Fuzz introspector
For issues and ideas: https://github.com/ossf/fuzz-introspector/issues

Fuzzer details

Fuzzer: ssh_known_hosts_fuzzer

Call tree

The calltree shows the control flow of the fuzzer, overlaid with coverage information to show how much of the code the fuzzer can potentially reach is in fact covered at runtime. Below are a link to a detailed calltree visualisation and a bitmap giving a high-level view of the calltree. For further information on these topics, see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 95 25.3%
gold [1:9] 17 4.53%
yellow [10:29] 3 0.8%
greenyellow [30:49] 1 0.26%
lawngreen 50+ 259 69.0%
All colors 375 100

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
21 21 4 : ['ssh_crypto_finalize', 'ssh_threads_finalize', 'ssh_socket_cleanup', 'ssh_dh_finalize'] 21 33 _ssh_finalize call site: 00364 /src/libssh/src/init.c:165
10 10 1 : ['ssh_pki_key_ecdsa_name'] 10 141 pki_import_pubkey_buffer call site: 00284 /src/libssh/src/pki.c:1332
10 10 1 : ['ssh_dh_finalize'] 10 10 ssh_dh_init call site: 00044 /src/libssh/src/dh.c:260
7 42 3 : ['_ssh_log', '__errno_location', 'ssh_strerror'] 7 42 ssh_known_hosts_read_entries call site: 00058 /src/libssh/src/knownhosts.c:236
6 6 1 : ['buffer_shift'] 6 19 ssh_buffer_add_data call site: 00096 /src/libssh/src/buffer.c:318
6 6 1 : ['buffer_shift'] 6 19 ssh_buffer_allocate_size call site: 00082 /src/libssh/src/buffer.c:347
6 6 2 : ['BN_cmp', 'EC_KEY_get0_private_key'] 6 6 pki_key_compare call site: 00348 /src/libssh/src/pki_crypto.c:855
4 39 3 : ['_ssh_log', 'OpenSSL_version_num', 'OpenSSL_version'] 4 39 ssh_crypto_init call site: 00016 /src/libssh/src/libcrypto.c:1381
4 4 1 : ['ssh_key_is_private'] 6 70 ssh_key_cmp call site: 00331 /src/libssh/src/pki.c:672
4 4 2 : ['EVP_PKEY_free', 'RSA_free'] 4 4 pki_pubkey_build_rsa call site: 00248 /src/libssh/src/pki_crypto.c:1286
2 2 1 : ['explicit_bzero'] 2 28 ssh_key_clean call site: 00305 /src/libssh/src/pki.c:146
2 2 1 : ['abort'] 2 2 ssh_buffer_unpack_va call site: 00232 /src/libssh/src/buffer.c:1259

Runtime coverage analysis

Covered functions
81
Functions that are reachable but not covered
92
Reachable functions
172
Percentage of reachable functions covered
46.51%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions. This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
tests/fuzz/ssh_known_hosts_fuzzer.c 1
src/init.c 4
src/threads/pthread.c 3
src/threads.c 2
src/threads/libcrypto.c 2
src/libcrypto.c 5
src/log.c 9
src/dh.c 2
src/socket.c 2
src/poll.c 2
src/knownhosts.c 7
src/misc.c 8
src/base64.c 4
src/buffer.c 19
src/match.c 3
src/pki.c 11
src/string.c 7
src/bignum.c 1
src/pki_crypto.c 6
src/pki_ed25519_common.c 1

Fuzzer: ssh_client_config_fuzzer

Call tree

The calltree shows the control flow of the fuzzer, overlaid with coverage information to show how much of the code the fuzzer can potentially reach is in fact covered at runtime. Below are a link to a detailed calltree visualisation and a bitmap giving a high-level view of the calltree. For further information on these topics, see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 648 97.7%
gold [1:9] 14 2.11%
yellow [10:29] 0 0.0%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 1 0.15%
All colors 663 100

