[ https://issues.apache.org/jira/browse/JXPATH-199?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17615110#comment-17615110 ]
Markus Schlegel commented on JXPATH-199: ---------------------------------------- Obviously, that oss-fuzz integration does not work correctly. There are many CVE's reported by oss-fuzz, staring with [https://nvd.nist.gov/vuln/detail/CVE-2022-40157] but also CVE-2022-40158, CVE-2022-40159, CVE-2022-40160, CVE-2022-40161 and [https://nvd.nist.gov/vuln/detail/CVE-2022-41852] It seems, that non of these were processed by a JXPath maintainer (looked at Jira, the repository, the mailing lists , ...), but they all have been marked as "This bug has been fixed. It has been opened to the public." Or am I missing something? > OSS-Fuzz Integration of JXPath > ------------------------------ > > Key: JXPATH-199 > URL: https://issues.apache.org/jira/browse/JXPATH-199 > Project: Commons JXPath > Issue Type: Improvement > Reporter: Roman Wagner > Priority: Major > > Hi all, > I have prepared the initial integration > [https://github.com/CodeIntelligenceTesting/oss-fuzz/commit/77378631c5593c7538193ecbff4f6edf8338ffe8] > of JXPath into [google oss-fuzz|https://github.com/google/oss-fuzz]. This > will enable continuous fuzzing of this project, which will be conducted by > Google. Bugs that will be found by fuzzing will be reported to you. After the > initial integration of this project into oss-fuzz, I will continue to add > additional fuzz tests to improve the code coverage over time. > The integration requires a primary contact, someone to deal with the bug > reports submitted by oss-fuzz. The email address needs to belong to an > established project committer and be associated with a Google account as per > [here|https://google.github.io/oss-fuzz/getting-started/accepting-new-projects/]. > When a bug is found, you will receive an email that will provide you with > access to ClusterFuzz, crash reports, and fuzzer statistics. More than 1 > person can be included. Please let me know who I should include, if anyone. > [Jazzer|https://github.com/CodeIntelligenceTesting/jazzer] is used for > fuzzing Java applications. Jazzer is a coverage-guided, in-process fuzzer for > the JVM platform developed by Code Intelligence. It is based on libFuzzer and > brings many of its instrumentation-powered mutation features to the JVM. > Jazzer has already found several bugs in JVM applications: [Jazzer > Findings|https://github.com/CodeIntelligenceTesting/jazzer#findings] > Please let me know if you have any questions regarding fuzzing or the > oss-fuzz integration. -- This message was sent by Atlassian Jira (v8.20.10#820010)