Add ClusterfuzzLite #709
Add ClusterfuzzLite #709
Conversation
Signed-off-by: AdamKorcz <[email protected]>
github-actions
bot
added
area/schema
|
CLA Assistant Lite bot All contributors have signed the CLA ✍️ ✅ |
|
I have read the CLA Document and I hereby sign the CLA |
|
Hello there! Fuzzing is definitely something we'd like to add to our test suites. Google's ClusterfuzzLite looks pretty useful -- I like how containerd is leveraging it in their workflows as it doesn't introduce any new files into their repository. What is the advantage to using the AdaLogistics library over the built-in functionality in Go 1.18? |
The go-fuzz-headers library offers a number of useful features for fuzzing, but these do not conflict with the Go 1.18 fuzzing engine. If you would prefer to have a Go 1.18 fuzzer, I can rewrite it. |
|
I think using the Go 1.18 fuzzing is best until we can justify adding the dependency. I also took a look at Prometheus's usage of ClusterFuzz and it looks really good. |
|
@AdamKorcz any updates here? |
Sorry for the delay. I will look into changing the fuzzers to the 1.18 engine when I get a moment. Thanks for the ping! |
|
hey @AdamKorcz, thanks again for your contribution! we thought it would be good to get this over the finish line so I started investigating how it works in #830. We thought it would be a good idea to submit our project to ClusterFuzzLite docs indicate it is based on OSS-fuzz framework, but only supports EDIT: I found google/clusterfuzzlite#102, I think I can work with your submission and adjust it to use the native fuzzer I wrote in #830 |
|
OSS-Fuzz integration would be great.
I assume you mean in OSS-Fuzz? The answer is yes. |
|
@AdamKorcz I actually meant OssFuzzLite. The reason I ask is that I have doubts oss-fuzz will accept our submission in a promptly manner. There are 210 open PRs in the repository, so running ClusterFuzzLite ourselves in our CI pipeline would allow us to iterate faster. Thoughts? |
What is OssFuzzLite?
The OSS-Fuzz project should review the submission fairly fast. Your PR will not be 211 in line. However, do note that OSS-Fuzz will only accept the integration in case SpiceDB can disclosure a critical user base (companies, other open source projects etc) |
whoops meant ClusterFuzzLite
Understood! I think we can get started with ClusterFuzzLite using native go fuzzing, and once we have the submission ready we can move to oss-fuzz if we get accepted Thanks a ton! |
whoops meant ClusterFuzzLite, ah I see. Yes, |
|
@AdamKorcz My PR #830 seems to be finally running CFL (added you as co-author 😄 ), although it's running out of memory. Any advice on how to tune it to work with the resources available in Actions runners? Feel free to close this one! |
|
@AdamKorcz ping on this |
|
Closing; feel free to reopen if necessary |
This PR adds ClusterfuzzLite to the CI.
CFLite will run the fuzzer in this PR - as well as other fuzzers that get added - in the CI when a new PR is made.