Continuous Fuzzing via OSS-Fuzz · Issue #793 · fastavro/fastavro · GitHub
Continuous Fuzzing via OSS-Fuzz #793
Open
@DaveLak

Description


Hi, I was wondering if you would be interested in continuous fuzz testing for this project via an integration with Google's OSS-Fuzz platform.

I thought that fastavro and its user base could benefit from the sort of security testing that continuous fuzzing provides, considering it's a widely used parser library with an API implemented using native C extensions.

Just to be clear: I'm not affiliated with Google or OSS-Fuzz beyond my open source contributions. I've been contributing to OSS-Fuzz[^1] and projects using it[^2] as a means to give some meaningful value back to the open source community that's enabled me over the years, and fuzzing happens to be a topic that I find interesting and fun, so it's a nice way to scratch that itch 😄

If You Are Interested - Next Steps

I am happy to set up the integration, assist with familiarizing you with the platform, and contribute as much or as little to its maintenance as you would find helpful.

An integration requires:

1. A PR on the OSS-Fuzz repo proposing the project with a comment from a maintainer approving it.

TL;DR: It would look like this PR I put up to integrate Dulwich: google/oss-fuzz#11900

This step would add some config files (see the GitPython files for reference) and request the OSS-Fuzz maintainers at Google to consider fastavro for integration. Given this project is a parser with C extensions and a large footprint in the Python community, I'd expect the approval to be smooth, but if you happen to know of some high-profile or popular projects that depend on fastavro, that would help inform Google's panel in their review.

2. A PR adding fuzz tests and some setup scripts used by OSS-Fuzz in this repo.

This step would be a PR on this repo that adds the actual fuzz tests and two OSS-Fuzz specific scripts. Again, you can see a similar PR I put up for Dulwich as an example of what this would look like: https://github.com/jelmer/dulwich/pull/1304/files

About OSS-Fuzz

OSS-Fuzz is a free service run by Google that performs continuous fuzzing of important open source projects to automate test-case generation with the goal of identifying bugs (such as memory corruption bugs in native extensions) that are difficult to find via traditional unit tests.

From the OSS-Fuzz project's README:

Fuzz testing is a well-known technique for uncovering programming errors in software. Many of these detectable errors, like buffer overflow, can have serious security implications. Google has found thousands of security vulnerabilities and stability bugs by deploying guided in-process fuzzing of Chrome components, and we now want to share that service with the open source community.

In cooperation with the Core Infrastructure Initiative and the OpenSSF, OSS-Fuzz aims to make common open source software more secure and stable by combining modern fuzzing techniques with scalable, distributed execution.

What Happens When OSS-Fuzz Finds a Bug

Because of the nature of OSS-Fuzz as a security tool, bugs identified by fuzzing are reported privately on an issue tracker that requires a Gmail account to access.

The issue tracker has a 90-day disclosure policy so project maintainers (or anyone else that maintainers wish to add to the access allow list) can evaluate the impact of the bug and respond if necessary, before the logged issue becomes public.


Thanks for reading! Please let me know if there is anything I can clarify!

Footnotes

[^1]: See my commit history on the OSS-Fuzz project repo.

[^2]: See, for example, the commit history of the files in the fuzzing/ directory in the GitPython and Dulwich projects.
