Fuzzing: Add 3 fuzzers #3458
@brackendawson are there any updates on this PR? I think Adam resolved any issues and it would be great to get the fuzzing going. We have quite a bit more fuzzers for Distribution but am not sure what is the smartest approach to get them into the project and have them analyse Distribution if there is a fairly slow turnaround? It's a shame because we need to have the fuzzers in the project for them to be integrated with OSS-Fuzz (see the PR Adam mentioned google/oss-fuzz#6014) One solution is to create a dedicated repository containing the fuzzers where we can merge in faster. CC @caniszczyk
I'm happy with the current state of this PR. It will need a maintainer to approve the github actions, approve & merge though.
You will need to rebase to re-kick the actions. There is no way I can kick the GHA run otherwise 🤔
Great if we can finally get this merged @milosgajdos ! Could you see my initial message where I describe the OSS-Fuzz integration: are there any emails I can put in to receive bug reports? Notice that there are quite a few more fuzzers ready for Distribution and we would like to get these merged in as well https://github.com/cncf/cncf-fuzzing/tree/main/projects/distribution as such, how do you want to go about this? I can create another PR that uploads all of the fuzzers in one go?
What do you mean by "bug reports"? Security vulnerabilities found by the fuzzers?
I'd welcome adding more fuzzers, indeed. Personally, I'd have no issue with having a single PR covering all of those, but I'm but a single maintainer. I can bring it up with other folks at the next call. In the meantime, can you please rebase so the GHA are run?
Signed-off-by: AdamKorcz <adam@adalogics.com>
Codecov Report
@@ Coverage Diff @@
## main #3458 +/- ##
==========================================
- Coverage 56.38% 56.35% -0.04%
==========================================
Files 102 101 -1
Lines 7324 7307 -17
==========================================
- Hits 4130 4118 -12
+ Misses 2541 2534 -7
- Partials 653 655 +2
Continue to review full report at Codecov.
The goal is to find security and also reliability issues, so the fuzzer will report on both. There are most likely some false positives too if a fuzzer executes code in a way it should not.
Great, we will get these uploaded when the whole OSS-Fuzz integration has been completed. We can then migrate the fuzzers from https://github.com/cncf/cncf-fuzzing to here. Notice that I did join the meeting around the time of this PR to discuss this work. Essentially it's work we have been doing with the Linux Foundation to support various CNCF projects.
While we are waiting for review, which email address can we add for google/oss-fuzz#6014 ?
I don't think we have any specific email address to reach all maintainers of distribution, so unfortunately I've no answer for you here. I wonder if @SteveLasker might know?
We can always add more later, i.e. it's fine to start with a single email address
lgtm
@AdamKorcz you should be able to email cncf-distribution-security at lists.cncf.io
Thanks @milosgajdos - using a list won't work unfortunately. It needs to be email accounts linked to Google accounts as you need to log in to watch the reports. Example project.yamls for CNCF projects:
Well, in that case I'd recommend grabbing the list of email addresses from https://github.com/distribution/distribution/blob/main/MAINTAINERS Do we need to do anything extra to get this sorted? Would appreciate some guidance here if the above is not enough.
Thanks Milos! I will put those on. Nothing more now, we have everything in terms of getting the fuzzers up and running. Will ping you on the PR that does the OSS-Fuzz integration on the OSS-Fuzz repository. |
Hey folks, I've opened a CNCF service desk to update Milo's email. Are there any others that should be added to the security email list above?
This PR adds 3 fuzzers for Distribution and a build script to run the fuzzers continuously through OSS-fuzz.
A PR has also been set up on the OSS-fuzz side to integrate Distribution: google/oss-fuzz#6014. Two of the fuzzers that were committed on the OSS-fuzz side are moved upstream in this PR and a third fuzzer is added.
Once this PR gets merged, I will amend the changes on OSS-fuzz to invoke the build script in this PR.
For those unfamiliar with fuzzing and/or OSS-fuzz: Fuzzing (or fuzz testing) is a way of testing software whereby pseudo-random data is passed to a target application with the goal of finding bugs and vulnerabilities. It has been useful in finding bugs, including security-critical bugs, in many open source Go projects to date. Some can be found here, https://github.com/dvyukov/go-fuzz#trophies and others include this CVE in Kubernetes and this CVE in the Go standard library found by fuzzing Go-ethereum.
OSS-fuzz is a free service offered by Google into which critical open source projects can integrate and have their fuzzers run continuously. If any bugs are found, maintainers will get notified with an email containing a link to a detailed bug report.
The fuzzers in this PR are all implemented by way of go-fuzz which is the Golang engine supported by OSS-fuzz.
To complete the OSS-fuzz PR, at least one maintainer's email address is needed for bug reports.
Other projects integrated into OSS-fuzz include Kubernetes, runC and containerd.