Follow the instruction to add Confuzz to your project: HOW_TO_PORT.

Identify all configuration tests in your project using the Confuzz identify goal:

mvn confuzz:identify

PS: You need to compile your module before running this goal. The goal will output two CSV files, one called confuzz_identify_ctest.csv that contains all identified configuration tests, and one called confuzz_identify_param.csv that contains all configuration parameters that are accessed by all ctests.

Fuzz a configuration using the fuzz goal:

mvn confuzz:fuzz
-Dconfuzz.generator=<G>
-Dmeringue.testClass=<C> 
-Dmeringue.testMethod=<M>
-DregexFile=<R>
[-Dmeringue.duration=<D>]
[-Dmeringue.outputDirectory=<O>]
[-Dmeringue.javaOptions=<P>]
[-DonlyCheckDefault]
[-Dconfuzz.debug]

Where:

• <G> is the fully-qualified name of the configuration generator class.
• <C> is the fully-qualified name of the test class.
• <M> is the name of the test method.
• <R> is the path of the configuration regex file.
• <D> is the maximum amount of time to execute the fuzzing campaign for specified in the ISO-8601 duration format ( e.g., 2 days, 3 hours, and 4 minutes is "P2DT3H4M"). The default value is one day.
• <O> is the path of the directory to which the output files should be written. The default value is ${project.build.directory}/meringue.
• <P> is a list of Java command line options that should be used for test JVMs.
• The presence of -DonlyCheckDefault checks whehter the current test can pass under default configuration in a same JVM twice.
• The presence of -Dconfuzz.debug indicates that campaign JVMs should suspend and wait for a debugger to attach on port 5005. By default, campaign JVMs do not suspend and wait for a debugger to attach.

Debug a configuration using the debug goal. This goal produces failures.json file under ${meringue.outputDirectory}.

mvn confuzz:debug
-Dconfuzz.generator=<G>
-Dmeringue.testClass=<C> 
-Dmeringue.testMethod=<M>
-DinjectConfigFile=<I>
[-Dmeringue.outputDirectory=<O>]

Where:

• <G> is the fully-qualified name of the configuration generator class.
• <C> is the fully-qualified name of the test class.
• <M> is the name of the test method.
• <I> is the path of the configuration file that should be injected.
• <O> is the path of the directory to which the output files should be written. The default value is ${project.build.directory}/meringue.

Use the coverage goal to calculate the coverage of a fuzzing campaign.

This goal produces a coverage directory under ${meringue.outputDirectory} that contains Jacoco exec file and a coverage_trend.csv file that contains the coverage trend of the campaign.

mvn confuzz:coverage
-Dconfuzz.generator=<G>
-Dmeringue.testClass=<C> 
-Dmeringue.testMethod=<M>
[-Dconfuzz.debug]

Where:

• <G> is the fully-qualified name of the configuration generator class.
• <C> is the fully-qualified name of the test class.
• <M> is the name of the test method.

Use the dumpCov goal to dump the merged jacoco exec file of a fuzzing campaign. You can later use Jacoco to generate the coverage report.

mvn confuzz:dumpCov
-Ddata.dir=<D>
-Doutput.dir=<O>

Where:

• <D> is the path of the directory that contains the .jed files of the campaign.
• <O> is the path of the directory to which the merged jacoco exec file should be written.

mvn confuzz:regex-check
-DregexFile=<R>

Where:

• <R> is the path of the configuration regex file.

Other goals can be found in the GOALS.

You can find our bug and false positive definition here.