/null http://localhost:8081/ 2>/dev/null; then
+    break
+  fi
+  sleep 0.25
+done
+
+# Build classpath from compiled classes and all dependency jars
+CP="$this_dir/test-classes:$this_dir/classes"
+for jar in "$this_dir"/lib/*.jar; do
+  CP="$CP:$jar"
+done
+
+JAVA_HOME="$this_dir/open-jdk-21" \
+LD_LIBRARY_PATH="$this_dir/open-jdk-21/lib/server":"$this_dir" \
+"$this_dir/jazzer_driver" \
+  --agent_path="$this_dir/jazzer_agent_deploy.jar" \
+  --cp="$CP" \
+  --target_class=TARGET_CLASS_PLACEHOLDER \
+  --jvm_args="$mem_settings" \
+  "$@"
+WRAPPER_EOF
+  else
+    # ── Generic wrapper for in-process fuzzers ──
+    cat > "$OUT/$simple_name" << 'WRAPPER_EOF'
+#!/bin/bash
+# LLVMFuzzerTestOneInput for jvm
+this_dir=$(dirname "$0")
+
+if [[ "$@" =~ (^| )-runs=[0-9]+($| ) ]]; then
+  mem_settings='-Xmx1900m:-Xss900k'
+else
+  mem_settings='-Xmx2048m:-Xss1024k'
+fi
+
+# Build classpath from compiled classes and all dependency jars
+CP="$this_dir/test-classes:$this_dir/classes"
+for jar in "$this_dir"/lib/*.jar; do
+  CP="$CP:$jar"
+done
+
+# Set JAVA_HOME and LD_LIBRARY_PATH inline so jazzer_driver loads
+# the bundled JDK 21 libjvm.so (not the runner's JDK 17).
+# Pattern taken from the oss-fuzz tomcat project.
+JAVA_HOME="$this_dir/open-jdk-21" \
+LD_LIBRARY_PATH="$this_dir/open-jdk-21/lib/server":"$this_dir" \
+"$this_dir/jazzer_driver" \
+  --agent_path="$this_dir/jazzer_agent_deploy.jar" \
+  --cp="$CP" \
+  --target_class=TARGET_CLASS_PLACEHOLDER \
+  --jvm_args="$mem_settings" \
+  "$@"
+WRAPPER_EOF
+  fi
+
+  sed -i "s|TARGET_CLASS_PLACEHOLDER|$class_name|" "$OUT/$simple_name"
+  chmod +x "$OUT/$simple_name"
+done

.dockerignore

@@ -1,5 +1,14 @@
 *
+
+# ClusterFuzzLite Docker build (see .clusterfuzzlite/Dockerfile)
+!.clusterfuzzlite/*
+!src/**
+!pom.xml
+!mvnw
+!.mvn/**
+
+# Quarkus production Docker builds (see src/main/docker/)
 !target/*-runner
 !target/*-runner.jar
 !target/lib/*
-!target/quarkus-app/*
+!target/quarkus-app/*

.github/workflows/cflite_batch.yml

@@ -0,0 +1,24 @@
+name: ClusterFuzzLite Batch
+on:
+  schedule:
+    - cron: '0 0 * * 6' # Every week on saturday at midnight
+  workflow_dispatch:
+permissions: read-all
+jobs:
+  Batch:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v4
+    - name: Build Fuzzers
+      id: build
+      uses: google/clusterfuzzlite/actions/build_fuzzers@v1
+      with:
+        language: jvm
+        github-token: ${{ secrets.GITHUB_TOKEN }}
+    - name: Run Fuzzers
+      uses: google/clusterfuzzlite/actions/run_fuzzers@v1
+      with:
+        github-token: ${{ secrets.GITHUB_TOKEN }}
+        fuzz-seconds: 3600
+        mode: 'batch'

.github/workflows/cflite_cron.yml

@@ -0,0 +1,30 @@
+name: ClusterFuzzLite Cron
+on:
+  schedule:
+    - cron: '0 0 * * 0' # Every week on Sunday at midnight
+  workflow_dispatch:
+permissions: read-all
+jobs:
+  Cron:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v4
+    - name: Build Fuzzers
+      id: build
+      uses: google/clusterfuzzlite/actions/build_fuzzers@v1
+      with:
+        language: jvm
+        github-token: ${{ secrets.GITHUB_TOKEN }}
+    - name: Run Fuzzers
+      uses: google/clusterfuzzlite/actions/run_fuzzers@v1
+      with:
+        github-token: ${{ secrets.GITHUB_TOKEN }}
+        fuzz-seconds: 600
+        mode: 'coverage'
+    - name: Run Fuzzers (Pruning)
+      uses: google/clusterfuzzlite/actions/run_fuzzers@v1
+      with:
+        github-token: ${{ secrets.GITHUB_TOKEN }}
+        fuzz-seconds: 600
+        mode: 'prune'

