⚠️ Remove OneFuzz from fuzzing checks (#3666)

This is removed because OneFuzz has been archived https://github.com/microsoft/onefuzz

Signed-off-by: David Korczynski <david@adalogics.com>

checks/evaluation/fuzzing.go

@@ -24,7 +24,6 @@ import (
 	"github.com/ossf/scorecard/v4/probes/fuzzedWithGoNative"
 	"github.com/ossf/scorecard/v4/probes/fuzzedWithJavaJazzerFuzzer"
 	"github.com/ossf/scorecard/v4/probes/fuzzedWithOSSFuzz"
-	"github.com/ossf/scorecard/v4/probes/fuzzedWithOneFuzz"
 	"github.com/ossf/scorecard/v4/probes/fuzzedWithPropertyBasedHaskell"
 	"github.com/ossf/scorecard/v4/probes/fuzzedWithPropertyBasedJavascript"
 	"github.com/ossf/scorecard/v4/probes/fuzzedWithPropertyBasedTypescript"
@@ -47,7 +46,6 @@ func Fuzzing(name string,
 		fuzzedWithRustCargofuzz.Probe,
 		fuzzedWithSwiftLibFuzzer.Probe,
 		fuzzedWithJavaJazzerFuzzer.Probe,
-		fuzzedWithOneFuzz.Probe,
 		fuzzedWithOSSFuzz.Probe,
 		fuzzedWithPropertyBasedHaskell.Probe,
 		fuzzedWithPropertyBasedJavascript.Probe,

checks/evaluation/fuzzing_test.go

@@ -64,10 +64,6 @@ func TestFuzzing(t *testing.T) {
 					Probe:   "fuzzedWithJavaJazzerFuzzer",
 					Outcome: finding.OutcomeNegative,
 				},
-				{
-					Probe:   "fuzzedWithOneFuzz",
-					Outcome: finding.OutcomeNegative,
-				},
 				{
 					Probe:   "fuzzedWithOSSFuzz",
 					Outcome: finding.OutcomeNegative,
@@ -87,7 +83,7 @@ func TestFuzzing(t *testing.T) {
 			},
 			result: scut.TestReturn{
 				Score:        checker.MinResultScore,
-				NumberOfWarn: 13,
+				NumberOfWarn: 12,
 			},
 		},
 		{
@@ -125,10 +121,6 @@ func TestFuzzing(t *testing.T) {
 					Probe:   "fuzzedWithJavaJazzerFuzzer",
 					Outcome: finding.OutcomeNegative,
 				},
-				{
-					Probe:   "fuzzedWithOneFuzz",
-					Outcome: finding.OutcomeNegative,
-				},
 				{
 					Probe:   "fuzzedWithOSSFuzz",
 					Outcome: finding.OutcomeNegative,
@@ -159,10 +151,6 @@ func TestFuzzing(t *testing.T) {
 					Probe:   "fuzzedWithClusterFuzzLite",
 					Outcome: finding.OutcomeNegative,
 				},
-				{
-					Probe:   "fuzzedWithOneFuzz",
-					Outcome: finding.OutcomeNegative,
-				},
 				{
 					Probe:   "fuzzedWithOSSFuzz",
 					Outcome: finding.OutcomeNegative,
@@ -196,10 +184,6 @@ func TestFuzzing(t *testing.T) {
 					Probe:   "fuzzedWithGoNative",
 					Outcome: finding.OutcomePositive,
 				},
-				{
-					Probe:   "fuzzedWithOneFuzz",
-					Outcome: finding.OutcomeNegative,
-				},
 				{
 					Probe:   "fuzzedWithOSSFuzz",
 					Outcome: finding.OutcomeNegative,

checks/fuzzing_test.go

@@ -53,7 +53,7 @@ func TestFuzzing(t *testing.T) {
 			wantErr: false,
 			expected: scut.TestReturn{
 				Error:         nil,
-				NumberOfWarn:  13,
+				NumberOfWarn:  12,
 				NumberOfDebug: 0,
 				NumberOfInfo:  0,
 				Score:         0,
@@ -110,7 +110,7 @@ func TestFuzzing(t *testing.T) {
 			wantFuzzErr: false,
 			expected: scut.TestReturn{
 				Error:         nil,
-				NumberOfWarn:  13,
+				NumberOfWarn:  12,
 				NumberOfDebug: 0,
 				NumberOfInfo:  0,
 				Score:         0,
@@ -121,7 +121,7 @@ func TestFuzzing(t *testing.T) {
 			wantFuzzErr: true,
 			expected: scut.TestReturn{
 				Error:         nil,
-				NumberOfWarn:  13,
+				NumberOfWarn:  12,
 				NumberOfDebug: 0,
 				NumberOfInfo:  0,
 				Score:         0,

