[mq] [skip ddci] working branch - merge 793b569 on top of main at 57916f4

gh-worker-dd-mergequeue-cf854d[bot] · web-flow · commit aed054ac75aa · 2026-06-10T15:19:02.000Z
{"baseBranch":"main","baseCommit":"57916f4cdf644682eb573c8d06372f401d963539","createdAt":"2026-06-10T15:18:42.588164Z","headSha":"793b56921a1fcb1690e0fe39ba5b1a9d73bbe8b3","id":"51361c71-4591-4ffb-9859-afbe7eae9f0b","priority":"200","pullRequestNumber":"587","queuedAt":"2026-06-10T15:18:42.585802Z","status":"STATUS_QUEUED"}
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
@@ -28,6 +28,7 @@ stages:
   - integration-test
   - reliability
   - benchmarks
+  - fuzz
   - notify
 
 # Detects newer images in registry and creates GitHub PR with updates
@@ -162,3 +163,4 @@ include:
   - local: .gitlab/reliability/.gitlab-ci.yml
   - local: .gitlab/dd-trace-integration/.gitlab-ci.yml
   - local: .gitlab/sanitizer-tests/.gitlab-ci.yml
+  - local: .gitlab/fuzzing/.gitlab-ci.yml
diff --git a/.gitlab/fuzzing/.gitlab-ci.yml b/.gitlab/fuzzing/.gitlab-ci.yml
@@ -0,0 +1,31 @@
+variables:
+  FUZZ_IMAGE: registry.ddbuild.io/java-profiler-fuzz
+  FUZZYDOG_VERSION: "0.28.0"
+
+fuzz_infra:
+  needs: []
+  extends: .retry-config
+  image: registry.ddbuild.io/images/docker:27.3.1
+  tags: ["arch:amd64"]
+  stage: fuzz
+  timeout: 30m
+  allow_failure: true
+  id_tokens:
+    DDSIGN_ID_TOKEN:
+      aud: image-integrity
+  rules:
+    - if: $NIGHTLY_BUILD == "true"
+    - when: manual
+  before_script:
+    - apt-get update -qq && apt-get install -y -qq curl unzip jq
+    - >-
+      curl -fsSL "https://binaries.ddbuild.io/fuzzing/fuzzydog/${FUZZYDOG_VERSION}/fuzzydog-tar.tar.gz"
+      | tar -xz -C /usr/local/bin fuzzydog-linux-amd64 &&
+      mv /usr/local/bin/fuzzydog-linux-amd64 /usr/local/bin/fuzzydog
+    - >-
+      curl -fsSL "https://releases.hashicorp.com/vault/1.21.1/vault_1.21.1_linux_amd64.zip"
+      -o /tmp/vault.zip &&
+      unzip -o /tmp/vault.zip -d /usr/local/bin vault &&
+      rm /tmp/vault.zip
+  script:
+    - .gitlab/scripts/fuzz_infra.sh
diff --git a/.gitlab/scripts/fuzz_infra.sh b/.gitlab/scripts/fuzz_infra.sh
@@ -0,0 +1,56 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+FUZZ_IMAGE="${FUZZ_IMAGE:-registry.ddbuild.io/java-profiler-fuzz}"
+GIT_SHA="${CI_COMMIT_SHORT_SHA:-$(git rev-parse --short HEAD)}"
+
+export FUZZYDOG_AUTH_TOKEN
+FUZZYDOG_AUTH_TOKEN=$(vault read -field=token identity/oidc/token/security-fuzzing-platform)
+
+# Build and push the compiled image (all fuzz binaries + fuzzydog)
+docker buildx build \
+    --target build \
+    -f docker/Dockerfile.fuzz \
+    --build-arg "FUZZYDOG_VERSION=${FUZZYDOG_VERSION}" \
+    -t "${FUZZ_IMAGE}:${GIT_SHA}" \
+    --push \
+    --metadata-file compiled-metadata.json \
+    .
+
+COMPILED_DIGEST=$(jq -r '."containerimage.digest"' compiled-metadata.json)
+
+# Extract binary list via the manifest target
+docker buildx build \
+    --target manifest \
+    -f docker/Dockerfile.fuzz \
+    --build-arg "FUZZYDOG_VERSION=${FUZZYDOG_VERSION}" \
+    --output "type=local,dest=manifest-out" \
+    .
+
+# For each binary: build thin per-binary image, sign, replicate, register
+while IFS= read -r binary; do
+    [ -z "${binary}" ] && continue
+    # Normalize to k8s-safe label: camelCase -> lowercase-hyphenated, prefixed with repo name
+    normalized=$(printf '%s' "${binary}" | sed 's/[A-Z]/-&/g' | tr '[:upper:]' '[:lower:]' | sed 's/^-//')
+    fuzz_app="java-profiler-${normalized}"
+    IMAGE_REF="${FUZZ_IMAGE}:${GIT_SHA}-${normalized}"
+
+    printf 'FROM %s@%s\nENV FUZZ_APP=%s\nENV FUZZ_BUILD_ID=%s\nRUN ln -sf /fuzzer/builds/%s /fuzzer/builds/%s\n' \
+        "${FUZZ_IMAGE}" "${COMPILED_DIGEST}" "${fuzz_app}" "${GIT_SHA}" "${binary}" "${GIT_SHA}" \
+        | docker buildx build - \
+            -t "${IMAGE_REF}" \
+            --push \
+            --metadata-file "meta-${binary}.json"
+
+    ddsign sign "${IMAGE_REF}" --docker-metadata-file "meta-${binary}.json"
+    ddsign replicate --to us1.ddbuild.io \
+        "${FUZZ_IMAGE}@$(jq -r '."containerimage.digest"' "meta-${binary}.json")"
+
+    fuzzydog fuzzer create "${fuzz_app}" \
+        --image "${IMAGE_REF}" \
+        --version "${GIT_SHA}" \
+        --type libfuzzer \
+        --team profiling \
+        --slack-channel profiling-java \
+        --repository-url https://github.com/DataDog/java-profiler
+done < manifest-out/fuzz_binaries.txt
diff --git a/build-logic/conventions/src/main/kotlin/com/datadoghq/native/fuzz/FuzzTargetsPlugin.kt b/build-logic/conventions/src/main/kotlin/com/datadoghq/native/fuzz/FuzzTargetsPlugin.kt
@@ -73,6 +73,13 @@ class FuzzTargetsPlugin : Plugin<Project> {
             }
         }
 
