Posted to dev@tomcat.apache.org by bu...@apache.org on 2022/06/01 11:48:10 UTC

[Bug 66101] New: Initial integration of tomcat into OSS-Fuzz

https://bz.apache.org/bugzilla/show_bug.cgi?id=66101

            Bug ID: 66101
           Summary: Initial integration of tomcat into OSS-Fuzz
           Product: Tomcat 10
           Version: unspecified
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: Examples
          Assignee: dev@tomcat.apache.org
          Reporter: patrice.salathe@code-intelligence.com
  Target Milestone: ------

Hi all,

I have prepared the initial integration
https://github.com/CodeIntelligenceTesting/oss-fuzz/commit/bf7c594227c2af140dc3ca7c349b165c1396b1bf
of Tomcat into Google OSS-Fuzz (https://github.com/google/oss-fuzz). This will
enable continuous fuzzing of this project, which will be conducted by Google.
Bugs that will be found by fuzzing will be reported to you. After the initial
integration of this project into OSS-Fuzz, I will continue to add additional
fuzz tests to improve the code coverage over time.

The integration requires a primary contact, someone to deal with the bug
reports submitted by OSS-Fuzz. The email address needs to belong to an
established project committer and be associated with a Google account as per
here
(https://google.github.io/oss-fuzz/getting-started/accepting-new-projects/).
When a bug is found, you will receive an email that will provide you with
access to ClusterFuzz, crash reports, and fuzzer statistics. More than 1 person
can be included. Please let me know who I should include, if anyone.

Jazzer (https://github.com/CodeIntelligenceTesting/jazzer) is used for fuzzing
Java applications. Jazzer is a coverage-guided, in-process fuzzer for the JVM
platform developed by Code Intelligence. It is based on libFuzzer and brings
many of its instrumentation-powered mutation features to the JVM. Jazzer has
already found several bugs in JVM applications: Jazzer Findings
(https://github.com/CodeIntelligenceTesting/jazzer#findings)

Please let me know if you have any questions regarding fuzzing or the OSS-Fuzz
integration.

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


[Bug 66101] Initial integration of tomcat into OSS-Fuzz

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=66101

--- Comment #1 from Mark Thomas <ma...@apache.org> ---
I'll set up a Google account for the Tomcat security team's address.



[Bug 66101] Initial integration of tomcat into OSS-Fuzz

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=66101

--- Comment #2 from PatriceS <pa...@code-intelligence.com> ---
(In reply to Mark Thomas from comment #1)
> I'll set up a Google account for the Tomcat security team's address.

Perfect, thank you.



[Bug 66101] Initial integration of tomcat into OSS-Fuzz

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=66101

Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #3 from Mark Thomas <ma...@apache.org> ---
Done. Please use:
security@tomcat.apache.org