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
39 39 3 : ['_ssh_log', 'OpenSSL_version_num', 'OpenSSL_version'] 39 39 ssh_crypto_init call site: 00012 /src/libssh/src/libcrypto.c:1381
10 10 1 : ['ssh_dh_finalize'] 10 10 ssh_dh_init call site: 00040 /src/libssh/src/dh.c:260
0 0 None 10 10 ssh_dh_init call site: 00035 /src/libssh/src/dh.c:239
0 0 None 10 10 ssh_dh_init call site: 00036 /src/libssh/src/dh.c:243
0 0 None 10 10 ssh_dh_init call site: 00037 /src/libssh/src/dh.c:248
0 0 None 10 10 ssh_dh_init call site: 00038 /src/libssh/src/dh.c:252
0 0 None 10 10 ssh_dh_init call site: 00039 /src/libssh/src/dh.c:256
0 0 None 6 92 _ssh_init call site: 00003 /src/libssh/src/init.c:66
0 0 None 6 6 _ssh_init call site: 00004 /src/libssh/src/init.c:72
0 0 None 6 6 _ssh_init call site: 00008 /src/libssh/src/init.c:78
0 0 None 6 6 _ssh_init call site: 00011 /src/libssh/src/init.c:83
0 0 None 6 6 _ssh_init call site: 00034 /src/libssh/src/init.c:88

Runtime coverage analysis

Covered functions
9
Functions that are reachable but not covered
287
Reachable functions
295
Percentage of reachable functions covered
2.71%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions. This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
tests/fuzz/ssh_client_config_fuzzer.c 1
src/init.c 4
src/threads/pthread.c 3
src/threads.c 2
src/threads/libcrypto.c 2
src/libcrypto.c 2
src/log.c 10
src/dh.c 2
src/socket.c 6
src/poll.c 6
src/session.c 3
src/wrapper.c 4
src/error.c 3
src/buffer.c 5
src/misc.c 15
src/agent.c 3
src/channels.c 1
src/pcap.c 1
src/pki.c 2
src/pki_crypto.c 1
src/string.c 4
src/dh_crypto.c 1
src/messages.c 1
src/auth.c 2
src/options.c 2
src/kex.c 6
src/token.c 7
src/config.c 11
src/config_parser.c 6
src/match.c 3

Fuzzer: ssh_bind_config_fuzzer

Call tree

The calltree shows the control flow of the fuzzer, overlaid with coverage information to show how much of the code the fuzzer can potentially reach is in fact covered at runtime. Below are a link to a detailed calltree visualisation and a bitmap giving a high-level view of the calltree. For further information on these topics, see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 579 76.6%
gold [1:9] 40 5.29%
yellow [10:29] 16 2.11%
greenyellow [30:49] 3 0.39%
lawngreen 50+ 117 15.4%
All colors 755 100

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
35 35 1 : ['_ssh_set_error_invalid'] 35 35 ssh_bind_config_parse_line call site: 00064 /src/libssh/src/bind_config.c:309
35 35 1 : ['_ssh_set_error_invalid'] 35 35 ssh_bind_options_set call site: 00577 /src/libssh/src/options.c:2117
35 35 1 : ['_ssh_set_error_invalid'] 35 35 ssh_bind_options_set call site: 00588 /src/libssh/src/options.c:2160
35 35 1 : ['_ssh_set_error_invalid'] 35 35 ssh_bind_options_set call site: 00590 /src/libssh/src/options.c:2175
35 35 1 : ['_ssh_set_error_invalid'] 35 35 ssh_bind_options_set call site: 00653 /src/libssh/src/options.c:2190
35 35 1 : ['_ssh_set_error_invalid'] 35 35 ssh_bind_options_set call site: 00655 /src/libssh/src/options.c:2205
35 35 1 : ['_ssh_set_error_invalid'] 35 35 ssh_bind_options_set call site: 00657 /src/libssh/src/options.c:2220
35 35 1 : ['_ssh_set_error_invalid'] 35 35 ssh_bind_options_set call site: 00671 /src/libssh/src/options.c:2251
35 35 1 : ['_ssh_set_error_invalid'] 35 35 ssh_bind_options_set call site: 00673 /src/libssh/src/options.c:2266
21 21 4 : ['ssh_crypto_finalize', 'ssh_threads_finalize', 'ssh_socket_cleanup', 'ssh_dh_finalize'] 21 33 _ssh_finalize call site: 00745 /src/libssh/src/init.c:165
10 10 1 : ['ssh_dh_finalize'] 10 10 ssh_dh_init call site: 00040 /src/libssh/src/dh.c:260
6 6 1 : ['ssh_log_custom'] 6 6 ssh_log_function call site: 00019 /src/libssh/src/log.c:118