+        // Build-only aggregate: compiles and links all targets without running them
+        val buildFuzz = project.tasks.register("buildFuzz") {
+            onlyIf { hasFuzzer && !project.hasProperty("skip-tests") && !project.hasProperty("skip-native") && !project.hasProperty("skip-fuzz") }
+            group = "build"
+            description = "Build all fuzz targets without running them"
+        }
+
         if (!hasFuzzer) {
             val msg = if (PlatformUtils.currentPlatform == Platform.MACOS) {
                 "WARNING: libFuzzer not available on macOS — skipping fuzz targets. " +
@@ -168,6 +175,7 @@ class FuzzTargetsPlugin : Plugin<Project> {
                 }
 
                 fuzzAll.configure { dependsOn(executeTask) }
+                buildFuzz.configure { dependsOn(linkTask) }
             }
         }
 
diff --git a/docker/Dockerfile.fuzz b/docker/Dockerfile.fuzz
@@ -0,0 +1,39 @@
+ARG FUZZYDOG_VERSION=0.28.0
+
+FROM registry.ddbuild.io/images/base/gbi-ubuntu_2404:release AS build
+
+USER root
+
+ARG FUZZYDOG_VERSION
+
+ENV DEBIAN_FRONTEND=noninteractive
+RUN apt-get update -qq && apt-get install -y -qq \
+    clang llvm curl git openjdk-21-jdk \
+    && rm -rf /var/lib/apt/lists/*
+
+ENV JAVA_HOME=/usr/lib/jvm/java-21-openjdk-amd64
+ENV PATH=$JAVA_HOME/bin:$PATH
+
+WORKDIR /src
+COPY . .
+
+RUN ./gradlew :ddprof-lib:fuzz:buildFuzz --no-daemon
+
+RUN mkdir -p /fuzzer/builds && \
+    find ddprof-lib/fuzz/build/bin/fuzz -maxdepth 2 -type f -executable \
+        -exec cp {} /fuzzer/builds/ \; && \
+    ls /fuzzer/builds/ > /fuzz_binaries.txt
+
+RUN curl -fsSL "https://binaries.ddbuild.io/fuzzing/fuzzydog/${FUZZYDOG_VERSION}/fuzzydog-tar.tar.gz" \
+    | tar -xz -C /usr/local/bin fuzzydog-linux-amd64 && \
+    mv /usr/local/bin/fuzzydog-linux-amd64 /usr/local/bin/fuzzydog
+
+CMD fuzzydog fuzzer run "$FUZZ_APP" "$FUZZ_BUILD_ID" \
+    --type libfuzzer \
+    --team profiling \
+    --build-path /fuzzer/builds/ \
+    --skip-dl-build \
+    --repository-url https://github.com/DataDog/java-profiler
+
+FROM scratch AS manifest
+COPY --from=build /fuzz_binaries.txt /fuzz_binaries.txt

Original file line number	Diff line number	Diff line change
`@@ -73,6 +73,13 @@ class FuzzTargetsPlugin : Plugin<Project> {`
`73`	`73`	`}`
`74`	`74`	`}`
`75`	`75`
	`76`	`+ // Build-only aggregate: compiles and links all targets without running them`
	`77`	`+ val buildFuzz = project.tasks.register("buildFuzz") {`
	`78`	`+ onlyIf { hasFuzzer && !project.hasProperty("skip-tests") && !project.hasProperty("skip-native") && !project.hasProperty("skip-fuzz") }`
	`79`	`+ group = "build"`
	`80`	`+ description = "Build all fuzz targets without running them"`
	`81`	`+ }`
	`82`	`+`
`76`	`83`	`if (!hasFuzzer) {`
`77`	`84`	`val msg = if (PlatformUtils.currentPlatform == Platform.MACOS) {`
`78`	`85`	`"WARNING: libFuzzer not available on macOS — skipping fuzz targets. " +`
`@@ -168,6 +175,7 @@ class FuzzTargetsPlugin : Plugin<Project> {`
`168`	`175`	`}`
`169`	`176`
`170`	`177`	`fuzzAll.configure { dependsOn(executeTask) }`
	`178`	`+ buildFuzz.configure { dependsOn(linkTask) }`
`171`	`179`	`}`
`172`	`180`	`}`
`173`	`181`