Oss-fuzz integration

Gilles Caulier caulier.gilles at gmail.com
Thu Apr 2 20:57:50 BST 2020 

Maik,

I know that libraw already use fuzzy test. I also seen that Exiv2 plan
or already use this kind of test (i'm not sure).

For the rest i don't know. I can be very important that Qt5 and KF5
library follow the same fuzzy test in the CI. But i don"t know
exactly.

Gilles

Le jeu. 2 avr. 2020 à 19:32, Maik Qualmann <metzpinguin at gmail.com> a écrit :
>
> Yes why not. Ok, we have to close all bugs, says Google. What about software
> over which we have less influence, e.g. if the problem is in external
> libraries?
>
> Maik
>
> Am Donnerstag, 2. April 2020, 10:04:25 CEST schrieb Gilles Caulier:
> > Hi Adam,
> >
> > Thanks for your proposal. I know the fuzz process to inject random
> > data stream in application components to see code quality. We plan to
> > use this way in my office for certain libraries used internally.
> >
> > Maik,
> >
> > Perhaps we can make a try with digiKam, what do you think about this?
> >
> > Best
> >
> > Gilles Caulier
> >
> > Le jeu. 2 avr. 2020 à 03:54, Adam Korczynski <Adam at adalogics.com> a écrit :
> > > Dear Digikam team,
> > >
> > > I am a security engineer at Adalogics, and I have been fuzzing your
> > > software, Digikam in order to find bugs and vulnerabilities before
> > > attackers do. From a high level point of view fuzzing is a process of
> > > sending large amounts of pseudo random data to an application and observe
> > > bug conditions. Your project would benefit from continuous fuzzing, and
> > > you could achieve that through integrating with Google OSS-fuzz project.
> > >
> > > Integration of your project in OSS-fuzz means that Google runs our fuzzers
> > > on their infrastructure and sends you report of any bugs that it finds.
> > > You will receive these report automatically. The entire process is
> > > provided by Google free of charge, and the only expectation from Googles
> > > side is that you fix the bugs that they find and report to you.
> > >
> > > Let me know if you are interested in having Digikam fuzzed on the OSS-fuzz
> > > platform, and I will commit the fuzzer I have for Digikam and integrate
> > > it with the OSS-fuzz project.
> > >
> > > Kind regards
> > > Adam Korczynski
> > > Security Engineer, Adalogics, +447885484453
>
>
>
>

More information about the Digikam-devel mailing list