checks/raw/fuzzing.go

@@ -30,7 +30,6 @@ import (
 const (
 	fuzzerOSSFuzz                 = "OSSFuzz"
 	fuzzerClusterFuzzLite         = "ClusterFuzzLite"
-	oneFuzz                       = "OneFuzz"
 	fuzzerBuiltInGo               = "GoBuiltInFuzzer"
 	fuzzerPropertyBasedHaskell    = "HaskellPropertyBasedTesting"
 	fuzzerPropertyBasedJavaScript = "JavaScriptPropertyBasedTesting"
@@ -181,21 +180,6 @@ func Fuzzing(c *checker.CheckRequest) (checker.FuzzingData, error) {
 		)
 	}
 
-	usingOneFuzz, e := checkOneFuzz(c)
-	if e != nil {
-		return checker.FuzzingData{}, fmt.Errorf("%w", e)
-	}
-	if usingOneFuzz {
-		fuzzers = append(fuzzers,
-			checker.Tool{
-				Name: oneFuzz,
-				URL:  asPointer("https://github.com/microsoft/onefuzz"),
-				Desc: asPointer("Enables continuous developer-driven fuzzing to proactively harden software prior to release."),
-				// TODO: File.
-			},
-		)
-	}
-
 	usingOSSFuzz, e := checkOSSFuzz(c)
 	if e != nil {
 		return checker.FuzzingData{}, fmt.Errorf("%w", e)
@@ -251,22 +235,6 @@ func checkCFLite(c *checker.CheckRequest) (bool, error) {
 	return result, nil
 }
 
-func checkOneFuzz(c *checker.CheckRequest) (bool, error) {
-	result := false
-	e := fileparser.OnMatchingFileContentDo(c.RepoClient, fileparser.PathMatcher{
-		Pattern:       "^\\.onefuzz$",
-		CaseSensitive: true,
-	}, func(path string, content []byte, args ...interface{}) (bool, error) {
-		result = true
-		return false, nil
-	}, nil)
-	if e != nil {
-		return result, fmt.Errorf("%w", e)
-	}
-
-	return result, nil
-}
-
 func checkOSSFuzz(c *checker.CheckRequest) (bool, error) {
 	if c.OssFuzzRepo == nil {
 		return false, nil

checks/raw/fuzzing_test.go

@@ -103,65 +103,6 @@ func Test_checkOSSFuzz(t *testing.T) {
 	}
 }
 
-// Test_checkOneFuzz is a test function for checkOneFuzz.
-func Test_checkOneFuzz(t *testing.T) {
-	t.Parallel()
-	//nolint
-	tests := []struct {
-		name     string
-		want     bool
-		wantErr  bool
-		fileName []string
-	}{
-		{
-			name:     "Test_checkOneFuzz success",
-			want:     true,
-			wantErr:  false,
-			fileName: []string{".onefuzz"},
-		},
-		{
-			name:     "Test_checkOneFuzz not found",
-			want:     false,
-			wantErr:  false,
-			fileName: []string{},
-		},
-		{
-			name:     "Test_checkOneFuzz failure",
-			want:     false,
-			wantErr:  true,
-			fileName: []string{".onefuzz"},
-		},
-	}
-	for _, tt := range tests {
-		tt := tt
-		t.Run(tt.name, func(t *testing.T) {
-			t.Parallel()
-			ctrl := gomock.NewController(t)
-			defer ctrl.Finish()
-			mockFuzz := mockrepo.NewMockRepoClient(ctrl)
-			mockFuzz.EXPECT().ListFiles(gomock.Any()).Return(tt.fileName, nil).AnyTimes()
-			mockFuzz.EXPECT().GetFileContent(gomock.Any()).DoAndReturn(func(f string) (string, error) {
-				if tt.wantErr {
-					//nolint
-					return "", errors.New("error")
-				}
-				return "", nil
-			}).AnyTimes()
-			req := checker.CheckRequest{
-				RepoClient: mockFuzz,
-			}
-			got, err := checkOneFuzz(&req)
-			if (err != nil) != tt.wantErr {
-				t.Errorf("checkOneFuzz() error = %v, wantErr %v", err, tt.wantErr)
-				return
-			}
-			if got != tt.want {
-				t.Errorf("checkOneFuzz() = %v, want %v for test %v", got, tt.want, tt.name)
-			}
-		})
-	}
-}
-
 // Test_checkCFLite is a test function for checkCFLite.
 func Test_checkCFLite(t *testing.T) {
 	t.Parallel()

docs/checks.md

@@ -342,7 +342,6 @@ This check tries to determine if the project uses
    - currently only supports [Go fuzzing](https://go.dev/doc/fuzz/),
    - a limited set of property-based testing libraries for Haskell including [QuickCheck](https://hackage.haskell.org/package/QuickCheck), [Hedgehog](https://hedgehog.qa/), [validity](https://hackage.haskell.org/package/validity) or [SmallCheck](https://hackage.haskell.org/package/smallcheck),
    - a limited set of property-based testing libraries for JavaScript and TypeScript including [fast-check](https://fast-check.dev/).
-4. if it contains a [OneFuzz](https://github.com/microsoft/onefuzz) integration [detection file](https://github.com/microsoft/onefuzz/blob/main/docs/getting-started.md#detecting-the-use-of-onefuzz);
 
