Hi Eric,

As far as I know, there is no integration between issues found in OSS Fuzz
and our JIRA. Issues reported in OSS Fuzz exist only there. And security
issues shouldn't go to JIRA if possible (according to ASF's security
policies, I believe?).

Here's the workflow I have been using for Commons Imaging:


   1. View issues
      1. Log in to oss-fuzz.com with my GitHub login (there's a Google one
      too). It recognizes that my email is authorized to view oss-fuzz issues
      for the apache-commons project, so it shows the “Testcases” with crashes
      for the fuzzer. OR
      2. Get the direct link to a Testcase from an email from
   2. Expand a Testcase
   3. Read the Stacktrace
   4. Download the Unminimized Testcase - this is the payload used for
   testing; in the case of Imaging this is normally a PNG, GIF, etc. image
   file that was automatically generated by the fuzzer
   5. Test with Commons Imaging and other tools to validate the issue (e.g.
   GIMP, exiftool, etc.)
      1. If I reproduce it locally and identify it as something that doesn't
      need to be fixed (e.g. a file with a thumbnail that wants to allocate
      10GB of memory in a 2GB JVM/server), then I can mark the testcase as
      not security or fixed
      2. If I reproduce it locally and the issue is indeed a security issue,
      then I prepare a fix and work following the Apache Commons Security
      guidelines: https://commons.apache.org/security.html

This way OSS Fuzz issues contribute positively to the project, identifying
issues I or other maintainers wouldn't have picked otherwise. We follow the
Commons and ASF security process as best as we can as volunteers (i.e.
within a time frame we can allocate to work on this issue) to fix the issue
and prepare a CVE if needed, cutting a new release.

This is the complete process that I've used in Imaging. Not sure if jxpath
must follow the same process, but I guess it would be something similar, or
at least according to Commons & ASF security guidelines and processes.

-Bruno
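The local reproduction step of the workflow above (download the unminimized testcase, replay it, decide whether it is an OOM or a real parser bug), as an added example that is not code from this thread or from Commons Imaging itself: a small harness that feeds one testcase file through the public Commons Imaging entry points and reports the outcome of each. It assumes the Commons Imaging 1.0-alpha API (`Imaging.guessFormat`, `getImageInfo`, `getMetadata`, `getBufferedImage`) and a testcase path given on the command line.

```java
import java.io.File;
import java.io.IOException;

import org.apache.commons.imaging.ImageFormat;
import org.apache.commons.imaging.Imaging;

/**
 * Replays an unminimized OSS-Fuzz testcase against Commons Imaging.
 * Run it with the same heap the fuzzer had (e.g. -Xmx2g) so that an
 * allocation-driven OutOfMemoryError is reproduced rather than hidden by
 * a large developer-machine heap.
 */
public class OssFuzzReplay {

    /** One parser entry point to exercise; may throw anything. */
    interface Step { void call() throws Exception; }

    public static void main(String[] args) throws IOException {
        if (args.length != 1) {
            System.err.println("usage: java -Xmx2g OssFuzzReplay <testcase-file>");
            System.exit(2);
        }
        final File testcase = new File(args[0]);

        // The fuzzer mutates headers, so the detected format can differ from
        // the extension OSS-Fuzz gave the download; log what Imaging sees.
        final ImageFormat format = Imaging.guessFormat(testcase);
        System.out.println("Detected format: " + format);

        // Exercise the entry points one at a time so the stacktrace points at
        // the parser that actually fails, matching the OSS-Fuzz "Stacktrace".
        run("getImageInfo", () -> System.out.println(Imaging.getImageInfo(testcase)));
        run("getMetadata", () -> System.out.println(Imaging.getMetadata(testcase)));
        run("getBufferedImage", () -> Imaging.getBufferedImage(testcase));
    }

    private static void run(String name, Step step) {
        try {
            step.call();
            System.out.println(name + ": OK");
        } catch (OutOfMemoryError e) {
            // A header field asking for a huge buffer: the "thumbnail wants
            // 10GB in a 2GB JVM" case, triaged as OOM rather than a code bug.
            System.out.println(name + ": OutOfMemoryError (" + e.getMessage() + ")");
        } catch (Exception e) {
            // ImageReadException is the expected rejection of bad input; any
            // other type (NPE, index out of bounds, ...) is the one to compare
            // against the OSS-Fuzz stacktrace before deciding on a fix.
            System.out.println(name + ": " + e);
            e.printStackTrace(System.out);
        }
    }
}
```

Compile against the Commons Imaging jar on the classpath; the output for each entry point is what gets compared with the Testcase's stacktrace before marking it fixed or not security.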


On Tue, 11 Oct 2022 at 10:25, Eric Bresie <ebre...@gmail.com> wrote:

> Or is that this
> https://issues.apache.org/jira/projects/JXPATH/issues/JXPATH-200?filter=allopenissues
>
> Get Outlook for iOS<https://aka.ms/o0ukef>
> ________________________________
> From: Eric Bresie <ebre...@gmail.com>
> Sent: Monday, October 10, 2022 4:22:42 PM
> To: Commons Developers List <dev@commons.apache.org>
> Subject: Re: [jxpath] reported CVE and path forward
>
> So then discussed here (1) (which I assume is what’s being done here) and
> bugs raised here (2)?  Has (2) been done yet?
>
>   1.  https://commons.apache.org/proper/commons-jxpath/mail-lists.html
>   2.  https://commons.apache.org/proper/commons-jxpath/issue-tracking.html
>
>
> Get Outlook for iOS<https://aka.ms/o0ukef>
> ________________________________
> From: Bruno Kinoshita <ki...@apache.org>
> Sent: Monday, October 10, 2022 4:15:03 PM
> To: Commons Developers List <dev@commons.apache.org>
> Subject: Re: [jxpath] reported CVE and path forward
>
> Hi Eric,
>
> > For my understanding, is oss-fuzz an open source project that is maintained
> > and managed by Google (and is not an Apache project) but is for “fuzz
> > testing” with portion focused on Apache common products?
> >
>
> That's my understanding too, although I am not sure if it is maintained and
> managed solely by Google. But you are correct in that oss-fuzz is not an
> Apache project. It is an external service similar to GitHub Actions,
> Dependabot, Codecov, etc.
>
> > So am I correct in saying run oss-fuzz against Apache-common, which may
> > find problems in commons.  So any findings would be identified as a bug
> > and fix as applicable?
> >
>
> That sounds correct to me.
>
> There is an apache-commons oss-fuzz project created in the oss-fuzz GitHub
> repository. That becomes a project in the oss-fuzz web system which I and
> other ASF members have access to - anyone from ASF can request access:
> https://oss-fuzz.com
>
> It was created some time ago, and Commons Imaging was one of the first
> included. We (ASF Commons) were involved in setting up that project, so
> that someone from ASF would receive notifications (by being CC'ed in
> oss-fuzz notifications). We decided against using the dev-list, so only
> those that volunteered at the time receive emails.
>
> I checked the GitHub repository today, and found other Commons Components
> that are not part of the apache-commons project, and that have the
> notifications configured to emails of a security company. So in this case
> the findings in Commons repositories would be identified as a bug and
> reported to that company, without - as far as I can tell - involvement of
> ASF Commons devs.
>
> Hope that clarifies,
>
> Bruno
>
>
> On Tue, 11 Oct 2022 at 10:06, Eric Bresie <ebre...@gmail.com> wrote:
>
> > For my understanding, is oss-fuzz an open source project that is
> > maintained and managed by Google (and is not an Apache project) but is
> > for “fuzz testing” with portion focused on Apache common products?
> >
> > So am I correct in saying run oss-fuzz against Apache-common, which may
> > find problems in commons.  So any findings would be identified as a bug
> > and fix as applicable?
> >
> >
> > Get Outlook for iOS<https://aka.ms/o0ukef>
> > ________________________________
> > From: Bruno Kinoshita <ki...@apache.org>
> > Sent: Monday, October 10, 2022 3:51:30 PM
> > To: Commons Developers List <dev@commons.apache.org>
> > Subject: Re: Re: [jxpath] reported CVE and path forward
> >
> > Hi Matt,
> >
> > I am also subscribed to oss-fuzz for Imaging.
> >
> > Looks like someone added jxpath to oss-fuzz here:
> > https://github.com/google/oss-fuzz/pull/7582
> >
> > The initial oss-fuzz for ASF was, if I recall correctly, all put under a
> > single project:
> > https://github.com/google/oss-fuzz/tree/master/projects/apache-commons
> >
> > If you go one level higher in that repository link, you will see there
> > are now other projects in oss-fuzz for other Commons components.
> >
> > The apache-commons project (that contains Imaging, Compress, and
> > Geometry) had a custom policy, agreed in the mailing list and later with
> > someone that maintained oss-fuzz, where ASF issues were not disclosed in
> > 90 days, but instead gave us more time to align the issues with our ASF
> > process.
> >
> > I am not sure if these other projects follow similar policy, nor if the
> > ASF developers are aware of the integration (I only keep an eye on
> > compress/imaging/geometry notifications from the apache-commons project).
> > Also not sure whether it's better to have everything in a single project
> > in oss-fuzz or in separate projects. I'm happy with Imaging being a single
> > oss-fuzz project if needed, but I prefer to keep the policy of giving a
> > longer time to review the issues. I try to review important issues
> > quickly, but the ones that I know are very low priority or won't be fixed
> > (e.g. OOM) I leave for later.
> >
> > Cheers
> > Bruno
> >
> > On Tue, 11 Oct 2022 at 09:01, Matt Sicker <boa...@gmail.com> wrote:
> >
> > > I get emails about some of the Commons fuzzing things, but I was only
> > > aware of it being enabled for compress and imaging.
> > >
> > > On Mon, Oct 10, 2022 at 1:37 PM Roman Wagner
> > > <wag...@code-intelligence.com> wrote:
> > > >
> > > > Hi all,
> > > >
> > > > I am working for Code Intelligence; we did our best to find a
> > > > maintainer for the oss-fuzz project. Unfortunately we've got no
> > > > feedback until now, but it seems to be an unmaintained project except
> > > > for some typo fixes for some years. I am not sure yet to which
> > > > mailing list the bug report was sent, but I will check that
> > > > information with the team.
> > > >
> > > > However, I am really happy that there is some interest in fixing the
> > > > RCE. I have verified the vulnerability and for me it seems to be a
> > > > valid RCE. @Mark Thomas should we continue to discuss further details
> > > > via secur...@apache.org?
> > > >
> > > > Best regards
> > > > Roman
> > >
> > >
> > >
> >
>
