Onefuzz Versions

A self-hosted Fuzzing-As-A-Service platform

8.9.0

6 months ago

Breaking change for SDK container automation ⚠

In this release we've published an update to the OneFuzz CLI SDK that could break automation.

We've added support for container retention periods, which required adding a new ContainerTemplate object to the SDK.

If you define or manage OneFuzz containers using the OneFuzz SDK library, be aware that JobHelper.containers objects were changed structurally from Dict[ContainerType, Container] to Dict[ContainerType, ContainerTemplate].

Added

  • Agent: Added fuzz tests for coverage recording #3322
  • Agent: Added version checking in local tasks #3517
  • Agent: Create directories from template specification in local task if they don't exist #3522
  • CLI: Added a new command for template creation in the local task: onefuzz-task local create-template #3531
  • CLI/Deployment/Service: Support for retention policies on containers #3501
  • Service: Add onefuzz service version to job created events #3504
  • Service: Added a start time to job and task records #3440

Changed

  • Agent: Improved handling of unexpected breakpoints #3493
  • Agent: Updated Windows interceptor list #3528, #3549
  • Agent: Reporting coverage on task start up, ensuring coverage_data is emitted at the beginning of every task instead of when new_coverage is identified #3502
  • CLI/Deployment: Updating onefuzz cli requirements.txt to accept >= onefuzztypes versions #3477, #3486
  • Service: Improve area/iteration path validation in notifications #3489
  • Service: Remove feature flag from heartbeat metrics #3505

Fixed

8.8.0

7 months ago

Added

  • Agent: Added Mariner Linux support for agent VMs #3306
  • Service: Added support for custom ADO fields that mark work items as duplicate #3467
  • Service: Permanently store OneFuzz job result data (number of crashing inputs, number of regression crashing inputs, etc.) in Azure storage #3380, #3439
  • Service: Added validation for Iteration/AreaPath on notifications when a job is submitted with a notification config and for onefuzz debug notification test_template #3386

Changed

  • Agent: Updated libfuzzer-fuzz basic template to include required args and make it match cli #3429
  • Agent: Downgraded some debug logs from warn to debug #3450
  • CLI: Removed CLI commands from the local fuzzing tasks as they can now be described via yaml template #3428
  • Service: AutoScale table entries are now deleted on VMSS shutdown #3455

Fixed

8.7.1

7 months ago

Fixed

  • Service: Removed deprecated Azure retention policy setting that was causing scaleset deployment errors #3452

8.7.0

8 months ago

Added

  • Agent: Added a snapshot-based test to coverage implementation #3368
  • Agent/CLI/Service: Added ability to capture crash dumps from libfuzzer, when provided #2793, #3409
  • CLI/Service: Implemented --with_tasks option for onefuzz jobs get command to expand the task information #3343

Changed

  • Agent: Migrated all the task types to the template model #3397
  • Agent: Removed srcview code from OneFuzz since it is not currently utilized #3376
  • Agent: Updated default Windows VM image to Windows 11 #3374
  • Agent: Migrated winapi to windows-rs, the newer Microsoft supported version of the Windows API bindings for Rust #3050
  • Deployment: Updated the default deployment option for EnableWorkItemCreation feature flag to be enabled #3387

Fixed

  • Agent: Deserialize the coverage files directly into the output files #3410
  • Agent/Deployment/Service: Bumped several C#, Python, and Rust dependencies as well as the Rust edition across all Rust crates #3396, #3161, #3346, #3391, #2870, #3392, #3402
  • Agent: Fixed a bug in agent DirectoryMonitor by adding error tolerance when attempting to fetch metadata for CreateKind::Any or CreateKind::Other events #3393
  • Service: Fixed tag shadowing in logging by giving precedence to the tags produced by log messages over the tags added prior to the call, when the tag names clashed #3388

8.6.3

8 months ago

Fixed

  • Service: Fixed another duplicate Azure DevOps work item creation case by handling Microsoft.VSTS.Common.ResolvedReason field when present #3383

8.6.2

8 months ago

Fixed

  • Agent: Fixed tasks hanging when shutting down by forcefully shutting down the runtime before exiting the main task #3378
  • Service: Refactored Azure DevOps template rendering to fix duplicate bugs being filed due to title truncation and added several validation tests in this area #3370

8.6.1

8 months ago

Added

  • Service: Added feature flag to toggle Azure DevOps work item processing #3353
  • Service: Requeue Azure DevOps notifications when the feature flag for work item processing is set to 'disabled' #3358

8.6.0

8 months ago

Added

  • Agent: Implemented debuginfo caching #3280

Changed

  • Agent: Limit azcopy copy buffer to 512MB of RAM as the default maximum #3293
  • Agent: Define local fuzzing tasks relationships through new templating model #3117
  • Deployment: Replaced --upgrade flag with --skip_aad_setup flag in the deploy.py setup script #3345
  • Service: Make ServiceConfiguration eagerly evaluated #3136
  • Service: Improved TimerRetention performance through several UPN changes & fixes #3289

