Fix: Use base_os_version for all build types

Ensures that the  specified in  is correctly
applied to the  image for fuzzing, coverage, and introspector
builds. This resolves GLIBC/libstdc++ version mismatches that occur when
projects compiled on newer OS versions are run with an older base-runner.

This change modifies:
- : Extracts  and sets .
- : Extracts  and sets .
- : Extracts  and sets .
- : Passes  to  for coverage and introspector steps.
- : Modifies  to use  with .

New tests have been added to:
-
-

These tests validate that the  is correctly propagated and used
in the respective build steps.

Author: hunsche

infra/build/functions/build_and_run_coverage.py

@@ -125,7 +125,7 @@ def get_build_steps(  # pylint: disable=too-many-locals, too-many-arguments
   ]
 
   build_steps.append({
-      'name': build_lib.get_runner_image_name(config.test_image_suffix),
+      'name': build_lib.get_runner_image_name(config.test_image_suffix, config.base_image_tag),
       'env': coverage_env,
       'args': [
           'bash', '-c',
@@ -291,7 +291,7 @@ def get_fuzz_introspector_steps(  # pylint: disable=too-many-locals, too-many-ar
                   f'/reports/{coverage_report_latest}/linux')
 
   download_coverage_steps = build_lib.download_coverage_data_steps(
-      project.name, coverage_report_latest, bucket_name, build.out)
+      project.name, coverage_report_latest, bucket_name, build.out, config.base_image_tag)
   if not download_coverage_steps:
     return [], f'Skipping introspector build for {project.name}. No coverage data found.'
   build_steps.extend(download_coverage_steps)

infra/build/functions/build_lib.py

@@ -344,16 +344,18 @@ def download_corpora_steps(project_name, test_image_suffix):
   return steps, None
 
 
-def download_coverage_data_steps(project_name, latest, bucket_name, out_dir):
+def download_coverage_data_steps(project_name, latest, bucket_name, out_dir, base_image_tag=None):
   """Returns GCB steps to download coverage data for the given project"""
   steps = []
   fuzz_targets = _get_targets_list(project_name)
   if not fuzz_targets:
     sys.stderr.write('No fuzz targets found for project "%s".\n' % project_name)
     return None
 
+  runner_image_name = get_runner_image_name(None, base_image_tag)
+
   steps.append({
-      'name': 'gcr.io/oss-fuzz-base/base-runner',
+      'name': runner_image_name,
       'args': ['bash', '-c', (f'mkdir -p {out_dir}/textcov_reports')]
   })
 
@@ -365,7 +367,7 @@ def download_coverage_data_steps(project_name, latest, bucket_name, out_dir):
       'allowFailure': True
   })
   steps.append({
-      'name': 'gcr.io/oss-fuzz-base/base-runner',
+      'name': runner_image_name,
       'args': ['bash', '-c', f'ls -lrt {out_dir}/textcov_reports'],
       'allowFailure': True
   })

infra/build/functions/request_build.py

@@ -71,6 +71,11 @@ def get_build_steps(project_name, timestamp=None):
   project_yaml, dockerfile_lines = get_project_data(project_name)
   build_config = build_project.Config(
       build_type=build_project.FUZZING_BUILD_TYPE)
+
+  base_os_version = project_yaml.get('base_os_version')
+  if base_os_version:
+    build_config.base_image_tag = base_os_version
+
   return build_project.get_build_steps(project_name,
                                        project_yaml,
                                        dockerfile_lines,

infra/build/functions/request_build_test.py

@@ -14,9 +14,12 @@
 #
 ################################################################################
 """Unit tests for Cloud Function request builds which builds projects."""
+import base64
+import json
 import os
 import sys
 import unittest
+from unittest import mock
 
 from google.cloud import ndb
 
@@ -26,6 +29,8 @@
 import datastore_entities
 import request_build
 import test_utils
+import build_project
+import build_lib
 
 # pylint: disable=no-member
 
@@ -43,13 +48,96 @@ def setUpClass(cls):
   def setUp(self):
     test_utils.reset_ds_emulator()
     self.maxDiff = None  # pylint: disable=invalid-name
+    # Mocks globais para evitar chamadas de API reais
+    self.mock_get_signed_url = mock.patch(
+        'build_lib.get_signed_url',
+        return_value='https://example.com/signed-url').start()
+    self.mock_get_signed_policy = mock.patch(
+        'build_lib.get_signed_policy_document_upload_prefix',
+        return_value=mock.MagicMock()).start()
+    self.mock_curl_args = mock.patch(
+        'build_lib.signed_policy_document_curl_args', return_value=[]).start()
+
+  def tearDown(self):
+    mock.patch.stopall()
 
   def test_get_build_steps_no_project(self):
     """Test for when project isn't available in datastore."""
     with ndb.Client().context():
       self.assertRaises(RuntimeError, request_build.get_build_steps,
                         'test-project')
 
+  @mock.patch('build_project.run_build', return_value={'id': 'mock-build-id'})
+  def test_get_build_steps_with_base_os_version(self, mock_run_build):
+    """Test that get_build_steps uses the base_os_version."""
+    project_name = 'example'
+    base_os_version = 'ubuntu-24-04'
+
+    project_yaml_contents = """
+homepage: https://my-api.example.com
+main_repo: https://github.com/example/my-api
+language: c++
+vendor_ccs: []
+fuzzing_engines:
+  - libfuzzer
+sanitizers:
+  - address
+base_os_version: ubuntu-24-04
+"""
+    dockerfile_contents = """
+# Copyright 2017 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.                                                 
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder
+RUN apt-get update && apt-get install -y make
+
+# Get *your* source code here.
+RUN git clone https://github.com/google/oss-fuzz.git my-git-repo
+WORKDIR my-git-repo
+COPY build.sh $SRC/
+"""
+    with ndb.Client().context():
+      datastore_entities.Project(name=project_name,
+                                 project_yaml_contents=project_yaml_contents,
+                                 dockerfile_contents=dockerfile_contents).put()
+
+    event = {'data': base64.b64encode(project_name.encode('utf-8'))}
+
+    with mock.patch('google.auth.default', return_value=(None, 'oss-fuzz')):
+      request_build.request_build(event, None)
+
+    # Check that run_build was called.
+    self.assertTrue(mock_run_build.called)
+
+    # Get the build_steps from the first call to run_build.
+    self.assertEqual(2, mock_run_build.call_count)
+    build_steps = mock_run_build.call_args_list[0][0][1]
+
+    # Find the 'build-check' step and assert the runner image is correct.
+    found_build_check_step = False
+    for inner_step in build_steps[0]:
+      if isinstance(
+          inner_step,
+          dict) and inner_step.get('id') and 'build-check' in inner_step['id']:
+        found_build_check_step = True
+        expected_image = f'gcr.io/oss-fuzz-base/base-runner:{base_os_version}'
+        self.assertIn(expected_image, inner_step['args'])
+        break
+    self.assertTrue(found_build_check_step, 'Build check step not found.')
+
   def test_build_history(self):
     """Testing build history."""
     with ndb.Client().context():

infra/build/functions/request_coverage_build.py

@@ -30,6 +30,11 @@ def get_build_steps(project_name):
   build_config = request_build.get_empty_config()
   project_yaml_contents, dockerfile_lines = request_build.get_project_data(
       project_name)
+
+  base_os_version = project_yaml_contents.get('base_os_version')
+  if base_os_version:
+    build_config.base_image_tag = base_os_version
+
   return build_and_run_coverage.get_build_steps(project_name,
                                                 project_yaml_contents,
                                                 dockerfile_lines, build_config)

infra/build/functions/request_coverage_build_test.py

@@ -0,0 +1,103 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+"""Unit tests for Cloud Function request_coverage_build."""
+import base64
+import os
+import sys
+import unittest
+from unittest import mock
+
+from google.cloud import ndb
+
+sys.path.append(os.path.dirname(__file__))
+# pylint: disable=wrong-import-position
+
+import datastore_entities
+import request_coverage_build
+import test_utils
+import yaml
+
+# pylint: disable=no-member
+
+
+class TestRequestCoverageBuild(unittest.TestCase):
+  """Unit tests for sync."""
+
+  @classmethod
+  def setUpClass(cls):
+    cls.ds_emulator = test_utils.start_datastore_emulator()
+    test_utils.wait_for_emulator_ready(cls.ds_emulator, 'datastore',
+                                       test_utils.DATASTORE_READY_INDICATOR)
+    test_utils.set_gcp_environment()
+
+  def setUp(self):
+    test_utils.reset_ds_emulator()
+    self.maxDiff = None
+
+  @mock.patch('request_build.run_build', return_value={'id': 'mock-build-id'})
+  @mock.patch('build_lib.get_signed_url',
+              return_value='https://mocked-signed-url.com')
+  def test_get_build_steps_with_base_os_version(self, mock_get_signed_url,
+                                                mock_run_build):
+    """Test that get_build_steps uses the base_os_version for coverage builds."""
+    project_name = 'example'
+    base_os_version = 'ubuntu-24-04'
+
+    project_yaml_contents = f"""
+homepage: https://my-api.example.com
+main_repo: https://github.com/example/my-api
+language: c++
+fuzzing_engines:
+  - libfuzzer
+sanitizers:
+  - address
+base_os_version: {base_os_version}
+"""
+    dockerfile_contents = "FROM gcr.io/oss-fuzz-base/base-builder"
+
+    with mock.patch('request_build.get_project_data') as mock_get_project_data:
+      mock_get_project_data.return_value = (
+          yaml.safe_load(project_yaml_contents), dockerfile_contents)
+
+      event = {'data': base64.b64encode(project_name.encode('utf-8'))}
+
+      with mock.patch('google.auth.default', return_value=(None, 'oss-fuzz')):
+        request_coverage_build.request_coverage_build(event, None)
+
+    self.assertTrue(mock_run_build.called)
+    build_steps = mock_run_build.call_args[0][1]
+
+    for inner_list in build_steps:
+      for step in inner_list:
+        if isinstance(
+            step, dict
+        ) and 'name' in step and 'gcr.io/oss-fuzz-base/base-runner' in step[
+            'name']:
+          found_build_check_step = True
+          expected_image = f'gcr.io/oss-fuzz-base/base-runner:{base_os_version}'
+          self.assertEqual(step['name'], expected_image)
+          break
+      if found_build_check_step:
+        break
+    self.assertTrue(found_build_check_step, 'Coverage build step not found.')
+
+  @classmethod
+  def tearDownClass(cls):
+    test_utils.cleanup_emulator(cls.ds_emulator)
+
+
+if __name__ == '__main__':
+  unittest.main(exit=False)

infra/build/functions/request_introspector_build.py

@@ -31,6 +31,11 @@ def get_build_steps(project_name, image_project, base_images_project):
   build_config = request_build.get_empty_config()
   project_yaml_contents, dockerfile_lines = request_build.get_project_data(
       project_name)
+
+  base_os_version = project_yaml_contents.get('base_os_version')
+  if base_os_version:
+    build_config.base_image_tag = base_os_version
+
   return build_and_run_coverage.get_fuzz_introspector_steps(
       project_name, project_yaml_contents, dockerfile_lines, build_config)