Conversation

@DavidKorczynski

Adds security audit report facilitated by the CNCF.


Enter [N/A] in the box if an item is not applicable to your change.

Testing
Before we can approve your change, please submit the following in a comment:

  • [N/A] Example configuration file for the change
  • [N/A] Debug log output from testing the change
  • [N/A] Attached Valgrind output that shows no leaks or memory corruption was found

If this is a change to packaging of containers or native binaries then please confirm it works for all targets.

  • [N/A] Run local packaging test showing all targets (including any new ones) build.
  • [N/A] Set ok-package-test label to test for all targets (requires maintainer to do).

Documentation

  • [N/A] Documentation required for this feature

Backporting

  • [N/A] Backport to latest stable release.

Fluent Bit is licensed under Apache 2.0, by submitting this pull request I understand that this code will be released under the terms of that license.

@coderabbitai
coderabbitai bot commented Oct 20, 2025

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (1)
  • doc-reports/cncf-security-audit.pdf is excluded by !**/*.pdf

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.


@cosmo0920 cosmo0920 left a comment


I happened to find a few errors inside the report:

• add input fuzzer is pointed to #77460 but there's no existing one in the Fluent Bit repo. So, it could be #7746?

This report contains the rseults from a security audit of Fluent Bit carried out by Ada Logics, and the audit was funded by the
Cloud Native Computing Foundation.

rseults should be results. This could be just a typo.

“we added 5 new fuzzers fo Fluent Bit”

fo could be a typo of for?

@DavidKorczynski
Contributor Author

thank you @cosmo0920 -- fixed

@cosmo0920
Contributor

• add input fuzzer is pointed to #77460 but there's no existing one in the Fluent Bit repo. So, it could be #7746?

Thanks for the fix.

But the part of

Throughout this audit, we added 5 new fuzzers for Fluent Bit, as well as extended many of the existing harnesses. Below are
key pull requests for these additions:
• add cfl_record_accessor fuzzer
• split cmetrics decoding
• extend ctrace fuzzer
• Extend cmetrics fuzzer
• add input fuzzer
• add config yaml fuzzer
• add mp fuzzer
• add fstore fuzzer

• add input fuzzer is still pointed to #77460 but there's no existing one in the Fluent Bit repo.

@DavidKorczynski
Contributor Author

@cosmo0920 you're right -- I missed that! Fixed now.

@cosmo0920
Contributor

One thing, we need to use doc-reports prefix for each of your commits.
After applying that, it'll be fine for 👍.

Signed-off-by: David Korczynski <[email protected]>
@DavidKorczynski
Contributor Author

One thing, we need to use doc-reports prefix for each of your commits. After applying that, it'll be fine for 👍.

Sounds good! Squashed my commits to one and prefixed.

@cosmo0920 cosmo0920 changed the title add cncf audit report doc-reports: add cncf audit report Oct 22, 2025