chore: add more tests, fuzzing, and a separate fuzz Workflow

.github/workflows/fuzz.yaml

@@ -0,0 +1,137 @@
+# Copyright 2026 Chainguard, Inc.
+# SPDX-License-Identifier: Apache-2.0
+
+name: Fuzz Tests
+
+on:
+  push:
+    branches:
+      - "main"
+  schedule:
+    # Run weekly on Sunday at midnight UTC
+    - cron: "0 0 * * 0"
+  workflow_dispatch:
+    inputs:
+      fuzz_target:
+        description: "Specific fuzzer to run (leave empty for all)"
+        required: false
+        default: ""
+        type: string
+      fuzz_time:
+        description: "Fuzz duration per target (e.g., 30s, 1m, 5m)"
+        required: false
+        default: "30s"
+        type: choice
+        options:
+          - "10s"
+          - "30s"
+          - "1m"
+          - "5m"
+          - "10m"
+          - "30m"
+          - "60m"
+          - "180m"
+
+permissions: {}
+
+jobs:
+  discover:
+    if: ${{ github.repository == 'chainguard-dev/malcontent' }}
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    outputs:
+      targets: ${{ steps.find.outputs.targets }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Discover fuzz targets
+        id: find
+        env:
+          TARGET_FILTER: ${{ inputs.fuzz_target }}
+        run: |
+          # Find all Fuzz* functions in test files and build JSON array
+          # Format: [{"test": "FuzzName", "package": "./pkg/path/"}]
+          all_targets=$(grep -r "^func Fuzz" --include="*_test.go" -l pkg/ | while read -r file; do
+            dir="./$(dirname "${file}")/"
+            grep -o "^func Fuzz[A-Za-z0-9_]*" "${file}" | sed 's/^func //' | while read -r func; do
+              echo "{\"test\":\"${func}\",\"package\":\"${dir}\"}"
+            done
+          done | jq -s -c '.')
+
+          targets="${all_targets}"
+
+          # If a specific target is requested, validate and filter
+          if [ -n "${TARGET_FILTER}" ]; then
+            # Validate format: must start with "Fuzz" and contain only alphanumeric/underscore
+            if ! echo "${TARGET_FILTER}" | grep -qE '^Fuzz[A-Za-z0-9_]+$'; then
+              echo "::error::Invalid fuzz target format: '${TARGET_FILTER}'. Must match pattern 'Fuzz[A-Za-z0-9_]+'"
+              exit 1
+            fi
+
+            # Filter to the requested target
+            targets=$(echo "${all_targets}" | jq -c --arg t "${TARGET_FILTER}" '[.[] | select(.test == $t)]')
+
+            # Check if target exists
+            if [ "${targets}" = "[]" ]; then
+              echo "::error::Fuzz target '${TARGET_FILTER}' not found."
+              echo "Available targets:"
+              echo "${all_targets}" | jq -r '.[].test' | sort | sed 's/^/  - /'
+              exit 1
+            fi
+          fi
+
+          echo "targets=${targets}" >> "${GITHUB_OUTPUT}"
+          echo "Discovered targets: ${targets}"
+
+  fuzz:
+    if: ${{ github.repository == 'chainguard-dev/malcontent' && needs.discover.outputs.targets != '[]' }}
+    needs: discover
+    runs-on: ubuntu-latest-16-core
+    permissions:
+      contents: read
+    strategy:
+      fail-fast: false
+      matrix:
+        target: ${{ fromJson(needs.discover.outputs.targets) }}
+    container:
+      image: cgr.dev/chainguard/wolfi-base:latest # zizmor: ignore[unpinned-images]
+      options: >-
+        --cap-add DAC_OVERRIDE
+        --cap-add SETGID
+        --cap-add SETUID
+        --cap-drop ALL
+        --cgroupns private
+        --cpu-shares=16384
+        --memory-swappiness=0
+        --security-opt no-new-privileges
+        --ulimit core=0
+        --ulimit nofile=65535:65535
+        --ulimit nproc=65535:65535
+    steps:
+      - name: Install dependencies
+        run: |
+          apk update
+          apk add curl findutils git go nodejs upx xz yara-x~1.12.0
+
+      - name: Checkout code
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Trust repository
+        run: git config --global --add safe.directory "${GITHUB_WORKSPACE}"
+
+      - name: Clone malcontent samples (required for compile fuzzers)
+        if: contains(matrix.target.package, 'compile')
+        run: |
+          make samples
+
+      - name: Run fuzzer - ${{ matrix.target.test }}
+        env:
+          FUZZ_TIME: ${{ inputs.fuzz_time || '30s' }}
+        run: |
+          go test -timeout 0 -fuzz="${{ matrix.target.test }}" -fuzztime="${FUZZ_TIME}" "${{ matrix.target.package }}"

