sybrenstuvel
commented
2 years ago Thanks for the offer! I'm quite curious to see what the fuzz tests can expose.
As for the pull request, I can't accept it as-is. The atheris module should be listed as optional development dependency, and the test should be gracefully skipped when it cannot be imported.
I'm also curious why the tests simply return on a ValueError or OverflowError. IMO this should be documented in a comment above the respective return statements, so that it's clear for anyone reading the code.
DavidKorczynski
Hi,
I was wondering if you would like to integrate continuous fuzzing of python-rsa by way of OSS-Fuzz? In this PR https://github.com/google/oss-fuzz/pull/7516 I do exactly that, namely created the necessary logic from an OSS-Fuzz perspective to integrate python-rsa.
This includes developing initial fuzzers as well as integrating into OSS-Fuzz, however, it is preferable to have the fuzzers upstream so I included it in this PR - if you are happy with having the fuzzers here then I will remove them from the OSS-Fuzz repository.
Essentially, OSS-Fuzz is a free service run by Google that performs continuous fuzzing of important open source projects. The only expectation of integrating into OSS-Fuzz is that bugs will be fixed. This is not a "hard" requirement in that no one enforces this and the main point is if bugs are not fixed then it is a waste of resources to run the fuzzers, which we would like to avoid.
If you would like to integrate, the only thing I need is as list of email(s) that will get access to the data produced by OSS-Fuzz, such as bug reports, coverage reports and more stats. Notice the emails affiliated with the project will be public in the OSS-Fuzz repo, as they will be part of a configuration file.