google / zoekt

Fast trigram based code search

Added fuzzer #118

Open AdamKorcz opened 4 years ago

AdamKorcz commented 4 years ago

Dear maintainers of Zoekt,

I am reaching out to you because I have worked on integrating continuous fuzzing into your project by way of OSS-fuzz. Fuzzing is a popular technique that is used to identify security vulnerabilities and bugs in your project. Although fuzzing is mainly known for its effectiveness in low-level languages like C and C++, fuzzing Go code has proven fruitful recently, and many other Go projects are already integrated into OSS-fuzz, some of which are Prometheus, Kubernetes, https://github.com/valyala/fasthttp, fastjson, grpc-gateway, TiDB.

The fuzzer in this PR is implemented by means of go-fuzz, which provides a simple API and is the most popular fuzzer for Go at the moment.

Fuzzers implemented in go-fuzz can be run either locally or continuously through a platform like OSS-fuzz, which is a project run by Google that dedicates hardware to run fuzzers free of charge. While OSS-fuzz is a free service, it is offered with an implied expectation that bugs are fixed. When a bug is found by OSS-fuzz, maintainers are sent a link to a detailed bug report by email; the bug report is private for 90 days, after which it becomes public.

ADA Logics is a contributor to open source security, and we have integrated dozens of projects into OSS-fuzz. The fuzzer in this PR is tested on OSS-fuzz's infrastructure, and all I need from your side are the email addresses that should receive the bug reports; then I am happy to complete the integration to OSS-fuzz.

I have included steps to run the fuzzer locally as well. These are found in the file itself.

Kind regards,
Adam
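As an added illustration of the go-fuzz API the comment above refers to (this is not the fuzzer attached to this PR and not zoekt's own code), the block below shows the shape of a go-fuzz harness: a `Fuzz(data []byte) int` function that feeds raw bytes into the code under test, checks invariants by panicking, and uses the 1 / 0 / -1 return convention to steer the corpus. The target it exercises, `trigrams`, is a stand-in tokenizer written for this example so that it runs offline; `maxInput` is likewise an arbitrary cap chosen here. The sample inputs in `main` are constructed, including one with a byte that is not valid UTF-8, which is the kind of edge case a fuzzer reaches quickly.

```go
// Added example: a go-fuzz style harness for a small trigram tokenizer.
// This is not the fuzzer from PR #118, and trigrams() is a stand-in written
// for this example, not zoekt's indexing code.
package main

import (
	"fmt"
	"unicode/utf8"
)

// maxInput caps what the harness will process so the corpus stays small;
// the limit itself is an arbitrary choice for this example.
const maxInput = 64 * 1024

// trigrams splits s into overlapping runs of three runes. The []rune
// conversion decodes each invalid UTF-8 byte as utf8.RuneError, so the
// tokenizer never panics on arbitrary input from the fuzzer.
func trigrams(s string) []string {
	runes := []rune(s)
	if len(runes) < 3 {
		return nil
	}
	out := make([]string, 0, len(runes)-2)
	for i := 0; i+3 <= len(runes); i++ {
		out = append(out, string(runes[i:i+3]))
	}
	return out
}

// Fuzz has the signature go-fuzz expects. It returns 1 when the input
// should be prioritised in the corpus, 0 when it is uninteresting, and
// -1 when it must not be added even if it gives new coverage. A panic
// is what go-fuzz reports as a crash, so the invariants below are
// checked with panic rather than with a returned error.
func Fuzz(data []byte) int {
	if len(data) > maxInput {
		return -1
	}
	s := string(data)
	tg := trigrams(s)

	// Invariant 1: the number of trigrams is the rune count minus two
	// (or zero for inputs shorter than three runes). Both sides decode
	// invalid bytes the same way, one RuneError per byte.
	want := utf8.RuneCountInString(s) - 2
	if want < 0 {
		want = 0
	}
	if len(tg) != want {
		panic(fmt.Sprintf("got %d trigrams for %q, want %d", len(tg), s, want))
	}

	// Invariant 2: every trigram is exactly three runes, even when the
	// input contained bytes that are not valid UTF-8.
	for _, t := range tg {
		if n := utf8.RuneCountInString(t); n != 3 {
			panic(fmt.Sprintf("trigram %q has %d runes", t, n))
		}
	}

	if len(tg) == 0 {
		return 0 // too short to exercise anything worth keeping
	}
	return 1
}

func main() {
	// Constructed sample inputs; "h\xffllo" carries an invalid UTF-8 byte.
	for _, in := range []string{"ab", "hello", "h\xffllo", "héllo"} {
		fmt.Printf("%q -> %d trigrams, Fuzz=%d\n", in, len(trigrams(in)), Fuzz([]byte(in)))
	}
}
```

Run stand-alone this just prints the sample results; under go-fuzz the harness is compiled with go-fuzz-build and driven with go-fuzz -bin=<the produced zip>, with the corpus directory layout and the gofuzz build tag described in the go-fuzz README. The point of the two invariants is that a fuzzer only finds what the harness checks: without them, a tokenizer that silently dropped or duplicated a trigram on malformed input would never be reported.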