
Conversation

vy
Member

@vy vy commented Sep 17, 2024

As a deliverable of apache/logging-log4j2#2891 and apache/logging-log4j2#2892, this PR implements fuzz tests along with Google OSS-Fuzz integration. See the added fuzzing.md for details.

Note: Review request has been submitted in this dev@ post.

@vy vy self-assigned this Sep 17, 2024
@vy vy marked this pull request as draft September 17, 2024 18:37
@rm5248
Contributor

rm5248 commented Sep 17, 2024

This is looking good! I won't have a chance to run this myself for a few days, but it looks like I can run it manually? What about running it as part of our github actions?

@vy
Member Author

vy commented Sep 18, 2024

This is looking good! I won't have a chance to run this myself for a few days, but it looks like I can run it manually?

No worries. There are still some rough edges at the OSS-Fuzz side, hence I will be polishing it a bit more. Note that the PR is marked as Draft. Earlier @swebb2066 had explicitly told me to not submit features via GitHub without a mailing list discussion. I will do that when the PR is ready to be reviewed.

What about running it as part of our github actions?

That is an excellent question! 🤩 Fuzzers are intended to be run for (preferably) long periods of time and regularly. To speed things up, you need to save your state (called the corpus) and restore it in the next run. When a fuzzer fails, you need to take a snapshot of the context (preferably somewhere not disclosed to the public, for security reasons, because you might have just stumbled upon a vulnerability) to allow reproduction, and continuously verify these reproductions as the code base changes. This sophisticated pipeline also needs an administrative UI and reporting features. We can implement such a GitHub Actions workflow, leverage either the ASF Subversion repository or some private GitHub repository for storage, etc. But this is a pretty big task! The good news is, this is exactly what OSS-Fuzz does! 😅 A beefy cluster continuously fuzzing, storing its state & findings in a GCP bucket, and giving visibility into its pipeline state using a web page.

Over the last 2 months I've learned a lot while trying to integrate Log4j and Log4cxx with OSS-Fuzz. If I were to do it all over again, and had more time and financial budget, I'd go the GHA route. This would not only put us in complete control, but also result in a product that any GitHub project can use. But alas, there is a deadline by which I need to deliver this task.
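The pipeline vy describes above (a fuzz target, saved reproducers, and re-verifying those reproducers as the code base changes) as an added example that is not code from the Log4cxx PR or from OSS-Fuzz; the pattern tokenizer is a hypothetical stand-in for the real fuzz target, and `replayReproducers` is the regression step, not a libFuzzer API.

```cpp
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <string>
#include <vector>
struct Token { bool conversion; std::string text; std::string option; };

// Hypothetical stand-in for the Log4cxx target under test: a "%d{HH:mm} %m%n"
// style pattern tokenizer. Malformed input is reported by exception, never by UB.
std::vector<Token> tokenizePattern(const std::string& p) {
    std::vector<Token> out;
    for (size_t i = 0; i < p.size();) {
        if (p[i] != '%') {                      // literal text up to the next '%'
            size_t end = p.find('%', i);
            if (end == std::string::npos) end = p.size();
            out.push_back({false, p.substr(i, end - i), ""});
            i = end;
            continue;
        }
        if (i + 1 >= p.size()) throw std::invalid_argument("dangling '%'");
        Token t{true, std::string(1, p[i + 1]), ""};
        i += 2;
        if (i < p.size() && p[i] == '{') {      // optional {option} block
            size_t close = p.find('}', i);
            if (close == std::string::npos) throw std::invalid_argument("unterminated '{'");
            t.option = p.substr(i + 1, close - i - 1);
            i = close + 1;
        }
        out.push_back(t);
    }
    return out;
}

// libFuzzer entry point: a rejected pattern is an expected outcome; anything else
// (sanitizer abort, uncaught exception) is a finding worth saving as a reproducer.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
    try {
        tokenizePattern(std::string(reinterpret_cast<const char*>(data), size));
    } catch (const std::invalid_argument&) {}
    return 0;
}

// Regression step: replay saved reproducers through the entry point and count the
// ones that still escape. A sanitizer abort would end the process before returning.
int replayReproducers(const std::vector<std::string>& reproducers) {
    int escaped = 0;
    for (const std::string& r : reproducers) {
        try { LLVMFuzzerTestOneInput(reinterpret_cast<const uint8_t*>(r.data()), r.size()); }
        catch (...) { ++escaped; }
    }
    return escaped;
}
```

In a real setup the reproducers come from the private crash store the comment describes, and the same binary is built with `-fsanitize=fuzzer,address` so libFuzzer drives the entry point from the saved corpus.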

@vy vy marked this pull request as ready for review September 19, 2024 12:08
@vy vy requested review from swebb2066 and rm5248 September 19, 2024 12:09
Contributor

@rm5248 rm5248 left a comment


This looks good to me. Once I installed docker and followed the directions, I was able to create the fuzzed data and run it. I let it run for a few hours before killing it; I'll let it run all day tomorrow and see what the results are.

Kindly squash merge when merging in.

@vy vy merged commit 1370eee into master Sep 26, 2024
32 checks passed
DavidKorczynski pushed a commit to google/oss-fuzz that referenced this pull request Sep 30, 2024
In #12352, we used the `fuzzing` branch of the `apache/logging-log4cxx`
repository while developing the Log4cxx integration. This work was
successful and we eventually merged the `fuzzing` branch to `master` in
apache/logging-log4cxx#411. Now we can point OSS-Fuzz to the permanent
location of the Log4cxx fuzz tests.