[Development] Qt in Google's OSS-Fuzz

Milian Wolff milian.wolff at kdab.com
Mon Dec 5 14:11:08 CET 2016

On Sunday, December 4, 2016 10:28:16 PM CET Peter Hartmann wrote:
> Hello,
> after Google announced their continuous fuzzing approach some days ago
> (see [1]), I tried to make Qt work with it and the fuzzing testcases I
> have written the last weeks ([2]).
> If people agree, we could try going forward with putting Qt onto
> OSS-Fuzz as well. I am almost there with setting it up ([3]), and once
> this is done I don't expect a lot of maintenance.
> The fuzzing test cases ([2]) could be hosted as a Qt playground project
> instead of github if desired.
> As a side note, this platform already contains libraries that Qt uses,
> e.g. OpenSSL, zlib, harfbuzz, ICU and others.

I'd like to see that happen, more testing is always a win. But we will need to 
learn from the coverity lessons:

- make sure from the start that multiple people in the qt community know how 
to update the tests (and qt version), and access the results
- make sure that qt security list gets notified about potential securitiy 
issues found therein

Peppe (CC'ed) has also just recently looked into fuzzing, he probably has 
something to add.

Milian Wolff | milian.wolff at kdab.com | Software Engineer
KDAB (Deutschland) GmbH&Co KG, a KDAB Group company
Tel: +49-30-521325470
KDAB - The Qt Experts
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5903 bytes
Desc: not available
URL: <http://lists.qt-project.org/pipermail/development/attachments/20161205/33853998/attachment.bin>

More information about the Development mailing list