You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@commons.apache.org by "A. Schaich (Jira)" <ji...@apache.org> on 2022/09/20 14:52:00 UTC

[jira] [Created] (BCEL-364) Integrating bcel into oss-fuzz

A. Schaich created BCEL-364:
-------------------------------

             Summary: Integrating bcel into oss-fuzz
                 Key: BCEL-364
                 URL: https://issues.apache.org/jira/browse/BCEL-364
             Project: Commons BCEL
          Issue Type: Improvement
            Reporter: A. Schaich


Hi all,

we have prepared the [Initial integration|https://github.com/CodeIntelligenceTesting/oss-fuzz/commit/8e98d61d59164683ff72203b5aa6768cb3d68acb] of bcel into [Google OSS-Fuzz|https://github.com/google/oss-fuzz] which will provide more security for your project.

 

*Why do you need Fuzzing?*
The Code Intelligence JVM fuzzer [Jazzer|https://github.com/CodeIntelligenceTesting/jazzer] has already found [hundreds of bugs|https://github.com/CodeIntelligenceTesting/jazzer#findings] in open source projects including for example [OpenJDK|https://nvd.nist.gov/vuln/detail/CVE-2022-21360], [Protobuf|https://nvd.nist.gov/vuln/detail/CVE-2021-22569] or [jsoup|https://github.com/jhy/jsoup/security/advisories/GHSA-m72m-mhq2-9p6c]. Fuzzing proved to be very effective having no false positives. It provides a crashing input which helps you to reproduce and debug any finding easily. The integration of your project into the OSS-Fuzz platform will enable continuous fuzzing of your project by [Jazzer|https://github.com/CodeIntelligenceTesting/jazzer].

 

*What do you need to do?*
The integration requires the maintainer or one established project commiter to deal with the bug reports.

You need to create or provide one email address that is associated with a google account as per [here|https://google.github.io/oss-fuzz/getting-started/accepting-new-projects/]. When a bug is found, you will receive an email that will provide you with access to ClusterFuzz, crash reports, code coverage reports and fuzzer statistics. More than 1 person can be included.

 

*How Code Intelligence can support?*
We will continue to add more fuzz targets to improve code coverage over time. Furthermore, we are permanently enhancing fuzzing technologies by developing new fuzzers and more bug detectors.

 

Please let me know if you have any questions regarding fuzzing or the OSS-Fuzz integration.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)