{"id":21602771,"url":"https://github.com/codeintelligencetesting/c-cpp-demo","last_synced_at":"2025-08-01T02:15:00.296Z","repository":{"id":58888054,"uuid":"534349673","full_name":"CodeIntelligenceTesting/c-cpp-demo","owner":"CodeIntelligenceTesting","description":"A C/C++ CMake project","archived":false,"fork":false,"pushed_at":"2023-10-04T13:36:04.000Z","size":13,"stargazers_count":2,"open_issues_count":5,"forks_count":15,"subscribers_count":5,"default_branch":"main","last_synced_at":"2025-03-25T00:04:44.356Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"C++","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/CodeIntelligenceTesting.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-09-08T18:45:32.000Z","updated_at":"2023-03-07T23:49:43.000Z","dependencies_parsed_at":"2024-11-24T19:14:24.790Z","dependency_job_id":"fc5bd1f4-9241-4720-8a3e-5a80cd5a38b9","html_url":"https://github.com/CodeIntelligenceTesting/c-cpp-demo","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CodeIntelligenceTesting%2Fc-cpp-demo","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CodeIntelligenceTesting%2Fc-cpp-demo/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CodeIntelligenceTesting%2Fc-cpp-demo/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CodeIntelligenceTesting%2Fc-cpp-demo/manifests","owner_url":"https://r
epos.ecosyste.ms/api/v1/hosts/GitHub/owners/CodeIntelligenceTesting","download_url":"https://codeload.github.com/CodeIntelligenceTesting/c-cpp-demo/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248330067,"owners_count":21085649,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-24T19:14:17.131Z","updated_at":"2025-04-11T02:35:14.789Z","avatar_url":"https://github.com/CodeIntelligenceTesting.png","language":"C++","readme":"\u003ca href=\"https://www.code-intelligence.com/\"\u003e\n\u003cimg src=\"https://www.code-intelligence.com/hubfs/Logos/CI%20Logos/Logo_quer_white.png\" alt=\"Code Intelligence logo\" width=\"450px\"\u003e\n\u003c/a\u003e\n\n# Testing C/C++ for Security and Reliability\nBuilding robust C/C++ applications is a highly challenging endeavor that requires thorough testing.\nWhile C/C++ enables us to write high-performance code, the memory-unsafe nature of the language\nbrings a broad spectrum of security risks. Memory corruption issues constitute the vast majority of\nbugs and security vulnerabilities found in C/C++ projects, and their impact is best demonstrated by the\n[Heartbleed](https://en.wikipedia.org/wiki/Heartbleed) bug in OpenSSL.\nAlthough regular unit and integration tests are essential to test that our code functions correctly,\nthey are not enough to uncover memory-corruption bugs. 
\nOn the other hand, fuzz testing has established itself as the best practical method to find these\nissues in large code bases such as Google Chrome.\n\nIn this example, we demonstrate how you can integrate fuzz testing into your CMake projects.\nThis is enabled by the CMake integration provided by CI Fuzz.\n\n# C/C++ demo\nThe demo is a C++ CMake project that demonstrates two types of memory-corruption issues:\na buffer overflow and a use-after-free issue. These bugs can only be triggered with specific\ninputs. This means that a black-box approach is extremely unlikely to trigger them.\nHere, we demonstrate how you can create fuzz tests and integrate them into your CMake\nproject and how you can use CI Fuzz to run them and find the bugs.\n\n## Develop Fuzz Tests\n\nTo add a fuzz test, you should define a function that has the following signature:\n\n```c++\nFUZZ_TEST(const uint8_t *data, size_t size) {\n  // Do something interesting with inputs generated by CI Fuzz.\n}\n```\nCI Fuzz will then execute this method in a loop and in each iteration provide new inputs that maximize\ncode coverage and trigger interesting behavior in your application.\n\nCI Fuzz provides an `add_fuzz_test` CMake command that you can use to add your fuzz tests\nto your CMake project. This command behaves exactly like the usual `add_executable` command, and you can\nconfigure dependencies and include paths as you would do with an executable target.\n\n## Run Fuzz Tests\n1. (Once) Install the command line interface named `cifuzz`. 
