Proposed Google OSS-Fuzz Integration
Closed this issue · 4 comments
Hi there,
In this PR I've done an initial integration of Cachetools into the Google OSS-Fuzz project google/oss-fuzz#9957 .
Coverage is pretty good. No bugs found so far.
I was wondering if you would like to integrate continuous fuzzing into cachetools by way of OSS-Fuzz?
If you would like to integrate, the only thing I need is a list of email(s) that will get access to the data produced by OSS-Fuzz, such as bug reports, coverage reports and more stats. Notice the emails affiliated with the project will be public in the OSS-Fuzz repo, as they will be part of this configuration file project.yaml.
@sg3-141-592: I'm not familiar with OSS-Fuzz, but everything trying to improve code quality gets my squeal of approval ;-)
Since this is not a PR, I'd like to see what changes to the project/code would have to be made before I give a final verdict, though.
Thanks @tkem ,
For the PR linked above, this would integrate your library into the OSS-Fuzz'es regular overnight fuzzing. This is a project to try and find security and stability issues in key open source libraries.
These are the reports for all of the latest fuzzed projects https://storage.googleapis.com/oss-fuzz-introspector/index.html .
I wasn't looking to make any changes to cachetools. Instead we nightly pull the latest cachetools from Github and run the fuzzer against it (fuzz_cached.py). The fuzzer is trying lots of different cache types and sizes against your Fibonacci sequence example function.
The project has a separate portal only accessible by the users listed in the project.yaml file where you can see any exceptions or errors the Fuzzer manages to generate. You get an e-mail notification when a new issue is found.
You can have fuzz testing as part of the Pull Request process using Github Actions. I think adding it to the overnight OSS-Fuzzing would be a lighter touch way to see if you're getting any value from fuzzing the library or not before changing anything in the cachetools project.
If you're happy to go ahead I can get this integrated into the overnight runs, and if you've got any e-mail addresses you'd like notified I'll add them to project.yaml.
@sg3-141-592 : Thanks for elaborating, I got confused since you were referring to the PR in OSS-Fuzz, not a PR in this project.
But I think I'm slowly beginning to understand now...
Please go ahead, but at least for now I'd prefer not to be notified by email - I guess I can check results via the link you posted above.
Thanks @tkem , I'll let you know if we get any interesting results.