



Google has released ClusterFuzz Lite, an ongoing fuzzing solution to improve the security of its software supply chain.

On Thursday, Google software engineers Jonathan Metzman and Oliver Chang, along with Google’s CI / CD product leader Michael Winser, wrote in a blog post that the new tool “runs as part of the CI / CD workflow to exploit vulnerabilities.” You can find it sooner. ” So far. “

Fuzzing is an automated testing technique for finding bugs and unexpected behavior by entering invalid and random data into a program. This allows you to flag vulnerabilities and errors that may go unnoticed by manual analysis.

A new tool, ClusterFuzz Lite, is based on ClusterFuzz, an open source scalable fuzzing infrastructure previously released by Google and used as the fuzzing backbone for OSS-Fuzz programs.

According to Google, ClusterFuzzLite can be integrated into existing workflows to fuzz pull requests, increasing the likelihood of finding vulnerabilities early in the development process before changes are committed.

ClusterFuzz and ClusterFuzzLite include some of the same features such as continuous fuzzing, coverage reporting, sanitizer support, etc., but the main difference is that ClusterFuzz is easy to set up in a closed source project, so it was developed. Is available to people. Of it to fuzz their software right away.

Currently, ClusterFuzzLite supports GitHub Actions, Google Cloud Build, and Prow.

“With ClusterFuzzLite, fuzzing isn’t the ideal” bonus “test round for anyone with access to fuzzing, but an important mandatory step that everyone can use continuously in any software project,” the team said. Stated. “By finding and preventing bugs before they enter the code base, we can build a safer software ecosystem.”

Documentation on the tool can be accessed on GitHub.

In February, Google launched the Open Source Vulnerabilities (OSV) website, an open source vulnerability mapping platform.

