All,

Over the last two years, I've worked quite a bit with Jazzer and oss-fuzz on my $dayjob. Dominik Stadler has done an amazing job with fuzz harnesses for POI [0], and there are some rudimentary harnesses for PDFBox [1]. Commons-compress, of course, is very well represented [2].

I was initially against including Tika because I didn't want a bunch of NullPointerException reports. I've changed my initial stance, and I think we would benefit from adding harnesses to oss-fuzz for Tika. WDYT?

Best,
Tim

[0] https://github.com/google/oss-fuzz/tree/master/projects/apache-poi
[1] https://github.com/google/oss-fuzz/tree/master/projects/pdfbox
[2] https://github.com/google/oss-fuzz/tree/master/projects/apache-commons-compress

On Fri, Mar 5, 2021 at 9:27 AM Nick Burch <n...@apache.org> wrote:
>
> Hi All
>
> For those who don't follow dev@commons, there's yet another fuzzing tool
> on the block! Details below. Looks pretty neat, and is now being used on a
> few Apache Commons projects, including Commons Compress which we use
>
> What do people think about more fuzzing? Worth doing? Or just too much
> noise, given the spread of dependencies etc? I can reach out to these
> folks if there's interest, and see if they'd set up an instance for us
>
> (My view is we can never protect against all broken docs, and people
> calling Tika need to take account + take care as we will fall over fairly
> often, but that we ought to try to fix the most obvious problems! 1% of
> the internet is still a lot and all that....)
>
> Nick
>
> ---------- Forwarded message ----------
> Date: Fri, 5 Mar 2021 09:07:03 +0100
> From: Fabian Meumertzheim <meumertzh...@code-intelligence.com>
> Reply-To: Commons Developers List <d...@commons.apache.org>
> To: d...@commons.apache.org
> Subject: [COMPRESS] OSS-Fuzz integration
>
> I am one of the maintainers of Jazzer
> (https://github.com/CodeIntelligenceTesting/jazzer), a new open-source
> fuzzer for JVM projects based on libFuzzer.
>
> I have set up a few Commons projects for local fuzzing with Jazzer,
> which led to quite a few bug reports in Compress and other projects
> (https://issues.apache.org/jira/browse/COMPRESS-569?jql=reporter%20%3D%20Meumertzheim).
> While the majority of the bugs found are undeclared exceptions, this
> approach also caught an infinite loop on a crafted 0.5KB .tar before
> it could make it into a release (see COMPRESS-569).
>
> Jazzer is in the process of being integrated into OSS-Fuzz
> (https://github.com/google/oss-fuzz) for continuous fuzzing on
> Google-provided infrastructure (ClusterFuzz).
>
> If you agree this is a good idea, I could set up Compress for fuzzing
> on OSS-Fuzz. All I would need from you is a list of emails to which
> the automated bug reports should go. The reports are usually directly
> actionable as they include stack traces and minimized reproducers.
>
> Fabian
> https://code-intelligence.com
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
> For additional commands, e-mail: dev-h...@commons.apache.org