OSS-Fuzz for CPython

CPython uses OSS-Fuzz, Google's continuous fuzzing service for open-source projects, to find bugs and security vulnerabilities by feeding semi-random data to various APIs.

CPython has two OSS-Fuzz projects:

OSS-Fuzz bug reports are private when filed, so access to crash details and reproducer test cases is limited to those listed in the auto_ccs fields of the OSS-Fuzz project configuration files. Those listed can log into https://oss-fuzz.com/ with their Google account to view crash details, reproducer test cases, and project statistics. If you need access, contact the :gh-python-team:`fuzzers` team. Completed issues, and issues that remain unresolved after 90 days, are publicly visible in the OSS-Fuzz issue tracker.

Coverage and target statistics are available in the OSS-Fuzz Introspector project profiles for cpython3 and python3-libraries.

In addition, CIFuzz runs the fuzz targets on GitHub Actions for pull requests against the main branch that change relevant files.

.. seealso::

   The `libFuzzer <https://llvm.org/docs/LibFuzzer.html>`__ documentation for
   details about the fuzzing engine used by OSS-Fuzz.


Adding new targets

Add new targets to the python3-libraries project. For more information, see the documentation in the :github:`python/library-fuzzers` repository.

If the new target covers a standard library module, update the relevant CIFuzz path configuration so pull requests touching that module trigger fuzzing. See the LIBRARY_FUZZER_PATHS set in :cpy-file:`Tools/build/compute-changes.py`.
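
To illustrate what a target for a standard library module does, here is an added example; it is not code from CPython or the :github:`python/library-fuzzers` repository, and it does not follow that repository's harness format. It feeds bytes to ``json``, treats the exceptions expected on malformed input as rejections, and checks a round-trip property. The names ``fuzz_one_input``, ``run``, ``mutate`` and the seed inputs are assumptions made for this example.

```python
import json
import random

# Exceptions json.loads is expected to raise on malformed input
# (JSONDecodeError and UnicodeDecodeError are ValueError subclasses).
# Anything else escaping fuzz_one_input() is a finding to report.
EXPECTED = (ValueError, RecursionError)


def fuzz_one_input(data: bytes) -> bool:
    """Feed one input to json; return True if it parsed, False if rejected."""
    try:
        obj = json.loads(data)
        first = json.dumps(obj)
        second = json.dumps(json.loads(first))
    except EXPECTED:
        return False
    # Round-trip property. Compare serialized text, not objects: NaN != NaN
    # would make an object comparison fail on valid input such as b"[NaN]".
    if first != second:
        raise AssertionError(f"round-trip mismatch for {data!r}")
    return True


def run(inputs):
    """Run the target over inputs; return (parsed, rejected) counts."""
    parsed = sum(fuzz_one_input(d) for d in inputs)
    return parsed, len(inputs) - parsed


# Constructed sample inputs standing in for a seed corpus.
SEEDS = [b'{"a": [1, 2.5, null]}', b"[NaN, -Infinity]", b'"\\ud800"',
         b"\xff\xfe{", b"{"]


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Toy byte-flip mutation; a real engine such as libFuzzer is coverage-guided."""
    buf = bytearray(seed)
    for _ in range(rng.randint(1, 3)):
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    return bytes(buf)


if __name__ == "__main__":
    rng = random.Random(0)
    corpus = SEEDS + [mutate(rng.choice(SEEDS), rng) for _ in range(2000)]
    print("parsed=%d rejected=%d" % run(corpus))
```

The fixed-seed mutation loop only makes the example runnable offline; under OSS-Fuzz the engine supplies the inputs.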