API
We provide an API for accessing the data stored on this website. The primary goal is to enable tool development for external parties and make it easier to query the state of open source fuzzing.
We are always interested in hearing ideas for new APIs to get certain data exposed and we are happy to maintain a large set of APIs. In the event you have ideas or requests for certain data, then please reach out on Fuzz Introspector's issues or OSS-Fuzz's issues.
APIs
/api/annotated-cfg?project={project_name}
Gets the functions targeted by a specific fuzzer in the target code. Specifically, this is used to identify the main entrypoints into the target code that is being fuzzed.
JSON Schema
{
"project": {
"name": string,
"annotated_cfg": [ {
"fuzzer_name": string,
"destinations": [ {
"accummulated_cyclomatic_complexity": integer,
"arg_names": [string],
"arg_types": [string],
"cyclomatic_complexity": integer,
"function_name": string,
"raw_function_name": string,
"return_type": string,
"source_file": string,
} ],
"source_file": string,
} ],
},
"result": string
}
Example Extracting the data of the main json-c project which has a single fuzzer tokener_parser_ex fuzzer using the URL: https://introspector.oss-fuzz.com/api/annotated-cfg?project=json-c:
$ curl -L https://introspector.oss-fuzz.com/api/annotated-cfg?project=json-c | python3 -m json.tool
{
"project": {
"annotated_cfg": [
{
"destinations": [
{
"accummulated_cyclomatic_complexity": 51,
"arg_names": [],
"arg_types": [],
"cyclomatic_complexity": 2,
"function_name": "json_tokener_new",
"raw_function_name": "json_tokener_new",
"return_type": "struct.json_tokener *",
"source_file": "/src/json-c/json_tokener.c"
},
{
"accummulated_cyclomatic_complexity": 688,
"arg_names": [
"tok",
"str",
"len"
],
"arg_types": [
"struct.json_tokener *",
"char *",
"int"
],
"cyclomatic_complexity": 280,
"function_name": "json_tokener_parse_ex",
"raw_function_name": "json_tokener_parse_ex",
"return_type": "struct.json_object *",
"source_file": "/src/json-c/json_tokener.c"
},
{
"accummulated_cyclomatic_complexity": 32,
"arg_names": [
"jso"
],
"arg_types": [
"struct.json_object *"
],
"cyclomatic_complexity": 4,
"function_name": "json_object_put",
"raw_function_name": "json_object_put",
"return_type": "int",
"source_file": "/src/json-c/json_object.c"
},
{
"accummulated_cyclomatic_complexity": 41,
"arg_names": [
"tok"
],
"arg_types": [
"struct.json_tokener *"
],
"cyclomatic_complexity": 3,
"function_name": "json_tokener_free",
"raw_function_name": "json_tokener_free",
"return_type": "void",
"source_file": "/src/json-c/json_tokener.c"
}
],
"fuzzer_name": "tokener_parse_ex_fuzzer",
"source_file": "/src/tokener_parse_ex_fuzzer.cc"
}
],
"name": "json-c"
},
"result": "success"
}
/api/far-reach-but-low-coverage?project={project_name}
Gets the functions in the target project that has a lot of complexity but has low code coverage. The main point behind this data point is that it shows promising new functions to hit for a given target.
