Feature: add other fuzzing platforms to the Fuzzing check #897
Comments
|
Another one to add would be clusterfuzzlite which is launching soon: https://github.com/google/clusterfuzzlite. |
|
Thanks Oliver. To detect clusterfuzzlite, we need to check for a workflow which uses |
|
If this is simple enough, should add this in check soon. |
|
What about results of this check from this Fuzz? |
|
On a different note should we add this check to scorecard? |
Yep! Just check for the
@naveensrinivasan Could you clarify what you mean here? Are you suggesting a more detailed check beyond just checking if Fuzzing is enabled? |
Yes , how do we report the results of these fuzz runs? |
great! Do you have cycles to add it before you officially release clusterfuzzlite? Or shall we add this to v4 milestone (~EOY)? |
I can probably knock this one out in the next week or so. |
|
Awesome. I've created #1148 and added to v4 milestone. |
|
Stale issue message |
|
@naveensrinivasan is there a special command/keyword we can use to say "this issue should not be closed automatically by the bot"? |
|
I wanted to also not that |
|
I think it fits in this issue. If you know how to check for its use (there's a command for it?) please let us know. Feel free to send. aPR if you have time for it. Thanks! |
|
I'll see what I can do :) |
|
I like the idea. In the future scorecard plans to provide fuzzing coverage. Having something like oss-fuzz provides an API to get the coverage metrics. I don't know how we can get it from go 1.18 and verify it is correct. |
|
I think oss-fuzz integrates with the native fizzing, but not sure how exactly. |
|
We need to look for the |
|
@georgettica @laurentsimon could we start with checking for |
|
I think |
|
https://go.dev/doc/fuzz/ mentions this as a requirement. But maybe this is not a hard requirement?
|
|
Did some local testing - |
|
yeah, same (verified aswell) |
|
I think it's fair to start with the regex @azeemshaikh38 provided. The warning is something Go team should fix, rather than us, no? Note that a while back, we were contemplating having a |
|
Yup, it's a go team thing. Noting it here as I didn't start the conversation there |
|
If we are extending the Fuzzing check to include looking for fuzzer definitions for Go (which I think is a good idea!), we should also extend this to other languages, which all have a consistent way to do this that we can detect. e.g. for C/C++, we can look for instances of LLVMFuzzerTestOneInput in c/cc/cxx/cpp files. |
|
@oliverchang - can someone from fuzzing team pick this, it will be nice to have this scorecard check comprehensive. |
|
@Navidem -- this (#897 (comment)) might be a interesting side project to tackle! |
|
@Navidem will start working on the C/C++ side of things this quarter. Is anyone working on the Go part? |
|
@Navidem feel free to ask questions if you need some pointers |
|
Fuzzing patterns to add:
|
|
Thanks @oliverchang ! /cc @aidenwang9867 |
Thanks Laurent & Oliver, I'll take the Go side. @laurentsimon @oliverchang Also, cc @Navidem :P |
|
In the merged PR#1979, I added support for checking Go built-in fuzzers as a part of scorecard's fuzzing check. Most of the important changes have been made in Built-in fuzzer patterns for other programming languages can be added here. I'll work on another feature for a while but I might implement some fuzzing supports for other languages if I have time. I'll ping you here if I start to do that. :) |
|
what about One-Fuzz? Can it be supported by Scorecard? Is there anything we can help with to support that? |
|
Absolutely. What does the integration in a repository look like? scorecard/checks/raw/fuzzing.go Line 120 in 69eb1cc If you tell us what we should be looking for in thee repo, we can add a function to check for it in the file linked above. |
|
@laurentsimon, sorry for the delay, how about something like that: #2141 😄 |
|
This issue is stale because it has been open for 60 days with no activity. |
Our current check only looks for OSS-Fuzz integration. We want to expand our list of supported platforms.
Which fuzzing platforms to support remains an open question. Suggestions welcome!
The text was updated successfully, but these errors were encountered: