Posted to issues@lucene.apache.org by "0roman (via GitHub)" <gi...@apache.org> on 2023/02/22 08:08:31 UTC

[GitHub] [lucene] 0roman commented on issue #12165: Integrating Apache Lucene into OSS-Fuzz

0roman commented on issue #12165:
URL: https://github.com/apache/lucene/issues/12165#issuecomment-1439586559

> So I disagree with adding another fuzzing engine into Lucene. We have a library called "randomized-testing" which provides everything needed. Almost every test in Lucene has fuzzing included, the example above is just a very special one with a very wide range of components tested. Background: Lucene is using randomized testing since around 2012. Here is a talk from 2014 by @dweiss about it: https://2019.berlinbuzzwords.de/14/session/randomize-your-tests-and-it-will-blow-your-socks.html

The talk was interesting, and Randomized Testing is a great contribution to explore complex boundary conditions and to find unexpected edge cases. However, the approach is quite different, which is fine because it fits your use case.

Modern fuzzing is coverage-guided, which means the tested code is instrumented to give the fuzzer feedback about code coverage and further insights when executing a test case. The fuzzer then optimizes its mutations to generate inputs that maximize code coverage and pass checks in the code, such as string comparisons. Furthermore, [Jazzer](https://github.com/CodeIntelligenceTesting/jazzer) has specialized bug detectors that detect various classes of vulnerabilities like command injections, insecure deserialization, or attacker-controlled class loading.

Based on that, I suggest we continue the OSS-Fuzz Onboarding without a maintainer. This way, you don't get any findings notifications from OSS-Fuzz. We will then receive finding reports from OSS-Fuzz, and we will make sure that we communicate interesting findings with you. You can still be added as maintainers afterward if you later see an added value in the findings you get. Thanks all for the contribution.
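A Jazzer fuzz target for Lucene's classic query parser, added here to illustrate the coverage-guided approach the comment above describes; it is not code from the issue thread or from the Lucene project. It assumes Lucene core, the queryparser module and Jazzer's `FuzzedDataProvider` are on the classpath, and `QueryParserFuzzer` is a hypothetical class name.

```java
import com.code_intelligence.jazzer.api.FuzzedDataProvider;
import java.io.IOException;
import org.apache.lucene.analysis.standard.StandardAnalyzer;
import org.apache.lucene.document.Document;
import org.apache.lucene.document.Field;
import org.apache.lucene.document.TextField;
import org.apache.lucene.index.DirectoryReader;
import org.apache.lucene.index.IndexWriter;
import org.apache.lucene.index.IndexWriterConfig;
import org.apache.lucene.queryparser.classic.ParseException;
import org.apache.lucene.queryparser.classic.QueryParser;
import org.apache.lucene.search.IndexSearcher;
import org.apache.lucene.search.Query;
import org.apache.lucene.store.ByteBuffersDirectory;
import org.apache.lucene.store.Directory;

// Hypothetical fuzz target; Jazzer discovers the two static methods below by name.
public class QueryParserFuzzer {
  private static final StandardAnalyzer ANALYZER = new StandardAnalyzer();
  private static IndexSearcher searcher;

  // Jazzer calls fuzzerInitialize() once before the fuzzing loop: build a tiny
  // constructed in-memory index so parsed queries can also be executed.
  public static void fuzzerInitialize() throws IOException {
    Directory dir = new ByteBuffersDirectory();
    try (IndexWriter w = new IndexWriter(dir, new IndexWriterConfig(ANALYZER))) {
      for (String text : new String[] {"apache lucene search", "fuzzing finds bugs"}) {
        Document doc = new Document();
        doc.add(new TextField("body", text, Field.Store.NO));
        w.addDocument(doc);
      }
    }
    searcher = new IndexSearcher(DirectoryReader.open(dir));
  }

  // Jazzer calls fuzzerTestOneInput() for every mutated input. Coverage feedback
  // from the instrumented parser steers the mutations toward new syntax paths.
  public static void fuzzerTestOneInput(FuzzedDataProvider data) throws IOException {
    QueryParser parser = new QueryParser("body", ANALYZER);
    parser.setAllowLeadingWildcard(data.consumeBoolean());
    String input = data.consumeRemainingAsString();  // must be the last consume* call
    Query q;
    try {
      q = parser.parse(input);
    } catch (ParseException | IllegalArgumentException expected) {
      return;  // malformed syntax or a bad regex is a documented rejection, not a bug
    }
    // Any other throwable (StackOverflowError, index errors, OOM) is reported as a finding.
    searcher.search(q, 10);
  }
}
```

Catching only the exceptions the parser documents keeps the corpus focused on genuinely unexpected behaviour, which is what an OSS-Fuzz finding report should contain.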