Apply to/make use of Google's OSS-Fuzz (Fuzz testing/Sanitizers) #10360

Open
necros2k7 opened this issue Mar 9, 2019 · 14 comments
Labels
Code cleanup Clean up the code while preserving the same outcome Feature request Project management

Comments

necros2k7 commented Mar 9, 2019

OSS-Fuzz: Continuous Fuzzing for Open Source Software

Apply to https://google.github.io/oss-fuzz/getting-started/accepting-new-projects/

Fuzz testing


Fuzz testing is a well-known technique for uncovering programming errors in software. Many of these detectable errors, like buffer overflow, can have serious security implications. Google has found thousands of security vulnerabilities and stability bugs by deploying guided in-process fuzzing of Chrome components, and we now want to share that service with the open source community.

In cooperation with the Core Infrastructure Initiative and the OpenSSF, OSS-Fuzz aims to make common open source software more secure and stable by combining modern fuzzing techniques with scalable, distributed execution.

We support the libFuzzer, AFL++, and Honggfuzz fuzzing engines in combination with Sanitizers, as well as ClusterFuzz, a distributed fuzzer execution environment and reporting tool.

Currently, OSS-Fuzz supports C/C++, Rust, Go and Python code. Other languages supported by LLVM may work too. OSS-Fuzz supports fuzzing x86_64 and i386 builds.


Ref: https://github.com/google/oss-fuzz

Sanitizers


This project is the home for Sanitizers: AddressSanitizer, MemorySanitizer, ThreadSanitizer, LeakSanitizer, and more. The actual code resides in the LLVM repository. Here we keep extended documentation, bugfixes and some helper code.

The documentation for our tools:

AddressSanitizer (detects addressability issues) and LeakSanitizer (detects memory leaks)
ThreadSanitizer (detects data races and deadlocks) for C++ and Go
MemorySanitizer (detects use of uninitialized memory)
HWASAN, or Hardware-assisted AddressSanitizer, a newer variant of AddressSanitizer that consumes much less memory
UBSan, or UndefinedBehaviorSanitizer


Ref: https://github.com/google/sanitizers
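What an OSS-Fuzz integration would actually ship for a project like this, as an added example that is not qBittorrent's, libtorrent's or OSS-Fuzz's own code: a libFuzzer target (the harness form OSS-Fuzz builds with the sanitizers listed above) wrapping a small bounds-checked length-prefixed string decoder; the decoder, its name and the build flags in the comment are assumptions for illustration.

```cpp
// Added example (not qBittorrent or OSS-Fuzz code): a libFuzzer target for a
// tiny bencode-style string decoder ("4:spam" -> "spam"). Build it with clang
// and the fuzzer + sanitizer instrumentation the README quoted above refers to:
//   clang++ -g -O1 -fsanitize=fuzzer,address,undefined harness.cpp -o harness
// then run ./harness to start fuzzing. Without -fsanitize=fuzzer this is an
// ordinary translation unit, so the decoder can also be unit-tested directly.
#include <cstddef>
#include <cstdint>
#include <string>

// Decode one length-prefixed string, <decimal length>':'<bytes>, into `out`.
// Every read is bounds-checked against `size`; the value of the harness is
// that if a check were missing, AddressSanitizer would flag the out-of-bounds
// read on the first fuzzer input that reaches it.
bool decodeBencodeString(const uint8_t* data, size_t size, std::string& out) {
    size_t pos = 0;
    size_t len = 0;
    // Parse the decimal length; refuse values that would overflow size_t so a
    // hostile prefix cannot wrap `len` around into a small number.
    while (pos < size && data[pos] >= '0' && data[pos] <= '9') {
        if (len > (SIZE_MAX - 9) / 10) return false;
        len = len * 10 + static_cast<size_t>(data[pos] - '0');
        ++pos;
    }
    if (pos == 0 || pos >= size || data[pos] != ':') return false;  // no length or no ':'
    ++pos;
    if (len > size - pos) return false;  // payload truncated
    out.assign(reinterpret_cast<const char*>(data) + pos, len);
    return true;
}

// libFuzzer entry point: the engine calls this with mutated inputs, and any
// crash, sanitizer report or timeout is recorded as a finding.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
    std::string decoded;
    if (decodeBencodeString(data, size, decoded) && !decoded.empty()) {
        volatile char first = decoded[0];  // keep the result observable
        (void)first;
    }
    return 0;  // non-zero return values are reserved by libFuzzer
}
```

An OSS-Fuzz project directory would add a Dockerfile, a build.sh that compiles such targets with the engine's $CXXFLAGS, and a project.yaml; those are project-specific and not shown here.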

sledgehammer999 changed the title from "[Wishlist] Multiple wishes" to "Multiple wishes" on May 18, 2020

xavier2k6 (Member) commented

@necros2k7 We really only allow one issue/request..... (I should close it, but.......)

Appveyor/Travis daily build in Releases tab

Elaborate on this. Do the GHA builds not suffice for you?

Update to: libtorrent 2.0.1

WIP

OpenSSL 3

This is still in "ALPHA" Stage.

Apply to https://github.com/google/oss-fuzz

Unsure if this is required/needed.

@thalieht @FranciscoPombal thoughts?

necros2k7 changed the title from "Multiple wishes" to "Multiple feat.req." on Mar 17, 2021

necros2k7 (Author) commented

What are GHA builds?

sakkamade commented

necros2k7 (Author) commented

Github Actions
https://github.com/qbittorrent/qBittorrent/actions

Can you point to the actual latest binary?

thalieht (Contributor) commented

Can you point to the actual latest binary?

In that list, which is sorted by time, if the middle column says "master" (or the first column starts with "Merged pull request...") that is the latest change that was accepted and merged in the master branch (which contains all changes since the last release). Every change comes in pairs of two lines. Pick the one that doesn't mention "file health", go down to "Artifacts" and download what you want.

xavier2k6 (Member) commented Mar 17, 2021

Can you point to the actual latest binary?

In that list, which is sorted by time, if the middle column says "master" (or the first column starts with "Merged pull request...") that is the latest change that was accepted and merged in the master branch (which contains all changes since the last release). Every change comes in pairs of two lines. Pick the one that doesn't mention "file health", go down to "Artifacts" and download what you want.

Simply get the newest/latest "master" that will always appear at the top of this list from below link (this excludes the "file health"):
https://github.com/qbittorrent/qBittorrent/actions/workflows/ci.yaml?query=branch%3Amaster

  • Click the newest/latest "Merge pull request #..... from"
  • Scroll down to Artifacts
  • Click on relevant named file for "Your OS" e.g. if running windows -> qBittorrent-CI_Windows-x64

xavier2k6 (Member) commented

@necros2k7 This should basically cover all from #10360 (comment) except for the OSS-Fuzz request.

The OSS-Fuzz request is legitimate enough & I would probably suggest to create a "new issue" for that & close this if you are satisfied that your previous needs have been fulfilled?!

@thalieht If necros2k7 creates a "new issue" for the OSS-Fuzz request we could potentially close #5449 in favour of it?

thalieht (Contributor) commented Mar 17, 2021

@thalieht If necros2k7 creates a "new issue" for the OSS-Fuzz request we could potentially close #5449 in favour of it?

I don't know, are they the same thing?

necros2k7 (Author) commented

@necros2k7 This should basically cover all from #10360 (comment) except for the OSS-Fuzz request.

The OSS-Fuzz request is legitimate enough & I would probably suggest to create a "new issue" for that & close this if you are satisfied that your previous needs have been fulfilled?!

@thalieht If necros2k7 creates a "new issue" for the OSS-Fuzz request we could potentially close #5449 in favour of it?

Last time I posted a feat.req. for OSS-Fuzz on some of my favorite projects, GitHub tried to ban me for spam, and during the week I explained to tech support what I meant, so sorry, I can't make a new issue. If anyone likes, please do.

necros2k7 (Author) commented Mar 17, 2021

@thalieht If necros2k7 creates a "new issue" for the OSS-Fuzz request we could potentially close #5449 in favour of it?

I don't know, are they the same thing?

OSS-Fuzz is a free service as I understand it and AFL is an app, so maybe it can be beneficial to merge these two into a single issue named something like "Fuzzing".

necros2k7 changed the title from "Multiple feat.req." to "Fuzzing" on Mar 17, 2021

xavier2k6 (Member) commented

@thalieht

I don't know, are they the same thing?

OSS-Fuzz currently uses AFL but is replacing it with/integrating AFL++.

Ref.:
Integrate afl++ with OSS-Fuzz, deprecate vanilla afl.

thalieht (Contributor) commented

Guess we can close the other issue then.

xavier2k6 changed the title from "Fuzzing" to "Fuzz testing - Apply to/make use of Google's OSS-Fuzz: Continuous Fuzzing for Open Source Software" on Mar 18, 2021
xavier2k6 added the label "Code cleanup" (Clean up the code while preserving the same outcome) on Mar 18, 2021

necros2k7 (Author) commented

So I guess there is no need for OSS-Fuzz? Just a correct AFL++ setup?

xavier2k6 (Member) commented

So I guess there is no need for OSS-Fuzz? Just a correct AFL++ setup?

I believe there is a need for it or to at least implement our own parts of what is on offer......

OSS-Fuzz also includes sanitizers (AddressSanitizer, MemorySanitizer, ThreadSanitizer, LeakSanitizer), so I think overall this would be a good idea to look into more thoroughly indeed.

xavier2k6 changed the title from "Fuzz testing - Apply to/make use of Google's OSS-Fuzz: Continuous Fuzzing for Open Source Software" to "Apply to/make use of Google's OSS-Fuzz (Fuzz testing/Sanitizers)" on Mar 19, 2021