Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Dear maintainers of Zoekt,
I am reaching out to you because I have worked on integrating continous fuzzing into your project by way of OSS-fuzz. Fuzzing is a popular technique that is used to identify security vulnerabilities and bugs in your project. Although fuzzing is mainly known for its effectivenes in low-level languages like C and C++, fuzzing Go code has proven fruitful recently and many other Go projects are already integrated into OSS-fuzz, some of which are Prometheus, Kubernetes, https://github.com/valyala/fasthttp, fastjson, grpc-gateway, TiDB.
The fuzzer in this PR is implemented by means of go-fuzz which provides a simple api and is the most popular fuzzer for Go at the moment.
Fuzzers implemented in go-fuzz can be run both locally or continuously through a platform like OSS-fuzz, which is a project run by Google that dedicates hardware to run fuzzers free of charge. While OSS-fuzz is a free service, it is offered with an implied expectation that bugs are fixed and when a bug is found by OSS-fuzz maintainers get sent a link to a detailed bug report by email and the bug report is private for 90 days after which it becomes public.
ADA Logics is a contributor of open source security and we have integrated dozens of projects into OSS-fuzz. The fuzzer in this PR is tested on OSS-fuzz's infrastructure and all I need from your side are the email addresses that should receive the bug reports and then I am happy to complete the integration to OSS-fuzz.
I have included steps to run the fuzzer locally as well. These are found in the file itself.
Kind regards
Adam