villebro opened a new pull request, #126: URL: https://github.com/apache/superset-kubernetes-operator/pull/126
## Summary

Adds Go-native fuzzing (`go test -fuzz`) for the operator's pure, input-driven functions. The `Superset` CR is authored by a trusted namespace admin, so this is robustness insurance rather than a security control: it guards the spots that do real string parsing, code generation, and merging against panics and non-determinism on awkward-but-valid input. It is also recognized by the OpenSSF Scorecard fuzzing check. Native Go fuzzing covers these needs without the onboarding cost of a hosted service.

Four targets cover where that risk actually lives:

- `FuzzCompareVersions` — semver parsing of image tags (asserts the ordering contract: reflexive rebuild, antisymmetric direction, always a defined result).
- `FuzzPyQuote` / `FuzzRenderConfig` — Python config generation from arbitrary config strings (asserts safe quoting/round-trip and deterministic rendering across every component type).
- `FuzzMergeMaps` — label/annotation merging (asserts last-writer-wins union and idempotence).

Each target's seed corpus replays as ordinary subtests during `make test-unit`, so regressions are caught on every PR.

## Details

- Fuzz targets live in `*_fuzz_test.go` beside the code they exercise, same package, no build tag.
- `make fuzz` runs all targets bounded by `FUZZTIME` (default 30s; override for longer runs).
- A scheduled `.github/workflows/fuzz.yaml` (weekly + `workflow_dispatch`) runs the targets for longer to explore new inputs and uploads any crash reproducer as an artifact. On a finding, the `testdata/fuzz/<target>/<id>` file is committed as a permanent regression seed.
- Documents how/when to fuzz in `docs/contributing/development-guidelines.md` (new `### Fuzzing` section) with a brief pointer in `AGENTS.md`.
- Drive-by docs cleanup: removed a couple of distracting meta-commentary asides in `security.md` and `configuration.md`.

-- This is an automated message from the Apache Git Service.
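As an added illustration of the "safe quoting/round-trip" property the PR lists for `FuzzPyQuote` (example code, not the operator's own), the block below pairs a hypothetical `pyQuote` with a fuzz target whose oracle is `strconv.Unquote`: the escapes it emits mean the same in Go and Python, so an unescaped quote or line break cannot pass unnoticed. The choice to map invalid UTF-8 to U+FFFD rather than error is this example's own assumption, made so that every input still has a defined result.

```go
package main
import (
	"fmt"
	"strconv"
	"strings"
	"testing"
	"unicode/utf8"
)
var escapes = map[rune]string{'\\': `\\`, '"': `\"`, '\n': `\n`, '\r': `\r`, '\t': `\t`}
// pyQuote renders s as a double-quoted Python 3 string literal (hypothetical stand-in for
// the operator's helper). Other text passes through as UTF-8; invalid bytes become U+FFFD.
func pyQuote(s string) string {
	out := []byte{'"'}
	for _, r := range s { // an invalid byte arrives here as utf8.RuneError
		switch e, ok := escapes[r]; {
		case ok:
			out = append(out, e...)
		case r < 0x20 || r == 0x7f: // remaining control characters
			out = append(out, fmt.Sprintf(`\x%02x`, r)...)
		default:
			out = append(out, string(r)...)
		}
	}
	return string(append(out, '"'))
}
// checkPyQuote is the property FuzzPyQuote asserts. Its escapes mean the same in Go and Python,
// so strconv.Unquote is an offline round-trip oracle: an unescaped quote or newline cannot pass.
func checkPyQuote(in string) error {
	lit := pyQuote(in)
	out, err := strconv.Unquote(lit)
	if err != nil || strings.ContainsAny(lit, "\n\r") {
		return fmt.Errorf("unsafe literal %q: %v", lit, err)
	}
	if utf8.ValidString(in) && out != in {
		return fmt.Errorf("%q did not round-trip: got %q", in, out)
	}
	return nil
}
// FuzzPyQuote: seeds replay as ordinary subtests; go test -fuzz=FuzzPyQuote mutates them.
func FuzzPyQuote(f *testing.F) {
	for _, s := range []string{"", `say "hi"`, `c:\path`, "a\nb", "\x00\x7f", "ünïcode"} {
		f.Add(s)
	}
	f.Fuzz(func(t *testing.T, in string) {
		if err := checkPyQuote(in); err != nil {
			t.Fatal(err)
		}
	})
}
```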