Runtime coverage analysis

Covered functions
50
Functions that are reachable but not covered
215
Reachable functions
264
Percentage of reachable functions covered
18.56%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions. This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
tests/fuzz/ssh_bind_config_fuzzer.c 1
src/init.c 4
src/threads/pthread.c 3
src/threads.c 2
src/threads/libcrypto.c 2
src/libcrypto.c 3
src/log.c 10
src/dh.c 2
src/socket.c 2
src/poll.c 2
src/bind.c 2
src/bind_config.c 6
src/error.c 3
src/config_parser.c 2
src/options.c 5
src/pki.c 15
src/misc.c 3
src/pki_container_openssh.c 4
src/base64.c 4
src/buffer.c 19
src/string.c 7
src/bignum.c 1
src/pki_crypto.c 13
src/external/bcrypt_pbkdf.c 2
src/md_crypto.c 3
src/external/blowfish.c 6
src/wrapper.c 1
src/pki_ed25519_common.c 1
src/kex.c 6
src/token.c 7

Fuzzer: ssh_client_fuzzer

Call tree

The calltree shows the control flow of the fuzzer, overlaid with coverage information to show how much of the code the fuzzer can potentially reach is in fact covered at runtime. Below are a link to a detailed calltree visualisation and a bitmap giving a high-level view of the calltree. For further information on these topics, see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 1299 60.8%
gold [1:9] 74 3.46%
yellow [10:29] 74 3.46%
greenyellow [30:49] 16 0.74%
lawngreen 50+ 672 31.4%
All colors 2135 100

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
8692 11095 8 : ['ssh_buffer_add_u8', 'ssh_message_new', '_ssh_buffer_unpack', 'strcmp', 'ssh_message_global_request_reply_success', '_ssh_set_error_oom', 'ssh_message_queue', 'ssh_packet_send'] 8692 11375 ssh_packet_global_request call site: 00000 /src/libssh/src/messages.c:1526
2052 2122 2 : ['ssh_send_rekex', '_ssh_log'] 2052 2122 ssh_packet_socket_callback call site: 01623 /src/libssh/src/packet.c:1376
763 776 10 : ['strcspn', 'ssh_knownhosts_entry_free', 'ssh_known_hosts_parse_line', 'ssh_list_append', 'known_hosts_read_line', 'fclose', 'ssh_list_get_iterator', 'ssh_known_hosts_entries_compare', 'ssh_list_new', '__ctype_b_loc'] 763 776 ssh_known_hosts_read_entries call site: 00979 /src/libssh/src/knownhosts.c:236
251 251 2 : ['ssh_pcap_context_write', 'strlen'] 251 251 ssh_send_banner call site: 00721 /src/libssh/src/client.c:228
247 249 2 : ['ssh_buffer_get', 'ssh_pcap_context_write'] 2428 9290 ssh_packet_socket_callback call site: 00893 /src/libssh/src/packet.c:1273
247 247 1 : ['ssh_pcap_context_write'] 247 1207 packet_send2 call site: 01309 /src/libssh/src/packet.c:1699
234 234 1 : ['server_set_kex'] 242 800 ssh_packet_kexinit call site: 00000 /src/libssh/src/kex.c:391
222 258 9 : ['ssh_knownhosts_entry_free', 'ssh_list_remove', 'ssh_list_get_iterator', 'ssh_list_free', 'ssh_remove_duplicates', 'ssh_list_count', 'ssh_known_host_sigs_from_hostkey_type', 'strlen', 'strncat'] 222 258 ssh_known_hosts_get_algorithms_names call site: 01213 /src/libssh/src/knownhosts.c:571
123 170 6 : ['ssh_find_all_matching', 'FIPS_mode', 'ssh_keep_fips_algos', '_ssh_set_error_oom', 'ssh_append_without_duplicates', 'free'] 123 310 ssh_client_select_hostkeys call site: 00971 /src/libssh/src/kex.c:674
91 91 1 : ['ssh_add_to_default_algos'] 145 228 ssh_options_set_algo call site: 00269 /src/libssh/src/options.c:248
54 54 1 : ['ssh_remove_from_default_algos'] 108 191 ssh_options_set_algo call site: 00270 /src/libssh/src/options.c:250
35 35 1 : ['_ssh_set_error_invalid'] 35 35 channel_default_bufferize call site: 00000 /src/libssh/src/channels.c:975

