Use oss-fuzz

[marshallpierce]

They'll accept rust-base64: google/oss-fuzz#2145

[denniskempin]

I am looking through the supply chain of some of my projects to look for ways to contribute back.

Are you still interested in this? I just onboarded a project to oss-fuzz, I'd be happy to do another one.

[marshallpierce]

@denniskempin Yes, that would be great, thanks! This will be especially handy once SIMD-based (and therefore unsafe) engines are a thing.

[denniskempin]

Hi @marshallpierce! Onboarding was pretty easy, I got a working commit here: denniskempin/oss-fuzz@8ccaa5f

In order to interact with oss-fuzz infrastructure and receive access to the filed bugs you will need to provide a google account. See: https://google.github.io/oss-fuzz/faq/#why-do-you-require-a-google-account-for-authentication

Could you email me with a google email address you would like to use and a list of additional emails you'd like to add to the CC? My email is [email protected]

[denniskempin]

Pull request is up. Sorry for the delay: google/oss-fuzz#10693

[denniskempin]

It sounds like they would prefer to use https://google.github.io/clusterfuzzlite/ for rust-base64 (which makes sense, a centralized infra for all OSS fuzzing is hard to maintain).

Unfortunately it does not support CircleCI. This could be set up with GitHub actions on this repo.

It may not be too much work to implement CircleCI support into ClusterFuzzLite though. That may be generally useful beyond rust-base64 anyway.

[marshallpierce]

If it's not too bad to use GitHub Actions just for fuzzing, that sounds like a good compromise -- I like fuzzing more than I dislike GHA. :) If that's not workable, then I'm fine with switching the whole setup to GHA.