Skip to content

fuzz: add Go fuzz targets, CI workflow, and docs for OSS-Fuzz #2307

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

fuzz: add Go fuzz targets, CI workflow, and docs for OSS-Fuzz #2307

wants to merge 1 commit into from
+160 −0

Conversation

@RajaPremSai
Copy link

Add Go fuzz testing infrastructure and OSS-Fuzz preparation

This PR implements fuzz testing for Cobra as requested in #2261, adding Go 1.18+ fuzz targets, CI integration, and documentation for OSS-Fuzz onboarding.

Changes

Fuzz Tests (fuzz/cobra_fuzz_test.go)

  • FuzzLd: Tests Levenshtein distance implementation with invariants (symmetry, non-negativity, identity, case-insensitive behavior)
  • FuzzConfigEnvVar: Validates configEnvVar output constraints (A-Z0-9_ only, stable mapping)

CI Integration (.github/workflows/fuzz.yml)

  • Runs short fuzz sessions (30s) on PRs and pushes
  • Uses Go 1.22+ with caching for efficiency

Documentation

  • README.md: Added "Fuzz testing" section with local run instructions
  • site/content/fuzzing.md: Comprehensive guide including OSS-Fuzz integration steps
  • CONTRIBUTING.md: Added fuzz testing section for contributors

Testing

# Local fuzz run
go test ./... -run=^$ -fuzz=Fuzz -fuzztime=30s

OSS-Fuzz Integration

The project is now prepared for OSS-Fuzz integration. The documentation outlines the steps to:

  1. Create projects/cobra/ in google/oss-fuzz
  2. Add project.yaml, Dockerfile, and build.sh
  3. Use compile_go_fuzzer for each fuzz target

Security Impact

Fuzz testing helps identify edge cases and potential security vulnerabilities in core utility functions, particularly around string processing and environment variable handling.

Closes #2261

@CLAassistant
Copy link

CLAassistant commented Sep 10, 2025
edited
Loading

CLA assistant check
All committers have signed the CLA.

@github-actions github-actions bot added the area/github For changes to Github specific things not shipped in the library label Sep 10, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

area/github For changes to Github specific things not shipped in the library

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Investigate fuzz testing

2 participants

@RajaPremSai @CLAassistant