Google has recently announced the launch of ClusterFuzzLite – a dedicated fuzzing tool for CI/CD workflows to find vulnerabilities. Google believes this tool can help improve software supply chain security.
ClusterFuzzLite Security Tool Launched
In a blog post, Google Open Source Security Team has announced launching ClusterFuzzLite as an integrated CI/CD workflow security tool.
Describing its functionality, the post reads that ClusterFuzzLite is a reliable tool for continuous fuzzing – a software testing technique that works on random and valid data input to the programs to detect vulnerabilities.
It can run as an integrated tool to spot bugs that may escape manual code review.
Users can easily integrate this tool into their workflow to start fuzzing from the early development stages for supply chain security. As stated in the post,
With just a few lines of code, GitHub users can integrate ClusterFuzzLite into their workflow and fuzz pull requests to catch bugs before they are committed.
Google further explained that this tool works with OSS-Fuzz – another open-source tool from Google released earlier, to detect regression vulnerabilities during development.
ClusterFuzzLite offers functionalities similar to ClusterFuzz, but it is easy to set up and supports closed-source projects testing. That’s how it becomes a feasible fuzzing tool for developers.
Currently, this tool is already in use by systemd and curl projects during code review. Praising this tool for its efficiency, the author of curl, Daniel Stenberg, commented,
When the human reviewers nod and have approved the code and your static code analyzers and linters can’t detect any more issues, fuzzing is what takes you to the next level of code maturity and robustness. OSS-Fuzz and ClusterFuzzLite help us maintain curl as a quality project, around the clock, every day and every commit.
Interested users can get ClusterFuzzLite from GitHub.
Let us know your thoughts in the comments.