Fuzz introspector
For issues and ideas: https://github.com/ossf/fuzz-introspector/issues
Report generation date: 2024-09-08

Project overview: gitpython

High level conclusions

Reachability and coverage overview

Functions statically reachable by fuzzers
9.0%
57 / 645
Cyclomatic complexity statically reachable by fuzzers
11.0%
240 / 2280
Runtime code coverage of functions
51.0%
329 / 645

Warning: The number of runtime covered functions are larger than the number of reachable functions. This means that Fuzz Introspector found there are more functions covered at runtime than what is considered reachable based on the static analysis. This is a limitation in the analysis as anything covered at runtime is by definition reachable by the fuzzers.
This is likely due to a limitation in the static analysis. In this case, the count of functions covered at runtime is the true value, which means this is what should be considered "achieved" by the fuzzer.

Use the project functions table below to query all functions that were not covered at runtime.

Fuzzer details

Fuzzer: fuzz_repo

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 93 45.5%
gold [1:9] 0 0.0%
yellow [10:29] 0 0.0%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 111 54.4%
All colors 204 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
21 5 git.util.expand_path call site: 00005 typing.cast.object.resolve
16 45 git.util._is_cygwin_git call site: 00045 git.util.py_where
14 117 git.config.GitConfigParser.__init__ call site: 00117 git.config.get_config_path
7 65 git.util._is_cygwin_git call site: 00065 git.util.cygpath
6 89 git.repo.fun.is_git_dir call site: 00089 os.path.join
5 178 git.db.GitCmdObjectDB.__init__ call site: 00178 git.db.GitCmdObjectDB.__init__
4 161 git.repo.fun.find_worktree_git_dir call site: 00161 stat.S_ISREG
3 110 git.repo.base.Repo._get_config_path call site: 00110 git.types.assert_never
3 153 git.repo.fun.find_submodule_git_dir call site: 00153 os.path.dirname
2 98 git.repo.base.Repo.__init__ call site: 00098 git.repo.base.Repo._get_config_path
2 142 git.repo.base.Repo.__init__ call site: 00142 configparser.RawConfigParser.get
1 0 EP call site: 00000 atheris.FuzzedDataProvider

Runtime coverage analysis

Covered functions
386
Functions that are reachable but not covered
95
Reachable functions
123
Percentage of reachable functions covered
22.76%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
/ 1
...gitpython.fuzzing.fuzz-targets.fuzz_repo 15
git.repo.base 37
git.util 55
git.cmd 3
git.repo.fun 20
git.config 15
git.db 1
git.objects.tree 2
git.objects.fun 4
git.compat 2

Fuzzer: fuzz_diff

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 293 66.7%
gold [1:9] 0 0.0%
yellow [10:29] 0 0.0%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 146 33.2%
All colors 439 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
82 279 git.cmd.Git.AutoInterrupt._terminate call site: 00279 git.util.finalize_process
40 5 git.util.expand_path call site: 00005 typing.BinaryIO.resolve
38 232 ...gitpython.fuzzing.fuzz-targets.fuzz_diff.TestOneInput call site: 00232 git.diff.Diff._index_from_patch_format
25 388 git.util.finalize_process call site: 00388 git.diff.Diff.__init__
24 414 ...gitpython.fuzzing.fuzz-targets.fuzz_diff.BytesProcessAdapter.__init__ call site: 00414 git.diff.Diff._handle_diff_line
16 64 git.util._is_cygwin_git call site: 00064 git.util.py_where
14 136 git.config.GitConfigParser.__init__ call site: 00136 git.config.get_config_path
7 84 git.util._is_cygwin_git call site: 00084 git.util.cygpath
7 213 git.objects.base.IndexObject.__init__ call site: 00213 git.objects.base.IndexObject.__init__
6 108 git.repo.fun.is_git_dir call site: 00108 os.path.join
5 223 ...gitpython.fuzzing.fuzz-targets.fuzz_diff.TestOneInput call site: 00223 fdp.ConsumeBytes
4 180 git.repo.fun.find_worktree_git_dir call site: 00180 stat.S_ISREG

Runtime coverage analysis

Covered functions
386
Functions that are reachable but not covered
252
Reachable functions
288
Percentage of reachable functions covered
12.5%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
/ 1
...gitpython.fuzzing.fuzz-targets.fuzz_diff 15
git.repo.base 37
git.util 128
git.cmd 68
git.repo.fun 20
git.config 15
git.db 1
git.diff 40
git.objects.util 4
git.objects.base 1

