It’s not realistic for ROS2 Crystal as well however worth to be considered for the long time roadmap:
- integration of fuzzy testing in to the CI environment
There is a nice read (blog post of a Security Engineer) about how to integrate public repositories into Google OSS-Fuzz (“continous open source software fuzzying as a service”) and about how to make OSS-Fuzz work for private repositories. Google tries to motivate people to integrate projects into OSS-Fuzz with patch rewards… probably an interesting model to get people like aliasrobotics.com (@EndikaGu) involved into ROS2 security improvement . However OSS-Fuzz based Fuzzy Testing addresses low levels of abstraction (source code like rclcpp
, rclc
, rmw
) the priority in comparison to the other point in the list (higher levels of abstraction like features, “security by design”) is quite low. Nevertheless worth to being mention here I guess.