How to exclude MSan false positives from the OSV database #7434
Comments
You should be able to mark these bugs as non-security from the detailed testcase page at https://oss-fuzz.com/testcase-detail. This should propagate to OSV and mark them as invalid as well.
Thanks! I edited the bugs that had been closed as "verified". I'll fix the rest once #7401 is merged and CF confirms that they are gone.
@oliverchang it seems CF has reported a few similar issues since this issue was opened. They weren't reported on Monorail because I marked MSan as "experimental" in #7424 but I wonder if they should be edited as well? My guess would be that they shouldn't but I'm not sure how the OSV database works exactly.
I edited https://oss-fuzz.com/testcase-detail/5615954752569344, https://oss-fuzz.com/testcase-detail/5377548567052288 and https://oss-fuzz.com/testcase-detail/4977999500410880 anyway just in case. They were fixed by compiling zlib with msan.
As far as I understand the Bug-Security label is automatically added to all issues found with MSan and because of that they eventually end up in the OSV database (which provides an API used to look for vulnerable packages or even generate CVEs automatically). I wonder how I can prevent MSan false positives like
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=45647
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=45676
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=45630
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=45706
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=45631
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=45633
from ending up in the database?