You can get the\n   [latest release from GitHub](https://github.com/CodeIntelligenceTesting/cifuzz/releases/latest)\n   or by running our install script:\n\n    ```shell\n    sh -c \"$(curl -fsSL https://raw.githubusercontent.com/CodeIntelligenceTesting/cifuzz/main/install.sh)\"\n    ```\n   If you are using Windows, you can download the [latest release](https://github.com/CodeIntelligenceTesting/cifuzz/releases/latest/download/cifuzz_installer_windows.exe)\n   and execute it.\n2. Log in to our [CI App](https://app.code-intelligence.com/):\n\n    ```shell\n    cifuzz login\n    ```\n   This will create an API access token that `cifuzz` uses to communicate with the CI App.\n   When logged in, `cifuzz` can provide more details about the findings, including severity.\n   You will also be able to run your tests at scale in our SaaS.\n\n3. Run the fuzz test with CI Fuzz. For that you just need to provide the test class containing the fuzz test.\n   ```shell\n   \u003e cifuzz run heap_buffer_overflow_test\n   ▄  Build in progress... Done.
\n   Running heap_buffer_overflow_test\n   Storing generated corpus in .cifuzz-corpus/heap_buffer_overflow_test\n   Starting from an empty corpus\n\n   Use 'cifuzz finding \u003cfinding name\u003e' for details on a finding.\n\n   💥 [prickly_hare] heap buffer overflow in heap_buffer_overflow (src/heap_buffer_overflow.cpp:17:5)\n\n   Note: The reproducing inputs have been copied to the seed corpus at:\n\n       heap_buffer_overflow_test_inputs/prickly_hare\n\n   They will now be used as a seed input for all runs of the fuzz test,\n   including remote runs with artifacts created via 'cifuzz bundle' and\n   regression tests. 
For more information on regression tests, see:\n\n       https://github.com/CodeIntelligenceTesting/cifuzz/blob/main/docs/Regression-Testing.md\n\n   Execution time: 2s\n   Average exec/s: 1060290\n   Findings:       1\n   Corpus entries: 9 (+9)\n   ```\n4. You can check the finding details as follows:\n   ```shell\n   cifuzz finding prickly_hare\n   ```\n5. You can also check the code covered by CI Fuzz:\n   ```shell\n   cifuzz coverage heap_buffer_overflow_test\n   Building heap_buffer_overflow_test\n   ▀ Build in progress... Done.
\n   Running heap_buffer_overflow_test on corpus\n\n   ✅ Coverage Report:\n                                File | Functions Hit/Found |  Lines Hit/Found | Branches Hit/Found\n        src/heap_buffer_overflow.cpp |      1 / 1 (100.0%) | 11 / 11 (100.0%) |   17 / 18  (94.4%)\n   src/heap_buffer_overflow_test.cpp |      2 / 2 (100.0%) |   4 / 4 (100.0%) |     0 / 0 (100.0%)\n                                     |                     |                  |                   \n                                     | Functions Hit/Found |  Lines Hit/Found | Branches Hit/Found\n                               Total |               3 / 3 |          15 / 15 |            17 / 18\n   ```\n   In addition, you also get an `lcov` coverage report that you can view in your browser.\n   Looking at the coverage report helps you understand the testing progress and see the code\n   areas that CI Fuzz has not yet covered. This is valuable so that you can improve and optimize\n   your tests.\n\n# Conclusion\nIn this short tutorial, we have shown how to use CI Fuzz to test your C/C++ CMake project.\n`cifuzz` offers many more features, and if you are interested, simply run `cifuzz help`.","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcodeintelligencetesting%2Fc-cpp-demo","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcodeintelligencetesting%2Fc-cpp-demo","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcodeintelligencetesting%2Fc-cpp-demo/lists"}