Integrate into Google OSS Fuzz #149
Comments
Interesting. What would that mean? I’m sure @ChristianMurphy has thoughts on this
It doesn't mean much for this repository itself - unless CIFuzz is integrated. Plus, if either you or @ChristianMurphy also wants to do this, OSS Fuzz also offers monetary rewards for projects integrated into the platform.
I'm all for fuzzing, we already have an initial fuzz integration https://github.com/wooorm/markdown-rs/tree/main/fuzz I do have some mild concerns over https://google.github.io/oss-fuzz/advanced-topics/bug-fixing-guidance#should-all-reported-issues-be-solved
I read this as OSS Fuzz expects everything that is found to either be fixed, or for the fuzzer to be patched to avoid it. Either done promptly.
Sort of, they only pay in certain circumstances
https://bughunters.google.com/about/rules/open-source/5097259337383936/oss-fuzz-reward-program-rules
I see—those points especially make sense. I am especially surprised by
That is a question for ossf.
[{
  "collection_date": "2024-09-18 12:15:07.243799 UTC",
  "default_score": "0.43774",
  "depsdev": {
    "dependent_count": "22"
  },
  "legacy": {
    "closed_issues_count": "20",
    "commit_frequency": "0.56",
    "contributor_count": "16",
    "created_since": "27",
    "github_mention_count": "86",
    "issue_comment_frequency": "4.0",
    "org_count": "7",
    "recent_release_count": "6",
    "updated_issues_count": "27",
    "updated_since": "0"
  },
  "repo": {
    "url": "https://github.com/wooorm/markdown-rs",
    "created_at": "2022-06-08 13:52:16.000000 UTC",
    "updated_at": "2024-09-19 09:23:50.000000 UTC",
    "star_count": "905",
    "license": "MIT License",
    "language": "Rust"
  },
  "worker_commit_id": "e8e782083145e40b4f285717048378ef9b1a079c"
}]
They throw this info through the formula:
https://crates.io/crates/markdown/reverse_dependencies reports 84+ just from public projects.
Interesting - I'm opening an issue for
OSS Fuzz keeps a backlog of bugs - it doesn't expect maintainers to fix them, but they exist - some projects choose to simply ignore them until they have the time. They do hold a single expectation that vulnerabilities are fixed; though, I will close this issue as the criticality score is much too low compared to other markdown/commonmark rust libraries.
That could work!
If they'll accept a PR, I think we'd be happy to have the additional fuzzing resources.
I'll open a PR then and link it to this issue!
This project uses libfuzzer, which is compatible with Google OSS Fuzz. Integration with this would allow markdown-rs to be constantly fuzzed. I would be open to working on this issue.