@elizaos/skills 2.0.0-alpha.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +126 -0
- package/package.json +53 -0
- package/skills/1password/SKILL.md +70 -0
- package/skills/1password/references/cli-examples.md +29 -0
- package/skills/1password/references/get-started.md +17 -0
- package/skills/apple-notes/SKILL.md +77 -0
- package/skills/apple-reminders/SKILL.md +96 -0
- package/skills/bear-notes/SKILL.md +107 -0
- package/skills/bird/SKILL.md +224 -0
- package/skills/blogwatcher/SKILL.md +69 -0
- package/skills/blucli/SKILL.md +47 -0
- package/skills/bluebubbles/SKILL.md +131 -0
- package/skills/camsnap/SKILL.md +45 -0
- package/skills/canvas/SKILL.md +203 -0
- package/skills/clawhub/SKILL.md +77 -0
- package/skills/coding-agent/SKILL.md +284 -0
- package/skills/discord/SKILL.md +578 -0
- package/skills/eightctl/SKILL.md +50 -0
- package/skills/food-order/SKILL.md +48 -0
- package/skills/gemini/SKILL.md +43 -0
- package/skills/gifgrep/SKILL.md +79 -0
- package/skills/github/SKILL.md +77 -0
- package/skills/gog/SKILL.md +116 -0
- package/skills/goplaces/SKILL.md +52 -0
- package/skills/healthcheck/SKILL.md +245 -0
- package/skills/himalaya/SKILL.md +257 -0
- package/skills/himalaya/references/configuration.md +184 -0
- package/skills/himalaya/references/message-composition.md +199 -0
- package/skills/imsg/SKILL.md +74 -0
- package/skills/local-places/SERVER_README.md +101 -0
- package/skills/local-places/SKILL.md +102 -0
- package/skills/local-places/pyproject.toml +21 -0
- package/skills/local-places/src/local_places/__init__.py +2 -0
- package/skills/local-places/src/local_places/google_places.py +314 -0
- package/skills/local-places/src/local_places/main.py +65 -0
- package/skills/local-places/src/local_places/schemas.py +107 -0
- package/skills/mcporter/SKILL.md +61 -0
- package/skills/model-usage/SKILL.md +69 -0
- package/skills/model-usage/references/codexbar-cli.md +33 -0
- package/skills/model-usage/scripts/model_usage.py +310 -0
- package/skills/nano-banana-pro/SKILL.md +58 -0
- package/skills/nano-banana-pro/scripts/generate_image.py +184 -0
- package/skills/nano-pdf/SKILL.md +38 -0
- package/skills/notion/SKILL.md +172 -0
- package/skills/obsidian/SKILL.md +81 -0
- package/skills/openai-image-gen/SKILL.md +89 -0
- package/skills/openai-image-gen/scripts/gen.py +240 -0
- package/skills/openai-whisper/SKILL.md +38 -0
- package/skills/openai-whisper-api/SKILL.md +52 -0
- package/skills/openai-whisper-api/scripts/transcribe.sh +85 -0
- package/skills/openhue/SKILL.md +51 -0
- package/skills/oracle/SKILL.md +125 -0
- package/skills/ordercli/SKILL.md +78 -0
- package/skills/peekaboo/SKILL.md +190 -0
- package/skills/sag/SKILL.md +87 -0
- package/skills/security-ask-questions-if-underspecified/.claude-plugin/plugin.json +10 -0
- package/skills/security-ask-questions-if-underspecified/README.md +24 -0
- package/skills/security-ask-questions-if-underspecified/skills/ask-questions-if-underspecified/SKILL.md +85 -0
- package/skills/security-audit-context-building/.claude-plugin/plugin.json +10 -0
- package/skills/security-audit-context-building/README.md +58 -0
- package/skills/security-audit-context-building/commands/audit-context.md +21 -0
- package/skills/security-audit-context-building/skills/audit-context-building/SKILL.md +297 -0
- package/skills/security-audit-context-building/skills/audit-context-building/resources/COMPLETENESS_CHECKLIST.md +47 -0
- package/skills/security-audit-context-building/skills/audit-context-building/resources/FUNCTION_MICRO_ANALYSIS_EXAMPLE.md +355 -0
- package/skills/security-audit-context-building/skills/audit-context-building/resources/OUTPUT_REQUIREMENTS.md +71 -0
- package/skills/security-building-secure-contracts/.claude-plugin/plugin.json +10 -0
- package/skills/security-building-secure-contracts/README.md +241 -0
- package/skills/security-building-secure-contracts/skills/algorand-vulnerability-scanner/SKILL.md +284 -0
- package/skills/security-building-secure-contracts/skills/algorand-vulnerability-scanner/resources/VULNERABILITY_PATTERNS.md +405 -0
- package/skills/security-building-secure-contracts/skills/audit-prep-assistant/SKILL.md +409 -0
- package/skills/security-building-secure-contracts/skills/cairo-vulnerability-scanner/SKILL.md +329 -0
- package/skills/security-building-secure-contracts/skills/cairo-vulnerability-scanner/resources/VULNERABILITY_PATTERNS.md +722 -0
- package/skills/security-building-secure-contracts/skills/code-maturity-assessor/SKILL.md +218 -0
- package/skills/security-building-secure-contracts/skills/code-maturity-assessor/resources/ASSESSMENT_CRITERIA.md +355 -0
- package/skills/security-building-secure-contracts/skills/code-maturity-assessor/resources/EXAMPLE_REPORT.md +248 -0
- package/skills/security-building-secure-contracts/skills/code-maturity-assessor/resources/REPORT_FORMAT.md +33 -0
- package/skills/security-building-secure-contracts/skills/cosmos-vulnerability-scanner/SKILL.md +334 -0
- package/skills/security-building-secure-contracts/skills/cosmos-vulnerability-scanner/resources/VULNERABILITY_PATTERNS.md +740 -0
- package/skills/security-building-secure-contracts/skills/guidelines-advisor/SKILL.md +252 -0
- package/skills/security-building-secure-contracts/skills/guidelines-advisor/resources/ASSESSMENT_AREAS.md +329 -0
- package/skills/security-building-secure-contracts/skills/guidelines-advisor/resources/DELIVERABLES.md +118 -0
- package/skills/security-building-secure-contracts/skills/guidelines-advisor/resources/EXAMPLE_REPORT.md +298 -0
- package/skills/security-building-secure-contracts/skills/secure-workflow-guide/SKILL.md +161 -0
- package/skills/security-building-secure-contracts/skills/secure-workflow-guide/resources/EXAMPLE_REPORT.md +279 -0
- package/skills/security-building-secure-contracts/skills/secure-workflow-guide/resources/WORKFLOW_STEPS.md +132 -0
- package/skills/security-building-secure-contracts/skills/solana-vulnerability-scanner/SKILL.md +389 -0
- package/skills/security-building-secure-contracts/skills/solana-vulnerability-scanner/resources/VULNERABILITY_PATTERNS.md +669 -0
- package/skills/security-building-secure-contracts/skills/substrate-vulnerability-scanner/SKILL.md +298 -0
- package/skills/security-building-secure-contracts/skills/substrate-vulnerability-scanner/resources/VULNERABILITY_PATTERNS.md +791 -0
- package/skills/security-building-secure-contracts/skills/token-integration-analyzer/SKILL.md +362 -0
- package/skills/security-building-secure-contracts/skills/token-integration-analyzer/resources/ASSESSMENT_CATEGORIES.md +571 -0
- package/skills/security-building-secure-contracts/skills/token-integration-analyzer/resources/REPORT_TEMPLATES.md +141 -0
- package/skills/security-building-secure-contracts/skills/ton-vulnerability-scanner/SKILL.md +388 -0
- package/skills/security-building-secure-contracts/skills/ton-vulnerability-scanner/resources/VULNERABILITY_PATTERNS.md +595 -0
- package/skills/security-burpsuite-project-parser/.claude-plugin/plugin.json +10 -0
- package/skills/security-burpsuite-project-parser/README.md +103 -0
- package/skills/security-burpsuite-project-parser/commands/burp-search.md +18 -0
- package/skills/security-burpsuite-project-parser/skills/SKILL.md +358 -0
- package/skills/security-burpsuite-project-parser/skills/scripts/burp-search.sh +99 -0
- package/skills/security-claude-in-chrome-troubleshooting/.claude-plugin/plugin.json +8 -0
- package/skills/security-claude-in-chrome-troubleshooting/README.md +31 -0
- package/skills/security-claude-in-chrome-troubleshooting/skills/claude-in-chrome-troubleshooting/SKILL.md +251 -0
- package/skills/security-constant-time-analysis/.claude-plugin/plugin.json +9 -0
- package/skills/security-constant-time-analysis/README.md +381 -0
- package/skills/security-constant-time-analysis/commands/ct-check.md +20 -0
