We are excited to bring Transform 2022 back in-person July 19 and virtually July 20 - 28. Join AI and data leaders for insightful talks and exciting networking opportunities. Register today!

Let the OSS Enterprise newsletter guide your open source journey! Sign up here.

Google has announced a new open source “fuzzing” project called ClusterFuzzLite, serving as a lighter-weight version of the internet giant’s existing ClusterFuzz tool, which it open-sourced nearly three years ago.

Fuzz testing, or “fuzzing” as it’s often called, is an automated software testing technique that involves throwing invalid or random data (“fuzz”) at a computer program before it’s deployed to see how it reacts. This can help developers find bugs and flaws that could otherwise be exploited by bad actors.

With software supply chain attacks on the increase, this has shone a light on the role that open source software plays in business-critical applications — and the inherent vulnerabilities such software contains. Countless organizations, from government agencies to hospitals and corporations, have been hit by targeted software supply chain attacks over the past year, leading U.S. President Biden to issue an executive order outlining measures to combat these threats. In response, the National Institute of Standards and Technology (NIST) issued guidelines for software verification, with fuzzing included as part of its recommended “minimum standards” for software testing.


Transform 2022

Join us at the leading event on applied AI for enterprise business and technology decision makers in-person July 19 and virtually from July 20-28.

Register Here

Caught by the fuzz

Back in 2016, Google launched OSS-Fuzz, which combines various fuzzing engines to serve popular open source software projects with continuous fuzzing as part of their quality assurance (QA) processes. Shortly after, Google started offering OSS-Fuzz’s ClusterFuzz backend as a free service, and then went on to open-source ClusterFuzz itself in 2019.

Above: ClusterFuzzLite

Fast-forward to today, and Google said that more than 500 “critical” open source projects have integrated with the OSS-Fuzz program, which in turn has identified some 6,500 vulnerabilities and fixed 21,000 functional bugs.

While ClusterFuzzLite offers many of the same features as ClusterFuzz such as continuous fuzzing, it’s essentially a stripped-down alternative that’s easier to set up as part of developers’ continuous integration (CI) workflows, requiring just a few lines of code. Specifically, ClusterFuzzLite can be used to fuzz pull requests on GitHub, something that ClusterFuzz can’t be used for, helping to catch bugs before they are committed to the main codebase.

“With just a few lines of code, GitHub users can integrate ClusterFuzzLite into their workflow and fuzz pull requests to catch bugs before they are committed, enhancing the overall security of the software supply chain,” a Google blog post stated.

At launch, ClusterFuzzLite officially supports a handful of CI systems including GitHub Actions and Google Cloud Build, though it also supports Prow as part of an early-stage beta. Google said that given ClusterFuzzLite was built with extensibility in mind, it’s easy to add support for other CI systems further down the line.

VentureBeat's mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Learn more about membership.