skupper-router project initialization #12646

Open
wants to merge 1 commit into
base: master

ganeshmurthy

No description provided.


google-cla bot commented Oct 23, 2024

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.


ganeshmurthy is integrating a new project:
- Main repo: https://github.com/skupperproject/skupper-router.git
- Criticality score: 0.51218

@vitorguidi
Contributor

> No description provided.

Can you share with us how large the user base is, and what interesting attack surface OSS-Fuzz can help protect?

@ganeshmurthy
Author

> Can you share with us how large the user base is, and what interesting attack surface OSS Fuzz can help protecting?

skupper-router is an open source project which is part of a larger project called Skupper (https://skupper.io/).
Skupper is used to interconnect different clouds by forming Virtual Application Networks. Skupper is used in 6 downstream projects. One of our upstream users is Goldman Sachs. Unfortunately, we have no idea how large our upstream user base is. This might be helpful perhaps - https://hanadigital.github.io/grev/?user=skupperproject&repo=skupper

skupper-router uses the qpid-proton library, which is already one of the oss-fuzz projects: https://github.com/google/oss-fuzz/tree/master/projects/qpid-proton

skupper-router is capable of reading TCP traffic over a listening port. It sniffs the initial incoming TCP bytes to determine if the protocol being used is http1 or http2 or some other protocol. If, say, the protocol is http2, it starts reading http2 frames to get some stats from the traffic like request method, URL, etc. OSS Fuzz can send in random data to these protocol observers and try to crash the router.
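
The kind of fuzz target described in the comment above, as an added example that is not code from skupper-router or from this pull request: a hypothetical `classify()` sniffs the initial bytes for the HTTP/2 client preface or an HTTP/1 method, and a libFuzzer entry point replays every prefix of the input to mimic arbitrary TCP segmentation. All function and type names are assumptions; the router's real observers are not shown on this page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical names for illustration; not skupper-router's API. */
typedef enum { PROTO_NEED_MORE, PROTO_HTTP1, PROTO_HTTP2, PROTO_UNKNOWN } proto_t;

/* HTTP/2 client connection preface (RFC 9113, section 3.4), 24 bytes. */
static const char H2_PREFACE[] = "PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n";
static const char *const H1_METHODS[] = {"GET ", "HEAD ", "POST ", "PUT ",
    "DELETE ", "OPTIONS ", "PATCH ", "CONNECT ", "TRACE "};

/* 1: buf starts with all of pat; 0: buf is a strict prefix of pat; -1: mismatch. */
static int match_prefix(const uint8_t *buf, size_t len, const char *pat, size_t plen)
{
    size_t n = len < plen ? len : plen;   /* never read past either buffer */
    if (memcmp(buf, pat, n) != 0) return -1;
    return len >= plen ? 1 : 0;
}

/* Classify the first bytes of a TCP stream; a short read yields PROTO_NEED_MORE. */
proto_t classify(const uint8_t *buf, size_t len)
{
    int need_more = 0;
    if (len == 0) return PROTO_NEED_MORE;
    int r = match_prefix(buf, len, H2_PREFACE, sizeof(H2_PREFACE) - 1);
    if (r == 1) return PROTO_HTTP2;
    if (r == 0) need_more = 1;
    for (size_t i = 0; i < sizeof(H1_METHODS) / sizeof(H1_METHODS[0]); i++) {
        r = match_prefix(buf, len, H1_METHODS[i], strlen(H1_METHODS[i]));
        if (r == 1) return PROTO_HTTP1;
        if (r == 0) need_more = 1;
    }
    return need_more ? PROTO_NEED_MORE : PROTO_UNKNOWN;
}

/* libFuzzer entry point: feed every prefix of the input, as if the bytes
 * arrived in arbitrary segments. Once a verdict is reached it must not
 * change when more bytes arrive; a change aborts so the fuzzer reports it. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    proto_t decided = PROTO_NEED_MORE;
    for (size_t n = 1; n <= size; n++) {
        proto_t p = classify(data, n);
        if (decided != PROTO_NEED_MORE && p != decided) abort();
        decided = p;
    }
    return 0;
}
```

Built with `clang -fsanitize=fuzzer,address`, the sanitizer catches out-of-bounds reads on short or truncated input while the stability check catches logic errors in the classifier.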
