OSS-Fuzz would be very interesting to try out. We've tried using it in Commons, and so far, it's helped discover some bugs in commons-imaging (several binary file formats) and commons-compress (also several binary file formats). I'm the current contact point in Commons for our fuzzing setup, though not much is going on there since the initial issues were addressed.
On Mon, Jan 10, 2022 at 10:38 AM Gary Gregory <[email protected]> wrote:
>
> This all sounds great.
>
> On top of real issues, I am sure this will present exceptions being thrown
> here and there where we can make at the very least said exceptions carry
> meaningful messages instead of a mysterious IOOB or AIOBE.
>
> I guess it all depends what I want to do with my nights and weekends :-p
>
> Gary
>
>
> On Mon, Jan 10, 2022, 06:27 Volkan Yazıcı <[email protected]> wrote:
>
> > I think fuzzing is a really promising practice we should integrate into our
> > CI pipeline to figure out certain defects. Here is my elevator pitch:
> >
> > 1. Fuzzing or fuzz testing <https://en.wikipedia.org/wiki/Fuzzing> is an
> > automated software testing technique that involves providing invalid,
> > unexpected, or random data as inputs to a computer program.
> > 2. Jazzer <https://github.com/CodeIntelligenceTesting/jazzer> is a
> > fuzzer for JVM applications and open-sourced by Code Intelligence.
> > 3. OSS-Fuzz <https://github.com/google/oss-fuzz> is Google's automated
> > platform (including Google-provided build nodes!) to fuzz some noteworthy
> > F/OSS projects.
> > 4. [2021-04-10] OSS-Fuzz adds Jazzer support
> > <https://security.googleblog.com/2021/03/fuzzing-java-in-oss-fuzz.html>.
> > 5. [2021-12-13] Fabian Meumertzheim of Code Intelligence detects Log4j
> > CVE-2021-44228 in ~5 min with a one-line fuzz target
> > <https://twitter.com/fhenneke/status/1470377931230875650?s=20>.
> > 6. [2021-12-15] OSS-Fuzz adds Log4j to their suite
> > <https://github.com/google/oss-fuzz/pull/7016>.
> >
> > Though this is just the beginning. Somebody needs to spend some serious
> > amount of time to enrich the fuzz tests and cover as many Log4j entry
> > points as possible.
> >
> > I am tinkering with the idea of a Kickstarter-like initiative to sign up
> > for this. Maybe as a 2-months-long gig?
> >
> > Thoughts?
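A Jazzer fuzz target of the shape this thread is discussing, added here as an illustration and not code from the thread or from any of the projects named. It assumes the commons-compress ArchiveStreamFactory API as the parser entry point, and catches only the documented exception types so that the unexplained IOOB/AIOBE-style exceptions Gary mentions propagate and get reported as findings.

```java
import com.code_intelligence.jazzer.api.FuzzedDataProvider;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import org.apache.commons.compress.archivers.ArchiveEntry;
import org.apache.commons.compress.archivers.ArchiveException;
import org.apache.commons.compress.archivers.ArchiveInputStream;
import org.apache.commons.compress.archivers.ArchiveStreamFactory;

// Example fuzz target (assumed entry point: commons-compress archive detection).
// Run with: jazzer --cp=<classpath> --target_class=ArchiveFuzzer
public class ArchiveFuzzer {

    // Jazzer invokes this once per generated input.
    public static void fuzzerTestOneInput(FuzzedDataProvider data) {
        byte[] archive = data.consumeRemainingAsBytes();
        try (InputStream in = new ByteArrayInputStream(archive);
             ArchiveInputStream ais =
                     new ArchiveStreamFactory().createArchiveInputStream(in)) {
            byte[] buf = new byte[4096];
            ArchiveEntry entry;
            // Walk every entry and drain its contents so the decoders run.
            while ((entry = ais.getNextEntry()) != null) {
                while (ais.read(buf) != -1) {
                    // discard
                }
            }
        } catch (ArchiveException | IOException expected) {
            // Documented failure modes for malformed input: not a finding.
        }
        // Anything else (IndexOutOfBoundsException, NullPointerException,
        // OutOfMemoryError, ...) escapes and Jazzer reports it with a reproducer.
    }
}
```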
