Google launched ClusterFuzzLite, a continuous fuzzing tool to bolster supply chain security. Google software engineers Jonathan Metzman and Oliver Chang, together with Michael Winser, product lead for Google CI/CD products, published a blog post saying that the new tool can run as part of CI/CD workflows to find vulnerabilities in less time.
Fuzzing is an automated testing technique used to find bugs or unexpected behaviour by inputting random and invalid data into programs. The process may flag up vulnerabilities or errors that manual analysts may miss. ClusterFuzzLite is based on ClusterFuzz, an open-source, scalable fuzzing infrastructure released by Google and used as the foundation for the OSS-Fuzz program.
Is there a difference between ClusterFuzz and ClusterFuzzLite?
Google says that ClusterFuzzLite can be integrated into existing workflows to fuzz pull requests, improving the chances of finding bugs and vulnerabilities earlier, before anything is committed.
ClusterFuzz and ClusterFuzzLite contain some of the same features, including report creation, continuous fuzzing, and sanitizer support. The team says that they differ during setup, as ClusterFuzz is easier to set up with closed-source projects. ClusterFuzz supports Google Cloud Build, GitHub Actions, and Prow.
Fuzzing for all
The team also said that ClusterFuzzLite makes fuzzing more than just an idealized bonus step of testing for those who have access to it. It is becoming a test that has to be run for any software project.
The team said that finding and preventing bugs before they get into the codebase will result in a more secure software ecosystem. The documentation for this tool can be read on GitHub.
In February, Google launched its Open-Source Vulnerabilities website for open-source vulnerability mapping.