[jira] [Commented] (BCEL-364) Integrating bcel into oss-fuzz

2022-09-20 Thread Gary D. Gregory (Jira)


[ https://issues.apache.org/jira/browse/BCEL-364?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17607354#comment-17607354 ]

Gary D. Gregory commented on BCEL-364:
--

I agree. We don't need machine generated content dumped on our heads without 
qualification.

 

> Integrating bcel into oss-fuzz
> --
>
> Key: BCEL-364
> URL: https://issues.apache.org/jira/browse/BCEL-364
> Project: Commons BCEL
> Issue Type: Improvement
> Reporter: A. Schaich
> Priority: Minor
>
> Hi all,
> we have prepared the [Initial 
> integration|https://github.com/CodeIntelligenceTesting/oss-fuzz/commit/8e98d61d59164683ff72203b5aa6768cb3d68acb]
>  of bcel into [Google OSS-Fuzz|https://github.com/google/oss-fuzz] which will 
> provide more security for your project.
>  
> *Why do you need Fuzzing?*
> The Code Intelligence JVM fuzzer 
> [Jazzer|https://github.com/CodeIntelligenceTesting/jazzer] has already found 
> [hundreds of bugs|https://github.com/CodeIntelligenceTesting/jazzer#findings] 
> in open source projects including for example 
> [OpenJDK|https://nvd.nist.gov/vuln/detail/CVE-2022-21360], 
> [Protobuf|https://nvd.nist.gov/vuln/detail/CVE-2021-22569] or 
> [jsoup|https://github.com/jhy/jsoup/security/advisories/GHSA-m72m-mhq2-9p6c]. 
> Fuzzing proved to be very effective having no false positives. It provides a 
> crashing input which helps you to reproduce and debug any finding easily. The 
> integration of your project into the OSS-Fuzz platform will enable continuous 
> fuzzing of your project by 
> [Jazzer|https://github.com/CodeIntelligenceTesting/jazzer].
>  
> *What do you need to do?*
> The integration requires the maintainer or one established project committer 
> to deal with the bug reports.
> You need to create or provide one email address that is associated with a 
> google account as per 
> [here|https://google.github.io/oss-fuzz/getting-started/accepting-new-projects/].
>  When a bug is found, you will receive an email that will provide you with 
> access to ClusterFuzz, crash reports, code coverage reports and fuzzer 
> statistics. More than 1 person can be included.
>  
> *How Code Intelligence can support?*
> We will continue to add more fuzz targets to improve code coverage over time. 
> Furthermore, we are permanently enhancing fuzzing technologies by developing 
> new fuzzers and more bug detectors.
>  
> Please let me know if you have any questions regarding fuzzing or the 
> OSS-Fuzz integration.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)


[jira] [Commented] (BCEL-364) Integrating bcel into oss-fuzz

2022-09-20 Thread Mark Thomas (Jira)


[ https://issues.apache.org/jira/browse/BCEL-364?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17607264#comment-17607264 ]

Mark Thomas commented on BCEL-364:
--

The "no false positives" claim does not stand up to scrutiny. The false 
positive rate for the Tomcat integration provided by Code Intelligence is 
currently running at between 80% and 90%. While a few bugs have been found, 
none of them have had any security implications.

Based on the experience with Tomcat, and given that BCEL is neither designed 
nor intended to handle untrusted input, I'd question whether it is an effective 
use of the limited volunteer effort in the BCEL community to engage with this 
initiative without some changes.

I strongly recommend that we make it a condition of engaging with this 
initiative that all reported issues are first manually vetted by Code 
Intelligence for validity BEFORE being passed to the BCEL project for 
resolution.
