explaingit

google/clusterfuzz

5,560 · Python · Audience · ops devops · Complexity · 5/5 · License · Setup · hard

TLDR

Google's large-scale automated testing system that finds crashes and security bugs in software by feeding it massive amounts of random input across thousands of machines.

Mindmap

mindmap
  root((ClusterFuzz))
    What it does
      Automated fuzzing
      Finds crashes and bugs
      Deduplicates reports
    Scale
      100k virtual machines
      27k+ bugs found
      8900+ CVEs found
    Features
      Multiple fuzz engines
      Commit bisection
      Web dashboard
    Variants
      ClusterFuzz full
      ClusterFuzzLite CI
    Audience
      Security engineers
      DevOps teams

Things people build with this

USE CASE 1

Run continuous automated fuzz testing on a C or C++ project across a cluster of machines to find crashes before users do.

USE CASE 2

Integrate fuzzing into a CI/CD pipeline using ClusterFuzzLite for teams that don't need a full dedicated cluster.

USE CASE 3

Automatically deduplicate crash reports and bisect which code commit introduced a bug.

USE CASE 4

Connect to OSS-Fuzz to get free fuzzing infrastructure for an open-source project.

Tech stack

Python, Go

Getting it running

Difficulty · hard · Time to first run · 1 day+

Full deployment requires a Google Cloud account and significant infrastructure; ClusterFuzzLite is the simpler CI-only alternative.

In plain English

ClusterFuzz is a system for automatically testing software by feeding it large amounts of random or mutated input to see if anything breaks. This technique is called fuzzing. The goal is to find crashes, security vulnerabilities, and other defects before real users encounter them.

Google built ClusterFuzz to test its own products at scale, including Chrome. It also serves as the backend for OSS-Fuzz, a Google-run service that provides free fuzzing infrastructure to open-source projects. As of early 2023, ClusterFuzz and OSS-Fuzz together have found over 27,000 bugs in Google's software and more than 8,900 security vulnerabilities across hundreds of open-source projects.

The system is designed to run on large numbers of machines at once. The OSS-Fuzz deployment, for example, uses around 100,000 virtual machines. When a crash is found, ClusterFuzz automatically deduplicates it to avoid filing the same bug twice, files a report in an issue tracker like Jira, and can also find which code change introduced the problem by bisecting through the version history.

ClusterFuzz supports several well-known fuzzing engines, meaning it can use different strategies for generating test inputs and select the most effective approach for a given piece of software. It also provides a web interface for managing fuzzing jobs and reviewing results.

For teams that want something simpler and do not need a dedicated cluster, Google also offers ClusterFuzzLite, a lighter version designed to run as part of a standard software build and test pipeline.

Copy-paste prompts

Prompt 1
Walk me through setting up ClusterFuzzLite in a GitHub Actions CI pipeline to fuzz a C++ project. What fuzz targets do I need to write?
Prompt 2
How does ClusterFuzz deduplicate crashes and automatically file bug reports? What integrations does it support for issue trackers?
Prompt 3
I want to onboard my open-source project to OSS-Fuzz. What are the requirements and how is ClusterFuzz involved as the backend?
Prompt 4
Show me how to write a libFuzzer-style fuzz target for a Python library so ClusterFuzz can test it.

Verify against the repo before relying on details.