.github/workflows/cflite_pr.yml

@@ -0,0 +1,26 @@
+name: ClusterFuzzLite PR
+on:
+  pull_request:
+    branches: [ main ]
+permissions: read-all
+jobs:
+  PR:
+    runs-on: ubuntu-latest
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
+      cancel-in-progress: true
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v4
+    - name: Build Fuzzers
+      id: build
+      uses: google/clusterfuzzlite/actions/build_fuzzers@v1
+      with:
+        language: jvm
+        github-token: ${{ secrets.GITHUB_TOKEN }}
+    - name: Run Fuzzers
+      uses: google/clusterfuzzlite/actions/run_fuzzers@v1
+      with:
+        github-token: ${{ secrets.GITHUB_TOKEN }}
+        fuzz-seconds: 300
+        mode: 'code-change'

.github/workflows/maven.yml

@@ -14,7 +14,7 @@ on:
   push:
     branches: [ "main" ]
   pull_request:
-    branches: [ "main" ]
+    branches: [ main ]
 
 jobs:
   build:

FUZZING.md

@@ -0,0 +1,126 @@
+# Fuzz Testing in Moza Profiel Service
+
+To boost the security of our application, we have implemented fuzz testing for our REST endpoints and core components. Fuzzing is a testing technique that provides semi-random data as input to the application to find bugs, crashes, or security vulnerabilities.
+
+## What has been implemented?
+
+We have implemented **two types** of fuzz tests:
+
+### 1. JUnit-based Fuzz Tests (for local development)
+
+-   **EndpointFuzzTest.java**: A JUnit test class using `@FuzzTest` annotations and `RestAssured` to fuzz REST endpoints in a running Quarkus test instance.
+-   **Purpose**: Quick feedback during development and as part of the regular test suite.
+-   **Runs**: As part of `mvn test`, with configurable duration using `-Djazzer.duration=<time>`.
+
+### 2. Standalone Fuzz Targets (for ClusterFuzzLite)
+
+These are lightweight, standalone classes that implement the `fuzzerTestOneInput` method expected by Jazzer's native driver. They run in ClusterFuzzLite's continuous fuzzing pipeline:
+
+-   **EndpointFuzzer.java**: Coverage-guided fuzzing of all REST endpoints by starting Quarkus as a subprocess and sending HTTP requests.
+-   **HashHelperFuzzer.java**: Tests the SHA-256 hashing functionality with arbitrary string inputs to verify determinism and detect edge cases.
+-   **JsonDeserializationFuzzer.java**: Fuzzes JSON deserialization of all request DTOs (ContactgegevenRequest, VoorkeurRequest, DienstverlenerRequest, etc.) to find parsing vulnerabilities.
+
+**Key Difference**: The JUnit tests run Quarkus in-process with `@QuarkusTest`, while the ClusterFuzzLite targets are optimized for long-running, coverage-guided fuzzing in CI/CD pipelines.
+
+## How to run Fuzz Tests
+
+By default, fuzz tests run as part of the normal test suite but with only a few iterations. To run them for a longer period (which is recommended for finding real issues), you can use the following Maven command:
+
+```bash
+mvn test -Dtest=EndpointFuzzTest -Djazzer.duration=1m -Djacoco.skip=true
+```
+
+The `-Djazzer.duration=1m` flag tells Jazzer to run for 1 minute. You can increase this (e.g., `10m`, `1h`) for more thorough testing.
+
+> **Note**: We use `-Djacoco.skip=true` because running only a subset of tests (like just the fuzz tests) will likely fail the JaCoCo coverage check, as the overall project coverage threshold won't be met.
+
+### Running a specific Fuzz Test
+
+To run only one specific fuzz test method:
+
+```bash
+mvn test -Dtest=EndpointFuzzTest#fuzzGetPartij -Djazzer.duration=1m -Djacoco.skip=true
+```
+
+## Adding more Fuzz Tests
+
+### Adding a JUnit-based Fuzz Test
+
+To add a new fuzz test to `EndpointFuzzTest`:
+
+1.  Add a method to `EndpointFuzzTest` (or create a new test class).
+2.  Annotate it with `@FuzzTest`.
+3.  Use `FuzzedDataProvider` to generate semi-random input data.
