Re: [all] OSS Fuzz

2021-05-18 Thread Fabian Meumertzheim
A quick update: OSS-Fuzz has gained coverage support for Java. You can access the latest apache-commons report at https://oss-fuzz.com/coverage-report/job/libfuzzer_asan_apache-commons/latest and check how well the fuzzer is doing. Fabian On Thu, Apr 22, 2021, 17:44 Fabian Meumertzheim < meumertz

Re: [all] OSS-Fuzz Issue Publication

2021-05-09 Thread Fabian Meumertzheim
No worries, I'm also not in a rush to change anything, so we can give this discussion the space and time it deserves. If you want me to weigh in on any issue you open on GitHub, just @fmeum. An additional argument in favor of a delayed publication could be that sometimes completely unrelated upstr

Re: [all] OSS-Fuzz Issue Publication

2021-05-09 Thread Stefan Bodewig
Many thanks Fabian and sorry for the delay - unfortunately I'm not really able to free up as much time as necessary for any OSS stuff right now On 2021-05-03, Fabian Meumertzheim wrote: > The behavior you are observing has only become the standard somewhat > recently [1], which is also why I had

Re: [all] OSS-Fuzz Issue Publication

2021-05-03 Thread Fabian Meumertzheim
Hi, The behavior you are observing has only become the standard somewhat recently [1], which is also why I had decided to point it out before we performed the integration [2]. Let me first confirm the facts: It is correct that OSS-Fuzz will automatically open the Monorail bugs to the public rough

Re: [all] OSS-Fuzz Issue Publication

2021-05-03 Thread Gary Gregory
Voting takes three days or less if we decide we need an emergency release for a security issue for example. In reality, it can take weeks for a release manager to volunteer for a given component, review code, PRs, Jiras, and so on, before going through all the hoops to create a release candidate and

[all] OSS-Fuzz Issue Publication

2021-05-03 Thread Stefan Bodewig
Hi (Fabian) by now we've resolved the first issues detected by ClusterFuzz (and I forgot to credit OSS Fuzz in Compress, my bad). What we observed is that the issues became public automatically once the patch fixing the issue was merged into master and ClusterFuzz reran the test. In the case of

Re: [all] OSS Fuzz

2021-04-22 Thread Fabian Meumertzheim
On Thu, Apr 22, 2021 at 5:27 PM Peter Lee wrote: > I just created a PR in Compress > https://github.com/apache/commons-compress/pull/189 Thanks! > IIUC I could create a PR github.com/google/oss-fuzz to include my google > account in auto_ccs, and I should ask the primary contact, who is Stefen

Re: [all] OSS Fuzz

2021-04-22 Thread Peter Lee
Hi Fabian, Thanks a lot for all this. > One more thing: Could you perhaps add the following line to the READMEs of > compress and imaging? > I just created a PR in Compress https://github.com/apache/commons-compress/pull/189 Seems I missed a lot these days. :-( I also got a Google account(pete

Re: [all] OSS Fuzz

2021-04-20 Thread Bruno P. Kinoshita
Done in imaging! Thanks https://github.com/apache/commons-imaging/pull/130 Bruno On Wednesday, 21 April 2021, 2:27:38 am NZST, Fabian Meumertzheim wrote: The first OSS-Fuzz build passed and some bugs have already been created. Everything looks good from my side, but let me know if

Re: [all] OSS Fuzz

2021-04-20 Thread Matt Sicker
I see that now. Thanks for handling the ticket! On Tue, 20 Apr 2021 at 11:38, sebb wrote: > > On Tue, 20 Apr 2021 at 17:22, Matt Sicker wrote: > > > > I've tried adding that email to the allow-subscribe list for that > > mailing list. Let's see if the next messages get through without > > modera

Re: [all] OSS Fuzz

2021-04-20 Thread sebb
On Tue, 20 Apr 2021 at 17:22, Matt Sicker wrote: > > I've tried adding that email to the allow-subscribe list for that > mailing list. Let's see if the next messages get through without > moderation now. As already noted, the Return-Path is different for each email - have a look at the headers in

Re: [all] OSS Fuzz

2021-04-20 Thread Matt Sicker
I've tried adding that email to the allow-subscribe list for that mailing list. Let's see if the next messages get through without moderation now. On Tue, 20 Apr 2021 at 10:46, Matt Sicker wrote: > > I've accepted all the moderation requests so far, though I also get > CC'd on the same emails, so

Re: [all] OSS Fuzz

2021-04-20 Thread Matt Sicker
I've accepted all the moderation requests so far, though I also get CC'd on the same emails, so my inbox is a little messy at the moment to verify that it's going through the mailing list, too. There's already been like 20 alerts found, so good call on the separate mailing list! :) On Tue, 20 Apr

Re: [all] OSS Fuzz

2021-04-20 Thread sebb
On Tue, 20 Apr 2021 at 16:34, Fabian Meumertzheim wrote: > > I think that the sender address has been monorail+v2.382749...@chromium.org > for > me since February, so it might be more stable than it looks. Yes, but ezmlm uses the envelope sender, i.e. the Return-Path. At least the current ones

Re: [all] OSS Fuzz

2021-04-20 Thread sebb
On Tue, 20 Apr 2021 at 16:30, Matt Sicker wrote: > > Guess we'll have to ask infra then. They probably have a way to filter > based on regex or something. I just remembered we had to do something similar for Travis and Twitter, see INFRA-18843 and INFRA-19360 Are you going to accept the moderati

Re: [all] OSS Fuzz

2021-04-20 Thread Fabian Meumertzheim
I think that the sender address has been monorail+v2.382749...@chromium.org for me since February, so it might be more stable than it looks. On Tue, Apr 20, 2021, 17:30 Matt Sicker wrote: > Guess we'll have to ask infra then. They probably have a way to filter > based on regex or something. > >

Re: [all] OSS Fuzz

2021-04-20 Thread Matt Sicker
Guess we'll have to ask infra then. They probably have a way to filter based on regex or something. On Tue, 20 Apr 2021 at 10:05, sebb wrote: > > On Tue, 20 Apr 2021 at 15:53, Matt Sicker wrote: > > > Looks like we need to add the bot email as an allowed sender to the list. > > > > Easier said t

Re: [all] OSS Fuzz

2021-04-20 Thread sebb
On Tue, 20 Apr 2021 at 15:53, Matt Sicker wrote: > Looks like we need to add the bot email as an allowed sender to the list. > Easier said than done, as email appears to use a dynamic address. > Otherwise, I’ve seen the alerts start already 😁 > > On Tue, Apr 20, 2021 at 09:27 Fabian Meumertz

Re: [all] OSS Fuzz

2021-04-20 Thread Matt Sicker
Looks like we need to add the bot email as an allowed sender to the list. Otherwise, I’ve seen the alerts start already 😁 On Tue, Apr 20, 2021 at 09:27 Fabian Meumertzheim < meumertzh...@code-intelligence.com> wrote: > The first OSS-Fuzz build passed and some bugs have already been created. > Eve

Re: [all] OSS Fuzz

2021-04-20 Thread Fabian Meumertzheim
The first OSS-Fuzz build passed and some bugs have already been created. Everything looks good from my side, but let me know if you have any questions. One more thing: Could you perhaps add the following line to the READMEs of compress and imaging? [![Fuzzing Status]( https://oss-fuzz-build-logs.

Re: [all] OSS Fuzz

2021-04-19 Thread sebb
On Mon, 19 Apr 2021 at 07:54, Stefan Bodewig wrote: > > On 2021-04-18, Stefan Bodewig wrote: > > > I've created https://issues.apache.org/jira/browse/INFRA-21741 if you > > want to lend a hand moderating, you may want to add yourself to the > > ticket before the list is created. > > The list has b

Re: [all] OSS Fuzz

2021-04-19 Thread Fabian Meumertzheim
On Mon, Apr 19, 2021 at 8:56 AM Stefan Bodewig wrote: > > Can there be more than one "primary" contact? There is a reason why we > use role based mail aliases and mailing lists, it is pretty likely > people become completely unavailable for a while and I don't want to > block adding people to auto

Re: [all] OSS Fuzz

2021-04-19 Thread Fabian Meumertzheim
On Mon, Apr 19, 2021 at 9:03 AM Stefan Bodewig wrote: > I hope my approval has been enough as I'm not a "reviewer with write > access". I think it will suffice to prove that I have submitted the PRs on behalf of someone affiliated with Apache Commons. The OSS-Fuzz reviewers will review the PR fo

Re: [all] OSS Fuzz

2021-04-19 Thread Stefan Bodewig
On 2021-04-19, Stefan Bodewig wrote: > On 2021-04-18, Fabian Meumertzheim wrote: >> Stefan, if you agree, I would submit the two PRs tomorrow and ask you >> to sign them off on GitHub via a comment on the PR and a link to this >> email thread. > Fine with me. I hope my approval has been enough

Re: [all] OSS Fuzz

2021-04-18 Thread Stefan Bodewig
On 2021-04-18, Fabian Meumertzheim wrote: > Stefan, if you agree, I would submit the two PRs tomorrow and ask you > to sign them off on GitHub via a comment on the PR and a link to this > email thread. Fine with me. Thank you Stefan

Re: [all] OSS Fuzz

2021-04-18 Thread Stefan Bodewig
On 2021-04-18, Fabian Meumertzheim wrote: > On Sun, Apr 18, 2021 at 6:22 PM Stefan Bodewig wrote: >> Can probably do, what is the duty of a primary contact? My github >> username is bodewig. > The primary contact may be asked to sign off on PRs to that project in > the OSS-Fuzz repo, in particul

Re: [all] OSS Fuzz

2021-04-18 Thread Stefan Bodewig
On 2021-04-18, Stefan Bodewig wrote: > I've created https://issues.apache.org/jira/browse/INFRA-21741 if you > want to lend a hand moderating, you may want to add yourself to the > ticket before the list is created. The list has been created, so if you want to receive the fuzz reports please subs

Re: [all] OSS Fuzz

2021-04-18 Thread Bruno P. Kinoshita
Thank you Stefan! Bruno On Monday, 19 April 2021, 4:22:18 am NZST, Stefan Bodewig wrote: On 2021-04-18, Fabian Meumertzheim wrote: > Anyone who is (or wants to be) a moderator on that list and has a Google > account, please let me know the primary email address so that I can add it

Re: [all] OSS Fuzz

2021-04-18 Thread Bruno P. Kinoshita
Hi Fabian, Yes, please: brunodepaulak at gmail Thanks! Bruno On Monday, 19 April 2021, 7:36:42 am NZST, Fabian Meumertzheim wrote: I have prepared the integrations at https://github.com/CodeIntelligenceTesting/oss-fuzz/tree/commons-compress and https://github.com/CodeIntelligenceTest

Re: [all] OSS Fuzz

2021-04-18 Thread Fabian Meumertzheim
I have prepared the integrations at https://github.com/CodeIntelligenceTesting/oss-fuzz/tree/commons-compress and https://github.com/CodeIntelligenceTesting/oss-fuzz/tree/commons-imaging. I have included Matt's Google account in the auto_ccs list for both, so you will have access to the full report

Re: [all] OSS Fuzz

2021-04-18 Thread Fabian Meumertzheim
On Sun, Apr 18, 2021 at 6:22 PM Stefan Bodewig wrote: > Can probably do, what is the duty of a primary contact? My github > username is bodewig. The primary contact may be asked to sign off on PRs to that project in the OSS-Fuzz repo, in particular if someone needs to be added to the "auto_ccs" l

Re: [all] OSS Fuzz

2021-04-18 Thread Stefan Bodewig
On 2021-04-18, Fabian Meumertzheim wrote: > Anyone who is (or wants to be) a moderator on that list and has a Google > account, please let me know the primary email address so that I can add it > to the "auto_ccs" list for oss-fuzz.com access. > Stefan, would you want to act as the "primary_conta

Re: [all] OSS Fuzz

2021-04-18 Thread Fabian Meumertzheim
Thanks for creating the list. Anyone who is (or wants to be) a moderator on that list and has a Google account, please let me know the primary email address so that I can add it to the "auto_ccs" list for oss-fuzz.com access. Stefan, would you want to act as the "primary_contact"? That does not r

Re: [all] OSS Fuzz

2021-04-18 Thread Stefan Bodewig
Hi all I've created https://issues.apache.org/jira/browse/INFRA-21741 if you want to lend a hand moderating, you may want to add yourself to the ticket before the list is created. Thanks Stefan

Re: [all] OSS Fuzz

2021-04-18 Thread Stefan Bodewig
On 2021-04-17, Matt Sicker wrote: > I have a Google account I can be CC’d on. I do security engineering > professionally, so I have some experience in the area as well. Thanks Matt, I'll add you as one of the initial moderators as well. Stefan

Re: [all] OSS Fuzz

2021-04-18 Thread Stefan Bodewig
On 2021-04-17, Fabian Meumertzheim wrote: > Let me describe the restrictions in more detail, including example reports. > Everyone listed under "primary" or "auto_cc" will receive the bugs created > in the issue tracker at [1] in email form and can also add comments by > replying to the email thre

Re: [all] OSS Fuzz

2021-04-18 Thread Emmanuel Bourg
Le 17/04/2021 à 18:33, Gary Gregory a écrit : > I'll go with the consensus here but I feel that the security list should be > for humans and posts there deserve human attention on an ASAP basis. I've > just seen too many false positives and noise from automated tools over the > years. Let's just g

Re: [all] OSS Fuzz

2021-04-17 Thread Fabian Meumertzheim
On Sun, Apr 18, 2021 at 12:43 AM sebb wrote: > How do you ensure that a specific Google account is authorised to view > a particular project? This is exclusively governed by the project's "project.yaml" [1]. An example of such a file is [2]. [1] https://google.github.io/oss-fuzz/getting-started

Re: [all] OSS Fuzz

2021-04-17 Thread Matt Sicker
Can we make a Google group or shared Google account for the commons PMC? On Sat, Apr 17, 2021 at 17:43 sebb wrote: > On Sat, 17 Apr 2021 at 18:05, Fabian Meumertzheim > wrote: > > > > On Sat, Apr 17, 2021 at 3:58 PM Stefan Bodewig > wrote: > > > > > > I'm not sure I understand this. AFAIU I co

Re: [all] OSS Fuzz

2021-04-17 Thread sebb
On Sat, 17 Apr 2021 at 18:05, Fabian Meumertzheim wrote: > > On Sat, Apr 17, 2021 at 3:58 PM Stefan Bodewig wrote: > > > > I'm not sure I understand this. AFAIU I could never become a "primary" > > or an "auto_cc" as I will not create a Google account. Do we need to > > have one? In that case som

Re: [all] OSS Fuzz

2021-04-17 Thread sebb
On Sat, 17 Apr 2021 at 17:33, Gary Gregory wrote: > > I'll go with the consensus here but I feel that the security list should be > for humans and posts there deserve human attention on an ASAP basis. I've > just seen too many false positives and noise from automated tools over the > years. Agree

Re: [all] OSS Fuzz

2021-04-17 Thread Fabian Meumertzheim
On Sat, Apr 17, 2021 at 3:58 PM Stefan Bodewig wrote: > > I'm not sure I understand this. AFAIU I could never become a "primary" > or an "auto_cc" as I will not create a Google account. Do we need to > have one? In that case somebody who doesn't share my personal set of > allergic reactions may wa

Re: [all] OSS Fuzz

2021-04-17 Thread Gary Gregory
I'll go with the consensus here but I feel that the security list should be for humans and posts there deserve human attention on an ASAP basis. I've just seen too many false positives and noise from automated tools over the years. Gary On Sat, Apr 17, 2021, 09:48 Stefan Bodewig wrote: > On 202

Re: [all] OSS Fuzz

2021-04-17 Thread Matt Sicker
I have a Google account I can be CC’d on. I do security engineering professionally, so I have some experience in the area as well. On Sat, Apr 17, 2021 at 08:58 Stefan Bodewig wrote: > On 2021-04-15, Fabian Meumertzheim wrote: > > > Just to keep the following in mind: Full access to bug reports

Re: [all] OSS Fuzz

2021-04-17 Thread Stefan Bodewig
On 2021-04-15, Fabian Meumertzheim wrote: > Just to keep the following in mind: Full access to bug reports and > reproducers requires a Google account (which can be associated with > any existing non-list email address). At least the moderators of the > list would therefore have to be listed expli

