
⚠️ Remove OneFuzz from fuzzing checks #3666

Merged
merged 1 commit into from
Nov 13, 2023

Conversation

DavidKorczynski
Contributor

This is removed because OneFuzz has been archived https://github.com/microsoft/onefuzz

Note that OneFuzz is not deprecated but development of it in the open source has stopped. In that sense I think it's a position statement from Scorecard: the project can still be used for fuzzing but is no longer maintained, should it be recommended as a fuzzing set up or considered in the scoring process?

I set this as a breaking feature since it's removing a probe, but am not sure if this should be considered breaking as such.

What kind of change does this PR introduce?

(Is it a bug fix, feature, docs update, something else?)

What is the current behavior?

OneFuzz is recommended as a continuous fuzzing solution.

What is the new behavior (if this is a feature change)?

OneFuzz is not considered when recommending fuzzing.

  • Tests for the changes have been added (for bug fixes/features)

Which issue(s) this PR fixes

Fixes: #3662

Special notes for your reviewer

Does this PR introduce a user-facing change?

For user-facing changes, please add a concise, human-readable release note to
the release-note

(In particular, describe what changes users might need to make in their
application as a result of this pull request.)


This is removed because OneFuzz has been archived https://github.com/microsoft/onefuzz

Signed-off-by: David Korczynski <david@adalogics.com>

codecov bot commented Nov 11, 2023

Codecov Report

Merging #3666 (12a5dad) into main (934f170) will decrease coverage by 5.59%.
The diff coverage is n/a.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #3666      +/-   ##
==========================================
- Coverage   76.06%   70.48%   -5.59%     
==========================================
  Files         206      205       -1     
  Lines       14065    14032      -33     
==========================================
- Hits        10699     9890     -809     
- Misses       2733     3567     +834     
+ Partials      633      575      -58     

Member

@spencerschrock spencerschrock left a comment


> Note that OneFuzz is not deprecated but development of it in the open source has stopped. In that sense I think it's a position statement from Scorecard: the project can still be used for fuzzing but is no longer maintained, should it be recommended as a fuzzing set up or considered in the scoring process?

So previously we did something similar for Sonatype Lift (#3605), which was a managed service. When it was shutdown, the tool no longer worked. I'm curious if being self-hosted changes how we handle this in the future. For anyone currently using OneFuzz, they would continue to benefit from it since it's self-hosted.

From some quick searching, there don't seem to be any public repos which use this on GitHub so I don't think we have an issue here. Eventually we'll run into the issue of a deprecated probe that we still want to score, but don't want to recommend.
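The distinction raised above, between a fuzzer that should still earn the Fuzzing score and one that should still be recommended as remediation, can be modelled with a single flag on the check's table of known fuzzers. The following Go example is added here as an illustration; it is not Scorecard's code and not what this PR does (the PR removes the OneFuzz probe outright). The fuzzer names, the `Archived` flag, the `EvaluateFuzzing` function and the scoring rule (10 if any known fuzzer is present, else 0) are all assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
)

// Fuzzer is one continuous-fuzzing setup the check knows how to detect.
// The table below is constructed for this example; it is not Scorecard's own list.
type Fuzzer struct {
	Name     string
	Archived bool // upstream development has stopped; still usable when self-hosted
}

var knownFuzzers = []Fuzzer{
	{Name: "OSSFuzz"},
	{Name: "ClusterFuzzLite"},
	{Name: "GoNativeFuzzing"},
	{Name: "OneFuzz", Archived: true}, // archived upstream in 2023
}

// Result is the check outcome for one repository.
type Result struct {
	Score        int      // 10 when any known fuzzer is detected, otherwise 0
	Detected     []string // known fuzzers present, archived ones included (still credited)
	Unmaintained []string // detected fuzzers that are archived upstream, surfaced as a warning
	Recommended  []string // fuzzers offered as remediation when nothing is detected
}

// EvaluateFuzzing applies a "score it, but don't recommend it" policy:
// an archived fuzzer still earns the score because a self-hosted setup keeps
// working, but it is never offered as remediation and is flagged as unmaintained.
// present maps fuzzer names to whether the repository uses them; names that
// are not in knownFuzzers are ignored.
func EvaluateFuzzing(present map[string]bool) Result {
	var r Result
	for _, f := range knownFuzzers {
		if present[f.Name] {
			r.Detected = append(r.Detected, f.Name)
			if f.Archived {
				r.Unmaintained = append(r.Unmaintained, f.Name)
			}
		}
	}
	if len(r.Detected) > 0 {
		r.Score = 10
		return r
	}
	// Nothing detected: recommend only fuzzers that are still maintained.
	for _, f := range knownFuzzers {
		if !f.Archived {
			r.Recommended = append(r.Recommended, f.Name)
		}
	}
	sort.Strings(r.Recommended)
	return r
}

func main() {
	// Constructed inputs: a repo that only runs the archived fuzzer,
	// and a repo with no fuzzing at all.
	for _, repo := range []map[string]bool{
		{"OneFuzz": true},
		{},
	} {
		r := EvaluateFuzzing(repo)
		fmt.Printf("score=%d detected=%v unmaintained=%v recommended=%v\n",
			r.Score, r.Detected, r.Unmaintained, r.Recommended)
	}
}
```

With this shape, retiring a tool is a one-field change rather than deleting the probe, and existing users keep their score while the remediation text stops pointing new users at an unmaintained project.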

@spencerschrock spencerschrock merged commit 87c2d3c into ossf:main Nov 13, 2023
41 checks passed
Successfully merging this pull request may close these issues.

Remove OneFuzz from Fuzzing Checks Remediation