You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I was wondering if you would be interested in continuous fuzz testing for this project via an integration with OSS-Fuzz. I've been contributing to OSS-Fuzz integrated projects recently1 as a means to learn more about fuzzing, and to give some meaningful value back to the open source community that's enabled me over the years, and I thought feedparser could benefit from such an integration.
About OSS-Fuzz
OSS-Fuzz is a free service run by Google that performs continuous fuzzing of important open source projects to automate test-case generation and identify bugs that are difficult to find via traditional unit tests.
Fuzz testing is a well-known technique for uncovering programming errors in software. Many of these detectable errors, like buffer overflow, can have serious security implications. Google has found thousands of security vulnerabilities and stability bugs by deploying guided in-process fuzzing of Chrome components, and we now want to share that service with the open source community.
In cooperation with the Core Infrastructure Initiative and the OpenSSF, OSS-Fuzz aims to make common open source software more secure and stable by combining modern fuzzing techniques with scalable, distributed execution.
What Happens When OSS-Fuzz Finds a Bug
Because the nature of OSS-Fuzz as a security tool, bugs identified by fuzzing are reported privately on an issue tracker that requires a Gmail account to access.
The issue tracker has a 90-day disclosure policy so project maintainers (or anyone else that maintainers wish to add to the access allow list) can evaluate the impact of the bug before it becomes public.
Next Steps if You Are Interested
I am happy to set up the integration and contribute as much or as little to it's maintenance as you would find helpful.
An integration requires:
1. A PR on the OSS-Fuzz repo proposing the project with a comment from a maintainer approving it.
This would add some config files (see the GitPython files for reference) and request the OSS-Fuzz maintainers at Google to consider feedparser for integration. Given this project is a parser with a large footprint in the Python community, I'd expect the approval to be smooth, but if you happen to know of some high profile or popular projects that depend on feedparser, that would help inform their review.
2. A PR adding fuzz tests and some setup scripts used by OSS-Fuzz in this repo.
Hi,
I was wondering if you would be interested in continuous fuzz testing for this project via an integration with OSS-Fuzz. I've been contributing to OSS-Fuzz integrated projects recently1 as a means to learn more about fuzzing, and to give some meaningful value back to the open source community that's enabled me over the years, and I thought feedparser could benefit from such an integration.
About OSS-Fuzz
OSS-Fuzz is a free service run by Google that performs continuous fuzzing of important open source projects to automate test-case generation and identify bugs that are difficult to find via traditional unit tests.
From the OSS-Fuzz project's README:
What Happens When OSS-Fuzz Finds a Bug
Because the nature of OSS-Fuzz as a security tool, bugs identified by fuzzing are reported privately on an issue tracker that requires a Gmail account to access.
The issue tracker has a 90-day disclosure policy so project maintainers (or anyone else that maintainers wish to add to the access allow list) can evaluate the impact of the bug before it becomes public.
Next Steps if You Are Interested
I am happy to set up the integration and contribute as much or as little to it's maintenance as you would find helpful.
An integration requires:
1. A PR on the OSS-Fuzz repo proposing the project with a comment from a maintainer approving it.
This would add some config files (see the GitPython files for reference) and request the OSS-Fuzz maintainers at Google to consider feedparser for integration. Given this project is a parser with a large footprint in the Python community, I'd expect the approval to be smooth, but if you happen to know of some high profile or popular projects that depend on feedparser, that would help inform their review.
2. A PR adding fuzz tests and some setup scripts used by OSS-Fuzz in this repo.
I have already experimented with the setup in a fork prior to opening this issue, so you can see the changes to this repo that I'd propose via PR here: develop...DaveLak:feedparser:oss-fuzz-initial-integration
Thanks for reading! Let me know if there is anything I can clarify!
Footnotes
See the commit history of the files in GitPython's
fuzzing/directory for a detailed log: https://github.com/gitpython-developers/GitPython/tree/5f267792b7983bd85f4a4f6299b9d795516d0892/fuzzing ↩The text was updated successfully, but these errors were encountered: