jelmer / dulwich

Pure-Python Git implementation
https://www.dulwich.io/

OSS-Fuzz Integration Proposal #1302

Closed DaveLak closed 5 months ago

DaveLak commented 5 months ago

Hi,

I've been working with the GitPython maintainers recently to improve the project's OSS-Fuzz integration[^1] when I came across Dulwich via the Pro Git book[^2]. Given how significant this project is, I was surprised to find no previous discussion about an OSS-Fuzz integration here so I wanted to ask if that is something you are interested in.

About OSS-Fuzz

OSS-Fuzz is a free service run by Google that performs continuous fuzzing of important open source projects to automate test-case generation and identify bugs that are difficult to find via traditional unit tests.

From the OSS-Fuzz project's README:

Fuzz testing is a well-known technique for uncovering programming errors in software. Many of these detectable errors, like buffer overflow, can have serious security implications. Google has found thousands of security vulnerabilities and stability bugs by deploying guided in-process fuzzing of Chrome components, and we now want to share that service with the open source community.

In cooperation with the Core Infrastructure Initiative and the OpenSSF, OSS-Fuzz aims to make common open source software more secure and stable by combining modern fuzzing techniques with scalable, distributed execution.

What Happens When OSS-Fuzz Finds a Bug

Because of the nature of OSS-Fuzz as a security tool, bugs identified by fuzzing are reported privately on an issue tracker that requires a Gmail account to access.

The issue tracker has a 90 day disclosure policy so project maintainers (or anyone else that maintainers wish to add to the access allow list) can evaluate the impact of the bug before it becomes public.

Next Steps if You Are Interested

I am happy to set up the integration and contribute as much or as little to its maintenance as you'd like.

An integration requires:

1. A PR on the OSS-Fuzz repo proposing the project with a comment from a Dulwich maintainer approving it.

This would add some config files (see the GitPython files for reference) and request the OSS-Fuzz maintainers at Google to consider Dulwich for integration. Given this project's large footprint in OSS and the Python community, I'd expect the approval to be smooth, but if you happen to know of some high profile or popular projects that depend on Dulwich that would help inform their review.

2. A PR adding fuzz tests and some setup scripts used by OSS-Fuzz in this repo.

I have already experimented with the setup in a fork prior to opening this issue, so you can see the changes to this repo that I'd propose via PR here: https://github.com/jelmer/dulwich/compare/master...DaveLak:dulwich:oss-fuzz-initial-integration


Thanks for reading! Let me know if there is anything I can clarify!

[^1]: See the commit history of the files in GitPython's fuzzing/ directory for a detailed log: https://github.com/gitpython-developers/GitPython/tree/5f267792b7983bd85f4a4f6299b9d795516d0892/fuzzing

[^2]: Pro Git 2nd Edition, A2.5 Appendix B: Embedding Git in your Applications - Dulwich
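The second step above (a PR adding fuzz targets under `fuzzing/`) is easiest to picture with a concrete harness. The following is an added example, not code from this issue, from Dulwich's own `fuzzing/` directory, or from the linked fork; it shows the shape OSS-Fuzz expects of a Python fuzz target (an `atheris`-driven `TestOneInput` entry point that swallows documented exceptions and lets anything unexpected surface as a crash). The parser it exercises is a stand-in for the Git loose-object header format (`<type> <size>\0<content>`) written for this example, not Dulwich's parser, and the seed corpus is constructed.

```python
"""OSS-Fuzz style harness for a stand-in Git loose-object header parser.

Added example: the parser is a hypothetical substitute for Dulwich's object
parsing; the harness layout (TestOneInput, atheris.Setup / atheris.Fuzz)
is the structure OSS-Fuzz Python projects ship under fuzzing/.
"""
import sys

try:
    import atheris  # present in the OSS-Fuzz Python base image; optional here
except ImportError:
    atheris = None

# Git stores a loose object as b"<type> <size>\0<content>" once decompressed.
VALID_TYPES = (b"blob", b"tree", b"commit", b"tag")


def parse_loose_object(data: bytes) -> tuple:
    """Return (type, size, content); raise ValueError on malformed input."""
    nul = data.find(b"\0")
    if nul == -1:
        raise ValueError("missing NUL after header")
    header = data[:nul]
    try:
        obj_type, size_text = header.split(b" ", 1)
    except ValueError:
        raise ValueError("header has no space separator") from None
    if obj_type not in VALID_TYPES:
        raise ValueError("unknown object type %r" % obj_type)
    if not size_text.isdigit():
        raise ValueError("non-numeric size")
    size = int(size_text)
    content = data[nul + 1:]
    if len(content) != size:
        raise ValueError("size mismatch")
    return obj_type, size, content


def TestOneInput(data: bytes) -> None:
    """Entry point libFuzzer calls (via atheris) for every generated input.

    The exception the parser documents (ValueError) is expected on junk and
    is swallowed.  Anything else (IndexError, RecursionError, ...) propagates,
    and OSS-Fuzz records it as a crash with a reproducer file.
    """
    try:
        parse_loose_object(data)
    except ValueError:
        pass


# Constructed seed inputs, the kind of corpus checked in next to the target.
SEEDS = [
    b"blob 5\0hello",     # well-formed
    b"tree 0\0",          # empty tree, well-formed
    b"commit 3\0abc",     # well-formed
    b"blob x\0bad",       # non-numeric size
    b"notatype 1\0a",     # unknown type
    b"blob 5\0hell",      # declared size does not match content
    b"no-nul",            # header never terminated
]


def run_seeds(seeds=SEEDS) -> dict:
    """Run the target over the seeds without atheris; return accept/reject counts."""
    accepted = rejected = 0
    for seed in seeds:
        try:
            parse_loose_object(seed)
            accepted += 1
        except ValueError:
            rejected += 1
        TestOneInput(seed)  # must never raise, whether the seed is valid or not
    return {"accepted": accepted, "rejected": rejected}


def main():
    if atheris is None:
        print("atheris not installed; seed run only:", run_seeds())
        return
    atheris.instrument_all()              # coverage instrumentation for Python code
    atheris.Setup(sys.argv, TestOneInput)
    atheris.Fuzz()


if __name__ == "__main__":
    main()
```

Run under OSS-Fuzz (or locally with `pip install atheris`), the script hands control to libFuzzer; without atheris it only replays the seed corpus, which is also a cheap regression check to keep in CI. The one design decision that matters for triage is the `except ValueError` in `TestOneInput`: catching only the exception type the parser promises keeps the private tracker free of "expected" reports, so everything that does land there is a genuine unexpected failure.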

jelmer commented 5 months ago

I'd be interested in seeing OSS-fuzz for Dulwich, so would welcome work to set that up. I doubt it's something I'll personally have time to work on soon, but happy to review/comment if somebody else wanted to.

DaveLak commented 5 months ago

> I'd be interested in seeing OSS-fuzz for Dulwich, so would welcome work to set that up.

Great, I already have most of it ready, so I'll go ahead and open a PR here and the corresponding downstream OSS-Fuzz PR and ping you for review.

The only thing I need is one or more Gmail addresses that will get access to the bug reports before they're publicly disclosed.

Note that the emails will be public in the OSS-Fuzz repo, as they will be part of a configuration file (example).

> I doubt it's something I'll personally have time to work on soon, but happy to review/comment if somebody else wanted to.

If you would like me to assist with triage of bug reports, let me know and I'll add myself as an auto_cc as I did in GitPython.

jelmer commented 5 months ago

> > I'd be interested in seeing OSS-fuzz for Dulwich, so would welcome work to set that up.
>
> Great, I already have most of it ready, so I'll go ahead and open a PR here and the corresponding downstream OSS-Fuzz PR and ping you for review.
>
> The only thing I need is one or more Gmail addresses that will get access to the bug reports before they're publicly disclosed.
>
> Note that the emails will be public in the OSS-Fuzz repo, as they will be part of a configuration file (example).

Can you use:

jvernooij@gmail.com

(It's fine for it to be public)

> > I doubt it's something I'll personally have time to work on soon, but happy to review/comment if somebody else wanted to.
>
> If you would like me to assist with triage of bug reports, let me know and I'll add myself as an auto_cc as I did in GitPython.

Yeah, I'd appreciate that - thanks!

DaveLak commented 5 months ago

OSS-Fuzz has accepted and merged the integration request in https://github.com/google/oss-fuzz/pull/11900!

Since #1304 was merged as well, the fuzzers should start building and running within the next 48 hours, and coverage reports should begin showing up a day or two after that.

In the meantime I am going to close this issue as done and I'll get to work on adding more fuzz targets in follow-up PRs. 🚀

jelmer commented 5 months ago

Thanks, @DaveLak !

DaveLak commented 1 month ago

Hey @jelmer 👋

It's been a while since my last PR so I thought I'd drop in and let you know that I'm still around and haven't forgotten about the integration!

I'm working on some improvements, including trying to get the Rust extensions instrumented. Hope to get something into PR soon!

jelmer commented 1 month ago

Hi @DaveLak , thanks - looking forward to reviewing more PRs :)