Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add fuzzing audit report for Collector #2432

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Add fuzzing audit report for Collector #2432

wants to merge 2 commits into from

Conversation

AdamKorcz
Copy link

The Opentelemetry Collector has undergone a fuzzing audit in collaboration with the CNCF and @reyang @jpkrohling @codeboten

The CNCF asks that fuzzing audit reports are stored in the respective projects repository. We thought this community repo is a great way to do that.

We have done the same for all previous CNCF fuzzing audits. Some examples are:

  1. Helm (community repo): Report
  2. containerd (website repo): Report
  3. Envoy (core repo): Report
  4. Lima (core repo): Report
  5. Crossplane (core repo): Report

@AdamKorcz
Add fuzzing audit report for Collector
96e747c 
Signed-off-by: Adam Korczynski <adam@adalogics.com>
@reyang
Copy link
Member

reyang commented Nov 8, 2024

Thanks @AdamKorcz!

reyang
reyang approved these changes Nov 8, 2024
View reviewed changes
Copy link
Member

@reyang reyang left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.

I suggest that we change "Opentelemetry" to "OpenTelemetry" (check https://github.com/open-telemetry/opentelemetry-specification/tree/main/specification#project-naming) in the pdf file, it'll be better if there is a way for folks to add comments in the PR if this is a markdown file, but I understand that CNCF prefers pdf.

image

@reyang
Copy link
Member

reyang commented Nov 8, 2024

@svrnm I think either this repo or https://github.com/open-telemetry/opentelemetry.io/ would work. Just want to get you informed in case you might have a strong preference.

@AdamKorcz
Change 'Opentelemetry' to 'OpenTelemetry' in entire report
2992691 
Signed-off-by: Adam Korczynski <adam@adalogics.com>
@AdamKorcz
Copy link
Author

LGTM.

I suggest that we change "Opentelemetry" to "OpenTelemetry" (check https://github.com/open-telemetry/opentelemetry-specification/tree/main/specification#project-naming) in the pdf file, it'll be better if there is a way for folks to add comments in the PR if this is a markdown file, but I understand that CNCF prefers pdf.

image

Updated in 2992691

@tigrannajaryan
Copy link
Member

@AdamKorcz it is great to see fuzz tests added to the Collector. I have a couple quick questions:

  1. Did fuzzing find any bugs so far?
  2. I am unable to locate the fuzz tests in the contrib repo. I can see them in the core repo but not in the contrib. I may be looking at the wrong place.

@AdamKorcz
Copy link
Author

AdamKorcz commented Nov 8, 2024
edited
Loading

@tigrannajaryan

  1. There are no public bugs from the fuzzers. I can't comment on any private crashes here as they might have security implications, but feel free to message me on the CNCF slack. Edit: All emails on this list can view the private crashes: https://github.com/google/oss-fuzz/blob/81b41ad37a95577aa34ffa1f0711d467f897a619/projects/opentelemetry/project.yaml#L5.
  2. The contrib fuzzers stalled in this PR: add fuzz tests to multiple receivers and processors opentelemetry-collector-contrib#35715, but they are running on OSS-Fuzz from my branch. Would be great to see them merged.

arminru
arminru approved these changes Nov 11, 2024
View reviewed changes
reports/ADA_Logics-collector-fuzzing-audit-2024.pdf
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

reports/ is a new top-level folder.
@austinlparker @svrnm is this a consistent addition to the repo or should it be included elsewhere in the existing structure?

Should we add a README.md there with a brief description/ToC, and link to it from root?

@svrnm
Copy link
Member

svrnm commented Nov 11, 2024

@svrnm I think either this repo or open-telemetry/opentelemetry.io would work. Just want to get you informed in case you might have a strong preference.

No strong preference, both is fine with me.

What we could do, if we want to have it on the website, is pairing it with a blog post, so it is not just put somewhere, but also shared with our community and end users, similar to https://opentelemetry.io/blog/2024/security-audit-results/

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@reyang reyang reyang approved these changes

@arminru arminru arminru approved these changes

@mx-psi mx-psi mx-psi approved these changes

@austinlparker austinlparker austinlparker approved these changes

@alolita alolita Awaiting requested review from alolita alolita is a code owner

@danielgblanco danielgblanco Awaiting requested review from danielgblanco danielgblanco is a code owner

@jpkrohling jpkrohling Awaiting requested review from jpkrohling jpkrohling is a code owner

@mtwo mtwo Awaiting requested review from mtwo mtwo is a code owner

@svrnm svrnm Awaiting requested review from svrnm svrnm is a code owner

@tedsuo tedsuo Awaiting requested review from tedsuo tedsuo is a code owner

@trask trask Awaiting requested review from trask trask is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@AdamKorcz @reyang @tigrannajaryan @svrnm @austinlparker @mx-psi @arminru