{"id":21594759,"url":"https://github.com/ispras/casr","last_synced_at":"2025-04-12T19:48:48.707Z","repository":{"id":61818518,"uuid":"549687148","full_name":"ispras/casr","owner":"ispras","description":"Collect crash (or UndefinedBehaviorSanitizer error) reports, triage, and estimate severity.","archived":false,"fork":false,"pushed_at":"2025-04-08T15:49:28.000Z","size":39999,"stargazers_count":304,"open_issues_count":5,"forks_count":29,"subscribers_count":7,"default_branch":"master","last_synced_at":"2025-04-12T19:48:12.242Z","etag":null,"topics":["afl","aflplusplus","apport","appsec","coredump","crash","crash-reporting","devsecops","dynamic-analysis","exploitable","fuzzing","gdb","libfuzzer","rust","sdl","security","ssdlc","testing","triage","vulnerability-management"],"latest_commit_sha":null,"homepage":"","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ispras.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2022-10-11T15:19:26.000Z","updated_at":"2025-04-08T15:49:31.000Z","dependencies_parsed_at":"2024-04-23T15:47:43.023Z","dependency_job_id":null,"html_url":"https://github.com/ispras/casr","commit_stats":{"total_commits":95,"total_committers":5,"mean_commits":19.0,"dds":0.5473684210526315,"last_synced_commit":"f1488707ff412a058fe98ad7383468c143279fa3"},"previous_names":[],"tags_count":17,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ispras%2Fcasr","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ispras%2Fcasr/tags","releases_url":
"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ispras%2Fcasr/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ispras%2Fcasr/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ispras","download_url":"https://codeload.github.com/ispras/casr/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248625501,"owners_count":21135513,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["afl","aflplusplus","apport","appsec","coredump","crash","crash-reporting","devsecops","dynamic-analysis","exploitable","fuzzing","gdb","libfuzzer","rust","sdl","security","ssdlc","testing","triage","vulnerability-management"],"created_at":"2024-11-24T17:19:36.429Z","updated_at":"2025-04-12T19:48:48.699Z","avatar_url":"https://github.com/ispras.png","language":"Rust","readme":"[![Crates.io](https://img.shields.io/crates/v/casr)](https://crates.io/crates/casr)\n[![Documentation](https://docs.rs/libcasr/badge.svg)](https://docs.rs/libcasr)\n[![codecov](https://codecov.io/github/ispras/casr/graph/badge.svg?token=D9VY1WRWA7)](https://app.codecov.io/github/ispras/casr)\n[![License](https://img.shields.io/badge/License-Apache_2.0-blue.svg)](https://github.com/ispras/casr/blob/master/LICENSE)\n\n[![amd64](https://github.com/ispras/casr/actions/workflows/amd64.yml/badge.svg?branch=master)](https://github.com/ispras/casr/actions/workflows/amd64.yml)\n[![aarch64](https://github.com/ispras/casr/actions/workflows/aarch64.yml/badge.svg?branch=master)](https://github.com/ispras/casr/acti
ons/workflows/aarch64.yml)\n[![riscv64](https://github.com/ispras/casr/actions/workflows/riscv64.yml/badge.svg?branch=master)](https://github.com/ispras/casr/actions/workflows/riscv64.yml)\n[![darwin-arm64](https://github.com/ispras/casr/actions/workflows/darwin-arm64.yml/badge.svg?branch=master)](https://github.com/ispras/casr/actions/workflows/darwin-arm64.yml)\n[![fuzzing](https://github.com/ispras/casr/actions/workflows/fuzzing.yml/badge.svg?branch=master)](https://github.com/ispras/casr/actions/workflows/fuzzing.yml)\n\n# CASR: Crash Analysis and Severity Report\n\nCASR \u0026ndash; collect crash (or UndefinedBehaviorSanitizer error) reports, triage, and estimate severity.\nIt is based on ideas from [exploitable](https://github.com/jfoote/exploitable) and\n[apport](https://github.com/canonical/apport).\n\nCASR is maintained by:\n\n* [Andrey Fedotov](https://github.com/anfedotoff) \\\u003csplashgitar@gmail.com\\\u003e\n* [Alexey Vishnyakov](https://github.com/SweetVishnya) \\\u003cpmvishnya@gmail.com\\\u003e\n* [Georgy Savidov](https://github.com/Avgor46) \\\u003cavgor46@ispras.ru\\\u003e\n* [Ilya Yegorov](https://github.com/hkctkuy) \\\u003chkctkuy@gmail.com\\\u003e\n* [Darya Parygina](https://github.com/PaDarochek) \\\u003cpa_darochek@ispras.ru\\\u003e\n\n## Overview\n\nCASR is a set of tools that allows you to collect crash reports in different\nways. Use `casr-core` binary to deal with coredumps. Use `casr-san` to analyze\nASAN reports or `casr-ubsan` to analyze UBSAN reports. Try `casr-gdb` to get\nreports from gdb. Use `casr-python` to analyze python reports and get report\nfrom [Atheris](https://github.com/google/atheris). Use `casr-java` to analyze\njava reports and get report from\n[Jazzer](https://github.com/CodeIntelligenceTesting/jazzer). Use `casr-js` to\nanalyze JavaScript reports and get report from\n[Jazzer.js](https://github.com/CodeIntelligenceTesting/jazzer.js) or\n[jsfuzz](https://github.com/fuzzitdev/jsfuzz). 
Use `casr-csharp` to analyze C#\nreports and get report from [Sharpfuzz](https://github.com/Metalnem/sharpfuzz).\nUse `casr-lua` to analyze Lua reports.\n\nA crash report contains a lot of useful information: severity (like [exploitable](https://github.com/jfoote/exploitable))\nfor x86, x86\\_64, arm32, aarch64, rv32g, rv64g architectures,\nOS and package versions, command line, stack trace, register values,\ndisassembly, and even the source code fragment where the crash occurred. Reports are\nstored in JSON format. `casr-cli` provides a TUI for viewing reports\nand converting them into a SARIF report.\nReport triage (deduplication, clustering) is done by `casr-cluster`.\nTriage is based on stack trace comparison from [gdb-command](https://github.com/anfedotoff/gdb-command).\n`casr-afl` is used to triage crashes found by [AFL++](https://github.com/AFLplusplus/AFLplusplus)\nand AFL-based fuzzer [Sharpfuzz](https://github.com/Metalnem/sharpfuzz).\n`casr-libfuzzer` can triage crashes found by\n[libFuzzer](https://www.llvm.org/docs/LibFuzzer.html) based fuzzer\n(C/C++/[go-fuzz](https://github.com/dvyukov/go-fuzz)/[Atheris](https://github.com/google/atheris)\n/[Jazzer](https://github.com/CodeIntelligenceTesting/jazzer)/[Jazzer.js](https://github.com/CodeIntelligenceTesting/jazzer.js)/\n[jsfuzz](https://github.com/fuzzitdev/jsfuzz)/[luzer](https://github.com/ligurio/luzer))\nor [LibAFL](https://github.com/AFLplusplus/LibAFL)\nbased [fuzzers](https://github.com/AFLplusplus/LibAFL/tree/main/fuzzers).