{"id":18798915,"url":"https://github.com/cncf/cncf-fuzzing","last_synced_at":"2025-04-04T14:04:18.733Z","repository":{"id":36995192,"uuid":"421806901","full_name":"cncf/cncf-fuzzing","owner":"cncf","description":"✨🔐 CNCF Fuzzers","archived":false,"fork":false,"pushed_at":"2025-02-17T11:32:02.000Z","size":1110,"stargazers_count":122,"open_issues_count":9,"forks_count":48,"subscribers_count":6,"default_branch":"main","last_synced_at":"2025-04-03T22:38:42.714Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"https://cncf.io/projects","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cncf.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-10-27T12:22:13.000Z","updated_at":"2025-03-31T09:37:10.000Z","dependencies_parsed_at":"2023-11-17T14:15:43.201Z","dependency_job_id":"40d994d3-f1d1-4827-a4eb-12a7052df6e3","html_url":"https://github.com/cncf/cncf-fuzzing","commit_stats":{"total_commits":549,"total_committers":28,"mean_commits":"19.607142857142858","dds":0.3387978142076503,"last_synced_commit":"14993ff3c0d5c4b34086aead3967670f15712603"},"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cncf%2Fcncf-fuzzing","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cncf%2Fcncf-fuzzing/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cncf%2Fcncf-fuzzing/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cncf%2Fcncf-fuzzin
g/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/cncf","download_url":"https://codeload.github.com/cncf/cncf-fuzzing/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247184936,"owners_count":20897857,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-07T22:13:21.090Z","updated_at":"2025-04-04T14:04:18.714Z","avatar_url":"https://github.com/cncf.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# cncf-fuzzing\nThis repository is related to fuzzing of CNCF projects. It holds fuzzers as well as documentation on fuzzing.\n\nSee the blog post [Improving security by fuzzing the cncf landscape](https://www.cncf.io/blog/2022/06/28/improving-security-by-fuzzing-the-cncf-landscape/) for details.\n\nAre you a CNCF project and would like to have it fuzzed? Please create an issue on this repository requesting to be fuzzed and we will assist.\n\n\n## Fuzzing handbook\nCNCF has a Fuzzing Handbook which introduces fuzzing in a pragmatic manner, and also has a chapter that goes into details with how to use OSS-Fuzz to establish a continuous fuzzing set up.\n\nThe handbook is available [here](https://github.com/cncf/tag-security/blob/main/community/resources/security-fuzzing-handbook/handbook-fuzzing.pdf)\n\n\n## CNCF projects and fuzzing\nFuzzing is a technique for automating stress testing of applications\nand it can be used to find reliability and security issues. 
The technique\nis traditionally used by security researchers to find security vulnerabilities, however,\nfuzzing has become more integrated into the software development lifecycle\nand is increasingly being used by developers.