oss-fuzz
[credsweeper] Initial commit
Create initial config file with required info, before configurations
Credential leakage from repo source code is a huge vulnerability that might happen to any developer at any moment. Modern tools for credential detection can automatically detect if a developer accidentally committed their credentials (password, key, etc.). However, their disadvantage is the following: too many false reports. Developers just don't want to use them, as the amount of false reporting is too high.
That is why SR presented CredSweeper during the Samsung Security Tech Forum 2021: https://youtu.be/RDl81Jd83zc?t=14717
This scanner allows detecting credentials with a much lower false positive rate than existing alternatives.
SR open-sourced both the tool and the related credential dataset, so other people can contribute and improve credential detection tools, or just use our tool to protect their repos from accidental credential leakage.
Could you write a bit about why credsweeper is a critical open source project, i.e. who are the customers of credsweeper?
As far as I know, several projects of Samsung use the project. I suppose Hyundai projects do too: https://github.com/Samsung/CredSweeper/network/members
@DavidKorczynski, the PR is ready. The CredSweeper main repo is prepared for fuzzing without tensorflow. It takes much time for instrumenting and does not give real coverage.
I reran the CI but it's still failing
@jonathanmetzman @oliverchang this one is ready for acceptance review. The first message of the PR also has notes on the project.
@DavidKorczynski thanks, I'm investigating what's wrong...
One mistake is you need a license header in oss-fuzz/projects/credsweeper/run.sh.
Unfortunately, not the only one. CredSweeper loads a file with the config but cannot find it in fuzz mode. Probably it is run from the package. I have to mock json.load or put the file in the correct place. PS: run.sh is a debug file to run Docker locally.
Let me ask the panel to consider accepting this.
Well, if it is possible to postpone the final configuration...
Dear @jonathanmetzman @oliverchang, please review the PR. I think all checks will pass.
triggered CI run
All tests passed :)
@DavidKorczynski @jonathanmetzman @oliverchang , could you give a decision about PR or estimate PR deadline? Thanks.
Rebased to latest master to skip failures in other projects.
Forked build: https://github.com/babenek/oss-fuzz/pull/3/checks
Hi @babenek, we don't really think credsweeper has the userbase we want for acceptance into OSS-Fuzz yet. Would you like help in setting up ClusterFuzzLite? Since ClusterFuzzLite is a new project, I'm very happy to help potential users.
Send me an email [email protected] if you want help with ClusterFuzzLite