fuzz: introduce continuous fuzzing for Caddy

[mohammed90]

1. What does this change do, exactly?

Introduce fuzzers to Caddy's codebase for continuous fuzzing on CI. Closes #2710 .

2. Please link to the relevant issues.

#2710

3. Which documentation changes (if any) need to be made because of this PR?

N/A

4. Checklist

• I have written tests and verified that they fail without my change
• I have squashed any insignificant commits
• This change has comments explaining package types, values, functions, and non-obvious lines of code
• I am willing to help maintain this change if there are issues with it later

[mholt]

This is looking pretty good. What's the status of the draft at this point?

[mholt]

Does the fuzzer need to be its own module? AFAIK, having multiple modules in a repository can cause complications in some cases.

[mohammed90]

Unfortunately, yes due to go-fuzz not yet being able to handle modules. Creating another module is a workaround as described by mvdan here. It will not work without it due to SIV /v2.

The only pain points I've been experiencing is the tendency of the tools to automatically adding the go-fuzz module to Caddy's go.mod and adding Caddy v1.0.3 to Caddy v2's go.sum. I had to keep an eye on them and constantly revert them.

[mholt]

Are we going to have to keep go.mod and go.sum maintained then, you think? Dang, I wish they'd make it work with modules... this might be kind of annoying.

[mohammed90]

I'm not sure. Do you think this is a bug? Should it modify the root go.mod and go.sum with dependencies of the submodule?

[mohammed90]

It's ready for review. The only reason it's still marked as draft for now is because it needs one more commit to uncomment a few lines in the azure-pipelines.yml file and the badge in the README.

[mholt]

Okay, I have registered the Fuzzit API key with Azure Pipelines and uploaded the targets to Fuzzit. It should be ready to go I think!

[mholt]

The pipeline is ready to go. This PR looks good, just uncomment the env var bit and I'll probably approve this PR when the fuzzing works in CI. :)

[mholt]

Are we going to have to keep go.mod and go.sum maintained then, you think? Dang, I wish they'd make it work with modules... this might be kind of annoying.

[mholt]

Waiting on dvyukov/go-fuzz#263

[mholt]

Now I guess we're waiting on dvyukov/go-fuzz#274 ?

[mohammed90]

Now I guess we're waiting on dvyukov/go-fuzz#274 ?

For perfect solution? yes, I presume. However, mvdan is in the same boat as us, and he was able to do it without the temporary GOPATH (but still with the submodule) in this commit. I'll fiddle with it again this coming weekend.

[mholt]

I really really don't want to do a submodule. I guess we can wait until they're ready to support modules.

[mohammed90]

Note for later in case I forget: once go-fuzz gets proper module support, I don't think we'll need the fuzz/ directory. Fuzzers' files can live next to their siblings within the modules they're fuzzing.

[thepudds]

Now that dvyukov/go-fuzz#274 is merged, I would be curious to hear if it works for you. ;-)

[mohammed90]

Azure Pipelines doesn't seem to support having a particular job on schedule while others triggered on PR, hence the condition.

[mohammed90]

@thepudds the latest go-fuzz works like a charm with modules. Thank you!

[mholt]

Great! Thanks so much for all the work you put into this, @mohammed90 !