
Add fuzzing audit report for Collector #2432

Merged
merged 5 commits into from
Dec 16, 2024

Conversation

AdamKorcz
Contributor

The OpenTelemetry Collector has undergone a fuzzing audit in collaboration with the CNCF and @reyang @jpkrohling @codeboten

The CNCF asks that fuzzing audit reports are stored in the respective project's repository. We thought this community repo is a great way to do that.

We have done the same for all previous CNCF fuzzing audits. Some examples are:

  1. Helm (community repo): Report
  2. containerd (website repo): Report
  3. Envoy (core repo): Report
  4. Lima (core repo): Report
  5. Crossplane (core repo): Report

@reyang
Member

reyang commented Nov 8, 2024

Thanks @AdamKorcz!

Member

@reyang reyang left a comment

LGTM.

I suggest that we change "Opentelemetry" to "OpenTelemetry" (check https://github.com/open-telemetry/opentelemetry-specification/tree/main/specification#project-naming) in the pdf file, it'll be better if there is a way for folks to add comments in the PR if this is a markdown file, but I understand that CNCF prefers pdf.


@reyang
Member

reyang commented Nov 8, 2024

@svrnm I think either this repo or https://github.com/open-telemetry/opentelemetry.io/ would work. Just want to get you informed in case you might have a strong preference.

@AdamKorcz
Contributor Author

> LGTM.
>
> I suggest that we change "Opentelemetry" to "OpenTelemetry" (check https://github.com/open-telemetry/opentelemetry-specification/tree/main/specification#project-naming) in the pdf file, it'll be better if there is a way for folks to add comments in the PR if this is a markdown file, but I understand that CNCF prefers pdf.

Updated in 2992691

@tigrannajaryan
Member

@AdamKorcz it is great to see fuzz tests added to the Collector. I have a couple quick questions:

  1. Did fuzzing find any bugs so far?
  2. I am unable to locate the fuzz tests in the contrib repo. I can see them in the core repo but not in the contrib. I may be looking at the wrong place.

@AdamKorcz
Contributor Author

AdamKorcz commented Nov 8, 2024

@tigrannajaryan

  1. There are no public bugs from the fuzzers. I can't comment on any private crashes here as they might have security implications, but feel free to message me on the CNCF slack. Edit: All emails on this list can view the private crashes: https://github.com/google/oss-fuzz/blob/81b41ad37a95577aa34ffa1f0711d467f897a619/projects/opentelemetry/project.yaml#L5.
  2. The contrib fuzzers stalled in this PR: add fuzz tests to multiple receivers and processors opentelemetry-collector-contrib#35715, but they are running on OSS-Fuzz from my branch. Would be great to see them merged.

@svrnm
Member

svrnm commented Nov 11, 2024

> @svrnm I think either this repo or open-telemetry/opentelemetry.io would work. Just want to get you informed in case you might have a strong preference.

No strong preference, both are fine with me.

What we could do, if we want to have it on the website, is pairing it with a blog post, so it is not just put somewhere, but also shared with our community and end users, similar to https://opentelemetry.io/blog/2024/security-audit-results/

@reyang
Member

reyang commented Dec 10, 2024

> @svrnm I think either this repo or open-telemetry/opentelemetry.io would work. Just want to get you informed in case you might have a strong preference.
>
> No strong preference, both are fine with me.
>
> What we could do, if we want to have it on the website, is pairing it with a blog post, so it is not just put somewhere, but also shared with our community and end users, similar to https://opentelemetry.io/blog/2024/security-audit-results/

@svrnm what would be the next step? Do you plan to merge this PR?

@svrnm
Member

svrnm commented Dec 11, 2024

> @svrnm I think either this repo or open-telemetry/opentelemetry.io would work. Just want to get you informed in case you might have a strong preference.
>
> No strong preference, both are fine with me.
>
> What we could do, if we want to have it on the website, is pairing it with a blog post, so it is not just put somewhere, but also shared with our community and end users, similar to https://opentelemetry.io/blog/2024/security-audit-results/
>
> @svrnm what would be the next step? Do you plan to merge this PR?

Merging works for me if we have the required amount of approvals, but if someone would sit down and write a few words I am also happy to have a blog post for it on the otel.io blog. Where the pdf lives doesn't matter, we can keep it here or we can have it as part of the blog post on the website.

Member

@trask trask left a comment


approving as I support it living either here or in website repo

@trask trask enabled auto-merge (squash) December 16, 2024 15:56
@trask trask disabled auto-merge December 16, 2024 16:01
@trask trask merged commit 7e33a87 into open-telemetry:main Dec 16, 2024
4 checks passed