 Fuzzing, or fuzz testing, is the practice of feeding unexpected or random data
 into a program to expose bugs. Regular fuzzing is important to detect

docs/checks/internal/checks.yaml

@@ -402,7 +402,6 @@ checks:
          - currently only supports [Go fuzzing](https://go.dev/doc/fuzz/),
          - a limited set of property-based testing libraries for Haskell including [QuickCheck](https://hackage.haskell.org/package/QuickCheck), [Hedgehog](https://hedgehog.qa/), [validity](https://hackage.haskell.org/package/validity) or [SmallCheck](https://hackage.haskell.org/package/smallcheck),
          - a limited set of property-based testing libraries for JavaScript and TypeScript including [fast-check](https://fast-check.dev/).
-      4. if it contains a [OneFuzz](https://github.com/microsoft/onefuzz) integration [detection file](https://github.com/microsoft/onefuzz/blob/main/docs/getting-started.md#detecting-the-use-of-onefuzz);
 
       Fuzzing, or fuzz testing, is the practice of feeding unexpected or random data
       into a program to expose bugs. Regular fuzzing is important to detect

e2e/fuzzing_test.go

@@ -192,7 +192,7 @@ var _ = Describe("E2E TEST:"+checks.CheckFuzzing, func() {
 			expected := scut.TestReturn{
 				Error:         nil,
 				Score:         checker.MinResultScore,
-				NumberOfWarn:  13,
+				NumberOfWarn:  12,
 				NumberOfInfo:  0,
 				NumberOfDebug: 0,
 			}

probes/entries.go

@@ -24,7 +24,6 @@ import (
 	"github.com/ossf/scorecard/v4/probes/fuzzedWithGoNative"
 	"github.com/ossf/scorecard/v4/probes/fuzzedWithJavaJazzerFuzzer"
 	"github.com/ossf/scorecard/v4/probes/fuzzedWithOSSFuzz"
-	"github.com/ossf/scorecard/v4/probes/fuzzedWithOneFuzz"
 	"github.com/ossf/scorecard/v4/probes/fuzzedWithPropertyBasedHaskell"
 	"github.com/ossf/scorecard/v4/probes/fuzzedWithPropertyBasedJavascript"
 	"github.com/ossf/scorecard/v4/probes/fuzzedWithPropertyBasedTypescript"
@@ -73,7 +72,6 @@ var (
 	}
 	Fuzzing = []ProbeImpl{
 		fuzzedWithOSSFuzz.Run,
-		fuzzedWithOneFuzz.Run,
 		fuzzedWithGoNative.Run,
 		fuzzedWithPythonAtheris.Run,
 		fuzzedWithCLibFuzzer.Run,

probes/fuzzedWithOneFuzz/def.yml

@@ -1,32 +0,0 @@
-# Copyright 2023 OpenSSF Scorecard Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#      http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-id: fuzzedWithOneFuzz
-short: Check that the project is fuzzed using OneFuzz
-motivation: >
-  Fuzzing, or fuzz testing, is the practice of feeding unexpected or random data into a program to expose bugs.
-  Regular fuzzing is important to detect vulnerabilities that may be exploited by others, especially since attackers can also use fuzzing to find the same flaws.
-implementation: >
- The implementation checks if the file '.onefuzz' is present in the source code files.
-outcome:
-  - If the file is found, one finding is returned with OutcomePositive (1).
-  - If the file is not found, one finding with OutcomeNegative (0) is returned.
-remediation:
-  effort: High
-  text:
-    - Follow the steps in https://github.com/microsoft/onefuzz to start fuzzing for your project.
-    - Over time, try to add fuzzing for more functionalities of your project.
-  markdown:
-    - Follow the steps in [https://github.com/microsoft/onefuzz](https://github.com/microsoft/onefuzz) to start fuzzing for your project.
-    - Over time, try to add fuzzing for more functionalities of your project.

