
BUG OSS-Fuzz does not detect multiple repos fuzzed under a project #2745

Open
34fathombelow opened this issue Mar 13, 2023 · 6 comments
Labels
check/Fuzzing kind/bug Something isn't working

Comments

@34fathombelow

Describe the bug
https://github.com/argoproj currently uses oss-fuzz to perform fuzzing on the four repositories listed below:

  1. https://github.com/argoproj/argo-workflows
  2. https://github.com/argoproj/argo-cd
  3. https://github.com/argoproj/argo-events
  4. https://github.com/argoproj/argo-rollouts

I see that #2719 was recently merged and parses the results of https://oss-fuzz-build-logs.storage.googleapis.com/status.json. I'm not sure if this fix would cover our case. I do see the main project being detected in the build results, but not each repo as listed above.

Expected behavior
Fuzzing check to detect the repos that we have enabled for fuzzing.

Additional context
I appreciate all the hard work that has gone into this project. Keep up the great work.

@34fathombelow 34fathombelow added the kind/bug Something isn't working label Mar 13, 2023
@34fathombelow 34fathombelow changed the title BUG OSS fuzz does not detect multiple repos fuzzed under a project BUG OSS-Fuzz does not detect multiple repos fuzzed under a project Mar 13, 2023
@naveensrinivasan
Member

The project clones multiple sub-projects in a single Dockerfile: https://github.com/google/oss-fuzz/blob/master/projects/argo/Dockerfile

@spencerschrock
Contributor

#2719 won't handle this as written. Since the main repo url is "github.com/argoproj", none of the sub projects would work.

It would be easy to extend the logic to fall back to searching the org, e.g. github.com/argoproj/argo-cd -> github.com/argoproj. This would result in quite a few false positives though.
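
An added illustration of the fallback described in this comment; it is not Scorecard's code and not the logic merged in #2719. It matches a repository URL against the main_repo of each OSS-Fuzz project, first exactly and then, optionally, by organization. The status.json layout used here (a projects list with name and main_repo fields), the function names, and the sample entries are assumptions constructed for the example. Running it shows why the org fallback is a double-edged sword: it makes argo-cd count as fuzzed, but it also makes any other repository under github.com/argoproj count as fuzzed, whether or not it is built in the argo Dockerfile.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// statusFile holds only the fields this example needs. The schema is an
// assumption for illustration, not a description of Scorecard's parser.
type statusFile struct {
	Projects []ossFuzzProject `json:"projects"`
}

type ossFuzzProject struct {
	Name     string `json:"name"`
	MainRepo string `json:"main_repo"`
}

// sampleStatusJSON is constructed sample data, not real status.json content.
// "argo" points at an org (as the issue describes); "curl" points at a repo.
const sampleStatusJSON = `{
  "projects": [
    {"name": "argo", "main_repo": "https://github.com/argoproj"},
    {"name": "curl", "main_repo": "https://github.com/curl/curl"}
  ]
}`

// MatchKind says how (or whether) a repo was matched to an OSS-Fuzz project.
type MatchKind int

const (
	NoMatch    MatchKind = iota
	ExactMatch           // main_repo names this exact repository
	OrgMatch             // main_repo names only the repository's organization
)

// normalizeRepo strips scheme, case, trailing slash and ".git" so that
// cosmetic URL differences do not defeat the comparison.
func normalizeRepo(u string) string {
	u = strings.ToLower(strings.TrimSpace(u))
	u = strings.TrimPrefix(u, "https://")
	u = strings.TrimPrefix(u, "http://")
	u = strings.TrimSuffix(u, "/")
	u = strings.TrimSuffix(u, ".git")
	return u
}

// orgOf returns "github.com/<org>" for "github.com/<org>/<repo>", or "" when
// the URL has no repository component (i.e. it already names an org).
func orgOf(repo string) string {
	parts := strings.Split(repo, "/")
	if len(parts) < 3 {
		return ""
	}
	return strings.Join(parts[:2], "/")
}

// parseStatus decodes the (assumed) status.json structure.
func parseStatus(data string) ([]ossFuzzProject, error) {
	var s statusFile
	if err := json.Unmarshal([]byte(data), &s); err != nil {
		return nil, err
	}
	return s.Projects, nil
}

// findFuzzed looks for repoURL among the projects' main_repo values. With
// orgFallback set, a main_repo that names only the repo's org also counts,
// which is exactly the false-positive trade-off discussed in the issue.
func findFuzzed(repoURL string, projects []ossFuzzProject, orgFallback bool) (MatchKind, string) {
	want := normalizeRepo(repoURL)
	for _, p := range projects {
		if normalizeRepo(p.MainRepo) == want {
			return ExactMatch, p.Name
		}
	}
	wantOrg := orgOf(want)
	if !orgFallback || wantOrg == "" {
		return NoMatch, ""
	}
	for _, p := range projects {
		if normalizeRepo(p.MainRepo) == wantOrg {
			return OrgMatch, p.Name
		}
	}
	return NoMatch, ""
}

func main() {
	projects, err := parseStatus(sampleStatusJSON)
	if err != nil {
		panic(err)
	}
	for _, repo := range []string{
		"https://github.com/argoproj/argo-cd",       // really fuzzed via the argo Dockerfile
		"https://github.com/argoproj/never-fuzzed", // constructed: not fuzzed, but under the org
		"https://github.com/curl/curl",
	} {
		k, name := findFuzzed(repo, projects, true)
		fmt.Printf("%-45s kind=%d project=%q\n", repo, k, name)
	}
}
```

The second loop iteration is the point: with the fallback on, a repository that merely shares the argoproj org is reported as fuzzed by project "argo", which is the false positive the comment warns about. Without the fallback, argo-cd is not matched at all.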

@34fathombelow
Author

@spencerschrock I agree extending the logic would not be the best solution, as you stated this would create many false positives.

Do you have any other solutions or suggestions? I'd really like to avoid refactoring the fuzzing checks we already have in place.

@spencerschrock
Contributor

Hmm, the vast majority of main_repo fields from project.yaml files refer to a single repo. Only 6 oss-fuzz projects that point to a GitHub repo point to an org (~0.6%):

argoproj
dapr
knative
notaryproject
QubesOS
unicode-rs

We support looking for a .onefuzz file to detect Microsoft OneFuzz, so I could see a similar .ossfuzz file as a possibility, or even just a general .fuzzing file as a catch-all with a user-filled explanation. Would be curious what other @ossf/scorecard-maintainers' thoughts are.

@34fathombelow
Author

Thank you all for looking into this, any updates would be appreciated.

@spencerschrock
Contributor

> Thank you all for looking into this, any updates would be appreciated.

Not much feedback on the issue from other Scorecard maintainers, but I can say we're planning maintainer annotations that would help add context to situations like this. The design hasn't started, but it's on our roadmap.

Project status: Backlog - Bugs
3 participants