Google open-sources ClusterFuzzLite to protect the software supply chain



Google has announced a new open source “fuzzing” project called ClusterFuzzLite, a lighter version of the internet giant’s existing ClusterFuzz tool, which was open-sourced nearly three years ago.

Fuzz testing, or “fuzzing” as it is often called, is an automated software testing technique that involves throwing invalid or random data (“fuzz”) at a computer program before it is distributed to see how it reacts. This can help developers find bugs and flaws that could otherwise be exploited by bad actors.

With software supply chain attacks on the rise, attention has turned to the role that open source software plays in business-critical applications and to the inherent vulnerabilities that such software contains. Countless organizations, from government agencies to hospitals and businesses, have been affected by targeted attacks on the software supply chain over the past year, leading US President Biden to issue an executive order outlining measures to combat these threats. In response, the National Institute of Standards and Technology (NIST) issued guidelines for software verification, with fuzzing included as part of its recommended “minimum standards” for software testing.

Caught by the fuzz

Back in 2016, Google launched OSS-Fuzz, which combines various fuzzing engines to serve popular open source software projects with continuous fuzzing as part of their quality assurance (QA) processes. Shortly thereafter, Google began offering OSS-Fuzz’s ClusterFuzz backend as a free service, before open-sourcing ClusterFuzz itself in 2019.


Fast forward to today, and Google said more than 500 “critical” open source projects have integrated with the OSS-Fuzz program, which in turn has identified approximately 6,500 vulnerabilities and fixed 21,000 functional bugs.

While ClusterFuzzLite offers many of the same features as ClusterFuzz, such as continuous fuzzing, it is essentially a stripped-down alternative that is easier to set up as part of developers’ continuous integration (CI) workflows, requiring only a few lines of code. It involves fuzzing GitHub pull requests to detect bugs before they are committed to the main code base, improving the security posture of all companies that rely on that software component.

“With just a few lines of code, GitHub users can integrate ClusterFuzzLite into their workflow and fuzz pull requests to detect bugs before they are committed, improving the overall security of the software supply chain,” Google said in a blog post.
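For reference, this is roughly what such a pull-request fuzzing workflow looks like on GitHub Actions. It is an added example, not taken from the article or from Google's post, and it assumes the repository already has a `.clusterfuzzlite/` directory with its fuzzer build files; the workflow file name, language, sanitizer and time budget are illustrative choices.

```yaml
# .github/workflows/cflite_pr.yml (illustrative file name)
name: ClusterFuzzLite PR fuzzing
on:
  pull_request:
    paths:
      - '**'
# Least privilege: the fuzzing job only needs to read the repository.
permissions: read-all
jobs:
  PR:
    runs-on: ubuntu-latest
    concurrency:
      # Cancel a still-running fuzz job when the pull request gets a new push.
      group: ${{ github.workflow }}-${{ matrix.sanitizer }}-${{ github.ref }}
      cancel-in-progress: true
    strategy:
      fail-fast: false
      matrix:
        sanitizer: [address]        # assumed choice for this example
    steps:
      - name: Build fuzzers (${{ matrix.sanitizer }})
        id: build
        uses: google/clusterfuzzlite/actions/build_fuzzers@v1
        with:
          language: c++             # assumed project language
          sanitizer: ${{ matrix.sanitizer }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
      - name: Run fuzzers (${{ matrix.sanitizer }})
        id: run
        uses: google/clusterfuzzlite/actions/run_fuzzers@v1
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          fuzz-seconds: 600         # assumed time budget per run
          mode: code-change         # fuzz the change under review
          sanitizer: ${{ matrix.sanitizer }}
```

A crash found during the run fails the check on the pull request, so the bug surfaces before the change is merged.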

At launch, ClusterFuzzLite officially supports a handful of CI systems including GitHub Actions and Google Cloud Build, although it also supports Prow as part of an early-stage beta. Google said that since ClusterFuzzLite was built with extensibility in mind, it’s easy to add support for other CI systems in the future.

