I would like to help keep rdflib running smoothly by adding fuzz testing and integrating it with google/oss-fuzz. In case you are not familiar with fuzz testing, briefly, it is an additional layer of testing (working alongside other tests) that is particularly good at finding unexpected bugs as it doesn't rely on a developer's suspicion to target a piece of code for testing. Wikipedia explains it nicely:
In programming and software development, fuzzing or fuzz testing is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program. The program is then monitored for exceptions such as crashes, failing built-in code assertions, or potential memory leaks.
Google offers a free, continuous fuzzing service called OSS-Fuzz. If rdflib is integrated into OSS-Fuzz, the fuzz tests under rdflib will be built and then run once a day, to search for bugs and vulnerabilities. This service can be integrated with the CI for rdflib so that the fuzz tests are run for 10 min or so for every pull request, preventing buggy code from being merged.
I've opened up a pull request to add a basic fuzz-testing harness here #2233. If you are keen on adding rdflib to OSS-Fuzz I'd be happy to champion the integration :)
Hi @jesslatimer - I'm quite interested in more testing. I will have a look at your PR to see what this entails and give some feedback when I can, hopefully in the next week or two.
Not a problem. I look forward to hearing your comments and opinions.