+4.  Use `RestAssured` to send this data to your endpoint.
+
+Example:
+
+```java
+@FuzzTest
+public void fuzzMyNewEndpoint(FuzzedDataProvider data) {
+    String input = data.consumeRemainingAsString();
+
+    RestAssured.given()
+            .body(input)
+            .when()
+            .post("/api/my-endpoint")
+            .then()
+            .extract().response();
+}
+```
+
+### Adding a Standalone Fuzzer for ClusterFuzzLite
+
+To add a new standalone fuzzer that runs in the CI/CD pipeline:
+
+1.  Create a new class in `src/test/java/nl/rijksoverheid/moz/fuzzing/`.
+2.  Implement a `public static void fuzzerTestOneInput(FuzzedDataProvider data)` method.
+3.  Use `data` to consume input and test your functionality.
+4.  The fuzzer will automatically be detected by `.clusterfuzzlite/build.sh` and included in continuous fuzzing.
+
+Example:
+
+```java
+package nl.rijksoverheid.moz.fuzzing;
+
+import com.code_intelligence.jazzer.api.FuzzedDataProvider;
+
+public class MyComponentFuzzer {
+
+    public static void fuzzerTestOneInput(FuzzedDataProvider data) {
+        String input = data.consumeRemainingAsString();
+
+        // Test your component with the fuzzed input
+        MyComponent.process(input);
+    }
+}
+```
+
+## What to look for?
+
+Jazzer will automatically stop and report if it finds:
+-   An unhandled exception that causes the JVM to crash (e.g., `OutOfMemoryError`, `StackOverflowError`).
+-   Any security-relevant exceptions if configured.
+-   Assertions that fail.
+
+If Jazzer finds a "finding", it will create a `fuzz-test-*.repro` file. You can use this file to reproduce the exact input that caused the failure.
+
+## GitHub Scorecard & Continuous Fuzzing
+
+To satisfy the [GitHub Scorecard](https://github.com/ossf/scorecard) "Fuzzing" requirement, this project is configured to use **ClusterFuzzLite (CFL)**.
+
+### How it works:
+
+1.  **ClusterFuzzLite**: We have integrated ClusterFuzzLite via GitHub Actions (see `.clusterfuzzlite/` and `.github/workflows/cflite_*.yml`).
+2.  **Continuous Testing**: 
+    -   **PR Mode**: Every pull request triggers a short fuzzing session (5 minutes) to catch regressions before they are merged. This is configured to run on all pull requests with the target branch being `main`.
+    -   **Batch Mode**: A longer daily fuzzing session (1 hour) runs on the `main` branch to discover deeper issues.
+    -   **Manual Trigger**: Fuzzing workflows can also be triggered manually via the GitHub Actions "Run workflow" button.
+3.  **Scorecard Recognition**: By having these workflows in place and running them, the OpenSSF Scorecard will recognize that the project is being actively fuzzed, which improves our security score.
+
+### Configuration
+
+-   `.clusterfuzzlite/Dockerfile`: Defines the build environment (based on `oss-fuzz-base`).
+-   `.clusterfuzzlite/build.sh`: Script that compiles the application and prepares the fuzzing targets for Jazzer.
+-   `.github/workflows/cflite_pr.yml`: GitHub Action for PR fuzzing.
+-   `.github/workflows/cflite_batch.yml`: GitHub Action for scheduled batch fuzzing.

README.md

@@ -9,7 +9,6 @@ Documentatie over de Profiel Service is te vinden op [de documentatie website va
 ## Quarkus
 Dit project draait op Quarkus. Meer informatie hierover staat in [quarkus.md](quarkus.md)
 
-## Configuratie
 In de application.properties file staat een notifyNl gedeelte, deze moeten worden gevuld met information van https://admin.notifynl.nl/ vraag de developers van dit project voor deze gegevens.
 
 Plaats deze gegevens vervolgens NIET in de `application.properties` file maar maak een file `/src/main/resources/application-dev.properties` aan en zet de values hier in. Deze file staat in de `.gitignore`.