Posted to hdfs-dev@hadoop.apache.org by Wei-Chiu Chuang <we...@apache.org> on 2023/06/12 21:03:32 UTC

Fwd: [jira] [Created] (HADOOP-18768) Integrating Apache Hadoop into OSS-Fuzz

Are there Hadoop committers who would like to help triage bug reports from
OSS-Fuzz?

---------- Forwarded message ---------
From: Henry Lin (Jira) <ji...@apache.org>
Date: Mon, Jun 12, 2023 at 9:10 AM
Subject: [jira] [Created] (HADOOP-18768) Integrating Apache Hadoop into
OSS-Fuzz
To: <co...@hadoop.apache.org>


Henry Lin created HADOOP-18768:
----------------------------------

             Summary: Integrating Apache Hadoop into OSS-Fuzz
                 Key: HADOOP-18768
                 URL: https://issues.apache.org/jira/browse/HADOOP-18768
             Project: Hadoop Common
          Issue Type: Test
            Reporter: Henry Lin


Hi all,

We have prepared the [initial integration|https://github.com/google/oss-fuzz/pull/10511] of Apache Hadoop into [Google OSS-Fuzz|https://github.com/google/oss-fuzz] which will provide more security for your project.



*Why do you need Fuzzing?*
The Code Intelligence JVM fuzzer [Jazzer|https://github.com/CodeIntelligenceTesting/jazzer] has already found [hundreds of bugs|https://github.com/CodeIntelligenceTesting/jazzer/blob/main/docs/findings.md] in open source projects including for example [OpenJDK|https://nvd.nist.gov/vuln/detail/CVE-2022-21360], [Protobuf|https://nvd.nist.gov/vuln/detail/CVE-2021-22569] or [jsoup|https://github.com/jhy/jsoup/security/advisories/GHSA-m72m-mhq2-9p6c].
Fuzzing proved to be very effective, having no false positives. It provides a crashing input which helps you to reproduce and debug any finding easily. The integration of your project into the OSS-Fuzz platform will enable continuous fuzzing of your project by [Jazzer|https://github.com/CodeIntelligenceTesting/jazzer].



*What do you need to do?*
The integration requires the maintainer or one established project
committer to deal with the bug reports.

You need to create or provide one email address that is associated with a Google account as per [here|https://google.github.io/oss-fuzz/getting-started/accepting-new-projects/].
When a bug is found, you will receive an email that will provide you with
access to ClusterFuzz, crash reports, code coverage reports and fuzzer
statistics. More than 1 person can be included.



*How can Code Intelligence support you?*
We will continue to add more fuzz targets to improve code coverage over
time. Furthermore, we are permanently enhancing fuzzing technologies by
developing new fuzzers and bug detectors.



Please let me know if you have any questions regarding fuzzing or the
OSS-Fuzz integration.


