mozilla / rhino

Rhino is an open-source implementation of JavaScript written entirely in Java
https://rhino.github.io

oss-fuzz integration #1290

Open aschaich opened 1 year ago

aschaich commented 1 year ago

Hi all,

We have prepared the initial integration of Rhino into Google OSS-Fuzz, which will provide more security for your project.

Why do you need fuzzing? The Code Intelligence JVM fuzzer Jazzer has already found hundreds of bugs in open source projects including, for example, OpenJDK, Protobuf or jsoup. Fuzzing proved to be very effective, having no false positives. It provides a crashing input which helps you to reproduce and debug any finding easily. The integration of your project into the OSS-Fuzz platform will enable continuous fuzzing of your project by Jazzer.

What do you need to do? The integration requires the maintainer or one established project committer to deal with the bug reports.

You need to create or provide one email address that is associated with a Google account as per here. When a bug is found, you will receive an email that will provide you with access to ClusterFuzz, crash reports, code coverage reports and fuzzer statistics. More than 1 person can be included.

How Code Intelligence can support? We will continue to add more fuzz targets to improve code coverage over time. Furthermore, we are permanently enhancing fuzzing technologies by developing new fuzzers and more bug detectors.

Please let me know if you have any questions regarding fuzzing or the OSS-Fuzz integration.

rbri commented 1 year ago

Just made a PR (https://github.com/google/oss-fuzz/pull/9371) for this

@gbrail @p-bakker have done this already for HtmlUnit, so I'm already a bit familiar with the next steps. As soon as the first issues are coming in I will add test cases for reproducing this and maybe fixes also :-)

Hope this is fine for you...

And 'all the best for 2023' for you and your family

p-bakker commented 8 months ago

Would be fine for me, which email address will you use?

rbri commented 8 months ago

@p-bakker this is done already - rbri at rbri tot de so far - but we can change this

p-bakker commented 8 months ago

Ah, great, so we can close this issue then?

p-bakker commented 8 months ago

Has it yielded anything yet?

p-bakker commented 8 months ago

As @rbri created a PR that got merged, can this issue now be closed, or is there more to it? @rbri / @aschaich