Runtime coverage analysis

Covered functions
318
Functions that are reachable but not covered
319
Reachable functions
577
Percentage of reachable functions covered
44.71%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions. This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
tests/fuzz/ssh_client_fuzzer.c 2
src/init.c 5
src/threads/pthread.c 3
src/threads.c 3
src/threads/libcrypto.c 2
src/libcrypto.c 8
src/log.c 12
src/dh.c 6
src/socket.c 23
src/poll.c 26
src/session.c 10
src/wrapper.c 10
src/error.c 4
src/buffer.c 30
src/misc.c 25
src/agent.c 3
src/channels.c 30
src/pcap.c 5
src/pki.c 13
src/pki_crypto.c 8
src/string.c 9
src/dh_crypto.c 6
src/messages.c 1
src/auth.c 6
src/options.c 4
src/kex.c 20
src/token.c 8
src/callbacks.c 5
src/client.c 11
src/config.c 11
src/config_parser.c 6
src/match.c 3
src/bignum.c 2
src/packet.c 19
src/packet_crypt.c 4
src/crypto_common.c 1
src/gzip.c 6
src/getrandom_crypto.c 1
src/knownhosts.c 10
src/base64.c 4
src/pki_ed25519_common.c 2
src/server.c 1
src/md_crypto.c 16
src/kdf.c 4
src/dh-gex.c 2
src/ecdh_crypto.c 3
src/curve25519.c 3
src/ecdh.c 1
src/connect.c 4
src/connector.c 19

Fuzzer: ssh_server_fuzzer

Call tree

The calltree shows the control flow of the fuzzer, overlaid with coverage information to show how much of the code the fuzzer can potentially reach is in fact covered at runtime. Below are a link to a detailed calltree visualisation and a bitmap giving a high-level view of the calltree. For further information on these topics, see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 1265 60.8%
gold [1:9] 13 0.62%
yellow [10:29] 11 0.52%
greenyellow [30:49] 9 0.43%
lawngreen 50+ 781 37.5%
All colors 2079 100

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
2315 7379 7 : ['_ssh_buffer_pack', '_ssh_buffer_unpack', 'ssh_message_handle_channel_request', 'strcmp', 'ssh_list_get_iterator', 'ssh_packet_send', 'free'] 2315 7729 channel_rcv_request call site: 00000 /src/libssh/src/channels.c:796
2154 2254 13 : ['ssh_buffer_get_ssh_string', 'ssh_string_free', 'ntohl', 'ssh_buffer_get', 'channel_default_bufferize', 'ssh_buffer_get_len', 'ssh_buffer_pass_bytes', 'grow_window', 'ssh_list_get_iterator', 'ssh_string_data', 'ssh_buffer_get_u32', 'ssh_string_len', '_ssh_set_error'] 2154 2464 channel_rcv_data call site: 00000 /src/libssh/src/channels.c:592
2107 2107 1 : ['ssh_execute_message_callback'] 2107 2107 ssh_message_queue call site: 00000 /src/libssh/src/messages.c:443
2082 2176 10 : ['kex_select_kex_type', 'ssh_string_free', '_ssh_log', 'calloc', 'ssh_buffer_reinit', '_ssh_set_error_oom', 'strlen', 'strchr', 'free', 'dh_handshake'] 2082 2176 ssh_send_kex call site: 01818 /src/libssh/src/kex.c:1051
2053 2053 1 : ['ssh_message_global_request_reply_success'] 2053 2088 ssh_packet_global_request call site: 00000 /src/libssh/src/messages.c:1604
2052 2122 2 : ['ssh_send_rekex', '_ssh_log'] 2052 2122 ssh_packet_socket_callback call site: 01896 /src/libssh/src/packet.c:1376
2050 4159 3 : ['ssh_message_reply_default', '_ssh_log', 'ssh_message_channel_request_open_reply_accept_channel'] 2050 4159 ssh_execute_server_request call site: 00000 /src/libssh/src/messages.c:156
1729 1729 3 : ['ssh_bind_options_expand_escape', 'ssh_bind_config_parse_file', 'free'] 1729 1729 ssh_bind_options_parse_config call site: 00767 /src/libssh/src/options.c:2452
1145 1145 1 : ['ssh_set_client_kex'] 1153 1711 ssh_packet_kexinit call site: 00000 /src/libssh/src/kex.c:391
740 740 1 : ['ssh_bind_import_keys'] 752 1166 ssh_bind_accept_fd call site: 00934 /src/libssh/src/bind.c:500
630 630 1 : ['ssh_pki_openssh_privkey_import'] 630 630 ssh_pki_import_privkey_base64 call site: 00200 /src/libssh/src/pki.c:803
251 251 2 : ['ssh_pcap_context_write', 'strlen'] 251 251 ssh_send_banner call site: 01014 /src/libssh/src/client.c:228

