You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@avro.apache.org by "Martin Tzvetanov Grigorov (Jira)" <ji...@apache.org> on 2023/06/07 10:22:00 UTC

[jira] [Resolved] (AVRO-3769) Integrating Apache Avro into OSS-Fuzz

     [ https://issues.apache.org/jira/browse/AVRO-3769?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Martin Tzvetanov Grigorov resolved AVRO-3769.
---------------------------------------------
    Resolution: Fixed

I've agreed to add myself as a primary contact.

[https://github.com/google/oss-fuzz/pull/10453] has been merged so this issue can be closed too!

> Integrating Apache Avro into OSS-Fuzz
> -------------------------------------
>
>                 Key: AVRO-3769
>                 URL: https://issues.apache.org/jira/browse/AVRO-3769
>             Project: Apache Avro
>          Issue Type: Bug
>            Reporter: Henry Lin
>            Assignee: Martin Tzvetanov Grigorov
>            Priority: Major
>
> Hi all,
> We have prepared the [initial integration](https://github.com/google/oss-fuzz/pull/10453) of Apache Avro into [Google OSS-Fuzz|https://github.com/google/oss-fuzz] which will provide more security for your project.
>  
> *Why do you need Fuzzing?*
> The Code Intelligence JVM fuzzer [Jazzer|https://github.com/CodeIntelligenceTesting/jazzer] has already found [hundreds of bugs|https://github.com/CodeIntelligenceTesting/jazzer/blob/main/docs/findings.md] in open source projects including for example [OpenJDK|https://nvd.nist.gov/vuln/detail/CVE-2022-21360], [Protobuf|https://nvd.nist.gov/vuln/detail/CVE-2021-22569] or [jsoup|https://github.com/jhy/jsoup/security/advisories/GHSA-m72m-mhq2-9p6c]. Fuzzing proved to be very effective having no false positives. It provides a crashing input which helps you to reproduce and debug any finding easily. The integration of your project into the OSS-Fuzz platform will enable continuous fuzzing of your project by [Jazzer|https://github.com/CodeIntelligenceTesting/jazzer].
>  
> *What do you need to do?*
> The integration requires the maintainer or one established project committer to deal with the bug reports.
> You need to create or provide one email address that is associated with a google account as per [here|https://google.github.io/oss-fuzz/getting-started/accepting-new-projects/]. When a bug is found, you will receive an email that will provide you with access to ClusterFuzz, crash reports, code coverage reports and fuzzer statistics. More than 1 person can be included.
>  
> *How can Code Intelligence support you?*
> We will continue to add more fuzz targets to improve code coverage over time. Furthermore, we are permanently enhancing fuzzing technologies by developing new fuzzers and bug detectors.
>  
> Please let me know if you have any questions regarding fuzzing or the OSS-Fuzz integration.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)