Fixed

  • Agent: Fixed resolution of sibling .NET DLLs #3325
  • Agent/Service: Bumped several C# and Rust dependencies #3319, #3320, #3317, #3297, #3301, #3291, #3195, #3328
  • CLI: Look for azcopy.exe in environment variable AZCOPY and determine if it's actually referencing a directory #3344
  • CLI: Updated repro get_files to handle regression reports #3340
  • CLI: Fixed missing target_timeout setting in the Libfuzzer basic template #3334
  • CLI: Fixed false 'missing' dependency warning #3331
  • CLI: Fixed the debug notification test_template command expecting a task_id #3308
  • Deployment: Update App Registration redirect URIs if deployment uses a custom domain #3341
  • Service: Fixed links in bugs filed from regression reports by populating InputBlob when possible #3342
  • Service: Fixed several storage issues to improve platform performance and reduce spurious 404s #3313
  • Service: Added extra logging when System.Title is too long #3332
  • Service: Render System.Title before trying to trim it to the max allowed size #3329
  • Service: Differentiate INVALID_JOB and INVALID_TASK error codes #3318

8.5.0

9 months ago

Added

  • Agent: Added tool to check source allowlists #3246
  • Agent: Precache debuginfo analysis for target exe in coverage example #3225
  • Agent/CLI/Service: Allow tasks environment variables to be set #3294
  • CLI/Service: Correlate cli to service to facilitate event lookups in AppInsights #3137
  • CLI: Added --target_timeout flag for qemu_user template command #3277
  • Documentation: Updated Threat Model #3215
  • Service: Added optional Unless condition when updating/re-opening Work Items #3227
  • Service: Include the task ID in the prerequisite task failure message #3219
  • Service: Added events retention policy #3186

Changed

  • Agent: Shrink published Rust debug info #3247, #3252
  • Agent: Get rid of yanked hermit-abi versions #3270
  • Documentation: Updated coverage docs to use correct quotes #3279
  • Service: Better errors from Download: Make GetFileSasUrl nullable #3229
  • Service: Changed template rendering from async to synchronous #3241
  • Service: Log webhook exception as an "error" since we are retrying anyways #3238
  • Service: Make WebhookMessageEventGrid compatible with the event grid format #3286

Fixed

  • Agent: Improved .dll redirection by setting up .local file before invoking LibFuzzer #3269
  • Agent/Service: Bumped several C# and Rust dependencies, and the Rust version to 1.71 #3278, #3281, #3221, #3230, #3231, #3203, #3240, #3239, #3199, #3254, #3257, #3273, #3258, #3271, #3292
  • CLI/Service: Fixed regression bugs, file bugs on regression_report and properly reset state on duplicates #3263
  • Service: Improve Azure DevOps validation problem reporting and resiliency #3222
  • Service: Updated KeyVault access policy for Azure WebSites service account access #3109
  • Service: Switched to default HttpCompletion, which is ResponseRead to attempt to prevent webhooks occasionally failing to send #3259
  • Service: Fixed Timestamp response from API #3237
  • Service: Trim System.Title if length is longer than 128 characters #3284

8.4.0

9 months ago

Added

  • Agent: Include debug info in the release binaries to improve backtraces and debuggability #3194
  • Agent: Added a timeout when closing the app insight channels #3181
  • Agent: Require input marker in arguments when given an input corpus directory #3205
  • Agent/CLI/Service: Added extra_output container, rename extra container #3064
  • Agent: Creating CustomMetrics for Rust CustomEvents #3188
  • Agent: Added prereqs for implementing caching for coverage locations and debuginfo in coverage task #3218
  • CLI: Added command onefuzz repro get_files for downloading files to locally reproduce a crash #3160
  • CLI: Added command onefuzz debug notification test_template <template> [--task_id <task_id>] [--report <report>] to allow a report to be sent when debugging #3206
  • Documentation: Added documentation on how to use the validation tools #3212

Changed

  • Agent: Removed agent traces from AppInsights #3143
  • Agent: Include debug info in the release binaries to improve backtraces and debuggability #3194
  • Agent: Make coverage-recording errors non-fatal #3166
  • Deployment/Service: Enable custom metrics app config value #3190
  • Documentation: Renamed example coverage.rs to record.rs to match documentation #3204
  • Service: Moved authentication into middleware #3133
  • Service: Store authentication information in KeyVault #3127, #3223
  • Service: Port current logging implementation to ILogger #3173
  • Service: Added improved error reporting from scale-in protection modification #3184
  • Service: Downgraded queue error to warning when retrying because the message is too large #3224

Fixed