Runtime coverage analysis

Covered functions
320
Functions that are reachable but not covered
297
Reachable functions
530
Percentage of reachable functions covered
43.96%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions. This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
tests/fuzz/ssh_server_fuzzer.c 3
src/bind.c 4
src/session.c 7
src/wrapper.c 11
src/socket.c 15
src/error.c 4
src/buffer.c 31
src/misc.c 23
src/agent.c 3
src/channels.c 1
src/pcap.c 5
src/poll.c 20
src/log.c 10
src/pki.c 21
src/pki_crypto.c 17
src/string.c 9
src/dh_crypto.c 6
src/messages.c 1
src/auth.c 2
src/options.c 9
src/pki_container_openssh.c 4
src/base64.c 4
src/bignum.c 2
src/libcrypto.c 7
src/external/bcrypt_pbkdf.c 2
src/md_crypto.c 16
src/external/blowfish.c 6
src/pki_ed25519_common.c 4
src/kex.c 20
src/token.c 8
src/server.c 7
src/callbacks.c 1
src/bind_config.c 6
src/config_parser.c 2
src/client.c 3
src/packet.c 19
src/packet_crypt.c 4
src/crypto_common.c 1
src/gzip.c 6
src/getrandom_crypto.c 1
src/knownhosts.c 10
src/match.c 3
src/dh.c 5
src/kdf.c 4
src/dh-gex.c 3
src/ecdh_crypto.c 3
src/curve25519.c 4
src/ecdh.c 2

Analyses and suggestions

Optimal target analysis

Remaining optimal interesting functions

The following table lists functions that are optimal targets. Optimal targets are identified by finding the functions that, in combination, yield high code coverage.

Func name Functions filename Arg count Args Function depth hitcount instr count bb count cyclomatic complexity Reachable functions Incoming references total cyclomatic complexity Unreached complexity
ssh_userauth_publickey_auto /src/libssh/src/auth.c 3 ['struct.ssh_session_struct.862 *', 'char *', 'char *'] 29 0 763 108 37 483 0 3194 552
ssh_packet_userauth_request /src/libssh/src/messages.c 4 ['struct.ssh_session_struct *', 'char', 'struct.ssh_buffer_struct *', 'char *'] 28 0 714 143 41 398 0 2583 341
ssh_packet_server_dhgex_request /src/libssh/src/dh-gex.c 4 ['struct.ssh_session_struct *', 'char', 'struct.ssh_buffer_struct *', 'char *'] 21 0 301 51 18 348 0 2139 95
ssh_pki_export_privkey_file /src/libssh/src/pki.c 5 ['struct.ssh_key_struct *', 'char *', 'func_type *', 'char *', 'char *'] 11 0 163 26 10 113 0 493 87
channel_rcv_request /src/libssh/src/channels.c 4 ['struct.ssh_session_struct *', 'char', 'struct.ssh_buffer_struct *', 'char *'] 28 0 731 134 42 368 0 2358 68
ssh_packet_server_dh_init /src/libssh/src/dh.c 4 ['struct.ssh_session_struct *', 'char', 'struct.ssh_buffer_struct *', 'char *'] 16 0 31 3 2 383 0 2373 66
ssh_channel_select /src/libssh/src/channels.c 4 ['struct.ssh_channel_struct **', 'struct.ssh_channel_struct **', 'struct.ssh_channel_struct **', 'struct.ssh_timestamp *'] 11 0 675 137 40 88 0 405 66
ssh_packet_kexinit /src/libssh/src/kex.c 4 ['struct.ssh_session_struct.121 *', 'char', 'struct.ssh_buffer_struct *', 'char *'] 13 0 928 155 51 200 0 1267 64
ssh_session_update_known_hosts /src/libssh/src/knownhosts.c 1 ['struct.ssh_session_struct *'] 9 0 283 43 15 124 0 776 59
ssh_packet_server_curve25519_init /src/libssh/src/curve25519.c 4 ['struct.ssh_session_struct *', 'char', 'struct.ssh_buffer_struct *', 'char *'] 21 0 419 69 25 381 0 2372 45

Implementing fuzzers that target the above functions will improve reachability such that it becomes:

Functions statically reachable by fuzzers
68.0%
595 / 879
Cyclomatic complexity statically reachable by fuzzers
77.0%
5453 / 7108

All functions overview

If you implement fuzzers for these functions, the status of all functions in the project will be:

Func name Functions filename Args Function call depth Reached by Fuzzers Fuzzers runtime hit Func lines hit % I Count BB Count Cyclomatic complexity Functions reached Reached by functions Accumulated cyclomatic complexity Undiscovered complexity

Runtime coverage analysis

This section shows analysis of runtime coverage data.

