Skip to content

Commit 61df8a5

Browse files
Address fuzz testing (#170)
1 parent 270f251 commit 61df8a5

2 files changed

Lines changed: 45 additions & 0 deletions

File tree

.github/scorecard.yml

Lines changed: 29 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,29 @@
1+
# OpenSSF Scorecard maintainer annotations.
2+
#
3+
# These DO NOT change numeric check scores. Scorecard's Fuzzing check is
4+
# binary (0 or 10) and annotations are applied after scoring. What they do
5+
# is surface a maintainer-provided reason alongside the 0/10 so that anyone
6+
# reading the report (CLI --show-annotations, REST API, scorecard.dev viewer)
7+
# sees context instead of an unexplained failure.
8+
#
9+
# Schema and reason vocabulary:
10+
# https://github.com/ossf/scorecard/blob/main/config/README.md
11+
#
12+
# Valid reasons: test-data, remediated, not-applicable, not-supported, not-detected
13+
14+
annotations:
15+
- checks:
16+
- fuzzing
17+
reasons:
18+
# This repository is a learning playground: Bicep templates, Jupyter
19+
# notebooks, APIM policy XML, and thin Python wrappers around the Azure
20+
# CLI. The Python helpers do not parse untrusted attacker-controlled
21+
# input — the only parsing surface (json_utils.py) delegates to the
22+
# standard library's json and ast modules, which are already fuzzed
23+
# upstream in CPython via OSS-Fuzz. All other inputs originate from the
24+
# operator's own Azure tenant or their own policy files.
25+
#
26+
# Scorecard also has no Python-native fuzzer detection (Go / Haskell /
27+
# JS / Erlang only), so even adding hypothesis or atheris tests would
28+
# not move this score. See SECURITY.md for the full rationale.
29+
- reason: not-applicable

SECURITY.md

Lines changed: 16 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -37,3 +37,19 @@ We prefer all communications to be in English.
3737
Microsoft follows the principle of [Coordinated Vulnerability Disclosure](https://aka.ms/security.md/cvd).
3838

3939
<!-- END MICROSOFT SECURITY.MD BLOCK -->
40+
41+
## Security Scanning Scope
42+
43+
This repository is scanned by [OpenSSF Scorecard](https://github.com/ossf/scorecard) via a scheduled GitHub Action. Some checks will report a low score by design; the rationale is recorded as maintainer annotations in [`.github/scorecard.yml`](.github/scorecard.yml) and summarised below.
44+
45+
### Fuzzing
46+
47+
This repository does not implement dedicated fuzz testing, and the Scorecard Fuzzing check is expected to report `0/10`. This is a deliberate scoping decision rather than an oversight.
48+
49+
Fuzz testing is most valuable where code parses untrusted, attacker-controlled input — file formats, network protocols, deserialisers — particularly in memory-unsafe languages. This repository is a learning playground composed of Bicep templates, Jupyter notebooks, APIM policy XML, and thin Python wrappers around the Azure CLI. None of these components parse untrusted input locally:
50+
51+
- Bicep, policy XML, and notebooks are declarative assets consumed by Azure-side tooling, not by code in this repository.
52+
- The Python helpers read output from the operator's own `az` CLI session and their own policy files.
53+
- The only parsing surface (`shared/python/json_utils.py`) delegates to the Python standard library `json` and `ast` modules, which are [already fuzzed upstream in CPython via OSS-Fuzz](https://github.com/google/oss-fuzz/tree/master/projects/cpython3).
54+
55+
Scorecard additionally has no Python-native fuzzer detection — only OSS-Fuzz enrolment, ClusterFuzzLite, or language-native fuzzers for Go, Haskell, JavaScript/TypeScript, and Erlang are recognised. Adding `hypothesis` or `atheris` property-based tests would therefore not change the score, and would only exercise standard-library code paths already covered upstream.

0 commit comments

Comments
 (0)