- edited description
Integrating snakeyaml into OSS-Fuzz
Issue #523
resolved
Hi all,
I have prepared the integration (CodeIntelligenceTesting/oss-fuzz@51f91af) of snakeyaml into google oss-fuzz. This will enable continuous fuzzing of this project, which will be conducted by Google. Bugs that will be found by fuzzing will be reported to you.
The integration requires a primary contact, someone to deal with the bug reports submitted by oss-fuzz. The email address needs to belong to an established project committer and be associated with a Google account as per here. This will provide you with access to ClusterFuzz, crash reports, and fuzzer statistics. More than 1 person can be included. Please let me know who I should include, if anyone.
Ideally, the fuzz tests would live in this repo (snakeyaml) instead of the oss-fuzz repo to better stay in sync with the code. We can create a PR to do that if you are interested.
Jazzer is used for fuzzing Java applications. Jazzer is a coverage-guided, in-process fuzzer for the JVM platform developed by Code Intelligence. It is based on libFuzzer and brings many of its instrumentation-powered mutation features to the JVM.
Jazzer has already found a lot of critical bugs in JVM applications.
Please let me know if you have any questions regarding fuzzing or the oss-fuzz integration.
Comments (7)
-
Account Deactivated reporter
-
Account Deactivated reporter
Just wanted to check in to see if either @Alexander Maslov or @Andrey Somov are interested in receiving bug reports for this project? Just to clarify our position, we have already written the initial fuzz targets and will handle expanding the code coverage further. Also, if you don’t want to host the fuzz targets we create, they can live in the Google oss-fuzz repo. You would simply need to receive emails from Google and address any discovered bugs / vulnerabilities. If you are interested, please let me know an email address I can use. Preferably a google account as that will enable you full access to the oss-fuzz dashboard.
-
@Dae Dae, why not to create it, receive the reports and forward them here when found ?
-
Account Deactivated reporter
Hi @Andrey Somov , what you suggest is an option. The reason I did not propose that is that I am currently onboarding several projects into oss-fuzz so my hope is to pass the bug reports directly to a maintainer. It could quickly become unmanageable for me. However, if that is the only way, then we will proceed as you suggest.
-
I want to be sure we are not overloaded with false positives (which is already the case with Github)
You can start it and if it appears to be reporting the appropriate things - we will become the maintainers.
-
Account Deactivated reporter
Hi @Andrey Somov , that sounds fair. I will prepare the PR to google and then report any discovered bugs to you.
-
- changed status to resolved
Feel free to ask questions or support
- Log in to comment
