[ 
https://issues.apache.org/jira/browse/CXF-8823?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17696465#comment-17696465
 ] 

Henry Lin commented on CXF-8823:
--------------------------------

Thank you for your feedback, [~coheigea]. The CXF modules selected to fuzz were 
basically based on the requests from Google and past CVEs. If you have any 
suggestions on which modules are most worthy to fuzz, or some improvements for 
current fuzz targets, please let me know; some small examples or pointers to 
already written tests are quite appreciated! I added a fuzz target focusing on 
the parsing of the requests, hopefully. 

> Integrating Apache-CXF into OSS-Fuzz
> ------------------------------------
>
>                 Key: CXF-8823
>                 URL: https://issues.apache.org/jira/browse/CXF-8823
>             Project: CXF
>          Issue Type: Improvement
>            Reporter: Henry Lin
>            Priority: Major
>
> Hi all,
> We have prepared the [initial 
> integration|https://github.com/google/oss-fuzz/pull/9853] of Apache-CXF into 
> [Google OSS-Fuzz|https://github.com/google/oss-fuzz] which will provide more 
> security for your project.
>  
> *Why do you need Fuzzing?*
> The Code Intelligence JVM fuzzer 
> [Jazzer|https://github.com/CodeIntelligenceTesting/jazzer] has already found 
> [hundreds of bugs|https://github.com/CodeIntelligenceTesting/jazzer#findings] 
> in open source projects including, for example, 
> [OpenJDK|https://nvd.nist.gov/vuln/detail/CVE-2022-21360], 
> [Protobuf|https://nvd.nist.gov/vuln/detail/CVE-2021-22569] or 
> [jsoup|https://github.com/jhy/jsoup/security/advisories/GHSA-m72m-mhq2-9p6c]. 
> Fuzzing proved to be very effective, having no false positives. It provides a 
> crashing input which helps you to reproduce and debug any finding easily. The 
> integration of your project into the OSS-Fuzz platform will enable continuous 
> fuzzing of your project by 
> [Jazzer|https://github.com/CodeIntelligenceTesting/jazzer].
>  
> *What do you need to do?*
> The integration requires the maintainer or one established project committer 
> to deal with the bug reports.
> You need to create or provide one email address that is associated with a 
> google account as per 
> [here|https://google.github.io/oss-fuzz/getting-started/accepting-new-projects/].
>  When a bug is found, you will receive an email that will provide you with 
> access to ClusterFuzz, crash reports, code coverage reports and fuzzer 
> statistics. More than 1 person can be included.
>  
> *How can Code Intelligence support you?*
> We will continue to add more fuzz targets to improve code coverage over time. 
> Furthermore, we are permanently enhancing fuzzing technologies by developing 
> new fuzzers and bug detectors.
>  
> Please let me know if you have any questions regarding fuzzing or the 
> OSS-Fuzz integration.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)