Fuzz introspector
For issues and ideas: https://github.com/ossf/fuzz-introspector/issues

Project functions overview

The following table shows data about each function in the project. The functions included in this table correspond to all functions that exist in the executables of the fuzzers. As such, there may be functions that are from third-party libraries.

For further technical details on the meaning of the columns in the table below, please see the Glossary.

Func name Functions filename Args Function call depth Reached by Fuzzers Runtime reached by Fuzzers Combined reached by Fuzzers Fuzzers runtime hit Func lines hit % I Count BB Count Cyclomatic complexity Functions reached Reached by functions Accumulated cyclomatic complexity Undiscovered complexity

Fuzzer details

Fuzzer: fuzz/bundle.c

Call tree

The calltree shows the control flow of the fuzzer, overlaid with coverage information so that it is visible how much of the code the fuzzer can potentially reach is in fact executed at runtime. The full report accompanies this section with a detailed calltree visualisation and a bitmap giving a high-level view of the calltree; for background on both, see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites by colour (each colour is a bucket of runtime hit counts):

Color       | Runtime hitcount | Callsite count | Percentage
red         | 0                | 1461           | 80.8%
gold        | [1:9]            | 20             | 1.10%
yellow      | [10:29]          | 10             | 0.55%
greenyellow | [30:49]          | 5              | 0.27%
lawngreen   | 50+              | 312            | 17.2%
All colors  |                  | 1808           | 100%

In other words, four out of five call sites in the static call tree of fuzz/bundle.c are never executed at runtime; the fuzz blockers below explain where that reachable-but-unexecuted code is cut off.

Fuzz blockers

The following nodes are call sites that the static call tree shows the fuzzer can reach but that the coverage data shows were never executed. Everything behind such a call site stays uncovered; the first column counts the call sites in its subtree that are blocked as a result, so the top rows are the first places to look when trying to raise coverage.

Callsites blocked | Calltree index | Parent function            | Callsite        | Largest blocked function
322               | 1240           | check_bundle               | call site 01240 | cms_verify_fd
310               | 252            | check_remaining_keys       | call site 00252 | parse_slots
294               | 577            | default_config             | call site 00577 | r_context_configure_target
197               | 915            | is_remote_scheme           | call site 00915 | r_nbd_start_server
182               | 67             | key_file_consume_string    | call site 00067 | r_semver_less_equal
43                | 1165           | check_bundle               | call site 01165 | r_context
19                | 43             | r_context_configure        | call site 00043 | load_config_verbose
17                | 1588           | r_context_free_progress_step | call site 01588 | cms_verify_sig
12                | 1569           | r_context_end_step         | call site 01569 | r_context_set_step_percentage
9                 | 565            | check_remaining_groups     | call site 00565 | load_config_verbose
6                 | 9              | r_context_conf             | call site 00009 |
5                 | 18             | signature_init             | call site 00018 |
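The largest blocker above sits in check_bundle at the call to cms_verify_fd: a signature check that mutated bytes cannot satisfy, so the 322 call sites behind it are never exercised. A cryptographic signature cannot be recomputed by the harness; the usual remedy there is a fuzzing build that verifies against a test key or skips verification (a general technique, not an option this page shows RAUC to have). For integrity fields that the harness can recompute (checksums, lengths, magic values) the pattern is shown below as an added example that is not RAUC or fuzz-introspector code: the blob format, crc32_bytes, parse_blob and harness_parse_with_fixup are all constructed for this illustration.

```c
/* Added example (not RAUC or fuzz-introspector code): a fuzz blocker caused
 * by an integrity check, and a harness that reconstructs the check so every
 * input reaches the code behind it. Constructed blob format:
 *   [4-byte little-endian CRC-32 of payload][payload]
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BLOB_TOO_SHORT (-1)
#define BLOB_BAD_CRC   (-2)   /* the "blocker": nothing past this check runs */

/* CRC-32, reflected form with polynomial 0xEDB88320 (the zlib/PNG variant). */
uint32_t crc32_bytes(const uint8_t *p, size_t n)
{
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        c ^= p[i];
        for (int k = 0; k < 8; k++)
            c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return ~c;
}

/* Target under test: refuses to parse unless the stored CRC matches, then
 * counts newline-separated records. Returns the record count or an error. */
int parse_blob(const uint8_t *blob, size_t n)
{
    if (n < 4)
        return BLOB_TOO_SHORT;
    uint32_t stored = (uint32_t)blob[0] | ((uint32_t)blob[1] << 8) |
                      ((uint32_t)blob[2] << 16) | ((uint32_t)blob[3] << 24);
    const uint8_t *payload = blob + 4;
    size_t len = n - 4;
    if (crc32_bytes(payload, len) != stored)
        return BLOB_BAD_CRC;   /* almost every random mutation stops here */

    /* The logic below is what a fuzzer never reaches without help. */
    int records = 0;
    for (size_t i = 0; i < len; i++)
        if (payload[i] == '\n')
            records++;
    if (len > 0 && payload[len - 1] != '\n')
        records++;
    return records;
}

/* Harness side: treat the whole fuzz input as payload and compute the CRC
 * ourselves, so the fuzzer spends its effort on the parser, not on the check. */
int harness_parse_with_fixup(const uint8_t *data, size_t size)
{
    uint8_t *blob = malloc(size + 4);
    if (!blob)
        return BLOB_TOO_SHORT;
    uint32_t crc = crc32_bytes(data, size);
    blob[0] = (uint8_t)crc;
    blob[1] = (uint8_t)(crc >> 8);
    blob[2] = (uint8_t)(crc >> 16);
    blob[3] = (uint8_t)(crc >> 24);
    if (size)
        memcpy(blob + 4, data, size);
    int r = parse_blob(blob, size + 4);
    free(blob);
    return r;
}

int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    (void)harness_parse_with_fixup(data, size);
    return 0;
}

/* Constructed sample: a valid two-record payload behind a deliberately wrong CRC. */
static const uint8_t SAMPLE_BLOB[] = "\x00\x00\x00\x00" "a=1\nb=2";
#define SAMPLE_BLOB_LEN (sizeof(SAMPLE_BLOB) - 1)

int main(void)
{
    printf("raw input:   %d\n", parse_blob(SAMPLE_BLOB, SAMPLE_BLOB_LEN));
    printf("with fixup:  %d\n",
           harness_parse_with_fixup(SAMPLE_BLOB + 4, SAMPLE_BLOB_LEN - 4));
    return 0;
}
```

Build with -fsanitize=fuzzer to drive LLVMFuzzerTestOneInput, or run main() for the constructed sample. The fixup moves the integrity check out of the fuzzed surface on purpose; if the container format itself is a target (length fields, header parsing), keep a second harness that feeds raw input so that path is still exercised.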

Runtime coverage analysis

Covered functions
2235
Functions that are reachable but not covered
260
Reachable functions
382
Percentage of reachable functions covered
31.94%
NB: The sum of covered functions and functions that are reachable but not covered need not equal the number of reachable functions. The reachability analysis is a static approximation, so at runtime some functions may be covered that the static call graph never contained. This is a limitation of the static analysis.
Warning: the number of covered functions (2235) is larger than the number of reachable functions (382). More functions are executed at runtime than the static analysis extracted, which usually means the call graph extraction is incomplete or that the coverage build instrumented code the static analysis did not analyse; the latter happens when lto/gold is not used everywhere coverage instrumentation is used. In this report the low-coverage table further down lists GLib and OpenSSL internals (g_checksum_update, OPENSSL_cpuid_setup), so the covered count includes library code that lies outside the rauc call graph. The 31.94% figure is computed on the reachable set only: 382 - 260 = 122 reachable functions were covered.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
fuzz/bundle.c 13
fuzz/fuzz.h 1
src/context.c 84
src/network.c 16
src/signature.c 115
src/config_file.c 73
src/utils.c 51
src/bootchooser.c 7
src/install.c 1
src/event_log.c 10
src/slot.c 1
src/artifacts.c 1
src/status_file.c 6
src/bootloaders/custom.c 13
include/utils.h 7
src/bootloaders/efi.c 30
src/bootloaders/barebox.c 2
src/bundle.c 80
src/nbd.c 53
src/manifest.c 42

Fuzzer: fuzz/manifest.c

Call tree

The calltree shows the control flow of the fuzzer, overlaid with coverage information so that it is visible how much of the code the fuzzer can potentially reach is in fact executed at runtime. The full report accompanies this section with a detailed calltree visualisation and a bitmap giving a high-level view of the calltree; for background on both, see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites by colour (each colour is a bucket of runtime hit counts):

Color       | Runtime hitcount | Callsite count | Percentage
red         | 0                | 17             | 9.18%
gold        | [1:9]            | 5              | 2.70%
yellow      | [10:29]          | 7              | 3.78%
greenyellow | [30:49]          | 3              | 1.62%
lawngreen   | 50+              | 153            | 82.7%
All colors  |                  | 185            | 100%

The manifest fuzzer has a much smaller call tree than the bundle fuzzer and executes most of it; its few blockers below are individual branches inside the manifest parser rather than a gate in front of a large subtree.

Fuzz blockers

The following nodes are call sites that the static call tree shows the fuzzer can reach but that the coverage data shows were never executed; the first column counts the call sites in the subtree that are blocked as a result.

Callsites blocked | Calltree index | Parent function        | Callsite        | Largest blocked function
4                 | 112            | parse_image            | call site 00112 |
4                 | 129            | parse_image            | call site 00129 | r_ptr_array_addv
2                 | 75             | parse_manifest         | call site 00075 |
1                 | 4              | LLVMFuzzerTestOneInput | call site 00004 | fuzz_set_logging_func
1                 | 6              | fuzz_set_logging_func  | call site 00006 | load_manifest_mem
1                 | 12             | load_manifest_mem      | call site 00012 |
1                 | 68             | parse_manifest         | call site 00068 |
1                 | 70             | parse_manifest         | call site 00070 |
1                 | 78             | parse_manifest         | call site 00078 |
1                 | 119            | parse_image            | call site 00119 |

Runtime coverage analysis

Covered functions
2235
Functions that are reachable but not covered
11
Reachable functions
52
Percentage of reachable functions covered
78.85%
NB: The sum of covered functions and functions that are reachable but not covered need not equal the number of reachable functions. The reachability analysis is a static approximation, so at runtime some functions may be covered that the static call graph never contained. This is a limitation of the static analysis.
Warning: the number of covered functions (2235) is larger than the number of reachable functions (52). The covered count is the same project-wide figure as for fuzz/bundle.c and includes library code outside the static call graph; see the explanation under the bundle fuzzer. The 78.85% figure is computed on the reachable set only: 52 - 11 = 41 reachable functions were covered.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
fuzz/manifest.c 5
fuzz/fuzz.h 1
src/manifest.c 42
src/utils.c 13
include/utils.h 2

Analyses and suggestions

Optimal target analysis

Remaining optimal interesting functions

The following table lists functions that are optimal targets. Optimal targets are identified by finding the functions that, taken in combination, would yield high code coverage: each candidate is scored by the cyclomatic complexity it reaches that no existing fuzzer reaches (the Unreached complexity column).

Func name Functions filename Arg count Args Function depth hitcount instr count bb count cyclomatic complexity Reachable functions Incoming references total cyclomatic complexity Unreached complexity
install_test_bundle /src/rauc/test/install.c 2 ['InstallFixture*', 'gconstpointer'] 12 0 44 5 5 641 1 1871 968
fixture_helper_set_up_bundle /src/rauc/test/install_fixtures.c 3 ['gchar*', 'gchar*', 'ManifestTestOptions*'] 11 0 52 9 8 465 10 1173 433
status_start /src/rauc/src/main.c 2 ['int', 'char**'] 11 0 107 22 22 366 0 1042 310
img_to_fs_handler /src/rauc/src/update_handler.c 4 ['RaucImage*', 'RaucSlot*', 'gchar*', 'GError**'] 14 0 25 8 10 286 0 731 213
convert_start /src/rauc/src/main.c 2 ['int', 'char**'] 17 0 52 9 15 477 0 1333 109
img_to_boot_gpt_switch_handler /src/rauc/src/update_handler.c 4 ['RaucImage*', 'RaucSlot*', 'gchar*', 'GError**'] 13 0 62 11 19 249 0 585 101
cgi_handler /src/rauc/contrib/cgi/src/cgi.c 2 ['int', 'char**'] 4 0 68 17 23 76 1 99 99
r_nbd_run_server /src/rauc/src/nbd.c 2 ['gint', 'GError**'] 5 0 118 15 23 80 1 116 95
img_to_boot_mbr_switch_handler /src/rauc/src/update_handler.c 4 ['RaucImage*', 'RaucSlot*', 'gchar*', 'GError**'] 13 0 61 11 19 220 0 582 80
test_update_handler /src/rauc/test/update_handler.c 2 ['UpdateHandlerFixture*', 'gconstpointer'] 9 0 217 37 43 262 0 572 79

Implementing fuzzers that target the above functions would improve static reachability to:

Functions statically reachable by fuzzers: 50.0% (483 / 974)
Cyclomatic complexity statically reachable by fuzzers: 75.0% (3391 / 4498)
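The selection above rewards functions whose reachable subtree adds the most not-yet-reached complexity, and the Unreached complexity column shrinks as each suggested target is assumed to be fuzzed. The following added example is my own greedy sketch of that idea, not fuzz-introspector's implementation, run on a constructed six-function call graph; struct func, select_targets, unreached_complexity and the SAMPLE data are all assumptions made for the illustration.

```c
/* Added example (not fuzz-introspector code): greedy "optimal target"
 * selection on a constructed call graph. Reach sets are bitmasks, so this
 * sketch handles at most 64 functions. */
#include <stdint.h>
#include <stdio.h>

struct func {
    const char *name;
    unsigned complexity;   /* cyclomatic complexity of this function */
    uint64_t reaches;      /* bit i set if function i is transitively reachable (self included) */
};

/* Complexity of the functions in `reaches` that are not yet in `reached`. */
unsigned unreached_complexity(const struct func *fs, int n, uint64_t reaches, uint64_t reached)
{
    unsigned sum = 0;
    uint64_t gain = reaches & ~reached;
    for (int i = 0; i < n; i++)
        if (gain & (1ULL << i))
            sum += fs[i].complexity;
    return sum;
}

/* Repeatedly take the candidate adding the most unreached complexity (lowest
 * index on ties), then treat its whole subtree as reached. Stores chosen
 * indices in out[] and returns how many were chosen. */
int select_targets(const struct func *fs, int n, uint64_t reached, int *out, int max_out)
{
    int count = 0;
    while (count < max_out) {
        int best = -1;
        unsigned best_gain = 0;
        for (int i = 0; i < n; i++) {
            unsigned gain = unreached_complexity(fs, n, fs[i].reaches, reached);
            if (gain > best_gain) {
                best_gain = gain;
                best = i;
            }
        }
        if (best < 0)
            break;             /* nothing left to gain */
        out[count++] = best;
        reached |= fs[best].reaches;
    }
    return count;
}

/* Constructed call graph (not RAUC's): six functions with precomputed reach sets. */
const struct func SAMPLE[] = {
    { "load",      5, 0x27 },   /* reaches load, parse, verify, checksum */
    { "parse",     3, 0x02 },   /* leaf */
    { "verify",    8, 0x24 },   /* reaches verify, checksum */
    { "serve",     2, 0x18 },   /* reaches serve, negotiate */
    { "negotiate", 4, 0x10 },   /* leaf */
    { "checksum",  1, 0x20 },   /* leaf */
};
#define SAMPLE_N 6
#define SAMPLE_REACHED 0x02ULL   /* an existing fuzzer already reaches parse */

int main(void)
{
    int picks[SAMPLE_N];
    int k = select_targets(SAMPLE, SAMPLE_N, SAMPLE_REACHED, picks, SAMPLE_N);
    for (int i = 0; i < k; i++)
        printf("target %d: %s\n", i + 1, SAMPLE[picks[i]].name);
    return 0;
}
```

On the sample graph the first pick is load (its subtree adds 14 of the 20 unreached complexity points) and the second is serve; verify is never suggested because load already covers it. Greedy set cover is not optimal in general, but it is cheap and explains why a function with modest complexity of its own can top the table when it fans out into many unreached callees.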

All functions overview

If you implement fuzzers for these functions, the status of all functions in the project will be:

Func name Functions filename Args Function call depth Reached by Fuzzers Runtime reached by Fuzzers Combined reached by Fuzzers Fuzzers runtime hit Func lines hit % I Count BB Count Cyclomatic complexity Functions reached Reached by functions Accumulated cyclomatic complexity Undiscovered complexity

Runtime coverage analysis

This section shows analysis of runtime coverage data.

For further technical details on how this section is generated, please see the Glossary.

Complex functions with low coverage

Func name Function total lines Lines covered at runtime percentage covered Reached by fuzzers
read_aliases 36 6 16.66%
g_checksum_update 32 12 37.5%
g_checksum_get_string 34 14 41.17%
g_string_insert_len 51 23 45.09%
g_unichar_to_utf8 45 16 35.55%
check_type_info_I 71 22 30.98%
check_value_table_I 54 19 35.18%
check_derivation_I 36 12 33.33%
type_data_ref_Wm 32 8 25.0%
OPENSSL_cpuid_setup 42 15 35.71%
check_bundle 175 85 48.57% ['/src/rauc/fuzz/bundle.c', '/src/rauc/fuzz/manifest.c']
r_context_configure 63 24 38.09% ['/src/rauc/fuzz/bundle.c', '/src/rauc/fuzz/manifest.c']
cms_get_unverified_manifest 57 29 50.87% ['/src/rauc/fuzz/bundle.c', '/src/rauc/fuzz/manifest.c']
matcher_optimize 33 12 36.36%
g_io_error_from_errno 129 7 5.426%
g_io_error_from_file_error 51 7 13.72%
g_io_modules_scan_all_in_directory_with_scope 95 12 12.63%
_g_io_module_get_default 95 51 53.68%
get_xattrs_from_fd 89 19 21.34%
sandbox_info_read 51 18 35.29%
g_convert_with_iconv 99 50 50.50%
convert_checked 39 12 30.76%
g_data_set_internal 102 39 38.23%
g_file_test 38 13 34.21%
g_file_error_from_errno 103 9 8.737%
g_file_set_contents_full 81 26 32.09%
write_to_file 46 25 54.34%
rename_file 33 8 24.24%
g_get_tmp_name 55 20 36.36%
g_logv 96 51 53.12%
msort_r 71 26 36.61%
msort_with_tmp 117 9 7.692%
g_close 32 6 18.75%
_g_locale_get_charset_aliases 92 32 34.78%
g_object_unref 87 44 50.57%
object_interface_check_properties 77 15 19.48%
g_object_new_internal 47 14 29.78%
g_signal_handlers_destroy 33 8 24.24%
signal_id_lookup 41 22 53.65%
g_type_interface_add_prerequisite 64 31 48.43%
check_add_interface_L 64 27 42.18%
type_check_is_value_type_U 32 16 50.0%
ossl_i2c_ASN1_BIT_STRING 50 25 50.0%
BIO_new_ex 31 14 45.16%
BIO_gets 40 21 52.5%
_dopr 265 106 40.0%
doapr_outch 38 10 26.31%
file_ctrl 102 18 17.64%
mem_ctrl 92 32 34.78%
def_load_bio 313 122 38.97%
str_copy 129 64 49.61%
CONF_modules_load 50 15 30.0%
d2i_DHxparams 34 12 35.29%
dh_new_intern 47 21 44.68%
dsa_new_intern 48 22 45.83%
ossl_ec_key_new_method_int 54 22 40.74%
ossl_ecx_key_op 63 11 17.46%
ossl_decoder_instance_new 49 25 51.02%
collect_decoder 56 29 51.78%
ossl_engine_table_select 74 11 14.86%
get_error_values 60 27 45.0%
evp_pkey_get_legacy 33 7 21.21%
ossl_crypto_new_ex_data_ex 40 21 52.5%
init_thread_deregister 48 20 41.66%
OSSL_PARAM_set_int32 48 14 29.16%
provider_activate 42 21 50.0%
provider_init 154 52 33.76%
ossl_rsa_todata 39 19 48.71%
ossl_ifc_ffc_compute_security_bits 39 21 53.84%
rsa_new_intern 49 23 46.93%
OPENSSL_sk_deep_copy 37 14 37.83%
X509_PURPOSE_add 50 27 54.0%
crl_cb 103 37 35.92%
deflt_query 32 9 28.12%

Fuzz driver synthesis

New fuzzers

The fuzzers below are templates and suggestions for how to target the set of optimal functions above. UNKNOWN_TYPE marks an argument the generator could not construct from the fuzz input; the signatures are given in the optimal target table. Note that several of the suggested targets are test-suite functions (test/install.c, test/install_fixtures.c, test/update_handler.c) or command entry points (src/main.c, contrib/cgi), so check that a target is meaningful to fuzz before building a harness for it.

install.c

Target file: /src/rauc/test/install.c
Target functions: install_test_bundle
#include "ada_fuzz_header.h"

int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  af_safe_gb_init(data, size);

  /* target install_test_bundle */
  /* UNKNOWN_TYPE is a placeholder; the table above gives the signature as
     (InstallFixture *, gconstpointer), both to be built from the fuzz input */
  UNKNOWN_TYPE unknown_0;
  UNKNOWN_TYPE unknown_1;
  install_test_bundle(unknown_0, unknown_1);

  af_safe_gb_cleanup();
  return 0;
}

install_fixtures.c

Target file: /src/rauc/test/install_fixtures.c
Target functions: fixture_helper_set_up_bundle
#include "ada_fuzz_header.h"

int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  af_safe_gb_init(data, size);

  /* target fixture_helper_set_up_bundle */
  /* UNKNOWN_TYPE is a placeholder; the table above gives the signature as
     (gchar *, gchar *, ManifestTestOptions *) */
  UNKNOWN_TYPE unknown_2;
  UNKNOWN_TYPE unknown_3;
  UNKNOWN_TYPE unknown_4;
  fixture_helper_set_up_bundle(unknown_2, unknown_3, unknown_4);

  af_safe_gb_cleanup();
  return 0;
}

main.c

Target file: /src/rauc/src/main.c
Target functions: status_start, convert_start
#include "ada_fuzz_header.h"

int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  af_safe_gb_init(data, size);

  /* target status_start: (int argc, char **argv) derived from the fuzz input */
  int new_var5 = ada_safe_get_int();
  char **new_var6 = af_get_double_char_p();
  status_start(new_var5, new_var6);

  /* target convert_start: same calling convention */
  int new_var11 = ada_safe_get_int();
  char **new_var12 = af_get_double_char_p();
  convert_start(new_var11, new_var12);

  af_safe_gb_cleanup();
  return 0;
}

update_handler.c

Target file: /src/rauc/src/update_handler.c
Target functions: img_to_fs_handler, img_to_boot_gpt_switch_handler, img_to_boot_mbr_switch_handler
#include "ada_fuzz_header.h"

int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  af_safe_gb_init(data, size);

  /* All three handlers share the signature given in the table above:
     (RaucImage *, RaucSlot *, gchar *, GError **). UNKNOWN_TYPE is a
     placeholder for arguments that must be built from the fuzz input. */

  /* target img_to_fs_handler */
  UNKNOWN_TYPE unknown_7;
  UNKNOWN_TYPE unknown_8;
  UNKNOWN_TYPE unknown_9;
  UNKNOWN_TYPE unknown_10;
  img_to_fs_handler(unknown_7, unknown_8, unknown_9, unknown_10);

  /* target img_to_boot_gpt_switch_handler */
  UNKNOWN_TYPE unknown_13;
  UNKNOWN_TYPE unknown_14;
  UNKNOWN_TYPE unknown_15;
  UNKNOWN_TYPE unknown_16;
  img_to_boot_gpt_switch_handler(unknown_13, unknown_14, unknown_15, unknown_16);

  /* target img_to_boot_mbr_switch_handler */
  UNKNOWN_TYPE unknown_21;
  UNKNOWN_TYPE unknown_22;
  UNKNOWN_TYPE unknown_23;
  UNKNOWN_TYPE unknown_24;
  img_to_boot_mbr_switch_handler(unknown_21, unknown_22, unknown_23, unknown_24);

  af_safe_gb_cleanup();
  return 0;
}

cgi.c

Target file: /src/rauc/contrib/cgi/src/cgi.c
Target functions: cgi_handler
#include "ada_fuzz_header.h"

int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  af_safe_gb_init(data, size);

  /* target cgi_handler: (int argc, char **argv) derived from the fuzz input */
  int new_var17 = ada_safe_get_int();
  char **new_var18 = af_get_double_char_p();
  cgi_handler(new_var17, new_var18);

  af_safe_gb_cleanup();
  return 0;
}
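The main.c and cgi.c templates above feed (int, char **) targets from af_get_double_char_p(). Below is an added example, not RAUC code and not part of the ada_fuzz_header.h helpers, of how a harness can derive a bounded, NULL-terminated argv from raw fuzz bytes: build_argv, free_argv, demo_subcommand and the program name "rauc" are assumptions made for the illustration, and demo_subcommand stands in for an entry point such as status_start.

```c
/* Added example (not RAUC code): build argc/argv for a main-style target from
 * fuzz bytes. Arguments are NUL-separated, argv[0] is a fixed program name,
 * and the vector is NULL-terminated as getopt-style parsers expect. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ARGS    16    /* including argv[0]; bounds the vector */
#define MAX_ARG_LEN 256   /* longer arguments are truncated */

static const char *ARGV0 = "rauc";   /* assumption: fixed program name */

static char *dup_bytes(const uint8_t *p, size_t len)
{
    char *s = malloc(len + 1);
    if (!s)
        return NULL;
    if (len)
        memcpy(s, p, len);
    s[len] = '\0';
    return s;
}

void free_argv(char **argv)
{
    if (!argv)
        return;
    for (int i = 0; argv[i]; i++)
        free(argv[i]);
    free(argv);
}

/* Splits `data` on NUL bytes into at most MAX_ARGS - 1 arguments after argv[0].
 * Empty arguments (for example a trailing NUL) are dropped. Returns argc and
 * stores a NULL-terminated vector in *out; returns -1 on allocation failure. */
int build_argv(const uint8_t *data, size_t size, char ***out)
{
    char **argv = calloc(MAX_ARGS + 1, sizeof *argv);
    if (!argv)
        return -1;
    argv[0] = dup_bytes((const uint8_t *)ARGV0, strlen(ARGV0));
    if (!argv[0]) {
        free(argv);
        return -1;
    }
    int argc = 1;
    size_t i = 0;
    while (i < size && argc < MAX_ARGS) {
        size_t start = i;
        while (i < size && data[i] != '\0')
            i++;
        size_t len = i - start;
        if (i < size)
            i++;                      /* step over the separator */
        if (len == 0)
            continue;
        if (len > MAX_ARG_LEN)
            len = MAX_ARG_LEN;
        argv[argc] = dup_bytes(data + start, len);
        if (!argv[argc]) {
            free_argv(argv);
            return -1;
        }
        argc++;
    }
    argv[argc] = NULL;
    *out = argv;
    return argc;
}

/* Stand-in for a subcommand entry point such as status_start(int, char **):
 * requires a subcommand word and counts "--" options. Returns -1 on usage error. */
int demo_subcommand(int argc, char **argv)
{
    if (argc < 2 || argv[1][0] == '-')
        return -1;
    int options = 0;
    for (int i = 2; i < argc; i++)
        if (strncmp(argv[i], "--", 2) == 0)
            options++;
    return options;
}

int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    char **argv = NULL;
    int argc = build_argv(data, size, &argv);
    if (argc < 0)
        return 0;
    (void)demo_subcommand(argc, argv);
    free_argv(argv);
    return 0;
}

int main(void)
{
    /* Constructed seed: "status" then "--detailed", NUL-separated. */
    static const uint8_t seed[] = "status\0--detailed\0";
    char **argv = NULL;
    int argc = build_argv(seed, sizeof seed - 1, &argv);
    for (int i = 0; i < argc; i++)
        printf("argv[%d] = %s\n", i, argv[i]);
    printf("demo_subcommand -> %d\n", demo_subcommand(argc, argv));
    free_argv(argv);
    return 0;
}
```

Because argv[0] is fixed and arguments are NUL-separated, seed corpus files can be written by hand (for example with printf 'status\0--detailed\0'). Whether a real subcommand entry point is worth fuzzing this way depends on what it does on its exit paths and with global option state: a function that calls exit() or leaves parsed options in globals needs that handled in the harness first, otherwise every run either aborts early or carries state into the next input.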

nbd.c

Target file: /src/rauc/src/nbd.c
Target functions: r_nbd_run_server
#include "ada_fuzz_header.h"

int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  af_safe_gb_init(data, size);

  /* target r_nbd_run_server */
  /* UNKNOWN_TYPE is a placeholder; the table above gives the signature as
     (gint, GError **) */
  UNKNOWN_TYPE unknown_19;
  UNKNOWN_TYPE unknown_20;
  r_nbd_run_server(unknown_19, unknown_20);

  af_safe_gb_cleanup();
  return 0;
}

update_handler.c

Target file: /src/rauc/test/update_handler.c
Target functions: test_update_handler
#include "ada_fuzz_header.h"

int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  af_safe_gb_init(data, size);

  /* target test_update_handler */
  /* UNKNOWN_TYPE is a placeholder; the table above gives the signature as
     (UpdateHandlerFixture *, gconstpointer) */
  UNKNOWN_TYPE unknown_25;
  UNKNOWN_TYPE unknown_26;
  test_update_handler(unknown_25, unknown_26);

  af_safe_gb_cleanup();
  return 0;
}

Files and Directories in report

This section shows which files and directories are considered in this report. Fuzz introspector may include more code in its reasoning than is desired, and this section helps identify whether too many files or directories are included, for example third-party or test code that is irrelevant to the threat model. This report includes /src/rauc/test/ and /src/rauc/contrib/cgi/src/, which is why test fixtures and the CGI entry point appear among the suggested optimal targets above. When too much is included, fuzz introspector supports a configuration file that excludes data from the report; see the fuzz-introspector documentation for how to create one.

Files in report

Source file Reached by Covered by
/src/rauc/test/stats.c [] []
/src/rauc/test/install_fixtures.c [] []
/src/rauc/test/utils.c [] []
/src/rauc/src/mbr.c [] []
/src/rauc/src/update_handler.c [] []
/src/rauc/src/checksum.c [] []
/src/rauc/include/emmc.h [] []
/src/rauc/test/progress.c [] []
/src/rauc/src/artifacts_composefs.c [] []
/src/rauc/test/boot_switch.c [] []
/src/rauc/src/bootloaders/efi.c ['fuzz/bundle.c'] []
/src/rauc/fuzz/bundle.c ['fuzz/bundle.c'] ['fuzz/bundle.c']
/src/rauc/src/bootloaders/uboot.c [] []
/src/rauc/src/main.c [] []
/src/rauc/test/checksum.c [] []
/src/rauc/src/update_utils.c [] []
/src/rauc/src/dm.c [] []
/src/rauc/test/status_file.c [] []
/src/rauc/src/config_file.c ['fuzz/bundle.c'] ['fuzz/bundle.c']
/src/rauc/src/bundle.c ['fuzz/bundle.c'] ['fuzz/bundle.c']
/src/rauc/src/emmc.c [] []
/src/rauc/src/bootchooser.c ['fuzz/bundle.c'] []
/src/rauc/test/event_log.c [] []
/src/rauc/src/shell.c [] []
/src/rauc/src/artifacts.c ['fuzz/bundle.c'] []
/src/rauc/src/context.c ['fuzz/bundle.c'] ['fuzz/bundle.c']
/src/rauc/src/utils.c ['fuzz/bundle.c', 'fuzz/manifest.c'] ['fuzz/bundle.c', 'fuzz/manifest.c']
/src/rauc/fuzz/fuzz.h ['fuzz/bundle.c', 'fuzz/manifest.c'] ['fuzz/bundle.c', 'fuzz/manifest.c']
/src/rauc/src/manifest.c ['fuzz/bundle.c', 'fuzz/manifest.c'] ['fuzz/bundle.c', 'fuzz/manifest.c']
/src/rauc/src/bootloaders/barebox.c ['fuzz/bundle.c'] []
/src/rauc/test/dm.c [] []
/src/rauc/test/network.c [] []
/src/rauc/include/manifest.h [] []
/src/rauc/test/boot_raw_fallback.c [] []
/src/rauc/test/manifest.c [] []
/src/rauc/test/hash_index.c [] []
/src/rauc/test/artifacts.c [] []
/src/rauc/test/common.h [] []
/src/rauc/test/slot.c [] []
/src/rauc/src/install.c ['fuzz/bundle.c'] []
/src/rauc/include/network.h [] []
/src/rauc/fuzz/localfuzzer.c [] []
/src/rauc/test/signature.c [] []
/src/rauc/test/config_file.c [] []
/src/rauc/src/event_log.c ['fuzz/bundle.c'] []
/src/rauc/test/bootchooser.c [] []
/src/rauc/src/gpt.c [] []
/src/rauc/src/bootloaders/grub.c [] []
/src/rauc/src/slot.c ['fuzz/bundle.c'] []
/src/rauc/include/artifacts_composefs.h [] []
/src/rauc/src/mark.c [] []
/src/rauc/test/nbd.c [] []
/src/rauc/src/bootloaders/custom.c ['fuzz/bundle.c'] []
/src/rauc/src/service.c [] []
/src/rauc/test/common.c [] []
/src/rauc/src/mount.c [] []
/src/rauc/include/utils.h ['fuzz/bundle.c', 'fuzz/manifest.c'] []
/src/rauc/src/crypt.c [] []
/src/rauc/src/status_file.c ['fuzz/bundle.c'] []
/src/rauc/test/context.c [] []
/src/rauc/contrib/cgi/src/cgi.c [] []
/src/rauc/src/nbd.c ['fuzz/bundle.c'] []
/src/rauc/test/install.c [] []
/src/rauc/src/verity_hash.c [] []
/src/rauc/src/signature.c ['fuzz/bundle.c'] ['fuzz/bundle.c']
/src/rauc/src/network.c ['fuzz/bundle.c'] []
/src/rauc/src/stats.c [] []
/src/rauc/src/hash_index.c [] []
/src/rauc/test/bundle.c [] []
/src/rauc/test/update_handler.c [] []
/src/rauc/fuzz/manifest.c ['fuzz/manifest.c'] ['fuzz/manifest.c']
/src/rauc/test/service.c [] []

Directories in report

Directory
/src/rauc/test/
/src/rauc/src/
/src/rauc/fuzz/
/src/rauc/contrib/cgi/src/
/src/rauc/include/
/src/rauc/src/bootloaders/