feat: add comprehensive fuzz testing and vulnerability scanning

- Implement 8 fuzz test functions for robust error handling validation
- Integrate govulncheck for automated vulnerability detection
- Enhance build tools with security-focused Makefile improvements
- Update CI/CD workflows with dependency verification
- Maintain full backward compatibility with zero breaking changes

Author: agilira

.github/workflows/ci.yml

@@ -27,6 +27,10 @@ jobs:
       run: |
         go install honnef.co/go/tools/cmd/staticcheck@latest
         go install github.com/securego/gosec/v2/cmd/gosec@latest
+        go install golang.org/x/vuln/cmd/govulncheck@latest
+
+    - name: Verify Dependencies
+      run: go mod verify
 
     - name: Go Format Check
       run: |
@@ -49,6 +53,10 @@ jobs:
         gosec -conf .gosec.json ./... || true
         echo "Security scan completed"
 
+    - name: Vulnerability Check (govulncheck)
+      continue-on-error: true
+      run: govulncheck ./...
+
     - name: Test with Race Detection
       run: go test -race -timeout 5m -v ./...
 

.github/workflows/pr.yml

@@ -23,6 +23,9 @@ jobs:
 
     - name: Quick Quality Check
       run: |
+        # Verify dependencies
+        go mod verify
+        
         # Format check
         test -z "$(gofmt -l .)"
         

Makefile

@@ -1,7 +1,7 @@
 # Go Makefile - AGILira Standard
 # Usage: make help
 
-.PHONY: help test race fmt vet lint security check deps clean build install tools
+.PHONY: help test race fmt vet lint security check deps clean build install tools fuzz govulcheck
 .DEFAULT_GOAL := help
 
 # Variables
@@ -66,12 +66,40 @@ gosec: ## Run gosec security scanner
 	fi
 	@$(TOOLS_DIR)/gosec ./... || (echo "$(YELLOW)  gosec completed with warnings (may be import-related)$(NC)" && exit 0)
 
+govulcheck: ## Run govulncheck for vulnerability scanning
+	@echo "$(YELLOW)Running govulncheck for vulnerability scanning...$(NC)"
+	@if ! command -v govulncheck >/dev/null 2>&1; then \
+		echo "$(RED)govulncheck not found. Run 'make tools' to install.$(NC)"; \
+		exit 1; \
+	fi
+	govulncheck ./...
+
 lint: staticcheck errcheck ## Run all linters
 	@echo "$(GREEN)All linters completed.$(NC)"
 
-security: gosec ## Run security checks
+security: gosec govulcheck ## Run security checks
 	@echo "$(GREEN)Security checks completed.$(NC)"
 
+fuzz: ## Run fuzz tests for 30 seconds each
+	@echo "$(YELLOW)Running fuzz tests...$(NC)"
+	@echo "$(BLUE)Running FuzzNew...$(NC)"
+	go test -fuzz=FuzzNew$$ -fuzztime=30s
+	@echo "$(BLUE)Running FuzzNewWithField...$(NC)"
+	go test -fuzz=FuzzNewWithField$$ -fuzztime=30s
+	@echo "$(BLUE)Running FuzzWrap...$(NC)"
+	go test -fuzz=FuzzWrap$$ -fuzztime=30s
+	@echo "$(BLUE)Running FuzzWithMethods...$(NC)"
+	go test -fuzz=FuzzWithMethods$$ -fuzztime=30s
+	@echo "$(BLUE)Running FuzzHasCode...$(NC)"
+	go test -fuzz=FuzzHasCode$$ -fuzztime=30s
+	@echo "$(BLUE)Running FuzzJSONMarshal...$(NC)"
+	go test -fuzz=FuzzJSONMarshal$$ -fuzztime=30s
+	@echo "$(BLUE)Running FuzzValidateErrorCode...$(NC)"
+	go test -fuzz=FuzzValidateErrorCode$$ -fuzztime=30s
+	@echo "$(BLUE)Running FuzzStacktrace...$(NC)"
+	go test -fuzz=FuzzStacktrace$$ -fuzztime=30s
+	@echo "$(GREEN)Fuzz tests completed.$(NC)"
+
 check: fmt vet lint security test ## Run all checks (format, vet, lint, security, test)
 	@echo "$(GREEN)All checks passed!$(NC)"
 
