pytest-dev / iniconfig

Continuous fuzzing by way of OSS-Fuzz

DavidKorczynski opened this issue

Hi,

I was wondering if you would like to integrate continuous fuzzing by way of OSS-Fuzz? Fuzzing is a way to automate test-case generation and has been heavily used for memory unsafe languages. Recently efforts have been put into fuzzing memory safe languages and Python is one of the languages where it would be great to use fuzzing.

In this PR google/oss-fuzz#8130 I did an initial integration into OSS-Fuzz. OSS-Fuzz is a free service run by Google that performs continuous fuzzing of important open source projects. As Iniconfig is a rather small library OSS-Fuzz will dedicate smaller amounts of CPU power to fuzz the project, but still give the benefit of continuous monitoring.

If you would like to integrate, the only thing I need is a list of email(s) that will get access to the data produced by OSS-Fuzz, such as bug reports, coverage reports and more stats. Notice that the emails affiliated with the project will be public in the OSS-Fuzz repo, as they will be part of a configuration file.

It's not clear to me what exactly is going to be fuzzed there, so the value add is absolutely unclear.

Why is there a need for emails, can't issues go to the repo and stats be linked with a badge?

> It's not clear to me what exactly is going to be fuzzed there, so the value add is absolutely unclear.

The main target is identifying if loading .ini files can cause unexpected exceptions.

> Why is there a need for emails, can't issues go to the repo and stats be linked with a badge?

The need for emails is that the bugs reported will only be visible to maintainers at first, i.e. there are many security-critical projects on OSS-Fuzz and they need proper disclosure. As such, bugs will be hidden behind authentication on oss-fuzz.com and https://bugs.chromium.org/. oss-fuzz.com has more details than bugs on bugs.chromium.org, e.g. including reproducer testcases and detailed stacktraces. For an example, see https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36784 from an issue in Pillow.

OSS-Fuzz recently added support for reporting issues on GitHub. We can also enable it such that all bugs will be freely accessible on bugs.chromium.org -- in these cases you don't need email to see the bugs.
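As an added example that is not part of this thread, the OSS-Fuzz PR or the iniconfig project, the following Python harness shows what "loading .ini files causing unexpected exceptions" looks like as a fuzz target: it assumes iniconfig is installed, feeds mutated .ini text to `iniconfig.IniConfig(..., data=...)`, and treats `iniconfig.ParseError` as the documented outcome while any other exception is a finding. The seed corpus and the mutation strategy are constructed here; under OSS-Fuzz, atheris would drive `one_input` with its own inputs instead.

```python
import random

# Constructed seeds: a section, a comment plus continuation line, a key outside any section, a bare key.
SEEDS = [b"[section]\nname = value\n", b"[a]\n# c\nk=1\n  more\n",
         b"nosection=1\n", b"[b]\nx\n"]

def parse_with_iniconfig(text):
    """The target: iniconfig parses in-memory content when data= is given."""
    import iniconfig  # imported lazily so the harness itself loads without it
    iniconfig.IniConfig("fuzz.ini", data=text)

def one_input(data, parse, expected):
    """Role of an atheris TestOneInput: classify one input as ok / expected / unexpected."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return "ok", ""  # iniconfig reads text; undecodable bytes are not a finding
    try:
        parse(text)
    except expected as exc:  # the parser's own, documented error type
        return "expected", repr(exc)
    except Exception as exc:  # anything else is what the fuzzer is looking for
        return "unexpected", repr(exc)
    return "ok", ""

def mutate(rng, data):
    """One random edit: bit flip, inserted .ini token, or duplicated prefix."""
    buf, pos, op = bytearray(data), rng.randrange(len(data) + 1), rng.randrange(3)
    if op == 0 and buf:
        buf[pos % len(buf)] ^= 1 << rng.randrange(8)
    elif op == 1:
        buf[pos:pos] = rng.choice([b"[", b"]", b"=", b":", b"\n", b"#", b" ", b"\x00"])
    else:
        buf[pos:pos] = buf[:pos]
    return bytes(buf)

def fuzz(parse, expected, iterations=1000, seed=0):
    """Seeds first, then mutations of them; one finding per unexpected exception type."""
    rng, findings = random.Random(seed), {}
    for i in range(iterations):
        data = SEEDS[i] if i < len(SEEDS) else mutate(rng, rng.choice(SEEDS))
        verdict, detail = one_input(data, parse, expected)
        if verdict == "unexpected":
            findings.setdefault(detail.split("(")[0], (data, detail))
    return list(findings.values())

if __name__ == "__main__":
    import iniconfig
    for data, detail in fuzz(parse_with_iniconfig, (iniconfig.ParseError,), 5000, 1):
        print(detail, data)
```

Each reported pair is a reproducer input plus the exception it triggered, which is the same information an OSS-Fuzz testcase page would carry for a maintainer to triage.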

For iniconfig direct reporting seems appropriate.

Done! Thanks for the quick response @RonnyPfannschmidt