Fuzzer: fuzz_config

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 19 19.0%
gold [1:9] 0 0.0%
yellow [10:29] 0 0.0%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 81 81.0%
All colors 100 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
13 72 git.config.GitConfigParser._included_paths call site: 00072 git.config.GitConfigParser.items
4 90 git.config.GitConfigParser.read call site: 00090 typing.cast
1 1 ...gitpython.fuzzing.fuzz-targets.fuzz_config.TestOneInput call site: 00001 git.config.GitConfigParser.read
1 98 git.config.GitConfigParser.read call site: 00098 .str

Runtime coverage analysis

Covered functions
385
Functions that are reachable but not covered
75
Reachable functions
83
Percentage of reachable functions covered
9.64%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
/ 1
...gitpython.fuzzing.fuzz-targets.fuzz_config 3
git.config 80

Fuzzer: fuzz_submodule

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 32 20.0%
gold [1:9] 0 0.0%
yellow [10:29] 0 0.0%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 128 80.0%
All colors 160 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
26 133 ...gitpython.fuzzing.fuzz-targets.fuzz_submodule.TestOneInput call site: 00133 fdp.ConsumeUnicodeNoSurrogates
4 121 ...gitpython.fuzzing.fuzz-targets.fuzz_submodule.TestOneInput call site: 00121 fdp.remaining_bytes
1 53 ...gitpython.fuzzing.fuzz-targets.fuzz_submodule.TestOneInput call site: 00053 repo.index.commit
1 127 ...gitpython.fuzzing.fuzz-targets.fuzz_submodule.TestOneInput call site: 00127 writer.release

Runtime coverage analysis

Covered functions
385
Functions that are reachable but not covered
81
Reachable functions
81
Percentage of reachable functions covered
0.0%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
/ 1
...gitpython.fuzzing.fuzz-targets.fuzz_submodule 80

Fuzzer: fuzz_blob

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 0 0.0%
gold [1:9] 0 0.0%
yellow [10:29] 0 0.0%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 80 100.%
All colors 80 100

Runtime coverage analysis

Covered functions
386
Functions that are reachable but not covered
79
Reachable functions
79
Percentage of reachable functions covered
0.0%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
/ 1
...gitpython.fuzzing.fuzz-targets.fuzz_blob 78

Fuzz engine guidance

This sections provides heuristics that can be used as input to a fuzz engine when running a given fuzz target. The current focus is on providing input that is usable by libFuzzer.

/src/gitpython/fuzzing/fuzz-targets/fuzz_repo.py

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['git.util.expand_path', 'git.util._is_cygwin_git', 'git.config.GitConfigParser.__init__', 'git.repo.fun.is_git_dir', 'git.db.GitCmdObjectDB.__init__', 'git.repo.fun.find_worktree_git_dir', 'git.repo.base.Repo._get_config_path', 'git.repo.fun.find_submodule_git_dir', 'git.repo.base.Repo.__init__']

/src/gitpython/fuzzing/fuzz-targets/fuzz_diff.py

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['git.cmd.Git.AutoInterrupt._terminate', 'git.util.expand_path', '...gitpython.fuzzing.fuzz-targets.fuzz_diff.TestOneInput', 'git.util.finalize_process', '...gitpython.fuzzing.fuzz-targets.fuzz_diff.BytesProcessAdapter.__init__', 'git.util._is_cygwin_git', 'git.config.GitConfigParser.__init__', 'git.objects.base.IndexObject.__init__', 'git.repo.fun.is_git_dir']

/src/gitpython/fuzzing/fuzz-targets/fuzz_config.py

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['git.config.GitConfigParser._included_paths', 'git.config.GitConfigParser.read', '...gitpython.fuzzing.fuzz-targets.fuzz_config.TestOneInput']

/src/gitpython/fuzzing/fuzz-targets/fuzz_submodule.py

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['...gitpython.fuzzing.fuzz-targets.fuzz_submodule.TestOneInput']

/src/gitpython/fuzzing/fuzz-targets/fuzz_blob.py

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Runtime coverage analysis

This section shows analysis of runtime coverage data.

For futher technical details on how this section is generated, please see the Glossary .

