summaryrefslogtreecommitdiff
path: root/tests/oss-fuzz/README.md
diff options
context:
space:
mode:
Diffstat (limited to 'tests/oss-fuzz/README.md')
-rw-r--r--tests/oss-fuzz/README.md15
1 files changed, 15 insertions, 0 deletions
diff --git a/tests/oss-fuzz/README.md b/tests/oss-fuzz/README.md
new file mode 100644
index 00000000..01b278d1
--- /dev/null
+++ b/tests/oss-fuzz/README.md
@@ -0,0 +1,15 @@
+Usually, software teams do functional testing (which is great) but not security testing of their code. For example:
+
+```
+func_add(int x, int y) { return x+y; }
+```
+may have a unit test like so:
+
+```
+ASSERT((func_add(4,5)==9))
+```
+However, corner cases are usually not tested so that `x=INT_MAX; y=1` shows a problem in the implementation/desired output.
+
+Fuzz testing is routinely used to generate such corner cases and feed them to program APIs. oss-fuzz is one such fuzz testing framework that is fully automated and targeted at open-source software (oss) and supported by Google. An enrolled project is continually fuzzed and bug reports are sent to maintainers as and when they are generated.
+
+To enrol a new project into oss-fuzz, the codebase must contain test harnesses that make use of the libFuzzer API. This folder hosts oss-fuzz test harnesses for xmlsec that are picked up by oss-fuzz and built. The build script resides in the oss-fuzz repo under the `projects/xmlsec` folder.