From be24dc1c6e382186fb5d0d0db7344a5568097b38 Mon Sep 17 00:00:00 2001 From: Adam Korczynski Date: Thu, 19 Dec 2024 21:19:19 +0000 Subject: [PATCH 01/11] Add fuzzing audit blog post Signed-off-by: Adam Korczynski --- content/en/blog/2024/fuzzing-audit-results.md | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 content/en/blog/2024/fuzzing-audit-results.md diff --git a/content/en/blog/2024/fuzzing-audit-results.md b/content/en/blog/2024/fuzzing-audit-results.md new file mode 100644 index 000000000000..73c85b15c366 --- /dev/null +++ b/content/en/blog/2024/fuzzing-audit-results.md 
@@ -0,0 +1,19 @@ +--- +title: Opentelemetry Collector Completes Fuzzing Audit +linkTitle: Fuzzing Audit Results +date: 2024-12-19 +author: '[Adam Korczynski](https://github.com/AdamKorcz)' +issue: +sig: GC +--- + +Opentelemetry is happy to announce the completion of the Collectors fuzzing audit sponsored by [the CNCF](https://www.cncf.io/) and carried out by [Ada Logics](https://adalogics.com/). The audit marks a significant step in the Opentelemetry project ensuring the security and reliability of the collector for its users. + +Fuzzing is a testing technique that involves executing an API with a high amount of pseudo random inputs and observing the APIs behaviour. The technique has increased in popularity due to its empirical success in finding security vulnerabilities and reliability issues. Fuzzing initially developed with a focus on testing software implemented in memory-unsafe languages for which fuzzing has been most productive. However, in recent years, fuzzing has expanded to memory-safe languages alike for which the outcome has also been rewarding. + +Over several years, the CNCF has invested in fuzzing for its ecosystem which has resulted in finding numerous security vulnerabilities in widely used projects such as Helm (CVE-2022-36055, CVE-2022-23524, CVE-2022-23526, CVE-2022-23525), the Notary project (CVE-2023-25656), containerd (CVE-2023-25153), Crossplane (CVE-2023-28494, CVE-2023-27483) and Flux (CVE-2022-36049). + +The audit consisted of three main efforts: First, the Ada Logics auditors first integrated the Opentelemetry Collector into [OSS-Fuzz](https://github.com/google/oss-fuzz). OSS-Fuzz is a service offered by Google free of charge for critical open-source projects. Essentially, critical projects can integrate into OSS-Fuzz after which OSS-Fuzz will run the project's fuzzers with excess resources in a continuous manner multiple times per week. 
If OSS-Fuzz finds a crash, it notifies the project and checks if the project has fixed the crash upstream which will lead OSS-Fuzz to mark issues as fixed. The whole workflow happens continuously on Google's fuzzing infrastructure which is supported by thousands of CPU cores thereby outperforming what developers and malicious threat actors can muster. With Opentelemetry integrated into OSS-Fuzz, the fuzz tests continue to test the Collector after the audit has finished to ensure continued reliability. The second effort after the Ada Logics team integrated Opentelemetry into OSS-Fuzz was to write a series of fuzz tests for the Opentelemetry Collector. The auditors wrote 49 fuzz tests for core components of the Collector and several receivers and processors in the opentelemetry-collector-contrib repository. The third effort was to let the fuzz tests run while the audit team observed their health in production. At the completion of the fuzzing audit, the 49 fuzz tests run in a healthy manner on the OSS-Fuzz platform. + +A summary of the audit has been published [here](https://github.com/open-telemetry/community/blob/main/reports/ADA_Logics-collector-fuzzing-audit-2024.pdf). + From 7a0d1ddca8743e6e81d2cf4332383acac7de3194 Mon Sep 17 00:00:00 2001 From: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> Date: Fri, 20 Dec 2024 12:50:21 +0000 Subject: [PATCH 02/11] Update content/en/blog/2024/fuzzing-audit-results.md Co-authored-by: Tiffany Hrabusa <30397949+tiffany76@users.noreply.github.com> --- content/en/blog/2024/fuzzing-audit-results.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/blog/2024/fuzzing-audit-results.md b/content/en/blog/2024/fuzzing-audit-results.md index 73c85b15c366..80dad9d3ad29 100644 --- a/content/en/blog/2024/fuzzing-audit-results.md +++ b/content/en/blog/2024/fuzzing-audit-results.md 
@@ -1,5 +1,5 @@ --- -title: Opentelemetry Collector Completes Fuzzing Audit +title: OpenTelemetry Collector Completes Fuzzing Audit linkTitle: Fuzzing Audit Results date: 2024-12-19 author: '[Adam Korczynski](https://github.com/AdamKorcz)' From 6809ada462e74fdc6f718225a926c3970f54f63a Mon Sep 17 00:00:00 2001 From: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> Date: Fri, 20 Dec 2024 12:50:30 +0000 Subject: [PATCH 03/11] Update content/en/blog/2024/fuzzing-audit-results.md Co-authored-by: Tiffany Hrabusa <30397949+tiffany76@users.noreply.github.com> --- content/en/blog/2024/fuzzing-audit-results.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/blog/2024/fuzzing-audit-results.md b/content/en/blog/2024/fuzzing-audit-results.md index 80dad9d3ad29..dc62f57d38ec 100644 --- a/content/en/blog/2024/fuzzing-audit-results.md +++ b/content/en/blog/2024/fuzzing-audit-results.md 
@@ -7,7 +7,7 @@ issue: sig: GC --- -Opentelemetry is happy to announce the completion of the Collectors fuzzing audit sponsored by [the CNCF](https://www.cncf.io/) and carried out by [Ada Logics](https://adalogics.com/). The audit marks a significant step in the Opentelemetry project ensuring the security and reliability of the collector for its users. +OpenTelemetry is happy to announce the completion of the Collector's fuzzing audit sponsored by [the CNCF](https://www.cncf.io/) and carried out by [Ada Logics](https://adalogics.com/). The audit marks a significant step in the OpenTelemetry project, ensuring the security and reliability of the Collector for its users. Fuzzing is a testing technique that involves executing an API with a high amount of pseudo random inputs and observing the APIs behaviour. The technique has increased in popularity due to its empirical success in finding security vulnerabilities and reliability issues. Fuzzing initially developed with a focus on testing software implemented in memory-unsafe languages for which fuzzing has been most productive. However, in recent years, fuzzing has expanded to memory-safe languages alike for which the outcome has also been rewarding. From ea0ec7f00e6b5b27fea7b45d55cd2d5d4200c241 Mon Sep 17 00:00:00 2001 From: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> Date: Fri, 20 Dec 2024 12:50:36 +0000 Subject: [PATCH 04/11] Update content/en/blog/2024/fuzzing-audit-results.md Co-authored-by: Tiffany Hrabusa <30397949+tiffany76@users.noreply.github.com> --- content/en/blog/2024/fuzzing-audit-results.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/content/en/blog/2024/fuzzing-audit-results.md b/content/en/blog/2024/fuzzing-audit-results.md index dc62f57d38ec..d99d59352812 100644 --- a/content/en/blog/2024/fuzzing-audit-results.md +++ b/content/en/blog/2024/fuzzing-audit-results.md 
@@ -9,7 +9,9 @@ sig: GC OpenTelemetry is happy to announce the completion of the Collector's fuzzing audit sponsored by [the CNCF](https://www.cncf.io/) and carried out by [Ada Logics](https://adalogics.com/). The audit marks a significant step in the OpenTelemetry project, ensuring the security and reliability of the Collector for its users. -Fuzzing is a testing technique that involves executing an API with a high amount of pseudo random inputs and observing the APIs behaviour. The technique has increased in popularity due to its empirical success in finding security vulnerabilities and reliability issues. Fuzzing initially developed with a focus on testing software implemented in memory-unsafe languages for which fuzzing has been most productive. However, in recent years, fuzzing has expanded to memory-safe languages alike for which the outcome has also been rewarding. +## What is fuzzing? + +Fuzzing is a testing technique that executes an API with a high amount of pseudo-random inputs and observes the API's behavior. The technique has increased in popularity due to its empirical success in finding security vulnerabilities and reliability issues. Fuzzing initially developed with a focus on testing software implemented in memory-unsafe languages, where it has been most productive. However, in recent years, fuzzing has expanded to memory-safe languages as well. Over several years, the CNCF has invested in fuzzing for its ecosystem which has resulted in finding numerous security vulnerabilities in widely used projects such as Helm (CVE-2022-36055, CVE-2022-23524, CVE-2022-23526, CVE-2022-23525), the Notary project (CVE-2023-25656), containerd (CVE-2023-25153), Crossplane (CVE-2023-28494, CVE-2023-27483) and Flux (CVE-2022-36049). From 4f05391a3432e9e6182ec1f19b6e8c190c4ca3e2 Mon Sep 17 00:00:00 2001 
From: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> Date: Fri, 20 Dec 2024 12:50:44 +0000 Subject: [PATCH 05/11] Update content/en/blog/2024/fuzzing-audit-results.md Co-authored-by: Tiffany Hrabusa <30397949+tiffany76@users.noreply.github.com> --- content/en/blog/2024/fuzzing-audit-results.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/blog/2024/fuzzing-audit-results.md b/content/en/blog/2024/fuzzing-audit-results.md index d99d59352812..d96f0f049d37 100644 --- a/content/en/blog/2024/fuzzing-audit-results.md +++ b/content/en/blog/2024/fuzzing-audit-results.md 
@@ -13,7 +13,7 @@ OpenTelemetry is happy to announce the completion of the Collector's fuzzing aud Fuzzing is a testing technique that executes an API with a high amount of pseudo-random inputs and observes the API's behavior. The technique has increased in popularity due to its empirical success in finding security vulnerabilities and reliability issues. Fuzzing initially developed with a focus on testing software implemented in memory-unsafe languages, where it has been most productive. However, in recent years, fuzzing has expanded to memory-safe languages as well. -Over several years, the CNCF has invested in fuzzing for its ecosystem which has resulted in finding numerous security vulnerabilities in widely used projects such as Helm (CVE-2022-36055, CVE-2022-23524, CVE-2022-23526, CVE-2022-23525), the Notary project (CVE-2023-25656), containerd (CVE-2023-25153), Crossplane (CVE-2023-28494, CVE-2023-27483) and Flux (CVE-2022-36049). +Over several years, the CNCF has invested in fuzzing for its ecosystem. This testing has found numerous security vulnerabilities in widely used projects such as Helm (CVE-2022-36055, CVE-2022-23524, CVE-2022-23526, CVE-2022-23525), the Notary project (CVE-2023-25656), containerd (CVE-2023-25153), Crossplane (CVE-2023-28494, CVE-2023-27483) and Flux (CVE-2022-36049). The audit consisted of three main efforts: First, the Ada Logics auditors first integrated the Opentelemetry Collector into [OSS-Fuzz](https://github.com/google/oss-fuzz). OSS-Fuzz is a service offered by Google free of charge for critical open-source projects. Essentially, critical projects can integrate into OSS-Fuzz after which OSS-Fuzz will run the project's fuzzers with excess resources in a continuous manner multiple times per week. If OSS-Fuzz finds a crash, it notifies the project and checks if the project has fixed the crash upstream which will lead OSS-Fuzz to mark issues as fixed. 
The whole workflow happens continuously on Google's fuzzing infrastructure which is supported by thousands of CPU cores thereby outperforming what developers and malicious threat actors can muster. With Opentelemetry integrated into OSS-Fuzz, the fuzz tests continue to test the Collector after the audit has finished to ensure continued reliability. The second effort after the Ada Logics team integrated Opentelemetry into OSS-Fuzz was to write a series of fuzz tests for the Opentelemetry Collector. The auditors wrote 49 fuzz tests for core components of the Collector and several receivers and processors in the opentelemetry-collector-contrib repository. The third effort was to let the fuzz tests run while the audit team observed their health in production. At the completion of the fuzzing audit, the 49 fuzz tests run in a healthy manner on the OSS-Fuzz platform. From 7851928a7bc3345a4f7662ae95e839749c85ee84 Mon Sep 17 00:00:00 2001 From: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> Date: Fri, 20 Dec 2024 12:50:55 +0000 Subject: [PATCH 06/11] Update content/en/blog/2024/fuzzing-audit-results.md Co-authored-by: Tiffany Hrabusa <30397949+tiffany76@users.noreply.github.com> --- content/en/blog/2024/fuzzing-audit-results.md | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/content/en/blog/2024/fuzzing-audit-results.md b/content/en/blog/2024/fuzzing-audit-results.md index d96f0f049d37..cd502a9b8256 100644 --- a/content/en/blog/2024/fuzzing-audit-results.md +++ b/content/en/blog/2024/fuzzing-audit-results.md 
@@ -15,7 +15,17 @@ Fuzzing is a testing technique that executes an API with a high amount of pseudo Over several years, the CNCF has invested in fuzzing for its ecosystem. This testing has found numerous security vulnerabilities in widely used projects such as Helm (CVE-2022-36055, CVE-2022-23524, CVE-2022-23526, CVE-2022-23525), the Notary project (CVE-2023-25656), containerd (CVE-2023-25153), Crossplane (CVE-2023-28494, CVE-2023-27483) and Flux (CVE-2022-36049). -The audit consisted of three main efforts: First, the Ada Logics auditors first integrated the Opentelemetry Collector into [OSS-Fuzz](https://github.com/google/oss-fuzz). OSS-Fuzz is a service offered by Google free of charge for critical open-source projects. Essentially, critical projects can integrate into OSS-Fuzz after which OSS-Fuzz will run the project's fuzzers with excess resources in a continuous manner multiple times per week. If OSS-Fuzz finds a crash, it notifies the project and checks if the project has fixed the crash upstream which will lead OSS-Fuzz to mark issues as fixed. The whole workflow happens continuously on Google's fuzzing infrastructure which is supported by thousands of CPU cores thereby outperforming what developers and malicious threat actors can muster. With Opentelemetry integrated into OSS-Fuzz, the fuzz tests continue to test the Collector after the audit has finished to ensure continued reliability. The second effort after the Ada Logics team integrated Opentelemetry into OSS-Fuzz was to write a series of fuzz tests for the Opentelemetry Collector. The auditors wrote 49 fuzz tests for core components of the Collector and several receivers and processors in the opentelemetry-collector-contrib repository. The third effort was to let the fuzz tests run while the audit team observed their health in production. At the completion of the fuzzing audit, the 49 fuzz tests run in a healthy manner on the OSS-Fuzz platform. 
+## OSS-Fuzz + +To initiate the audit, Ada Logics auditors integrated the OpenTelemetry Collector into [OSS-Fuzz](https://github.com/google/oss-fuzz). OSS-Fuzz is a service offered by Google to critical open source projects, free of charge. The service runs a project's fuzzers with excess resources multiple times per week. If OSS-Fuzz finds a crash, it notifies the project. It then checks if the project has fixed the crash upstream and if so, marks the issue(s) as fixed. The whole workflow happens continuously on Google's fuzzing infrastructure, supported by thousands of CPU cores. These testing resources outperform what developers or malicious threat actors can muster. + +## The tests + +After the Ada Logics team integrated OpenTelemetry into OSS-Fuzz, the next step was to write a series of fuzz tests for the OpenTelemetry Collector. The auditors wrote 49 fuzz tests for core components of the Collector, as well as several receivers and processors in the `opentelemetry-collector-contrib` repository. + +The fuzz tests were left to run while the audit team observed their health in production. At the completion of the fuzzing audit, the 49 fuzz tests on the OSS-Fuzz platform were healthy. + +To ensure continued reliability, the fuzz testing continues on the Collector even though the audit is complete. A summary of the audit has been published [here](https://github.com/open-telemetry/community/blob/main/reports/ADA_Logics-collector-fuzzing-audit-2024.pdf). From b826052ae15fa6bb857568de8f37ad50f7ef22ea Mon Sep 17 00:00:00 2001 From: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> Date: Fri, 20 Dec 2024 12:51:18 +0000 Subject: [PATCH 07/11] Update content/en/blog/2024/fuzzing-audit-results.md Co-authored-by: Tiffany Hrabusa <30397949+tiffany76@users.noreply.github.com> --- content/en/blog/2024/fuzzing-audit-results.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) 
diff --git a/content/en/blog/2024/fuzzing-audit-results.md b/content/en/blog/2024/fuzzing-audit-results.md index cd502a9b8256..5e2cb6d46155 100644 --- a/content/en/blog/2024/fuzzing-audit-results.md +++ b/content/en/blog/2024/fuzzing-audit-results.md @@ -27,5 +27,11 @@ The fuzz tests were left to run while the audit team observed their health in pr To ensure continued reliability, the fuzz testing continues on the Collector even though the audit is complete. -A summary of the audit has been published [here](https://github.com/open-telemetry/community/blob/main/reports/ADA_Logics-collector-fuzzing-audit-2024.pdf). +## The results so far + +Fuzz testing for the Collector is ongoing, allowing for changes to the project to be tested as well. As of the date of this post, no crashes have been detected. + +But the work is not done! The Ada Logics team created the Collector's fuzzing setup as a reference implementation that other OpenTelemetry subprojects can rely on to create their own fuzz testing, ensuring greater stability for the project as a whole. + +For more insight into the audit process, see the [published summary](https://github.com/open-telemetry/community/blob/main/reports/ADA_Logics-collector-fuzzing-audit-2024.pdf). From b99f6030809ad2aaa4fcd2bacc8c0d2257b6d51a Mon Sep 17 00:00:00 2001 From: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> Date: Fri, 20 Dec 2024 12:51:59 +0000 Subject: [PATCH 08/11] Update content/en/blog/2024/fuzzing-audit-results.md Co-authored-by: Severin Neumann --- content/en/blog/2024/fuzzing-audit-results.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/blog/2024/fuzzing-audit-results.md b/content/en/blog/2024/fuzzing-audit-results.md index 5e2cb6d46155..0c1f6c0ba65b 100644 --- a/content/en/blog/2024/fuzzing-audit-results.md +++ b/content/en/blog/2024/fuzzing-audit-results.md 
@@ -3,7 +3,7 @@ title: OpenTelemetry Collector Completes Fuzzing Audit linkTitle: Fuzzing Audit Results date: 2024-12-19 author: '[Adam Korczynski](https://github.com/AdamKorcz)' -issue: +issue: 5798 sig: GC --- From 728c7a2cac07b699c984ee9bb8f39a04315e0b95 Mon Sep 17 00:00:00 2001 From: Severin Neumann Date: Fri, 20 Dec 2024 15:19:23 +0100 Subject: [PATCH 09/11] Update content/en/blog/2024/fuzzing-audit-results.md --- content/en/blog/2024/fuzzing-audit-results.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/blog/2024/fuzzing-audit-results.md b/content/en/blog/2024/fuzzing-audit-results.md index 0c1f6c0ba65b..fbcae5874d01 100644 --- a/content/en/blog/2024/fuzzing-audit-results.md +++ b/content/en/blog/2024/fuzzing-audit-results.md @@ -1,7 +1,7 @@ --- title: OpenTelemetry Collector Completes Fuzzing Audit linkTitle: Fuzzing Audit Results -date: 2024-12-19 +date: 2024-12-20 author: '[Adam Korczynski](https://github.com/AdamKorcz)' issue: 5798 sig: GC From 830dc7b054b97a7e1cf697da6822c3acdf3dd08e Mon Sep 17 00:00:00 2001 From: opentelemetrybot <107717825+opentelemetrybot@users.noreply.github.com> Date: Fri, 20 Dec 2024 14:53:42 +0000 Subject: [PATCH 10/11] Results from /fix:all --- content/en/blog/2024/fuzzing-audit-results.md | 56 +++++++++++++++---- static/refcache.json | 12 ++++ 2 files changed, 57 insertions(+), 11 deletions(-) diff --git a/content/en/blog/2024/fuzzing-audit-results.md b/content/en/blog/2024/fuzzing-audit-results.md index fbcae5874d01..97a1f317a70c 100644 --- a/content/en/blog/2024/fuzzing-audit-results.md +++ b/content/en/blog/2024/fuzzing-audit-results.md 
@@ -7,31 +7,65 @@ issue: 5798 sig: GC --- -OpenTelemetry is happy to announce the completion of the Collector's fuzzing audit sponsored by [the CNCF](https://www.cncf.io/) and carried out by [Ada Logics](https://adalogics.com/). The audit marks a significant step in the OpenTelemetry project, ensuring the security and reliability of the Collector for its users. +OpenTelemetry is happy to announce the completion of the Collector's fuzzing +audit sponsored by [the CNCF](https://www.cncf.io/) and carried out by +[Ada Logics](https://adalogics.com/). The audit marks a significant step in the +OpenTelemetry project, ensuring the security and reliability of the Collector +for its users. ## What is fuzzing? -Fuzzing is a testing technique that executes an API with a high amount of pseudo-random inputs and observes the API's behavior. The technique has increased in popularity due to its empirical success in finding security vulnerabilities and reliability issues. Fuzzing initially developed with a focus on testing software implemented in memory-unsafe languages, where it has been most productive. However, in recent years, fuzzing has expanded to memory-safe languages as well. +Fuzzing is a testing technique that executes an API with a high amount of +pseudo-random inputs and observes the API's behavior. The technique has +increased in popularity due to its empirical success in finding security +vulnerabilities and reliability issues. Fuzzing initially developed with a focus +on testing software implemented in memory-unsafe languages, where it has been +most productive. However, in recent years, fuzzing has expanded to memory-safe +languages as well. -Over several years, the CNCF has invested in fuzzing for its ecosystem. 
This testing has found numerous security vulnerabilities in widely used projects such as Helm (CVE-2022-36055, CVE-2022-23524, CVE-2022-23526, CVE-2022-23525), the Notary project (CVE-2023-25656), containerd (CVE-2023-25153), Crossplane (CVE-2023-28494, CVE-2023-27483) and Flux (CVE-2022-36049). +Over several years, the CNCF has invested in fuzzing for its ecosystem. This +testing has found numerous security vulnerabilities in widely used projects such +as Helm (CVE-2022-36055, CVE-2022-23524, CVE-2022-23526, CVE-2022-23525), the +Notary project (CVE-2023-25656), containerd (CVE-2023-25153), Crossplane +(CVE-2023-28494, CVE-2023-27483) and Flux (CVE-2022-36049). ## OSS-Fuzz -To initiate the audit, Ada Logics auditors integrated the OpenTelemetry Collector into [OSS-Fuzz](https://github.com/google/oss-fuzz). OSS-Fuzz is a service offered by Google to critical open source projects, free of charge. The service runs a project's fuzzers with excess resources multiple times per week. If OSS-Fuzz finds a crash, it notifies the project. It then checks if the project has fixed the crash upstream and if so, marks the issue(s) as fixed. The whole workflow happens continuously on Google's fuzzing infrastructure, supported by thousands of CPU cores. These testing resources outperform what developers or malicious threat actors can muster. +To initiate the audit, Ada Logics auditors integrated the OpenTelemetry +Collector into [OSS-Fuzz](https://github.com/google/oss-fuzz). OSS-Fuzz is a +service offered by Google to critical open source projects, free of charge. The +service runs a project's fuzzers with excess resources multiple times per week. +If OSS-Fuzz finds a crash, it notifies the project. It then checks if the +project has fixed the crash upstream and if so, marks the issue(s) as fixed. The +whole workflow happens continuously on Google's fuzzing infrastructure, +supported by thousands of CPU cores. 
These testing resources outperform what +developers or malicious threat actors can muster. ## The tests -After the Ada Logics team integrated OpenTelemetry into OSS-Fuzz, the next step was to write a series of fuzz tests for the OpenTelemetry Collector. The auditors wrote 49 fuzz tests for core components of the Collector, as well as several receivers and processors in the `opentelemetry-collector-contrib` repository. +After the Ada Logics team integrated OpenTelemetry into OSS-Fuzz, the next step +was to write a series of fuzz tests for the OpenTelemetry Collector. The +auditors wrote 49 fuzz tests for core components of the Collector, as well as +several receivers and processors in the `opentelemetry-collector-contrib` +repository. -The fuzz tests were left to run while the audit team observed their health in production. At the completion of the fuzzing audit, the 49 fuzz tests on the OSS-Fuzz platform were healthy. +The fuzz tests were left to run while the audit team observed their health in +production. At the completion of the fuzzing audit, the 49 fuzz tests on the +OSS-Fuzz platform were healthy. -To ensure continued reliability, the fuzz testing continues on the Collector even though the audit is complete. +To ensure continued reliability, the fuzz testing continues on the Collector +even though the audit is complete. ## The results so far -Fuzz testing for the Collector is ongoing, allowing for changes to the project to be tested as well. As of the date of this post, no crashes have been detected. +Fuzz testing for the Collector is ongoing, allowing for changes to the project +to be tested as well. As of the date of this post, no crashes have been +detected. -But the work is not done! The Ada Logics team created the Collector's fuzzing setup as a reference implementation that other OpenTelemetry subprojects can rely on to create their own fuzz testing, ensuring greater stability for the project as a whole. 
- -For more insight into the audit process, see the [published summary](https://github.com/open-telemetry/community/blob/main/reports/ADA_Logics-collector-fuzzing-audit-2024.pdf). +But the work is not done! The Ada Logics team created the Collector's fuzzing +setup as a reference implementation that other OpenTelemetry subprojects can +rely on to create their own fuzz testing, ensuring greater stability for the +project as a whole. +For more insight into the audit process, see the +[published summary](https://github.com/open-telemetry/community/blob/main/reports/ADA_Logics-collector-fuzzing-audit-2024.pdf). diff --git a/static/refcache.json b/static/refcache.json index ee2e246570dd..707a9a56df52 100644 --- a/static/refcache.json +++ b/static/refcache.json @@ -59,6 +59,10 @@ "StatusCode": 200, "LastSeen": "2024-08-09T10:46:17.075695-04:00" }, + "https://adalogics.com/": { + "StatusCode": 200, + "LastSeen": "2024-12-20T14:53:22.847313555Z" + }, "https://adri-v.medium.com/43dca4a857a0": { "StatusCode": 200, "LastSeen": "2024-02-23T23:30:53.006527-05:00" @@ -3899,6 +3903,10 @@ "StatusCode": 200, "LastSeen": "2024-08-06T15:19:48.633928+02:00" }, + "https://github.com/AdamKorcz": { + "StatusCode": 200, + "LastSeen": "2024-12-20T14:53:22.289195232Z" + }, "https://github.com/AkhigbeEromo": { "StatusCode": 200, "LastSeen": "2024-12-17T15:37:25.440239-05:00" @@ -5251,6 +5259,10 @@ "StatusCode": 200, "LastSeen": "2024-11-07T20:32:07.730871-05:00" }, + "https://github.com/google/oss-fuzz": { + "StatusCode": 200, + "LastSeen": "2024-12-20T14:53:23.420338032Z" + }, "https://github.com/google/pprof": { "StatusCode": 200, "LastSeen": "2024-10-24T15:10:16.695786+02:00" From d51ab2587b60f6fe44d110025445ce9aa6bfcb75 Mon Sep 17 00:00:00 2001 From: Severin Neumann Date: Fri, 20 Dec 2024 16:10:18 +0100 Subject: [PATCH 11/11] Update content/en/blog/2024/fuzzing-audit-results.md --- content/en/blog/2024/fuzzing-audit-results.md | 1 + 1 file changed, 1 insertion(+) 
diff --git a/content/en/blog/2024/fuzzing-audit-results.md b/content/en/blog/2024/fuzzing-audit-results.md index 97a1f317a70c..a3ad3552a51b 100644 --- a/content/en/blog/2024/fuzzing-audit-results.md +++ b/content/en/blog/2024/fuzzing-audit-results.md @@ -5,6 +5,7 @@ date: 2024-12-20 author: '[Adam Korczynski](https://github.com/AdamKorcz)' issue: 5798 sig: GC +cSpell:ignore: Korczynski containerd --- OpenTelemetry is happy to announce the completion of the Collector's fuzzing
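Review bot: on the PATCH 01/11 hunk, the wording it introduces is patched piecemeal by PATCH 02 through 09, each of which rewrites one or two lines of this same file (the "Opentelemetry" capitalization, "Collectors" without the apostrophe, the duplicated "First, the Ada Logics auditors first", the empty `issue:` field, the date). Squash those suggestion commits into this one before merging so the history carries a single coherent change rather than nine fixups of the same 19-line file.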
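Review bot: in the PATCH 06/11 hunk, "runs a project's fuzzers with excess resources" reads as "too many"; "extensive" or "large-scale" is what is meant. The closing claim "These testing resources outperform what developers or malicious threat actors can muster" is asserted without support and should be softened to what the post can stand behind (far more CPU time than a project's own CI). The same paragraph should also say where maintainers receive an OSS-Fuzz crash notification and how a crash with security impact is handled (a link to the Collector's security reporting policy would do), since readers of a security post will want the disclosure flow, not only the "notifies the project ... marks the issue(s) as fixed" summary.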
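Review bot: in the PATCH 07/11 hunk, "As of the date of this post, no crashes have been detected" needs the bound that makes it meaningful: state since when the tests have been running on OSS-Fuzz, and that the statement covers the entry points exercised by the 49 harnesses rather than the Collector as a whole, so it is not read as a blanket assurance. The paragraph presenting the setup as "a reference implementation that other OpenTelemetry subprojects can rely on" should link to where the fuzzers and the OSS-Fuzz configuration live; the only link in the hunk is the PDF summary, which is not what a subproject copying the setup needs.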
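Review bot: the `/fix:all` rewrap in the PATCH 10/11 hunk for `fuzzing-audit-results.md` removes the blank line between "project as a whole." and "For more insight into the audit process, see the" without adding one back: the hunk removes 11 lines and adds 45, which matches the diffstat, and the added lines run straight from "+project as a whole." into "+For more insight". Markdown will therefore merge the last two paragraphs into one; restore the blank line before "For more insight".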