- package/skills/security-constant-time-analysis/ct_analyzer/__init__.py +49 -0
- package/skills/security-constant-time-analysis/ct_analyzer/analyzer.py +1284 -0
- package/skills/security-constant-time-analysis/ct_analyzer/script_analyzers.py +3081 -0
- package/skills/security-constant-time-analysis/ct_analyzer/tests/__init__.py +1 -0
- package/skills/security-constant-time-analysis/ct_analyzer/tests/test_analyzer.py +1397 -0
- package/skills/security-constant-time-analysis/ct_analyzer/tests/test_samples/bn_excerpt.js +205 -0
- package/skills/security-constant-time-analysis/ct_analyzer/tests/test_samples/decompose_constant_time.c +181 -0
- package/skills/security-constant-time-analysis/ct_analyzer/tests/test_samples/decompose_vulnerable.c +74 -0
- package/skills/security-constant-time-analysis/ct_analyzer/tests/test_samples/decompose_vulnerable.go +78 -0
- package/skills/security-constant-time-analysis/ct_analyzer/tests/test_samples/decompose_vulnerable.rs +92 -0
- package/skills/security-constant-time-analysis/ct_analyzer/tests/test_samples/vulnerable.cs +174 -0
- package/skills/security-constant-time-analysis/ct_analyzer/tests/test_samples/vulnerable.java +161 -0
- package/skills/security-constant-time-analysis/ct_analyzer/tests/test_samples/vulnerable.kt +181 -0
- package/skills/security-constant-time-analysis/ct_analyzer/tests/test_samples/vulnerable.php +140 -0
- package/skills/security-constant-time-analysis/ct_analyzer/tests/test_samples/vulnerable.py +252 -0
- package/skills/security-constant-time-analysis/ct_analyzer/tests/test_samples/vulnerable.rb +188 -0
- package/skills/security-constant-time-analysis/ct_analyzer/tests/test_samples/vulnerable.swift +199 -0
- package/skills/security-constant-time-analysis/ct_analyzer/tests/test_samples/vulnerable.ts +154 -0
- package/skills/security-constant-time-analysis/pyproject.toml +52 -0
- package/skills/security-constant-time-analysis/skills/constant-time-analysis/README.md +90 -0
- package/skills/security-constant-time-analysis/skills/constant-time-analysis/SKILL.md +219 -0
- package/skills/security-constant-time-analysis/skills/constant-time-analysis/references/compiled.md +129 -0
- package/skills/security-constant-time-analysis/skills/constant-time-analysis/references/javascript.md +136 -0
- package/skills/security-constant-time-analysis/skills/constant-time-analysis/references/kotlin.md +252 -0
- package/skills/security-constant-time-analysis/skills/constant-time-analysis/references/php.md +172 -0
- package/skills/security-constant-time-analysis/skills/constant-time-analysis/references/python.md +179 -0
- package/skills/security-constant-time-analysis/skills/constant-time-analysis/references/ruby.md +198 -0
- package/skills/security-constant-time-analysis/skills/constant-time-analysis/references/swift.md +288 -0
- package/skills/security-constant-time-analysis/skills/constant-time-analysis/references/vm-compiled.md +354 -0
- package/skills/security-constant-time-analysis/uv.lock +8 -0
- package/skills/security-culture-index/.claude-plugin/plugin.json +8 -0
- package/skills/security-culture-index/README.md +79 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/SKILL.md +293 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/references/anti-patterns.md +255 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/references/conversation-starters.md +408 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/references/interview-trait-signals.md +253 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/references/motivators.md +158 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/references/patterns-archetypes.md +147 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/references/primary-traits.md +307 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/references/secondary-traits.md +228 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/references/team-composition.md +148 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/scripts/check_deps.py +108 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/scripts/culture_index/__init__.py +20 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/scripts/culture_index/constants.py +122 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/scripts/culture_index/extract.py +187 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/scripts/culture_index/models.py +16 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/scripts/culture_index/opencv_extractor.py +520 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/scripts/extract_pdf.py +237 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/scripts/pyproject.toml +18 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/templates/burnout-report.md +113 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/templates/comparison-report.md +103 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/templates/hiring-profile.md +127 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/templates/individual-report.md +85 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/templates/predicted-profile.md +165 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/templates/team-report.md +109 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/workflows/analyze-team.md +188 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/workflows/coach-manager.md +267 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/workflows/compare-profiles.md +188 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/workflows/define-hiring-profile.md +220 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/workflows/detect-burnout.md +206 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/workflows/extract-from-pdf.md +121 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/workflows/interpret-individual.md +183 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/workflows/interview-debrief.md +234 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/workflows/mediate-conflict.md +306 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/workflows/plan-onboarding.md +322 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/workflows/predict-from-interview.md +250 -0
- package/skills/security-differential-review/.claude-plugin/plugin.json +10 -0
- package/skills/security-differential-review/README.md +109 -0
- package/skills/security-differential-review/commands/diff-review.md +21 -0
- package/skills/security-differential-review/skills/differential-review/SKILL.md +220 -0
- package/skills/security-differential-review/skills/differential-review/adversarial.md +203 -0
- package/skills/security-differential-review/skills/differential-review/methodology.md +234 -0
- package/skills/security-differential-review/skills/differential-review/patterns.md +300 -0
- package/skills/security-differential-review/skills/differential-review/reporting.md +369 -0
- package/skills/security-dwarf-expert/.claude-plugin/plugin.json +10 -0
- package/skills/security-dwarf-expert/README.md +38 -0
- package/skills/security-dwarf-expert/skills/dwarf-expert/SKILL.md +93 -0
- package/skills/security-dwarf-expert/skills/dwarf-expert/reference/coding.md +31 -0
- package/skills/security-dwarf-expert/skills/dwarf-expert/reference/dwarfdump.md +50 -0
- package/skills/security-dwarf-expert/skills/dwarf-expert/reference/readelf.md +8 -0
- package/skills/security-entry-point-analyzer/.claude-plugin/plugin.json +10 -0
- package/skills/security-entry-point-analyzer/README.md +74 -0
- package/skills/security-entry-point-analyzer/commands/entry-points.md +18 -0
- package/skills/security-entry-point-analyzer/skills/entry-point-analyzer/SKILL.md +251 -0
- package/skills/security-entry-point-analyzer/skills/entry-point-analyzer/references/cosmwasm.md +182 -0
- package/skills/security-entry-point-analyzer/skills/entry-point-analyzer/references/move-aptos.md +107 -0
- package/skills/security-entry-point-analyzer/skills/entry-point-analyzer/references/move-sui.md +87 -0
