Closed centic9 closed 1 year ago
One strange thing: Running fuzz-introspector locally for one of the projects as follows seems to somehow provide the .class files and thus makes introspection work, but when run as part of oss-fuzz builds, it is missing.
```sh
cd oss-fuzz
python3 infra/helper.py introspector apache-poi
```
@arthurscchan could you take a look at this?
Another finding:
Latest runs in oss-fuzz have this fixed now, e.g. commons-bcel in https://oss-fuzz-build-logs.storage.googleapis.com/log-65c3c6ab-9375-4512-b0d2-a1867c2ac5d4.txt (apache-poi now times out, but this is likely a different issue: https://oss-fuzz-build-logs.storage.googleapis.com/log-27ba5608-2d21-46dc-9411-9c07ba3bd9a6.txt).
The java frontend currently fails for a number of projects in oss-fuzz with a message:

```
'c' flag requires manifest or input files to be specified!
```

See the recent introspection builds at e.g. https://oss-fuzz-build-logs.storage.googleapis.com/index.html#apache-commons-bcel or https://oss-fuzz-build-logs.storage.googleapis.com/index.html#apache-poi (among likely other projects with similar errors).
It seems the code at https://github.com/ossf/fuzz-introspector/blob/main/frontends/java/oss-fuzz-main.py#L74 fails to find the class-files for these projects and thus the invocation of the "jar"-tool at https://github.com/ossf/fuzz-introspector/blob/main/frontends/java/oss-fuzz-main.py#L91 is incorrect as there are no class-files provided.
Initial analysis indicates that these projects store the .java code for fuzz-targets under a "src/main/java" sub-directory and use Maven for building the fuzz-target via a pom.xml, meaning that no .class files are available in the "out" directory; the code is only included in the .jar-file `poi-fuzzer-5.2.4-SNAPSHOT.jar`. It seems fuzz-introspector does not support this project-setup currently as it is looking for .class-files in the directory structure, but in this case they are only available inside the shaded jar-file.
Not sure what the best option is, adjusting projects in oss-fuzz seems hard and error-prone, ideally fuzz-introspector would support this type of setup out of the box.
It could e.g. extract the fuzz-target from the .jar file in this case.
Also a check with a better error message would be nice as currently the root-cause is not very clear from the error-message.
I'd be willing to work on a PR if I can get some guidance as to what a good approach would be.
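As an added illustration of the fallback suggested in this issue (this is not code from fuzz-introspector or from the issue author): a Python sketch that looks for loose .class files first, falls back to extracting the .class entries from any .jar found in the out directory, and otherwise fails with an explicit error instead of handing the `jar` tool an empty input list. The directory names and the sample jar in `demo()` are constructed assumptions.

```python
import tempfile
import zipfile
from pathlib import Path


class NoClassFilesError(RuntimeError):
    """Raised when neither loose .class files nor a jar containing classes exists."""


def extract_classes_from_jars(out_dir, dest_dir):
    """Fallback for Maven-built (shaded) fuzzer jars: pull the .class entries out of each jar."""
    extracted = []
    for jar in sorted(Path(out_dir).rglob("*.jar")):
        with zipfile.ZipFile(jar) as zf:
            for name in zf.namelist():
                if not name.endswith(".class") or name.startswith("META-INF/"):
                    continue  # manifest, resources and directory entries are not classes
                target = Path(dest_dir, name)
                if Path(dest_dir).resolve() not in target.resolve().parents:
                    continue  # zip-slip guard: an entry like ../x.class must not escape dest_dir
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(zf.read(name))
                extracted.append(str(target))
    return extracted


def collect_class_files(out_dir, dest_dir):
    """Loose .class files first (what the frontend looks for today), then jar contents."""
    found = sorted(str(p) for p in Path(out_dir).rglob("*.class"))
    found = found or extract_classes_from_jars(out_dir, dest_dir)
    if not found:
        raise NoClassFilesError(
            f"no .class files under {out_dir}, neither on disk nor inside any .jar; "
            "the 'jar' tool would be invoked with no input files")
    return found


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        out, work, empty = (Path(tmp, n) for n in ("out", "work", "empty"))
        for d in (out, empty):
            d.mkdir()
        with zipfile.ZipFile(out / "poi-fuzzer.jar", "w") as zf:  # constructed sample jar
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            zf.writestr("org/example/PoiFuzzer.class", b"\xca\xfe\xba\xbe")
        classes = [Path(p).relative_to(work).as_posix() for p in collect_class_files(out, work)]
        try:
            collect_class_files(empty, work)
            error = None
        except NoClassFilesError as exc:
            error = str(exc)
    return classes, error
```

`demo()` returns the class paths recovered from the shaded jar together with the error message produced for a directory that contains neither classes nor jars.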