syoyo/tinyexr

Integrating with OSS-Fuzz

zchcai opened this issue · 9 comments

Greetings tinyexr developers and contributors,

We’re reaching out because your project is an important part of the open source ecosystem, and we’d like to invite you to integrate with our fuzzing service, OSS-Fuzz. OSS-Fuzz is a free fuzzing infrastructure you can use to identify security vulnerabilities and stability bugs in your project. OSS-Fuzz will:

  • Continuously run at scale all the fuzzers you write.
  • Alert you when it finds issues.
  • Automatically close issues after they’ve been fixed by a commit.

Many widely used open source projects like OpenSSL, FFmpeg, LibreOffice, and ImageMagick are fuzzing via OSS-Fuzz, which helps them find and remediate critical issues.

Even though typical integrations can be done in < 100 LoC, we have a reward program in place which aims to recognize folks who are not just contributing to open source, but are also working hard to make it more secure.

We want to stress that anyone who meets the eligibility criteria and integrates a project with OSS-Fuzz is eligible for a reward.

We find that you already have a fuzzing test folder containing some fuzzers. In this case, we can help you integrate your project into OSS-Fuzz. Later, when you add fuzzers to your test folder, OSS-Fuzz will automatically run fuzzing tests for you.

If you're not interested in integrating with OSS-Fuzz, it would be helpful for us to understand why—lack of interest, lack of time, or something else—so we can better support projects like yours in the future.

If we’ve missed your question in our FAQ, feel free to reply or reach out to us at oss-fuzz-outreach@googlegroups.com.

Thanks!

Zhicheng and Tommy
OSS-Fuzz Team

Here is our initial preparation for your project, which can be a starting point for your project integration with OSS-Fuzz service. If you'd like to continue, we also need one google email address for bugs to be sent. Thanks.

syoyo commented

You can integrate TinyEXR into your project and run the fuzzer on your side.

If you'd like to continue, we also need one google email address for bugs to be sent.

If you find a bug, please file it as a GitHub issue, not by email.

@syoyo - we don't expect the bug volume to be huge. This is how we have 300+ open source projects integrated with OSS-Fuzz - https://github.com/google/oss-fuzz/tree/master/projects (e.g. OpenSSL, curl, etc.). The bugs are filed in the Monorail repo and we allow maintainers to triage/look at them before moving them to their repo. Filing at the GitHub issue tracker directly is a feature we are looking into, but the problem has been that GitHub does not allow private issues. Security vulnerabilities need to be kept private to avoid hurting your users, so the Monorail tracker keeps them private. Emails are just to notify you of new reports, but all data is in Monorail and the ClusterFuzz UI.

syoyo commented

You should not report fuzz results directly to a GitHub issue.

You should include the following in the GitHub issue if you found a bug:

  • Minimal reproducible test data
  • Describe the reason for the error and include an investigation report.
  • Propose a possible fix
  • Recommended: submit a PR

Here is an example issue report:

#116

@syoyo - it is not feasible for us to file individual bugs manually; OSS-Fuzz currently integrates with 300+ projects and has found 14000+ bugs in a fully automated way (https://github.com/google/oss-fuzz#overview). Previous tooling from Google might have created some noise in your repo due to build configuration, but I assure you OSS-Fuzz is different and trusted in the open source community, see https://security.googleblog.com/2018/11/a-new-chapter-for-oss-fuzz.html
If you accept this OSS-Fuzz integration and do an ideal integration, you can also get rewards for the work you do to improve the security and stability of tinyexr. See https://opensource.googleblog.com/2017/05/oss-fuzz-five-months-later-and.html

syoyo commented

@inferno-chromium Well, actually OSS-Fuzz is simply creating only noise for tinyexr and other projects (see OpenEXR for example: AcademySoftwareFoundation/openexr#724). It simply wastes people's precious time.

At least you should file the issue manually once you've found an issue using a fuzzer.

@syoyo - I am sorry to hear you feel that way. That bug is not from OSS-Fuzz, but from internal fuzzing by the AutoFuzz team. It was just meant to give an example, but once you have a build script and the right sanitizer configuration, there are no false positive bugs.
OSS-Fuzz has a 90% fix rate, you can see for yourself - https://bugs.chromium.org/p/oss-fuzz/issues/list?q=status%3AFixed%20%20-component%3AInfra%20OR%20status%3AVerified%20-component%3AInfra&can=1
It works with OSS developers in a seamless way - https://github.com/google/oss-fuzz/tree/master/projects
Please give someone the benefit of the doubt.
And regarding OpenEXR, we have talked to @cary-ilm, they are getting onboard with OSS-Fuzz soon.

OpenEXR does plan to integrate with OSS-Fuzz, in spite of our earlier reluctance. The expectation is that issues will come up infrequently, will be accompanied by easy-to-reproduce datasets, and will be reported in private for the project steering committee to deal with.

@syoyo - We would really appreciate it if you could consider OSS-Fuzz integration; this is different from the past fuzzing process. See the 43 bugs fixed in OpenEXR and maybe talk to @cary-ilm about how automated the process has been (https://bugs.chromium.org/p/oss-fuzz/issues/list?q=Proj%3Aopenexr%20status%3AFixed%2CVerified&can=1 - you will see 25 public fixed ones; the rest are still private).