\n`casr-dojo` allows you to upload new and unique CASR reports to\n[DefectDojo](https://github.com/DefectDojo/django-DefectDojo) (available with\n`dojo` feature).\n\nAn explanation of severity classes can be found [here](docs/classes.md).\nYou can take a closer look at usage details [here](docs/usage.md).\n\n![casr_report](docs/images/casr_report.png)\n\n![casr_dojo_finding](/docs/images/casr_dojo_finding.png)\n\n### LibCASR\n\nLibCASR provides an API for parsing stacktraces, collecting 
crash reports,\ntriaging crashes (deduplication and clustering), and estimating severity of\ncrashes.\n\nIt can analyze crashes from different sources:\n\n* AddressSanitizer\n* MemorySanitizer\n* UndefinedBehaviorSanitizer\n* Gdb output\n\nand programming languages:\n\n* C/C++\n* C#\n* Go\n* Java\n* JavaScript\n* Lua\n* Python\n* Rust\n\nIt can be built with the `exploitable` feature for severity estimation of crashes\ncollected from gdb. To save crash reports as JSON, use the `serde` feature.\n\n## Dependencies\n\nInstall runtime dependencies:\n\n    $ sudo apt install gdb lsb-release\n\nInstall build dependencies when building from source:\n\n    $ sudo apt install build-essential clang\n\nInstall [Rust](https://www.rust-lang.org/tools/install) or update existing Rust installation:\n\n    $ rustup update\n\n## Install\n\nDownload the latest Linux 64-bit\n[release](https://github.com/ispras/casr/releases/latest/download/casr-x86_64-unknown-linux-gnu.tar.xz)\nor build from source as explained below.\n\nN.B. Current MacOS support is experimental. Some Linux-based code like\n[exploitable](https://github.com/ispras/casr/blob/master/libcasr/src/gdb/exploitable.rs)\nand `casr-gdb` may not work properly. Further contributions are very much\nwelcomed here.\n\nBuild from Git repository:\n\n    $ git clone https://github.com/ispras/casr\n    $ cd casr\n    $ cargo update\n    $ cargo build --release\n\nOr you may just install Casr from [crates.io](https://crates.io/crates/casr):\n\n    $ cargo install casr\n\nAdd the `dojo` feature if you want to install `casr-dojo` (the same for `cargo build`):\n\n    $ cargo install -F dojo casr\n\n## Usage\n\n**Running in Docker:** CASR disables address randomization for better\ndeduplication and uses ptrace to run GDB. 
Thus, Docker should be started with\n`--cap-add=SYS_PTRACE --security-opt seccomp=unconfined`.\n\nCreate report from coredump:\n\n    $ casr-core -f casr/tests/casr_tests/bin/core.test_destAv -e casr/tests/casr_tests/bin/test_destAv -o destAv.casrep\n\nCreate report from AddressSanitizer output:\n\n    $ clang++ -fsanitize=address -O0 -g casr/tests/casr_tests/test_asan_df.cpp -o test_asan_df\n    $ casr-san -o asan.casrep -- ./test_asan_df\n\nCreate report from MemorySanitizer output:\n\n    $ clang++ -fsanitize=memory -O0 -g casr/tests/casr_tests/test_msan.cpp -o test_msan\n    $ casr-san -o msan.casrep -- ./test_msan\n\nCreate report from UndefinedBehaviorSanitizer output:\n\n    $ clang++ -fsanitize=undefined -O0 -g casr/tests/casr_tests/ubsan/test_ubsan.cpp -o test_ubsan\n    $ casr-ubsan -i casr/tests/casr_tests/ubsan/input1 -o output -- ./test_ubsan @@\n    $ casr-cli output\n\nCreate report from gdb:\n\n    $ casr-gdb -o destAv.gdb.casrep -- casr/tests/casr_tests/bin/test_destAv $(printf 'A%.s' {1..200})\n\nCreate report from python:\n\n    $ casr-python -o python.casrep -- casr/tests/casr_tests/python/test_casr_python.py\n\nCreate report from java:\n\n    $ casr-java -o java.casrep -- java casr/tests/casr_tests/java/Test1.java\n\nCreate report from JavaScript:\n\n    $ casr-js -o js.casrep -- node casr/tests/casr_tests/js/test_casr_js.js\n\nCreate report from C#:\n\n    $ casr-csharp -o csharp.casrep -- dotnet run --project casr/tests/casr_tests/csharp/test_casr_csharp/test_casr_csharp.csproj\n\nCreate report from Lua:\n\n    $ casr-lua -o lua.casrep -- casr/tests/casr_tests/lua/test_casr_lua.lua\n\nView report:\n\n    $ casr-cli casr/tests/casr_tests/casrep/test_clustering_san/load_fuzzer_crash-120697a7f5b87c03020f321c8526adf0f4bcc2dc.casrep\n\nView joint statistics about crash clusters:\n\n    $ casr-cli casr_reports\n\nConvert reports to SARIF report:\n\n    $ casr-cli --sarif out.sarif --tool libfuzzer --source-root /xlnt 
casr/tests/casr_tests/casrep/test_clustering_san\n\nCreate report for program that reads stdin:\n\n    $ casr-san --stdin seed -o san_bin.casrep -- ./san_bin\n\nDeduplicate reports:\n\n    $ casr-cluster -d casr/tests/casr_tests/casrep/test_clustering_gdb out-dedup\n\nCluster reports:\n\n    $ casr-cluster -c out-dedup out-cluster\n\nTriage crashes after AFL++ fuzzing with casr-afl:\n\n    $ cp casr/tests/casr_tests/bin/load_afl /tmp/load_afl\n    $ cp casr/tests/casr_tests/bin/load_sydr /tmp/load_sydr\n    $ casr-afl -i casr/tests/casr_tests/casrep/afl-out-xlnt -o casr/tests/tmp_tests_casr/casr_afl_out\n    $ # You may also additionally generate crash reports for uninstrumented binary with casr-gdb\n    $ casr-afl -i casr/tests/casr_tests/casrep/afl-out-xlnt -o casr/tests/tmp_tests_casr/casr_afl_out -- /tmp/load_sydr @@\n\nTriage crashes after Sharpfuzz fuzzing with casr-afl:\n\n    $ cp -r casr/tests/casr_tests/csharp/test_casr_afl_csharp /tmp/test_casr_afl_csharp\n    $ cp -r casr/tests/casr_tests/csharp/test_casr_afl_csharp_module /tmp/test_casr_afl_csharp_module\n    $ dotnet publish /tmp/test_casr_afl_csharp/test_casr_afl_csharp.csproj -c Debug -o /tmp/test_casr_afl_csharp/bin\n    $ casr-afl -i casr/tests/casr_tests/casrep/afl-out-sharpfuzz -o casr/tests/tmp_tests_casr/casr_afl_csharp_out\n    $ # You may force your own run arguments using --ignore-cmdline\n    $ casr-afl --ignore-cmdline -i casr/tests/casr_tests/casrep/afl-out-sharpfuzz -o casr/tests/tmp_tests_casr/casr_afl_csharp_out -- dotnet run --no-build --project /tmp/test_casr_afl_csharp/test_casr_afl_csharp.csproj @@\n    $ # If you use vanilla AFL for fuzzing with Sharpfuzz, force your own run arguments via -- \u003cARGS\u003e\n    $ casr-afl -i casr/tests/casr_tests/casrep/afl-out-sharpfuzz/afl_main-worker -o casr/tests/tmp_tests_casr/casr_afl_csharp_out -- dotnet run --no-build --project /tmp/test_casr_afl_csharp/test_casr_afl_csharp.csproj @@\n\nTriage libFuzzer crashes with casr-libfuzzer:\n\n  
