Integration with google oss-fuzz fuzzing service

[manunio]

Hi, I would like to help integrate this project into oss-fuzz, I have also done similar integration for BurntSushi/toml.

• As an initial step for integration I have created this PR: https://github.com/google/oss-fuzz/pull/8368, it contains necessary logic from an OSS-Fuzz perspective to integrate go-toml. This includes developing initial fuzzers as well as integrating into OSS-Fuzz.

• Essentially, OSS-Fuzz is a free service run by Google that performs continuous fuzzing of important open source projects.

• If you would like to integrate, could I please have an email(s), it must be associated with a google account like gmail (why?). by doing that, the provided email(s) will get access to the data produced by OSS-Fuzz, such as bug reports, coverage reports and more stats.

• Notice the email(s) affiliated with the project will be public in the OSS-Fuzz repo, as they will be part of a configuration file.

[pelletier]

Let's give it a shot. You can use pelletier.thomas@gmail.com for this.

[manunio]

Hi @pelletier i have added your mail, later if you wish to add/update mail(s), please create a new issue at oss-fuzz or let me know. I have also added comments for your review and once the pr is merged, will update it here :)

[pelletier]

I've noticed that https://github.com/google/oss-fuzz/pull/8368 has been merged. Thank you!

Couple questions:

1. Did you know that go-toml already has a native fuzz test: https://github.com/pelletier/go-toml/blob/v2/fuzz_test.go ? I was reading https://google.github.io/oss-fuzz/getting-started/integration-rewards/ and it seems like using it may be encouraged?
2. How will I know when a bug is found? Will I receive an email at the address above or is there a website that I need to check?

[manunio]

1. Did you know that go-toml already has a native fuzz test: https://github.com/pelletier/go-toml/blob/v2/fuzz_test.go ? I was reading https://google.github.io/oss-fuzz/getting-started/integration-rewards/ and it seems like using it may be encouraged?

Yes, i was aware of native go fuzzing in go-toml, infact it was my first preference for integration, but unfortunately i was facing some issue while attempting to integrate native go fuzzer locally, so i decided to go with non native option, as for ideal integration native or non native fuzzers can be used, only requirement is for the fuzzer to be there in repo(go-toml) and it should be integrated to oss-build system. In this pr what we have done is called initial integration, where the fuzzer(non native FuzzToml) is not in go-toml, but it can be later moved in go-toml and can be worked towards ideal integration, you can do same with native fuzzers too but the main point is you have to integrate it with oss-fuzz. you can refer to this project https://github.com/sigstore/sigstore/tree/main/test/fuzz for native fuzzing example or this for build related info https://github.com/google/oss-fuzz/tree/master/projects/sigstore.

oss-fuzz supports native fuzzing but there are some requirements for that, you can find more details about them here https://google.github.io/oss-fuzz/getting-started/new-project-guide/go-lang/#native-go-fuzzing-support

2. How will I know when a bug is found? Will I receive an email at the address above or is there a website that I need to check?

You will receive mail for issues filed by oss-fuzz in issue tracker(monorail) along with details related to it. or you can visit
oss-fuzz.com and login with your provided mail, there you can view all crashes, coverage report and build status. If you want to view build status for your project you can visit to https://oss-fuzz-build-logs.storage.googleapis.com/index.html (link is also there in oss-fuzz.com).

If you have anymore questions please let me know :)