For further technical details on how this section is generated, please see the Glossary.

Complex functions with low coverage

Func name Function total lines Lines covered at runtime percentage covered Reached by fuzzers
ssh_dh_init 36 19 52.77% ['ssh_known_hosts_fuzzer', 'ssh_client_config_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_client_fuzzer']
hmac_init 38 17 44.73% ['ssh_known_hosts_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer']
pki_pubkey_build_rsa 33 18 54.54% ['ssh_known_hosts_fuzzer', 'ssh_client_config_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer']
ssh_bind_options_set 357 154 43.13% ['ssh_client_config_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_server_fuzzer']
ssh_userauth_get_response 41 17 41.46% ['ssh_client_fuzzer']
ssh_channel_new 44 22 50.0% ['ssh_client_fuzzer']
channel_rcv_change_window 35 18 51.42% []
channel_default_bufferize 45 16 35.55% []
ssh_connect 114 60 52.63% ['ssh_client_fuzzer']
ssh_curve25519_init 59 31 52.54% ['ssh_client_fuzzer', 'ssh_server_fuzzer']
sshkdf_derive_key 38 19 50.0% ['ssh_client_fuzzer', 'ssh_server_fuzzer']
ssh_client_select_hostkeys 70 27 38.57% ['ssh_client_fuzzer', 'ssh_server_fuzzer']
ssh_send_kex 89 48 53.93% ['ssh_client_fuzzer', 'ssh_server_fuzzer']
ssh_hashbufout_add_cookie 31 17 54.83% ['ssh_client_fuzzer', 'ssh_server_fuzzer']
ssh_known_hosts_get_algorithms_names 75 25 33.33% ['ssh_client_fuzzer', 'ssh_server_fuzzer']
ssh_message_free 56 24 42.85% ['ssh_client_config_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer']
ssh_packet_channel_open 94 46 48.93% []
ssh_packet_global_request 116 46 39.65% []
ssh_path_expand_escape 130 46 35.38% ['ssh_client_config_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer']
ssh_options_set 648 118 18.20% ['ssh_client_config_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer']
ssh_options_apply 105 50 47.61% ['ssh_client_fuzzer', 'ssh_server_fuzzer']
ssh_packet_send 59 21 35.59% ['ssh_client_fuzzer', 'ssh_server_fuzzer']
ssh_packet_encrypt 90 37 41.11% ['ssh_client_fuzzer', 'ssh_server_fuzzer']
ssh_key_signature_to_char 33 16 48.48% []
ssh_socket_close 33 15 45.45% ['ssh_client_config_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer']
ssh_bind_accept_fd 114 42 36.84% ['ssh_server_fuzzer']
ssh_packet_channel_open_conf 51 20 39.21% []
channel_rcv_request 135 12 8.888% []
ssh_retrieve_dhgroup 52 16 30.76% []
ssh_message_queue 35 18 51.42% []
ssh_execute_server_request 205 30 14.63% []
ssh_pki_import_privkey_file 63 27 42.85% ['ssh_client_config_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_server_fuzzer']
ssh_pki_export_signature_blob 47 25 53.19% []
pki_key_dup 176 66 37.5% ['ssh_server_fuzzer']
pki_private_key_from_base64 108 35 32.40% ['ssh_client_config_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_server_fuzzer']
pki_sign_data 82 44 53.65% []
ssh_get_key_params 44 20 45.45% []
ssh_auth_reply_default 44 12 27.27% []

Files and Directories in report

This section shows which files and directories are considered in this report. The main reason for showing this is that Fuzz Introspector may include more code in its reasoning than is desired. This section helps identify whether too many files or directories are included, e.g. third-party code, which may be irrelevant for the threat model. If too much is included, Fuzz Introspector supports a configuration file that can exclude data from the report. See the following link for more information on how to create a config file: link