probes/fuzzedWithOneFuzz/impl.go

@@ -1,39 +0,0 @@
-// Copyright 2023 OpenSSF Scorecard Authors
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//      http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-// nolint:stylecheck
-package fuzzedWithOneFuzz
-
-import (
-	"embed"
-	"fmt"
-
-	"github.com/ossf/scorecard/v4/checker"
-	"github.com/ossf/scorecard/v4/finding"
-	"github.com/ossf/scorecard/v4/probes/internal/utils/fuzzing"
-	"github.com/ossf/scorecard/v4/probes/internal/utils/uerror"
-)
-
-//go:embed *.yml
-var fs embed.FS
-
-var Probe = "fuzzedWithOneFuzz"
-
-func Run(raw *checker.RawResults) ([]finding.Finding, string, error) {
-	if raw == nil {
-		return nil, "", fmt.Errorf("%w: raw", uerror.ErrNil)
-	}
-	//nolint:wrapcheck
-	return fuzzing.Run(raw, fs, Probe, "OneFuzz")
-}

probes/fuzzedWithOneFuzz/impl_test.go

@@ -1,144 +0,0 @@
-// Copyright 2023 OpenSSF Scorecard Authors
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//      http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-// nolint:stylecheck
-package fuzzedWithOneFuzz
-
-import (
-	"testing"
-
-	"github.com/google/go-cmp/cmp"
-	"github.com/google/go-cmp/cmp/cmpopts"
-
-	"github.com/ossf/scorecard/v4/checker"
-	"github.com/ossf/scorecard/v4/finding"
-	"github.com/ossf/scorecard/v4/probes/internal/utils/uerror"
-)
-
-func Test_Run(t *testing.T) {
-	t.Parallel()
-	// nolint:govet
-	tests := []struct {
-		name     string
-		raw      *checker.RawResults
-		outcomes []finding.Outcome
-		err      error
-	}{
-		{
-			name: "fuzzer present",
-			raw: &checker.RawResults{
-				FuzzingResults: checker.FuzzingData{
-					Fuzzers: []checker.Tool{
-						{
-							Name: "OneFuzz",
-						},
-					},
-				},
-			},
-			outcomes: []finding.Outcome{
-				finding.OutcomePositive,
-			},
-		},
-		{
-			name: "fuzzer present twice",
-			raw: &checker.RawResults{
-				FuzzingResults: checker.FuzzingData{
-					Fuzzers: []checker.Tool{
-						{
-							Name: "OneFuzz",
-						},
-						{
-							Name: "OneFuzz",
-						},
-					},
-				},
-			},
-			outcomes: []finding.Outcome{
-				finding.OutcomePositive,
-				finding.OutcomePositive,
-			},
-		},
-		{
-			name: "fuzzer present and other present",
-			raw: &checker.RawResults{
-				FuzzingResults: checker.FuzzingData{
-					Fuzzers: []checker.Tool{
-						{
-							Name: "OneFuzz",
-						},
-						{
-							Name: "not-OneFuzz",
-						},
-					},
-				},
-			},
-			outcomes: []finding.Outcome{
-				finding.OutcomePositive,
-			},
-		},
-		{
-			name: "fuzzer not present",
-			raw: &checker.RawResults{
-				FuzzingResults: checker.FuzzingData{
-					Fuzzers: []checker.Tool{
-						{
-							Name: "not-OneFuzz",
-						},
-					},
-				},
-			},
-			outcomes: []finding.Outcome{
-				finding.OutcomeNegative,
-			},
-		},
-		{
-			name: "no fuzzer",
-			raw:  &checker.RawResults{},
-			outcomes: []finding.Outcome{
-				finding.OutcomeNegative,
-			},
-		},
-		{
-			name: "nil raw",
-			err:  uerror.ErrNil,
-		},
-	}
-	for _, tt := range tests {
-		tt := tt // Re-initializing variable so it is not changed while executing the closure below
-		t.Run(tt.name, func(t *testing.T) {
-			t.Parallel()
-
-			findings, s, err := Run(tt.raw)
-			if !cmp.Equal(tt.err, err, cmpopts.EquateErrors()) {
-				t.Errorf("mismatch (-want +got):\n%s", cmp.Diff(tt.err, err, cmpopts.EquateErrors()))
-			}
-			if err != nil {
-				return
-			}
-			if diff := cmp.Diff(Probe, s); diff != "" {
-				t.Errorf("mismatch (-want +got):\n%s", diff)
-			}
-			if diff := cmp.Diff(len(tt.outcomes), len(findings)); diff != "" {
-				t.Errorf("mismatch (-want +got):\n%s", diff)
-			}
-			for i := range tt.outcomes {
-				outcome := &tt.outcomes[i]
-				f := &findings[i]
-				if diff := cmp.Diff(*outcome, f.Outcome); diff != "" {
-					t.Errorf("mismatch (-want +got):\n%s", diff)
-				}
-			}
-		})
-	}
-}