Berlin, May 23, 2017 - For the last five months, The Document Foundation
has made use of OSS-Fuzz, Google’s effort to make open source software
more secure and stable, to further improve the quality and reliability
of LibreOffice's source code. Developers have used the continuous and
automated fuzzing process, which often catches issues just hours after
they appear in the upstream code repository, to solve bugs - and
potential security issues - before the next binary release.LibreOffice
is the first free office suite in the marketplace to leverage Google’s
OSS-Fuzz. The service, which is associated with other source code
scanning tools such as Coverity, has been integrated into LibreOffice's
security processes - under Red Hat’s leadership - to significantly
improve the quality of the source code.
LibreOffice is the first free office suite in the marketplace to
leverage Google’s OSS-Fuzz. The service, which is associated with other
source code scanning tools such as Coverity, has been integrated into
LibreOffice's security processes - under Red Hat’s leadership - to
significantly improve the quality of the source code.
According to Coverity Scan’s last report, LibreOffice has an industry
leading defect density of 0.01 per 1,000 lines of code (based on
6,357,292 lines of code analyzed on May 15, 2017). “We have been using
OSS-Fuzz, like we use Coverity, to catch bugs - some of which may turn
into security issues - before the release. So far, we have been able to
solve all of the 33 bugs identified by OSS-Fuzz well in advance over the
date of disclosure”, says Red Hat’s Caolán McNamara, a senior developer
and the leader of the security team at LibreOffice.
Additional information about Google OSS-Fuzz is available on the
project’s homepage on GitHub - https://github.com/google/oss-fuzz - and
on Google Open Source Blog: (1)
https://opensource.googleblog.com/2016/12/announcing-oss-fuzz-continuous-fuzzing.html
(announcement), and (2)
https://opensource.googleblog.com/2017/05/oss-fuzz-five-months-later-and.html
(results after five months).
Blog post: http://blog.documentfoundation.org/blog/2017/05/23/oss-fuzz/