CodeCompass icon indicating copy to clipboard operation
CodeCompass copied to clipboard
verified publisher icon Ericsson

Enable fuzzing on the project

Open barnabasdomozi opened this issue 2 years ago • 1 comments

See the OpenSSF security test (https://github.com/Ericsson/CodeCompass/issues/659).

 {
      "details": [
        "Warn: no OSSFuzz integration found: Follow the steps in https://github.com/google/oss-fuzz to integrate fuzzing for your project.\nOver time, try to add fuzzing for more functionalities of your project. (High effort)",
        "Warn: no OneFuzz integration found: Follow the steps in https://github.com/microsoft/onefuzz to start fuzzing for your project.\nOver time, try to add fuzzing for more functionalities of your project. (High effort)",
        "Warn: no GoBuiltInFuzzer integration found: Follow the steps in https://go.dev/doc/fuzz/ to enable fuzzing on your project.\nOver time, try to add fuzzing for more functionalities of your project. (Medium effort)",
        "Warn: no ClusterFuzzLite integration found: Follow the steps in https://github.com/google/clusterfuzzlite to integrate fuzzing as part of CI.\nOver time, try to add fuzzing for more functionalities of your project. (High effort)",
        "Warn: no HaskellPropertyBasedTesting integration found: Use one of the following frameworks to fuzz your project:\nQuickCheck: https://hackage.haskell.org/package/QuickCheck\nhedgehog: https://hedgehog.qa/\nvalidity: https://github.com/NorfairKing/validity\nsmallcheck: https://hackage.haskell.org/package/smallcheck\nhspec: https://hspec.github.io/\ntasty: https://hackage.haskell.org/package/tasty (High effort)",
        "Warn: no TypeScriptPropertyBasedTesting integration found: Use fast-check: https://github.com/dubzzz/fast-check (High effort)",
        "Warn: no JavaScriptPropertyBasedTesting integration found: Use fast-check: https://github.com/dubzzz/fast-check (High effort)"
      ],
      "score": 0,
      "reason": "project is not fuzzed",
      "name": "Fuzzing",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#fuzzing",
        "short": "Determines if the project uses fuzzing."
      }
  }

barnabasdomozi avatar Nov 06 '23 17:11 barnabasdomozi

How would we integrate fuzzing into our testing? Generating invalid source files or invalid parametrization for the commands?

mcserep avatar Nov 08 '23 22:11 mcserep