Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/ispras/casr/llms.txt

Use this file to discover all available pages before exploring further.

casr-dojo uploads CASR crash reports to DefectDojo, an open-source vulnerability management platform. It recursively scans an input directory for .casrep files, deduplicates them against findings already present in DefectDojo, and uploads only genuinely new crashes — along with their GDB supplementary reports and crash seed files — as structured findings with full CASR metadata in the description. This gives you a single entry point for all crashes analyzed with CASR across multiple targets and fuzzing campaigns.
casr-dojo requires the dojo feature flag at compile time. Install with:
cargo install -F dojo casr
Or when building from source:
cargo build -F dojo --release

How It Works

1

Fill default parameters

casr-dojo reads a TOML configuration file and fills in required DefectDojo API fields that were not explicitly specified (such as target_start, target_end, prod_type, engagement_type, and test_type). You can override any of these defaults in the TOML. The test.test_type field accepts either an integer ID or a human-readable string name — if a string is given, casr-dojo will look up or create the corresponding test_type entity automatically.
2

Get or create product, engagement, and test

Using the names specified in the TOML, casr-dojo looks up the corresponding DefectDojo entities. If a product, engagement, or test with the given name does not yet exist, it is created automatically. This maps naturally to CASR workflows: the product is the project being fuzzed, the engagement is the specific fuzz target or CI job, and the test is the fuzzer that found the crashes.
3

Download existing findings

casr-dojo fetches all active, false-positive, and out-of-scope findings for the product. This ensures that crashes you have already reviewed (and possibly marked as false positives or out of scope) are never re-uploaded.
4

Compute report hashes

For each downloaded finding that has an attached CASR report file, casr-dojo downloads the report and computes its deduplication key:
  • Non-UBSAN reports — a hash of the filtered stack trace (same algorithm as casr-cluster -d)
  • UBSAN reports — the crash source file and line number
5

Upload new unique reports

Each local .casrep file whose hash is not already present in DefectDojo is uploaded as a new finding. The finding description includes the crash line, severity classification, command line, OS/architecture info, source fragment, sanitizer output, and full stack trace. In addition to the .casrep file itself, casr-dojo uploads:
  • The .gdb.casrep file, if it exists alongside the primary report
  • The crash seed file (the original fuzzer input that triggered the crash)

TOML Configuration

casr-dojo requires a TOML file that specifies the DefectDojo entities to use. At minimum, [product] with a name field and [engagement] with a name field are required. The [test] section is optional and defaults to a test named "CASR Crash Reports".
[product]
name = "xlnt"

[engagement]
name = "load_fuzzer 2023-06-07T16:47:18+03:00"

[test]
test_type = "CASR DAST Report"

[product]

Maps to a DefectDojo product (the project or library being fuzzed).
KeyTypeDescription
namestringRequired. Product name. Used to look up or create the product.
descriptionstringProduct description. Defaults to the value of name.
prod_typeintegerProduct type ID. Defaults to 1 (R&D).

[engagement]

Maps to a DefectDojo engagement (a specific fuzzing target or CI job run).
KeyTypeDescription
namestringRequired. Engagement name. Including a timestamp (e.g. from date -Isec) makes each CI run a distinct engagement.
engagement_typestringDefaults to "CI/CD".
target_startstringStart date (YYYY-MM-DD). Defaults to today.
target_endstringEnd date (YYYY-MM-DD). Defaults to today.

[test]

Maps to a DefectDojo test (a specific fuzzer or test tool).
KeyTypeDescription
test_typestring or integerTest type name or ID. If a string is given, casr-dojo looks up or creates the matching test_type. Defaults to "CASR Crash Reports".
target_startstringInherited from [engagement] if not set.
target_endstringInherited from [engagement] if not set.
environmentintegerTest environment ID. Defaults to 3 (Production).

Usage

Usage: casr-dojo [OPTIONS] --url <URL> --token <TOKEN> --input <INPUT_DIR> <PARAMS>

Arguments:
  <PARAMS>  TOML file with parameters for DefectDojo product, engagement, and test

Options:
  -l, --log-level <log-level>  Logging level [default: info] [possible values: info, debug]
  -u, --url <URL>              DefectDojo base URL
  -t, --token <TOKEN>          DefectDojo API key
  -i, --input <INPUT_DIR>      Directory that is recursively searched for CASR reports
                               (also, crash seeds and CASR GDB reports if they are present)
  -h, --help                   Print help
  -V, --version                Print version
-l, --log-level
string
default:"info"
Logging verbosity. Use debug to see individual finding upload progress and hash computation details. Possible values: info, debug.
-u, --url
string
required
Base URL of your DefectDojo instance, e.g. http://localhost:8080. The tool appends /api/v2/ automatically.
-t, --token
string
required
DefectDojo API v2 key. Find or generate this in the DefectDojo web UI under API v2 Key in your user profile.
-i, --input
path
required
Directory to recursively search for .casrep files. For each .casrep file found, casr-dojo also looks for a .gdb.casrep file and a crash seed file (the file with the same name minus the .casrep extension) in the same location.

Deduplication Logic

casr-dojo uses the same deduplication strategy as casr-cluster -d:
  • ASAN / MSAN / GDB / Python / Java / JS reports — a filtered stack trace hash is computed. Frames matching CASR’s internal ignore list (standard library internals, fuzzer harness frames, etc.) are stripped before hashing.
  • UBSAN reports — the crash source file path and line number are used as the deduplication key.
A local report is uploaded only if its hash does not match any active, false positive, or out-of-scope finding that already has an attached CASR report file in DefectDojo.

DefectDojo Quick Start

If you do not already have a DefectDojo instance, spin one up with Docker Compose:
git clone https://github.com/DefectDojo/django-DefectDojo.git
cd django-DefectDojo
./dc-build.sh
./dc-up.sh
# Wait for initialization to complete:
#   django-defectdojo_initializer_1 exited with code 0
# Retrieve the generated admin password:
docker-compose logs initializer | grep "Admin password:"
The instance will be available at http://localhost:8080. Generate an API key from the admin account’s profile page.

Example Upload

Create the TOML configuration on the fly and upload clustered CASR reports:
echo '[product]'                              > dojo.toml
echo 'name = "xlnt"'                         >> dojo.toml
echo '[engagement]'                           >> dojo.toml
echo "name = \"load_fuzzer $(date -Isec)\""  >> dojo.toml
echo '[test]'                                 >> dojo.toml
echo 'test_type = "CASR DAST Report"'        >> dojo.toml

casr-dojo \
    -i casr/tests/casr_tests/casrep/test_clustering_san \
    -u http://localhost:8080 \
    -t 382f5dfdf2a339f7c3bb35442f9deb9b788a98d5 \
    dojo.toml
Embed $(date -Isec) in the engagement name to create a new engagement for each CI run. This keeps findings from different fuzzing sessions separate in the DefectDojo UI while still deduplicating against all previously uploaded findings for the same product.
After the upload, each finding in DefectDojo contains:
  • A title in the format [product] [executable] <severity> in <crash line>
  • A rich description with crash line, severity, ASAN/UBSAN output, stack trace, source fragment, and environment variables
  • The .casrep file attached as CASR (finding <id>)
  • The .gdb.casrep file attached as CASR GDB (finding <id>), if present
  • The original crash seed attached as Crash seed (finding <id>)

Build docs developers (and LLMs) love