[COMPRESS-720] Integrate OSS-Fuzz fuzzers and enable CIFuzz #762
vishalcoc44 wants to merge 4 commits into apache:master
@garydgregory could you check this out.
pom.xml
Outdated
| <dependency> | ||
| <groupId>com.code-intelligence</groupId> | ||
| <artifactId>jazzer-junit</artifactId> | ||
| <version>0.24.0</version> | ||
| <scope>test</scope> | ||
| </dependency> | ||
| </dependencies> |
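Review bot: `<scope>test</scope>` on `jazzer-junit` still has every default `mvn test` build resolve and load the artifact, even though it is only needed when fuzzing. If the `</dependencies>` shown here closes the project-level block, declare the dependency inside the `fuzz` profile's own `<dependencies>` so that only `mvn test -Pfuzz` pulls it in.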
I find this dependency, which is not trivial to build and includes native code, difficult to trust.
@raboof can you take a look at the new changes? I've removed jazzer-junit entirely. The fuzzer targets are now vanilla Java classes with no external requirements.
Hi @raboof
I've removed the dependency completely now.
| /** | ||
| * Class with common functionality shared among fuzzing harnesses. | ||
| */ | ||
| public class BaseTests { |
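Review bot: The name `BaseTests` ends in `Tests`, which matches Maven Surefire's default `**/*Tests.java` include, so if this file sits under src/test/java a plain `mvn test` will scan a class whose Javadoc says it only holds code shared among fuzzing harnesses. A name outside the test patterns, combined with `abstract` or a private constructor, keeps it out of test discovery and prevents instantiation.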
Hello @vishalcoc44
If this class is meant to be an abstract class, then please declare it as such and use the prefix "Abstract" in its name instead of "Base". Otherwise it looks like this class could be instantiated.
JIRA Ticket: COMPRESS-720
Currently, our fuzz testing lives externally in the google/oss-fuzz repository. While effective, this creates a gap between development and security testing. There is also the fact that Google is increasingly wanting their fuzzers to live in the upstream repositories.
This integration ensures that:
* Fuzzers evolve with the code: No more "bit-rot" when internal APIs change.
* Instant Feedback: The new CIFuzz workflow automatically stress-tests every Pull Request before it's merged.
* Developer Empowerment: Any contributor can now run these security tests locally with a single Maven command.
Maven Integration:
* Added jazzer-junit as a test-scoped dependency.
* Introduced a fuzz Maven profile. This keeps the fuzzers tucked away during standard mvn test runs but makes them easy to trigger via mvn test -Pfuzz.
17 Fuzzer Targets:
* We've integrated coverage for all major formats: Zip, Tar, 7z, Ar, Arj, Cpio, Dump, and several compressors (BZip2, Gzip, LZ4, Snappy, Z, etc.).
Automated Workflow:
* Added .github/workflows/cifuzz.yml to tap into Google's cifuzz actions for continuous security monitoring. (This workflow will run a mini cifuzz test every time someone changes something in the repo.)
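For readers following the thread, this is roughly what a fuzz target written as a vanilla Java class looks like. It is an added example, not code from this pull request: the class name `ZipStreamFuzzer`, the 16 MiB read cap and the choice to treat `IOException` as the expected rejection are assumptions, and it needs only commons-compress on the classpath.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Paths;

import org.apache.commons.compress.archivers.ArchiveEntry;
import org.apache.commons.compress.archivers.zip.ZipArchiveInputStream;

/** Hypothetical harness; the name is not taken from the pull request. */
public final class ZipStreamFuzzer {

    /** Assumed cap so one highly compressed input cannot stall a fuzzing run. */
    private static final long MAX_BYTES_PER_INPUT = 16L * 1024 * 1024;

    /** Jazzer finds this method by name and signature; no Jazzer types are needed. */
    public static void fuzzerTestOneInput(final byte[] data) {
        final byte[] buffer = new byte[8192];
        long total = 0;
        try (ZipArchiveInputStream in = new ZipArchiveInputStream(new ByteArrayInputStream(data))) {
            ArchiveEntry entry;
            while ((entry = in.getNextEntry()) != null) {
                // Touch the parsed metadata so header-parsing paths are exercised.
                entry.getName();
                entry.getSize();
                int n;
                while ((n = in.read(buffer)) != -1) {
                    total += n;
                    if (total > MAX_BYTES_PER_INPUT) {
                        return; // stop inflating, the parser has been exercised
                    }
                }
            }
        } catch (final IOException expected) {
            // Malformed archives are rejected this way. Any other Throwable
            // (RuntimeException, OutOfMemoryError, ...) propagates and is
            // reported by the fuzzer as a finding.
        }
    }

    /** Replays saved inputs (for example a crash file) without any fuzzer installed. */
    public static void main(final String[] args) throws IOException {
        for (final String path : args) {
            fuzzerTestOneInput(Files.readAllBytes(Paths.get(path)));
            System.out.println("no finding: " + path);
        }
    }
}
```

Because the entry point takes a plain `byte[]`, the same class serves as the fuzz target and as a local reproducer through `main`.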