For my understanding, is oss-fuzz an open source project that is maintained and 
managed by Google (and is not an Apache project) but is for “fuzz testing”, with 
a portion focused on Apache Commons products?

So am I correct in saying that oss-fuzz is run against Apache Commons, which may find 
problems in Commons, so any findings would be identified as a bug and fixed as 
applicable?


________________________________
From: Bruno Kinoshita <ki...@apache.org>
Sent: Monday, October 10, 2022 3:51:30 PM
To: Commons Developers List <dev@commons.apache.org>
Subject: Re: Re: [jxpath] reported CVE and path forward

Hi Matt,

I am also subscribed to oss-fuzz for Imaging.

Looks like someone added jxpath to oss-fuzz here:
https://github.com/google/oss-fuzz/pull/7582

The initial oss-fuzz for ASF was, if I recall correctly, all put under a
single project:
https://github.com/google/oss-fuzz/tree/master/projects/apache-commons

If you go one level higher in that repository link, you will see there are
now other projects in oss-fuzz for other Commons components.

The apache-commons project (that contains Imaging, Compress, and Geometry)
had a custom policy, agreed in the mailing list and later with someone that
maintained oss-fuzz, where ASF issues were not disclosed in 90 days, but
instead gave us more time to align the issues with our ASF process.

I am not sure if these other projects follow similar policy, nor if the ASF
developers are aware of the integration (I only keep an eye on
compress/imaging/geometry notifications from the apache-commons project).
Also not sure whether it's better to have everything in a single project in
oss-fuzz or in separate projects. I'm happy with Imaging being a single
oss-fuzz project if needed, but I prefer to keep the policy of giving a
longer time to review the issues. I try to review important issues quickly,
but the ones that I know are very low priority or won't be fixed (e.g. OOM)
I leave for later.

Cheers
Bruno

On Tue, 11 Oct 2022 at 09:01, Matt Sicker <boa...@gmail.com> wrote:

> I get emails about some of the Commons fuzzing things, but I was only
> aware of it being enabled for compress and imaging.
>
> On Mon, Oct 10, 2022 at 1:37 PM Roman Wagner
> <wag...@code-intelligence.com> wrote:
> >
> > Hi all,
> >
> > I am working for Code Intelligence; we did our best to find a maintainer for
> > the oss-fuzz project. Unfortunately we've got no feedback until now, but it
> > seems to be an unmaintained project except for some typo fixes since some
> > years. I am not sure yet to which mailing list the bug report was sent,
> > but I will check that information with the team.
> >
> > However, I am really happy that there is some interest in fixing the RCE. I
> > have verified the vulnerability and for me it seems to be a valid
> > RCE. @Mark Thomas should we continue to discuss further details via
> > secur...@apache.org?
> >
> > Best regards
> > Roman
>