Integrating with OSS-Fuzz
Greetings effcee developers and contributors,
We’re reaching out because your project is an important part of the open source ecosystem, and we’d like to invite you to integrate with our fuzzing service, OSS-Fuzz. OSS-Fuzz is a free fuzzing infrastructure you can use to identify security vulnerabilities and stability bugs in your project. OSS-Fuzz will:
- Continuously run all the fuzzers you write.
- Alert you when it finds issues.
- Automatically close issues after they’ve been fixed by a commit.
Many widely used open source projects like OpenSSL, FFmpeg, LibreOffice, and ImageMagick are fuzzing via OSS-Fuzz, which helps them find and remediate critical issues.
Even though typical integrations can be done in < 100 LoC, we have a reward program in place which aims to recognize folks who are not just contributing to open source, but are also working hard to make it more secure.
We want to stress that anyone who meets the eligibility criteria and integrates a project with OSS-Fuzz is eligible for a reward.
To help you get started, we can provide an internal fuzzer for your project that you are welcome to use directly or as a starting point.
If you're not interested in integrating with OSS-Fuzz, it would be helpful for us to understand why—lack of interest, lack of time, or something else—so we can better support projects like yours in the future.
If we’ve missed your question in our FAQ, feel free to reply or reach out to us at [email protected].
Thanks!
Tommy
OSS-Fuzz Team
Here is a fuzz target you can use. It uses a library called FuzzedDataProvider:
```cpp
#include <cstddef>
#include <cstdint>
#include <queue>
#include <string>

#include "effcee/effcee.h"
#include "FuzzedDataProvider.h"

extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
  FuzzedDataProvider stream(data, size);
  // The first part of the input becomes the text to match against.
  std::string text = stream.ConsumeRandomLengthString(size);
  // Everything left over becomes the check rules.
  std::string checks = stream.ConsumeRemainingBytesAsString();
  effcee::Match(text, checks);
  return 0;
}
```
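The target above splits every input in two with FuzzedDataProvider: `ConsumeRandomLengthString` reads a doubled backslash as one literal backslash and ends the string at a backslash followed by any other byte, and the remaining bytes become the checks. The following is an added example, not code from effcee or OSS-Fuzz: the hypothetical helpers `EncodeSeed` and `DecodeSeed` build a seed corpus entry that decodes to a chosen text/checks pair, with `DecodeSeed` re-implementing the split under that assumption.

```cpp
#include <cstddef>
#include <cstdio>
#include <string>
#include <utility>

// Added example. EncodeSeed and DecodeSeed are hypothetical helper names,
// not part of effcee, OSS-Fuzz or FuzzedDataProvider.

// Pack (text, checks) into one fuzz input for the target above.
std::string EncodeSeed(const std::string& text, const std::string& checks) {
  std::string out;
  for (char c : text) {
    if (c == '\\') out += '\\';  // a doubled backslash decodes to one
    out += c;
  }
  out += "\\n";         // terminator: backslash plus any non-backslash byte
  return out + checks;  // the rest goes to ConsumeRemainingBytesAsString()
}

// Mirror of the split the target performs (assumed to match
// ConsumeRandomLengthString(size) + ConsumeRemainingBytesAsString()).
std::pair<std::string, std::string> DecodeSeed(const std::string& data) {
  std::string text;
  std::size_t pos = 0;
  while (pos < data.size()) {
    char next = data[pos++];
    if (next == '\\' && pos < data.size()) {
      next = data[pos++];
      if (next != '\\') break;  // terminator: both bytes are dropped
    }
    text += next;  // a lone trailing backslash is kept as-is
  }
  return {text, data.substr(pos)};
}

int main() {
  // Constructed sample: input text and an effcee check for it.
  const std::string seed = EncodeSeed("Hello\\world\n", "CHECK: Hello");
  const auto parts = DecodeSeed(seed);
  std::printf("seed=%zu bytes text=%zu bytes checks=\"%s\"\n", seed.size(),
              parts.first.size(), parts.second.c_str());
  return 0;
}
```

A seed written by hand without the terminator leaves the checks empty, and one containing a single backslash splits at that backslash, so corpus files are best generated through the encoder.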
Thanks for your patience waiting for this delayed reply. Yes, I'm interested in integrating with OSS-Fuzz. Great project!
My team uses Effcee in googletest-based tests in our other projects, so Effcee normally handles only trusted inputs in very controlled ways. However, I appreciate and value the desire to fix any bugs OSS-Fuzz may find.
Glad to hear that you are interested in integrating Effcee with OSS-Fuzz! :)
Please let us know if you need help integrating it with OSS-Fuzz. Here is a link to a guide for upstreaming a new project to OSS-Fuzz: https://github.com/google/oss-fuzz/blob/master/docs/getting-started/new_project_guide.me