  $ casr-libfuzzer -t 30 -i casr/tests/casr_tests/casrep/libfuzzer_crashes_xlnt -o casr/tests/tmp_tests_casr/casr_libfuzzer_out -- casr/tests/casr_tests/bin/load_fuzzer\n\nTriage Atheris crashes with casr-libfuzzer:\n\n    $ unzip casr/tests/casr_tests/python/ruamel.zip\n    $ casr-libfuzzer -i casr/tests/casr_tests/casrep/atheris_crashes_ruamel_yaml -o casr/tests/tmp_tests_casr/casr_libfuzzer_atheris_out -- casr/tests/casr_tests/python/yaml_fuzzer.py\n\nTriage Jazzer.js crashes with casr-libfuzzer (Jazzer.js installation [guide](https://github.com/CodeIntelligenceTesting/jazzer.js#quickstart)):\n\n    $ unzip casr/tests/casr_tests/js/xml2js.zip -d xml2js\n    $ mkdir -p casr/tests/tmp_tests_casr/xml2js_fuzzer_out\n    $ cp casr/tests/casr_tests/js/test_casr_libfuzzer_jazzer_js_xml2js.js casr/tests/tmp_tests_casr/xml2js_fuzzer_out/xml2js_fuzzer.js\n    $ sudo npm install xml2js\n    $ sudo npm install --save-dev @jazzer.js/core\n    $ casr-libfuzzer -i ./xml2js -o casr/tests/tmp_tests_casr/xml2js_fuzzer_out/out -- npx jazzer casr/tests/tmp_tests_casr/xml2js_fuzzer_out/xml2js_fuzzer.js\n\nTriage luzer crashes with casr-libfuzzer:\n\n    $ unzip casr/tests/casr_tests/lua/xml2lua.zip \u0026\u0026 cd xml2lua \u0026\u0026 luarocks --local build \u0026\u0026 cd .. \u0026\u0026 rm -rf xml2lua\n    $ git clone https://github.com/ligurio/luzer.git \u0026\u0026 cd luzer \u0026\u0026 luarocks --local build \u0026\u0026 cd .. 
\u0026\u0026 rm -rf luzer\n    $ eval $(luarocks path)\n    $ casr-libfuzzer -i casr/tests/casr_tests/casrep/luzer_crashes_xml2lua -o casr/tests/tmp_tests_casr/casr_libfuzzer_luzer_out -- casr/tests/casr_tests/lua/stdin_parse_xml.lua\n\nTriage LibAFL crashes with casr-libfuzzer:\n\n    $ casr-libfuzzer -i casr/tests/casr_tests/casrep/test_libafl_crashes -o casr/tests/tmp_tests_casr/casr_libafl_out -- casr/tests/casr_tests/bin/test_libafl_fuzzer @@\n\nUpload new and unique CASR reports to\n[DefectDojo](https://github.com/DefectDojo/django-DefectDojo):\n\n    $ echo '[product]' \u003e dojo.toml\n    $ echo 'name = \"xlnt\"' \u003e\u003e dojo.toml\n    $ echo '[engagement]' \u003e\u003e dojo.toml\n    $ echo \"name = \\\"load_fuzzer $(date -Isec)\\\"\" \u003e\u003e dojo.toml\n    $ echo '[test]' \u003e\u003e dojo.toml\n    $ echo 'test_type = \"CASR DAST Report\"' \u003e\u003e dojo.toml\n    $ casr-dojo -i casr/tests/casr_tests/casrep/test_clustering_san -u http://localhost:8080 -t 382f5dfdf2a339f7c3bb35442f9deb9b788a98d5 dojo.toml\n\n## Fuzzing Crash Triage Pipeline\n\nWhen you have crashes from fuzzing you may do the following steps:\n\n1. Create reports for all crashes via `casr-san`, `casr-gdb` (if no sanitizers\n   are present), `casr-python`, `casr-java`, `casr-js`, or `casr-csharp`.\n2. Deduplicate collected crash reports via `casr-cluster -d`.\n3. Cluster deduplicated crash reports via `casr-cluster -c`.\n4. Create reports and deduplicate them for all UBSAN errors via `casr-ubsan`.\n5. 
