Integrating snakeyaml into OSS-Fuzz

Issue #523 resolved
Dae created an issue

Hi all,

I have prepared the integration (CodeIntelligenceTesting/oss-fuzz@51f91af) of snakeyaml into Google oss-fuzz. This will enable continuous fuzzing of this project, which will be conducted by Google. Bugs that will be found by fuzzing will be reported to you.

The integration requires a primary contact, someone to deal with the bug reports submitted by oss-fuzz. The email address needs to belong to an established project committer and be associated with a Google account as per here. This will provide you with access to ClusterFuzz, crash reports, and fuzzer statistics. More than 1 person can be included. Please let me know who I should include, if anyone.

Ideally, the fuzz tests would live in this repo (snakeyaml) instead of the oss-fuzz repo to better stay in sync with the code. We can create a PR to do that if you are interested.

Jazzer is used for fuzzing Java applications. Jazzer is a coverage-guided, in-process fuzzer for the JVM platform developed by Code Intelligence. It is based on libFuzzer and brings many of its instrumentation-powered mutation features to the JVM.
Jazzer has already found a lot of critical bugs in JVM applications.

Please let me know if you have any questions regarding fuzzing or the oss-fuzz integration.
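As an added illustration of what a Jazzer fuzz target for this project looks like (example code written for this page, not the target from the oss-fuzz integration referenced above): it assumes snakeyaml 1.33 or later for the SafeConstructor(LoaderOptions) constructor and the Jazzer API jar on the classpath; the class name YamlLoadFuzzer is hypothetical.

```java
import com.code_intelligence.jazzer.api.FuzzedDataProvider;
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

// Hypothetical target class name; Jazzer locates it via --target_class.
public class YamlLoadFuzzer {

    private static final Yaml YAML;

    static {
        // Assumed: snakeyaml 1.33+, where SafeConstructor takes LoaderOptions.
        // SafeConstructor only builds standard YAML types (maps, lists, scalars),
        // so instantiating arbitrary classes through tags is out of scope and the
        // run measures the parser itself. LoaderOptions defaults include the alias
        // cap that stops "billion laughs"-style expansion from surfacing as OOM.
        LoaderOptions options = new LoaderOptions();
        YAML = new Yaml(new SafeConstructor(options));
    }

    // Jazzer calls this once per generated input.
    public static void fuzzerTestOneInput(FuzzedDataProvider data) {
        String document = data.consumeRemainingAsString();

        Object value;
        try {
            value = YAML.load(document);
        } catch (YAMLException expected) {
            // Rejecting malformed YAML with the documented exception type is
            // correct behaviour, not a bug, so swallow it and move on. This is
            // what keeps the false-positive rate low for the maintainers.
            return;
        }
        // Anything else (StackOverflowError on deep nesting, NullPointerException,
        // IndexOutOfBoundsException, ...) escapes here and Jazzer records it as a
        // crash together with the reproducer input.

        // Second property: a value snakeyaml accepted must be re-serialisable by
        // snakeyaml. A dump() failure on parser output points at an internal
        // inconsistency rather than at bad input.
        YAML.dump(value);
    }
}
```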

Comments (7)

  1. Dae (reporter)

    Just wanted to check in to see if either @Alexander Maslov or @Andrey Somov are interested in receiving bug reports for this project? Just to clarify our position, we have already written the initial fuzz targets and will handle expanding the code coverage further. Also, if you don’t want to host the fuzz targets we create, they can live in the Google oss-fuzz repo. You would simply need to receive emails from Google and address any discovered bugs / vulnerabilities. If you are interested, please let me know an email address I can use. Preferably a Google account, as that will enable you full access to the oss-fuzz dashboard.

  2. Dae (reporter)

    Hi @Andrey Somov, what you suggest is an option. The reason I did not propose that is that I am currently onboarding several projects into oss-fuzz, so my hope is to pass the bug reports directly to a maintainer. It could quickly become unmanageable for me. However, if that is the only way, then we will proceed as you suggest.

  3. Andrey Somov

    I want to be sure we are not overloaded with false positives (which is already the case with GitHub).

    You can start it and if it appears to be reporting the appropriate things - we will become the maintainers.

  4. Dae (reporter)

    Hi @Andrey Somov, that sounds fair. I will prepare the PR to Google and then report any discovered bugs to you.