JSON Schema
{
"functions": [ {
"accummulated_complexity": integer,
"function_argument_names": [ string ],
"function_arguments": [ string ],
"function_name": string,
"function_filename": string,
"is_reached": boolean,
"raw_function_name": string,
"reached_by_fuzzers": [],
"return_type": string,
"runtime_coverage_percent": number
} ],
"result": string
}
Example Extracting the data of the main json-c project which has a single fuzzer tokener_parser_ex fuzzer using the URL: https://introspector.oss-fuzz.com/api/far-reach-but-low-coverage?project=json-c:
$ curl -L https://introspector.oss-fuzz.com/api/far-reach-but-low-coverage?project=json-c | python3 -m json.tool
{
"functions": [
{
"accummulated_complexity": 746,
"function_argument_names": [
"filename"
],
"function_arguments": [
"char *"
],
"function_filename": "/src/json-c/json_util.c",
"function_name": "json_object_from_file",
"is_reached": false,
"raw_function_name": "json_object_from_file",
"reached_by_fuzzers": [],
"return_type": "struct.json_object *",
"runtime_coverage_percent": 0.0
},
{
"accummulated_complexity": 739,
"function_argument_names": [
"fd"
],
"function_arguments": [
"int"
],
"function_filename": "/src/json-c/json_util.c",
"function_name": "json_object_from_fd",
"is_reached": false,
"raw_function_name": "json_object_from_fd",
"reached_by_fuzzers": [],
"return_type": "struct.json_object *",
"runtime_coverage_percent": 0.0
},
{
"accummulated_complexity": 737,
"function_argument_names": [
"fd",
"in_depth"
],
"function_arguments": [
"int",
"int"
],
"function_filename": "/src/json-c/json_util.c",
"function_name": "json_object_from_fd_ex",
"is_reached": false,
"raw_function_name": "json_object_from_fd_ex",
"reached_by_fuzzers": [],
"return_type": "struct.json_object *",
"runtime_coverage_percent": 0.0
},
...
],
"result": "success"
}
/api/project-summary?project={project_name}
Extracts a summary of a given project, including:
- - Runtime code coverage stats
- - Stats about the project, e.g. fuzzer count and function count
- - Stats about static reachability achieved
- - A list of fuzz-blockers definedby Branch-blockers, including the specific functions blocked
- - The annotated CFG (similar to output by /api/annotated-cfg
JSON Schema
{
"project": {
"introspector_data": {
"annotated_cfg": [ {
"fuzzer_name": string,
"destinations": [ {
"accummulated_cyclomatic_complexity": integer,
"arg_names": [string],
"arg_types": [string],
"cyclomatic_complexity": integer,
"function_name": string,
"raw_function_name": string,
"return_type": string,
"source_file": string,
} ],
"source_file": string,
} ],
"branch_pairs": [ {
"blocked_runtime_coverage": integer,
"function_name": string,
"project": string,
} ],
"coverage_lines": number,
"function_count": integer,
"functions_covered_estimate": nubber,
"fuzzer_count": integer,
"introspector_report_url": string,
"static_reachability": number
},
"name": string,
"runtime_coverage_data": {
"coverage_url": string,
"line_coverage": {
"count": integer,
"covered": integer,
"percent": number
}
}
},
"result": "success"
}
Example Extracting the data of the main json-c project which has a single fuzzer tokener_parser_ex fuzzer using the URL: https://introspector.oss-fuzz.com/api/project-summary?project=json-c:
$ curl -L https://introspector.oss-fuzz.com/api/project-summary?project=json-c | python3 -m json.tool
{
"project": {
"introspector-data": {
"annotated_cfg": [
{
"destinations": [
{
"accummulated_cyclomatic_complexity": 51,
"arg_names": [],
"arg_types": [],
"cyclomatic_complexity": 2,
"function_name": "json_tokener_new",
"raw_function_name": "json_tokener_new",
"return_type": "struct.json_tokener *",
"source_file": "/src/json-c/json_tokener.c"
},
{
"accummulated_cyclomatic_complexity": 688,
"arg_names": [
"tok",
"str",
"len"
],
"arg_types": [
"struct.json_tokener *",
"char *",
"int"
],
"cyclomatic_complexity": 280,
"function_name": "json_tokener_parse_ex",
"raw_function_name": "json_tokener_parse_ex",
"return_type": "struct.json_object *",
"source_file": "/src/json-c/json_tokener.c"
}, {
...
],
"fuzzer_name": "tokener_parse_ex_fuzzer",
"source_file": "/src/tokener_parse_ex_fuzzer.cc"
}
],
"branch_pairs": [
{
"blocked_runtime_coverage": 35,
"blocked_unique_functions": [
"get_dev_random_seed",
"get_time_seed"
],
"function_name": "json_c_get_random_seed",
"linenumber": "336",
"project": "json-c",
"source_file": "/src/json-c/random_seed.c"
},
...
