
OSSFuzz Integration

Open capuanob opened this issue 1 year ago • 9 comments

Hello!

I am inquiring to see if the project maintainers would be open to me submitting this project to Google's OSSFuzz program. As part of this effort, I would develop the necessary fuzz harnesses and build scripts needed to integrate the project for nightly fuzz-testing. I would just need the eventual PR review from the maintainers. Currently, I am thinking that time-zone parsing would be a good starting point for fuzz-testing, but am open to any other suggestions!

capuanob avatar Jan 19 '24 18:01 capuanob

I'm not too interested in fuzzing the time zone database, if that is what your intention is. The reason is that the time zone database isn't user input. It is strictly controlled by a very few maintainers under the auspices of the IANA. They don't produce a lot of variation in the database, and on the rare occasions they do, it is a huge deal and often reverted.

If you're referring to fuzz testing other aspects which would model variations in user input, I'd be more interested.

HowardHinnant avatar Jan 19 '24 18:01 HowardHinnant

@HowardHinnant Apologies for the confusion, I was referring specifically to the parse method found in the format conversion section of the timezone documentation. However, I would also add fuzz-testing for whichever entry points process user input as well.

Does this sound like a good approach?

capuanob avatar Jan 19 '24 18:01 capuanob

@HowardHinnant If so, I would just need a good Google account email address to serve as the primary contact for the repo. This email will be granted access to the ClusterFuzz dashboard to review security vulnerabilities and crashing testsuites.

capuanob avatar Jan 19 '24 18:01 capuanob

How about if you be the primary contact.

In the past I have made the mistake of agreeing to things with this repo which I don't have the time or expertise to support, and I don't want to make that mistake again.

HowardHinnant avatar Jan 19 '24 19:01 HowardHinnant

@HowardHinnant I could try that and link this conversation as justification. Thank you for your time, I'll get started as soon as they approve.

capuanob avatar Jan 19 '24 19:01 capuanob

If they object could you not just point them to your fork of this repo?

HowardHinnant avatar Jan 19 '24 19:01 HowardHinnant

@HowardHinnant The fuzz harness has to be integrated upstream, since they want to continually fuzz the repository as it receives updates. However, I think they will be fine with it as you recommended I do so.

capuanob avatar Jan 19 '24 19:01 capuanob

If we get into this and I want to discontinue, is there an off button?

HowardHinnant avatar Jan 19 '24 19:01 HowardHinnant

@HowardHinnant There is, since the build script will be hosted here: it could simply be deleted to immediately halt any further fuzzing. Furthermore, it'd be as easy as me or yourself raising the desire to do so and submitting a PR to remove the project folder from upstream to completely stop fuzzing.

capuanob avatar Jan 19 '24 19:01 capuanob