Better support for fuzzing Go, remaining - code coverage #2714
Comments
I am not sure if it fits here, but I would like to see "LAST TESTED REVISION" on oss-fuzz.com for golang projects
Interesting! I guess you meant Dockerfile using oss-fuzz/projects/gonids/Dockerfile Line 19 in e82397b
Yeah, looks like our srcmap script should grab revisions from the repos installed via
Exactly. Thanks @Dor1s for patching, I did not know where to look, or I would have proposed a patch myself ;-)
Tracking items:
fyi - @lukasz-milewski @mdempsky
Thanks @inferno-chromium, I've updated the issue description with more of these. Also added code coverage (#2817) and srcmap support (#3355). Regarding
I'm not sure this would belong to OSS-Fuzz repo, as OSS-Fuzz docs focus on using OSS-Fuzz and do not cover how to write fuzz targets in general (e.g. https://google.github.io/oss-fuzz/getting-started/new-project-guide/ also doesn't have any C/C++ examples). https://github.com/google/fuzzing might be a better place, or we can point to https://godoc.org/github.com/google/gofuzz
@inferno-chromium thanks a ton for adding the new instrumentation support (#3633) and migrating all Go projects to use it (#3638). Marking the first AI as done! If you plan to work more on this, I think we should also unify the Updating the docs after that is the third item :)
I thought about 2) and 3). I think it will create more confusion for folks when they want to do ideal integration (which we recommend, most projects should have build.sh in their repo). They would have to look at this helper script and then integrate it as well. For 2-3 build commands, it feels like a hassle. e.g. https://go.googlesource.com/protobuf/+/d8bc21f7e13fa476be55b17983bd5d43ad8c7121/internal/fuzz/oss-fuzz-build.sh. I prefer to keep it the current way.
Ah, right, great point!
…4671)
* Golang coverage summary for each fuzz target
* Document usage of compile_go_fuzzer
* update the documentation change
Co-authored-by: Max Moroz <[email protected]>
I think @catenacyber completed this by adding code coverage support for go.
As of today, ClusterFuzz supports fuzzing Go in the `gofuzz_libfuzzer` mode: https://github.com/dvyukov/go-fuzz#libfuzzer-support

But it's not really convenient to integrate a new Golang project. I think we should do the following:

* Upgrade the base-builder image to include a recent version of Go toolchain and go-fuzz, so that it was possible to run `go` and `go-fuzz-build` commands from `build.sh` without any problems.
* Document it :)
Action items
* `go-fuzz-build` and build fuzz targets using the standard toolchain (available since Go 1.14, we're already on 1.14.2, as we always install the latest stable version).
* `srcmap` script to work with Go deps (Update srcmap to collect information for Go projects #3355).