[ https://issues.apache.org/jira/browse/JXPATH-199?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17615136#comment-17615136 ]
Roman Wagner edited comment on JXPATH-199 at 10/10/22 2:25 PM: --------------------------------------------------------------- Hi [~schlm3] , good hint. For clarification: All issues are still valid and are not fixed. Stackoverflows (e.g. [https://nvd.nist.gov/vuln/detail/CVE-2022-40157]) are a special case, because if the environment has changed and the jvm is using less stack memory the same crashing input will not lead to the crash anymore. Indeed, there was a change that decreased the stack memory usage of the fuzzer. Nevertheless, if the root cause of the stackoverflow is not fixed, the fuzzer will be able to produce a new crashing input for the increased stack memory in a few seconds. That has already happened, but was not published by oss-fuzz yet since it tries to allow a responsible disclosure for all bugs, although it was the same issue. Some automation is still missing here, which definitively will be implemented in the future. CVE-2022-40158 ([https://nvd.nist.gov/vuln/detail/CVE-2022-41852)] is still not fixed and is also not marked as fix. It was re-opened in oss-fuzz and was not verified as fixed since then. was (Author: JIRAUSER288041): Hi [~schlm3] , good hint. For clarification: All issues are still valid and are not fixed. Stackoverflows (e.g. [https://nvd.nist.gov/vuln/detail/CVE-2022-40157]) are a special case, because if the environment has changed and the jvm is using less stack memory the same crashing input will not lead to the crash anymore. Indeed, there was a change that decreased the stack memory usage of the fuzzer. Nevertheless, if the root cause of the stackoverflow is not fixed, the fuzzer will be able to produce a new crashing input for the increased stack memory in a few seconds. That has already happened, but was not published by oss-fuzz yet since it tries to allow a responsible disclosure for all bugs. CVE-2022-40158 ([https://nvd.nist.gov/vuln/detail/CVE-2022-41852)] is still not fixed and is also not marked as fix. It was re-opened in oss-fuzz and was not verified as fixed since then. > OSS-Fuzz Integration of JXPath > ------------------------------ > > Key: JXPATH-199 > URL: https://issues.apache.org/jira/browse/JXPATH-199 > Project: Commons JXPath > Issue Type: Improvement > Reporter: Roman Wagner > Priority: Major > > Hi all, > I have prepared the initial integration > [https://github.com/CodeIntelligenceTesting/oss-fuzz/commit/77378631c5593c7538193ecbff4f6edf8338ffe8] > of JXPath into [google oss-fuzz|https://github.com/google/oss-fuzz]. This > will enable continuous fuzzing of this project, which will be conducted by > Google. Bugs that will be found by fuzzing will be reported to you. After the > initial integration of this project into oss-fuzz, I will continue to add > additional fuzz tests to improve the code coverage over time. > The integration requires a primary contact, someone to deal with the bug > reports submitted by oss-fuzz. The email address needs to belong to an > established project committer and be associated with a Google account as per > [here|https://google.github.io/oss-fuzz/getting-started/accepting-new-projects/]. > When a bug is found, you will receive an email that will provide you with > access to ClusterFuzz, crash reports, and fuzzer statistics. More than 1 > person can be included. Please let me know who I should include, if anyone. > [Jazzer|https://github.com/CodeIntelligenceTesting/jazzer] is used for > fuzzing Java applications. Jazzer is a coverage-guided, in-process fuzzer for > the JVM platform developed by Code Intelligence. It is based on libFuzzer and > brings many of its instrumentation-powered mutation features to the JVM. > Jazzer has already found several bugs in JVM applications: [Jazzer > Findings|https://github.com/CodeIntelligenceTesting/jazzer#findings] > Please let me know if you have any questions regarding fuzzing or the > oss-fuzz integration. -- This message was sent by Atlassian Jira (v8.20.10#820010)