Google open-sources ClusterFuzzLite to secure the software supply chain

Let the OSS Enterprise newsletter guide your open source journey! Sign up here.

Google has announced a new open source “fuzzing” project called ClusterFuzzLite, serving as a lighter-weight version of the internet giant’s existing ClusterFuzz tool, which it open-sourced nearly three years ago.

Fuzz testing, or “fuzzing” as it’s often called, is an automated software testing technique that involves throwing invalid or random data (“fuzz”) at a computer program before it’s deployed to see how it reacts. This can help developers find bugs and flaws that could otherwise be exploited by bad actors.

With software supply chain attacks on the increase, this has shone a light on the role that open source software plays in business-critical applications — and the inherent vulnerabilities such software contains. Countless organizations, from government agencies to hospitals and corporations, have been hit by targeted software supply chain attacks over the past year, leading U.S. President Biden to issue an executive order outlining measures to combat these threats. In response, the National Institute of Standards and Technology (NIST) issued guidelines for software verification, with fuzzing included as part of its recommended “minimum standards” for software testing.

Caught by the fuzz

Back in 2016, Google launched OSS-Fuzz, which combines various fuzzing engines to serve popular open source software projects with continuous fuzzing as part of their quality assurance (QA) processes. Shortly after, Google started offering OSS-Fuzz’s ClusterFuzz backend as a free service, and then went on to open-source ClusterFuzz itself in 2019.

Fast-forward to today, and Google said that more than 500 “critical” open source projects have integrated with the OSS-Fuzz program, which in turn has identified some 6,500 vulnerabilities and fixed 21,000 functional bugs.

While ClusterFuzzLite offers many of the same features as ClusterFuzz such as continuous fuzzing, it’s essentially a stripped-down alternative that’s easier to set up as part of developers’ continuous integration (CI) workflows, requiring just a few lines of code. It’s all about fuzzing GitHub pull requests to catch bugs before they are committed to the main codebase and improve the security posture for all the companies that rely on that software component.

“With just a few lines of code, GitHub users can integrate ClusterFuzzLite into their workflow and fuzz pull requests to catch bugs before they are committed, enhancing the overall security of the software supply chain,” a Google blog post stated.

At launch, ClusterFuzzLite officially supports a handful of CI systems including GitHub Actions and Google Cloud Build, though it also supports Prow as part of an early-stage beta. Google said that given ClusterFuzzLite was built with extensibility in mind, it’s easy to add support for other CI systems further down the line.