
skupper-router project initialization

Open ganeshmurthy opened this issue 1 year ago • 7 comments

ganeshmurthy avatar Oct 23 '24 19:10 ganeshmurthy

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

google-cla[bot] avatar Oct 23 '24 19:10 google-cla[bot]

ganeshmurthy is integrating a new project:
- Main repo: https://github.com/skupperproject/skupper-router.git
- Criticality score: 0.51218

github-actions[bot] avatar Oct 23 '24 19:10 github-actions[bot]

_No description provided._

Can you share with us how large the user base is, and what interesting attack surface OSS Fuzz can help protect?

vitorguidi avatar Oct 30 '24 13:10 vitorguidi

> Can you share with us how large the user base is, and what interesting attack surface OSS Fuzz can help protect?

skupper-router is an open source project which is part of a larger project called Skupper (https://skupper.io/). Skupper is used to interconnect different clouds by forming Virtual Application Networks. Skupper is used in 6 downstream projects. One of our upstream users is Goldman Sachs. Unfortunately, we have no idea how large our upstream user base is. This might be helpful perhaps - https://hanadigital.github.io/grev/?user=skupperproject&repo=skupper

skupper-router uses the qpid-proton library which is already one of the oss-fuzz projects https://github.com/google/oss-fuzz/tree/master/projects/qpid-proton

skupper-router is capable of reading TCP traffic over a listening port. It sniffs the initial incoming TCP bytes to determine if the protocol being used is http1 or http2 or some other protocol. If, say, the protocol is http2, it starts reading http2 frames to get some stats from the traffic like request method, url etc. OSS Fuzz can send in random data to these protocol observers and try to crash the router.

ganeshmurthy avatar Nov 07 '24 19:11 ganeshmurthy
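
The protocol sniffing and fuzz target described in the comment above, sketched as an added example; it is not skupper-router's code and not part of the thread. `classify_prefix`, `proto_t` and the method list are hypothetical names chosen here; `LLVMFuzzerTestOneInput` is the libFuzzer entry point that OSS-Fuzz builds against, and the 24-byte HTTP/2 preface is the one defined in RFC 9113.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical names for illustration; not skupper-router's API. */
typedef enum { PROTO_NEED_MORE, PROTO_HTTP1, PROTO_HTTP2, PROTO_OTHER } proto_t;

/* HTTP/2 client connection preface (RFC 9113, section 3.4), 24 bytes. */
static const char H2_PREFACE[] = "PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n";
#define H2_PREFACE_LEN (sizeof(H2_PREFACE) - 1)
/* HTTP/1 request lines start with a method token followed by a space. */
static const char *const H1_METHODS[] = { "GET ", "HEAD ", "POST ", "PUT ", "DELETE ",
                                          "OPTIONS ", "PATCH ", "CONNECT ", "TRACE " };

/* Classify the first bytes of a TCP stream without reading past buf[len - 1].
 * PROTO_NEED_MORE means the bytes are still a prefix of a known signature. */
proto_t classify_prefix(const uint8_t *buf, size_t len)
{
    int partial = 0;
    if (len == 0) return PROTO_NEED_MORE;   /* nothing to look at yet */
    size_t n = len < H2_PREFACE_LEN ? len : H2_PREFACE_LEN;
    if (memcmp(buf, H2_PREFACE, n) == 0) {
        if (n == H2_PREFACE_LEN) return PROTO_HTTP2;
        partial = 1;                        /* short read of the preface */
    }
    for (size_t i = 0; i < sizeof(H1_METHODS) / sizeof(H1_METHODS[0]); i++) {
        size_t mlen = strlen(H1_METHODS[i]);
        size_t m = len < mlen ? len : mlen;
        if (memcmp(buf, H1_METHODS[i], m) == 0) {
            if (m == mlen) return PROTO_HTTP1;
            partial = 1;                    /* short read of a method token */
        }
    }
    return partial ? PROTO_NEED_MORE : PROTO_OTHER;
}

/* libFuzzer entry point: replay the input as ever-longer prefixes, the way TCP
 * may deliver it, and abort if a final verdict changes once more bytes arrive. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    proto_t decided = PROTO_NEED_MORE;
    for (size_t len = 0; len <= size; len++) {
        proto_t p = classify_prefix(data, len);
        if (decided != PROTO_NEED_MORE && p != decided) abort();
        decided = p;
    }
    return 0;
}
```

Built with `clang -fsanitize=fuzzer,address`, an out-of-bounds read on a short segment or a verdict that flips between segments shows up as a crash the fuzzer can minimize.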

We can merge this once the CI tests get fixed. @ganeshmurthy

vitorguidi avatar Nov 26 '24 16:11 vitorguidi

@ganeshmurthy we can merge this once the tests pass

vitorguidi avatar Jan 15 '25 13:01 vitorguidi

> @ganeshmurthy we can merge this once the tests pass

I think I fixed a problem that I saw in the CI test failure. I pushed up a fix for it. Let's see if the CI passes this time

ganeshmurthy avatar Jan 15 '25 14:01 ganeshmurthy