\n\nCNCF projects that use fuzzing include:\n- [Argo](https://github.com/cncf/cncf-fuzzing/tree/main/projects/argo)\n- [Containerd](https://github.com/containerd/containerd/tree/main/contrib/fuzz)\n- [CRI-O](https://github.com/cri-o/cri-o/blob/main/security/2022_security_audit_adalogics.pdf)\n- [Envoy](https://github.com/envoyproxy/envoy/tree/main/test/fuzz)\n- [Fluent-bit](https://github.com/fluent/fluent-bit/tree/master/tests/internal/fuzzers)\n- [FluxCD](https://github.com/fluxcd/source-controller/pull/443) and [full report, section 5](https://fluxcd.io/FluxFinalReport-v1.1.pdf)\n- [Kubernetes](https://github.com/kubernetes/kubernetes/tree/master/test/fuzz)\n- [Linkerd2-proxy](https://github.com/linkerd/linkerd2-proxy/blob/main/docs/FUZZING.md)\n- [Prometheus](https://github.com/prometheus/prometheus/blob/4c56a193c518ae6f56008b0a4c850a9c3f1477c6/promql/fuzz.go)\n- [RunC](https://github.com/opencontainers/runc/tree/master/tests/fuzzing)\n- [Vitess](https://github.com/vitessio/vitess/blob/main/doc/VIT-02-report-fuzzing-audit.pdf)\n- [Distribution](https://github.com/distribution/distribution)\n\nTalks on CNCF fuzzing:\n- [Finding Bugs and Vulnerabilities Automatically](https://www.youtube.com/watch?v=DSJePjhBN5E)\n- [Fuzzing the CNCF Landscape, Cloud Native SecurityCon, 2022](https://www.youtube.com/watch?v=zIyIZxAZLzo)\n- [Securing Fluent Bit by Way of Fuzzing, FluentCon, 2022](https://www.youtube.com/watch?v=Yp6IClswWQE)\n- [Fuzz Testing of Envoy - Adi Peleg \u0026 Teju Nareddy](https://www.youtube.com/watch?v=s-wXKdSIKZo)\n- [Lightning Talk: Securing Envoy: Catching Vulnerabilities With Continuous Fuzz Testing - Teju Nareddy](https://www.youtube.com/watch?v=2wM1Ks23DZU)\n\nDedicated fuzzing audit reports:\n- [Fluent 
Bit](https://github.com/fluent/fluent-bit/blob/master/doc-reports/cncf-fuzzing-audit.pdf)\n- [Argo](https://github.com/argoproj/argoproj/blob/dd7cae43d81c5a11f21ff4ea0a4afadcae4799c7/docs/audit_fuzzer_adalogics_2022.pdf)\n- [etcd](https://github.com/etcd-io/etcd/blob/main/security/FUZZING_AUDIT_2022.PDF)\n- [linkerd2-proxy](https://github.com/linkerd/linkerd2-proxy)\n- [Envoy](https://github.com/envoyproxy/envoy)\n- [Vitess](https://github.com/vitessio/vitess/blob/master/doc/VIT-02-report-fuzzing-audit.pdf)\n\n## Integrate fuzzing into your project\nIntegrating fuzzing into a project takes a lot of effort and is often done\nover a long period of time. Fuzzing can be integrated into your project\nwith various levels of maturity. There are three essential tasks when integrating fuzzing into your project:\n- Develop fuzzers\n- Execute the fuzzers\n- Analyse crashes\n\nThe following describes three common steps in integrating fuzzing into your project.\n\n### 1) Local fuzzing set up\nThe first step in integrating fuzzing into a project is to develop a set of fuzz\ndrivers for your project. The specific fuzzer you need to use depends on the\nprogramming language of your project. The following list provides links to\ncommon fuzzers for various languages:\n- C/C++: [libFuzzer](https://llvm.org/docs/LibFuzzer.html)\n- Rust: [Cargo-fuzz](https://github.com/rust-fuzz/cargo-fuzz)\n- Go: [Go-fuzz](https://github.com/dvyukov/go-fuzz) and [native go fuzzing](https://go.dev/blog/fuzz-beta)\n- Python: [Atheris fuzzer](https://github.com/google/atheris)\n- Java: [jazzer fuzzer](https://github.com/CodeIntelligenceTesting/jazzer)\n\nThe specific purposes of fuzz drivers vary greatly. In essence, they are\nclosely related to unit tests, and the difference is that the fuzz driver takes\na random input which is used to enforce diverse code execution of the target\ncode. 
