Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/google/oss-fuzz

OSS-Fuzz - continuous fuzzing for open source software.
https://github.com/google/oss-fuzz

fuzz-testing fuzzing oss-fuzz security stability vulnerabilities

Last synced: 5 days ago
JSON representation

OSS-Fuzz - continuous fuzzing for open source software.

Host: GitHub
URL: https://github.com/google/oss-fuzz
Owner: google
License: apache-2.0
Created: 2016-07-20T19:39:50.000Z (over 8 years ago)
Default Branch: master
Last Pushed: 2024-04-12T10:44:48.000Z (7 months ago)
Last Synced: 2024-04-12T21:18:35.289Z (7 months ago)
Topics: fuzz-testing, fuzzing, oss-fuzz, security, stability, vulnerabilities
Language: Shell
Homepage: https://google.github.io/oss-fuzz
Size: 42.5 MB
Stars: 9,853
Watchers: 253
Forks: 2,101
Open Issues: 483
Metadata Files:
- Readme: README.md
- Contributing: CONTRIBUTING.md
- License: LICENSE

Awesome Lists containing this project

security-study-tutorial - OSS-Fuzz - continuous fuzzing of open source software
DevSecOps - https://github.com/google/oss-fuzz - Fuzz: Continuous Fuzzing for Open Source Software |![osss-fuzz](https://img.shields.io/github/stars/google/oss-fuzz?style=for-the-badge) | (DAST)
awesome-repositories - google/oss-fuzz - OSS-Fuzz - continuous fuzzing for open source software. (Shell)
AwesomeCppGameDev - oss-fuzz - Fuzz - continuous fuzzing of open source software. (Tools)
awesome-systools - OSS-Fuzz - Continuous Fuzzing for Open Source Software (Continuous Integration / Messaging)
awesome-devsecops-russia - Репозиторий oss-fuzz от Google
awesome-hacking-lists - google/oss-fuzz - OSS-Fuzz - continuous fuzzing for open source software. (Shell)
awesome-software-supply-chain-security - OSS-Fuzz - ![GitHub stars](https://img.shields.io/github/stars/google/oss-fuzz?style=flat-square) - OSS-Fuzz - continuous fuzzing for open source software. (Fuzz Testing)
my-awesome - google/oss-fuzz - testing,fuzzing,oss-fuzz,security,stability,vulnerabilities pushed_at:2024-10 star:10.4k fork:2.2k OSS-Fuzz - continuous fuzzing for open source software. (Shell)

README

        # OSS-Fuzz: Continuous Fuzzing for Open Source Software

[Fuzz testing] is a well-known technique for uncovering programming errors in

software. Many of these detectable errors, like [buffer overflow], can have

serious security implications. Google has found [thousands] of security

vulnerabilities and stability bugs by deploying [guided in-process fuzzing of

Chrome components], and we now want to share that service with the open source

community.

[Fuzz testing]: https://en.wikipedia.org/wiki/Fuzz_testing

[buffer overflow]: https://en.wikipedia.org/wiki/Buffer_overflow

[thousands]: https://issues.chromium.org/issues?q=label:Stability-LibFuzzer%20-status:Duplicate,WontFix

[guided in-process fuzzing of Chrome components]: https://security.googleblog.com/2016/08/guided-in-process-fuzzing-of-chrome.html

In cooperation with the [Core Infrastructure Initiative] and the [OpenSSF],

OSS-Fuzz aims to make common open source software more secure and stable by

combining modern fuzzing techniques with scalable, distributed execution.

Projects that do not qualify for OSS-Fuzz (e.g. closed source) can run their own

instances of [ClusterFuzz] or [ClusterFuzzLite].

[Core Infrastructure Initiative]: https://www.coreinfrastructure.org/

[OpenSSF]: https://www.openssf.org/

We support the [libFuzzer], [AFL++], and [Honggfuzz] fuzzing engines in

combination with [Sanitizers], as well as [ClusterFuzz], a distributed fuzzer

execution environment and reporting tool.

[libFuzzer]: https://llvm.org/docs/LibFuzzer.html

[AFL++]: https://github.com/AFLplusplus/AFLplusplus

[Honggfuzz]: https://github.com/google/honggfuzz

[Sanitizers]: https://github.com/google/sanitizers

[ClusterFuzz]: https://github.com/google/clusterfuzz

[ClusterFuzzLite]: https://google.github.io/clusterfuzzlite/

Currently, OSS-Fuzz supports C/C++, Rust, Go, Python, Java/JVM, and JavaScript code. Other languages

supported by [LLVM] may work too. OSS-Fuzz supports fuzzing x86_64 and i386

builds.

[LLVM]: https://llvm.org

## Overview

![OSS-Fuzz process diagram](docs/images/process.png)

## Documentation

Read our [detailed documentation] to learn how to use OSS-Fuzz.

[detailed documentation]: https://google.github.io/oss-fuzz

## Trophies

As of August 2023, OSS-Fuzz has helped identify and fix over [10,000] vulnerabilities and [36,000] bugs across [1,000] projects.

[10,000]: https://bugs.chromium.org/p/oss-fuzz/issues/list?q=Type%3DBug-Security%20label%3Aclusterfuzz%20-status%3ADuplicate%2CWontFix&can=1

[36,000]: https://bugs.chromium.org/p/oss-fuzz/issues/list?q=Type%3DBug%20label%3Aclusterfuzz%20-status%3ADuplicate%2CWontFix&can=1

[1,000]: https://github.com/google/oss-fuzz/tree/master/projects

## Blog posts

* 2023-08-16 - [AI-Powered Fuzzing: Breaking the Bug Hunting Barrier]

* 2023-02-01 - [Taking the next step: OSS-Fuzz in 2023]

* 2022-09-08 - [Fuzzing beyond memory corruption: Finding broader classes of vulnerabilities automatically]

* 2021-12-16 - [Improving OSS-Fuzz and Jazzer to catch Log4Shell]

* 2021-03-10 - [Fuzzing Java in OSS-Fuzz]

* 2020-12-07 - [Improving open source security during the Google summer internship program]

* 2020-10-09 - [Fuzzing internships for Open Source Software]

* 2018-11-06 - [A New Chapter for OSS-Fuzz]

* 2017-05-08 - [OSS-Fuzz: Five months later, and rewarding projects]

* 2016-12-01 - [Announcing OSS-Fuzz: Continuous fuzzing for open source software]

[AI-Powered Fuzzing: Breaking the Bug Hunting Barrier]: https://security.googleblog.com/2023/08/ai-powered-fuzzing-breaking-bug-hunting.html

[Announcing OSS-Fuzz: Continuous fuzzing for open source software]: https://opensource.googleblog.com/2016/12/announcing-oss-fuzz-continuous-fuzzing.html

[OSS-Fuzz: Five months later, and rewarding projects]: https://opensource.googleblog.com/2017/05/oss-fuzz-five-months-later-and.html

[A New Chapter for OSS-Fuzz]: https://security.googleblog.com/2018/11/a-new-chapter-for-oss-fuzz.html

[Fuzzing internships for Open Source Software]: https://security.googleblog.com/2020/10/fuzzing-internships-for-open-source.html

[Improving open source security during the Google summer internship program]: https://security.googleblog.com/2020/12/improving-open-source-security-during.html

[Fuzzing Java in OSS-Fuzz]: https://security.googleblog.com/2021/03/fuzzing-java-in-oss-fuzz.html

[Improving OSS-Fuzz and Jazzer to catch Log4Shell]: https://security.googleblog.com/2021/12/improving-oss-fuzz-and-jazzer-to-catch.html

[Fuzzing beyond memory corruption: Finding broader classes of vulnerabilities automatically]: https://security.googleblog.com/2022/09/fuzzing-beyond-memory-corruption.html

[Taking the next step: OSS-Fuzz in 2023]: https://security.googleblog.com/2023/02/taking-next-step-oss-fuzz-in-2023.html