I am one of the maintainers of Jazzer (https://github.com/CodeIntelligenceTesting/jazzer), a new open-source fuzzer for JVM projects based on libFuzzer.
I have set up a few Commons projects for local fuzzing with Jazzer, which led to quite a few bug reports in Compress and other projects (https://issues.apache.org/jira/browse/COMPRESS-569?jql=reporter%20%3D%20Meumertzheim). While the majority of the bugs found are undeclared exceptions, this approach also caught an infinite loop on a crafted 0.5KB .tar before it could make it into a release (see COMPRESS-569).

Jazzer is in the process of being integrated into OSS-Fuzz (https://github.com/google/oss-fuzz) for continuous fuzzing on Google-provided infrastructure (ClusterFuzz). If you agree this is a good idea, I could set up Compress for fuzzing on OSS-Fuzz. All I would need from you is a list of emails to which the automated bug reports should go. The reports are usually directly actionable as they include stack traces and minimized reproducers.

Fabian
https://code-intelligence.com