open-telemetry / opentelemetry-cpp

The OpenTelemetry C++ Client
https://opentelemetry.io/
Apache License 2.0

Request for Adding Fuzz Testing to OpenTelemetry-cpp Library #2247

Open esigo opened 1 year ago

esigo commented 1 year ago

Issue Description:

As a part of the OpenTelemetry-cpp community, we would like to request the addition of fuzz testing to the library. Fuzz testing is a valuable technique that complements traditional testing approaches and significantly enhances the overall testing and security of the library.

Why We Need Fuzz Testing:

  1. Bug Detection: Fuzz testing is excellent at finding edge cases and unexpected behavior that may not be discovered using traditional test cases. It can uncover hard-to-detect bugs and corner cases in the codebase.

  2. Security Vulnerability Detection: Fuzz testing can help identify potential security vulnerabilities such as buffer overflows, memory corruption, and other issues that could be exploited by malicious users.

  3. Improved Test Coverage: By generating a wide variety of random inputs, fuzz testing can achieve higher code coverage, ensuring that more parts of the library are exercised during testing.

  4. Early Bug Detection: Fuzz testing can be introduced early in the development process to continuously test and validate code changes. This helps identify regressions quickly and facilitates rapid bug fixes.

  5. Community Assurance: Implementing fuzz testing in OpenTelemetry-cpp will provide the community with an additional layer of assurance about the reliability and security of the library, increasing its overall trustworthiness.

Proposed Approach:

We propose integrating fuzz testing using the Google FuzzTest framework. This allows us to use fuzzed inputs as test cases for various components within the library.

Community Involvement:

We welcome contributions and feedback from the community regarding the implementation of fuzz testing. Community members are encouraged to participate in testing, review, and refining the fuzz targets to maximize the effectiveness of fuzz testing for OpenTelemetry-cpp.

We believe that adding fuzz testing to OpenTelemetry-cpp will significantly improve the library's robustness, security, and overall quality, and we kindly request the consideration and support of the maintainers and the community in this endeavor.
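To make the proposal concrete, here is an added example of what a fuzz target for one component looks like; it is not code from opentelemetry-cpp or from this issue. It wraps a hypothetical, self-contained parser for the W3C `traceparent` header (the kind of untrusted input a propagator consumes) in a libFuzzer-style `LLVMFuzzerTestOneInput` entry point, the harness shape that OSS-Fuzz builds against; a FuzzTest `FUZZ_TEST` would express the same property. The names `parseTraceParent`, `formatTraceParent` and `TraceParent` are assumptions for this example, not the library's API.

```cpp
#include <array>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <optional>
#include <string>
#include <string_view>

// Hypothetical minimal parser for "00-<32 hex trace-id>-<16 hex span-id>-<2 hex flags>".
// It stands in for a library component under fuzz; it is not opentelemetry-cpp's code.
struct TraceParent {
  std::array<uint8_t, 16> trace_id{};
  std::array<uint8_t, 8> span_id{};
  uint8_t flags = 0;
};

static int hexVal(char c) {
  if (c >= '0' && c <= '9') return c - '0';
  if (c >= 'a' && c <= 'f') return c - 'a' + 10;
  return -1;  // the W3C format is lowercase only; uppercase is rejected
}

// Decode exactly n bytes of lowercase hex from s into out; false on any bad digit.
static bool decodeHex(std::string_view s, uint8_t* out, size_t n) {
  if (s.size() != 2 * n) return false;
  for (size_t i = 0; i < n; ++i) {
    int hi = hexVal(s[2 * i]), lo = hexVal(s[2 * i + 1]);
    if (hi < 0 || lo < 0) return false;
    out[i] = static_cast<uint8_t>((hi << 4) | lo);
  }
  return true;
}

std::optional<TraceParent> parseTraceParent(std::string_view s) {
  // Every index below is covered by this length check; the fuzzer's job is to
  // find any input that reaches an unchecked read, which ASan then reports.
  if (s.size() != 55) return std::nullopt;
  if (s[2] != '-' || s[35] != '-' || s[52] != '-') return std::nullopt;
  if (s.substr(0, 2) != "00") return std::nullopt;
  TraceParent tp;
  if (!decodeHex(s.substr(3, 32), tp.trace_id.data(), 16)) return std::nullopt;
  if (!decodeHex(s.substr(36, 16), tp.span_id.data(), 8)) return std::nullopt;
  if (!decodeHex(s.substr(53, 2), &tp.flags, 1)) return std::nullopt;
  // All-zero trace or span ids are invalid per the W3C spec.
  bool trace_zero = true, span_zero = true;
  for (uint8_t b : tp.trace_id) trace_zero = trace_zero && b == 0;
  for (uint8_t b : tp.span_id) span_zero = span_zero && b == 0;
  if (trace_zero || span_zero) return std::nullopt;
  return tp;
}

std::string formatTraceParent(const TraceParent& tp) {
  static const char* kHex = "0123456789abcdef";
  std::string out = "00-";
  auto append = [&](const uint8_t* p, size_t n) {
    for (size_t i = 0; i < n; ++i) {
      out += kHex[p[i] >> 4];
      out += kHex[p[i] & 0x0f];
    }
  };
  append(tp.trace_id.data(), 16); out += '-';
  append(tp.span_id.data(), 8);   out += '-';
  append(&tp.flags, 1);
  return out;
}

// libFuzzer-style entry point: the engine calls this with arbitrary bytes.
// Built with -fsanitize=fuzzer,address, a crash or sanitizer report here is
// saved together with the input that triggered it.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
  std::string_view input(reinterpret_cast<const char*>(data), size);
  std::optional<TraceParent> parsed = parseTraceParent(input);
  if (parsed) {
    // Property check beyond "does not crash": an accepted header must
    // re-encode to exactly the bytes that were parsed.
    if (formatTraceParent(*parsed) != input) std::abort();
  }
  return 0;
}

int main() {
  // Constructed seed corpus for a stand-alone run without a fuzzing engine.
  const char* seeds[] = {
      "00-4bf92f3577b34da6a3ce929d0e0e4736-00f067aa0ba902b7-01",
      "00-00000000000000000000000000000000-00f067aa0ba902b7-01",
      "garbage", ""};
  for (const char* s : seeds)
    LLVMFuzzerTestOneInput(reinterpret_cast<const uint8_t*>(s), std::string_view(s).size());
  std::puts("seed corpus ran without a crash");
  return 0;
}
```

Without a fuzzing engine the `main` only replays the seeds; under `clang++ -fsanitize=fuzzer,address` the engine generates mutated inputs and the round-trip check turns the target into a property test rather than a plain crash detector.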

github-actions[bot] commented 1 year ago

This issue was marked as stale due to lack of activity.

github-actions[bot] commented 9 months ago

This issue was marked as stale due to lack of activity.

lalitb commented 6 months ago

Discussed the OSS-Fuzz integration in the maintainers' meeting today, basically the legality of the copyright/licenses. The suggestion was to raise an issue in the community repo, and if required one of the TC/GC members would raise this further with CNCF.

vitorguidi commented 2 months ago

Has this initiative been abandoned? What are these legality issues?