Re: [all] OSS Fuzz

2021-04-17 Thread Stefan Bodewig
On 2021-04-13, Gary Gregory wrote: > Please don't use @security for automated emails, that ML IMO should be for > humans. > If you want to setup a new ML for bots that's fine, we can direct GitHub's > Dependabot emails there if GitHub allows for that. I don't believe dependabot and the results o

Re: [all] OSS Fuzz

2021-04-17 Thread Stefan Bodewig
On 2021-04-13, Mark Thomas wrote: > On 13/04/2021 17:49, Stefan Bodewig wrote: > >> Fabian has offered to set up OSS Fuzz for Compress. Given that the >> issues OSS Fuzz detects may or may not be security sensitive, I don't >> feel it would be a good idea to have the tool send reports to a publ

Re: [all] OSS Fuzz

2021-04-15 Thread Peter Lee
> > From: Fabian Meumertzheim > > Sent: Wednesday, April 14, 2021 12:13 PM > > To: Commons Developers List > > Subject: Re: [all] OSS Fuzz > > > > On Wed, Apr 14, 2021, 17:14 Matt Sicker wrote: > > > > > Would the undeclared

Re: [all] OSS Fuzz

2021-04-14 Thread Fabian Meumertzheim
sted in fuzzing for that as well. I do not have a preference on the > email list question. > > Regards, > Matt J > > From: Fabian Meumertzheim > Sent: Wednesday, April 14, 2021 12:13 PM > To: Commons Developers List > Subject: Re: [all]

Re: [all] OSS Fuzz

2021-04-14 Thread Matt Juntunen
PM To: Commons Developers List Subject: Re: [all] OSS Fuzz On Wed, Apr 14, 2021, 17:14 Matt Sicker wrote: > Would the undeclared runtime exceptions be "fixable" for the fuzzing > tool if the methods declared their runtime exceptions being thrown? Or > the javadocs? As in,

Re: [all] OSS Fuzz

2021-04-14 Thread Fabian Meumertzheim
and also > > can't give a meaningful estimate of the ratio of normal bugs to > > security issues we will find, I will only provide the following > > general points of information on OSS-Fuzz: > > > > * By design, fuzzing produces little to no false positives. Unless

Re: [all] OSS Fuzz

2021-04-14 Thread Matt Sicker
information on OSS-Fuzz: > > * By design, fuzzing produces little to no false positives. Unless a > library maintains non-trivial global state that is not accounted for > in the fuzz target, all OSS-Fuzz findings should at least be fully > reproducible reports of normal bugs, in

Re: [all] OSS Fuzz

2021-04-13 Thread Fabian Meumertzheim
false positives. Unless a library maintains non-trivial global state that is not accounted for in the fuzz target, all OSS-Fuzz findings should at least be fully reproducible reports of normal bugs, including stack traces and minimized reproducing inputs. * Deduplicating certain kinds of issues m

Re: [all] OSS Fuzz

2021-04-13 Thread Bruno P. Kinoshita
+1 for oss fuzz. Fabian also got in contact a few days earlier, and asked me about using it with Commons Imaging. I told him it had to be discussed here first, but that I thought it could be useful (we are parsing several image file formats, probably a few things could be improved). As for th

Re: [all] OSS Fuzz

2021-04-13 Thread Gary Gregory
Please don't use @security for automated emails, that ML IMO should be for humans. If you want to setup a new ML for bots that's fine, we can direct GitHub's Dependabot emails there if GitHub allows for that. Gary On Tue, Apr 13, 2021, 12:57 Mark Thomas wrote: > On 13/04/2021 17:49, Stefan Bod

Re: [all] OSS Fuzz

2021-04-13 Thread Mark Thomas
On 13/04/2021 17:49, Stefan Bodewig wrote: Fabian has offered to set up OSS Fuzz for Compress. Given that the issues OSS Fuzz detects may or may not be security sensitive, I don't feel it would be a good idea to have the tool send reports to a public mailing list. Therefore I propose to create

[all] OSS Fuzz

2021-04-13 Thread Stefan Bodewig
Hi all I want to pick up (and finish) the discussion that started in Compress[1]. Short Recap: OSS Fuzz[2] runs fuzz testing for open source projects by invoking methods of our code with random data looking for unexpected outcomes (undeclared exceptions or worse code that never retu