google · duanehoward · Jul 14, 2025 · Jul 14, 2025 · Jul 14, 2025 · Jul 14, 2025
diff --git a/.github/workflows/fuzz.yml b/.github/workflows/fuzz.yml
@@ -3,21 +3,34 @@ on: [pull_request]
 jobs:
  Fuzzing:
    runs-on: ubuntu-latest
+   permissions:
+     security-events: write
    steps:
    - name: Build Fuzzers
+     id: build
      uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master
      with:
        oss-fuzz-project-name: 'gonids'
+       language: go
        dry-run: false
    - name: Run Fuzzers
      uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master
      with:
        oss-fuzz-project-name: 'gonids'
+       language: go
        fuzz-seconds: 600
        dry-run: false
+       output-sarif: true
    - name: Upload Crash
-     uses: actions/upload-artifact@v1
-     if: failure()
+     uses: actions/upload-artifact@v4
+     if: failure() && steps.build.outcome == 'success'
      with:
        name: artifacts
        path: ./out/artifacts
+   - name: Upload Sarif
+     if: always() && steps.build.outcome == 'success'
+     uses: github/codeql-action/upload-sarif@v3
+     with:
+      # Path to SARIF file relative to the root of the repository
+      sarif_file: cifuzz-sarif/results.sarif
+      checkout_path: cifuzz-sarif
diff --git a/lex.go b/lex.go
@@ -265,7 +265,7 @@ func lexProtocol(l *lexer) stateFn {
 		case r == ' ':
 			l.emit(itemProtocol, true)
 			return lexSourceAddress
-		case !(unicode.IsLetter(r) || unicode.IsDigit(r) || (l.len() > 0 && r == '-')):
+		case !unicode.IsLetter(r) && !unicode.IsDigit(r) && l.len() > 0 && r != '-':
 			return l.errorf("invalid character %q for a rule protocol", r)
 		}
 	}

diff --git a/parser.go b/parser.go
@@ -111,7 +111,7 @@ func parseContent(content string) ([]byte, error) {
 
 	b = hexRE.ReplaceAllStringFunc(b,
 		func(h string) string {
-			r, err := hex.DecodeString(strings.Replace(strings.Trim(h, "|"), " ", "", -1))
+			r, err := hex.DecodeString(strings.ReplaceAll(strings.Trim(h, "|"), " ", ""))
 			if err != nil {
 				panic("invalid hexRE regexp")
 			}
@@ -408,7 +408,7 @@ func unquote(s string) string {
 	if strings.IndexByte(s, '"') < 0 {
 		return s
 	}
-	return strings.Replace(s, `\"`, `"`, -1)
+	return strings.ReplaceAll(s, `\"`, `"`)
 }
 
 func inSlice(str string, strings []string) bool {
@@ -421,7 +421,7 @@ func inSlice(str string, strings []string) bool {
 }
 
 // comment decodes a comment (commented rule, or just a comment.)
-func (r *Rule) comment(key item, l *lexer) error {
+func (r *Rule) comment(key item) error {
 	if key.typ != itemComment {
 		panic("item is not a comment")
 	}
@@ -445,7 +445,7 @@ func (r *Rule) comment(key item, l *lexer) error {
 }
 
 // action decodes an IDS rule option based on its key.
-func (r *Rule) action(key item, l *lexer) error {
+func (r *Rule) action(key item) error {
 	if key.typ != itemAction {
 		panic("item is not an action")
 	}
@@ -457,7 +457,7 @@ func (r *Rule) action(key item, l *lexer) error {
 }
 
 // protocol decodes an IDS rule protocol based on its key.
-func (r *Rule) protocol(key item, l *lexer) error {
+func (r *Rule) protocol(key item) error {
 	if key.typ != itemProtocol {
 		panic("item is not a protocol")
 	}
@@ -469,7 +469,7 @@ func (r *Rule) protocol(key item, l *lexer) error {
 }
 
 // network decodes an IDS rule network (networks and ports) based on its key.
-func (r *Rule) network(key item, l *lexer) error {
+func (r *Rule) network(key item) error {
 	// Identify if the whole network component is negated.
 	tmp := strings.TrimPrefix(key.value, "!")
 	negated := len(tmp) < len(key.value)
@@ -598,7 +598,7 @@ func validNetworks(nets []string) bool {
 }
 
 // direction decodes an IDS rule direction based on its key.
-func (r *Rule) direction(key item, l *lexer) error {
+func (r *Rule) direction(key item) error {
 	if key.typ != itemDirection {
 		panic("item is not a direction")
 	}
@@ -930,7 +930,7 @@ func parseRuleAux(rule string, commented bool) (*Rule, error) {
 				// Ignore comment ending rule.
 				return r, nil
 			}
-			err = r.comment(item, l)
+			err = r.comment(item)
 			// Error here means that the comment was not a commented rule.
 			// So we're not parsing a rule and we need to break out.
 			if err != nil {
@@ -939,13 +939,13 @@ func parseRuleAux(rule string, commented bool) (*Rule, error) {
 			// This line was a commented rule.
 			return r, nil
 		case itemAction:
-			err = r.action(item, l)
+			err = r.action(item)
 		case itemProtocol:
-			err = r.protocol(item, l)
+			err = r.protocol(item)
 		case itemSourceAddress, itemDestinationAddress, itemSourcePort, itemDestinationPort:
-			err = r.network(item, l)
+			err = r.network(item)
 		case itemDirection:
-			err = r.direction(item, l)
+			err = r.direction(item)
 		case itemOptionKey:
 			err = r.option(item, l)
 			// We will continue to parse a rule with unsupported options.

diff --git a/rule.go b/rule.go
@@ -850,7 +850,7 @@ func (p PCRE) String() string {
 
 	// escape quote signs, if necessary
 	if bytes.IndexByte(pattern, '"') > -1 {
-		pattern = bytes.Replace(pattern, []byte(`"`), []byte(`\"`), -1)
+		pattern = bytes.ReplaceAll(pattern, []byte(`"`), []byte(`\"`))
 	}
 
 	var s strings.Builder