mvdan / sh

A shell parser, formatter, and interpreter with bash support; includes shfmt
https://pkg.go.dev/mvdan.cc/sh/v3
BSD 3-Clause "New" or "Revised" License

Integrate with oss-fuzz #777

Closed naveensrinivasan closed 2 years ago

naveensrinivasan commented 2 years ago

We use this library in http://github.com/ossf/scorecard which is part of the https://openssf.org. This is critical for the project and would be good to have it integrated with oss-fuzz to find vulnerabilities.

I recently had sigstore integrated with oss-fuzz https://github.com/google/oss-fuzz/tree/master/projects/sigstore.

I did notice you have fuzz enabled with Go 1.18, but Go 1.18 doesn't support libfuzzer and oss-fuzz requires libfuzzer.

mvdan commented 2 years ago

You seem to just use the syntax parser and printer, which have been very well fuzzed for years. We used go-fuzz locally for a long time, then fuzzit as a continuous fuzzing service until it shut down - and now Go's native fuzzing in 1.18, since go-fuzz currently doesn't work well with the latest versions of Go.

Google wrote both oss-fuzz and Go's 1.18 native fuzzing support, so I imagine compatibility is planned at some point.

For now, is there a particular reason that using oss-fuzz is a must? If you're not sure that the fuzzers have been run for a long enough time, you could always throw a machine at them for 24h whenever you bump the version of this library :)

mvdan commented 2 years ago

Looks like oss-fuzz plans to be ready once Go 1.18 is released: https://github.com/google/oss-fuzz/issues/7020

I believe we can close this now, as there's not much else to do on my part. The only alternative route for me is to go back to go-fuzz instead of native fuzzing, but that seems like a step backwards :)