AzureAD / microsoft-authentication-library-for-python

Microsoft Authentication Library (MSAL) for Python makes it easy to authenticate to Microsoft Entra ID. General docs are available here https://learn.microsoft.com/entra/msal/python/ Stable APIs are documented here https://msal-python.readthedocs.io. Questions can be asked on www.stackoverflow.com with tag "msal" + "python".
https://stackoverflow.com/questions/tagged/azure-ad-msal+python

Fuzzing integration by way of OSS-Fuzz #486

Closed DavidKorczynski closed 2 years ago

DavidKorczynski commented 2 years ago

Hi,

I was wondering if you would like to integrate continuous fuzzing by way of OSS-Fuzz? In this PR https://github.com/google/oss-fuzz/pull/7754 we do exactly this, namely we created the necessary logic from an OSS-Fuzz perspective.

Essentially, OSS-Fuzz is a free service run by Google that performs continuous fuzzing of important open source projects. The only expectation of integrating into OSS-Fuzz is that bugs will be fixed. This is not a "hard" requirement in that no one enforces this and the main point is if bugs are not fixed then it is a waste of resources to run the fuzzers, which we would like to avoid.

If you would like to integrate, the only thing I need is a list of email(s) that will get access to the data produced by OSS-Fuzz, such as bug reports, coverage reports and more stats. Notice the emails affiliated with the project will be public in the OSS-Fuzz repo, as they will be part of a configuration file.

rayluo commented 2 years ago

If you would like to integrate, the only thing I need is a list of email(s) that will get access to the data produced by OSS-Fuzz, such as bug reports, coverage reports and more stats. Notice the emails affiliated with the project will be public in the OSS-Fuzz repo, as they will be part of a configuration file.

Are you talking about adding the email(s) to here? Sure. Go ahead to use my email, which you can find in my profile and/or my commits. By the way, are those existing emails in your current PR intended to be there?

When OSS-Fuzz finds bugs in the test subject (MSAL in this case), do we as the project maintainers need to periodically check your OSS-Fuzz bug list? Will OSS-Fuzz proactively send notifications to my email? Or, even better, can OSS-Fuzz create GitHub issues in the corresponding upstream OSS projects? That way would be more reliable in the long term, after the initial individuals eventually move out of the project.

I have some other specific questions on OSS-Fuzz. I'll leave comments in your PR there.

DavidKorczynski commented 2 years ago

Are you talking about adding the email(s) to here? Sure. Go ahead to use my email, which you can find in my profile and/or my commits. By the way, are those existing emails in your current PR intended to be there?

Thanks Ray, will do! The existing emails are there just for us to help with the integration, for example, there may be something in the setup that breaks or similar when the fuzzers start running continuously. Am happy to remove them if you prefer, but it's for us to assist in case of any mishappenings!

When OSS-Fuzz finds bugs in the test subject (MSAL in this case), do we as the project maintainers need to periodically check your OSS-Fuzz bug list? Will OSS-Fuzz proactively send notifications to my email? Or, even better, can OSS-Fuzz create GitHub issues in the corresponding upstream OSS projects? That way would be more reliable in the long term, after the initial individuals eventually move out of the project.

You will receive notifications by email! OSS-Fuzz is working on getting issues reported by way of GitHub and I expect that to be more stable soon!

I have some other specific questions on OSS-Fuzz. I'll leave comments in your PR there.

Got it, I answered over there!

rayluo commented 2 years ago

By the way, are those existing emails in your current PR intended to be there?

The existing emails are there just for us to help with the integration, for example, there may be something in the setup that breaks or similar when the fuzzers start running continuously. Am happy to remove them if you prefer, but it's for us to assist in case of any mishappenings!

You do not have to remove them if that setup is useful to you. I was just not sure whether they were copy-and-paste errors. :-)