FasterXML / jackson-dataformats-binary

Uber-project for standard Jackson binary format backends: avro, cbor, ion, protobuf, smile
Apache License 2.0

OSS-Fuzz integration #254

Closed fmeum closed 3 years ago

fmeum commented 3 years ago

The Java fuzzer Jazzer has now been integrated into OSS-Fuzz, Google's fuzzing platform for open-source software. Jazzer has already found multiple bugs and security issues, including two cases of undeclared exceptions in the Jackson CBOR parser. Using OSS-Fuzz's resources, this and other Jackson parsers could be continuously fuzzed from the HEAD of the current development branch.

I have drafted a PR for the OSS-Fuzz integration of the CBOR parser at https://github.com/CodeIntelligenceTesting/oss-fuzz/commit/748d97dd0c8b1640c6291b8ae9ef9b07cd0ec617. I had to tweak a few Maven settings to get all required repositories to build on the 2.13 branch.

@cowtowncoder What do you think about this? I will gladly answer your questions regarding OSS-Fuzz and the implications of being fuzzed by it.
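
A minimal Jazzer fuzz target of the kind the integration described above runs, written here as an added example (it is not the code from the linked PR nor the project's own code). It assumes the Jackson CBOR module (`jackson-dataformat-cbor`) and the Jazzer API jar are on the classpath; the class name `CborFuzzer` is an arbitrary choice. The entry point `fuzzerTestOneInput(byte[])` is the one Jazzer looks up by name; everything the parser throws as a declared `IOException` is treated as expected rejection of malformed input, so only undeclared runtime exceptions (the class of bug mentioned above) surface as findings:

```java
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.core.JsonToken;
import com.fasterxml.jackson.dataformat.cbor.CBORFactory;
import java.io.IOException;

public class CborFuzzer {
    // One factory for all iterations; parsers themselves are per-input.
    private static final CBORFactory FACTORY = new CBORFactory();

    // Jazzer calls this once per generated input (byte[] entry-point form).
    public static void fuzzerTestOneInput(byte[] input) {
        try (JsonParser parser = FACTORY.createParser(input)) {
            JsonToken token;
            // Walk the whole token stream so nested containers, tags and
            // length-prefixed values are all exercised, not just the first token.
            while ((token = parser.nextToken()) != null) {
                // Touch the decoded value: several decoding paths are lazy and
                // only run when the value is actually requested.
                switch (token) {
                    case VALUE_STRING:
                        parser.getText();
                        break;
                    case VALUE_NUMBER_INT:
                    case VALUE_NUMBER_FLOAT:
                        parser.getNumberValue();
                        break;
                    case VALUE_EMBEDDED_OBJECT:
                        parser.getEmbeddedObject();
                        break;
                    default:
                        break;
                }
            }
        } catch (IOException expected) {
            // Malformed CBOR is supposed to be reported via the declared
            // IOException hierarchy (JsonParseException etc.); not a finding.
        }
        // Any other exception (ArrayIndexOutOfBoundsException,
        // NullPointerException, NegativeArraySizeException, ...) escapes this
        // method and is reported by Jazzer as an undeclared exception.
    }
}
```

Run locally with Jazzer's standalone launcher, pointing `--cp` at a classpath containing the compiled class plus the Jackson jars and `--target_class` at `CborFuzzer`; on OSS-Fuzz the same class is built and run by the project's `build.sh` instead. Crashing inputs are written to the working directory and can be replayed through the same entry point to reproduce a report.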

cowtowncoder commented 3 years ago

@fmeum This sounds like a great improvement and I would be very interested in getting something like this working. Testing all kinds of edge cases is difficult and anything that helps finding rare problems with encoding or handling is very valuable. Sometimes I get reports for a bug that must have been in for 8 years but is too rare to have been caught or reported.

I'll try reading the linked article to learn more. I assume the challenges lie in integrating the generation and tests, and perhaps having mechanisms for how to deal with problems found (esp. during time when problem persists).

fmeum commented 3 years ago

In fact, the linked PR is already fully functional. You would only need to do the following:

The most important thing to know about OSS-Fuzz is that any findings (both general bugs and security issues) will become public automatically after 90 days or a short time after the fix has landed in the project's repository.

cowtowncoder commented 3 years ago

@fmeum thank you! On specific points:

fmeum commented 3 years ago

  • Yes, email works (I may want to change it to tatu at fasterxml dot com at some point but both work)

Since I was making some changes anyway, I went ahead and updated your email: https://github.com/CodeIntelligenceTesting/oss-fuzz/commit/c13c42f956f567afbf9f7532e4462cd65c0e0500

  • 2.13 is probably the best at this point: master is for Jackson 3.0 and at some point we may want to change it (or if possible add?), but for now 2.13 is optimal

It is certainly possible to set up fuzzing for two distinct branches, but in order to keep things simple let's start with 2.13.

  • Not sure what to do with preview: that is needed for Record support, although only by test code (non-test code uses reflection to dynamically enable support iff specific classes are available). Open to suggestions

Thanks for the hint that this is only needed for tests. In the commit linked above, I am now disabling the java14+ Maven profile to cleanly prevent any build issues.

Now, on usage: would this be running "in the background", and report findings if any, based on generated test inputs, against latest commits? Or would I need to do something. Apologies if this is a FAQ.

This would be running in the background (on ClusterFuzz, to be precise) and automatically pick up the newest commit on the 2.13 branch about once per day. You will be notified via email of any finding (you can take a look at the public ones here). There is nothing you need to do other than act on the received bug reports. Once an issue has been fixed on the 2.13 branch, ClusterFuzz will automatically detect this.

I will be CCed on any issue found by Jazzer and will gladly help you in case you should have any problems reproducing the findings.

If you agree to all of this, I will submit this commit as a PR to the OSS-Fuzz repo to get the project up and running.

cowtowncoder commented 3 years ago

@fmeum That sounds great. Let's do it!