[ https://issues.apache.org/jira/browse/JXPATH-199?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17615110#comment-17615110 ]

Markus Schlegel commented on JXPATH-199:
----------------------------------------

Obviously, that oss-fuzz integration does not work correctly.

There are many CVEs reported by oss-fuzz, starting with 
[https://nvd.nist.gov/vuln/detail/CVE-2022-40157] but also CVE-2022-40158, 
CVE-2022-40159, CVE-2022-40160, CVE-2022-40161 and 
[https://nvd.nist.gov/vuln/detail/CVE-2022-41852].

It seems that none of these were processed by a JXPath maintainer (looked at 
Jira, the repository, the mailing lists, ...), but they all have been marked 
as "This bug has been fixed. It has been opened to the public." 

Or am I missing something?

> OSS-Fuzz Integration of JXPath
> ------------------------------
>
>                 Key: JXPATH-199
>                 URL: https://issues.apache.org/jira/browse/JXPATH-199
>             Project: Commons JXPath
>          Issue Type: Improvement
>            Reporter: Roman Wagner
>            Priority: Major
>
> Hi all,
> I have prepared the initial integration 
> [https://github.com/CodeIntelligenceTesting/oss-fuzz/commit/77378631c5593c7538193ecbff4f6edf8338ffe8]
>  of JXPath into [google oss-fuzz|https://github.com/google/oss-fuzz]. This 
> will enable continuous fuzzing of this project, which will be conducted by 
> Google. Bugs that will be found by fuzzing will be reported to you. After the 
> initial integration of this project into oss-fuzz, I will continue to add 
> additional fuzz tests to improve the code coverage over time.
> The integration requires a primary contact, someone to deal with the bug 
> reports submitted by oss-fuzz. The email address needs to belong to an 
> established project committer and be associated with a Google account as per 
> [here|https://google.github.io/oss-fuzz/getting-started/accepting-new-projects/].
>  When a bug is found, you will receive an email that will provide you with 
> access to ClusterFuzz, crash reports, and fuzzer statistics. More than 1 
> person can be included. Please let me know who I should include, if anyone.
> [Jazzer|https://github.com/CodeIntelligenceTesting/jazzer] is used for 
> fuzzing Java applications. Jazzer is a coverage-guided, in-process fuzzer for 
> the JVM platform developed by Code Intelligence. It is based on libFuzzer and 
> brings many of its instrumentation-powered mutation features to the JVM. 
> Jazzer has already found several bugs in JVM applications: [Jazzer 
> Findings|https://github.com/CodeIntelligenceTesting/jazzer#findings]
> Please let me know if you have any questions regarding fuzzing or the 
> oss-fuzz integration.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)