Fuzzing

ID

openssf_scorecard/fuzzing

Severity

low

Category

Levels

Optional

false

Tags

security, supply-chain, testing

Description

Does the project use fuzzing tools?

This check tries to determine if the project uses fuzzing.

Fuzzing tools inject semi-random data into a program to detect bugs. They often use known-to-be-dangerous values (fuzz vectors such as random long sequences, extreme values, out-of-bound values, or metacharacters) for each input type, and check the program's response.

Rationale

Fuzzing, or fuzz testing, is the practice of feeding unexpected or random data into a program to expose bugs. Regular fuzzing is important to detect vulnerabilities that may be exploited by others, especially since attackers can also use fuzzing to find the same flaws.

For certain languages (C is the archetype) where memory is managed by the developer, fuzzing can uncover memory-handling and type-mismatch bugs such as stack and heap overruns, integer overflows, format-string attacks, and off-by-one vulnerabilities.

Verification

This check tries to determine if the project uses fuzzing by checking:

  • if the repository name is included in the OSS-Fuzz project list;

  • if ClusterFuzzLite is deployed in the repository;

  • if there are user-defined, language-specific fuzzing functions in the repository (currently only Go fuzzing is supported).

As fuzzers are more relevant for certain languages, the set of languages considered by the check can be configured.

Remediation

  • Integrate the project with the chosen fuzzer.

Example: for OSS-Fuzz over GitHub follow the instructions here.
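The Go-specific detection above looks for user-defined fuzz functions; the following is an added example (not from this page or from Scorecard itself) of what such a function looks like for a small, assumed header-line parser, with a seed corpus and a round-trip property. In a real project the fuzz target lives in a `_test.go` file; here it is kept in one file so it can be run stand-alone.

```go
package main

import (
	"fmt"
	"strings"
	"testing"
	"unicode/utf8"
)

// ParseHeaderLine splits one "Name: value" line into its parts (assumed toy parser).
// It rejects invalid UTF-8, lines without a colon, and empty or whitespace-containing names.
func ParseHeaderLine(line string) (name, value string, err error) {
	if !utf8.ValidString(line) {
		return "", "", fmt.Errorf("invalid UTF-8")
	}
	i := strings.IndexByte(line, ':')
	if i <= 0 {
		return "", "", fmt.Errorf("missing or empty header name")
	}
	name = strings.TrimSpace(line[:i])
	value = strings.TrimSpace(line[i+1:])
	if name == "" || strings.ContainsAny(name, " \t\r\n") {
		return "", "", fmt.Errorf("malformed header name %q", name)
	}
	return name, value, nil
}

// FuzzParseHeaderLine has the native Go fuzz-target shape, func FuzzXxx(f *testing.F),
// which is what the check scans for. Run with: go test -fuzz=FuzzParseHeaderLine
func FuzzParseHeaderLine(f *testing.F) {
	// Seed corpus (constructed): benign, edge-case and malformed inputs.
	for _, seed := range []string{"Host: example.test", "X: ", ":novalue", "no-colon", "A:B:C", "\xff\xfe: bad"} {
		f.Add(seed)
	}
	f.Fuzz(func(t *testing.T, line string) {
		name, value, err := ParseHeaderLine(line)
		if err != nil {
			return // rejecting input is acceptable; a panic or a wrong result is not
		}
		// Property: re-assembling the parsed parts must parse back to the same parts.
		n2, v2, err2 := ParseHeaderLine(name + ": " + value)
		if err2 != nil || n2 != name || v2 != value {
			t.Fatalf("round-trip mismatch for %q: got (%q, %q, %v)", line, n2, v2, err2)
		}
	})
}

func main() {
	name, value, err := ParseHeaderLine("Content-Type: text/plain")
	fmt.Println(name, value, err)
}
```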

Small Print

There are many fuzzing tools and many ways to run them in build and CI pipelines, and it is challenging for an automated tool to detect them all. A FAIL status is therefore not a definitive indication that the project is at risk.