[ https://issues.apache.org/jira/browse/COMPRESS-720?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Vishal Satish updated COMPRESS-720:
-----------------------------------
Description:
This task involves upstreaming 17 existing fuzzers from the Google OSS-Fuzz
repository to the main Apache Commons Compress repository.
Integrating fuzzers directly into the project's build system encourages
maintainer ownership, prevents bit-rot, and enables automated fuzzing of Pull
Requests via CIFuzz. This fulfills the "Ideal Integration" pattern for OSS
projects.
1. Maven Configuration: Added jazzer-junit dependency and a 'fuzz' profile to
allow running fuzzers with 'mvn test -Pfuzz'.
2. Fuzzer Targets: Ported 17 targets covering Zip, Tar, 7z, Ar, Arj,
Cpio, and various compressors into
src/test/java/org/apache/commons/compress/fuzz.
3. CI Integration: Added a GitHub Action workflow
(.github/workflows/cifuzz.yml) to run fuzz tests on every PR using Google's
cifuzz actions.
All ported code follows the Apache License 2.0 and has been verified to compile
against the Java 8 baseline.
was:
This task involves upstreaming 17 existing fuzzers from the Google OSS-Fuzz
repository to the main Apache Commons Compress repository.
### Motivation
Integrating fuzzers directly into the project's build system encourages
maintainer ownership, prevents bit-rot, and enables automated fuzzing of Pull
Requests via CIFuzz. This fulfills the "Ideal Integration" pattern for OSS
projects.
### Changes
1. Maven Configuration: Added jazzer-junit dependency and a 'fuzz' profile to
allow running fuzzers with 'mvn test -Pfuzz'.
2. Fuzzer Targets: Ported 17 targets covering Zip, Tar, 7z, Ar, Arj, Cpio, and
various compressors (Snappy, LZ4, Gzip, etc.) into
src/test/java/org/apache/commons/compress/fuzz.
3. CI Integration: Added a GitHub Action workflow
(.github/workflows/cifuzz.yml) to run fuzz tests on every PR using Google's
cifuzz actions.
All ported code follows the Apache License 2.0 and has been verified to compile
against the Java 8 baseline.
> Integrate OSS-Fuzz fuzzers and enable CIFuzz
> --------------------------------------------
>
> Key: COMPRESS-720
> URL: https://issues.apache.org/jira/browse/COMPRESS-720
> Project: Commons Compress
> Issue Type: Improvement
> Components: Archivers, Compressors
> Reporter: Vishal Satish
> Priority: Major
> Labels: fuzzing, oss-fuzz, security
>
> This task involves upstreaming 17 existing fuzzers from the Google OSS-Fuzz
> repository to the main Apache Commons Compress repository.
> Integrating fuzzers directly into the project's build system encourages
> maintainer ownership, prevents bit-rot, and enables automated fuzzing of Pull
> Requests via CIFuzz. This fulfills the "Ideal Integration" pattern for OSS
> projects.
> 1. Maven Configuration: Added jazzer-junit dependency and a 'fuzz' profile to
> allow running fuzzers with 'mvn test -Pfuzz'.
> 2. Fuzzer Targets: Ported 17 targets covering Zip, Tar, 7z, Ar, Arj,
> Cpio, and various compressors into
> src/test/java/org/apache/commons/compress/fuzz.
> 3. CI Integration: Added a GitHub Action workflow
> (.github/workflows/cifuzz.yml) to run fuzz tests on every PR using Google's
> cifuzz actions.
> All ported code follows the Apache License 2.0 and has been verified to
> compile against the Java 8 baseline.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
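The issue describes a 'fuzz' Maven profile backed by jazzer-junit and 17 ported targets under src/test/java/org/apache/commons/compress/fuzz, but does not show what such a target looks like. The class below is an added illustration, not one of the ported OSS-Fuzz targets and not part of the Commons Compress repository: a Jazzer JUnit fuzz target that feeds arbitrary bytes to ZipArchiveInputStream. It assumes jazzer-junit is on the test classpath, as the described profile provides, and the class name, method name and the MAX_ENTRIES / MAX_BYTES_PER_ENTRY caps are assumptions chosen here. The caps exist so that a decompression-bomb input is reported as a bounded, finished run rather than an out-of-memory or timeout finding that hides real parser bugs.

```java
package org.apache.commons.compress.fuzz;

import com.code_intelligence.jazzer.junit.FuzzTest;
import org.apache.commons.compress.archivers.ArchiveEntry;
import org.apache.commons.compress.archivers.zip.ZipArchiveInputStream;

import java.io.ByteArrayInputStream;
import java.io.IOException;

/**
 * Hypothetical Jazzer JUnit fuzz target (added example, not one of the 17
 * ported targets). Under the issue's 'fuzz' profile it runs via
 * "mvn test -Pfuzz"; when Jazzer's JUnit integration is not in fuzzing mode
 * the method executes as a plain regression test over any stored inputs.
 */
public class ZipArchiveFuzzTest {

    /** Upper bound on decompressed bytes drained per entry (assumed value). */
    private static final long MAX_BYTES_PER_ENTRY = 1L << 20; // 1 MiB

    /** Upper bound on entries visited per input (assumed value). */
    private static final int MAX_ENTRIES = 1_000;

    @FuzzTest
    void parseZip(byte[] data) {
        try (ZipArchiveInputStream zis =
                     new ZipArchiveInputStream(new ByteArrayInputStream(data))) {
            walk(zis);
        } catch (IOException expected) {
            // Malformed archives are supposed to fail with IOException, so this
            // is not a finding. Anything else that escapes (NullPointerException,
            // ArrayIndexOutOfBoundsException, IllegalArgumentException, OOM,
            // timeouts) is what the fuzzer reports as a bug.
        }
    }

    /**
     * Walks every entry and drains its contents up to the per-entry cap.
     * Returns the number of entries visited so it can also be called from a
     * normal unit test with a known-good archive.
     */
    static int walk(ZipArchiveInputStream zis) throws IOException {
        byte[] buf = new byte[8192];
        int entries = 0;
        ArchiveEntry entry;
        while (entries < MAX_ENTRIES && (entry = zis.getNextEntry()) != null) {
            entries++;
            if (!zis.canReadEntryData(entry)) {
                // Unsupported compression method or encrypted entry: skip it
                // rather than treating the refusal as a crash.
                continue;
            }
            long read = 0;
            int n;
            while (read < MAX_BYTES_PER_ENTRY && (n = zis.read(buf)) != -1) {
                read += n;
            }
        }
        return entries;
    }
}
```

Exercising the entry contents, not only the headers, matters for coverage: many past Commons Compress findings sit in the decompression path, and a harness that stops at getNextEntry() never reaches it. The same shape transfers to the other archivers named in the issue (Tar, 7z, Ar, Arj, Cpio) by swapping the input-stream class; the drain-with-cap loop stays the same.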