],
"coverage_lines": 37.0,
"function_count": 182,
"functions_covered_estimate": 37.0,
"fuzzer_count": 1,
"introspector_report_url": "https://storage.googleapis.com/oss-fuzz-introspector/json-c/inspector-report/20231120/fuzz_report.html",
"static_reachability": 63.40996168582376
},
"name": "json-c",
"runtime_coverage_data": {
"coverage_url": "https://storage.googleapis.com/oss-fuzz-coverage/json-c/reports/20231120/linux/report.html",
"line_coverage": {
"count": 3150,
"covered": 1314,
"percent": 41.71
}
}
},
"result": "success"
}
/api/branch-blockers?project={project_name}
Extracts the branch blockers identified for a given project:
JSON Schema{
"project_blockers": [ {
"project_name": string,
"function_name": string,
"source_file": string,
"src_linenumber": string,
"unique_blocked_coverage": integer,
"blocked_unique_functions": [string],
} ],
"result": string,
}
Extracting the data of the main json-c project which has a single fuzzer tokener_parser_ex fuzzer using the URL: https://introspector.oss-fuzz.com/api/branch-blockers?project=json-c:
$ curl -L https://introspector.oss-fuzz.com/api/branch-blockers?project=json-c | python3 -m json.tool
{
"project_blockers": [
{
"blocked_unique_functions": [
"get_dev_random_seed",
"get_time_seed"
],
"function_name": "json_c_get_random_seed",
"project_name": "json-c",
"source_file": "/src/json-c/random_seed.c",
"src_linenumber": "336",
"unique_blocked_coverage": 35
},
{
"blocked_unique_functions": [
"__errno_location",
"_json_c_strerror"
],
"function_name": "get_getrandom_seed",
"project_name": "json-c",
"source_file": "/src/json-c/random_seed.c",
"src_linenumber": "190",
"unique_blocked_coverage": 19
},
{
"blocked_unique_functions": [
"json_abort"
],
"function_name": "json_object_array_shrink",
"project_name": "json-c",
"source_file": "/src/json-c/json_object.c",
"src_linenumber": "1566",
"unique_blocked_coverage": 7
}
],
"result": "success"
}
/api/all-functions?project={project_name}
Returns a json representation of all the functions in a given project:
JSON Schema{
"functions": [ {
"function_name": string,
"function_filename": string,
"raw_function_name": string,
"is_reached": boolean,
"accummulated_complexity": integer,
"function_argument_names": [string],
"function_arguments": [string],
"reached_by_fuzzers": [string],
"return_type": string,
"runtime_coverage_percent": number,
}],
"result": string,
}
Using this on ada-url: https://introspector.oss-fuzz.com/api/all-functions?project=ada-url:
$ curl -L https://introspector.oss-fuzz.com/api/all-functions?project=ada-url | python3 -m json.tool
{
"functions": [
{
"accummulated_complexity": 13,
"function_argument_names": [
"result",
"key",
"key_length",
"value",
"value_length"
],
"function_arguments": [
"char *",
"char *",
"size_t",
"char *",
"size_t"
],
"function_filename": "/src/ada-url/build/singleheader/ada.cpp",
"function_name": "ada_search_params_has_value",
"is_reached": false,
"raw_function_name": "ada_search_params_has_value",
"reached_by_fuzzers": [],
"return_type": "bool",
"runtime_coverage_percent": 0.0
},
{
"accummulated_complexity": 13,
"function_argument_names": [
"result",
"key",
"key_length"
],
"function_arguments": [
"char *",
"char *",
"size_t"
],
"function_filename": "/src/ada-url/build/singleheader/ada.cpp",
"function_name": "ada_search_params_has",
"is_reached": false,
"raw_function_name": "ada_search_params_has",
"reached_by_fuzzers": [],
"return_type": "bool",
"runtime_coverage_percent": 0.0
}
],
"result": "succes"
}