- package/skills/security-entry-point-analyzer/skills/entry-point-analyzer/references/solana.md +155 -0
- package/skills/security-entry-point-analyzer/skills/entry-point-analyzer/references/solidity.md +135 -0
- package/skills/security-entry-point-analyzer/skills/entry-point-analyzer/references/ton.md +185 -0
- package/skills/security-entry-point-analyzer/skills/entry-point-analyzer/references/vyper.md +141 -0
- package/skills/security-firebase-apk-scanner/.claude-plugin/plugin.json +10 -0
- package/skills/security-firebase-apk-scanner/README.md +85 -0
- package/skills/security-firebase-apk-scanner/commands/scan-apk.md +18 -0
- package/skills/security-firebase-apk-scanner/scanner.sh +1408 -0
- package/skills/security-firebase-apk-scanner/skills/firebase-apk-scanner/SKILL.md +197 -0
- package/skills/security-firebase-apk-scanner/skills/firebase-apk-scanner/references/vulnerabilities.md +803 -0
- package/skills/security-fix-review/.claude-plugin/plugin.json +13 -0
- package/skills/security-fix-review/README.md +118 -0
- package/skills/security-fix-review/commands/fix-review.md +24 -0
- package/skills/security-fix-review/skills/fix-review/SKILL.md +264 -0
- package/skills/security-fix-review/skills/fix-review/references/bug-detection.md +408 -0
- package/skills/security-fix-review/skills/fix-review/references/finding-matching.md +298 -0
- package/skills/security-fix-review/skills/fix-review/references/report-parsing.md +398 -0
- package/skills/security-insecure-defaults/.claude-plugin/plugin.json +10 -0
- package/skills/security-insecure-defaults/README.md +45 -0
- package/skills/security-insecure-defaults/skills/insecure-defaults/SKILL.md +117 -0
- package/skills/security-insecure-defaults/skills/insecure-defaults/references/examples.md +409 -0
- package/skills/security-modern-python/.claude-plugin/plugin.json +10 -0
- package/skills/security-modern-python/README.md +58 -0
- package/skills/security-modern-python/hooks/hooks.json +16 -0
- package/skills/security-modern-python/hooks/intercept-legacy-python.bats +388 -0
- package/skills/security-modern-python/hooks/intercept-legacy-python.sh +109 -0
- package/skills/security-modern-python/hooks/test_helper.bash +75 -0
- package/skills/security-modern-python/skills/modern-python/SKILL.md +333 -0
- package/skills/security-modern-python/skills/modern-python/references/dependabot.md +43 -0
- package/skills/security-modern-python/skills/modern-python/references/migration-checklist.md +141 -0
- package/skills/security-modern-python/skills/modern-python/references/pep723-scripts.md +259 -0
- package/skills/security-modern-python/skills/modern-python/references/prek.md +211 -0
- package/skills/security-modern-python/skills/modern-python/references/pyproject.md +254 -0
- package/skills/security-modern-python/skills/modern-python/references/ruff-config.md +240 -0
- package/skills/security-modern-python/skills/modern-python/references/security-setup.md +255 -0
- package/skills/security-modern-python/skills/modern-python/references/testing.md +284 -0
- package/skills/security-modern-python/skills/modern-python/references/uv-commands.md +200 -0
- package/skills/security-modern-python/skills/modern-python/templates/dependabot.yml +36 -0
- package/skills/security-modern-python/skills/modern-python/templates/pre-commit-config.yaml +66 -0
- package/skills/security-property-based-testing/.claude-plugin/plugin.json +9 -0
- package/skills/security-property-based-testing/README.md +47 -0
- package/skills/security-property-based-testing/skills/property-based-testing/README.md +88 -0
- package/skills/security-property-based-testing/skills/property-based-testing/SKILL.md +109 -0
- package/skills/security-property-based-testing/skills/property-based-testing/references/design.md +191 -0
- package/skills/security-property-based-testing/skills/property-based-testing/references/generating.md +200 -0
- package/skills/security-property-based-testing/skills/property-based-testing/references/libraries.md +130 -0
- package/skills/security-property-based-testing/skills/property-based-testing/references/refactoring.md +181 -0
- package/skills/security-property-based-testing/skills/property-based-testing/references/reviewing.md +209 -0
- package/skills/security-property-based-testing/skills/property-based-testing/references/strategies.md +124 -0
- package/skills/semgrep-rule-creator/.claude-plugin/plugin.json +8 -0
- package/skills/semgrep-rule-creator/README.md +43 -0
- package/skills/semgrep-rule-creator/commands/semgrep-rule.md +26 -0
- package/skills/semgrep-rule-creator/skills/semgrep-rule-creator/SKILL.md +168 -0
- package/skills/semgrep-rule-creator/skills/semgrep-rule-creator/references/quick-reference.md +203 -0
- package/skills/semgrep-rule-creator/skills/semgrep-rule-creator/references/workflow.md +240 -0
- package/skills/semgrep-rule-variant-creator/.claude-plugin/plugin.json +9 -0
- package/skills/semgrep-rule-variant-creator/README.md +86 -0
- package/skills/semgrep-rule-variant-creator/skills/semgrep-rule-variant-creator/SKILL.md +205 -0
- package/skills/semgrep-rule-variant-creator/skills/semgrep-rule-variant-creator/references/applicability-analysis.md +250 -0
- package/skills/semgrep-rule-variant-creator/skills/semgrep-rule-variant-creator/references/language-syntax-guide.md +324 -0
- package/skills/semgrep-rule-variant-creator/skills/semgrep-rule-variant-creator/references/workflow.md +518 -0
- package/skills/session-logs/SKILL.md +115 -0
- package/skills/sharp-edges/.claude-plugin/plugin.json +10 -0
- package/skills/sharp-edges/README.md +48 -0
- package/skills/sharp-edges/skills/sharp-edges/SKILL.md +292 -0
- package/skills/sharp-edges/skills/sharp-edges/references/auth-patterns.md +252 -0
- package/skills/sharp-edges/skills/sharp-edges/references/case-studies.md +274 -0
- package/skills/sharp-edges/skills/sharp-edges/references/config-patterns.md +333 -0
- package/skills/sharp-edges/skills/sharp-edges/references/crypto-apis.md +190 -0
- package/skills/sharp-edges/skills/sharp-edges/references/lang-c.md +205 -0
- package/skills/sharp-edges/skills/sharp-edges/references/lang-csharp.md +285 -0
- package/skills/sharp-edges/skills/sharp-edges/references/lang-go.md +270 -0
- package/skills/sharp-edges/skills/sharp-edges/references/lang-java.md +263 -0
- package/skills/sharp-edges/skills/sharp-edges/references/lang-javascript.md +269 -0
- package/skills/sharp-edges/skills/sharp-edges/references/lang-kotlin.md +265 -0
- package/skills/sharp-edges/skills/sharp-edges/references/lang-php.md +245 -0
- package/skills/sharp-edges/skills/sharp-edges/references/lang-python.md +274 -0
- package/skills/sharp-edges/skills/sharp-edges/references/lang-ruby.md +273 -0
- package/skills/sharp-edges/skills/sharp-edges/references/lang-rust.md +272 -0
- package/skills/sharp-edges/skills/sharp-edges/references/lang-swift.md +287 -0
- package/skills/sharp-edges/skills/sharp-edges/references/language-specific.md +588 -0
- package/skills/sherpa-onnx-tts/SKILL.md +103 -0
- package/skills/sherpa-onnx-tts/bin/sherpa-onnx-tts +178 -0
- package/skills/skill-creator/SKILL.md +370 -0
- package/skills/skill-creator/license.txt +202 -0
- package/skills/skill-creator/scripts/init_skill.py +378 -0
- package/skills/skill-creator/scripts/package_skill.py +111 -0
- package/skills/skill-creator/scripts/quick_validate.py +101 -0
- package/skills/slack/SKILL.md +144 -0
- package/skills/songsee/SKILL.md +49 -0
- package/skills/sonoscli/SKILL.md +46 -0
- package/skills/spec-to-code-compliance/.claude-plugin/plugin.json +10 -0
- package/skills/spec-to-code-compliance/README.md +67 -0
- package/skills/spec-to-code-compliance/commands/spec-compliance.md +22 -0
- package/skills/spec-to-code-compliance/skills/spec-to-code-compliance/SKILL.md +349 -0
- package/skills/spec-to-code-compliance/skills/spec-to-code-compliance/resources/COMPLETENESS_CHECKLIST.md +69 -0
