Potential new projects to integrate with OSS-Fuzz #402
Comments
Some potential others:
Added GStreamer: #905
from Dor1s: There are a few new fuzz targets in Chromium, need to add those (ideally, upstream all the targets); https://cs.chromium.org/chromium/src/third_party/zlib/contrib/tests/fuzzers/
Some suggestions:
Hello, I was wondering if adding the solidity compiler, the official "smart contract" compiler implementation, to oss-fuzz makes sense. See ethereum/solidity#5278 Thank you. Edit:
@bshastry, yes, most likely we would accept a PR for https://github.com/ethereum/solidity.
Thank you, I will initiate a PR once ethereum/solidity#5278 has been approved and merged into upstream solidity. Edit: libFuzzer already found a compiler bug ethereum/solidity#5279 :-)
I'm not sure what you are referring to. I have not worked on tcpdump fuzzing.
hello @johannkoenig - very sorry, I messed things up and mistakenly tagged you instead of jonathanmetzman. Forgive me. Have a good day or night.
@JulianVolodia there is an open PR for tcpdump integration here: #1757 with the specific discussion about it.
The tcpdump maintainers disagree for now and want to wait a bit longer.
Dovecot project added! #3502
Thanks @catenacyber for the information with reference. Can I know which project could be integrated next (== by me)? I had a glance and see that many are still WIP or already prepared, but not referenced. Also, I don't want to repeat the story about the TCPdump tool. For example, another project from the list, https://xerces.apache.org/xerces-c/, was initially integrated and merged in PR #3083. It is not 'checked' on the list above. Because of Google's requirements that projects can't be just random ones or not prepared, I reviewed some PRs and projects last day and wonder if I should look at the repo and check each of them. For now it's unclear if there is some better way to pick any project to work on. What do you think? To not make more mess aka spam here, and so you could help me, I will be very happy to read some rules of thumb (other than from the docs, which I read already). Thanks!
No silver bullet here. But there is always the risk that someone is doing the same project already.
Thanks @catenacyber for your reply. I see, and understand. That is both sad (that you can't do it) and good (because oss-fuzz is alive and prospering) at one time. I hope you will get interesting projects soon. I wish you the best and will follow your advice. (0) But, would getting any project from the repo which is integrated, but for example could have more fuzzers or sth, be the case here? (1) Could I get any project outside of the repo not chosen by Google to integrate in OSS fuzzing? I started to check projects one by one here: https://github.com/google/oss-fuzz/tree/master/projects to see if they have fuzzers (in their repo or here), and I assume only integrated ones are merged. Over time, I am going through items mentioned in the 1st comment and PRs applying to them. Mention there this issue to show (like last mention about #3500 for Last but not least, (2) Could improvements to the integration of projects be the case here? For example new harness files. I saw also that there are some ideas for new ways of fuzzing out there, i.e. #1632 with data flow. Could I research some? Would fuzzing open source kernels be a case to fuzz? Reference: https://github.com/fgsect/unicorefuzz
I know that probably writing my own harness and running it on my own machine would be good, but I highly believe in synergy and brainstorming before doing something. Best regards, and sorry for the long messages (maybe I should have opened another thread/issue for that discussion). Thanks for reading.
@JulianVolodia please see some answers below:
Yes, improving fuzzing coverage for projects that are already integrated is appreciated and rewarded (as an incremental ideal integration improvement).
Yes, go ahead and upload a quick pull request with only project.yaml to find out whether the project of your choice will be accepted into OSS-Fuzz or not.
Yes!
That's not so doable for an external contributor. Take a look at the https://github.com/google/fuzzbench repo for ideas in this direction.
If it can be fuzzed in user land, then it may be accepted into OSS-Fuzz. We don't do kernel fuzzing as of now.
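As an added illustration of the "project.yaml only" acceptance PR mentioned in the answer above (this is an example written for this page, not a file from this thread or from the OSS-Fuzz repository), here is a minimal project.yaml. The project name, URLs and e-mail addresses are placeholders; the keys are the standard OSS-Fuzz project.yaml fields.

```yaml
# Added example, not a real OSS-Fuzz project: every name, URL and address is a placeholder.
# Lives at projects/<project-name>/project.yaml. The Dockerfile, build.sh and the fuzz
# targets themselves are added in a later PR once the project has been accepted.
homepage: "https://example.org/libexample"
main_repo: "https://github.com/example-org/libexample"
language: c++
# primary_contact receives the bug reports ClusterFuzz files; auto_ccs are copied on them.
# Both must be Google accounts so the recipients can open the ClusterFuzz testcase pages.
primary_contact: "maintainer@example.org"
auto_ccs:
  - "fuzzer-author@example.org"
fuzzing_engines:
  - libfuzzer
  - afl
  - honggfuzz
sanitizers:
  - address
  - undefined
```

Keeping the first PR to this one file lets the OSS-Fuzz maintainers decide on criticality and maintainer buy-in before any harness work is spent; the build scripts and fuzz targets follow in the integration PR.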
Thank you @Dor1s for your descriptive answers! Really appreciated. Btw. do you want some reminders/summaries if I do a brief read of some issues, to forward a summary update of the whole, or is it not wanted? It was said in #3500 that the entry "binutils cplus_demangle" was abandoned (which is not binutils, but was written as such).
No need for any reminders / summaries. As you finish improving one project, go ahead and submit this form choosing OSS-Fuzz Ideal Integration and providing all the details about the work you've done. Also make sure to check out https://security.googleblog.com/2017/05/oss-fuzz-five-months-later-and.html to better understand the rules and expectations.
What about openvpn?
@catenacyber I don't see a reason why not :)
If I find a security bug in one of the libraries integrated with oss-fuzz, am I eligible for a bounty?
For "improving fuzzing coverage", does it include adding more seeds?
No, only if you add fuzzers that can find that security bug and other interesting ones. We want continuous fuzzing to find existing bugs and new ones.
Sure, we will consider this on a case-by-case basis. More significant coverage improvements are preferred.
@inferno-chromium After an integration is finished, can I get a bounty if I:
@TheCrott yes in both cases
So how do you distribute the bounty?
Hi everyone! I have written a fuzz target for libyuv, and my code has been reviewed by the maintainer. #4363. If I modified my code and merged it into OSS-Fuzz, would I get a $1,000 bonus for the initial integration?
@ToSeven we can't promise anything here in the comments. The only way to find out is to make your contribution and submit the integration reward form after that for the OSS-Fuzz reward panel to review.
Let's use this issue to maintain a list of projects that we want to see on oss-fuzz.
Volunteers welcome!
cplus_demangle (seen fuzzable bugs in the past)
regex (e.g. https://gcc.gnu.org/bugzilla/show_bug.cgi?id=79539)
graphviz @emdenrg (fuzz graphviz #182) (upstream not interested)
(add to this list instead of creating a new comment)