Common goals of a fuzz driver include:\n\n- Execute large amounts of code to achieve high code coverage\n- Execute a specific complex piece of code, e.g. parsing routines\n- Execute code relative to the threat model of the project\n\nThis step is usually the most time-consuming, and making it possible to write fuzz\ndrivers for your project can sometimes be a large effort. However, once you have\nfuzz drivers for your project you should be able to run these locally and observe results.\n\n### 2) Integrate continuous fuzzing with OSS-Fuzz\nOnce you have developed a local fuzzing set up for your project, the next\nstep is to run the fuzzers in a continuous manner. Modern fuzzers rely on genetic\nalgorithms to build up an input corpus, which, in a simplified manner, means that\nthe fuzzer by nature increases its quality in proportion to how long it has run.\nContinuously running a fuzzer is thus important to ensure high quality of the fuzzing,\nand continuous fuzzing is also important in order to capture bugs that may occur\nas a project progresses.\n\n[OSS-Fuzz](https://github.com/google/oss-fuzz) is a service for running fuzzers\ncontinuously for open source projects.\nOSS-Fuzz comes with a convenient management infrastructure with a dashboard as well\nas bug-tracking features, which makes managing the running of the fuzzers easy. We recommend\nintegrating with OSS-Fuzz, and several CNCF projects are integrated already.\n\n### 3) Integrate fuzzing into CI\nFuzzing can be integrated into your CI, e.g. a GitHub action, such that the fuzzers run\nfor a short amount of time on pull requests and/or push actions. This is in many ways\nsimilar to running tests as part of your CI to ensure regressions don’t occur. Once\nyou have integrated with OSS-Fuzz, you can get CI integration by way of [CIFuzz](https://google.github.io/oss-fuzz/getting-started/continuous-integration/) for free.\n\n## What results to expect\nFuzzing works best with projects that have high code complexity, e.g. 
parsers, decoders, etc. but can be used in many other projects. You can fuzz projects in many languages and the type of bug you will find depends on which language your project is written in.\n\n- Envoy has invested significantly in fuzzing and OSS-Fuzz has reported more than [700](https://bugs.chromium.org/p/oss-fuzz/issues/list?q=proj%3Denvoy%20Type%3DBug\u0026can=1) bugs as well as [81](https://bugs.chromium.org/p/oss-fuzz/issues/list?q=proj%3Denvoy%20Type%3DBug-Security\u0026can=1) security relevant bugs\n- Fluent-bit has been fuzzed for slightly more than a year, and OSS-Fuzz has reported more than [100](https://bugs.chromium.org/p/oss-fuzz/issues/list?q=proj%3Dfluent-bit%20Type%3DBug\u0026can=1) reliability issues and more than [50](https://bugs.chromium.org/p/oss-fuzz/issues/list?q=proj%3Dfluent-bit%20Type%3DBug-Security\u0026can=1) security issues.\n\nFor an example where fuzzing was determined to have limited effects consider [Cloud custodian](https://github.com/cloud-custodian/cloud-custodian). Cloud custodian is a project written in Python and is very horizontal in its architecture in that it does not have deep code complexities. This is an example where fuzzing will have limited results as discussed in detail in a [PR](https://github.com/cloud-custodian/cloud-custodian/pull/6832) on the Cloud Custodian repository. 
However, Cloud Custodian still benefited from fuzzing, which found a bug in the parts of its code where fuzzing could be applied, but, in comparison to the other projects mentioned above, Cloud Custodian is not integrated into OSS-Fuzz.\n\nThe following list indicates some common software properties that mean your code is likely to benefit from fuzzing:\n- High code complexity\n- Deep code paths\n- Accepts untrusted input\n- If a reliability or security issue occurs, it can have significant consequences for systems\n- Is used as a library by other applications\n- Projects in memory-unsafe languages should have a high priority for being fuzzed (but fuzzing is not exclusive to memory-unsafe languages)\n\n## Fuzzing hours\n\nWe have monthly fuzzing hours on every second Friday of each month at 2PM GMT+1.\n\nURL: [https://us05web.zoom.us/j/86181802116](https://us05web.zoom.us/j/86181802116)\nPasscode: LBw6fY\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcncf%2Fcncf-fuzzing","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcncf%2Fcncf-fuzzing","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcncf%2Fcncf-fuzzing/lists"}