Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

initial fuzzing support #4037

Open
wants to merge 1 commit into
base: develop
Choose a base branch
from

Conversation

Shivam7-1
Copy link

@Shivam7-1 Shivam7-1 commented Dec 23, 2024

Introducing initial fuzzing support for scancode-toolkit to identify and address potential bugs. As it have so many users

Upon merging this, I will create a pull request in the OSS-Fuzz repository to initiate fuzzing for this library using Google's infrastructure. Any detected issues will be communicated to the maintainers of scancode-toolkit.

Could you also Please review the OSS-Fuzz documentation and Bug Disclosure Guidelines before merging.

Thanks

Tasks

  • Reviewed contribution guidelines
  • PR is descriptively titled 📑 and links the original issue above 🔗
  • Tests pass -- look for a green checkbox ✔️ a few minutes after opening your PR
    Run tests locally to check for errors.
  • Commits are in uniquely-named feature branch and has no merge conflicts 📁
  • Updated documentation pages (if applicable)
  • Updated CHANGELOG.rst (if applicable)

@Shivam7-1
Copy link
Author

Hii @AyanSinhaMahapatra Could You please Review This PR
And let me know your Thoughts
Can I proceed with this?
Thanks

@pombredanne
Copy link
Member

@Shivam7-1 Thank you for this!

  1. Can you explain your goals? Ideally in an issue, rather than just a PR

  2. Can you explain what your code is doing? What is atheris? Who is maintaining it? Is this safe code? Why do you need this?

  3. Some of the more interesting parts of license detection relies on native code and not only Python code. Would this be something we need to fuzz separately?

  4. In all cases, submitting to OSS Fuzz should be the privilege of AboutCode maintainers, not yours, until we get to know you ;)

FWIW, https://en.wikipedia.org/wiki/XZ_Utils_backdoor involved submission to OSS Fuzz and malevolent code fixes that involved bypassing fuzzing failures, as explained in https://arxiv.org/html/2404.08987v1

In March 2023, the primary contact mail for a component in the testing infrastructure, Google OSS-Fuzz, was changed from lasse.collin@tukaani.org to jiat0218@gmail.com by opening a merge request on oss-fuzz. That change of contact was manually approved by Lasse Collin as the original maintainer, confirming that Jia Tan is an official co-maintainer of the XZ project (JiaT75, 2023c). After some months, a new contributor called “Hans Jansen” provided patches to the XZ Utils project that use the GNU indirect function (IFUNC) feature (Jansen, 2023b, a). After some reworks and discussions, Jia Tan merged that functionality to the repository. Only later, it turned out, that these patches are essential for the attack because using the IFUNC feature is the function hooking mechanism eventually used by the backdoor code. However, the use of IFUNC cannot be fuzzed by OSS-Fuzz, due to compatibility issues. As a consequence, Jia Tan opened a pull request (JiaT75, 2023a) with the OSS-Fuzz project, to disable IFUNC for the fuzzed XZ Utils build. The OSS-Fuzz repository incorporates a GitHub-action to automatically label pull requests as “ready to merge” if they originate from the maintainer of a fuzzed project by verifying that the committer has a contribution history for that project and is one of the responsible project contacts. As both applied to Jia Tan, the pull request was labeled as ready to merge by the bot, and then quickly approved and merged into OSS-Fuzz.

@pombredanne
Copy link
Member

You should start by fixing your DCO and displaying proper personal details on your account.
I also find your streak of OSS Fuzz PRs suspect in the light of the comments above at https://github.com/google/oss-fuzz/pulls?q=is%3Apr+Shivam7-1

You may have all the good intentions, but I cannot tell. I can see that @DavidKorczynski did close several of these. I think that if you are trying to do good, you must revise your approach and stop doing these PRs, and instead engage with each community first.

@oliverchang FYI.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants