Added fuzzer #1097
Looking at other projects, I believe this should be just a file with a build tag in the main package. See e.g. https://github.com/golang/go/blob/4ad13555184eb0697c2e92c64c1b0bdb287ccc10/src/html/fuzz.go I'm also not sure how much sense it makes to fuzz
Sure, this should not be a problem to amend.
Fair enough, although parsers do cause crashes. This writeup and this as well provide some examples of that.
Yes, this can be added. I can confirm that the fuzzers are running fine on oss-fuzz's infrastructure without it.
Ok sure, we have to start somewhere.
LGTM. Thanks!
Shall I set up continuous fuzzing for mysql through oss-fuzz as well? I have the fuzzer running on their infrastructure, and I will be happy to set it up.
We would definitely appreciate it. I just noticed that you didn't indicate who the copyright holder is (a simple comment is enough) or make an addition to the AUTHORS file. Could you please also do that?
Sure, I will get it added. Could you provide me with an email address for potential bug reports? |
@julienschmidt On the question of the copyright holder, will the existing header not suffice? Lines 1 to 9 in 128a673 |
@julienschmidt Kind ping regarding the email addresses for bug reports |
@AdamKorcz there is no common address, afaik. Can you create issues instead? Fuzzing results should (famous last words) not be security critical, the driver is as memory safe as Go is. Reports can be public ... unless a more active maintainer disagrees.
@arnehormann We can add any number of maintainers' email addresses to the list of bug reports - it doesn't have to be a single email address.
The fuzzer targets the `Open` function, which can be run locally as well as through oss-fuzz's infrastructure.
This PR adds a fuzzer in an added `/fuzzing` directory. The fuzzer targets the `Open` function. The fuzzer can be run locally, and I also managed to run it through oss-fuzz's infrastructure. I suggest integrating Go-MySQL-Driver into oss-fuzz. oss-fuzz will run the fuzzers continuously on their platform, and if a bug is encountered, a report will be sent to the maintainers on the contact list. It is a free service that is offered with an expectation that bugs are fixed, so that the fuzzers can keep running and check for other bugs.
The current fuzzer is a good starting point. I would like to write more fuzzers for Go-MySQL-Driver to progressively increase code coverage and optimize their effectiveness.
If there is interest in integrating with oss-fuzz, I will be happy to do that. All I need are the email addresses to add to the contact list. Please note that this list will be public and can be modified at any time.
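The harness shape discussed in this thread, as an added example that is not the PR's code: a go-fuzz style `Fuzz` entry point that hands raw input to `sql.Open`. `stubDriver` and its toy DSN grammar are hypothetical stand-ins for the real driver so the block runs without dependencies; in a repository the file would sit in the driver's own package behind a `gofuzz` build tag, as the review comment suggests.

```go
package main

import (
	"context"
	"database/sql"
	"database/sql/driver"
	"errors"
	"fmt"
	"strings"
)

// stubDriver is a hypothetical stand-in for a real driver; it never dials.
type stubDriver struct{}
type stubConnector struct{ d driver.Driver }

var errNoNet = errors.New("stub: no network")

func (c stubConnector) Connect(context.Context) (driver.Conn, error) { return nil, errNoNet }
func (c stubConnector) Driver() driver.Driver                        { return c.d }
func (d stubDriver) Open(string) (driver.Conn, error)                { return nil, errNoNet }

// OpenConnector makes stubDriver a driver.DriverContext. database/sql only
// hands the DSN to the driver inside sql.Open when this method exists;
// without it, sql.Open returns before any driver code sees the input.
func (d stubDriver) OpenConnector(dsn string) (driver.Connector, error) {
	// Toy grammar (constructed for this example): user[:password]@host/dbname
	at, slash := strings.LastIndex(dsn, "@"), strings.LastIndex(dsn, "/")
	if at < 1 || slash < at+2 {
		return nil, fmt.Errorf("invalid DSN %q", dsn)
	}
	return stubConnector{d}, nil
}

func init() { sql.Register("stub", stubDriver{}) }

// Fuzz follows the go-fuzz return convention: 1 raises the priority of an
// input (here: it parsed), 0 is neutral. A panic anywhere below is the finding.
func Fuzz(data []byte) int {
	db, err := sql.Open("stub", string(data))
	if err != nil {
		return 0
	}
	db.Close() // stop the pool's background goroutine between iterations
	return 1
}

func main() {
	for _, in := range []string{"root:pw@tcp(127.0.0.1:3306)/test", "garbage"} {
		fmt.Printf("%q -> %d\n", in, Fuzz([]byte(in)))
	}
}
```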