theupdateframework / go-tuf

Go implementation of The Update Framework (TUF)
https://theupdateframework.com
Apache License 2.0

Implement Fuzzing #177

Open naveensrinivasan opened 2 years ago

naveensrinivasan commented 2 years ago

Implementing fuzzing will improve the security posture of this library. Integrating with oss-fuzz in particular is a great help in uncovering bugs.

Using https://github.com/dvyukov/go-fuzz is the unofficial standard for fuzzing Go libraries.

Why not use Go 1.18 fuzzing?

go-fuzz is compatible with libFuzzer, which is supported by oss-fuzz. Go 1.18 doesn't have support for external fuzzer formats yet.

rdimitrov commented 5 months ago

Related: https://github.com/rdimitrov/go-tuf-metadata/issues/12

MDr164 commented 4 months ago

Since this issue was opened in 2021, there have been updates to oss-fuzz to allow native Go fuzzing as well: https://google.github.io/oss-fuzz/getting-started/new-project-guide/go-lang/#native-go-fuzzing-support

So I would rather work on implementing that instead of pulling in a third-party lib for this.

While I am in favor of adding oss-fuzz support, I know that getting a project accepted will take a bit of time (went through this process with two other projects already). Therefore, I would first add support in general before extending CI to create long-running tests on oss-fuzz.
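
The harness shape discussed in this thread, as an added example that is not part of the issue or of go-tuf's code: a go-fuzz style `Fuzz(data []byte) int` entry point that checks a round-trip invariant. The `envelope` type and `parseEnvelope` function are hypothetical stand-ins modelled on TUF's `signed`/`signatures` metadata layout, and the seed input is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"reflect"
)

// envelope is a simplified stand-in for a TUF metadata file, not go-tuf's own type.
type envelope struct {
	Signatures []struct {
		KeyID string `json:"keyid"`
		Sig   string `json:"sig"`
	} `json:"signatures"`
	Signed struct {
		Type    string `json:"_type"`
		Version int64  `json:"version"`
	} `json:"signed"`
}

// parseEnvelope is the hypothetical code under test: decode, then basic validation.
func parseEnvelope(data []byte) (*envelope, error) {
	var e envelope
	if err := json.Unmarshal(data, &e); err != nil {
		return nil, err
	}
	if e.Signed.Type == "" || e.Signed.Version < 1 {
		return nil, fmt.Errorf("missing _type or version < 1")
	}
	return &e, nil
}

// Fuzz follows the go-fuzz convention: return 1 to prioritise an input, 0 otherwise.
func Fuzz(data []byte) int {
	e, err := parseEnvelope(data)
	if err != nil {
		return 0 // rejected input is fine; only a panic counts as a finding
	}
	// Invariant: anything the parser accepts must survive encode + re-parse unchanged.
	out, merr := json.Marshal(e)
	e2, perr := parseEnvelope(out)
	if merr != nil || perr != nil || !reflect.DeepEqual(e, e2) {
		panic("accepted input does not survive a round trip")
	}
	return 1
}

func main() {
	fmt.Println(Fuzz([]byte(`{"signed":{"_type":"root","version":1}}`))) // constructed seed
}
```

With native Go fuzzing the same body would instead be called from `f.Fuzz(func(t *testing.T, data []byte) { ... })` inside a `FuzzXxx(f *testing.F)` function in a `_test.go` file.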