I think fuzzing is a really promising practice we should integrate into our CI pipeline to figure out certain defects. Here is my elevator pitch:
1. Fuzzing or fuzz testing <https://en.wikipedia.org/wiki/Fuzzing> is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program.
2. Jazzer <https://github.com/CodeIntelligenceTesting/jazzer> is a fuzzer for JVM applications, open-sourced by Code Intelligence.
3. OSS-Fuzz <https://github.com/google/oss-fuzz> is Google's automated platform (including Google-provided build nodes!) to fuzz some noteworthy F/OSS projects.
4. [2021-04-10] OSS-Fuzz adds Jazzer support <https://security.googleblog.com/2021/03/fuzzing-java-in-oss-fuzz.html>.
5. [2021-12-13] Fabian Meumertzheim of Code Intelligence detects Log4j CVE-2021-44228 in ~5 min with a one-line fuzz target <https://twitter.com/fhenneke/status/1470377931230875650?s=20>.
6. [2021-12-15] OSS-Fuzz adds Log4j to their suite <https://github.com/google/oss-fuzz/pull/7016>.

Though this is just the beginning. Somebody needs to spend a serious amount of time to enrich the fuzz tests and cover as many Log4j entry points as possible. I am tinkering with the idea of a Kickstarter-like initiative to sign up for this. Maybe as a 2-month-long gig? Thoughts?
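To make the "one-line fuzz target" and the "cover more Log4j entry points" idea concrete, here is an added example of a Jazzer fuzz target that pushes fuzzer-generated data through three Log4j 2 entry points (a plain message, a parameterized message, and a thread-context value). This is not code from the post, from the OSS-Fuzz Log4j integration, or from Code Intelligence; it assumes Jazzer's `com.code_intelligence.jazzer.api` package and `log4j-api`/`log4j-core` on the classpath, with the Log4j version under test pinned to the one you want to check, and it relies on Jazzer's built-in sanitizer that reports attacker-influenced JNDI lookups (present in recent Jazzer releases; with an older Jazzer you would have to add your own hook, which is left out here). The class name `Log4jFuzzer` and the context key `user` are arbitrary choices.

```java
// Added example (not from the original post or the Log4j/OSS-Fuzz projects):
// a Jazzer fuzz target that exercises several Log4j 2 entry points.
// Assumes: Jazzer API + log4j-api/log4j-core on the classpath, and a Jazzer
// version whose JNDI-lookup sanitizer reports the finding.
import com.code_intelligence.jazzer.api.FuzzedDataProvider;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.apache.logging.log4j.ThreadContext;

public class Log4jFuzzer {
    private static final Logger LOGGER = LogManager.getLogger(Log4jFuzzer.class);

    // Jazzer calls this once per generated input.
    public static void fuzzerTestOneInput(FuzzedDataProvider data) {
        try {
            switch (data.consumeInt(0, 2)) {
                case 0:
                    // Plain message: the same path a one-line target covers.
                    // On a vulnerable log4j-core, a message containing a
                    // "${jndi:...}" lookup reaches InitialContext.lookup(),
                    // which Jazzer's sanitizer reports as a finding.
                    LOGGER.error(data.consumeRemainingAsString());
                    break;
                case 1:
                    // Parameterized message: both the format string and the
                    // argument are fuzzer-controlled, so lookups in either
                    // position are exercised.
                    LOGGER.error(data.consumeString(64), data.consumeRemainingAsString());
                    break;
                default:
                    // Thread context (MDC) value: only substituted when the
                    // configured layout references the key, so it is a
                    // distinct entry point worth its own branch.
                    ThreadContext.put("user", data.consumeRemainingAsString());
                    LOGGER.error("login attempt");
                    break;
            }
        } finally {
            // Keep inputs independent of each other between iterations.
            ThreadContext.clearAll();
        }
    }
}
```

Run it with `jazzer --cp=<classes and jars> --target_class=Log4jFuzzer`. The branch on `consumeInt(0, 2)` is the cheap way to let one target cover several entry points; the coverage feedback still tells you which branch each crash came from. Against a patched log4j-core the target finds nothing and doubles as a regression test, which is the point of keeping it in CI rather than running it once.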