Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Testing: Introduced continuous fuzzing #3031

Merged
merged 1 commit into from
Dec 4, 2020
Merged

Testing: Introduced continuous fuzzing #3031

merged 1 commit into from
Dec 4, 2020

Conversation

AdamKorcz
Copy link
Contributor

What this PR does / why we need it:
This PR introduces fuzzing for Loki. Fuzzing is a way of testing applications whereby pseudo-random data is passed to a target function with the goal of finding bugs and vulnerabilities. The fuzzer in this PR is implemented with the go-fuzz fuzzing engine.

I have worked on setting continuous fuzzing up for these two fuzzers which will allow them to run for longer and find harder-to-find bugs as well. I will shortly set up the integration for Loki on OSS-fuzz, and upon merging the fuzzer here, it will be able to run continuously through OSS-fuzz. OSS-fuzz is a free service for open source projects, and if/when bugs are found, maintainers get notified with an email containing a link to a detailed bug report with stacktrace and reproducer test-case. While it is a free service it is offered with an implied expectation that bugs are fixed, so that the resources spent on fuzzing Loki go towards resolving bugs in the codebase.

All that is needed to setup continuous fuzzing would be at least one maintainer email address.

For some examples of previous bugs found from fuzzing Golang projects I recommend checking out the trophy list on the go-fuzz repository: https://github.com/dvyukov/go-fuzz#trophies

@CLAassistant
Copy link

CLAassistant commented Dec 3, 2020
edited
Loading

CLA assistant check
All committers have signed the CLA.

@AdamKorcz AdamKorcz mentioned this pull request Dec 3, 2020
Merged
@AdamKorcz
Copy link
Contributor Author

I have set up the integration for this fuzzer to be run continuously through OSS-fuzz here: google/oss-fuzz#4777

Once integrated, OSS-fuzz will run the fuzzer continuously and notify maintainers if bugs are found. Notifications will include detailed reports with reproducer-testcases and stacktraces. Maintainers also have access to statistics of fuzz runs and the effectiveness of the fuzzer (execution speed, OOM's, Timeouts etc).

@cyriltovena
Copy link
Contributor

How do we get notified exactly ?

@AdamKorcz
Copy link
Contributor Author

How do we get notified exactly ?

When a bug is found, an email is sent out to all maintainers with a link to the report. All previous reports are available when logging into the dashboard as well.

cyriltovena
cyriltovena approved these changes Dec 4, 2020
View reviewed changes
Copy link
Contributor

@cyriltovena cyriltovena left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM Thanks you !

@cyriltovena cyriltovena merged commit a3ae2f0 into grafana:master Dec 4, 2020
@AdamKorcz
Copy link
Contributor Author

Perfect. As mentioned, to complete the integration on the OSS-fuzz side, at least one maintainers email address is needed in the project.yaml file over there. Would you be able to leave an email in a comment?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cyriltovena cyriltovena cyriltovena approved these changes

Assignees
No one assigned
Labels
size/S
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@AdamKorcz @CLAassistant @cyriltovena