go-tuf
go-tuf copied to clipboard
Implement Fuzzing
By implementing fuzzing it will improve the security posture of this library. Especially integrating with oss-fuzz is a great help in uncovering bugs.
Using https://github.com/dvyukov/go-fuzz is the unofficial standard for fuzzing go libraries.
Why not use go 1.18 fuzzing?
The go-fuzz is compatible with libfuzzer, which is supported by oss-fuzz. The go 1.18 doesn't have support for external fuzzer formats yet.
Related: https://github.com/rdimitrov/go-tuf-metadata/issues/12
As this issue was opened 2021 there have been updates to oss-fuzz to allow native Go fuzzing as well: https://google.github.io/oss-fuzz/getting-started/new-project-guide/go-lang/#native-go-fuzzing-support
So I would rather work on implementing that in favor of pulling in a 3rdparty lib for this.
While I am in favor of adding oss-fuzz support, I know that getting a project accepted will take a bit of time (went through this process with two other projects already). Therefore I would firstly add support in general before extending CI to create long running tests on oss-fuzz.