Comments (4)
On a somewhat related note, once I unpin CFLite the "security posture" of systemd is going to get worse even more. it would be great if OSS-Fuzz/CIFuzz/CFLite can somehow affect the scorecard fuzzing check (which is totally bogus as this point: ossf/scorecard#1816 (comment)).
from clusterfuzzlite.
As mentioned in google/oss-fuzz#7206 (comment) I'm planning to unpin CFLite but looking at the action it appears for some reason it uses tags to download the docker images:
$ git grep v1 actions/ actions/build_fuzzers/action.yml: image: 'docker://gcr.io/oss-fuzz-base/clusterfuzzlite-build-fuzzers:v1' actions/run_fuzzers/action.yml: image: 'docker://gcr.io/oss-fuzz-base/clusterfuzzlite-run-fuzzers:v1'
The tags aren't exactly bogus. We're doing this in case we make breaking changes to the API in v2
from clusterfuzzlite.
On a somewhat related note, once I unpin CFLite the "security posture" of systemd is going to get worse even more. it would be great if OSS-Fuzz/CIFuzz/CFLite can somehow affect the scorecard fuzzing check (which is totally bogus as this point: ossf/scorecard#1816 (comment)).
I'm not happy about this situation either and i've complained to scorecards but it doesn't seem like they will budge. I agree I think pinning provides little security benefit, fuzzing (for C++) provides a big security benefit, so using CFLite without pinning makes a project more secure not less and that scorecards is wrong
from clusterfuzzlite.
The tags aren't exactly bogus. We're doing this in case we make breaking changes to the API in v2
Agreed. After a lengthy discussion in #96 I switched to the tags. For that to fully work https://github.com/google/clusterfuzzlite/releases/tag/v1 would have to be bumped automatically though. (@oliverchang bumped it yesterday manually)
using CFLite without pinning makes a project more secure not less and that scorecards is wrong
I have to admit I'm not even sure what scorecard
is trying to accomplish anymore with all those checks and a few new ones. I decided to just ignore it altogether.
from clusterfuzzlite.
Related Issues (20)
- Gitlab instructions do not just work. HOT 14
- Investigate providing reusable workflows for GitHub users
- build.sh example for go test -fuzz HOT 16
- Failing to build python project HOT 1
- run fuzzers with -jobs (or -workers?) for parallelism HOT 6
- ClusterfuzzLite does not check out submodules HOT 2
- Affordances for "local maxima" in coverage HOT 4
- Requesting addition of AFL++ Fuzzer Engine. HOT 5
- Document how to provide dictionaries and seed corpus to fuzzers HOT 6
- Empty Coverage Reports using ClusterFuzzLite with Prow and GO
- Allow to customize FUZZ_SECONDS option per target HOT 2
- Minimal gitlab configuration is failing to cp to default $OUT HOT 13
- Demo or sample project for Python? HOT 2
- Timeout in pruning job HOT 2
- Possible to continue fuzzing despite errors? HOT 2
- CFLite seems to fail to download the latest builds due to "Bad credentials" HOT 2
- Undefined references to C++ standard library symbols HOT 13
- Mention in docs that OSS-Fuzz has a lot of examples to learn from
- jazzer_driver not available in local infra/helper.py run_fuzzer command HOT 5
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from clusterfuzzlite.