Continuous fuzzing through OSS-Fuzz

Google's OSS-Fuzz project recently added support for Python fuzzing. I have been working on integrating Home Assistant's core into OSS-Fuzz; the integration can be found here: https://github.com/google/oss-fuzz/pull/4951. The integration includes the build scripts necessary to build the core on OSS-Fuzz's platform as well as a fuzzer for the JSON utils.

Once integrated, all fuzzers will be run continuously by OSS-Fuzz free of charge to look for hard-to-find bugs in the codebase. Adding new fuzzers is easy; a new fuzzer just needs to be included in the build script.
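As an added illustration (not the code from the pull request above, and not Home Assistant's or OSS-Fuzz's own code), here is the shape of a Python fuzzer of the kind OSS-Fuzz runs with the Atheris engine: it parses the fuzzer-supplied bytes as JSON, treats the parser's documented errors as expected, and lets any other exception propagate so the fuzzer reports it. The standard library's `json` module stands in for the project's own JSON helpers (an assumption); the Atheris import is guarded only so the target function can also be exercised without the engine installed.

```python
"""Fuzz harness for a JSON utility in the style OSS-Fuzz runs Python targets."""
import json
import sys

try:
    import atheris
except ImportError:  # lets round_trip() run and be tested without Atheris
    atheris = None

# Errors the parser is documented to raise on bad input. json.JSONDecodeError is
# a ValueError subclass, and CPython 3.11+ raises a plain ValueError for integer
# literals beyond its digit limit, so the broader class is caught. Anything else
# (TypeError, AttributeError, ...) is a real finding and must propagate.
EXPECTED_ERRORS = (ValueError, UnicodeDecodeError, RecursionError)


def round_trip(data: bytes) -> bool:
    """Parse the input; return True on success, False on an expected rejection.

    Raises on anything unexpected, which is exactly what the fuzzer reports.
    """
    try:
        obj = json.loads(data.decode("utf-8"))  # json stands in for the project's helper
    except EXPECTED_ERRORS:
        return False
    # Invariant checked on every accepted input: serialising and re-parsing must
    # reproduce the same document. Canonical strings are compared rather than
    # objects so NaN (never equal to itself) does not cause a false positive.
    first = json.dumps(obj, sort_keys=True)
    second = json.dumps(json.loads(first), sort_keys=True)
    if first != second:
        raise AssertionError(f"round trip changed document: {first!r} -> {second!r}")
    return True


def TestOneInput(data: bytes) -> None:
    """Entry point Atheris calls once per generated input."""
    round_trip(data)


def main() -> None:
    atheris.instrument_all()  # coverage instrumentation for already-imported modules
    atheris.Setup(sys.argv, TestOneInput)
    atheris.Fuzz()


if __name__ == "__main__":
    main()
```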

For those unfamiliar: fuzzing is a method for testing applications whereby pseudo-random data is passed to the target application with the goal of finding bugs and vulnerabilities. Over the course of OSS-Fuzz's lifetime, critical bugs have been found in projects written in both memory-safe and memory-unsafe languages, and bugs have been found in Python projects as well.

Integration is free for critical open source projects, with the implied expectation that reported bugs are fixed, so that the resources spent go towards resolving bugs.

Although not necessary, I do suggest moving the build script and the fuzzers into the core's own repository so they are easier to modify. Further documentation can also be added to help contributors fuzz the code they are interested in. For those interested in knowing more about the fuzzer that OSS-Fuzz supports, we have made a short introductory video about it here: https://youtu.be/Wjjlk_W7WFo.

To complete the integration, at least one maintainer's email address is needed in the project.yaml file on the OSS-Fuzz side. I have left my own email address in there as well to see the integration through to completion, but if you'd rather have me off that list, do let me know and I will be happy to remove it. All maintainers have access to bug reports, which means that if any bugs or vulnerabilities come up, I will be able to see them.