
feat: update fuzzing check for memory-safe languages#4950

Open
garvit-bhattt wants to merge 2 commits intoossf:mainfrom
garvit-bhattt:fix-fuzzing-score-memory-safe-langs

Conversation

@garvit-bhattt

What kind of change does this PR introduce?

Feature / Improvement

PR title follows the guidelines:
feat: update fuzzing check for memory-safe languages


What is the current behavior?

Projects that exclusively use memory-safe languages (e.g., Go, Rust, Java, Python) and do not have detected fuzzers currently receive a failing score of 0 for the Fuzzing check.


What is the new behavior?

Projects exclusively using memory-safe languages without detected fuzzers will now receive an Inconclusive (N/A) result.

This change aligns with OpenSSF best practices, as fuzzing is primarily critical for memory-unsafe languages (C, C++, Objective-C, Objective-C++).


Key Implementation Details

  • Created a centralized HasMemoryUnsafeLanguage utility in clients/languages.go to maintain a consistent memory safety policy.
  • Updated the Fuzzing evaluation logic to distinguish between:
    • Fuzzer missing on unsafe project → score 0
    • Fuzzer missing on safe project → Inconclusive (N/A)
  • Added support for multiple language name variants (e.g., lowercase, hyphenated) to ensure robustness.

Tests

  • Tests for the changes have been added.

Which issue(s) this PR fixes

Fixes #4649 — Maybe too strict to give a 0 for missing fuzzing tooling for memory safe language.


Special Notes for Reviewers

  • The memory safety policy is now centralized in clients/languages.go, making it reusable for other checks (e.g., binary artifact analysis) in the future.
  • The check robustly handles various representations of Objective-C and Objective-C++ (with/without hyphens and variations in casing).
  • Note on Testing: Failures observed in the full go test ./... suite (specifically in checks/fileparser and checks/raw) are pre-existing and unrelated to these changes.

This update ensures that projects exclusively using memory-safe languages
are not penalized for lacking fuzzers. Changes include:

- Added HasMemoryUnsafeLanguage utility in clients/languages.go to
  centralize language safety policy.
- Updated Fuzzing check to return an Inconclusive (N/A) result for
  memory-safe-only projects without fuzzers.
- Added comprehensive unit tests for language safety and evaluation logic.
- Updated documentation in docs/checks/internal/checks.yaml.

Note: Full go test ./... reveals pre-existing failures in
checks/fileparser and checks/raw which are unrelated to these changes.
@garvit-bhattt garvit-bhattt requested a review from a team as a code owner February 26, 2026 05:40
@garvit-bhattt garvit-bhattt requested review from AdamKorcz and justaugustus and removed request for a team February 26, 2026 05:40
@dosubot dosubot bot added the size:L This PR changes 100-499 lines, ignoring generated files. label Feb 26, 2026
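The three-way policy and the language-name normalization described in the PR body, as an added Go sketch written for this page rather than taken from the PR's diff or from Scorecard's code base: the `Language` type, the score constants, `normalizeLanguage`, `FuzzingResult` and `EvaluateFuzzing` are assumptions of this example; only the utility name `HasMemoryUnsafeLanguage` and the list of memory-unsafe languages come from the PR description.

```go
package main

import (
	"fmt"
	"strings"
)

// Language is a constructed stand-in for a detected repository language
// (name plus a rough size); it is not Scorecard's own clients.Language type.
type Language struct {
	Name     string
	NumLines int
}

// Score values modelled on the Scorecard convention of 0..10 with a negative
// value meaning "inconclusive"; assumed for this example, not taken from the PR.
const (
	MinResultScore          = 0
	MaxResultScore          = 10
	InconclusiveResultScore = -1 // rendered as N/A
)

// normalizeLanguage folds case and drops hyphens and spaces so that
// "Objective-C", "objective c" and "OBJECTIVEC" all compare equal.
func normalizeLanguage(name string) string {
	n := strings.ToLower(strings.TrimSpace(name))
	n = strings.ReplaceAll(n, "-", "")
	return strings.ReplaceAll(n, " ", "")
}

// memoryUnsafe lists the languages the PR names as memory-unsafe, keyed by
// their normalized spelling. "cpp" is an extra spelling accepted by this example.
var memoryUnsafe = map[string]bool{
	"c":            true,
	"c++":          true,
	"cpp":          true,
	"objectivec":   true,
	"objectivec++": true,
}

// HasMemoryUnsafeLanguage reports whether any detected language is memory-unsafe.
// The name mirrors the PR's utility; the body is this example's own.
func HasMemoryUnsafeLanguage(langs []Language) bool {
	for _, l := range langs {
		if memoryUnsafe[normalizeLanguage(l.Name)] {
			return true
		}
	}
	return false
}

// FuzzingResult pairs a score with the reason reported to the user.
type FuzzingResult struct {
	Score  int
	Reason string
}

// EvaluateFuzzing applies the policy from the PR description: fuzzer present
// -> max score; fuzzer missing on an unsafe project -> 0; fuzzer missing on a
// safe-only project -> inconclusive.
func EvaluateFuzzing(hasFuzzer bool, langs []Language) FuzzingResult {
	switch {
	case hasFuzzer:
		return FuzzingResult{MaxResultScore, "project is fuzzed"}
	case HasMemoryUnsafeLanguage(langs):
		return FuzzingResult{MinResultScore, "project is not fuzzed and uses a memory-unsafe language"}
	default:
		// Also reached when no languages were detected at all: nothing unsafe
		// was seen, so this example stays inconclusive rather than failing.
		return FuzzingResult{InconclusiveResultScore, "project uses only memory-safe languages; no fuzzer required"}
	}
}

func main() {
	// Constructed sample inputs.
	goOnly := []Language{{Name: "Go", NumLines: 12000}}
	mixed := []Language{{Name: "Rust", NumLines: 8000}, {Name: "objective c++", NumLines: 150}}
	fmt.Printf("%+v\n", EvaluateFuzzing(false, goOnly)) // Score:-1 (N/A)
	fmt.Printf("%+v\n", EvaluateFuzzing(false, mixed))  // Score:0
	fmt.Printf("%+v\n", EvaluateFuzzing(true, mixed))   // Score:10
}
```

Because the policy is a closed allow-list keyed by normalized spelling, any language name the map does not know (including a new or renamed Linguist entry) falls on the memory-safe side and yields N/A rather than 0; a reviewer checking the real change would want to confirm that the PR's variant handling and the empty-language-list case behave the way the project intends.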