search

eclipse-ee4j / jersey

Eclipse Jersey Project - Read our Wiki:
https://github.com/eclipse-ee4j/jersey/wiki
Other
691 stars 357 forks source link

Integration of jersey into OSS-Fuzz #5049

Open onionpsy opened 2 years ago

onionpsy commented 2 years ago

Hi all,

I have prepared the initial integration https://github.com/CodeIntelligenceTesting/oss-fuzz/commit/8cbf0fbfe26188b6a4927f681377a85bd882ef6b of jersey into google oss-fuzz. This will enable continuous fuzzing of this project, which will be conducted by Google. Bugs that will be found by fuzzing will be reported to you. After the initial integration of this project into oss-fuzz, I will continue to add additional fuzz tests to improve the code coverage over time.

The integration requires a primary contact, someone to deal with the bug reports submitted by oss-fuzz. The email address needs to belong to an established project committer and be associated with a Google account as per here. When a bug is found, you will receive an email that will provide you with access to ClusterFuzz, crash reports, and fuzzer statistics. More than 1 person can be included. Please let me know who I should include, if anyone.

Jazzer is used for fuzzing Java applications. Jazzer is a coverage-guided, in-process fuzzer for the JVM platform developed by Code Intelligence. It is based on libFuzzer and brings many of its instrumentation-powered mutation features to the JVM. Jazzer has already found several bugs in JVM applications: Jazzer Findings

Please let me know if you have any questions regarding fuzzing or the oss-fuzz integration.

jansupol commented 2 years ago

Thank you, Jersey team appreciates tools like this that help makes Jersey better.

I can see it is the master branch (the default branch) that is used for your docker image. This is basically for Jersey 2.x, which is being kept updated, but the main development is in the 3.1 branch, currently. Jersey 3.1 is about to be released this month, and then the master will be made from the 3.1 branch. Hence, the tool can get a bit different result now and in a few weeks. I was not able to find information about how often is the project scanned.

As for the primary contact, I am not sure whether we should create a new Gmail account for the project or whether the personal email would be ok?

onionpsy commented 2 years ago

Ok. I made the changes to use the 3.1 branch. I'll switch back to master once 3.1 is released.

Regarding your question, you don't necessarily need a google account but it is recommended because it gives you access to clusterfuzz and the oss-fuzz issue tracker. In any case you'll receive a bug report by email. You can read more about it here: https://google.github.io/oss-fuzz/faq/#why-do-you-require-a-google-account-for-authentication

onionpsy commented 2 years ago

Hi. Just wanted to let you know that I integrated Jersey into OSS-Fuzz without maintainer. Feel free to contact me again once you want to be the maintainer. In the meantime, I'll regularly inform you of all the findings found by OSS-Fuzz.