auth0 / java-jwt

Java implementation of JSON Web Token (JWT)
MIT License
5.91k stars 926 forks

Integrating java-jwt into OSS-Fuzz #660

Closed henryrneh closed 1 year ago

henryrneh commented 1 year ago

Hi all,

We have prepared the initial integration of java-jwt into Google OSS-Fuzz which will provide more security for your project.

Why do you need Fuzzing? The Code Intelligence JVM fuzzer Jazzer has already found hundreds of bugs in open source projects, including, for example, OpenJDK, Protobuf or jsoup. Fuzzing has proved to be very effective, having no false positives. It provides a crashing input, which helps you to reproduce and debug any finding easily. The integration of your project into the OSS-Fuzz platform will enable continuous fuzzing of your project by Jazzer.

What do you need to do? The integration requires the maintainer or one established project committer to deal with the bug reports.

You need to create or provide one email address that is associated with a Google account as per here. When a bug is found, you will receive an email that will provide you with access to ClusterFuzz, crash reports, code coverage reports and fuzzer statistics. More than 1 person can be included.

How can Code Intelligence support you? We will continue to add more fuzz targets to improve code coverage over time. Furthermore, we are permanently enhancing fuzzing technologies by developing new fuzzers and bug detectors.

Please let me know if you have any questions regarding fuzzing or the OSS-Fuzz integration.
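
As an added example (not the harness from the OSS-Fuzz integration and not code from the java-jwt project), this is the shape of a Jazzer fuzz target for java-jwt: Jazzer calls `fuzzerTestOneInput` with mutated inputs, the target feeds them to `JWT.decode` and a `JWTVerifier`, and only the library's documented exceptions are swallowed, so any other uncaught throwable is reported as a finding together with the crashing input. The class name, the HMAC secret and the choice of which exceptions count as expected are assumptions.

```java
import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTDecodeException;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.DecodedJWT;
import com.code_intelligence.jazzer.api.FuzzedDataProvider;

// Hypothetical fuzz target class name. Jazzer invokes fuzzerTestOneInput
// repeatedly; an uncaught exception that is not one of the library's
// documented ones becomes a finding with a reproducible crashing input.
public class JwtDecodeFuzzer {

    // Fixed secret (assumed value) so verification is deterministic and a
    // crash can be replayed from the saved input alone.
    private static final JWTVerifier VERIFIER =
            JWT.require(Algorithm.HMAC256("fuzz-only-secret")).build();

    public static void fuzzerTestOneInput(FuzzedDataProvider data) {
        String token = data.consumeRemainingAsString();

        // Stage 1: structural parsing of header.payload.signature.
        DecodedJWT decoded;
        try {
            decoded = JWT.decode(token);
        } catch (JWTDecodeException expected) {
            // Malformed input is the documented failure mode, not a bug.
            return;
        }

        // Exercise the accessors on whatever was parsed; for a token that
        // decoded, nothing here should throw anything but JWTDecodeException.
        decoded.getHeader();
        decoded.getPayload();
        decoded.getSignature();
        decoded.getAlgorithm();
        decoded.getSubject();
        decoded.getClaims();

        // Stage 2: signature and claim verification against the fixed key.
        // A wrong signature or a rejected claim is the documented outcome;
        // anything else (IllegalArgumentException, NullPointerException,
        // StackOverflowError, ...) escapes and is reported by Jazzer.
        try {
            VERIFIER.verify(decoded);
        } catch (JWTVerificationException expected) {
            // Expected for almost every fuzzer-generated token.
        }
    }
}
```

Build the class against java-jwt and the Jazzer API jar and pass its name to Jazzer with `--target_class`; a saved crash input can then be replayed through the same target to reproduce the finding.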

jimmyjames commented 1 year ago

Hey @henryrneh, thanks for the request. We have some work planned to investigate and add some analysis tooling to this project; I don't know if it will be OSS-Fuzz or something else (some of that depends on Okta's existing tooling and review). Going to close the issue because I don't know that OSS-Fuzz will be the choice, but appreciate the suggestion.

henryrneh commented 1 year ago

Hi @jimmyjames, no problem, thanks for reaching out! We will report back if there are any findings from OSS-Fuzz. Feel free to contact me or the Google OSS-Fuzz team when you have any questions.