Files in report

Source file Reached by Covered by
[] []
/src/libssh/src/packet.c ['ssh_client_fuzzer', 'ssh_server_fuzzer'] ['ssh_client_fuzzer', 'ssh_server_fuzzer']
/src/libssh/src/libcrypto.c ['ssh_known_hosts_fuzzer', 'ssh_client_config_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer'] ['ssh_known_hosts_fuzzer', 'ssh_client_config_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer']
/src/libssh/src/config_parser.c ['ssh_client_config_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer'] ['ssh_bind_config_fuzzer']
/src/libssh/src/config.c ['ssh_client_config_fuzzer', 'ssh_client_fuzzer'] []
/src/libssh/tests/fuzz/ssh_client_config_fuzzer.c ['ssh_client_config_fuzzer'] []
/src/libssh/src/external/blowfish.c ['ssh_bind_config_fuzzer', 'ssh_server_fuzzer'] []
/src/libssh/src/socket.c ['ssh_known_hosts_fuzzer', 'ssh_client_config_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer'] ['ssh_known_hosts_fuzzer', 'ssh_client_config_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer']
/src/libssh/src/connect.c ['ssh_client_fuzzer'] []
/src/libssh/tests/fuzz/ssh_known_hosts_fuzzer.c ['ssh_known_hosts_fuzzer'] ['ssh_known_hosts_fuzzer']
/src/libssh/src/buffer.c ['ssh_known_hosts_fuzzer', 'ssh_client_config_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer'] ['ssh_known_hosts_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer']
/src/libssh/src/client.c ['ssh_client_fuzzer', 'ssh_server_fuzzer'] ['ssh_client_fuzzer', 'ssh_server_fuzzer']
/src/libssh/src/threads/libcrypto.c ['ssh_known_hosts_fuzzer', 'ssh_client_config_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_client_fuzzer'] ['ssh_known_hosts_fuzzer', 'ssh_client_config_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_client_fuzzer']
/src/libssh/src/poll.c ['ssh_known_hosts_fuzzer', 'ssh_client_config_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer'] ['ssh_known_hosts_fuzzer', 'ssh_client_config_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer']
/src/libssh/src/ecdh.c ['ssh_client_fuzzer', 'ssh_server_fuzzer'] ['ssh_client_fuzzer', 'ssh_server_fuzzer']
/src/libssh/src/bind.c ['ssh_bind_config_fuzzer', 'ssh_server_fuzzer'] ['ssh_bind_config_fuzzer', 'ssh_server_fuzzer']
/src/libssh/src/misc.c ['ssh_known_hosts_fuzzer', 'ssh_client_config_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer'] ['ssh_known_hosts_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer']
/src/libssh/tests/fuzz/ssh_server_fuzzer.c ['ssh_server_fuzzer'] ['ssh_server_fuzzer']
/src/libssh/src/packet_cb.c [] []
/src/libssh/src/getrandom_crypto.c ['ssh_client_fuzzer', 'ssh_server_fuzzer'] ['ssh_client_fuzzer', 'ssh_server_fuzzer']
/src/libssh/src/error.c ['ssh_client_config_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer'] ['ssh_bind_config_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer']
/src/libssh/src/pcap.c ['ssh_client_config_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer'] []
/src/libssh/src/kdf.c ['ssh_client_fuzzer', 'ssh_server_fuzzer'] ['ssh_client_fuzzer', 'ssh_server_fuzzer']
/src/libssh/src/kex.c ['ssh_client_config_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer'] ['ssh_bind_config_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer']
/src/libssh/src/threads/pthread.c ['ssh_known_hosts_fuzzer', 'ssh_client_config_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_client_fuzzer'] ['ssh_known_hosts_fuzzer', 'ssh_client_config_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_client_fuzzer']
/src/libssh/src/crypto_common.c ['ssh_client_fuzzer', 'ssh_server_fuzzer'] []
/src/libssh/src/pki_ed25519_common.c ['ssh_known_hosts_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer'] ['ssh_known_hosts_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer']
/src/libssh/src/auth.c ['ssh_client_config_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer'] ['ssh_client_fuzzer', 'ssh_server_fuzzer']
/src/libssh/tests/fuzz/ssh_bind_config_fuzzer.c ['ssh_bind_config_fuzzer'] ['ssh_bind_config_fuzzer']
/src/libssh/src/server.c ['ssh_client_fuzzer', 'ssh_server_fuzzer'] ['ssh_client_fuzzer', 'ssh_server_fuzzer']
/src/libssh/src/pki_crypto.c ['ssh_known_hosts_fuzzer', 'ssh_client_config_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer'] ['ssh_known_hosts_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer']
/src/libssh/src/md_crypto.c ['ssh_bind_config_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer'] ['ssh_client_fuzzer', 'ssh_server_fuzzer']