- package/skills/spec-to-code-compliance/skills/spec-to-code-compliance/resources/IR_EXAMPLES.md +417 -0
- package/skills/spec-to-code-compliance/skills/spec-to-code-compliance/resources/OUTPUT_REQUIREMENTS.md +105 -0
- package/skills/spotify-player/SKILL.md +64 -0
- package/skills/static-analysis/.claude-plugin/plugin.json +8 -0
- package/skills/static-analysis/README.md +59 -0
- package/skills/static-analysis/skills/codeql/SKILL.md +315 -0
- package/skills/static-analysis/skills/sarif-parsing/SKILL.md +479 -0
- package/skills/static-analysis/skills/sarif-parsing/resources/jq-queries.md +162 -0
- package/skills/static-analysis/skills/sarif-parsing/resources/sarif_helpers.py +331 -0
- package/skills/static-analysis/skills/semgrep/SKILL.md +337 -0
- package/skills/summarize/SKILL.md +87 -0
- package/skills/testing-handbook-skills/.claude-plugin/plugin.json +8 -0
- package/skills/testing-handbook-skills/README.md +241 -0
- package/skills/testing-handbook-skills/scripts/pyproject.toml +8 -0
- package/skills/testing-handbook-skills/scripts/validate-skills.py +657 -0
- package/skills/testing-handbook-skills/skills/address-sanitizer/SKILL.md +341 -0
- package/skills/testing-handbook-skills/skills/aflpp/SKILL.md +640 -0
- package/skills/testing-handbook-skills/skills/atheris/SKILL.md +515 -0
- package/skills/testing-handbook-skills/skills/cargo-fuzz/SKILL.md +454 -0
- package/skills/testing-handbook-skills/skills/codeql/SKILL.md +549 -0
- package/skills/testing-handbook-skills/skills/constant-time-testing/SKILL.md +507 -0
- package/skills/testing-handbook-skills/skills/coverage-analysis/SKILL.md +607 -0
- package/skills/testing-handbook-skills/skills/fuzzing-dictionary/SKILL.md +297 -0
- package/skills/testing-handbook-skills/skills/fuzzing-obstacles/SKILL.md +426 -0
- package/skills/testing-handbook-skills/skills/harness-writing/SKILL.md +614 -0
- package/skills/testing-handbook-skills/skills/libafl/SKILL.md +625 -0
- package/skills/testing-handbook-skills/skills/libfuzzer/SKILL.md +795 -0
- package/skills/testing-handbook-skills/skills/ossfuzz/SKILL.md +426 -0
- package/skills/testing-handbook-skills/skills/ruzzy/SKILL.md +443 -0
- package/skills/testing-handbook-skills/skills/semgrep/SKILL.md +601 -0
- package/skills/testing-handbook-skills/skills/testing-handbook-generator/SKILL.md +372 -0
- package/skills/testing-handbook-skills/skills/testing-handbook-generator/agent-prompt.md +280 -0
- package/skills/testing-handbook-skills/skills/testing-handbook-generator/discovery.md +452 -0
- package/skills/testing-handbook-skills/skills/testing-handbook-generator/templates/domain-skill.md +504 -0
- package/skills/testing-handbook-skills/skills/testing-handbook-generator/templates/fuzzer-skill.md +454 -0
- package/skills/testing-handbook-skills/skills/testing-handbook-generator/templates/technique-skill.md +527 -0
- package/skills/testing-handbook-skills/skills/testing-handbook-generator/templates/tool-skill.md +366 -0
- package/skills/testing-handbook-skills/skills/testing-handbook-generator/testing.md +482 -0
- package/skills/testing-handbook-skills/skills/wycheproof/SKILL.md +533 -0
- package/skills/things-mac/SKILL.md +86 -0
- package/skills/tmux/SKILL.md +135 -0
- package/skills/tmux/scripts/find-sessions.sh +112 -0
- package/skills/tmux/scripts/wait-for-text.sh +83 -0
- package/skills/trello/SKILL.md +95 -0
- package/skills/variant-analysis/.claude-plugin/plugin.json +8 -0
- package/skills/variant-analysis/README.md +41 -0
- package/skills/variant-analysis/commands/variants.md +23 -0
- package/skills/variant-analysis/skills/variant-analysis/METHODOLOGY.md +327 -0
- package/skills/variant-analysis/skills/variant-analysis/SKILL.md +142 -0
- package/skills/variant-analysis/skills/variant-analysis/resources/codeql/cpp.ql +119 -0
- package/skills/variant-analysis/skills/variant-analysis/resources/codeql/go.ql +69 -0
- package/skills/variant-analysis/skills/variant-analysis/resources/codeql/java.ql +71 -0
- package/skills/variant-analysis/skills/variant-analysis/resources/codeql/javascript.ql +63 -0
- package/skills/variant-analysis/skills/variant-analysis/resources/codeql/python.ql +80 -0
- package/skills/variant-analysis/skills/variant-analysis/resources/semgrep/cpp.yaml +98 -0
- package/skills/variant-analysis/skills/variant-analysis/resources/semgrep/go.yaml +63 -0
- package/skills/variant-analysis/skills/variant-analysis/resources/semgrep/java.yaml +61 -0
- package/skills/variant-analysis/skills/variant-analysis/resources/semgrep/javascript.yaml +60 -0
- package/skills/variant-analysis/skills/variant-analysis/resources/semgrep/python.yaml +72 -0
- package/skills/variant-analysis/skills/variant-analysis/resources/variant-report-template.md +75 -0
- package/skills/video-frames/SKILL.md +46 -0
- package/skills/video-frames/scripts/frame.sh +81 -0
- package/skills/voice-call/SKILL.md +45 -0
- package/skills/wacli/SKILL.md +72 -0
- package/skills/weather/SKILL.md +54 -0
- package/skills/yara-authoring/.claude-plugin/plugin.json +9 -0
- package/skills/yara-authoring/README.md +131 -0
- package/skills/yara-authoring/skills/yara-rule-authoring/SKILL.md +645 -0
- package/skills/yara-authoring/skills/yara-rule-authoring/examples/MAL_Mac_ProtonRAT_Jan25.yar +99 -0
- package/skills/yara-authoring/skills/yara-rule-authoring/examples/MAL_NPM_SupplyChain_Jan25.yar +170 -0
- package/skills/yara-authoring/skills/yara-rule-authoring/examples/MAL_Win_Remcos_Jan25.yar +103 -0
- package/skills/yara-authoring/skills/yara-rule-authoring/examples/SUSP_CRX_SuspiciousPermissions.yar +134 -0
- package/skills/yara-authoring/skills/yara-rule-authoring/examples/SUSP_JS_Obfuscation_Jan25.yar +185 -0
- package/skills/yara-authoring/skills/yara-rule-authoring/references/crx-module.md +214 -0
- package/skills/yara-authoring/skills/yara-rule-authoring/references/dex-module.md +383 -0
- package/skills/yara-authoring/skills/yara-rule-authoring/references/performance.md +333 -0
- package/skills/yara-authoring/skills/yara-rule-authoring/references/strings.md +433 -0
- package/skills/yara-authoring/skills/yara-rule-authoring/references/style-guide.md +257 -0
- package/skills/yara-authoring/skills/yara-rule-authoring/references/testing.md +399 -0
- package/skills/yara-authoring/skills/yara-rule-authoring/scripts/atom_analyzer.py +526 -0
- package/skills/yara-authoring/skills/yara-rule-authoring/scripts/pyproject.toml +25 -0
- package/skills/yara-authoring/skills/yara-rule-authoring/scripts/yara_lint.py +631 -0
- package/skills/yara-authoring/skills/yara-rule-authoring/workflows/rule-development.md +493 -0
|
@@ -0,0 +1,607 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: coverage-analysis
|
|
3
|
+
type: technique
|
|
4
|
+
description: >
|
|
5
|
+
Coverage analysis measures code exercised during fuzzing.
|
|
6
|
+
Use when assessing harness effectiveness or identifying fuzzing blockers.
|
|
7
|
+
---
|
|
8
|
+
|
|
9
|
+
# Coverage Analysis
|
|
10
|
+
|
|
11
|
+
Coverage analysis is essential for understanding which parts of your code are exercised during fuzzing. It helps identify fuzzing blockers like magic value checks and tracks the effectiveness of harness improvements over time.
|
|
12
|
+
|
|
13
|
+
## Overview
|
|
14
|
+
|
|
15
|
+
Code coverage during fuzzing serves two critical purposes:
|
|
16
|
+
|
|
17
|
+
1. **Assessing harness effectiveness**: Understand which parts of your application are actually executed by your fuzzing harnesses
|
|
18
|
+
2. **Tracking fuzzing progress**: Monitor how coverage changes when updating harnesses, fuzzers, or the system under test (SUT)
|
|
19
|
+
|
|
20
|
+
Coverage is a proxy for fuzzer capability and performance. While coverage [is not ideal for measuring fuzzer performance](https://arxiv.org/abs/1808.09700) in absolute terms, it reliably indicates whether your harness works effectively in a given setup.