.github/workflows/go-tests.yaml

@@ -20,7 +20,7 @@ jobs:
     permissions:
       contents: read
     container:
-      image: cgr.dev/chainguard/wolfi-base:latest
+      image: cgr.dev/chainguard/wolfi-base:latest # zizmor: ignore[unpinned-images]
       options: >-
         --cap-add DAC_OVERRIDE
         --cap-add SETGID
@@ -57,7 +57,7 @@ jobs:
     permissions:
       contents: read
     container:
-      image: cgr.dev/chainguard/wolfi-base:latest
+      image: cgr.dev/chainguard/wolfi-base:latest # zizmor: ignore[unpinned-images]
       options: >-
         --cap-add DAC_OVERRIDE
         --cap-add SETGID
@@ -87,44 +87,3 @@ jobs:
       - name: Integration tests
         run: |
           make integration
-
-  fuzz:
-    if: ${{ github.repository == 'chainguard-dev/malcontent' }}
-    runs-on: ubuntu-latest-16-core
-    permissions:
-      contents: read
-    container:
-      image: cgr.dev/chainguard/wolfi-base:latest
-      options: >-
-        --cap-add DAC_OVERRIDE
-        --cap-add SETGID
-        --cap-add SETUID
-        --cap-drop ALL
-        --cgroupns private
-        --cpu-shares=16384
-        --memory-swappiness=0
-        --security-opt no-new-privileges
-        --ulimit core=0
-        --ulimit nofile=65535:65535
-        --ulimit nproc=65535:65535
-    steps:
-      - name: Install dependencies
-        run: |
-          apk update
-          apk add curl findutils git go nodejs upx xz yara-x~1.12.0
-
-      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
-
-      - name: Trust repository
-        run: git config --global --add safe.directory "${GITHUB_WORKSPACE}"
-
-      - name: Clone malcontent samples required for Fuzz tests
-        run: |
-          make samples
-
-      - name: Fuzz tests
-        run: |
-          make fuzz

.github/workflows/release.yaml

@@ -1,3 +1,6 @@
+# Copyright 2024 Chainguard, Inc.
+# SPDX-License-Identifier: Apache-2.0
+
 name: Cut Release
 
 on:

.github/workflows/scorecard.yml

@@ -1,3 +1,6 @@
+# Copyright 2024 Chainguard, Inc.
+# SPDX-License-Identifier: Apache-2.0
+
 # This workflow uses actions that are not certified by GitHub. They are provided
 # by a third-party and are governed by separate terms of service, privacy
 # policy, and support documentation.

.github/workflows/third-party.yaml

@@ -1,3 +1,6 @@
+# Copyright 2024 Chainguard, Inc.
+# SPDX-License-Identifier: Apache-2.0
+
 name: Update third-party rules
 
 on:

.github/workflows/version.yaml

@@ -1,3 +1,6 @@
+# Copyright 2024 Chainguard, Inc.
+# SPDX-License-Identifier: Apache-2.0
+
 name: Bump Version
 
 on:

