feat: fuzz testing for GoModParser (intel#3434)

fixes intel#3325

fuzz/fuzz_go.py

@@ -0,0 +1,73 @@
+# Copyright (C) 2023 Intel Corporation
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+import sys
+import tempfile
+from pathlib import Path
+
+import atheris
+import atheris_libprotobuf_mutator
+from google.protobuf.json_format import MessageToDict
+
+import fuzz.generated.go_mod_pb2 as go_mod_pb2
+from cve_bin_tool.cvedb import CVEDB
+from cve_bin_tool.log import LOGGER
+
+with atheris.instrument_imports():
+    from cve_bin_tool.parsers.go import GoParser
+
+cve_db = CVEDB()
+logger = LOGGER.getChild("Fuzz")
+
+
+def GoModBuilder(data):
+    json_data = MessageToDict(
+        data, preserving_proto_field_name=True, including_default_value_fields=True
+    )
+
+    with open(file_path, "w") as f:
+        module_name = json_data.get("module_name", "")
+        go_version = json_data.get("go_version", "")
+
+        f.write(f"module {module_name}\n")
+        f.write(f"go {go_version}\n")
+
+        f.write("require (\n")
+        for dependency in json_data.get("require", []):
+            module_name = dependency.get("module_name", "")
+            version = dependency.get("version", "")
+            f.write(f"{module_name} {version}\n")
+        f.write(")\n")
+
+        f.write("replace (\n")
+        for replacement in json_data.get("replace", []):
+            old_module = replacement.get("old_module", "")
+            old_version = replacement.get("old_version", "")
+            new_module = replacement.get("new_module", "")
+            new_version = replacement.get("new_version", "")
+            f.write(f"{old_module} {old_version} => {new_module} {new_version}\n")
+        f.write(")\n")
+
+        f.write("exclude (\n")
+        for exclusion in json_data.get("exclude", []):
+            module_name = exclusion.get("module_name", "")
+            version = exclusion.get("version", "")
+            f.write(f"{module_name} {version}\n")
+        f.write(")\n")
+
+
+def TestParseData(data):
+    try:
+        GoModBuilder(data)
+
+        go_parser = GoParser(cve_db, logger)
+        go_parser.run_checker(file_path)
+
+    except SystemExit:
+        return
+
+
+file_path = str(Path(tempfile.mkdtemp(prefix="cve-bin-tool-")) / "go.mod")
+
+atheris_libprotobuf_mutator.Setup(sys.argv, TestParseData, proto=go_mod_pb2.GoModFile)
+atheris.Fuzz()

fuzz/proto_files/go_mod.proto

@@ -0,0 +1,27 @@
+// Copyright (C) 2023 Intel Corporation
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+syntax = "proto3";
+
+message GoModFile {
+     message ModuleDependency {
+      string module_name = 1;
+      float version = 2;
+     }
+     message ModuleReplacement {
+      string old_module = 1;
+      float old_version = 2;
+      string new_module = 3;
+      float new_version = 4;
+     }
+     message ModuleExclude {
+      string module_name = 1;
+      float version = 2;
+     }
+     string module_name = 1;
+     float go_version = 2;
+     repeated ModuleDependency require = 3;
+     repeated ModuleExclude exclude = 4;
+     repeated ModuleReplacement replace = 5;
+
+}