|
|
21
|
+
|
|
22
|
+
### Key Concepts
|
|
23
|
+
|
|
24
|
+
| Concept | Description |
|
|
25
|
+
|---------|-------------|
|
|
26
|
+
| **Coverage instrumentation** | Compiler flags that track which code paths are executed |
|
|
27
|
+
| **Corpus coverage** | Coverage achieved by running all test cases in a fuzzing corpus |
|
|
28
|
+
| **Magic value checks** | Hard-to-discover conditional checks that block fuzzer progress |
|
|
29
|
+
| **Coverage-guided fuzzing** | Fuzzing strategy that prioritizes inputs that discover new code paths |
|
|
30
|
+
| **Coverage report** | Visual or textual representation of executed vs. unexecuted code |
|
|
31
|
+
|
|
32
|
+
## When to Apply
|
|
33
|
+
|
|
34
|
+
**Apply this technique when:**
|
|
35
|
+
- Starting a new fuzzing campaign to establish a baseline
|
|
36
|
+
- Fuzzer appears to plateau without finding new paths
|
|
37
|
+
- After harness modifications to verify improvements
|
|
38
|
+
- When migrating between different fuzzers
|
|
39
|
+
- Identifying areas requiring dictionary entries or seed inputs
|
|
40
|
+
- Debugging why certain code paths aren't reached
|
|
41
|
+
|
|
42
|
+
**Skip this technique when:**
|
|
43
|
+
- Fuzzing campaign is actively finding crashes
|
|
44
|
+
- Coverage infrastructure isn't set up yet
|
|
45
|
+
- Working with extremely large codebases where full coverage reports are impractical
|
|
46
|
+
- Fuzzer's internal coverage metrics are sufficient for your needs
|
|
47
|
+
|
|
48
|
+
## Quick Reference
|
|
49
|
+
|
|
50
|
+
| Task | Command/Pattern |
|
|
51
|
+
|------|-----------------|
|
|
52
|
+
| LLVM coverage instrumentation (C/C++) | `-fprofile-instr-generate -fcoverage-mapping` |
|
|
53
|
+
| GCC coverage instrumentation | `-ftest-coverage -fprofile-arcs` |
|
|
54
|
+
| cargo-fuzz coverage (Rust) | `cargo +nightly fuzz coverage <target>` |
|
|
55
|
+
| Generate LLVM profile data | `llvm-profdata merge -sparse file.profraw -o file.profdata` |
|
|
56
|
+
| LLVM coverage report | `llvm-cov report ./binary -instr-profile=file.profdata` |
|
|
57
|
+
| LLVM HTML report | `llvm-cov show ./binary -instr-profile=file.profdata -format=html -output-dir html/` |
|
|
58
|
+
| gcovr HTML report | `gcovr --html-details -o coverage.html` |
|
|
59
|
+
|
|
60
|
+
## Ideal Coverage Workflow
|
|
61
|
+
|
|
62
|
+
The following workflow represents best practices for integrating coverage analysis into your fuzzing campaigns:
|
|
63
|
+
|
|
64
|
+
```
|
|
65
|
+
[Fuzzing Campaign]
|
|
66
|
+
|
|
|
67
|
+
v
|
|
68
|
+
[Generate Corpus]
|
|
69
|
+
|
|
|
70
|
+
v
|
|
71
|
+
[Coverage Analysis]
|
|
72
|
+
|
|
|
73
|
+
+---> Coverage Increased? --> Continue fuzzing with larger corpus
|
|
74
|
+
|
|
|
75
|
+
+---> Coverage Decreased? --> Fix harness or investigate SUT changes
|
|
76
|
+
|
|
|
77
|
+
+---> Coverage Plateaued? --> Add dictionary entries or seed inputs
|
|
78
|
+
```
|
|
79
|
+
|
|
80
|
+
**Key principle**: Use the corpus generated *after* each fuzzing campaign to calculate coverage, rather than real-time fuzzer statistics. This approach provides reproducible, comparable measurements across different fuzzing tools.
|
|
81
|
+
|
|
82
|
+
## Step-by-Step
|
|
83
|
+
|
|
84
|
+
### Step 1: Build with Coverage Instrumentation
|
|
85
|
+
|
|
86
|
+
Choose your instrumentation method based on toolchain:
|
|
87
|
+
|
|
88
|
+
**LLVM/Clang (C/C++):**
|
|
89
|
+
```bash
|
|
90
|
+
clang++ -fprofile-instr-generate -fcoverage-mapping \
|
|
91
|
+
-O2 -DNO_MAIN \
|
|
92
|
+
main.cc harness.cc execute-rt.cc -o fuzz_exec
|
|
93
|
+
```
|
|
94
|
+
|
|
95
|
+
**GCC (C/C++):**
|
|
96
|
+
```bash
|
|
97
|
+
g++ -ftest-coverage -fprofile-arcs \
|
|
98
|
+
-O2 -DNO_MAIN \
|
|
99
|
+
main.cc harness.cc execute-rt.cc -o fuzz_exec_gcov
|
|
100
|
+
```
|
|
101
|
+
|
|
102
|
+
**Rust:**
|
|
103
|
+
```bash
|
|
104
|
+
rustup toolchain install nightly --component llvm-tools-preview
|
|
105
|
+
cargo +nightly fuzz coverage fuzz_target_1
|
|
106
|
+
```
|
|
107
|
+
|
|
108
|
+
### Step 2: Create Execution Runtime (C/C++ only)
|
|
109
|
+
|
|
110
|
+
For C/C++ projects, create a runtime that executes your corpus:
|
|
111
|
+
|
|
112
|
+
```cpp
|
|
113
|
+
// execute-rt.cc
|
|
114
|
+
#include <stdio.h>
|
|
115
|
+
#include <stdlib.h>
|
|
116
|
+
#include <dirent.h>
|
|
117
|
+
#include <stdint.h>
|
|
118
|
+
|
|
119
|
+
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
|
|
120
|
+
|
|
121
|
+
void load_file_and_test(const char *filename) {
|
|
122
|
+
FILE *file = fopen(filename, "rb");
|
|
123
|
+
if (file == NULL) {
|
|
124
|
+
printf("Failed to open file: %s\n", filename);
|
|
125
|
+
return;
|
|
126
|
+
}
|
|
127
|
+
|
|
128
|
+
fseek(file, 0, SEEK_END);
|
|
129
|
+
long filesize = ftell(file);
|
|
130
|
+
rewind(file);
|
|
131
|
+
|
|
132
|
+
uint8_t *buffer = (uint8_t*) malloc(filesize);
|
|
133
|
+
if (buffer == NULL) {
|
|
134
|
+
printf("Failed to allocate memory for file: %s\n", filename);
|
|
135
|
+
fclose(file);
|
|
136
|
+
return;
|
|
137
|
+
}
|
|
138
|
+
|
|
139
|
+
long read_size = (long) fread(buffer, 1, filesize, file);
|
|
140
|
+
if (read_size != filesize) {
|
|
141
|
+
printf("Failed to read file: %s\n", filename);
|
|
142
|
+
free(buffer);
|
|
143
|
+
fclose(file);
|
|
144
|
+
return;
|
|
145
|
+
}
|
|
146
|
+
|
|
147
|
+
LLVMFuzzerTestOneInput(buffer, filesize);
|
|
148
|
+
|
|
149
|
+
free(buffer);
|
|
150
|
+
fclose(file);
|
|
151
|
+
}
|
|
152
|
+
|
|
153
|
+
int main(int argc, char **argv) {
|
|
154
|
+
if (argc != 2) {
|
|
155
|
+
printf("Usage: %s <directory>\n", argv[0]);
|
|
156
|
+
return 1;
|
|
157
|
+
}
|
|
158
|
+
|
|
159
|
+
DIR *dir = opendir(argv[1]);
|
|
160
|
+
if (dir == NULL) {
|
|
161
|
+
printf("Failed to open directory: %s\n", argv[1]);
|
|
162
|
+
return 1;
|
|
163
|
+
}
|
|
164
|
+
|
|
165
|
+
struct dirent *entry;
|
|
166
|
+
while ((entry = readdir(dir)) != NULL) {
|
|
167
|
+
if (entry->d_type == DT_REG) {
|
|
168
|
+
char filepath[1024];
|
|
169
|
+
snprintf(filepath, sizeof(filepath), "%s/%s", argv[1], entry->d_name);
|
|
170
|
+
load_file_and_test(filepath);
|
|
171
|
+
}
|
|
172
|
+
}
|
|
173
|
+
|
|
174
|
+
closedir(dir);
|
|
175
|
+
return 0;
|
|
176
|
+
}
|
|
177
|
+
```
|
|
178
|
+
|
|
179
|
+
### Step 3: Execute on Corpus
|
|
180
|
+
|
|
181
|
+
**LLVM (C/C++):**
|
|
182
|
+
```bash
|
|
183
|
+
LLVM_PROFILE_FILE=fuzz.profraw ./fuzz_exec corpus/
|
|
184
|
+
```
|
|
185
|
+
|
|
186
|
+
**GCC (C/C++):**
|
|
187
|
+
```bash
|
|
188
|
+
./fuzz_exec_gcov corpus/
|
|
189
|
+
```
|
|
190
|
+
|
|
191
|
+
**Rust:**
|
|
192
|
+
Coverage data is automatically generated when running `cargo fuzz coverage`.
|
|
193
|
+
|
|
194
|
+
### Step 4: Process Coverage Data
|
|
195
|
+
|
|
196
|
+
**LLVM:**
|
|
197
|
+
```bash
|
|
198
|
+
# Merge raw profile data
|
|
199
|
+
llvm-profdata merge -sparse fuzz.profraw -o fuzz.profdata
|
|
200
|
+
|
|
201
|
+
# Generate text report
|
|
202
|
+
llvm-cov report ./fuzz_exec \
|
|
203
|
+
-instr-profile=fuzz.profdata \
|
|
204
|
+
-ignore-filename-regex='harness.cc|execute-rt.cc'
|
|
205
|
+
|
|
206
|
+
# Generate HTML report
|
|
207
|
+
llvm-cov show ./fuzz_exec \
|
|
208
|
+
-instr-profile=fuzz.profdata \
|
|
209
|
+
-ignore-filename-regex='harness.cc|execute-rt.cc' \
|
|
210
|
+
-format=html -output-dir fuzz_html/
|
|
211
|
+
```
|
|
212
|
+
|
|
213
|
+
**GCC with gcovr:**
|
|
214
|
+
```bash
|
|
215
|
+
# Install gcovr (via pip for latest version)
|
|
216
|
+
python3 -m venv venv
|
|
217
|
+
source venv/bin/activate
|
|
218
|
+
pip3 install gcovr
|
|
219
|
+
|
|
220
|
+
# Generate report
|
|
221
|
+
gcovr --gcov-executable "llvm-cov gcov" \
|
|
222
|
+
--exclude harness.cc --exclude execute-rt.cc \
|
|
223
|
+
--root . --html-details -o coverage.html
|
|
224
|
+
```
|
|
225
|
+
|
|
226
|
+
**Rust:**
|
|
227
|
+
```bash
|
|
228
|
+
# Install required tools
|
|
229
|
+
cargo install cargo-binutils rustfilt
|
|
230
|
+
|
|
231
|
+
# Create HTML generation script
|
|
232
|
+
cat <<'EOF' > ./generate_html
|
|
233
|
+
#!/bin/sh
|
|
234
|
+
if [ $# -lt 1 ]; then
|
|
235
|
+
echo "Error: Name of fuzz target is required."
|
|
236
|
+
echo "Usage: $0 fuzz_target [sources...]"
|
|
237
|
+
exit 1
|
|
238
|
+
fi
|
|
239
|
+
FUZZ_TARGET="$1"
|
|
240
|
+
shift
|
|
241
|
+
SRC_FILTER="$@"
|
|
242
|
+
TARGET=$(rustc -vV | sed -n 's|host: ||p')
|
|
243
|
+
cargo +nightly cov -- show -Xdemangler=rustfilt \
|
|
244
|
+
"target/$TARGET/coverage/$TARGET/release/$FUZZ_TARGET" \
|
|
245
|
+
-instr-profile="fuzz/coverage/$FUZZ_TARGET/coverage.profdata" \
|
|
246
|
+
-show-line-counts-or-regions -show-instantiations \
|
|
247
|
+
-format=html -o fuzz_html/ $SRC_FILTER
|
|
248
|
+
EOF
|
|
249
|
+
chmod +x ./generate_html
|
|
250
|
+
|
|
251
|
+
# Generate HTML report
|
|
252
|
+
./generate_html fuzz_target_1 src/lib.rs
|
|
253
|
+
```
|
|
254
|
+
|
|
255
|
+
### Step 5: Analyze Results
|
|
256
|
+
|
|
257
|
+
Review the coverage report to identify:
|
|
258
|
+
|
|
259
|
+
- **Uncovered code blocks**: Areas that may need better seed inputs or dictionary entries
|
|
260
|
+
- **Magic value checks**: Conditional statements with hardcoded values that block progress
|
|
261
|
+
- **Dead code**: Functions that may not be reachable through your harness
|
|
262
|
+
- **Coverage changes**: Compare against baseline to track improvements or regressions
|
|
263
|
+
|
|
264
|
+
## Common Patterns
|
|
265
|
+
|
|
266
|
+
### Pattern: Identifying Magic Values
|
|
267
|
+
|
|
268
|
+
**Problem**: Fuzzer cannot discover paths guarded by magic value checks.
|
|
269
|
+
|
|
270
|
+
**Coverage reveals:**
|
|
271
|
+
```cpp
|
|
272
|
+
// Coverage shows this block is never executed
|
|
273
|
+
if (buf == 0x7F454C46) { // ELF magic number
|
|
274
|
+
// start parsing buf
|
|
275
|
+
}
|
|
276
|
+
```
|
|
277
|
+
|
|
278
|
+
**Solution**: Add magic values to dictionary file:
|
|
279
|
+
```
|
|
280
|
+
# magic.dict
|
|
281
|
+
"\x7F\x45\x4C\x46"
|
|
282
|
+
```
|
|
283
|
+
|
|
284
|
+
### Pattern: Handling Crashing Inputs
|
|
285
|
+
|
|
286
|
+
**Problem**: Coverage generation fails when corpus contains crashing inputs.
|
|
287
|
+
|
|
288
|
+
**Before:**
|
|
289
|
+
```bash
|
|
290
|
+
./fuzz_exec corpus/ # Crashes on bad input, no coverage generated
|
|
291
|
+
```
|
|
292
|
+
|
|
293
|
+
**After:**
|
|
294
|
+
```cpp
|
|
295
|
+
// Fork before executing to isolate crashes
|
|
296
|
+
int main(int argc, char **argv) {
|
|
297
|
+
// ... directory opening code ...
|
|
298
|
+
|
|
299
|
+
while ((entry = readdir(dir)) != NULL) {
|
|
300
|
+
if (entry->d_type == DT_REG) {
|
|
301
|
+
pid_t pid = fork();
|
|
302
|
+
if (pid == 0) {
|
|
303
|
+
// Child process - crash won't affect parent
|
|
304
|
+
char filepath[1024];
|
|
305
|
+
snprintf(filepath, sizeof(filepath), "%s/%s", argv[1], entry->d_name);
|
|
306
|
+
load_file_and_test(filepath);
|
|
307
|
+
exit(0);
|
|
308
|
+
} else {
|
|
309
|
+
// Parent waits for child
|
|
310
|
+
waitpid(pid, NULL, 0);
|
|
311
|
+
}
|
|
312
|
+
}
|
|
313
|
+
}
|
|
314
|
+
}
|
|
315
|
+
```
|
|
316
|
+
|
|
317
|
+
### Pattern: CMake Integration
|
|
318
|
+
|
|
319
|
+
**Use Case**: Adding coverage builds to CMake projects.
|
|
320
|
+
|
|
321
|
+
```cmake
|
|
322
|
+
project(FuzzingProject)
|
|
323
|
+
cmake_minimum_required(VERSION 3.0)
|
|
324
|
+
|
|
325
|
+
# Main binary
|
|
326
|
+
add_executable(program main.cc)
|
|
327
|
+
|
|
328
|
+
# Fuzzing binary
|
|
329
|
+
add_executable(fuzz main.cc harness.cc)
|
|
330
|
+
target_compile_definitions(fuzz PRIVATE NO_MAIN=1)
|
|
331
|
+
target_compile_options(fuzz PRIVATE -g -O2 -fsanitize=fuzzer)
|
|
332
|
+
target_link_libraries(fuzz -fsanitize=fuzzer)
|
|
333
|
+
|
|
334
|
+
# Coverage execution binary
|
|
335
|
+
add_executable(fuzz_exec main.cc harness.cc execute-rt.cc)
|
|
336
|
+
target_compile_definitions(fuzz_exec PRIVATE NO_MAIN)
|
|
337
|
+
target_compile_options(fuzz_exec PRIVATE -O2 -fprofile-instr-generate -fcoverage-mapping)
|
|
338
|
+
target_link_libraries(fuzz_exec -fprofile-instr-generate)
|
|
339
|
+
```
|
|
340
|
+
|
|
341
|
+
Build:
|
|
342
|
+
```bash
|
|
343
|
+
cmake -DCMAKE_C_COMPILER=clang -DCMAKE_CXX_COMPILER=clang++ .
|
|
344
|
+
cmake --build . --target fuzz_exec
|
|
345
|
+
```
|
|
346
|
+
|
|
347
|
+
## Advanced Usage
|
|
348
|
+
|
|
349
|
+
### Tips and Tricks
|
|
350
|
+
|
|
351
|
+
| Tip | Why It Helps |
|
|
352
|
+
|-----|--------------|
|
|
353
|
+
| Use LLVM 18+ with `-show-directory-coverage` | Organizes large reports by directory structure instead of flat file list |
|
|
354
|
+
| Export to lcov format for better HTML | `llvm-cov export -format=lcov` + `genhtml` provides cleaner per-file reports |
|
|
355
|
+
| Compare coverage across campaigns | Store `.profdata` files with timestamps to track progress over time |
|
|
356
|
+
| Filter harness code from reports | Use `-ignore-filename-regex` to focus on SUT coverage only |
|
|
357
|
+
| Automate coverage in CI/CD | Generate coverage reports automatically after scheduled fuzzing runs |
|
|
358
|
+
| Use gcovr 5.1+ for Clang 14+ | Older gcovr versions have compatibility issues with recent LLVM |
|
|
359
|
+
|
|
360
|
+
### Incremental Coverage Updates
|
|
361
|
+
|
|
362
|
+
GCC's gcov instrumentation incrementally updates `.gcda` files across multiple runs. This is useful for tracking coverage as you add test cases:
|
|
363
|
+
|
|
364
|
+
```bash
|
|
365
|
+
# First run
|
|
366
|
+
./fuzz_exec_gcov corpus_batch_1/
|
|
367
|
+
gcovr --html coverage_v1.html
|
|
368
|
+
|
|
369
|
+
# Second run (adds to existing coverage)
|
|
370
|
+
./fuzz_exec_gcov corpus_batch_2/
|
|
371
|
+
gcovr --html coverage_v2.html
|
|
372
|
+
|
|
373
|
+
# Start fresh
|
|
374
|
+
gcovr --delete # Remove .gcda files
|
|
375
|
+
./fuzz_exec_gcov corpus/
|
|
376
|
+
```
|
|
377
|
+
|
|
378
|
+
### Handling Large Codebases
|
|
379
|
+
|
|
380
|
+
For projects with hundreds of source files:
|
|
381
|
+
|
|
382
|
+
1. **Filter by prefix**: Only generate reports for relevant directories
|
|
383
|
+
```bash
|
|
384
|
+
llvm-cov show ./fuzz_exec -instr-profile=fuzz.profdata /path/to/src/
|
|
385
|
+
```
|
|
386
|
+
|
|
387
|
+
2. **Use directory coverage**: Group by directory to reduce clutter (LLVM 18+)
|
|
388
|
+
```bash
|
|
389
|
+
llvm-cov show -show-directory-coverage -format=html -output-dir html/
|
|
390
|
+
```
|
|
391
|
+
|
|
392
|
+
3. **Generate JSON for programmatic analysis**:
|
|
393
|
+
```bash
|
|
394
|
+
llvm-cov export -format=lcov > coverage.json
|
|
395
|
+
```
|
|
396
|
+
|
|
397
|
+
### Differential Coverage
|
|
398
|
+
|
|
399
|
+
Compare coverage between two fuzzing campaigns:
|
|
400
|
+
|
|
401
|
+
```bash
|
|
402
|
+
# Campaign 1
|
|
403
|
+
LLVM_PROFILE_FILE=campaign1.profraw ./fuzz_exec corpus1/
|
|
404
|
+
llvm-profdata merge -sparse campaign1.profraw -o campaign1.profdata
|
|
405
|
+
|
|
406
|
+
# Campaign 2
|
|
407
|
+
LLVM_PROFILE_FILE=campaign2.profraw ./fuzz_exec corpus2/
|
|
408
|
+
llvm-profdata merge -sparse campaign2.profraw -o campaign2.profdata
|
|
409
|
+
|
|
410
|
+
# Compare
|
|
411
|
+
llvm-cov show ./fuzz_exec \
|
|
412
|
+
-instr-profile=campaign2.profdata \
|
|
413
|
+
-instr-profile=campaign1.profdata \
|
|
414
|
+
-show-line-counts-or-regions
|
|
415
|
+
```
|
|
416
|
+
|
|
417
|
+
## Anti-Patterns
|
|
418
|
+
|
|
419
|
+
| Anti-Pattern | Problem | Correct Approach |
|
|
420
|
+
|--------------|---------|------------------|
|
|
421
|
+
| Using fuzzer-reported coverage for comparisons | Different fuzzers calculate coverage differently, making cross-tool comparison meaningless | Use dedicated coverage tools (llvm-cov, gcovr) for reproducible measurements |
|
|
422
|
+
| Generating coverage with optimizations | `-O3` optimizations can eliminate code, making coverage misleading | Use `-O2` or `-O0` for coverage builds |
|
|
423
|
+
| Not filtering harness code | Harness coverage inflates numbers and obscures SUT coverage | Use `-ignore-filename-regex` or `--exclude` to filter harness files |
|
|
424
|
+
| Mixing LLVM and GCC instrumentation | Incompatible formats cause parsing failures | Stick to one toolchain for coverage builds |
|
|
425
|
+
| Ignoring crashing inputs | Crashes prevent coverage generation, hiding real coverage data | Fix crashes first, or use process forking to isolate them |
|
|
426
|
+
| Not tracking coverage over time | One-time coverage checks miss regressions and improvements | Store coverage data with timestamps and track trends |
|
|
427
|
+
|
|
428
|
+
## Tool-Specific Guidance
|
|
429
|
+
|
|
430
|
+
### libFuzzer
|
|
431
|
+
|
|
432
|
+
libFuzzer uses LLVM's SanitizerCoverage by default for guiding fuzzing, but you need separate instrumentation for generating reports.
|
|
433
|
+
|
|
434
|
+
**Build for coverage:**
|
|
435
|
+
```bash
|
|
436
|
+
clang++ -fprofile-instr-generate -fcoverage-mapping \
|
|
437
|
+
-O2 -DNO_MAIN \
|
|
438
|
+
main.cc harness.cc execute-rt.cc -o fuzz_exec
|
|
439
|
+
```
|
|
440
|
+
|
|
441
|
+
**Execute corpus and generate report:**
|
|
442
|
+
```bash
|
|
443
|
+
LLVM_PROFILE_FILE=fuzz.profraw ./fuzz_exec corpus/
|
|
444
|
+
llvm-profdata merge -sparse fuzz.profraw -o fuzz.profdata
|
|
445
|
+
llvm-cov show ./fuzz_exec -instr-profile=fuzz.profdata -format=html -output-dir html/
|
|
446
|
+
```
|
|
447
|
+
|
|
448
|
+
**Integration tips:**
|
|
449
|
+
- Don't use `-fsanitize=fuzzer` for coverage builds (it conflicts with profile instrumentation)
|
|
450
|
+
- Reuse the same harness function (`LLVMFuzzerTestOneInput`) with a different main function
|
|
451
|
+
- Use the `-ignore-filename-regex` flag to exclude harness code from coverage reports
|
|
452
|
+
- Consider using llvm-cov's `-show-instantiation` flag for template-heavy C++ code
|
|
453
|
+
|
|
454
|
+
### AFL++
|
|
455
|
+
|
|
456
|
+
AFL++ provides its own coverage feedback mechanism, but for detailed reports use standard LLVM/GCC tools.
|
|
457
|
+
|
|
458
|
+
**Build for coverage with LLVM:**
|
|
459
|
+
```bash
|
|
460
|
+
clang++ -fprofile-instr-generate -fcoverage-mapping \
|
|
461
|
+
-O2 main.cc harness.cc execute-rt.cc -o fuzz_exec
|
|
462
|
+
```
|
|
463
|
+
|
|
464
|
+
**Build for coverage with GCC:**
|
|
465
|
+
```bash
|
|
466
|
+
AFL_USE_ASAN=0 afl-gcc -ftest-coverage -fprofile-arcs \
|
|
467
|
+
main.cc harness.cc execute-rt.cc -o fuzz_exec_gcov
|
|
468
|
+
```
|
|
469
|
+
|
|
470
|
+
**Execute and generate report:**
|
|
471
|
+
```bash
|
|
472
|
+
# LLVM approach
|
|
473
|
+
LLVM_PROFILE_FILE=fuzz.profraw ./fuzz_exec afl_output/queue/
|
|
474
|
+
llvm-profdata merge -sparse fuzz.profraw -o fuzz.profdata
|
|
475
|
+
llvm-cov report ./fuzz_exec -instr-profile=fuzz.profdata
|
|
476
|
+
|
|
477
|
+
# GCC approach
|
|
478
|
+
./fuzz_exec_gcov afl_output/queue/
|
|
479
|
+
gcovr --html-details -o coverage.html
|
|
480
|
+
```
|
|
481
|
+
|
|
482
|
+
**Integration tips:**
|
|
483
|
+
- Don't use AFL++'s instrumentation (`afl-clang-fast`) for coverage builds
|
|
484
|
+
- Use standard compilers with coverage flags instead
|
|
485
|
+
- AFL++'s `queue/` directory contains your corpus
|
|
486
|
+
- AFL++'s built-in coverage statistics are useful for real-time monitoring but not for detailed analysis
|
|
487
|
+
|
|
488
|
+
### cargo-fuzz (Rust)
|
|
489
|
+
|
|
490
|
+
cargo-fuzz provides built-in coverage generation using LLVM tools.