Complex functions with low coverage

Func name Function total lines Lines covered at runtime percentage covered Reached by fuzzers
git.repo.base.Repo.blame_incremental 36 0 0.0% []
git.repo.base.Repo.blame 75 0 0.0% []
f.readline 55 20 36.36% []
repo.git.read_tree 38 17 44.73% []
git.objects.submodule 38 20 52.63% []
git.cmd.handle_process_output.pump_stream 51 2 3.921% []
git.cmd.Git.refresh 35 12 34.28% []
git.cmd.Git.execute.communicate 34 16 47.05% []
git.remote.PushInfo._from_line 32 0 0.0% []
git.remote.FetchInfo._from_line 56 0 0.0% []
git.remote.Remote._get_fetch_info_from_stderr 39 0 0.0% []
git.util.RemoteProgress._parse_progress_line 44 0 0.0% ['fuzz_diff']
git.repo.fun.rev_parse 97 22 22.68% []
git.index.base.IndexFile.checkout.handle_stderr 75 0 0.0% []
stream.read 299 141 47.15% ['fuzz_repo', 'fuzz_diff']
git.diff.Diffable.diff 38 4 10.52% []
git.diff.Diff.__str__ 33 0 0.0% ['fuzz_diff']
git.diff.Diff._handle_diff_line 38 0 0.0% ['fuzz_diff']
git.objects.util.parse_date 46 2 4.347% []
e.append 61 30 49.18% ['fuzz_config']
git.objects.commit.Commit._deserialize 53 27 50.94% []
git.objects.submodule.base.Submodule.add 56 30 53.57% []
git.objects.submodule.base.Submodule.update 94 13 13.82% []
git.objects.submodule.base.Submodule.move 48 0 0.0% []
git.objects.submodule.base.Submodule.remove 60 0 0.0% []
buf.find 70 16 22.85% []
git.index.fun.aggressive_tree_merge 36 0 0.0% []
git.objects.submodule.root.RootModule.update 104 0 0.0% []
ref.set_reference 44 10 22.72% []

Files and Directories in report

This section shows which files and directories are considered in this report. The main reason for showing this is fuzz introspector may include more code in the reasoning than is desired. This section helps identify if too many files/directories are included, e.g. third party code, which may be irrelevant for the threat model. In the event too much is included, fuzz introspector supports a configuration file that can exclude data from the report. See the following link for more information on how to create a config file: link

Files in report

Source file Reached by Covered by
[] []
git.refs.log [] []
mimetypes [] []
contextlib [] []
git.refs.remote [] []
git.repo.base ['fuzz_repo', 'fuzz_diff'] []
tempfile [] []
git.remote [] []
git.refs.reference [] []
gitdb [] []
git.compat ['fuzz_repo'] []
collections [] []
git.index [] []
utils [] []
git.repo.fun ['fuzz_repo', 'fuzz_diff'] []
shutil [] []
git.objects.submodule.root [] []
git.index.typ [] []
...gitpython.fuzzing.fuzz-targets.fuzz_config ['fuzz_config'] []
git.cmd ['fuzz_repo', 'fuzz_diff'] []
functools [] []
git.index.fun [] []
...gitpython.fuzzing.fuzz-targets.fuzz_submodule ['fuzz_submodule'] []
[] []
git.objects.submodule.base [] []
git.refs [] []
git.objects.fun ['fuzz_repo'] []
weakref [] []
typing_extensions [] []
pathlib [] []
stat [] []
git.util ['fuzz_repo', 'fuzz_diff'] []
platform [] []
...gitpython.fuzzing.fuzz-targets.fuzz_diff ['fuzz_diff'] []
subprocess [] []
textwrap [] []
inspect [] []
getpass [] []
git.index.util [] []
datetime [] []
os [] []
git.refs.head [] []
urllib [] []
git.objects.submodule.util [] []
struct [] []
...gitpython.fuzzing.fuzz-targets.fuzz_blob ['fuzz_blob'] []
uuid [] []
git.objects.tag [] []
io [] []
...gitpython.fuzzing.fuzz-targets.fuzz_repo ['fuzz_repo'] []
git.objects.commit [] []
git.types [] []
git.config ['fuzz_repo', 'fuzz_diff', 'fuzz_config'] []
git.db ['fuzz_repo', 'fuzz_diff'] []
importlib [] []
enum [] []
itertools [] []
configparser [] []
git.index.base [] []
sys [] []
git.refs.symbolic [] []
git.objects.blob [] []
git.exc [] []
fnmatch [] []
logging [] []
git.objects.base ['fuzz_diff'] []
git.refs.tag [] []
calendar [] []
time [] []
warnings [] []
locale [] []
git.objects.tree ['fuzz_repo'] []
re [] []
git.objects.submodule [] []
git.diff ['fuzz_diff'] []
shlex [] []
threading [] []
git.objects [] []
atheris [] []
binascii [] []
typing [] []
gc [] []
git.objects.util ['fuzz_diff'] []
git.repo [] []
git [] []
glob [] []

Directories in report

Directory