-
Notifications
You must be signed in to change notification settings - Fork 209
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Integrate with Google’s OSS Fuzz service #510
Comments
I am all in for this. I think it would be a great opportunity for the community to contribute. |
Looking into this a little bit more it seems like there is a whole process involved with this that I wasn't originally aware of that is outlined here https://google.github.io/oss-fuzz/getting-started/accepting-new-projects/ |
@mhoad Thanks for looking into this. One day, we will "have a significant user base and/or be critical to the global IT infrastructure". |
@artursouza just one more thing. It seems there might be a viable path still. My understanding here is that the fuzzier itself is open source here https://github.com/CodeIntelligenceTesting/jazzer but the managed ongoing testing is it’s own separate thing. Is it an option still if we handle the infrastructure? Is that even a reasonable goal though? |
Let me reopen this in the meantime. Well, is this something we can run on GitHub actions? If you can try that out and it works, we can take a PR in. |
Hi @artursouza I'm keen to look into this. Could you kindly assign this task to me please? In the meantime, I'm happy to spend some time investigating different strategies in running Jazzer against the Dapr Java SDK code base and write down my thoughts here before raising a PR first. Thank you! |
I have created a sample repo to test out a path that we could potentially use for this using their autofuzz mode using Docker. Some observations
Some questions
I'm happy to cut a PR depending on whichever path we choose. Hoping to hear more thoughts on this :) |
This was only just released but looks as though it could be a good addition to the SDK test suite.
https://security.googleblog.com/2021/03/fuzzing-java-in-oss-fuzz.html?m=1
The text was updated successfully, but these errors were encountered: