Skip to content

Add fuzzing #819

Description

@spoorcc

See google/clusterfuzzlite#128

From ossf scorecard:

  • Integrate the project with OSS-Fuzz by following the instructions here.

Risk: Medium (possible vulnerabilities in code)

This check tries to determine if the project uses fuzzing by checking:

  • if the repository name is included in the OSS-Fuzz project list;
  • if ClusterFuzzLite is deployed in the repository;
  • if there are user-defined language-specified fuzzing functions in the repository.
    • currently only supports Go fuzzing,
    • a limited set of property-based testing libraries for Haskell including QuickCheck, Hedgehog, validity or SmallCheck,
    • a limited set of property-based testing libraries for JavaScript and TypeScript including fast-check.
    • a limited set of property-based testing libraries for Erlang, including proper and quickcheck.

Fuzzing, or fuzz testing, is the practice of feeding unexpected or random data into a program to expose bugs. Regular fuzzing is important to detect vulnerabilities that may be exploited by others, especially since attackers can also use fuzzing to find the same flaws.

Note

A project that fulfills this criterion with other tools may still receive a low score on this test. There are many ways to implement fuzzing, and it is challenging for an automated tool like Scorecard to detect them all. A low score
is therefore not a definitive indication that the project is at risk.

Metadata

Metadata

Assignees

No one assigned

    Labels

    testingSomething wrong with tests

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions