You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tika.apache.org by Nick Burch <ni...@apache.org> on 2021/03/05 14:27:00 UTC

FW: OSS-Fuzz integration 

Hi All

For those who don't follow dev@commons, there's yet another fulling tool 
on the block! Details below. Looks pretty neat, and is now being used on a 
few Apache Commons projects, including Commons Compress which we use

What do people think about more fuzzing? Worth doing? Or just too much 
noise, given the spread of dependencies etc? I can reach out to these 
folks if there's interest, and see if they'd set up an instance for us

(My view is we can never protect against all broken docs, and people 
calling Tika need to take account + take care as we will fall over fairly 
often, but that we ought to try to fix the most obvious problems! 1% of 
the internet is still a lot and all that....)

Nick

---------- Forwarded message ----------
Date: Fri, 5 Mar 2021 09:07:03 +0100
From: Fabian Meumertzheim <me...@code-intelligence.com>
Reply-To: Commons Developers List <de...@commons.apache.org>
To: dev@commons.apache.org
Subject: [COMPRESS] OSS-Fuzz integration

I am one of the maintainers of Jazzer
(https://github.com/CodeIntelligenceTesting/jazzer), a new open-source
fuzzer for JVM projects based on libFuzzer.

I have set up a few Commons projects for local fuzzing with Jazzer,
which lead to quite a few bug reports in Compress and other projects
(https://issues.apache.org/jira/browse/COMPRESS-569?jql=reporter%20%3D%20Meumertzheim).
While the majority of the bugs found are undeclared exceptions, this
approach also caught an infinite loop on a crafted 0.5KB .tar before
it could make it into a release (see COMPRESS-569).

Jazzer is in the process of being integrated into OSS-Fuzz
(https://github.com/google/oss-fuzz) for continuous fuzzing on
Google-provided infrastructure (ClusterFuzz).

If you agree this is a good idea, I could set up Compress for fuzzing
on OSS-Fuzz. All I would need from you is a list of emails to which
the automated bug reports should go. The reports are usually directly
actionable as they include stack traces and minimized reproducers.

Fabian
https://code-intelligence.com

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
For additional commands, e-mail: dev-help@commons.apache.org