/src/libssh/src/base64.c ['ssh_known_hosts_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer'] ['ssh_known_hosts_fuzzer']
/src/libssh/src/dh_crypto.c ['ssh_client_config_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer'] ['ssh_client_fuzzer', 'ssh_server_fuzzer']
/src/libssh/src/bignum.c ['ssh_known_hosts_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer'] ['ssh_known_hosts_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer']
/src/libssh/src/pki_container_openssh.c ['ssh_bind_config_fuzzer', 'ssh_server_fuzzer'] []
/src/libssh/src/ecdh_crypto.c ['ssh_client_fuzzer', 'ssh_server_fuzzer'] ['ssh_client_fuzzer', 'ssh_server_fuzzer']
/src/libssh/src/gzip.c ['ssh_client_fuzzer', 'ssh_server_fuzzer'] []
/src/libssh/src/session.c ['ssh_client_config_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer'] ['ssh_client_fuzzer', 'ssh_server_fuzzer']
/src/libssh/src/log.c ['ssh_known_hosts_fuzzer', 'ssh_client_config_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer'] ['ssh_known_hosts_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer']
/src/libssh/src/messages.c ['ssh_client_config_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer'] ['ssh_client_fuzzer', 'ssh_server_fuzzer']
/src/libssh/src/curve25519.c ['ssh_client_fuzzer', 'ssh_server_fuzzer'] ['ssh_client_fuzzer', 'ssh_server_fuzzer']
/src/libssh/src/dh-gex.c ['ssh_client_fuzzer', 'ssh_server_fuzzer'] ['ssh_client_fuzzer', 'ssh_server_fuzzer']
/src/libssh/src/packet_crypt.c ['ssh_client_fuzzer', 'ssh_server_fuzzer'] ['ssh_client_fuzzer', 'ssh_server_fuzzer']
/src/libssh/src/channels.c ['ssh_client_config_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer'] ['ssh_client_fuzzer', 'ssh_server_fuzzer']
/src/libssh/src/init.c ['ssh_known_hosts_fuzzer', 'ssh_client_config_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_client_fuzzer'] ['ssh_known_hosts_fuzzer', 'ssh_client_config_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_client_fuzzer']
/src/libssh/src/external/bcrypt_pbkdf.c ['ssh_bind_config_fuzzer', 'ssh_server_fuzzer'] []
/src/libssh/src/bind_config.c ['ssh_bind_config_fuzzer', 'ssh_server_fuzzer'] ['ssh_bind_config_fuzzer']
/src/libssh/src/wrapper.c ['ssh_client_config_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer'] ['ssh_client_fuzzer', 'ssh_server_fuzzer']
/src/libssh/src/match.c ['ssh_known_hosts_fuzzer', 'ssh_client_config_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer'] ['ssh_known_hosts_fuzzer']
/src/libssh/src/callbacks.c ['ssh_client_fuzzer', 'ssh_server_fuzzer'] ['ssh_client_fuzzer', 'ssh_server_fuzzer']
/src/libssh/src/knownhosts.c ['ssh_known_hosts_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer'] ['ssh_known_hosts_fuzzer', 'ssh_client_fuzzer']
/src/libssh/src/agent.c ['ssh_client_config_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer'] ['ssh_client_fuzzer', 'ssh_server_fuzzer']
/src/libssh/src/connector.c ['ssh_client_fuzzer'] []
/src/libssh/src/options.c ['ssh_client_config_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer'] ['ssh_bind_config_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer']
/src/libssh/src/dh.c ['ssh_known_hosts_fuzzer', 'ssh_client_config_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer'] ['ssh_known_hosts_fuzzer', 'ssh_client_config_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer']
/src/libssh/tests/fuzz/ssh_client_fuzzer.c ['ssh_client_fuzzer'] ['ssh_client_fuzzer']
/src/libssh/src/pki.c ['ssh_known_hosts_fuzzer', 'ssh_client_config_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer'] ['ssh_known_hosts_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer']
/src/libssh/src/token.c ['ssh_client_config_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer'] ['ssh_bind_config_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer']
/src/libssh/src/threads.c ['ssh_known_hosts_fuzzer', 'ssh_client_config_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_client_fuzzer'] ['ssh_known_hosts_fuzzer', 'ssh_client_config_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_client_fuzzer']
/src/libssh/src/string.c ['ssh_known_hosts_fuzzer', 'ssh_client_config_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer'] ['ssh_known_hosts_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer']

Directories in report

Directory
/src/libssh/src/external/
/src/libssh/src/
/src/libssh/src/threads/
/src/libssh/tests/fuzz/