|
|
491
|
+
|
|
492
|
+
**Install prerequisites:**
|
|
493
|
+
```bash
|
|
494
|
+
rustup toolchain install nightly --component llvm-tools-preview
|
|
495
|
+
cargo install cargo-binutils rustfilt
|
|
496
|
+
```
|
|
497
|
+
|
|
498
|
+
**Generate coverage data:**
|
|
499
|
+
```bash
|
|
500
|
+
cargo +nightly fuzz coverage fuzz_target_1
|
|
501
|
+
```
|
|
502
|
+
|
|
503
|
+
**Create HTML report script:**
|
|
504
|
+
```bash
|
|
505
|
+
cat <<'EOF' > ./generate_html
|
|
506
|
+
#!/bin/sh
|
|
507
|
+
FUZZ_TARGET="$1"
|
|
508
|
+
shift
|
|
509
|
+
SRC_FILTER="$@"
|
|
510
|
+
TARGET=$(rustc -vV | sed -n 's|host: ||p')
|
|
511
|
+
cargo +nightly cov -- show -Xdemangler=rustfilt \
|
|
512
|
+
"target/$TARGET/coverage/$TARGET/release/$FUZZ_TARGET" \
|
|
513
|
+
-instr-profile="fuzz/coverage/$FUZZ_TARGET/coverage.profdata" \
|
|
514
|
+
-show-line-counts-or-regions -show-instantiations \
|
|
515
|
+
-format=html -o fuzz_html/ $SRC_FILTER
|
|
516
|
+
EOF
|
|
517
|
+
chmod +x ./generate_html
|
|
518
|
+
```
|
|
519
|
+
|
|
520
|
+
**Generate report:**
|
|
521
|
+
```bash
|
|
522
|
+
./generate_html fuzz_target_1 src/lib.rs
|
|
523
|
+
```
|
|
524
|
+
|
|
525
|
+
**Integration tips:**
|
|
526
|
+
- Always use the nightly toolchain for coverage
|
|
527
|
+
- The `-Xdemangler=rustfilt` flag makes function names readable
|
|
528
|
+
- Filter by source files (e.g., `src/lib.rs`) to focus on crate code
|
|
529
|
+
- Use `-show-line-counts-or-regions` and `-show-instantiations` for better Rust-specific output
|
|
530
|
+
- Corpus is located in `fuzz/corpus/<target>/`
|
|
531
|
+
|
|
532
|
+
### honggfuzz
|
|
533
|
+
|
|
534
|
+
honggfuzz works with standard LLVM/GCC coverage instrumentation.
|
|
535
|
+
|
|
536
|
+
**Build for coverage:**
|
|
537
|
+
```bash
|
|
538
|
+
# Use standard compiler, not honggfuzz compiler
|
|
539
|
+
clang -fprofile-instr-generate -fcoverage-mapping \
|
|
540
|
+
-O2 harness.c execute-rt.c -o fuzz_exec
|
|
541
|
+
```
|
|
542
|
+
|
|
543
|
+
**Execute corpus:**
|
|
544
|
+
```bash
|
|
545
|
+
LLVM_PROFILE_FILE=fuzz.profraw ./fuzz_exec honggfuzz_workspace/
|
|
546
|
+
```
|
|
547
|
+
|
|
548
|
+
**Integration tips:**
|
|
549
|
+
- Don't use `hfuzz-clang` for coverage builds
|
|
550
|
+
- honggfuzz corpus is typically in a workspace directory
|
|
551
|
+
- Use the same LLVM workflow as libFuzzer
|
|
552
|
+
|
|
553
|
+
## Troubleshooting
|
|
554
|
+
|
|
555
|
+
| Issue | Cause | Solution |
|
|
556
|
+
|-------|-------|----------|
|
|
557
|
+
| `error: no profile data available` | Profile wasn't generated or wrong path | Verify `LLVM_PROFILE_FILE` was set and `.profraw` file exists |
|
|
558
|
+
| `Failed to load coverage` | Mismatch between binary and profile data | Rebuild binary with same flags used during execution |
|
|
559
|
+
| Coverage reports show 0% | Wrong binary used for report generation | Use the instrumented binary, not the fuzzing binary |
|
|
560
|
+
| `no_working_dir_found` error (gcovr) | `.gcda` files in unexpected location | Add `--gcov-ignore-errors=no_working_dir_found` flag |
|
|
561
|
+
| Crashes prevent coverage generation | Corpus contains crashing inputs | Filter crashes or use forking approach to isolate failures |
|
|
562
|
+
| Coverage decreases after harness change | Harness now skips certain code paths | Review harness logic; may need to support more input formats |
|
|
563
|
+
| HTML report is flat file list | Using older LLVM version | Upgrade to LLVM 18+ and use `-show-directory-coverage` |
|
|
564
|
+
| `incompatible instrumentation` | Mixing LLVM and GCC coverage | Rebuild everything with same toolchain |
|
|
565
|
+
|
|
566
|
+
## Related Skills
|
|
567
|
+
|
|
568
|
+
### Tools That Use This Technique
|
|
569
|
+
|
|
570
|
+
| Skill | How It Applies |
|
|
571
|
+
|-------|----------------|
|
|
572
|
+
| **libfuzzer** | Uses SanitizerCoverage for feedback; coverage analysis evaluates harness effectiveness |
|
|
573
|
+
| **aflpp** | Uses edge coverage for feedback; detailed analysis requires separate instrumentation |
|
|
574
|
+
| **cargo-fuzz** | Built-in `cargo fuzz coverage` command for Rust projects |
|
|
575
|
+
| **honggfuzz** | Uses edge coverage; analyze with standard LLVM/GCC tools |
|
|
576
|
+
|
|
577
|
+
### Related Techniques
|
|
578
|
+
|
|
579
|
+
| Skill | Relationship |
|
|
580
|
+
|-------|--------------|
|
|
581
|
+
| **fuzz-harness-writing** | Coverage reveals which code paths harness reaches; guides harness improvements |
|
|
582
|
+
| **fuzzing-dictionaries** | Coverage identifies magic value checks that need dictionary entries |
|
|
583
|
+
| **corpus-management** | Coverage analysis helps curate corpora by identifying redundant test cases |
|
|
584
|
+
| **sanitizers** | Coverage helps verify sanitizer-instrumented code is actually executed |
|
|
585
|
+
|
|
586
|
+
## Resources
|
|
587
|
+
|
|
588
|
+
### Key External Resources
|
|
589
|
+
|
|
590
|
+
**[LLVM Source-Based Code Coverage](https://clang.llvm.org/docs/SourceBasedCodeCoverage.html)**
|
|
591
|
+
Comprehensive guide to LLVM's profile instrumentation, including advanced features like branch coverage, region coverage, and integration with existing build systems. Covers compiler flags, runtime behavior, and profile data formats.
|
|
592
|
+
|
|
593
|
+
**[llvm-cov Command Guide](https://llvm.org/docs/CommandGuide/llvm-cov.html)**
|
|
594
|
+
Detailed CLI reference for llvm-cov commands including `show`, `report`, and `export`. Documents all filtering options, output formats, and integration with llvm-profdata.
|
|
595
|
+
|
|
596
|
+
**[gcovr Documentation](https://gcovr.com/)**
|
|
597
|
+
Complete guide to gcovr tool for generating coverage reports from gcov data. Covers HTML themes, filtering options, multi-directory projects, and CI/CD integration patterns.
|
|
598
|
+
|
|
599
|
+
**[SanitizerCoverage Documentation](https://clang.llvm.org/docs/SanitizerCoverage.html)**
|
|
600
|
+
Low-level documentation for LLVM's SanitizerCoverage instrumentation. Explains inline 8-bit counters, PC tables, and how fuzzers use coverage feedback for guidance.
|
|
601
|
+
|
|
602
|
+
**[On the Evaluation of Fuzzer Performance](https://arxiv.org/abs/1808.09700)**
|
|
603
|
+
Research paper examining limitations of coverage as a fuzzing performance metric. Argues for more nuanced evaluation methods beyond simple code coverage percentages.
|
|
604
|
+
|
|
605
|
+
### Video Resources
|
|
606
|
+
|
|
607
|
+
Not applicable - coverage analysis is primarily a tooling and workflow topic best learned through documentation and hands-on practice.
|