clusterfuzzlite icon indicating copy to clipboard operation
clusterfuzzlite copied to clipboard
verified publisher icon google

There should probably be an easier way to integrate CFLite into projects integrated into OSS-Fuzz

Open evverx opened this issue 4 years ago • 9 comments

Trying to integrate CFLite into my fork of elfutils in https://github.com/evverx/elfutils/pull/35, I basically just copied all the files from the elfutils directory to $SRC/

FROM gcr.io/oss-fuzz-base/base-builder:v1
RUN apt-get update && \
    apt-get install -y pkg-config make autoconf autopoint zlib1g-dev flex bison gawk
COPY . $SRC/elfutils
RUN git clone --depth 1 https://github.com/google/oss-fuzz && \
    cp oss-fuzz/projects/elfutils/build.sh $SRC/ && \
    cp oss-fuzz/projects/elfutils/fuzz-dwfl-core.c $SRC/ && \
    cp oss-fuzz/projects/elfutils/fuzz-dwfl-core_seed_corpus.zip $SRC/
WORKDIR elfutils

I wonder if there is an easier way to do that?

evverx avatar Dec 06 '21 19:12 evverx

In some sense ClusterFuzzLite is simply an interface into the same codebase as CIFuzz. So maybe we can make the CIFuzz entrypoint allow users to use run modes other than code-change fuzzing. Then (because the CIFuzz entrypoint is being used) you won't need a .clusterfuzzlite directory for oss-fuzz projects. I think that would solve this issue as well as https://github.com/google/clusterfuzzlite/issues/63 What do you think?

jonathanmetzman avatar Dec 07 '21 20:12 jonathanmetzman

On second thought there might be some issues with the above approach. For one, you wouldn't get build or corpus uploading.

jonathanmetzman avatar Dec 07 '21 20:12 jonathanmetzman

If we can't go with something simple like the above approach, I probably won't do anything to support this. I think it would just add too much complexity to account for OSS-Fuzz projects that are in ClusterFuzzLite.

jonathanmetzman avatar Dec 07 '21 20:12 jonathanmetzman

Is there any advantage to adding ClusterFuzzLite to projects already on OSS-Fuzz?

hickford avatar Feb 05 '22 13:02 hickford

It's compatible with forks so I think it depends on whether it's important for projects to test their forks or not. systemd uses it to test stable branches (where releases consumed by some distributions are kept): https://github.com/systemd/systemd/pull/22295

evverx avatar Feb 05 '22 14:02 evverx

If that's the only reason, maybe we should just add fork support to CIFuzz.

jonathanmetzman avatar Feb 07 '22 20:02 jonathanmetzman

I think it would be great but I'm not sure how it can be implemented. For example CIFuzz always downloads the latest builds but CFLite shouldn't do that because the latest upstream builds don't match the latest "fork" builds.

evverx avatar Feb 07 '22 20:02 evverx

I think it would be great but I'm not sure how it can be implemented. For example CIFuzz always downloads the latest builds but CFLite shouldn't do that because the latest upstream builds don't match the latest "fork" builds.

Ah makes sense.

jonathanmetzman avatar Feb 07 '22 20:02 jonathanmetzman

Regarding advantages I forgot to mention that CFLite is more configurable when it comes to forks in the sense that depending on what projects need they can either download public OSS-Fuzz corpora manually (https://github.com/systemd/systemd/pull/22302) and let CFLite discover issues that haven't been caught when forks were created and backport relevant patches or rely on "stable" seed corpora to make sure forks are more or less fine in general.

evverx avatar Feb 09 '22 00:02 evverx

Even though I still think it would be great if there was an easier way it's already possible to do it and probably it doesn't make much sense to complicate things to cover those niche use cases.

evverx avatar May 07 '23 22:05 evverx