@@ -83,12 +111,15 @@ tools: ## Install development tools
 	go install honnef.co/go/tools/cmd/staticcheck@latest
 	go install github.com/kisielk/errcheck@latest
 	go install github.com/securego/gosec/v2/cmd/gosec@latest
+	go install golang.org/x/vuln/cmd/govulncheck@latest
 	@echo "$(GREEN)Tools installed successfully!$(NC)"
 
 deps: ## Download and verify dependencies
 	@echo "$(YELLOW)Downloading dependencies...$(NC)"
 	go mod download
+	@echo "$(YELLOW)Verifying dependencies...$(NC)"
 	go mod verify
+	@echo "$(YELLOW)Tidying dependencies...$(NC)"
 	go mod tidy
 
 clean: ## Clean build artifacts and test cache
@@ -129,4 +160,5 @@ status: ## Show status of installed tools
 	@echo "$(BLUE)Development tools status:$(NC)"
 	@echo -n "staticcheck: "; [ -f "$(TOOLS_DIR)/staticcheck" ] && echo "$(GREEN)✓ installed$(NC)" || echo "$(RED)✗ missing$(NC)"
 	@echo -n "errcheck:    "; [ -f "$(TOOLS_DIR)/errcheck" ] && echo "$(GREEN)✓ installed$(NC)" || echo "$(RED)✗ missing$(NC)"
-	@echo -n "gosec:       "; [ -f "$(TOOLS_DIR)/gosec" ] && echo "$(GREEN)✓ installed$(NC)" || echo "$(RED)✗ missing$(NC)"
+	@echo -n "gosec:       "; [ -f "$(TOOLS_DIR)/gosec" ] && echo "$(GREEN)✓ installed$(NC)" || echo "$(RED)✗ missing$(NC)"
+	@echo -n "govulncheck: "; command -v govulncheck >/dev/null 2>&1 && echo "$(GREEN)✓ installed$(NC)" || echo "$(RED)✗ missing$(NC)"

Makefile.ps1

@@ -41,8 +41,10 @@ function Invoke-Help {
     Write-ColorOutput "  staticcheck   Run staticcheck" $Green
     Write-ColorOutput "  errcheck      Run errcheck" $Green
     Write-ColorOutput "  gosec         Run gosec security scanner" $Green
+    Write-ColorOutput "  govulcheck    Run govulncheck for vulnerability scanning" $Green
     Write-ColorOutput "  lint          Run all linters" $Green
     Write-ColorOutput "  security      Run security checks" $Green
+    Write-ColorOutput "  fuzz          Run fuzz tests" $Green
     Write-ColorOutput "  check         Run all checks (format, vet, lint, security, test)" $Green
     Write-ColorOutput "  check-race    Run all checks including race detector" $Green
     Write-ColorOutput "  tools         Install development tools" $Green
@@ -124,6 +126,17 @@ function Invoke-GoSec {
     }
 }
 
+function Invoke-GovulnCheck {
+    Write-ColorOutput "Running govulncheck for vulnerability scanning..." $Yellow
+    $govulnPath = Get-Command govulncheck -ErrorAction SilentlyContinue
+    if (-not $govulnPath) {
+        Write-ColorOutput "govulncheck not found. Run '.\Makefile.ps1 tools' to install." $Red
+        exit 1
+    }
+    govulncheck "./..."
+    if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }
+}
+
 function Invoke-Lint {
     Invoke-StaticCheck
     Invoke-ErrCheck
@@ -132,9 +145,48 @@ function Invoke-Lint {
 
 function Invoke-Security {
     Invoke-GoSec
+    Invoke-GovulnCheck
     Write-ColorOutput "Security checks completed." $Green
 }
 
+function Invoke-Fuzz {
+    Write-ColorOutput "Running fuzz tests..." $Yellow
+    
+    Write-ColorOutput "Running FuzzNew..." $Blue
+    go test -fuzz='FuzzNew$' -fuzztime=30s
+    if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }
+    
+    Write-ColorOutput "Running FuzzNewWithField..." $Blue
+    go test -fuzz='FuzzNewWithField$' -fuzztime=30s
+    if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }
+    
+    Write-ColorOutput "Running FuzzWrap..." $Blue
+    go test -fuzz='FuzzWrap$' -fuzztime=30s
+    if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }
+    
+    Write-ColorOutput "Running FuzzWithMethods..." $Blue
+    go test -fuzz='FuzzWithMethods$' -fuzztime=30s
+    if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }
+    
+    Write-ColorOutput "Running FuzzHasCode..." $Blue
+    go test -fuzz='FuzzHasCode$' -fuzztime=30s
+    if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }
+    
+    Write-ColorOutput "Running FuzzJSONMarshal..." $Blue
+    go test -fuzz='FuzzJSONMarshal$' -fuzztime=30s
+    if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }
+    
+    Write-ColorOutput "Running FuzzValidateErrorCode..." $Blue
+    go test -fuzz='FuzzValidateErrorCode$' -fuzztime=30s
+    if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }
+    
+    Write-ColorOutput "Running FuzzStacktrace..." $Blue
+    go test -fuzz='FuzzStacktrace$' -fuzztime=30s
+    if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }
+    
+    Write-ColorOutput "Fuzz tests completed." $Green
+}
+
 function Invoke-Check {
     Invoke-Fmt
     Invoke-Vet
@@ -164,6 +216,9 @@ function Invoke-Tools {
     go install github.com/securego/gosec/v2/cmd/gosec@latest
     if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }
 
+    go install golang.org/x/vuln/cmd/govulncheck@latest
+    if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }
+    
     Write-ColorOutput "Tools installed successfully!" $Green
 }
 
@@ -172,9 +227,11 @@ function Invoke-Deps {
     go mod download
     if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }
 
+    Write-ColorOutput "Verifying dependencies..." $Yellow
     go mod verify
     if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }
 
+    Write-ColorOutput "Tidying dependencies..." $Yellow
     go mod tidy
     if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }
 }
@@ -250,6 +307,11 @@ function Invoke-Status {
     $gosecColor = if (Test-ToolExists "gosec") { $Green } else { $Red }
     Write-Host "gosec:       " -NoNewline
     Write-ColorOutput $gosecStatus $gosecColor
+    
+    $govulnStatus = if (Get-Command govulncheck -ErrorAction SilentlyContinue) { "✓ installed" } else { "✗ missing" }
+    $govulnColor = if (Get-Command govulncheck -ErrorAction SilentlyContinue) { $Green } else { $Red }
+    Write-Host "govulncheck: " -NoNewline
+    Write-ColorOutput $govulnStatus $govulnColor
 }
 
 # Main execution
@@ -263,8 +325,10 @@ switch ($Command.ToLower()) {
     "staticcheck" { Invoke-StaticCheck }
     "errcheck" { Invoke-ErrCheck }
     "gosec" { Invoke-GoSec }
+    "govulcheck" { Invoke-GovulnCheck }
     "lint" { Invoke-Lint }
     "security" { Invoke-Security }
+    "fuzz" { Invoke-Fuzz }
     "check" { Invoke-Check }
     "check-race" { Invoke-CheckRace }
     "tools" { Invoke-Tools }

changelog/v1.1.1.txt

@@ -0,0 +1,44 @@
+# Changelog - Version 1.1.1
+
+## Release Date
+2025-10-17
+
+## Overview
+Security and robustness enhancement release adding comprehensive fuzz testing and vulnerability scanning to strengthen error handling reliability.
+
+## New
+- Complete fuzz testing suite with 8 comprehensive test functions
+- Vulnerability scanning with govulncheck integration
+- Enhanced dependency verification with `go mod verify`
+- Improved build tooling with security-focused Makefiles
+
+## Security Enhancements
+- FuzzNew, FuzzNewWithField, FuzzWrap - Input validation fuzzing
+- FuzzJSONMarshal - JSON serialization robustness testing  
+- FuzzValidateErrorCode - Error code validation fuzzing
+- FuzzStacktrace - Stack trace handling edge case testing
+- FuzzWithMethods, FuzzHasCode - API method robustness validation
+- Vulnerability scanning integrated into CI/CD pipeline
+
+## Build & Development
+- Enhanced Makefile with `fuzz`, `govulcheck`, and improved `deps` targets
+- Cross-platform Makefile.ps1 with equivalent Windows PowerShell support
+- CI/CD workflows updated with vulnerability scanning
+- Comprehensive tool status reporting
+
+## Quality Assurance  
+- Randomized input testing protecting against edge case failures
+- UTF-8 validation for all string outputs
+- Panic prevention validation across all public APIs
+- Enhanced error chain validation testing
+
+## Compatibility
+- Maintains full backward compatibility with v1.1.0
+- No breaking changes to public API
+- Enhanced reliability through comprehensive edge case coverage
+- Zero additional runtime dependencies
+
+## Performance
+- Fuzz testing validates performance under randomized stress conditions
+- No performance degradation from security enhancements
+- Efficient fuzz test execution optimized for CI environments

doc.go

@@ -171,7 +171,7 @@
 //	// After
 //	return errors.Wrap(err, ErrCodeOperation, "operation failed")
 //
-// Copyright (c) 2025 AGILira
+// Copyright (c) 2025 AGILira - A. Giordano
 // Series: an AGLIra library
 // SPDX-License-Identifier: MPL-2.0
 package errors