View reports from clusters using `casr-cli` or upload them to\n   [DefectDojo](https://github.com/DefectDojo/django-DefectDojo) with\n   `casr-dojo`.\n\nIf you use [AFL++](https://github.com/AFLplusplus/AFLplusplus) or AFL-based\nfuzzer [Sharpfuzz](https://github.com/Metalnem/sharpfuzz), the pipeline\n(without `casr-ubsan` and `casr-dojo`) can be done automatically by\n`casr-afl`.\n\nIf you use a [libFuzzer](https://www.llvm.org/docs/LibFuzzer.html) based fuzzer\n(C/C++/[go-fuzz](https://github.com/dvyukov/go-fuzz)/[Atheris](https://github.com/google/atheris)\n/[Jazzer](https://github.com/CodeIntelligenceTesting/jazzer)/[Jazzer.js](https://github.com/CodeIntelligenceTesting/jazzer.js)/\n[jsfuzz](https://github.com/fuzzitdev/jsfuzz)) or a [LibAFL](https://github.com/AFLplusplus/LibAFL) based fuzzer,\nthe pipeline (without `casr-ubsan` and `casr-dojo`) can be done automatically by `casr-libfuzzer`.\n\n## Contributing\n\nFeel free to open [issues](https://github.com/ispras/casr/issues) or [PRs](https://github.com/ispras/casr/pulls) (pay special attention to [help wanted](https://github.com/ispras/casr/issues?q=is%3Aopen+is%3Aissue+label%3A%22help+wanted%22) issues)! We appreciate your support!\n\nPlease follow these recommendations for your pull requests:\n\n- compile with *stable* rust\n- use `cargo fmt`\n- check the output of `cargo clippy --all-features --all --tests`\n- run tests `cargo test`\n- if you have updated usage of any casr tool, you could simply run\n  `update_usage.py` to change the `docs/usage.md` file properly\n\n## Cite Us\n\nSavidov G., Fedotov A. Casr-Cluster: Crash Clustering for Linux Applications. 2021 Ivannikov ISPRAS Open Conference (ISPRAS), IEEE, 2021, pp. 47-51. 
DOI: [10.1109/ISPRAS53967.2021.00012](https://www.doi.org/10.1109/ISPRAS53967.2021.00012) \\[[paper](https://arxiv.org/abs/2112.13719)\\] \\[[slides](https://sydr-fuzz.github.io/papers/casr-cluster.pdf)\\]\n\n```bibtex\n@inproceedings{savidov2021casr,\n  title = {{{Casr-Cluster}}: Crash Clustering for Linux Applications},\n  author = {Savidov, Georgy and Fedotov, Andrey},\n  booktitle = {2021 Ivannikov ISPRAS Open Conference (ISPRAS)},\n  pages = {47--51},\n  year = {2021},\n  organization = {IEEE},\n  doi = {10.1109/ISPRAS53967.2021.00012},\n}\n```\n\nAndrey Fedotov, Alexey Vishnyakov. CASR: Your Life Vest in a Sea of Crashes. OFFZONE 2023. \\[[slides](https://vishnya.xyz/mirror/casr-offzone2023.pdf)\\] \\[[russian\u0026nbsp;video](https://youtu.be/EgEeICZQD9M?si=hiFEwPmDqnh0cEq6)\\]\n\nYegorov I., Savidov G. Crash Report Accumulation During Continuous Fuzzing with CASR. Ivannikov Memorial Workshop 2024, IEEE, 2024. \\[[paper](https://arxiv.org/abs/2405.18174)\\] \\[[slides](https://sydr-fuzz.github.io/papers/crash-accumulation.pdf)\\] \\[[russian\u0026nbsp;video](https://www.youtube.com/live/xI1LQS3C7eQ?si=dHNdm4-nZFc2QdQf\u0026t=27620)\\]\n\n```bibtex\n@inproceedings{yegorov2024accum,\n  title = {Crash Report Accumulation During Continuous Fuzzing},\n  author = {Yegorov, Ilya and Savidov, Georgy},\n  booktitle = {Ivannikov Memorial Workshop 2024},\n  publisher = {IEEE},\n  year = {2024},\n  url = {https://arxiv.org/abs/2405.18174},\n}\n```\n\n## License\n\nLicensed under [Apache-2.0](LICENSE).\n","funding_links":[],"categories":["Dynamic Checkers"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fispras%2Fcasr","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fispras%2Fcasr","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fispras%2Fcasr/lists"}