Makefile

@@ -142,14 +142,25 @@ test:
 fuzz:
 	go test -timeout 0 -fuzz=FuzzContainsUnprintable -fuzztime=10s ./pkg/report/
 	go test -timeout 0 -fuzz=FuzzExtractArchive -fuzztime=10s ./pkg/archive/
+	go test -timeout 0 -fuzz=FuzzExtractBz2 -fuzztime=10s ./pkg/archive/
+	go test -timeout 0 -fuzz=FuzzExtractDeb -fuzztime=10s ./pkg/archive/
+	go test -timeout 0 -fuzz=FuzzExtractGzip -fuzztime=10s ./pkg/archive/
+	go test -timeout 0 -fuzz=FuzzExtractRPM -fuzztime=10s ./pkg/archive/
 	go test -timeout 0 -fuzz=FuzzExtractTar -fuzztime=10s ./pkg/archive/
+	go test -timeout 0 -fuzz=FuzzExtractUPX -fuzztime=10s ./pkg/archive/
 	go test -timeout 0 -fuzz=FuzzExtractZip -fuzztime=10s ./pkg/archive/
+	go test -timeout 0 -fuzz=FuzzExtractZlib -fuzztime=10s ./pkg/archive/
+	go test -timeout 0 -fuzz=FuzzExtractZstd -fuzztime=10s ./pkg/archive/
 	go test -timeout 0 -fuzz=FuzzFile -fuzztime=30s ./pkg/programkind/
 	go test -timeout 0 -fuzz=FuzzGetExt -fuzztime=10s ./pkg/programkind/
 	go test -timeout 0 -fuzz=FuzzIsValidPath -fuzztime=10s ./pkg/archive/
 	go test -timeout 0 -fuzz=FuzzLongestUnique -fuzztime=10s ./pkg/report/
 	go test -timeout 0 -fuzz=FuzzMatchToString -fuzztime=10s ./pkg/report/
 	go test -timeout 0 -fuzz=FuzzPath -fuzztime=10s ./pkg/programkind/
+	go test -timeout 0 -fuzz=FuzzRecursiveCompile -fuzztime=10s ./pkg/compile/
+	go test -timeout 0 -fuzz=FuzzRemoveRules -fuzztime=10s ./pkg/compile/
+	go test -timeout 0 -fuzz=FuzzRenderDifferential -fuzztime=10s ./pkg/render/
+	go test -timeout 0 -fuzz=FuzzReportLoad -fuzztime=10s ./pkg/report/
 	go test -timeout 0 -fuzz=FuzzStringPoolAtomic -fuzztime=10s ./pkg/report/
 	go test -timeout 0 -fuzz=FuzzStringPoolConcurrent -fuzztime=10s ./pkg/report/
 	go test -timeout 0 -fuzz=FuzzStringPoolIntern -fuzztime=10s ./pkg/report/

pkg/action/archive_test.go

@@ -1,3 +1,6 @@
+// Copyright 2024 Chainguard, Inc.
+// SPDX-License-Identifier: Apache-2.0
+
 package action
 
 import (

pkg/action/diff.go

@@ -10,7 +10,6 @@ import (
 	"maps"
 	"os"
 	"path/filepath"
-	"runtime"
 	"slices"
 	"sort"
 	"strings"
@@ -19,7 +18,6 @@ import (
 	"github.com/chainguard-dev/malcontent/pkg/archive"
 	"github.com/chainguard-dev/malcontent/pkg/file"
 	"github.com/chainguard-dev/malcontent/pkg/malcontent"
-	"github.com/chainguard-dev/malcontent/pkg/pool"
 	"github.com/chainguard-dev/malcontent/pkg/programkind"
 	"github.com/chainguard-dev/malcontent/pkg/report"
 	"github.com/egibs/reconcile/pkg/files"
@@ -222,10 +220,6 @@ func Diff(ctx context.Context, c malcontent.Config, _ *clog.Logger) (*malcontent
 		isReport bool
 	)
 
-	initReadPool.Do(func() {
-		readPool = pool.NewBufferPool(runtime.GOMAXPROCS(0))
-	})
-
 	if c.OCI {
 		srcPath, err = archive.OCI(ctx, srcPath, c.OCIAuth)
 		if err != nil {