skupper-router project initialization

[ganeshmurthy]

No description provided.

[google-cla]

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

[github-actions]

ganeshmurthy is integrating a new project:
- Main repo: https://github.com/skupperproject/skupper-router.git
- Criticality score: 0.51218

[vitorguidi]

_ No description provided. _

Can you share with us how large the user base is, and what interesting attack surface OSS Fuzz can help protecting?

[ganeshmurthy]

Can you share with us how large the user base is, and what interesting attack surface OSS Fuzz can help protecting?

skupper-router is an open source project which is part of a larger project called Skupper (https://skupper.io/)
Skupper is used to interconnect different clouds by forming Virtual Application Networks. Skupper is used in 6 downstream projects. One of our upstream users is Goldman Sachs. Unfortunately, we have no idea how large our upstream user base is. This might be helpful perhaps - https://hanadigital.github.io/grev/?user=skupperproject&repo=skupper

skupper-router uses the qpid-proton library which is already one of the oss-fuzz projects https://github.com/google/oss-fuzz/tree/master/projects/qpid-proton

skupper-router is capable of reading tcp traffic over a listening port. It sniffs the initial incoming tcp bytes to determine if the protocol being used is http1 or http2 or some other protocol. If say, the protocol is http2, it starts reading http2 frames to get some stats from the traffic like request method, url etc. OSS Fuzz can send in random data to these protocol observers and try to crash the router.

[vitorguidi]

lgtm

[vitorguidi]

We can merge this once the CI tests get fixed. @ganeshmurthy

[maflcko]

This is the inverse of how it should be done. Each RUN layer that installs something will need to have an update in the same RUN layer. Otherwise a stale update layer could lead to issues in the later install layer.

edit: Also, cmake is already installed anyway?

[ganeshmurthy]

Removed the unnecessary cmake install and fixed up the call to apt-get update

[vitorguidi]

@ganeshmurthy we can merge this once the tests pass

[ganeshmurthy]

@ganeshmurthy we can merge this once the tests pass

I think I fixed a problem that I saw in the CI test failure. I pushed up a fix for it. Let's see if the CI passes this time