
BUG: OSS-Fuzz detection fails if project.yaml URL points to subfolder #3257

@pnacht

Description


Describe the bug
If a repo's project.yaml file on the OSS-Fuzz repo points to a sub-folder, Scorecard's Fuzzing detection fails.

Reproduction steps
Steps to reproduce the behavior:

  1. Note that google/go-cmp gets a 0/10 for Fuzzing: https://securityscorecards.dev/viewer/?uri=github.com/google%2Fgo-cmp
  2. However, the project is fuzzed: https://github.com/google/oss-fuzz/tree/master/projects/go-cmp
  3. However, the project.yaml points to the repo's cmp folder: main_repo: "https://github.com/google/go-cmp/cmp".

Expected behavior
Scorecard should parse the project.yaml's URL more cautiously, to ensure it always gets the correct username and repo.

Additional context
After a brief conversation with @spencerschrock, the issue seems to be here:

```go
// Excerpt quoted from Scorecard's URL parsing: the path is trimmed and split
// into at most splitLen pieces, so any extra path segments stay attached to
// the second element (e.g. "go-cmp/cmp") instead of being discarded.
const splitLen = 2
split := strings.SplitN(strings.Trim(u.Path, "/"), "/", splitLen)
if len(split) != splitLen {
	return "", fmt.Errorf("%s: %w", rawURL, errMalformedURL)
}
```
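An added example (not Scorecard's code; the function names `ownerRepoStrict` and `ownerRepoLenient` are mine) that contrasts the quoted `SplitN` logic with a parser keeping only the first two path segments, run on the go-cmp URLs from this issue:

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

var errMalformedURL = errors.New("malformed repo URL")
// ownerRepoStrict reproduces the SplitN logic quoted in the issue. With n=2,
// SplitN returns at most two pieces, so a sub-folder URL passes the length
// check but the second piece keeps the extra segments ("go-cmp/cmp").
func ownerRepoStrict(rawURL string) (string, string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", "", err
	}
	const splitLen = 2
	split := strings.SplitN(strings.Trim(u.Path, "/"), "/", splitLen)
	if len(split) != splitLen {
		return "", "", fmt.Errorf("%s: %w", rawURL, errMalformedURL)
	}
	return split[0], split[1], nil
}

// ownerRepoLenient (hypothetical name) keeps only the first two path segments,
// so a main_repo URL that points into a sub-folder still yields owner/repo.
func ownerRepoLenient(rawURL string) (string, string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", "", err
	}
	segs := strings.Split(strings.Trim(u.Path, "/"), "/")
	if len(segs) < 2 || segs[0] == "" || segs[1] == "" {
		return "", "", fmt.Errorf("%s: %w", rawURL, errMalformedURL)
	}
	return segs[0], strings.TrimSuffix(segs[1], ".git"), nil
}

func main() {
	// Constructed inputs: the plain repo URL and the sub-folder URL from the issue.
	for _, raw := range []string{"https://github.com/google/go-cmp", "https://github.com/google/go-cmp/cmp"} {
		o, r, err := ownerRepoStrict(raw)
		fmt.Printf("strict : %s -> %s/%s (err=%v)\n", raw, o, r, err)
		o, r, err = ownerRepoLenient(raw)
		fmt.Printf("lenient: %s -> %s/%s (err=%v)\n", raw, o, r, err)
	}
}
```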
