Berlin, May 23, 2017 – For the last five months, The Document Foundation has made use of OSS-Fuzz, Google’s effort to make open source software more secure and stable, to further improve the quality and reliability of LibreOffice’s source code. Developers have used the continuous and automated fuzzing process, which often catches issues just hours after they appear in the upstream code repository, to solve bugs – and potential security issues – before the next binary release.
LibreOffice is the first free office suite in the marketplace to leverage Google’s OSS-Fuzz. The service, which is associated with other source code scanning tools such as Coverity, has been integrated into LibreOffice’s security processes – under Red Hat’s leadership – to significantly improve the quality of the source code.
According to Coverity Scan’s last report, LibreOffice has an industry leading defect density of 0.01 per 1,000 lines of code (based on 6,357,292 lines of code analyzed on May 15, 2017). “We have been using OSS-Fuzz, like we use Coverity, to catch bugs – some of which may turn into security issues – before the release. So far, we have been able to solve all of the 33 bugs identified by OSS-Fuzz well in advance over the date of disclosure”, says Red Hat’s Caolán McNamara, a senior developer and the leader of the security team at LibreOffice.
Additional information about Google OSS-Fuzz is available on the project’s homepage on GitHub – https://github.com/google/oss-fuzz – and on Google Open Source Blog: (1) https://opensource.googleblog.com/2016/12/announcing-oss-fuzz-continuous-fuzzing.html (announcement), and (2) https://opensource.googleblog.com/2017/05/oss-fuzz-five-months-later-and.html (results after five months).