Bump github/codeql-action from 1 to 2

.github/workflows/mayhem.yml

@@ -0,0 +1,64 @@
+name: Mayhem
+on:
+  push:
+  pull_request:
+  workflow_dispatch:
+  workflow_call:
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+  build:
+    name: ${{ matrix.os }} shared=${{ matrix.shared }} ${{ matrix.build_type }}
+    runs-on: ${{ matrix.os }}
+    permissions:
+      packages: write
+      contents: write
+      security-events: write
+
+    strategy:
+      matrix:
+        os: [ubuntu-latest]
+        shared: [false]
+        build_type: [Release]
+        include:
+          - os: ubuntu-latest
+            triplet: x64-linux
+
+    steps:
+      - uses: actions/checkout@v2
+
+      - name: Log in to the Container registry
+        uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@ad44023a93711e3deb337508980b4b5e9bcdc5dc
+        with:
+          context: .
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+
+      - name: Start analysis
+        uses: ForAllSecure/mcode-action@v1
+        with:
+          mayhem-token: ${{ secrets.MAYHEM_TOKEN }}
+          args: --image ${{ steps.meta.outputs.tags }} --duration 300
+          sarif-output: sarif
+
+      - name: Upload SARIF file(s)
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: sarif

Dockerfile

@@ -0,0 +1,6 @@
+FROM python:3.8-bullseye
+RUN pip3 install atheris
+
+COPY . /fickling
+WORKDIR /fickling
+RUN python3 -m pip install . && chmod +x fuzz/fuzz_pickle_decompiler.py

Mayhemfile

@@ -0,0 +1,9 @@
+project: fickling
+target: fuzz_pickle_decompiler
+
+testsuite: 
+    - file://./fuzz/fuzz_corpus
+
+cmds:
+    - cmd: fuzz/fuzz_pickle_decompiler.py
+      libfuzzer: true

fuzz/fuzz_pickle_decompiler.py

@@ -0,0 +1,23 @@
+#!/usr/local/bin/python3
+from random import random
+from textwrap import indent
+import atheris
+import sys
+import io
+import os
+import random
+
+with atheris.instrument_imports():
+    import ast
+    from fickling.pickle import Pickled
+
+@atheris.instrument_func
+def TestOneInput(data):
+    try:
+        Pickled.load(data)
+    except ValueError:
+        pass
+
+
+atheris.Setup(sys.argv, TestOneInput)
+atheris.Fuzz()