370fb73473
Important functional changes involve mostly improvements to the command line scripts (this doesn't affect the build infra, only local use):

1. Make sure scripts use the same builder as builds requested by infra, otherwise builds will be very slow and will fail for larger projects.
2. Allow users to specify --test-images to use base images with suffix "-testing".
3. Allow script users to specify --parallel for parallel builds.
4. Allow script users to specify --testing so that builds are uploaded to testing buckets.
5. Allow script users to specify --branch so that builds use specified branch instead of master.
6. Clone oss-fuzz with depth 1 for improved speed and space usage.
7. Use logging instead of writing to stderr or print.
8. Allow scripts to accept multiple projects.
9. Allow script to keep executing after failure to get build steps.
10. Change scripts to use python3.
11. Tag more so builds are easier to query.
12. Log the gcb page for each build.

Other changes include major refactoring:

1. Don't construct image names from scratch using format strings each time they are used. Provide a helper function for this.
2. Provide a helper function, get_env instead of constructing the env from scratch each time.
3. Move compile step into its own function: get_compile_step.
4. Move upload steps into their own helper function get_upload_steps.
5. Don't misuse the name image_project when we really mean cloud project.
6. Move cleanup step into its own helper function: get_cleanup_step.
7. Exit with returncode of main function from build_project.
8. Add unittests for build_project.
9. Make request_build share run_build code with build_project.
10. Use proper spacing in comments.
11. Test builds other than libfuzzer-ASAN-x86_64. Test other sanitizers, fuzzers and architectures.
12. Make build_and_run_coverage share more code with build_project.
13. Move tests for build_and_run_coverage_test.py out of requst_coverage_test.py into their own file.
14. Use single quotes for strings.
15. Store state for a build in Build object instead of passing it everywhere.
16. Don't abuse project_yaml dict for storing project state. Use a Project object instead.
17. Better variable naming.
18. Use more classes instead of passing around arguments.
19. Use more f-strings.
20. Make scripts share main function.
21. Begin comments with uppercase and end with period.
22. Don't import functions or classes as dictated by style guide.
23. Share more test code in test_utils.

Related: #6180.
OSS-Fuzz: Continuous Fuzzing for Open Source Software
Fuzz testing is a well-known technique for uncovering programming errors in software. Many of these detectable errors, like buffer overflow, can have serious security implications. Google has found thousands of security vulnerabilities and stability bugs by deploying guided in-process fuzzing of Chrome components, and we now want to share that service with the open source community.
In cooperation with the Core Infrastructure Initiative and the OpenSSF, OSS-Fuzz aims to make common open source software more secure and stable by combining modern fuzzing techniques with scalable, distributed execution.
We support the libFuzzer, AFL++, and Honggfuzz fuzzing engines in combination with Sanitizers, as well as ClusterFuzz, a distributed fuzzer execution environment and reporting tool.
Currently, OSS-Fuzz supports C/C++, Rust, Go, Python and Java/JVM code. Other languages supported by LLVM may work too. OSS-Fuzz supports fuzzing x86_64 and i386 builds.
Overview
Documentation
Read our detailed documentation to learn how to use OSS-Fuzz.
Trophies
As of June 2021, OSS-Fuzz has found over 30,000 bugs in 500 open source projects.
Blog posts
- 2016-12-01 - Announcing OSS-Fuzz: Continuous fuzzing for open source software
- 2017-05-08 - OSS-Fuzz: Five months later, and rewarding projects
- 2018-11-06 - A New Chapter for OSS-Fuzz
- 2020-10-09 - Fuzzing internships for Open Source Software
- 2020-12-07 - Improving open source security during the Google summer internship program