Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Feature Request]: OSS-Fuzz integration #3

Open
onionpsy opened this issue Mar 15, 2023 · 1 comment
Open

[Feature Request]: OSS-Fuzz integration #3

onionpsy opened this issue Mar 15, 2023 · 1 comment

Comments

@onionpsy
Copy link

Describe the Feature

Hi all,

we have integrated xz-java into Google OSS-Fuzz which will provide more security for your project: google/oss-fuzz#9797

Why do you need Fuzzing?
The Code Intelligence JVM fuzzer Jazzer has already found hundreds of bugs in open source projects including for example OpenJDK, Protobuf or jsoup. Fuzzing proved to be very effective having no false positives. It provides a crashing input which helps you to reproduce and debug any finding easily. The integration of your project into the OSS-Fuzz platform will enable continuous fuzzing of your project by Jazzer.

What do you need to do?
The integration requires the maintainer or one established project commiter to deal with the bug reports.

You need to create or provide one email address that is associated with a google account as per here. When a bug is found, you will receive an email that will provide you with access to ClusterFuzz, crash reports, code coverage reports and fuzzer statistics. More than 1 person can be included.

How Code Intelligence can support?
We will continue to add more fuzz targets to improve code coverage over time. Furthermore, we are permanently enhancing fuzzing technologies by developing new fuzzers and more bug detectors.

Please let me know if you have any questions regarding fuzzing or the OSS-Fuzz integration.

Expected Complications

No response

Will I try to implement this new feature?

Yes
@JiaT75
Copy link
Contributor

JiaT75 commented Nov 30, 2023

Hello!

I apologize for ignoring this for such a long time. Thank you for adding XZ for Java to OSS-Fuzz. XZ Utils (the C implementation) is also in OSS-Fuzz so I have some understanding of the process. I suppose the following steps should be taken to maximize the usefulness of this:

In xz-java:

  • Move your XZEncoderFuzzer.java file into our repository

In OSS-Fuzz:

  • Remove XZEncoderFuzzer.java
  • Update build.sh to account for the fuzz target moving
  • Update project.yaml so that we can be notified when OSS-Fuzz finds something

I will start working through this, just letting you know in case I am missing an important step.

Also, is there a name that you would like to be used in the THANKS file? On your GitHub profile I did not see a surname. You may of course remain anonymous if you wish :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@onionpsy @JiaT75