Skip to content

test(graphrag): add Drain miner fuzz target (Scorecard Fuzzing)#115

Merged
aksOps merged 1 commit into
mainfrom
chore/scorecard-fuzzing
Jun 18, 2026
Merged

test(graphrag): add Drain miner fuzz target (Scorecard Fuzzing)#115
aksOps merged 1 commit into
mainfrom
chore/scorecard-fuzzing

Conversation

@aksOps

@aksOps aksOps commented Jun 18, 2026

Copy link
Copy Markdown
Contributor

What

Adds FuzzDrainMatch, a Go native fuzz test over the Drain log-template miner's Match() (internal/graphrag/drain_fuzz_test.go).

Match() is the ingestion hot path every untrusted log body flows through (LogsServer.Export → LogCallback → Drain.Match), so it's the right surface to fuzz. The test asserts Match never panics on malformed input and holds two invariants:

  • empty / whitespace-only tokenization → nil template;
  • any non-nil result is well-formed (non-empty tokens, ID == templateID(tokens)).

It also checks that Preprocess+tokenize are deterministic. Seeds cover empty, whitespace, IPs/UUIDs/timestamps/emails/hex pointers, NUL + high-byte binary, multibyte UTF-8, and an over-depth token run.

Why

OpenSSF Scorecard's Fuzzing check currently scores 0 — it detects no native Go fuzz function. One FuzzXxx(*testing.F) flips it. This is the highest-value parser on the untrusted-input path that wasn't already fuzzed.

Verification

  • go build ./... — success
  • go vet ./internal/graphrag/ — clean
  • go test ./internal/graphrag/ — 101 pass (fuzz seed corpus runs as unit tests)
  • go test -fuzz=FuzzDrainMatch -fuzztime=10s — no crashers

🤖 Generated with Claude Code

Add FuzzDrainMatch, a Go native fuzz test over the Drain log-template
miner's Match() — the ingestion hot path every untrusted log body flows
through (LogsServer.Export -> LogCallback -> Drain.Match). It asserts
Match never panics on malformed input and holds two invariants: empty
or whitespace-only tokenization yields a nil template, and any non-nil
result is well-formed (non-empty tokens, ID == templateID(tokens)). It
also checks Preprocess+tokenize determinism.

Seeds cover empty, whitespace, IPs/UUIDs/timestamps/emails/hex pointers,
NUL + high-byte binary, multibyte UTF-8, and an over-depth token run.

Satisfies OpenSSF Scorecard's Fuzzing check (detects a native Go fuzz
function). Verified: go build/vet/test green (101 tests), and
go test -fuzz=FuzzDrainMatch -fuzztime=10s found no crashers.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01LDQVJrixs2nJoea67a8pEG
@sonarqubecloud

Copy link
Copy Markdown

@aksOps aksOps merged commit 55cc830 into main Jun 18, 2026
17 checks passed
@aksOps aksOps deleted the chore/scorecard-fuzzing branch June 18, 2026 08:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant