Introducing OSS-Fuzz insights

Eve Martin-Jones, Open Source Insights Team

Deps.dev is continually adding new features to help developers assess the security of open source projects and the risks posed by adopting them as dependencies. Today, deps.dev is excited to announce the integration of data from projects tested by the OSS-Fuzz service. This new integration will provide users with a signal that the maintainers of a project are actively maintaining good security practices — including preventive measures — to safeguard the project from major vulnerabilities.

Fuzz testing, or fuzzing, is an automated software testing technique that involves providing random data as input to a program to find bugs that might not be found by other testing methods such as manual or unit testing. To developers considering using an open source project, fuzzing provides a positive signal about the security posture of that project: it shows investment from maintainers and ongoing work to discover and mitigate vulnerabilities.

Google’s OSS-Fuzz is a free service that continuously fuzzes critical open source projects. Its fuzzing runs all day, every day, and an individual project may be fuzzed more than once in a 24-hour period to catch new bugs introduced with code changes as soon as possible. As of July 2023, OSS-Fuzz has helped identify and fix over 9,600 vulnerabilities and 30,600 bugs across more than 1,000 projects, including widely used projects such as netty and spring-framework.

Deps.dev now tells you whether a project is fuzzed with OSS-Fuzz and, if so, the percentage of lines of code covered and the configuration details for the project, which show how thoroughly and in what way the project is fuzzed. For example, google/leveldb’s page on deps.dev shows that 75.1% of the project is fuzzed, and links directly to the configurations in the OSS-Fuzz GitHub repository for those who want to dig deeper into the details of how the project is fuzzed:

Screenshot of deps.dev OSS-Fuzz UI for the google/leveldb project
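To make the two ideas above concrete, what a fuzz target actually is and where a line-coverage percentage like leveldb's 75.1% comes from, here is an added, self-contained example. It is not code from deps.dev, OSS-Fuzz or the leveldb project: the port parser, its deliberate defect, the probe-based coverage counter and the small deterministic driver that stands in for the fuzzing engine are all constructed for this illustration. Only the `LLVMFuzzerTestOneInput` signature is the real one that OSS-Fuzz builds and calls.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* --- Code under test (constructed for this example) ------------------------
 * Parse a decimal TCP port from a non-NUL-terminated buffer.
 * Returns the port, or -1 if the input is not a valid port string.
 * Defect: the accumulator is 16 bits wide, so "65536" wraps to 0 and
 * values above 65535 are accepted instead of rejected.
 * The PROBE() calls stand in for the compiler's coverage instrumentation. */
#define NPROBES 5
static int probes[NPROBES];
#define PROBE(i) (probes[(i)] = 1)

static int parse_port(const uint8_t *s, size_t n) {
    uint16_t acc = 0;                 /* BUG: too narrow to catch > 65535 */
    PROBE(0);
    if (n == 0 || n > 5) { PROBE(1); return -1; }
    for (size_t i = 0; i < n; i++) {
        if (s[i] < '0' || s[i] > '9') { PROBE(2); return -1; }
        PROBE(3);
        acc = (uint16_t)(acc * 10 + (s[i] - '0'));
    }
    PROBE(4);
    return acc;
}

/* Reference implementation used as the oracle: same contract, written for
 * clarity rather than speed, and it rejects anything above 65535. */
static long parse_port_ref(const uint8_t *s, size_t n) {
    unsigned long acc = 0;
    if (n == 0 || n > 5) return -1;
    for (size_t i = 0; i < n; i++) {
        if (s[i] < '0' || s[i] > '9') return -1;
        acc = acc * 10 + (unsigned long)(s[i] - '0');
    }
    return acc > 65535 ? -1 : (long)acc;
}

/* --- Fuzz target -----------------------------------------------------------
 * Differential check: the two parsers must agree on every input.
 * Returns 1 on a finding, 0 otherwise. */
static int fuzz_target(const uint8_t *data, size_t size) {
    return (long)parse_port(data, size) != parse_port_ref(data, size);
}

/* Entry point with the exact signature OSS-Fuzz/libFuzzer calls. A finding
 * aborts so the engine records a crash plus the reproducing input. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    if (fuzz_target(data, size)) abort();
    return 0;
}

/* --- Minimal stand-in for the fuzzing engine -------------------------------
 * Deterministic PRNG so runs are reproducible. */
static uint32_t rng_state = 2463534242u;
static uint32_t xorshift32(void) {
    uint32_t x = rng_state;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return rng_state = x;
}

static uint8_t g_found[8];   /* first input that produced a finding */
static size_t g_found_len;

/* Generate up to max_iters random inputs over a digit-heavy alphabet.
 * Returns the iteration index of the first finding, or -1 if none. */
static long run_fuzzer(unsigned max_iters) {
    static const char alphabet[] = "0123456789:x";
    for (unsigned it = 0; it < max_iters; it++) {
        uint8_t buf[8];
        size_t len = xorshift32() % 8;   /* 0..7 bytes exercises the length checks */
        for (size_t i = 0; i < len; i++)
            buf[i] = (uint8_t)alphabet[xorshift32() % (sizeof alphabet - 1)];
        if (fuzz_target(buf, len)) {
            memcpy(g_found, buf, len);
            g_found_len = len;
            return (long)it;
        }
    }
    return -1;
}

/* Percentage of instrumented probes hit so far: the same kind of figure
 * deps.dev reports as line coverage for a fuzzed project. */
static int coverage_percent(void) {
    int hit = 0;
    for (int i = 0; i < NPROBES; i++) hit += probes[i];
    return hit * 100 / NPROBES;
}

int main(void) {
    long it = run_fuzzer(20000);
    if (it < 0) { puts("no finding within budget"); return 0; }
    printf("finding after %ld inputs: \"%.*s\" -> fast=%d ref=%ld (coverage %d%%)\n",
           it, (int)g_found_len, (const char *)g_found,
           parse_port(g_found, g_found_len), parse_port_ref(g_found, g_found_len),
           coverage_percent());
    return 0;
}
```

Two things are worth noticing when running it. The oracle is not a hand-written list of expected outputs but a second implementation, which is how many real OSS-Fuzz targets are written when a project has a simple reference decoder; and the coverage figure only says which instrumented points the fuzzer has reached, so a project can report high coverage and still have a bug the oracle does not know how to recognise.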

We are pleased that this integration will help our users to make more informed security decisions and will highlight the investments that maintainers have made into their project’s security. To get started checking out the fuzzing data for your favorite project, just navigate to the project’s page on deps.dev!