Open Amir-Montazery opened 11 months ago
Hi all, we have started the fuzzing work for Node with the following three PRs:
We plan to add more fuzz coverage of native code primarily for now. In addition, I have added myself to the contact list of Nodes OSS-Fuzz integration: https://github.com/google/oss-fuzz/blob/3c4e2c6724f7d6f090b085f1c28d937bdeaf3918/projects/nodejs/project.yaml#L10 so I can keep track of the feedback from the added fuzzers. We will add new fuzzers in the same manner as the three PRs above.
In addition, we are also looking at the fuzz coverage of Nodes core dependencies to assess which improvements we can make there.
Hi @AdamKorcz great job, where can we see the reports?
Hi @AdamKorcz great job, where can we see the reports?
All email addresses in this file have access to findings: https://github.com/google/oss-fuzz/blob/master/projects/nodejs/project.yaml
It will need to be an email address associated with a Google account.
This issue is stale because it has been open many days with no activity. It will be closed soon unless the stale label is removed or a comment is made.
@Amir-Montazery @AdamKorcz Could we have some update about the fuzzing progress?
I can provide a quick update in the 2024-04-11 meeting and have also invited AdamKorcz to the next security-wg meeting.
This issue has been inactive for 90 days. It will be closed in 14 days unless there is further activity or the stale label is taken off.
Thank you for your patience everyone. I believe we have everything we need to close out the engagement with the updated report from Aug 28th. Shall I join the next meeting to finalize with the group? I believe there is a session scheduled for September 4th. Thank you in advance!
Per discussion with the security wg at the 11/23/2023 wg meeting, an issue has been created to kick off and help track the fuzzing security initiative scheduled for December 2023. A general description of the work to be done can be found at: https://github.com/nodejs/security-wg/issues/1146.
We plan on working with David Korczynski (https://github.com/DavidKorczynski) on this initiative.